GITBOOK-3806: No subject

This commit is contained in:
CPol 2023-03-04 19:33:37 +00:00 committed by gitbook-bot
parent fb8562b7c0
commit 3a122edb7d
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
27 changed files with 34 additions and 28 deletions

Binary image files changed (contents not shown).

View file

@ -147,7 +147,7 @@
* [AppendData/AddSubdirectory permission over service registry](windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md)
* [Create MSI with WIX](windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md)
* [COM Hijacking](windows-hardening/windows-local-privilege-escalation/com-hijacking.md)
* [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md)
* [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
* [Writable Sys Path +Dll Hijacking Privesc](windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md)
* [DPAPI - Extracting Passwords](windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md)
* [From High Integrity to SYSTEM with Name Pipes](windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md)
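Review bot: the summary entry now points at `dll-hijacking.md`, but the child entry on the next line still resolves to `dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md`, so the directory survives with only the sub-page in it; confirm the old `dll-hijacking/README.md` is deleted in this commit rather than left as an orphan that GitBook would still publish. In the unchanged context, `Name Pipes` should read `Named Pipes`.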

View file

@ -113,7 +113,7 @@ Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_
Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_
![](<../../.gitbook/assets/image (253).png>)
![](<../../.gitbook/assets/image (253) (1).png>)
Finally just access the newly created node:
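Review bot: the figure reference moves from `image (253).png` to `image (253) (1).png`, and `image (253).png` is reused later in this same commit by the writable-sys-path page, so verify the Drupal screenshot is the asset now stored under the `(1)` name and not the procmon capture.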

View file

@ -27,7 +27,7 @@ When performing your directory brute force attacks make sure to add the followin
* _/graphql.php_
* _/graphql/console_
<figure><img src="../../.gitbook/assets/image (6) (1) (3).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (6) (1).png" alt=""><figcaption></figcaption></figure>
Once you find an open graphQL instance you need to know **what queries it supports**. This can be done by using the introspection system, more details can be found here: [**GraphQL: A query language for APIs.**\
Its often useful to ask a GraphQL schema for information about what queries it supports. GraphQL allows us to do so…](https://graphql.org/learn/introspection/)

View file

@ -14,7 +14,7 @@
## **Spring Auth Bypass**
<figure><img src="../../.gitbook/assets/image (5) (4).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
**From** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)****
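Review bot: the trailing `****` after the source link is an empty bold pair that some Markdown renderers print as literal asterisks; drop it while this line is being touched. `image (5).png` is also the asset the writable-sys-path page stops referencing in this commit, so check the Spring page still renders the auth-bypass screenshot.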

View file

@ -124,7 +124,7 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod
</script>
```
<figure><img src="../../../.gitbook/assets/image (5) (4) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (5) (4).png" alt=""><figcaption></figcaption></figure>
## RCE: preload

View file

@ -194,7 +194,7 @@ If a plarform is taking **data from an HTTP request and using it without sanitiz
For example, in the original discovered vuln, cache keys were used to return the IP and port a user shuold connect to, and attackers were able to **inject memcache comands** that would **poison** the **cache to send the vistims details** (usrnames and passwords included) to the attacker servers:
<figure><img src="../.gitbook/assets/image (6) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
Moreover, researchers also discovered that they could desync the memcache responses to send the attackers ip and ports to users whose email the attacker didn't know:
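Review bot: the context lines around the changed figure carry several typos that could be fixed in the same edit: `plarform` (platform), `shuold` (should), `comands` (commands), `vistims` (victims), `usrnames` (usernames) and `attackers ip` (attacker's IP).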

View file

@ -58,7 +58,7 @@ Manufacturers love to use their own unique IR protocols, even within the same ra
The most reliable way to see how the remote IR signal looks like is to use an oscilloscope. It does not demodulate or invert the received signal, it is just displayed "as is". This is useful for testing and debugging. I will show the expected signal on the example of the NEC IR protocol.
<figure><img src="../../.gitbook/assets/image (18).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (18) (2).png" alt=""><figcaption></figcaption></figure>
Usually, there is a preamble at the beginning of an encoded packet. This allows the receiver to determine the level of gain and background. There are also protocols without preamble, for example, Sharp.

View file

@ -557,7 +557,7 @@ First, we obtain the hash of `Jane` with for instance Shadow Credentials (using
Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`.
<figure><img src="../../../.gitbook/assets/image (18) (2).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (18) (2) (1).png" alt=""><figcaption></figcaption></figure>
This is not a constraint violation, since the `DC$` computer account does not have `userPrincipalName`.

View file

@ -424,7 +424,7 @@ powershell -command "Get-Clipboard"
### File and Folder Permissions
First of all, listing the processes **check for passwords inside the command line of the process**.\
Check if you can **overwrite some binary running** or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking/):
Check if you can **overwrite some binary running** or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking.md):
```bash
Tasklist /SVC #List processes running and services
@ -450,7 +450,7 @@ for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executabl
)
```
**Checking permissions of the folders of the processes binaries (**[**DLL Hijacking**](dll-hijacking/)**)**
**Checking permissions of the folders of the processes binaries (**[**DLL Hijacking**](dll-hijacking.md)**)**
```bash
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v
@ -562,7 +562,7 @@ Other Permissions can be used to escalate privileges:\
### Services binaries weak permissions
**Check if you can modify the binary that is executed by a service** or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking/))**.**\
**Check if you can modify the binary that is executed by a service** or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking.md))**.**\
You can get every binary that is executed by a service using **wmic** (not in system32) and check your permissions using **icacls**:
```bash
@ -654,7 +654,7 @@ It's possible to indicate Windows what it should do[ when executing a service th
### Installed Applications
Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders** ([DLL Hijacking](dll-hijacking/)).
Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders** ([DLL Hijacking](dll-hijacking.md)).
```bash
dir /a "C:\Program Files"
@ -723,6 +723,12 @@ Check permissions of all folders inside PATH:
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
```
For more information about how to abuse this check:
{% content-ref url="dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md" %}
[writable-sys-path-+dll-hijacking-privesc.md](dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md)
{% endcontent-ref %}
## Network
### Shares
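Review bot: the lead-in to the new content-ref, `For more information about how to abuse this check:`, reads as "abuse this check" rather than "to abuse this, check the page below"; suggest `For more information about how to abuse this, check:` so the sentence is unambiguous.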
@ -1484,7 +1490,7 @@ If you want to read an example of [**how to go from high integrity to System usi
### Dll Hijacking
If you manages to **hijack a dll** being **loaded** by a **process** running as **SYSTEM** you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful to this kind of privilege escalation, and, moreover, if far **more easy to achieve from a high integrity process** as it will have **write permissions** on the folders used to load dlls.\
**You can** [**learn more about Dll hijacking here**](dll-hijacking/)**.**
**You can** [**learn more about Dll hijacking here**](dll-hijacking.md)**.**
### **From Administrator or Network Service to System**
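Review bot: the link retarget is correct, but the unchanged sentence above has grammar slips worth fixing in the same hunk: `If you manages to` should be `If you manage to`, and `if far **more easy to achieve` should be `is far **easier to achieve**`.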

View file

@ -12,7 +12,7 @@
</details>
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
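Review bot: the image path drops one `../` level, which matches the page moving from `dll-hijacking/README.md` up to `dll-hijacking.md`; the same adjustment appears in the identical footer hunk at the end of this file. In both places `hacking carer` should read `hacking career`.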
@ -39,13 +39,13 @@ There is a **variety of approaches** to choose from, with success depending on h
The most common way to find missing Dlls inside a system is running [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) from sysinternals, **setting** the **following 2 filters**:
![](<../../../.gitbook/assets/image (311).png>)
![](<../../.gitbook/assets/image (311).png>)
![](<../../../.gitbook/assets/image (313).png>)
![](<../../.gitbook/assets/image (313).png>)
and just show the **File System Activity**:
![](<../../../.gitbook/assets/image (314).png>)
![](<../../.gitbook/assets/image (314).png>)
If you are looking for **missing dlls in general** you **leave** this running for some **seconds**.\
If you are looking for a **missing dll inside an specific executable** you should set **another filter like "Process Name" "contains" "\<exec name>", execute it, and stop capturing events**.
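Review bot: all three procmon screenshots are re-pathed from `../../../` to `../../`, consistent with the file moving up one directory; the context line `a **missing dll inside an specific executable**` should read `a specific executable`.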
@ -116,8 +116,8 @@ dumpbin /export /path/file.dll
For a full guide on how to **abuse Dll Hijacking to escalate privileges** with permissions to write in a **System Path folder** check:
{% content-ref url="writable-sys-path-+dll-hijacking-privesc.md" %}
[writable-sys-path-+dll-hijacking-privesc.md](writable-sys-path-+dll-hijacking-privesc.md)
{% content-ref url="dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md" %}
[writable-sys-path-+dll-hijacking-privesc.md](dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md)
{% endcontent-ref %}
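Review bot: the content-ref now has to descend into `dll-hijacking/` because this page moved up a level while the sub-page stayed in the directory; this agrees with the summary entry and with the `../dll-hijacking.md` back-reference in the sub-page hunk further down, so the two pages link to each other consistently.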
### Automated tools
@ -127,7 +127,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo
### Example
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](../#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
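Review bot: the relative links now resolve from the new file location (`../authentication-credentials-uac-and-efs.md#uac` and `./#from-high-integrity-to-system`); while here, `**next sectio**n` splits the word across the bold markers and should be `**next section**`, and `comes handy` should be `comes in handy`.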
## **Creating and compiling Dlls**
@ -237,7 +237,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
}
```
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -20,8 +20,8 @@ In order to do that you can abuse a **Dll Hijacking** where you are going to **h
For more info about **what is Dll Hijackig** check:
{% content-ref url="./" %}
[.](./)
{% content-ref url="../dll-hijacking.md" %}
[dll-hijacking.md](../dll-hijacking.md)
{% endcontent-ref %}
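Review bot: replacing `{% content-ref url="./" %}` with `../dll-hijacking.md` is the right fix now that the parent page is a file rather than this directory's README, and the link text becomes a real filename instead of `.`; the context line `what is Dll Hijackig` should read `Dll Hijacking`.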
## Privesc with Dll Hijacking
@ -57,13 +57,13 @@ if ($envPath -notlike "*$folderPath*") {
* **After** the **file** is **generated**, **close** the opened **`procmon`** window and **open the events file**.
* Add these **filters** and you will find all the Dlls that some **proccess tried to load** from the writable System Path folder:
<figure><img src="../../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (18).png" alt=""><figcaption></figcaption></figure>
### Missed Dlls
Running this in a free **virtual (vmware) Windows 11 machine** I got these results:
<figure><img src="../../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (253).png" alt=""><figcaption></figcaption></figure>
In this case the .exe are useless so ignore them, the missed DLLs where from:
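Review bot: this hunk completes a chain of asset swaps across the commit: `image (6).png` and `image (5).png` are released here and picked up by the cache-poisoning and Spring pages, while `image (18).png` and `image (253).png` are taken over from the IR and Drupal pages, which in turn move to `(18) (2)` and `(253) (1)`. Each rename is only correct if the binary changes were applied in the same order, so spot-check that the two procmon screenshots here are the ones that actually render; the context line `the missed DLLs where from` should read `were from`.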
@ -79,7 +79,7 @@ After finding this, I found this interesting blog post that also explains how to
So, to **escalate privileges** we are going to hijack the library **WptsExtensions.dll**. Having the **path** and the **name** we just need to **generate the malicious dll**.
You can [**try to use any of these examples**](./#creating-and-compiling-dlls). You could run payloads such as: get a rev shell, add a user, execute a beacon...
You can [**try to use any of these examples**](../dll-hijacking.md#creating-and-compiling-dlls). You could run payloads such as: get a rev shell, add a user, execute a beacon...
{% hint style="warning" %}
Note that **not all the service are run** with **`NT AUTHORITY\SYSTEM`** some are also run with **`NT AUTHORITY\LOCAL SERVICE`** which has **less privileges** and you **won't be able to create a new user** abuse its permissions.\
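Review bot: the anchor `#creating-and-compiling-dlls` now targets `../dll-hijacking.md`, matching the heading `## **Creating and compiling Dlls**` in that page's hunk above. In the warning context, `not all the service are run` should be `services`, and `create a new user** abuse its permissions` is missing an `or`.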
@ -90,7 +90,7 @@ At the moment of writing the **Task Scheduler** service is run with **Nt AUTHORI
Having **generated the malicious Dll**, save it in the writable System Path with the name **WptsExtensions.dll** and **restart** the computer (or restart the service or do whatever it takes to rerun the affected service/program).
When the service is re-started, the **dll should be loaded and executed** (you can **reuse** the **procmon** trick to check if the **library was loaded as expected**).
<details>
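Review bot: the hunk header declares a one-line change (`-90,7 +90,7`) but no modified line is visible between the context lines, so the rendered diff has dropped the changed line (most likely another figure reference, given the rest of this commit); open the raw diff to confirm which asset this section now points at.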

View file

@ -203,7 +203,7 @@ If you don't care about being noisy you could always **run something like** [**h
### Your own bypass - Basic UAC bypass methodology
If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/).
If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking.md).
1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level).
2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**.
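Review bot: the link correctly follows the page rename to `dll-hijacking.md`; in the same line, `If you take a look to **UACME**` should be `look at`, and `**vulnerabilit**y` splits the word across the bold markers and should be `**vulnerability**`.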