whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

potatoes

This commit is contained in:
Stefan Etringer 2023-02-25 20:40:13 +01:00
parent 0fc077dfa6
commit fddb815ab2
3 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Exploits/Web/JWT.md
View File

@ -17,6 +17,7 @@ header.payload.signature
## NONE Algorithm Vulnerability ## NONE Algorithm Vulnerability
* Example with `alg: NONE`, so no third part is needed. * Example with `alg: NONE`, so no third part is needed.
```sh ```sh
eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K. eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K.
@ -86,3 +87,4 @@ eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTg1MzIzNzg0LCJleHAiOjE1ODUzMjM5MDQs
* [JWTtool](https://github.com/ticarpi/jwt_tool.git) * [JWTtool](https://github.com/ticarpi/jwt_tool.git)
* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token) * [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token)
* https://jwt.io * https://jwt.io
* [jwtcrack](https://github.com/Sjord/jwtcrack)

10
Exploits/Windows/DLL Hijacking.md
View File

@ -1,6 +1,8 @@
# DLL Hijacking # DLL Hijacking
## Search Orders ## Basics
### Search Orders
* __SafeDllSearchMode__ enabled searches paths in following order: * __SafeDllSearchMode__ enabled searches paths in following order:
* __cwd__ of executable * __cwd__ of executable
* System directory, `GetSystemDirectory` * System directory, `GetSystemDirectory`
@ -17,7 +19,7 @@
* Windows directory * Windows directory
* PATH environment variable * PATH environment variable
## Template ### Template
```C ```C
#include <windows.h> #include <windows.h>
@ -40,3 +42,7 @@ sc stop dllsvc
sc start dllsvc sc start dllsvc
``` ```
## LPE via StorSvc
* [BlackArrowSec's repository](https://t.co/8XMvewhgFn)

3
Exploits/Windows/Potatoes.md
View File

@ -5,3 +5,6 @@
* [Lonely Potato](https://decoder.cloud/2017/12/23/the-lonely-potato/) * [Lonely Potato](https://decoder.cloud/2017/12/23/the-lonely-potato/)
* [Juicy Potato](https://ohpe.it/juicy-potato/) * [Juicy Potato](https://ohpe.it/juicy-potato/)
* [Rogue Potato](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/) * [Rogue Potato](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)
* [LocalPotato (CVE-2023-21746)](https://github.com/decoder-it/LocalPotato.git) works via NTLM local authentication Security Context IDs using a local SMB and start connecting a privileged and an unprivileged process at the same time. Both get a security context IDs which then will be swapped between the processes. Additionally DLL hijacking is needed to get a higher priv shell. [This is done via `SvcRebootToFlashingMode` of StorSvc and interpositioning of `SprintCSP.dll`](https://github.com/blackarrowsec/redteam-research/tree/master/LPE via StorSvc) in PATH
* [Original Post from James Forshaw and Elad Shamir](https://decoder.cloud/2023/02/13/localpotato-when-swapping-the-context-leads-you-to-system/)
* [Security Online](https://securityonline.info/poc-exploit-for-windows-ntlm-privilege-escalation-flaw-cve-2023-21746-published/)