Magic Hashes + SQL fuzz

2024-05-10 16:56:05 +02:00 · 2020-04-26 21:43:42 +02:00 · 2020-04-26 21:43:42 +02:00 · 04899355ad
parent 879ead1558
commit 04899355ad
4 changed files with 34 additions and 2 deletions
--- a/Resources/Cloud
+++ b/Resources/Cloud
@ -7,6 +7,7 @@
 * [Azure Storage Account - Access](#azure-storage-account----access)
 * [Azure AD vs Active Directory](#azure-ad-vs-active-directory)
 * [Azure AD - Enumeration](#azure-ad---enumeration)
+* [Azure AD - Convert GUID to SID](#azure-ad---convert-guid-to-sid)
 * [Azure AD - Sign in with a service principal](#azure-ad---sign-in-with-a-service-principal)
 * [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction)
 * [Azure AD Connect - MSOL Account's password and DCSync](#azure-ad-connect---msol-accounts-password-and-dcsync)
@ -285,6 +286,17 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online
 3. Pick the account from the active sessions
 4. Select Azure Active Directory and enjoy!

+## Azure AD - Convert GUID to SID
+
+The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id.
+
+```powershell
+GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)]
+SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)]
+```
+
+For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011`
+
 ## Azure AD - Sign in with a service principal

 https://docs.microsoft.com/en-us/powershell/azure/authenticate-azureps?view=azps-3.3.0&viewFallbackFrom=azurermps-6.5.0#sign-in-with-a-service-principal
@ -443,4 +455,5 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
 * [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
 * [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
 * [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/)
-* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/)
+* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/)
+* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
--- a/Resources/Network
+++ b/Resources/Network
@ -151,6 +151,9 @@ pacman -Sy sshuttle
 apt-get install sshuttle
 sshuttle -vvr user@10.10.10.10 10.1.1.0/24
 sshuttle -vvr username@pivot_host 10.2.2.0/24 
+
+# using a private key
+$ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa" 
 ```

 ## chisel
--- a/Injection/Intruder/Generic_Fuzz.txt
+++ b/Injection/Intruder/Generic_Fuzz.txt
@ -0,0 +1,12 @@
+1
+1'
+1"
+[1]
+1`
+1\
+1/*'*/
+1/*!1111'*/
+1'||'asd'||'
+1' or '1'='1
+1 or 1=1
+'or''='
--- a/Juggling/README.md
+++ b/Juggling/README.md
@ -42,9 +42,13 @@ var_dump(md5([]));  # NULL

 If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float.

-| Hash | “Magic” Number / String    | Magic Hash                                    | Found By      |
+| Hash | “Magic” Number / String    | Magic Hash                                    | Found By / Description      |
 | ---- | -------------------------- |:---------------------------------------------:| -------------:|
 | MD5  | 240610708                  | 0e462097431906509019562988736854              | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
+| MD5  | QNKCDZO                    | 0e830400451993494058024219903391              | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
+| MD5  | 0e1137126905               | 0e291659922323405260514745084877              | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
+| MD5  | 0e215962017                | 0e291242476940776845150308577824              | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
+| MD5  | 129581926211651571912466741651878684928                | 06da5430449f8f6f23dfc1276f722738              | Raw: ?T0D??o#??'or'8.N=? |
 | SHA1 | 10932435112                | 0e07766915004133176347055865026311692244      | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
 | SHA-224 | 10885164793773          | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
 | SHA-256 | 34250003024812          | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |