From b8c803717a283057fce835ebc07a0d5c371a8bf7 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 31 May 2023 14:18:25 +0200 Subject: [PATCH] WDAC Policy Removal + SSRF domains --- .../Active Directory Attack.md | 1 + Methodology and Resources/Windows - Defenses.md | 8 ++++++-- Server Side Request Forgery/README.md | 14 ++++++++------ XSS Injection/README.md | 4 ++-- 4 files changed, 17 insertions(+), 10 deletions(-) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 4afffad..95a255e 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -4414,3 +4414,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse) * [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/) * [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html) +* [Certificates and Pwnage and Patches, Oh My! - Will Schroeder - Nov 9, 2022](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Defenses.md b/Methodology and Resources/Windows - Defenses.md index f99b009..7e7f297 100644 --- a/Methodology and Resources/Windows - Defenses.md +++ b/Methodology and Resources/Windows - Defenses.md 
@@ -307,7 +307,10 @@ Also known as `WDAC/UMCI/Device Guard`. DeviceGuardCodeIntegrityPolicyEnforcementStatus : EnforcementMode DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus : EnforcementMode ``` - +* Remove WDAC policies using CiTool.exe (Windows 11 2022 Update) + ```ps1 + $ CiTool.exe -rp "{PolicyId GUID}" -json + ``` * Device Guard policy location: `C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip` * Device Guard example policies: `C:\Windows\System32\CodeIntegrity\ExamplePolicies\` * WDAC utilities: [mattifestation/WDACTools](https://github.com/mattifestation/WDACTools), a PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies 
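Review bot: the new `CiTool.exe -rp "{PolicyId GUID}" -json` bullet needs a caveat on when it works, because as written it reads as a general "remove WDAC" recipe: CiTool must run from an elevated prompt, the removal only takes effect after a reboot, and a signed policy cannot simply be removed this way, since per Microsoft's removal guidance an updated signed policy that allows unsigned policies has to be deployed (and the machine rebooted) before the policy can be deleted; a short "unsigned policies only, reboot required" note on the bullet would prevent readers from expecting the command to bypass a signed policy. Two smaller points on the snippet itself: the `$ ` prefix inside a `ps1` fence is a Unix shell prompt and gets copied along with the command, so drop it (`CiTool.exe -rp "{PolicyId GUID}"`), and `-json` only changes the output format, so either say why it is there or leave it out. The existing bullets already give the policy path `C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip`, so it would help to state that `-rp` takes the same PolicyId GUID as that file name.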
@@ -383,4 +386,5 @@ You can check if it is done decrypting using this command: `manage-bde -status` * [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) * [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/) * [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/) -* [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101) \ No newline at end of file +* [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101) +* [Remove Windows Defender Application Control (WDAC) policies - Microsoft - 12/09/2022](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies) \ No newline at end of file diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 000a217..183e43c 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md 
@@ -110,11 +110,13 @@ http://0000::1:3128/ Squid ### Bypass localhost with a domain redirection - -* `spoofed.[BURP_COLLABORATOR]` such as `spoofed.redacted.oastify.com` -* `localtest.me` redirect to `::1` -* `company.127.0.0.1.nip.io` redirect to `127.0.0.1` -* `bugbounty.dod.network` redirect to `127.0.0.2` +| Domain | Redirect to | +|------------------------------|-------------| +| localtest.me | `::1` | +| localh.st | `127.0.0.1` | +| spoofed.[BURP_COLLABORATOR] | `127.0.0.1` | +| spoofed.redacted.oastify.com | `127.0.0.1` | +| company.127.0.0.1.nip.io | `127.0.0.1` | The service nip.io is awesome for that, it will convert any ip address as a dns. @@ -138,7 +140,7 @@ http://127.0.0.0 http://2130706433/ = http://127.0.0.1 http://3232235521/ = http://192.168.0.1 http://3232235777/ = http://192.168.1.1 -http://2852039166/ = http://169.254.169.254 +http://2852039166/ = http://169.254.169.254 ``` ### Bypass using octal IP diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 59087ac..2bc8e6a 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -62,7 +62,7 @@ - [Bypass "<" and ">" using < and >](#bypass--and--using--and-) - [Bypass ";" using another character](#bypass--using-another-character) - [Bypass using HTML encoding](#bypass-using-html-encoding) - - [Bypass using Katana](#bypass-using-katana) + - [Bypass using Katakana](#bypass-using-katakana) - [Bypass using Cuneiform](#bypass-using-cuneiform) - [Bypass using Lontara](#bypass-using-lontara) - [Bypass using ECMAScript6](#bypass-using-ecmascript6) @@ -967,7 +967,7 @@ Unicode Character U+FF1C and U+FF1E > ``` -### Bypass using Katana +### Bypass using Katakana Using the [Katakana](https://github.com/aemkei/katakana.js) library.
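Review bot: in the `Active Directory Attack.md` hunk the added Specter Ops reference still carries `\ No newline at end of file`, so the next person to append a link will produce the same one-line-removed, one-line-added noise this patch shows for the `External Trusts Are Evil` line; end the new line with a newline. The same applies to the `Windows - Defenses.md` references hunk, where the ETW line gains its newline only for the new Microsoft link to lose it again.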
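Review bot: the `Server Side Request Forgery/README.md` table hunk drops the `bugbounty.dod.network` entry, which was the only one that resolved to `127.0.0.2`, without a replacement; `127.0.0.2` is useful precisely against filters that match `127.0.0.1` or `localhost` literally, so keep a row for it (or for any other name that resolves to a non-`.1` loopback address). The rows `spoofed.[BURP_COLLABORATOR]` and `spoofed.redacted.oastify.com` are one entry, the old text presented the second as an example of the first, so a single row with the example in a note is enough. The `Redirect to` header is also misleading: these names resolve through DNS to a loopback address, there is no HTTP redirect involved, so `Resolves to` would describe what the table shows. The sentence after the table ("it will convert any ip address as a dns") only vouches for nip.io, which is fine, but the new `localh.st` row has nothing backing it, so it is worth a one-line source or a note that it is a community-run domain.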
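Review bot: the `-`/`+` pair for `http://2852039166/ = http://169.254.169.254` is identical as rendered, so this is a whitespace-only change (trailing whitespace, most likely); the value itself is correct (169·2^24 + 254·2^16 + 169·2^8 + 254 = 2852039166), so nothing more is needed here, but whitespace churn is easier to review when it is mentioned in the commit message or kept out of a content patch.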
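Review bot: the Katana to Katakana rename in `XSS Injection/README.md` is consistent (the TOC link `#bypass-using-katakana` matches the new heading, and the text below already used the correct library name), but renaming a heading silently drops the old `#bypass-using-katana` fragment that external write-ups may link to; that is acceptable for a README, just worth noting in the commit message so the broken anchor is not reported as a regression.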