GITBOOK-3806: No subject
BIN
.gitbook/assets/image (17) (3).png
Normal file
After Width: | Height: | Size: 344 KiB |
Before Width: | Height: | Size: 344 KiB After Width: | Height: | Size: 8 KiB |
BIN
.gitbook/assets/image (18) (2) (1).png
Normal file
After Width: | Height: | Size: 39 KiB |
Before Width: | Height: | Size: 39 KiB After Width: | Height: | Size: 326 KiB |
Before Width: | Height: | Size: 326 KiB After Width: | Height: | Size: 3.4 KiB |
BIN
.gitbook/assets/image (253) (1).png
Normal file
After Width: | Height: | Size: 30 KiB |
Before Width: | Height: | Size: 30 KiB After Width: | Height: | Size: 7.2 KiB |
Before Width: | Height: | Size: 127 KiB |
Before Width: | Height: | Size: 389 KiB After Width: | Height: | Size: 127 KiB |
Before Width: | Height: | Size: 7.2 KiB After Width: | Height: | Size: 389 KiB |
Before Width: | Height: | Size: 23 KiB |
Before Width: | Height: | Size: 94 KiB After Width: | Height: | Size: 23 KiB |
Before Width: | Height: | Size: 3.4 KiB After Width: | Height: | Size: 94 KiB |
Before Width: | Height: | Size: 114 KiB |
Before Width: | Height: | Size: 8 KiB After Width: | Height: | Size: 114 KiB |
|
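Review bot: the three new assets are collision-suffixed copies (`image (17) (3).png`, `image (18) (2) (1).png`, `image (253) (1).png`) rather than deliberate renames, and the size rows show existing files being overwritten with much smaller ones (326 KiB to 3.4 KiB, 30 KiB to 7.2 KiB, 94 KiB to 23 KiB); this is GitBook renumbering on name clash, so every page whose `image (N)` reference is rewritten further down in this commit should be opened once to confirm it still shows the screenshot it had before.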
@ -147,7 +147,7 @@
|
|||
* [AppendData/AddSubdirectory permission over service registry](windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md)
|
||||
* [Create MSI with WIX](windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md)
|
||||
* [COM Hijacking](windows-hardening/windows-local-privilege-escalation/com-hijacking.md)
|
||||
* [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md)
|
||||
* [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
|
||||
* [Writable Sys Path +Dll Hijacking Privesc](windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md)
|
||||
* [DPAPI - Extracting Passwords](windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md)
|
||||
* [From High Integrity to SYSTEM with Name Pipes](windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md)
|
||||
|
|
|
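Review bot: the `Dll Hijacking` entry now targets `windows-local-privilege-escalation/dll-hijacking.md` instead of `dll-hijacking/README.md`, but `Writable Sys Path +Dll Hijacking Privesc` stays in `dll-hijacking/`, so the folder survives only to hold one child whose links back to its parent must now climb a level (`../dll-hijacking.md`, as the later hunks do). Either move the child next to its parent too, or keep it indented under the new entry so the sidebar still shows the parent/child relationship instead of two siblings.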
@ -113,7 +113,7 @@ Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_
|
|||
|
||||
Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_
|
||||
|
||||
![](<../../.gitbook/assets/image (253).png>)
|
||||
![](<../../.gitbook/assets/image (253) (1).png>)
|
||||
|
||||
Finally just access the newly created node:
|
||||
|
||||
|
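Review bot: the figure now points at `image (253) (1).png`, which the top of the commit adds as a 30 KiB file, while the size row `Before 30 KiB After 7.2 KiB` suggests `image (253).png` itself was overwritten (it is re-pointed at by the writable-sys-path page below); the retarget is therefore needed, not cosmetic. While in this file, the step line `Select _Basic Page_ or _Article -_> Write ...` has the italic marker placed inside the `->` arrow and renders wrongly; it should read `_Article_ -> Write`.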
|
|
@ -27,7 +27,7 @@ When performing your directory brute force attacks make sure to add the followin
|
|||
* _/graphql.php_
|
||||
* _/graphql/console_
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (6) (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (6) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Once you find an open graphQL instance you need to know **what queries it supports**. This can be done by using the introspection system, more details can be found here: [**GraphQL: A query language for APIs.**\
|
||||
It’s often useful to ask a GraphQL schema for information about what queries it supports. GraphQL allows us to do so…](https://graphql.org/learn/introspection/)
|
||||
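Review bot: only the figure path changes here (`image (6) (1) (3).png` to `image (6) (1).png`). The introspection reference in the trailing context is a link whose label is split over two lines by a `\` hard break and contains the blog excerpt (`It's often useful to ask a GraphQL schema ...`); collapse it to one sentence that links to https://graphql.org/learn/introspection/ so the link text is the page title rather than a quoted paragraph.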
|
|
|
@ -14,7 +14,7 @@
|
|||
|
||||
## **Spring Auth Bypass**
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (5) (4).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**From** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)****
|
||||
|
||||
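Review bot: besides the figure retarget (`image (5) (4).png` to `image (5).png`), the line `**From** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](...)****` ends with a stray `****`, an empty bold run, which should be dropped. The whole section is a single embedded image of a third-party tip; at least the one-line gist of the bypass should exist as text so the page still says something if the image is renumbered again or the upstream PNG disappears.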
|
|
|
@ -124,7 +124,7 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod
|
|||
</script>
|
||||
```
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (5) (4) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (5) (4).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## RCE: preload
|
||||
|
||||
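Review bot: the figure here moves from `image (5) (4) (1).png` to `image (5) (4).png`, which is exactly the asset name the Spring page above moves away from in the same commit; confirm the Electron page still renders the nodeIntegration screenshot and not the Spring one before merging.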
|
|
|
@ -194,7 +194,7 @@ If a plarform is taking **data from an HTTP request and using it without sanitiz
|
|||
|
||||
For example, in the original discovered vuln, cache keys were used to return the IP and port a user shuold connect to, and attackers were able to **inject memcache comands** that would **poison** the **cache to send the vistims details** (usrnames and passwords included) to the attacker servers:
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (6) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Moreover, researchers also discovered that they could desync the memcache responses to send the attackers ip and ports to users whose email the attacker didn't know:
|
||||
|
||||
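Review bot: the figure retarget (`image (6) (1).png` to `image (6).png`) is fine, but since the file is already being touched the typos in the surrounding context should go with it: `plarform`, `shuold`, `comands`, `vistims`, `usrnames`.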
|
|
|
@ -58,7 +58,7 @@ Manufacturers love to use their own unique IR protocols, even within the same ra
|
|||
|
||||
The most reliable way to see how the remote IR signal looks like is to use an oscilloscope. It does not demodulate or invert the received signal, it is just displayed "as is". This is useful for testing and debugging. I will show the expected signal on the example of the NEC IR protocol.
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (18).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (18) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Usually, there is a preamble at the beginning of an encoded packet. This allows the receiver to determine the level of gain and background. There are also protocols without preamble, for example, Sharp.
|
||||
|
||||
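Review bot: the figure moves from `image (18).png` to `image (18) (2).png`, the same name the AD page below moves away from (`image (18) (2).png` to `image (18) (2) (1).png`), and the size rows at the top show a 326 KiB asset shrinking to 3.4 KiB; check that this page still shows the NEC oscilloscope trace rather than the UPN screenshot. Also `how the remote IR signal looks like` should be `what the remote IR signal looks like`.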
|
|
|
@ -557,7 +557,7 @@ First, we obtain the hash of `Jane` with for instance Shadow Credentials (using
|
|||
|
||||
Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`.
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (18) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (18) (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
This is not a constraint violation, since the `DC$` computer account does not have `userPrincipalName`.
|
||||
|
||||
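Review bot: figure path change only (`image (18) (2).png` to the newly added `image (18) (2) (1).png`, 39 KiB). This is the other half of the `(18)` renumbering chain with the IR page above, so both pages need a visual check, not just this one.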
|
|
|
@ -424,7 +424,7 @@ powershell -command "Get-Clipboard"
|
|||
### File and Folder Permissions
|
||||
|
||||
First of all, listing the processes **check for passwords inside the command line of the process**.\
|
||||
Check if you can **overwrite some binary running** or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking/):
|
||||
Check if you can **overwrite some binary running** or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking.md):
|
||||
|
||||
```bash
|
||||
Tasklist /SVC #List processes running and services
|
||||
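Review bot: retargeting `dll-hijacking/` to `dll-hijacking.md` is correct now that the page is a sibling file of this README. In the leading context, `First of all, listing the processes check for passwords inside the command line of the process.` is hard to parse; suggest `While listing processes, check for passwords in each process's command line`.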
|
@ -450,7 +450,7 @@ for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executabl
|
|||
)
|
||||
```
|
||||
|
||||
**Checking permissions of the folders of the processes binaries (**[**DLL Hijacking**](dll-hijacking/)**)**
|
||||
**Checking permissions of the folders of the processes binaries (**[**DLL Hijacking**](dll-hijacking.md)**)**
|
||||
|
||||
```bash
|
||||
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v
|
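Review bot: link retarget is fine. The context line `for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"...` depends on `wmic`, which Microsoft has deprecated and turned into an optional feature on recent Windows 11 releases, so the page should give the PowerShell fallback next to it (`Get-CimInstance Win32_Process | Select-Object ExecutablePath`) or readers on a current host will get `'wmic' is not recognized`.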
||||
|
@ -562,7 +562,7 @@ Other Permissions can be used to escalate privileges:\
|
|||
|
||||
### Services binaries weak permissions
|
||||
|
||||
**Check if you can modify the binary that is executed by a service** or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking/))**.**\
|
||||
**Check if you can modify the binary that is executed by a service** or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking.md))**.**\
|
||||
You can get every binary that is executed by a service using **wmic** (not in system32) and check your permissions using **icacls**:
|
||||
|
||||
```bash
|
||||
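Review bot: link retarget is fine. The sentence `You can get every binary that is executed by a service using **wmic** (not in system32)` can be read as saying wmic is not in System32; it means the query excludes binaries under `C:\Windows\System32`, so say `(excluding binaries under System32)`.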
|
@ -654,7 +654,7 @@ It's possible to indicate Windows what it should do[ when executing a service th
|
|||
|
||||
### Installed Applications
|
||||
|
||||
Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders** ([DLL Hijacking](dll-hijacking/)).
|
||||
Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders** ([DLL Hijacking](dll-hijacking.md)).
|
||||
|
||||
```bash
|
||||
dir /a "C:\Program Files"
|
||||
|
@ -723,6 +723,12 @@ Check permissions of all folders inside PATH:
|
|||
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
|
||||
```
|
||||
|
||||
For more information about how to abuse this check:
|
||||
|
||||
{% content-ref url="dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md" %}
|
||||
[writable-sys-path-+dll-hijacking-privesc.md](dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Network
|
||||
|
||||
### Shares
|
||||
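Review bot: the added content-ref to `dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md` is the right pointer, since that page stays inside the folder after the parent moved out. On the `for %%A in ("%path:;=";"%") do ( ... icacls "%%~A" ... )` line just above it, the double `%%` is batch-file syntax; pasted at an interactive `cmd.exe` prompt it must be `%A` and `%~A`, and since readers paste these at a prompt the page should say which form it is giving.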
|
@ -1484,7 +1490,7 @@ If you want to read an example of [**how to go from high integrity to System usi
|
|||
### Dll Hijacking
|
||||
|
||||
If you manages to **hijack a dll** being **loaded** by a **process** running as **SYSTEM** you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful to this kind of privilege escalation, and, moreover, if far **more easy to achieve from a high integrity process** as it will have **write permissions** on the folders used to load dlls.\
|
||||
**You can** [**learn more about Dll hijacking here**](dll-hijacking/)**.**
|
||||
**You can** [**learn more about Dll hijacking here**](dll-hijacking.md)**.**
|
||||
|
||||
### **From Administrator or Network Service to System**
|
||||
|
||||
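Review bot: link retarget to `dll-hijacking.md` is consistent with the rest of the file. Typos in the context: `If you manages to` should be `If you manage to`, and `if far **more easy to achieve` should be `it is far **easier to achieve**`.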
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
||||
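Review bot: trimming `../../../` to `../../` is correct because the file moved up one level from `dll-hijacking/README.md` to `dll-hijacking.md`. `hacking carer` should be `hacking career`; the banner line appears twice in this file, so fix both.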
|
@ -39,13 +39,13 @@ There is a **variety of approaches** to choose from, with success depending on h
|
|||
|
||||
The most common way to find missing Dlls inside a system is running [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) from sysinternals, **setting** the **following 2 filters**:
|
||||
|
||||
![](<../../../.gitbook/assets/image (311).png>)
|
||||
![](<../../.gitbook/assets/image (311).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (313).png>)
|
||||
![](<../../.gitbook/assets/image (313).png>)
|
||||
|
||||
and just show the **File System Activity**:
|
||||
|
||||
![](<../../../.gitbook/assets/image (314).png>)
|
||||
![](<../../.gitbook/assets/image (314).png>)
|
||||
|
||||
If you are looking for **missing dlls in general** you **leave** this running for some **seconds**.\
|
||||
If you are looking for a **missing dll inside an specific executable** you should set **another filter like "Process Name" "contains" "\<exec name>", execute it, and stop capturing events**.
|
||||
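Review bot: the path depth fix is right, but the two procmon filters the text says to set exist only as screenshots (`image (311).png`, `image (313).png`), which this very commit shows are prone to renumbering; state them in text too, for instance `Result is NAME NOT FOUND` and `Path ends with .dll`, which also lines up with step 2 of the UAC bypass methodology in the last hunk. Minor: `inside an specific executable` should be `inside a specific executable`.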
|
@ -116,8 +116,8 @@ dumpbin /export /path/file.dll
|
|||
|
||||
For a full guide on how to **abuse Dll Hijacking to escalate privileges** with permissions to write in a **System Path folder** check:
|
||||
|
||||
{% content-ref url="writable-sys-path-+dll-hijacking-privesc.md" %}
|
||||
[writable-sys-path-+dll-hijacking-privesc.md](writable-sys-path-+dll-hijacking-privesc.md)
|
||||
{% content-ref url="dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md" %}
|
||||
[writable-sys-path-+dll-hijacking-privesc.md](dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Automated tools
|
||||
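Review bot: the content-ref now reaching into `dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md` is consistent with the SUMMARY hunk, where the child page stays in the folder. In the hunk header context, `dumpbin /export /path/file.dll` should use the documented switch `/EXPORTS` and a Windows-style path, since dumpbin only exists in the Visual Studio toolchain.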
|
@ -127,7 +127,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo
|
|||
|
||||
### Example
|
||||
|
||||
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](../#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
|
||||
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
|
||||
Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
|
||||
|
||||
## **Creating and compiling Dlls**
|
||||
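Review bot: `../authentication-credentials-uac-and-efs.md#uac` is the correct depth after the move, but `./#from-high-integrity-to-system` relies on GitBook resolving `./` to the directory README; that works in GitBook and breaks in plain markdown renderers, so `README.md#from-high-integrity-to-system` is the safer target. Also `next sectio**n` closes the bold run inside the word.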
|
@ -237,7 +237,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
|
|||
}
|
||||
```
|
||||
|
||||
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
|
@ -20,8 +20,8 @@ In order to do that you can abuse a **Dll Hijacking** where you are going to **h
|
|||
|
||||
For more info about **what is Dll Hijackig** check:
|
||||
|
||||
{% content-ref url="./" %}
|
||||
[.](./)
|
||||
{% content-ref url="../dll-hijacking.md" %}
|
||||
[dll-hijacking.md](../dll-hijacking.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Privesc with Dll Hijacking
|
||||
|
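Review bot: replacing `{% content-ref url="./" %}` with `{% content-ref url="../dll-hijacking.md" %}` correctly climbs out of `dll-hijacking/` to reach the moved parent page. `what is Dll Hijackig` in the context should be `what Dll Hijacking is`.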
@ -57,13 +57,13 @@ if ($envPath -notlike "*$folderPath*") {
|
|||
* **After** the **file** is **generated**, **close** the opened **`procmon`** window and **open the events file**.
|
||||
* Add these **filters** and you will find all the Dlls that some **proccess tried to load** from the writable System Path folder:
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (18).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Missed Dlls
|
||||
|
||||
Running this in a free **virtual (vmware) Windows 11 machine** I got these results:
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (253).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
In this case the .exe are useless so ignore them, the missed DLLs where from:
|
||||
|
||||
|
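Review bot: the two figures are re-pointed at `image (18).png` and `image (253).png`, exactly the names the IR and Drupal pages vacate in this commit, and the size rows at the top show assets of those sizes being overwritten with 3.4 KiB and 7.2 KiB files, plausible for small procmon screenshots; still, this should be verified in the rendered page, and a real commit message instead of `No subject` would spare the next reader the cross-referencing. Typos: `proccess` and `the missed DLLs where from` (`were`).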
@ -79,7 +79,7 @@ After finding this, I found this interesting blog post that also explains how to
|
|||
|
||||
So, to **escalate privileges** we are going to hijack the library **WptsExtensions.dll**. Having the **path** and the **name** we just need to **generate the malicious dll**.
|
||||
|
||||
You can [**try to use any of these examples**](./#creating-and-compiling-dlls). You could run payloads such as: get a rev shell, add a user, execute a beacon...
|
||||
You can [**try to use any of these examples**](../dll-hijacking.md#creating-and-compiling-dlls). You could run payloads such as: get a rev shell, add a user, execute a beacon...
|
||||
|
||||
{% hint style="warning" %}
|
||||
Note that **not all the service are run** with **`NT AUTHORITY\SYSTEM`** some are also run with **`NT AUTHORITY\LOCAL SERVICE`** which has **less privileges** and you **won't be able to create a new user** abuse its permissions.\
|
||||
|
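Review bot: `../dll-hijacking.md#creating-and-compiling-dlls` is consistent with the move. The warning in the trailing context is missing a connective: `which has less privileges and you won't be able to create a new user abuse its permissions` should read `which has fewer privileges, so you won't be able to create a new user; abuse its own permissions instead`.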
@ -90,7 +90,7 @@ At the moment of writing the **Task Scheduler** service is run with **Nt AUTHORI
|
|||
|
||||
Having **generated the malicious Dll**, save it in the writable System Path with the name **WptsExtensions.dll** and **restart** the computer (or restart the service or do whatever it takes to rerun the affected service/program).
|
||||
|
||||
|
||||
When the service is re-started, the **dll should be loaded and executed** (you can **reuse** the **procmon** trick to check if the **library was loaded as expected**).
|
||||
|
||||
<details>
|
||||
|
||||
|
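Review bot: no textual change is visible in this hunk (most likely whitespace or a trailing newline); if so, drop it so the commit stays limited to the rename. On `restart the computer (or restart the service ...)`, restarting the service needs rights the reader does not have yet at this point of the privesc, so the reboot is the realistic trigger and the text could say so.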
|
|
@ -203,7 +203,7 @@ If you don't care about being noisy you could always **run something like** [**h
|
|||
|
||||
### Your own bypass - Basic UAC bypass methodology
|
||||
|
||||
If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/).
|
||||
If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking.md).
|
||||
|
||||
1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level).
|
||||
2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**.
|
||||
|
|
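Review bot: link retarget is fine. The bold run `vulnerabilit**y` closes inside the word. The parenthetical `(mainly writing the malicious dll on C:\Windows\System32)` omits the key step: a medium-integrity process cannot write to System32, so these bypasses combine the hijack with some auto-elevated way of placing the file there; the numbered methodology that follows should name that second ingredient rather than leaving the reader to assume the DLL drop is free.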