-
Use Searching Engines to Hunt For Threat Actors
Background Hi folks, today, I’d like to discuss how to leverage search engines to identify vulnerable servers used by threat actors. These actors often employ multiple servers for various purposes, such as phishing infrastructure, command and control (C2) infrastructure, and tool/payload servers. Due to poor operational security (OPSEC) or budget constraints, some may even use a single server for multiple functions. People make mistakes, including threat actors. While they may employ advanced C2 frameworks, custom C2 profiles, redirectors, legitimate domains and certificates, and evasive tradecraft, a single mistake, such as an open directory misconfiguration, can undermine their entire effort. As I am not a threat-hunting expert, my approach to identifying…
-
Targeted and Efficient Phishing: Alteryx Workflow
Background Recently, my friend who works in the accounting industry has been working hard to learn how to use a tool called Alteryx. She occasionally shares her learning experience with me, even though I do not have any knowledge of the accounting industry. Through our conversations, I learned that this software has macro functions. Based on a hacker’s intuition, I wondered if the macros in this software could execute code, even using its importable files for phishing, just like in Microsoft Office products. After some searching and research, I discovered that Alteryx’s importable files could indeed be used to execute client-side code and for phishing, and they can be very…
-
OSEP and OSWE Review
Hello folks, recently I took the OSWE exam. For more information about the course, you can check the official website https://www.offensive-security.com/awae-oswe/. Considering that I also passed OSEP (https://www.offensive-security.com/pen300-osep/) half a year ago, I would like to share my thoughts and feelings on both. It should be noted that because I passed OSEP half a year ago, I cannot be 100% sure that my personal experience is still fully applicable, for example whether the course content has been expanded or modified. Next, let’s talk about them one by one. Before reading the following, please make sure you have an understanding of the course content of OSWE and OSEP, for example, you are a student who is…
-
Review for OSWE and OSEP
Hello everyone, recently I took the OSWE course certification exam from Offsec. Information about the course can be found on the official website https://www.offensive-security.com/awae-oswe/. Considering that I also passed OSEP (https://www.offensive-security.com/pen300-osep/) half a year ago, I will share my thoughts on both together. Note that because I passed OSEP half a year ago, I cannot be 100% sure that my personal experience still fully applies, for example whether the course content has been expanded or modified. Next, let's go through them one by one. Before reading further, please make sure you have an understanding of the OSWE and OSEP course content, for example because you are a student preparing for the exam or someone considering enrolling. Information that can be found on the official website will therefore not be repeated here.

OSWE: For me, web security and penetration has always been a skill I was not very confident in, because I have no application development experience. For web penetration, development experience is undoubtedly an advantage, whether for understanding application architecture, reading code, and so on. Moreover, in the courses I passed earlier, such as OSCP, the principles and exploitation of common web vulnerabilities were not explored in depth; most of the time public exploits were used for attacks. As a penetration tester and red team operator, although I am better at network and infrastructure penetration, web exploitation is always unavoidable; web attacks are often the key that opens the door into an enterprise. Therefore, I made up my mind to enroll in OSWE to strengthen my web skills, and it also directly helps with my current job. OSWE is a 300-series course, with depth and difficulty above the web content in OSCP. It is a course centered on white-box code auditing, containing a small amount of black-box penetration content, but auditing and analyzing code runs through all of it. If you ask me whether it helps with black-box penetration, it certainly does, especially for someone like me whose web foundation is not very strong. Before, I could not even clearly explain concepts such as CORS, CSRF, deserialization, and SSTI. Although OSWE is a 300-level course, it still starts fairly much from the basics; these concepts are explained in great detail and gave me a solid foundation. Once you understand the basics and principles, even in black-box testing you can naturally guess at the input filtering, code snippets, and so on that may exist in the backend.

Before enrolling, I worried that my foundation was not sufficient to study OSWE and that it would be a struggle. I did indeed find some chapters hard to understand, such as prototype pollution and .NET deserialization. But after reading the materials several times, following along with the materials hands-on, and completing the post-chapter exercises, my level improved significantly without my noticing, and understanding became much easier. OSWE currently covers web applications with PHP, Java, .NET, NodeJS, and Python backends, so being able to read code in these languages is naturally necessary. In addition, there is a great need for scripting ability in JavaScript and Python, and sometimes you even need to write PoCs in Java, .NET, or C. Beyond these languages, familiarity with SQL syntax and usage and with BurpSuite is also very important. If, like me, you are not very confident in web but want to enroll in OSWE, I still recommend getting familiar with these in advance. Although OSWE teaches many things from the basics, it moves quickly, i.e., it assumes you already have a certain amount of knowledge, such as the use of the requests library in Python, SQL syntax, and so on. By the way, if you are still unsure whether you have the foundational skills required to study OSWE and your budget allows, eLearnSecurity's eWPT (https://elearnsecurity.com/product/ewpt-certification/) can fill in most of the required basics, because as I said, although OSWE does cover basic concepts, it moves fairly quickly. Although I did not take the eWPT exam, I spent a few weeks going through the eWPT course materials, and my thinking became much clearer.

Compared to OSEP and OSED in OSCE3, OSWE has a longer history, so the course content has been expanded, for example with the principles and exploitation of CSRF, SSRF, prototype pollution, and other vulnerabilities added in the last update. At the same time, the Atmail chapter (from XSS to RCE) has been archived, but student access has not been restricted, so I strongly recommend studying and practicing it like the other chapters. As for how to study the materials, you must follow along hands-on; just reading is useless. Combine video with text, theory with practice, and complete as many of the post-chapter exercises as possible, although I still have a few exercises I have not solved. After finishing each chapter, try to write a script that automates the exploit with one click. During the learning process, you will also need to read a lot of articles and official documentation, such as the official documentation for the Express framework, or analysis articles about a particular vulnerability written by other authors.

OSWE has 3 independent labs with no guidance, i.e., you use what you have learned to find the exploitation steps yourself: 2 are white-box and 1 is black-box. Before the exam, you must at least complete the 2 white-box labs no matter what, and use as many different solutions as possible. Whether other practice is needed before the exam is a matter of opinion. But if you plan to, here are some recommended resources I collected personally. 1: HTB OSWE-like boxes https://www.todosec.com/infosec/infosec-topics/boxes/htb/htb-oswe-tjnull 2: https://github.com/rootshooter/oswe-prep-2022…
-
Kerberos Delegation
Hey friends, this is the 3rd article in my Active Directory Theory and Exploitation series. Today, I would like to talk about 3 types of delegation. Kerberos delegation resolves the double hop problem; however, an attacker can also abuse delegation to gain remote code execution and move to other machines. The concepts of delegation can be complex, but I will try my best to make them simple and easy to understand! Unconstrained Delegation Kerberos delegation enables a user or service to act on behalf of another user to another service. A typical scenario is that a user authenticates to an IIS server, and then the IIS server acts on behalf of the user to…
-
Kerberos
Hey friends, this is the second article in my Active Directory Theory and Exploitation series. Today, I would like to talk about Kerberos. Kerberos might be complex and daunting in many people’s opinion, but never mind, hopefully I can make it simple and easy to understand! Kerberos Authentication Kerberos is a very interesting topic in Active Directory, since many abuses and exploitation techniques are based on Kerberos. Since Windows Server 2003, Kerberos has played the main role in authentication. While NTLM authentication adopts a challenge-and-response mechanism, Kerberos is based on a ticket system. Let’s get familiar with some roles and keep them in mind! Client: The end user who logs on…
-
Vulnerability of Garage Management System 1.0
About one week ago, author mayurik released Garage Management System 1.0 on https://sourcecodester.com. The web application has a lot of vulnerabilities, so let’s take a look at some of them. Vendor Homepage: https://www.sourcecodester.com/users/mayurik Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html Version: 1.0 Test Environment: Ubuntu 22.04 + Apache2 Sample Vulnerability 1: Vulnerability: Persistent Cross-site Scripting Component: Parameter “brand_name” in /brand.php Cause: There is no user input sanitization on parameter “brand_name”. Simple PoC: Screenshot of Exploitation: Sample Vulnerability 2: Vulnerability: SQL Injection Component: Parameter “id” in /print.php Cause: There is no user input sanitization on parameter “id”. Simple PoC: http://hostname:port/garage/print.php?id=1 ’[SQL Query] Screenshot of Exploitation: Sample Vulnerability 3: Vulnerability: Persistent Cross-site Scripting Component: Parameter…
-
Chinese Version of Domain Enumeration
Hello everyone, today I am starting a new article series discussing Active Directory penetration and exploitation. This is the first article in the series, and we discuss domain enumeration. We assume you already have an initial shell on a domain host, whether it is a Windows domain host or a Linux domain host, because both will be discussed :D Note that this is not an article focused on tool usage and specific commands; we focus on enumeration methodology. Enumeration on Windows After exploiting a public-facing service, we may get a shell as a local service account, at which point we are not in a domain context. Finding a way to escalate privileges will be helpful. Eventually we obtain SYSTEM privileges, which means we now have a domain context as the domain computer account, so we can start enumerating the domain. 0: One-shot domain takeover vulnerabilities In recent years, there have been some vulnerabilities that let us take over the entire domain directly. Although most of them have probably been patched, there is no harm in trying! CVE-2021-42278: noPAC vulnerability CVE-2022-26809: RPC RCE CVE-2022-26923: ADCS vulnerability CVE-2020-1472: Zerologon vulnerability MS14-068: Kerberos vulnerability 1: Domain users User description: although the description is often blank, if it is not, the user description may reveal the domain user's role, such as server administrator, developer, etc. Kerberos pre-authentication: if some domain users do not have pre-authentication enabled, we can ASREPRoast them and obtain krb5asrep hashes. If we are lucky, we have a chance to crack these hashes offline and obtain plaintext credentials. SPN: if a domain user has an SPN, it is a service account. We can Kerberoast them and obtain krb5tgs hashes. If we are lucky, we have a chance to crack these hashes offline and obtain plaintext credentials. Group membership: every domain user belongs at least to the “Domain Users” group, but if any domain user belongs to multiple groups, we need to check which groups they belong to. 2: Domain groups Group description: as with user descriptions. Group type: if a group is a custom group, we need to pay extra attention: what special privileges does this group have? 3: Foreign members If we compromise a foreign member, we have a chance to move to another domain/forest. 4: Domain computers Note the FQDN and IP address of every domain host. Windows hosts Linux hosts: usually Linux domain computers allow domain users SSH access by default, which means that once we have credentials we can in any case try to move to a Linux host via SSH. 5: Existing sessions and processes Processes belonging to domain users Impersonable tokens After obtaining SYSTEM privileges, we can impersonate any logged-on domain user. If the impersonated user has specific privileges, we can move to other machines or even domains. 6: Privileges of owned users RDP access to other hosts Local administrator privileges on other hosts WinRM access to other hosts DACLs: such as ForceChangePassword, GenericWrite, etc. 7: Service access SMB: if the compromised user can access C$/ADMIN$ on other domain computers, it means that user has local administrator privileges on that computer. Besides C$/ADMIN$, also pay attention to any readable/writable custom shares, such as “dev”, which may store application source code. FTP: if we have access, check for any interesting files in it. WinRM access: if we can use WinRM, we can move to another host. SQL: use xp_cmdshell and SQL links to execute commands on other hosts. 8: GPO By enumerating GPOs, we can see the current domain's special settings for specific OUs. We may not know the detailed settings of a GPO, but we can infer them from the GPO name or description. GPOs may also help us move to other machines. For example, a GPO can grant certain users RDP or WinRM access to specific computers. 9: Delegation …
-
Domain Enumeration Methodology
Hey folks, today I start a new series of articles to discuss Active Directory Exploitation. This is the first article; we focus on domain enumeration. We assume you already have an initial shell on a domain computer, whether it is a Windows domain computer or a Linux domain computer, because we will discuss both of them : D Be aware that this is not an article that focuses on the detailed usage of tools and commands; we focus on methodology. Enumeration on Windows After exploiting a public-facing service, we could get a shell as a local service account; at this moment we are not in a domain context. It is helpful to…
-
Walkthrough of My Vulnerable AD Set
Hi guys, in the past few days I designed and built a difficult and complex vulnerable AD set, and I planned to post the guide to reproduce it. Today, I would like to share some bug fixes/updates on it, as well as the walkthrough of this vulnerable AD set. Updates: I think there are some issues with the default Windows Installer, so a user cannot successfully install an msi package without a GUI (RDP/VNC). The following steps are a workaround to resolve this. I also enable PPL to add one more layer of protection. 1: Add jason.hudson to the local group RDU on SRV01. 2: Open Local Group Policy Editor and make this setting. 3: Add the AlwaysInstallElevated reg key for domain users on SRV01 under HKEY_USERS 4: Remove svc_sql from the local group RDU on both SRV01 and SRV02, i.e., delete the SQL Manager domain group. 5: (Optional) Remove IE’s cached password and home…