CTF
If we have high privilege access to a domain, we will likely want to establish persistence with high privilege access. One mechanism to do this is to assign ourselves permissions to the adminSDHolder object in active directory:
Here we have the default adminSDHolder permissions. We are going to add our user “low” in here with modify or full control permissions: Read more “Abusing AdminSDHolder to enable a Domain Backdoor”
CTF
Some hashes are obvious but even then, it’s a good job to check. There are a few ways to check a hash outside of manual validation.
Using the Hashcat example list:
https://hashcat.net/wiki/doku.php?id=example_hashes
Using hash-identifier:
https://github.com/blackploit/hash-identifier
Using cyberchef Analyse hash:
https://gchq.github.io/CyberChef/#recipe=Analyse_hash()
Using hash-id:
https://github.com/psypanda/hashID
Using HashTag:
https://github.com/SmeegeSec/HashTag
As you can see there are range of tools available to you, and remember if you want to keep the hashes to yourself you can download Cyberchef and run it locally!
Guides
This is a super-fast blog to show how to crack sshkeys with JohnTheRipper from Kali VM.
Create a key
ssh-keygen Read more “Cracking an SSH key with John the Ripper (JTR)”
Defense
Have you ever wanted to see what would occur in an environment if a worm was a make its way in? I often work with customers to show them about lateral movement from a human operated perspective however sometimes it’s useful for people to visualise this better and to demonstrate what could occur if a worm was set loose. A great tool to help with this is Infection Monkey from Guardicore (https://www.guardicore.com/
The process steps are as follows:
Defense
Ok these are a really simple UAC bypass from a userland GUI perspective. This is about increasing process integrity levels – it’s not about performing LPE from low integrity to high/SYSTEM with no interaction. These clearly work in older version of Windows as well but since Windows 11 will be the current version in the near future I thought it was fun to re-visit these!
And just to be clear, a medium integrity process as an administrator user will have the following privileges:
What we are talking about here is to move to a high integrity process without knowing credentials or having the secure desktop launch. Read more “Windows 11 Privilege Escalation via UAC Bypass (GUI based)”
Strategy
People band strategy around like it’s some sort of mythical beast that requires no knowledge of the subject involved but is done by wizards and executives (it’s just done by people, but I digress) so I thought I’d talk about strategy development.
Now forewarning you might come out of this post thinking… there must be something else… something you are missing as Dan’s not showing any secret magic…. Often what is commonly lacking when looking at strategic execution is effective communication, consensus, and marathon like commitment to deliver on said goals and objectives. Why? Because that part is really, really, hard, if it wasn’t we’d all be sipping Bollinger in the Bahamas.
If your first thoughts are to run to Sun Tzu or grab an ISO27001 document then you should probably pause, grab a tea, and take a breath. In my experience cyber security is:
People often think that a framework, guide, or standard will give them the answers. Sure, they are often useful tools to help, hell the domain of cyber is broad as hell and there’s so much to do and often so little time, so job aides and not re-inventing the wheel is a good thing, that doesn’t however just mean that with documents you will be in a good position. Read more “Cyber Strategy Magic”
Defense
“And I looked and behold a pale horse: and his name that sat on him was Death, and Hell followed with him.”
Firstly, Kudos to @j0nh4t for finding this!
I woke up this morning to see twitter fun with a LPE discovered in the Razer driver installation. Basically, when you plug a Razer mouse into a Windows machine, it will download (via windows update) and execute a process as system which has user interaction. This interface includes an install path selector, with this a right click + SHIFT (LULZ) on whitespace will allow you to launch a command prompt/PowerShell window (as SYSTEM).
Guides
Ever needed to test active directory in a hurry? Well, here’s some common commands to test active directory domain services. In this post today we are going to focus on DNS and username enumeration, there are however a range of weaknesses you want to look for:
Port Scanning and Service Fingerprinting
nmap -p- -sC -sV -Pn -v -A -oA ecorp.local.txt 192.168.1.22
Read more “Rapid Active Directory Security Testing of Windows Server 2022 and Kali Linux”
Guides
WIndows Server 2022 is RTM! I love new operating systems, but also with the new, what is old? There will be loads of new blogs and articles on new features of Server 2022 however I wanted to see what mischief we can have with it! So I’ve decided to start looking at common vectors and exploits (from the fun to the serious) so that we can see how much of the world has changed (or not!)
So let’s take a look. The first thing I did was to offline replace stickykeys with cmd.exe – yes this method still works. But as lots of people will realise, you neeed physical access to the disk (well you don’t if you have access to someone’s vcenter you don’t!) but also the reg key methods also work! We can still backdoor RDP – here’s a script to disable NLA, Enable RDP, configure the firewall rules and set the registry keys to backdoor the system (clearly for lab use only!)
https://github.com/mr-r3b00t/RDP_Backdoor
Read more “Hacking Windows Server 2022”
Defense
Windows Remote Management is easy if you are using a domain joined machine and have a CA. But what if you are off the domain and you want to connect to WINRM that has an HTTPS listener? (by default WINRM uses HTTP on TCP 5985, you can clearly chop out the TLS related configs in the example scripts and they will work for plain old WINRM)
This is useful from a sysadmin and penetration testing/red team perspective. Now obviously you could export the certificates and import them into your store, however that’s more work. So, let’s look at how we ignore revocation, CA name and Computer Name checks.
