Offensive Security Documentation by Ruben Santos Garcia
Introduction to Active Directory 10. Privilege escalation with DLL hijacking
Introduction With today's chapter, we begin the privilege escalation part of the Active Directory series. In this section we will see the main techniques that are commonly used, from those applied on an individual Windows machine to become administrator to those more oriented to Active Directory itself. To begin with, I have decided to introduce one of the most well-known ones, DLL hijacking. So today you will learn what this technique is, how you can use it to escalate privileges as well as ways to detect appl
In today's chapter, we will continue with the series on binary exploitation on Linux. In the previous one we saw format string, and in this chapter what we will study is how we can abuse multiple vulnerabilities at the same time. Specifically, we are going to exploit both a format string and a buffer overflow. In this chapter you will not only learn how to exploit these two vulnerabilities but also how to study the code in depth with radare2 to overcome a number of problems you may encounter d
Introduction Hello everyone, I hope you are well. In today's chapter, we will see what a format string vulnerability is and how we can exploit it. This is one of the most classic code vulnerabilities, learned alongside buffer overflow, and one for which I have a special affection because it was the first one I learned back in the day. This vulnerability allows an attacker not only to dump memory, but also to write arbitrarily to it. During the chapter you will learn not only how to exploit it but also
Introduction Hello everyone, I hope you are all well. I have written chapters focused on basic Active Directory concepts as well as the main attacks that are usually performed to get an initial user/intrusion in these environments. The following chapters are going to focus more on methods to enumerate Active Directory assuming that we already have a compromised user. We will also discuss privilege escalation by introducing the main techniques that are commonly used both on Windows machi
Introduction Hi everyone, I hope you are doing great. In this week's chapter we are going to continue the Active Directory series. Specifically, we are going to talk about how to pivot once we have gained access to a machine in the domain. But, wait a minute, what is pivoting really? Pivoting refers to the technique of using a compromised access point in a network to move to and access other systems or network segments that were not initially directly accessible. This technique is wid
Introduction Hello everyone, I hope you are doing well. We continue from the last chapter published in order to have an almost complete laboratory. Thanks to this article, you will learn several things that can be very useful. Among them, I highlight the use of subnets in Proxmox as well as the assignment of static IPs to the different machines we have already deployed. In addition, you will also learn how to redirect traffic so that the different subnets we create have access to
Introduction Hello everyone, I have been on vacation this August and that is why I have not uploaded any articles this last month. However, that ends this week as I am back to upload an article continuing the series on creating a hacking lab with Proxmox 😄. In this post we will see how to finish installing the drivers needed for Windows machines to work as well as the configuration needed to have a functional Active Directory where we can practice many of the attacks seen in the Active
Introduction In the previous chapters, we have developed exploits in simple contexts where they are easy to perform. But what happens if we have vulnerable code that, because of how it is programmed, we cannot exploit using the methods we have seen? In this chapter, we will solve this problem by adding another technique to our repertoire. Specifically, we will use our knowledge of dynamic function resolution through the GOT and PLT, seen in chapter 4, to bypass some restrictio
Introduction In this chapter we will see how the Kerberos authentication protocol works at a high level as well as the main attacks that can be performed today against this protocol. Likewise, we will see how we can replicate these techniques in our lab to really understand which configuration flaws give rise to these attacks. During the article I will mainly focus on using the scripts provided by “impacket”; however, I would like to point out that all th
Introduction In this chapter of the series, we will see how to put together the knowledge learned about shellcode and buffer overflow in order to get an interactive shell from a vulnerable program. In the process, we will learn basic use of pwndbg as well as more advanced use of the pwntools library. Vulnerable code and strategy As in chapter 5, we again have a program vulnerable to buffer overflow because of the “gets” function. In this chapter, we
Introduction Shellcode is one of the key aspects of exploiting a code vulnerability, as it allows, among other things, remote execution of commands on the machine running the vulnerable software. It could be considered the icing on the cake after having found a vulnerability in the code. For this reason, in this chapter we will look at different aspects of shellcode programming as well as some of the tools we can use to help us build it. What is a shellcode? A shellcode is
Introduction In this article, I am going to teach some concepts about how Python can be used for hacking web applications. To do this, I am going to use ipython3, which is nothing more than an interactive shell that allows you to run Python code. After reading the article, you will learn concepts that will help you improve your web hacking skills as well as some tricks related to ipython3. In addition, you will learn how to develop small functionalities that will make it easier for you
Introduction NTLM is a Microsoft proprietary protocol used for authentication between two Windows computers and was introduced as an improvement over the LM protocol, the latter having proved to be too insecure. It is a challenge-response protocol and allows a user to be authenticated without sending the password in plain text. Instead, what is sent is a response computed from the password hash and the challenge, known as the Net-NTLMv1 hash or Net-NTLMv2 hash (sometimes called the NTLM Response) depend
Introduction In this article, we will perform our first exploit of vulnerable code :). In addition, I will introduce dynamic code analysis. This is a very common technique that is often used when writing exploits, and I am sure it will be very useful in the future. So let's get started. Vulnerable Code To learn about this exploitation technique, we will make use of the following vulnerable code from exploit education. Our goal is to change the value of the variable "modified" so that
Introduction In chapter 1 we introduced the three pillars of Active Directory, which are machines, users and domains. We have been talking quite a bit about Windows machines in the last few chapters, so we are going to leave this topic aside for now. The following chapters are going to focus on important user-related aspects that should be taken into account when performing pentesting exercises in these environments. During the explanation of these concepts, PowerSploit will be used (specifi
Introduction In this chapter, we are going to take a closer look at how dynamic library relocations are performed in ELF binaries. We will also begin to perform static analysis of the binary, as this will be useful when creating exploits. Finally, we will study the most important sections of a binary to understand and consider when writing exploits. Disassembly and decompilation Although we will not go much into disassembly-related concepts in this chapter, I will give a little intro
Introduction In this chapter, I will cover the authentication process performed on Windows systems, as well as an introduction to the different protocols that exist to perform this process. Having seen this, I will comment on where the secrets or user credentials are usually stored. Windows logon Windows requires a user to be authenticated and authorized in order to access a local or remote resource. The interactive process that collects the user's credentials and validates the
Introduction In chapter 1 we quickly introduced the process of compiling a binary. In this chapter, we will move on to experimenting with the gcc compiler to see this process more clearly and understand it at a low level. To do this, we will use the following C code, which we will examine in each of the phases of compilation of a binary. //main.c #include <stdio.h> #define FORMAT_STRING "%s" #define MESSAGE "Hello, world!\n" int main(int argc, char *argv[]) { printf(FORMAT_STR
Introduction APIs are very commonly used by web applications nowadays. That is why I am going to write a series of articles covering different hacking techniques related to them. What is an API? An Application Programming Interface (API) is a software interface that provides a computer-friendly method of interacting with a data source or backend logic. Normally, the results returned by the API after web requests are in plain text, usually XML or JSON, the latter being much more common
Introduction In this chapter, we are going to finish with the basic theory before we start to do more practical things. For this purpose, I am going to introduce the theory of function calling conventions at the assembly level. Function calling convention in x32 A function's frame refers to the space on the stack where its arguments, local variables and return address are stored. As new functions are called, new frames are added. These frames are removed as they are returned from their
Introduction Normally, in an Active Directory domain, most machines run the Windows operating system, and there are not only Domain Controllers. There are also workstations (Windows 10 / Windows 7 machines) and servers hosting applications (Windows Server machines). In today's post, we will focus on how to find these computers in the domain and how we can connect to them remotely. Windows computer discovery Using LDAP One of the first options that you can perform is to qu
Introduction In this series, I will share my experience learning about binary exploitation techniques. It is one of my weak points, as it is one of the most complex topics to start with, but this year (2023) I have decided to give it a try :P For this I have decided to follow the Nightmare course, which is fantastic from what I have seen so far. However, I will also use other resources that I will leave in the resources section. That said, let's get started! The compilation Process The compilation pro
Domain Controllers As we discussed in the previous chapter, the Domain Controller is the central server that provides the Active Directory Domain Services (AD DS). This means that it is the one that maintains the database where all the domain objects are stored, in addition to providing different services for authorization, authentication, etc. This database is called New Technologies Directory Services (NTDS) and its file is located in the path "C:\Windows\NTDS". If someone gets this file
Introduction In this series, I will show you how to create a lab to practice hacking techniques. This first post is going to focus on setting up a basic Windows hacking practice environment using Proxmox. However, soon I also plan to show how to better configure the lab network, how to extend it for pivoting or web hacking, etc. What is Proxmox? Proxmox is a type 1 hypervisor. A hypervisor is nothing more than software that allows multiple Virtual Machines (VMs) to ru
Introduction to the series The first post of this blog will be dedicated to how Active Directory works. It is one of the topics that I like the most and that is most often found in offensive security projects. A year ago, I started a project called Igris, which is a tool written in Python whose purpose is to help in testing Active Directory security. It is currently stopped because I am re-engineering it in the Nim programming language. However, it may be useful as a b