In this case, we will look into how we can use LLMNR poisoning to get the hash for a specific user and crack it in order to gain access. We have a domain called master.loc where the domain controller is dc1. The client workstation is client1. LLMNR (Link-Local Multicast Name Resolution) is a protocol used to discover hosts present on the network. In our scenario, we will try to access a fileserver called wow.

Themebleed exploit

init

Let's try to exploit the yet-another-windows-vulnerability known as CVE-2023-38146 aka ThemeBleed. To do that we need to create the theme file, which will contain the “path” from where the payloads will be delivered. Please note that as per my testing, the command execution only happens if both the SMB server and the theme file are on the same machine. Pulling DLL(s) from a remote system appears not to work. On the attacker machine, you will need to disable SMB by disabling the Server service from Services.

init

The primary objective of this writeup is to check if an attacker can use this technique to bypass UAC and gain additional privilege using ONLY a Command / PowerShell window obtained from a reverse shell. User Account Control (UAC) in Windows is a “feature” (do not know how to attribute it) which can be used to prevent a user from making unwanted changes to the system. When running an application with privileged permissions, Windows asks the user if the action is actually legit.

Follina exploit

In this tutorial we will go through the very easy to exploit Follina (CVE-2022-30190), which can be used to perform command execution. This is an easy-to-build exploit, as commands can be executed on the remote system without any prompt. As this exploit does not require any macro, and its development is not complex, attackers can easily use it to enter an enterprise network via email, with the file opened using Microsoft Office.

The log4j vulnerability can have a significant impact on the security of a system. It gives remote command execution on the target system, which can cause significant damage. This attack vector has been used by various threat actors, who were able to breach various servers and execute commands. It is strongly advised that system administrators update their systems as soon as possible.

summary

On December 10th, 2021, the National Vulnerability Database (NVD) published CVE-2021-44228, documenting a vulnerability in the Apache log4j library's Java Naming and Directory Interface (JNDI) lookup feature that allows remote code execution by an attacker who is able to manipulate log messages.

rezaur rahman

just thinking out loud to help others

cybersecurity researcher

Mars