[#thread 🧵] For this 23rd day of #CyberAdvent, we will talk about the LDAP structure and its naming contexts. 🦋
[#thread 🧵(2/10) ] LDAP is a directory structure (a tree) containing objects with their attributes:
[#thread 🧵(3/10) ] You can search for objects in the LDAP with a query on a specified base object and a search scope. In return, you will then get a list of matching objects with the attributes you selected.
[#thread 🧵(4/10) ] There is three values for the search scope, BASE, LEVEL, SUBTREE.
- BASE: Only search in the given object.
- LEVEL: Search in the objects at the same level as the the given object.
- BASE: Search in the subtree of the given object.
[#thread 🧵(5/10) ] When I wrote ldap2json, I was trying to export the whole LDAP data all at once, so I decided to use a SUBTREE search on the DC=LAB,DC=local root object of my domain and I got a weird behavior:
[#thread 🧵(6/10) ] I noticed CN=Configuration,DC=LAB,DC=local did not appear in the results of SUBTREE search on DC=LAB,DC=local. But I could request it directly without problems. Why shouldn't they appear in the results ? Yesterday @cnotin pointed me towards naming contexts.
[#thread 🧵(7/10) ] The naming contexts (or directory partitions) are independent partitions of data inside the LDAP, hence we cannot find them in a SUBTREE query as we would have to switch partitions to access them.
[#thread 🧵(8/10) ] Fortunately, the list of naming contexts is given in the RootDSE object of the LDAP server and returned when we connect to it. I was able to get all of the naming contexts easily from the ldap_server object like this:
[#thread 🧵(9/10) ] Therefore in order to dump the whole LDAP data, I first needed to execute a query on RootDSE to get the list of naming contexts, and then iterate over the naming contexts to dump the data of each partition:
[#thread 🧵(10/10) ] I hope this thread has helped you understand the naming contexts! I was really confused about this until @cnotin explained it to me. Many thanks to him 🥳🎉
• • •
Missing some Tweet in this thread? You can try to
force a refresh
On the left I have my attacking machine and on the right I have a Windows Server that I use as a Domain Controller.
[#thread 🧵] In the top left terminal of my attacking machine is the program to exploit this new vulnerability.
In the bottom left is Responder, a tool allowing to mimic the authentication step of many windows protocols in order to show the hashes (NTLMv1, NTLMv2, etc ...)
Simple! This tool mounts the ISO file to a temporary location, and extract the xml file [1].xml from the Windows imaging (WIM) image in ./sources/boot.wim:
[#thread 🧵] Last week in #Microsoft#PatchTuesday, a critical vulnerability was patched that theoretically allows attackers to achieve Remote Code Execution on a target #IIS server (CVE-2022-21907). I'll explain how it works in this thread ⬇️
First of all, it is important to know that this vulnerability is a sibling of CVE-2021-31166 disclosed in May of last year. These two vulnerabilities occur in the parsing of HTTP headers of an incoming request, within the http.sys driver.
To understand what happens in a kernel driver crash, It's important to analyze the kernel #crashdump generated at the moment of the blue screen! Let's open it in #WinDbg and analyze it!
[#thread 🧵] For this 20th day of #CyberAdvent we'll be talking about the Local Admin Password Solution #LAPS of Microsoft, and how it can be used to reduce the risk of network pivoting of attackers.
[#thread 🧵(2/6)] One of the common vulnerabilities found in Windows domains is a distributed local administrator on the workstations (sometimes even servers). This means that if an attacker compromises one machine, all the machines with the same administrator password are owned.
[#thread 🧵(3/6)] The attacker can then connect to all the other machines of the network using LM:NT hashes found on one compromised host! 😅
[#thread 🧵] For this third day of #CyberAdvent (3/24), I'll tell you a story. The story of how I gained root access to a server by leveraging a really fun feature in a web application. This #pentest#writeup will explain the complete process from recon to root. 🦋
[#thread 🧵(2/9)] In the recon phase of my pentest, as usual I was performing a port scan. In the output from nmap, I saw an uncommon port 86 with an HTTP server running "Micro Focus DSD 1.0.0":
[#thread 🧵(3/9)] When going on the page from a browser, surprise 🥳🎉 we have an unauthenticated access! This is cool, but I never saw this app before so I didn't know whether we could exploit it simply or not!
[#thread 🧵] For this second day of #CyberAdvent (2/24), we will be talking about a common #PrivilegeEscalation when using the * (wildcard) in shell scripts. Almost everyone has used at least once the * (wildcard) in a shell script but what really happens with the #wildcard ? 🦋
[#thread 🧵(2/7)] We will take as an example this shell script, performing a backup of a website using tar and a wildcard:
[#thread 🧵(3/7)] In this script, the shell replaces the wildcard with matching files from the current directory then executes the command. The * character is never sent to the command (TAR in our case) instead a list of matched files will be sent as arguments to the command.