Bypass Chrome TLS security checks

Normally an invalid certificate makes Google Chrome show an error page, and if the site has HSTS in place there is no way to click through it.
For normal users this is a good thing, but if you are the developer/admin and have locked yourself out because of a misconfigured server, or you are a pentester who wants to see the contents of a wrongly configured web server, this can be frustrating.

There is still a way to reach such pages, even though it is not available in the normal Google Chrome build: drive Chrome through Selenium.
For that you need the WebDriver library and the chromedriver binary.

1. Download the latest WebDriver: https://www.nuget.org/api/v2/package/Selenium.WebDriver/
2. Download the latest ChromeDriver: https://chromedriver.storage.googleapis.com/index.html (keep in mind that version 2.10 is higher than 2.9)
3. Open PowerShell and import the WebDriver using "Import-Module" (more precisely, the WebDriver.dll that matches your installed .NET version)
4. Unzip the chromedriver and place it inside "./bin/selenium.chromedriver/"
5. Use PowerShell or C# to launch a new browser instance:

$options = [OpenQA.Selenium.Chrome.ChromeOptions]::new()
# Let the session continue past certificate errors (the point of this exercise).
$options.AcceptInsecureCertificates = $true
# The first constructor argument is the directory containing chromedriver. (setBinary is the Java API;
# the .NET equivalent, BinaryLocation, points at chrome.exe itself and is only needed for a non-default install.)
$driver = [OpenQA.Selenium.Chrome.ChromeDriver]::new('./bin/selenium.chromedriver', $options)

Or use this script to install everything inside your current directory:

function Install-PSArchive {
    param()
    $null = Install-PackageProvider -Name PowerShellGet -Force -Scope CurrentUser
    Install-Module -Name 'Microsoft.PowerShell.Archive' -Force -Repository PSGallery -Scope CurrentUser -WarningAction SilentlyContinue
}

function Install-Selenium {
    param($ChromeSeleniumVersion = '2.45')
    Invoke-WebRequest -Uri 'https://www.nuget.org/api/v2/package/Selenium.WebDriver/' -UseBasicParsing -OutFile './selenium.webDriver.nupkg.zip'
    # Without -DestinationPath, Expand-Archive unpacks into ./selenium.webDriver.nupkg
    Expand-Archive -Path ./selenium.webDriver.nupkg.zip -Force
    $null = New-Item -Name './lib/selenium.webDriver' -ItemType Directory -Force
    Copy-Item -Path ./selenium.webDriver.nupkg/lib/netstandard2.0/WebDriver.dll -Destination ./lib/selenium.webDriver -Force
    Copy-Item -Path ./selenium.webDriver.nupkg/lib/netstandard2.0/WebDriver.xml -Destination ./lib/selenium.webDriver -Force
    Remove-Item -Recurse -Force -Path './selenium.webDriver.nupkg'
    Remove-Item -Recurse -Force -Path './selenium.webDriver.nupkg.zip'

    $ChromeSeleniumURLLinux = 'https://chromedriver.storage.googleapis.com/{0}/chromedriver_linux64.zip' -f $ChromeSeleniumVersion
    $ChromeSeleniumURLMacOS = 'https://chromedriver.storage.googleapis.com/{0}/chromedriver_mac64.zip' -f $ChromeSeleniumVersion
    $ChromeSeleniumURLWindows = 'https://chromedriver.storage.googleapis.com/{0}/chromedriver_win32.zip' -f $ChromeSeleniumVersion
    # $IsWindows only exists in PowerShell Core; Windows PowerShell 5.x is always on Windows.
    If ($IsWindows -or $PSVersionTable.PSVersion.Major -lt 6) {
        Invoke-WebRequest -Uri $ChromeSeleniumURLWindows -UseBasicParsing -OutFile 'chromedriver.zip'
    }
    elseif ($IsLinux) {
        Invoke-WebRequest -Uri $ChromeSeleniumURLLinux -UseBasicParsing -OutFile 'chromedriver.zip'
    }
    elseif ($IsMacOS) {
        Invoke-WebRequest -Uri $ChromeSeleniumURLMacOS -UseBasicParsing -OutFile 'chromedriver.zip'
    }
    else {
        Write-Error -Message 'Platform not supported.'
        return   # nothing was downloaded, so there is nothing to unpack
    }
    $null = New-Item -Name './bin/selenium.chromedriver' -Force -ItemType Directory
    Expand-Archive -Path 'chromedriver.zip' -Force -DestinationPath ./bin/selenium.chromedriver
    Remove-Item -Recurse -Force -Path './chromedriver.zip'
    If ($IsLinux -or $IsMacOS) {
        chmod a+x ./bin/selenium.chromedriver/chromedriver
    }
}

function Install-HtmlAgilityPack {
    param()
    Invoke-WebRequest -Uri 'https://www.nuget.org/api/v2/package/HtmlAgilityPack/' -UseBasicParsing -OutFile ./HtmlAgilityPack.zip
    # Without -DestinationPath, Expand-Archive unpacks into ./HtmlAgilityPack
    Expand-Archive -Path './HtmlAgilityPack.zip' -Force
    $null = New-Item -Name './lib/HtmlAgilityPack' -ItemType Directory -Force
    Copy-Item -Path ./HtmlAgilityPack/lib/netstandard2.0/HtmlAgilityPack.dll -Destination ./lib/HtmlAgilityPack -Force
    Copy-Item -Path ./HtmlAgilityPack/lib/netstandard2.0/HtmlAgilityPack.xml -Destination ./lib/HtmlAgilityPack -Force
    Remove-Item -Force -Recurse -Path './HtmlAgilityPack'
    Remove-Item -Force -Recurse -Path './HtmlAgilityPack.zip'
}

Install-PSArchive
Import-Module -Name 'Microsoft.PowerShell.Archive'
Install-Selenium
Import-Module './lib/selenium.webDriver/WebDriver.dll'

# If you need to parse HTML inside your scripts and want cross-platform functionality (or Internet Explorer is not available),
# you also need HtmlAgilityPack: on Windows, PowerShell's own HTML parsing (Invoke-WebRequest's ParsedHtml) relies on Internet Explorer.
Install-HtmlAgilityPack
Import-Module './lib/HtmlAgilityPack/HtmlAgilityPack.dll'
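The following is an added example, not code from the original post. It assumes the install script above has run (WebDriver.dll imported, chromedriver in ./bin/selenium.chromedriver) and that Chrome is installed; the host name in the usage lines is a placeholder. It first performs a plain TLS handshake and reports why the certificate would be rejected (name mismatch, untrusted chain, expiry), so you know what you are bypassing, and only then opens the page through chromedriver with the acceptInsecureCerts capability set.

```powershell
# Added example; not from the original post. Assumes WebDriver.dll is imported and
# chromedriver lives in ./bin/selenium.chromedriver. Host names below are placeholders.

function Get-TlsValidationErrors {
    # Performs a TLS handshake and records .NET's certificate verdict instead of failing,
    # so you can see whether the problem is a name mismatch, chain error or expired cert.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $result = [ordered]@{ Host = $HostName; Subject = $null; Issuer = $null; NotAfter = $null; Errors = 'not connected' }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        # e.g. 'RemoteCertificateNameMismatch, RemoteCertificateChainErrors' or 'None'
        $result.Errors   = $sslPolicyErrors.ToString()
        return $true   # accept so the handshake completes; the stream is closed right after
    }
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    }
    finally { $client.Dispose() }
    [pscustomobject]$result
}

function Open-WithInsecureCertificates {
    # Drives Chrome through chromedriver with acceptInsecureCerts, which is what lets the
    # session continue past certificate errors (HSTS included), and returns the page content.
    param(
        [Parameter(Mandatory)] [string] $Url,
        [string] $DriverDirectory = (Join-Path $PWD 'bin/selenium.chromedriver')
    )
    $options = [OpenQA.Selenium.Chrome.ChromeOptions]::new()
    $options.AcceptInsecureCertificates = $true
    $driver = [OpenQA.Selenium.Chrome.ChromeDriver]::new($DriverDirectory, $options)
    try {
        $driver.Navigate().GoToUrl($Url)
        [pscustomobject]@{
            Title = $driver.Title
            Url   = $driver.Url
            Text  = $driver.FindElement([OpenQA.Selenium.By]::TagName('body')).Text
        }
    }
    finally { $driver.Quit() }   # always close the browser, even if navigation throws
}

# Usage (placeholder host): first see what is wrong with the certificate, then open the page anyway.
Get-TlsValidationErrors -HostName 'intranet.example.test'
Open-WithInsecureCertificates -Url 'https://intranet.example.test/'
```

Running the diagnostic first matters in practice: a name mismatch on a server you administer is a configuration bug you fix, while an untrusted chain on a host you did not expect to be self-signed is something you want to notice rather than click through.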

Using Amazon Windows Images

If you have tried some Windows images on AWS, you may have noticed that they have no password set. In fact, their agent fails to set one.

I tried multiple ways to reset the password after support told me that in order to help me I would first need to buy a higher support level…

The simplest and easiest one is usually the utilman.exe trick, but as AWS does not allow you to interact with the console session, this is out of scope.

So I tried different autostart locations, but most are only invoked after a user has logged on.

Mounting the volume on another instance and editing the registry to add a custom service was one remaining possibility, and it worked great.

What you need to do:

    1. Spawn one of the buggy instances and one "2016 Base Datacenter" instance
    2. Start the buggy instance once to check whether Amazon has fixed the bug and you receive the admin password.
    3. If the bug is still there, stop this instance again (do not terminate it!)
    4. Go to Volumes, detach the volume, and attach it to the Server 2016 instance as 'xvdf'
    5. Remote into the 2016 instance as usual
    6. Open Disk Management
    7. Switch the second drive online (and keep the window open for later)
    8. Open Regedit
    9. Load the SYSTEM hive from the offline Windows as 'offline.SYSTEM'.
    10. Copy the following text into a file a.reg on the desktop (the ImagePath value is the REG_EXPAND_SZ encoding of a cmd.exe command that sets the Administrator password used in step 18; Start=2 makes the service start automatically, ObjectName=LocalSystem runs it as SYSTEM).
      Windows Registry Editor Version 5.00
      
      [HKEY_LOCAL_MACHINE\offline.SYSTEM\ControlSet001\Services\test]
      "Type"=dword:00000010
      "Start"=dword:00000002
      "ErrorControl"=dword:00000000
      "ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,\
        73,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,\
        00,64,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,00,43,00,20,00,6e,00,65,00,\
        74,00,20,00,75,00,73,00,65,00,72,00,20,00,41,00,64,00,6d,00,69,00,6e,00,69,\
        00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,20,00,50,00,40,00,73,00,73,00,\
        77,00,30,00,72,00,64,00,00,00
      "DisplayName"="test"
      "ObjectName"="LocalSystem"
      "Description"="Test"
      "FailureActions"=hex:10,0e,00,00,00,00,00,00,00,00,00,00,15,00,00,00,14,00,00,\
        00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,\
        01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,\
        00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,\
        00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,\
        00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,\
        88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,\
        13,00,00,01,00,00,00,88,13,00,00,00,00,00,00,88,13,00,00
      
    11. Apply these registry keys to the registry by double-clicking the file.
    12. Unload the hive
    13. Switch the drive offline again
    14. Make sure RDP to the buggy instance is only reachable from your IP (not 0.0.0.0/0) before continuing.
    15. Detach the drive from the 2016 instance.
    16. Attach the drive to the buggy instance as '/dev/sda1' (yes, it is Windows, but you need to specify this here, or the instance is unable to start)
    17. Start the buggy instance.
    18. Connect to it with "Administrator" and "P@ssw0rd"
    19. Open Regedit and delete 'HKLM\SYSTEM\ControlSet001\Services\test'
    20. Set a secure password
    21. Install OpenSSH: https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH
    22. Add your public key to "C:\Users\Administrator\.ssh\authorized_keys"
    23. Remove the ports TCP 3389 and UDP 3389 from your security group. It is not recommended to have RDP publicly available on the internet (if you still want to connect over the public internet, set up a Remote Desktop Gateway: it is intended to be publicly accessible and, in combination with ADFS, allows one-time passwords for pre-authentication).
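Two checks around the offline-registry step, as an added example that is not part of the original post: decoding what a .reg file's hex(2) ImagePath actually runs before you load it into a hive, and listing services whose ImagePath starts a command interpreter, which is how you confirm the temporary 'test' service really is gone after step 19 (and that nothing similar was left behind by someone else). Windows only; the registry paths are the ones from the steps above, the sample .reg text is the page's own ImagePath value.

```powershell
# Added example; not from the original post. Decodes REG_EXPAND_SZ hex(2) values from a .reg
# file and audits a Services key for interpreter-launching services. Windows only.

function ConvertFrom-RegHexString {
    # Turns a .reg "hex(2):" value (line continuations included) into the UTF-16 string
    # the registry will hold, so an opaque ImagePath can be read before the hive is changed.
    param([Parameter(Mandatory)] [string] $RegValueText)
    $hex   = $RegValueText -replace '^\s*"[^"]*"=hex\(2\):', '' -replace '[\\\s]', ''
    $bytes = [byte[]]($hex -split ',' | Where-Object { $_ -ne '' } | ForEach-Object { [Convert]::ToByte($_, 16) })
    [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

function Get-ShellLaunchingService {
    # Lists services whose ImagePath runs cmd/PowerShell/script hosts directly. For the hive
    # loaded in step 9 pass 'HKLM:\offline.SYSTEM\ControlSet001\Services'; the default is the live system.
    param([string] $ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    Get-ChildItem -Path $ServicesKey -ErrorAction Stop | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ImagePath -match '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe') {
            [pscustomobject]@{
                Name       = $_.PSChildName
                Start      = $p.Start        # 2 = automatic start at boot
                ObjectName = $p.ObjectName   # account the service runs as
                ImagePath  = $p.ImagePath
            }
        }
    }
}

# Usage 1: read the ImagePath from the .reg text in step 10 before applying it.
$imagePath = @'
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,\
  73,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,\
  00,64,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,00,43,00,20,00,6e,00,65,00,\
  74,00,20,00,75,00,73,00,65,00,72,00,20,00,41,00,64,00,6d,00,69,00,6e,00,69,\
  00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,20,00,50,00,40,00,73,00,73,00,\
  77,00,30,00,72,00,64,00,00,00
'@
ConvertFrom-RegHexString -RegValueText $imagePath   # prints the command line the 'test' service would run

# Usage 2: after step 19, confirm no interpreter-launching service remains on the live system.
Get-ShellLaunchingService | Format-Table -AutoSize
```

The second function is also a reasonable thing to run against any hive you did not build yourself: a service that starts cmd.exe as LocalSystem at boot is exactly the shape of this password reset, and of persistence left by someone who did the same thing without your knowledge.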

Hacking an SQL-Server

Basically, if you are admin you own everything.

So how would you access a SQL Server if you have no SQL permissions but are an administrator on the system the SQL Server is running on?

You can abuse the fact that the SQL Server has to have at least one account with the necessary permissions. Often this is the local system user.

  1. So just become SYSTEM using psexec (or anything else): psexec -s cmd.exe
  2. Search for your local SQL instance: osql -L
  3. Connect to your SQL Server using your current (SYSTEM) credentials: osql -S <InstanceName> -E
  4. If the connection is successful, just enable the sa account and set a new password for it. After that you can use SQL Server Management Studio to administer all permissions:
    /* Enable the sa login. SQL logins additionally need mixed-mode authentication, a server setting this statement does not change. */
    ALTER LOGIN sa ENABLE;
    GO
    /* Reset the password, requires CONTROL SERVER permission */
    ALTER LOGIN sa WITH PASSWORD = '<newPassword>';
    GO
    /* Alternative way to set the sa password (sp_password is deprecated) */
    sp_password NULL, '<newPassword>', 'sa';
    GO

    /* To add a Windows user to the sysadmin role do this
       (sp_addsrvrolemember is deprecated; ALTER SERVER ROLE sysadmin ADD MEMBER is the current form) */
    CREATE LOGIN [DOMAIN\USER] FROM WINDOWS;
    GO
    EXEC sp_addsrvrolemember 'DOMAIN\USER', 'sysadmin';
    GO

    If the above throws an access denied error, try a different user, for example the MSSQL service user: use Process Hacker to run a command prompt in the context of that user and try again. If that also fails, check whether any application accessing the database has an account with too many permissions (e.g. Server Admin instead of db_owner) and try that one.

  5. If none of that helps, you have one last way into the database, but it causes downtime.
  6. Stop your SQL Server services (Server, Browser, Agent, …) and open an elevated cmd.
  7. Navigate to the folder containing the service executable and start it with the parameter "-m" for single-user mode, in which a member of the local Administrators group can connect as sysadmin without further authentication. Once the server is back up, do step 4, then stop the server and restart the services you stopped earlier.

WARNING: BY DOING STEP 7 EVERYBODY COULD GAIN FULL ACCESS TO YOUR SERVER, DEPENDING ON YOUR INFRASTRUCTURE YOU MAY WANT TO BLOCK REMOTE CONNECTIONS ON THE WINDOWS FIREWALL WHILE PERFORMING THIS STEP
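As an added example (not from the original post), here is the defender's side of the section: an audit that reports the conditions steps 1 to 4 rely on, namely which Windows account the SQL Server services run as, whether sa is enabled, whether mixed-mode authentication is on, and who holds the sysadmin role. It assumes Windows PowerShell on the SQL host with the built-in System.Data.SqlClient and a login that can read sys.server_principals; the instance name is a placeholder.

```powershell
# Added example; not from the original post. Audits the SQL Server conditions the
# section relies on. Instance names are placeholders.

function Get-SqlServiceAccount {
    # Which Windows account each SQL Server service runs as. 'LocalSystem' here is what
    # the psexec -s route in steps 1 to 3 depends on.
    Get-CimInstance -ClassName Win32_Service `
        -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name = 'SQLBrowser'" |
        Select-Object Name, StartMode, StartName, State
}

function Get-SqlSysadminAudit {
    # Returns one row per finding: sa enabled/disabled, every sysadmin member, and the auth mode.
    param([string] $Instance = 'localhost')   # e.g. 'HOST\INSTANCE'
    $query = @"
SELECT 'sa_disabled' AS kind, name, CAST(is_disabled AS int) AS flag
  FROM sys.server_principals WHERE name = 'sa'
UNION ALL
SELECT 'sysadmin_member', p.name, 0
  FROM sys.server_role_members rm
  JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
  JOIN sys.server_principals p ON rm.member_principal_id = p.principal_id
 WHERE r.name = 'sysadmin'
UNION ALL
SELECT 'windows_auth_only', '', CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
"@
    $conn = [System.Data.SqlClient.SqlConnection]::new("Server=$Instance;Integrated Security=SSPI;Encrypt=False")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{ Kind = $reader['kind']; Name = $reader['name']; Flag = [int]$reader['flag'] }
        }
        $reader.Close()
    }
    finally { $conn.Close() }
}

function Test-SqlLocalSystemIsSysadmin {
    # True when NT AUTHORITY\SYSTEM holds sysadmin, i.e. any process running as SYSTEM on
    # the host (and therefore every local administrator) is effectively a SQL sysadmin.
    param([string] $Instance = 'localhost')
    $rows = Get-SqlSysadminAudit -Instance $Instance
    [bool]($rows | Where-Object { $_.Kind -eq 'sysadmin_member' -and $_.Name -eq 'NT AUTHORITY\SYSTEM' })
}

# Usage (placeholder instance)
Get-SqlServiceAccount | Format-Table -AutoSize
Get-SqlSysadminAudit -Instance 'localhost' | Format-Table -AutoSize
Test-SqlLocalSystemIsSysadmin -Instance 'localhost'
```

If the last call returns True, the separation between "Windows admin" and "SQL admin" on that host exists only on paper; removing sysadmin from the SYSTEM login (where no feature needs it) and running the services under a dedicated account closes the route the section describes, and the sa row tells you whether the legacy SQL login is even enabled.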

ntds.dit Auditing

While searching for a way to remotely force a Windows Update check, I accidentally found this: DSInternals
This looked very promising, so I checked out the linked blog and found this: Retrieving Active Directory Passwords Remotely

This might be useful in some disaster recovery scenarios (or for attackers to create Golden Tickets…), and it is a good argument to stop using the "Store password using reversible encryption" option, to encrypt, and to prevent unauthorized physical access to your Domain Controllers (including backups).

Advice:
– On Domain Controllers use BitLocker with a TPM
– Encrypt your backups
– Physical access control (for DCs and backups)

Note:
Golden Ticket attacks are not entry attacks. An attacker has to gain administrative rights on a Domain Controller in order to perform this attack.
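Two audits that follow from the advice above, as an added example that is not part of the original post or of DSInternals: which accounts still store their password with reversible encryption, and which principals hold the directory replication rights that remote password retrieval (as in the linked "Retrieving Active Directory Passwords Remotely" post) depends on. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain account that can read the domain object's ACL; the extended-right GUIDs are the well-known AD control access rights.

```powershell
# Added example; not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ReversibleEncryptionUser {
    # userAccountControl bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED, decimal 128) marks accounts whose
    # password is stored reversibly; the LDAP_MATCHING_RULE_BIT_AND filter tests that bit server-side.
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' -Properties userAccountControl |
        Select-Object SamAccountName, Enabled, DistinguishedName
}

function Get-ReplicationRightHolder {
    # Lists who may pull directory changes (including password hashes) over the replication
    # protocol from the domain naming context. GenericAll on the domain object implies them all.
    param([string] $DomainDn = (Get-ADDomain).DistinguishedName)
    $rights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    }
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    (Get-Acl -Path "AD:\$DomainDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $guid = $_.ObjectType.ToString()
            if ($rights.ContainsKey($guid)) {
                [pscustomobject]@{ Identity = $_.IdentityReference.Value; Right = $rights[$guid] }
            }
            elseif (($_.ActiveDirectoryRights -band $all) -eq $all) {
                [pscustomobject]@{ Identity = $_.IdentityReference.Value; Right = 'GenericAll (implies all replication rights)' }
            }
        } | Sort-Object Identity, Right -Unique
}

# Usage
Get-ReversibleEncryptionUser | Format-Table -AutoSize
Get-ReplicationRightHolder   | Format-Table -AutoSize
```

Expect the built-in administrator and domain controller groups in the second list; any other identity holding Get-Changes-All, or GenericAll on the domain object, should have a documented reason, because with those rights the password hashes leave the DC without anyone touching the disk, the backups, or the console.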