From dca2edc667497802d548d36fd95230a888e70a76 Mon Sep 17 00:00:00 2001 
From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Wed, 13 Aug 2025 10:38:22 +1000 Subject: [PATCH 1/4] Adding pentest templates for internal infrastructure and AD --- .../guidance.md | 5 ++++ .../recommendations.md | 5 ++++ .../template.md | 21 +++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 6 +++++ .../template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 15 +++++++++++ .../template.md | 21 +++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 6 +++++ .../template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 5 ++++ .../template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 4 +++ .../template.md | 20 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 4 +++ .../template.md | 26 +++++++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 4 +++ .../template.md | 21 +++++++++++++++ .../weak_machine_account_password/guidance.md | 5 ++++ .../recommendations.md | 9 +++++++ .../weak_machine_account_password/template.md | 21 +++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 5 ++++ .../template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 21 +++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 21 +++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 7 +++++ .../template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 17 ++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 5 ++++ .../template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ 
.../template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 17 ++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 5 ++++ .../template.md | 21 +++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 17 ++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 17 ++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 17 ++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 17 ++++++++++++ 75 files changed, 726 insertions(+) create mode 100644 submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/guidance.md create mode 100644 submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/recommendations.md create mode 100644 submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/template.md create mode 100644 submissions/description/active_directory/excessive_domain_admin_membership/guidance.md create mode 100644 submissions/description/active_directory/excessive_domain_admin_membership/recommendations.md create mode 100644 submissions/description/active_directory/excessive_domain_admin_membership/template.md create mode 100644 submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/guidance.md create mode 100644 submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/recommendations.md create mode 100644 submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/template.md create mode 100644 submissions/description/active_directory/insecure_name_resolution_protocols_enabled/guidance.md create mode 100644 submissions/description/active_directory/insecure_name_resolution_protocols_enabled/recommendations.md create mode 100644 
submissions/description/active_directory/insecure_name_resolution_protocols_enabled/template.md create mode 100644 submissions/description/active_directory/insecure_service_account_management/guidance.md create mode 100644 submissions/description/active_directory/insecure_service_account_management/recommendations.md create mode 100644 submissions/description/active_directory/insecure_service_account_management/template.md create mode 100644 submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/guidance.md create mode 100644 submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/recommendations.md create mode 100644 submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/template.md create mode 100644 submissions/description/active_directory/passwords_found_within_domain_user_account_description/guidance.md create mode 100644 submissions/description/active_directory/passwords_found_within_domain_user_account_description/recommendations.md create mode 100644 submissions/description/active_directory/passwords_found_within_domain_user_account_description/template.md create mode 100644 submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/guidance.md create mode 100644 submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/recommendations.md create mode 100644 submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/template.md create mode 100644 submissions/description/active_directory/sensitive_data_in_domain_file_shares/guidance.md create mode 100644 submissions/description/active_directory/sensitive_data_in_domain_file_shares/recommendations.md create mode 100644 submissions/description/active_directory/sensitive_data_in_domain_file_shares/template.md create mode 100644 submissions/description/active_directory/user_does_not_require_preauthentication/guidance.md create mode 100644 
submissions/description/active_directory/user_does_not_require_preauthentication/recommendations.md create mode 100644 submissions/description/active_directory/user_does_not_require_preauthentication/template.md create mode 100644 submissions/description/active_directory/weak_machine_account_password/guidance.md create mode 100644 submissions/description/active_directory/weak_machine_account_password/recommendations.md create mode 100644 submissions/description/active_directory/weak_machine_account_password/template.md create mode 100644 submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/guidance.md create mode 100644 submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/recommendations.md create mode 100644 submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/template.md create mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/guidance.md create mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/recommendations.md create mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/template.md create mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/guidance.md create mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/recommendations.md create mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/template.md create mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/guidance.md create mode 100644 
submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/recommendations.md create mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/template.md create mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/guidance.md create mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/recommendations.md create mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/template.md create mode 100644 submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/guidance.md create mode 100644 submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/recommendations.md create mode 100644 submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/template.md create mode 100644 submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/guidance.md create mode 100644 submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/recommendations.md create mode 100644 submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/template.md create mode 100644 submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/guidance.md create mode 100644 submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/recommendations.md create mode 100644 submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/template.md create mode 100644 submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/guidance.md 
create mode 100644 submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/recommendations.md create mode 100644 submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/template.md create mode 100644 submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/guidance.md create mode 100644 submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/recommendations.md create mode 100644 submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/template.md create mode 100644 submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/guidance.md create mode 100644 submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/recommendations.md create mode 100644 submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/template.md create mode 100644 submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/guidance.md create mode 100644 submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/recommendations.md create mode 100644 submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/template.md create mode 100644 submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/guidance.md create mode 100644 submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/recommendations.md create mode 100644 submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/template.md create mode 100644 submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/guidance.md create mode 100644 
submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/recommendations.md create mode 100644 submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/template.md
diff --git a/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/guidance.md b/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/recommendations.md b/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/recommendations.md
new file mode 100644
index 00000000..1b9cf4e4
--- /dev/null
+++ b/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/recommendations.md
@@ -0,0 +1,5 @@
+# recommendation(s)
+
+Disable Unconstrained Delegation on the affected system/account. Where delegation is strictly necessary, consider migrating more restrictive delegation types (such as Resource-Based Constrained Delegation (RBCD)).
+
+Ensure that highly privileged accounts are protected from delegation by enabling the "Account is sensitive and cannot be delegated" option in Active Directory.
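Review bot: The second sentence of the recommendation is missing a word and reads as if RBCD were a drop-in replacement; it should say `consider migrating to more restrictive delegation types (such as Resource-Based Constrained Delegation (RBCD)), noting that each downstream service must be explicitly re-configured`. The final paragraph covers only the per-account "sensitive and cannot be delegated" flag; membership of the Protected Users security group also prevents delegation of an account and is the more robust domain-wide control for privileged users, so it is worth a sentence here. Mentioning regular enumeration of accounts and computers with the unconstrained-delegation setting would give the reader a way to verify the fix has not regressed.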
diff --git a/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/template.md b/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/template.md
new file mode 100644
index 00000000..5815df37
--- /dev/null
+++ b/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/template.md
@@ -0,0 +1,21 @@
+A system configured with unconstrained delegation was compromised during the assessment, leading to domain privilege escalation.
+
+Unconstrained delegation is a Kerberos feature introduced with Server 2000 which allows a service to impersonate any user who authenticates to it and subsequently access any other service in the domain on behalf of that user. This is a highly permissive configuration and the least restrictive form of delegation available in an active directory environment.
+
+When a user authenticates to a service configured with unconstrained delegation, the Key Distribution Center (KDC) issues a Ticket-Granting Ticket (TGT) for the user, and a copy of this TGT is forwarded to and stored in the memory of the delegating service. If this delegating service account is compromised, an attacker can extract these cached TGTs. With a user's TGT, the attacker can then request service tickets for any service within the domain, effectively impersonating that user to any resource.
+
+Rather than waiting for a highly privileged user to authenticate to the service, unconstrained delegation is usually combined with authentication coercion techniques where the target account is forcibly triggered to authenticate to the controlled service. A typical abuse pathway is to coerce authentication from a Domain Controller (DC) machine account, which is then leveraged to perform a DCSync attack. The DCSync simulates the replication process of one DC to another in order to retrieve the stored credentials/hashes of domain-wide user accounts. With access to these hashes, the attacker can then forge additional TGT’s on behalf of any arbitrary user in the domain (including privileged domain administrator accounts), resulting in full domain compromise.
+
+**Business Risk**
+
+This vulnerability could be abused by an attacker to gain unauthorised access to any user account, effectively leading to full domain compromise.
This could result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/excessive_domain_admin_membership/guidance.md b/submissions/description/active_directory/excessive_domain_admin_membership/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/excessive_domain_admin_membership/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/excessive_domain_admin_membership/recommendations.md b/submissions/description/active_directory/excessive_domain_admin_membership/recommendations.md
new file mode 100644
index 00000000..21b1c07e
--- /dev/null
+++ b/submissions/description/active_directory/excessive_domain_admin_membership/recommendations.md
@@ -0,0 +1,6 @@
+# recommendation(s)
+
+The Domain Administrators group should contain only accounts that strictly require such authority to complete their roles. The accounts themselves should be used infrequently, so as to further reduce the chance of compromise.
+
+Ensure that regular auditing of security group membership and user access rights is undertaken to prevent unnecessary permissions from being granted to user accounts.
+ \ No newline at end of file
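Review bot: The second paragraph of the template refers to `Server 2000` and to an `active directory environment`; the product name is `Windows Server 2000` and `Active Directory` is capitalised everywhere else in the file, so both should be corrected. In the fourth paragraph `TGT’s` is a plural, not a possessive, and should read `TGTs`. The first sentence of the hunk ("A system configured with unconstrained delegation was compromised") asserts a finding rather than describing the weakness, which differs from the other templates in this commit that open with a description; consider `A system configured with unconstrained delegation was identified, which can lead to domain privilege escalation if that system is compromised`.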
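Review bot: The last line of recommendations.md appears to be whitespace-only and the file has no trailing newline (`\ No newline at end of file`), unlike the sibling files in this commit; drop the trailing `+ ` line and terminate the file with a newline. The recommendation says what the end state should be but not how to get there: add a sentence on using dedicated, separate administrative accounts and time-bound or just-in-time elevation instead of standing Domain Admins membership, which is what usually brings the count down in practice.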
diff --git a/submissions/description/active_directory/excessive_domain_admin_membership/template.md b/submissions/description/active_directory/excessive_domain_admin_membership/template.md
new file mode 100644
index 00000000..b2578875
--- /dev/null
+++ b/submissions/description/active_directory/excessive_domain_admin_membership/template.md
@@ -0,0 +1,19 @@
+The Active Directory (AD) domain had a large number of user accounts belonging to the highly privileged “Domain Admins” security group.
+
+The "Domain Admins" group possesses the highest level of administrative authority within an Active Directory domain, granting full control over all domain controllers, workstations, servers, and every object in the domain.
+
+Having an excessive number of Domain Admins (DA) enlarges the attack surface by presenting a broad range of high-value targets, in turn increasing the likelihood of domain compromise.
+
+**Business Risk**
+
+Having an excessive number of highly privileged accounts in the domain expands the attack surface and increases the risk of an attacker compromising the domain. In turn, this could allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/guidance.md b/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/guidance.md
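Review bot: The first paragraph quotes the group name with curly quotes (`“Domain Admins”`) while the second uses straight quotes (`"Domain Admins"`); pick one form, preferably straight quotes, since these templates are rendered through tooling where mixed typography shows up inconsistently. The abbreviation `(DA)` is introduced in the third paragraph but never used afterwards, so it can be dropped.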
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/recommendations.md b/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/recommendations.md
new file mode 100644
index 00000000..cc75dcb8
--- /dev/null
+++ b/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Install the KB2962486 patch on all affected systems to prevent new credentials from being placed in Group Policy Preferences. As this patch will not fix existing Group Policy Preference files, refer to the vendor security bulletin MS14-025, where Microsoft has provided a PowerShell script to detect existing stored passwords for removal.
diff --git a/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/template.md b/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/template.md
new file mode 100644
index 00000000..fdd66583
--- /dev/null
+++ b/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/template.md
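Review bot: The recommendation stops at patching and cleaning up SYSVOL, but the credentials already stored there were readable by every authenticated user and must be treated as compromised. Add a sentence such as `Reset the password of every account whose credential was found in a Group Policy Preference, and remove the affected preference items (the XML files carrying a cpassword attribute) from SYSVOL.` It is also worth saying that the KB2962486 update removes the ability to set passwords through the GPP editor only; it does not touch files already present, which the current wording implies but does not state plainly.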
@@ -0,0 +1,19 @@
+The Group Policy implementation was vulnerable to Microsoft Security Bulletin MS14-025, which allows an attacker to retrieve and decrypt passwords stored within Group Policy Preferences (GPP).
+
+In Older Windows servers, when GPP are used to deploy local user accounts, the passwords for these accounts are stored as encrypted strings within XML files (e.g., Groups.xml, Services.xml, ScheduledTasks.xml) hosted on the SYSVOL share. The private key used to encrypt the stored passwords has been publicly shared by Microsoft.
+
+As SYSVOL is accessible to all authenticated users, an attacker in possession of a domain account can search the SYSVOL share for XML files containing stored passwords. With access to the XML file(s), the attacker could then use the publicly available encryption key to decrypt the GPP password and retrieve the plaintext credential(s). This presents a trivial attack vector for a malicious user to escalate privileges or gain lateral movement within the domain.
+
+**Business Risk**
+
+An attacker could leverage the credentials obtained through this vulnerability to escalate privileges or exploit lateral movement vectors. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/guidance.md b/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/guidance.md
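Review bot: `The private key used to encrypt the stored passwords has been publicly shared by Microsoft` uses the wrong term: GPP protects the password with a fixed symmetric AES key, so there is no private key; `The AES key used to encrypt the stored passwords was published by Microsoft in its own documentation` is accurate. `In Older Windows servers` should be lower-case `older`, and the qualifier is misleading because the exposure depends on whether GPP items with stored passwords still exist in SYSVOL, not on the server version that hosts it today. The first sentence says the implementation "was vulnerable to Microsoft Security Bulletin MS14-025"; a bulletin is not something one is vulnerable to, so `was affected by the issue described in Microsoft Security Bulletin MS14-025` reads better.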
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/recommendations.md b/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/recommendations.md
new file mode 100644
index 00000000..ced9ce00
--- /dev/null
+++ b/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/recommendations.md
@@ -0,0 +1,15 @@
+# recommendation(s)
+
+Disable LLMNR and NBT-NS protocols across the network.
+
+To disable LLMNR, the Group Policy Object (GPO) “Turn off multicast name resolution” should be set to ‘Enabled’ and applied to all domain-joined devices.
+
+NBT-NS can be disabled on a network adaptor of a machine by navigating to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and selecting “Disable NetBIOS over TCP/IP”.
+
+Whilst there is no GPO to disable NBT-NS across the domain, as a workaround, the following PowerShell script can be added to Group Policy under the path: Computer Configuration > Policies > Windows Settings > Scripts > Startup > PowerShell:
+
+```
+
+Scripts.$regkey = “HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces”
+Get-ChildItem $regkey |foreach { Set-ItemProperty -Path “$regkey\$($_.pschildname)” -Name NetbiosOptions -Value 2 -Verbose}
+```
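Review bot: The PowerShell snippet in the fenced block is not valid as written: the `Scripts.` prefix on the assignment looks like a copy-paste remnant of the preceding "Scripts > Startup > PowerShell" path, so the first line should be `$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"`. Both lines use curly quotes (“ ”); PowerShell tolerates them, but they break when the script passes through editors or copy-paste that normalise typography, so straight quotes are the safer choice, and the fence should be tagged ```powershell with the stray blank line after the opening fence removed. The note that "there is no GPO to disable NBT-NS" is accurate only for a dedicated administrative template; the same `NetbiosOptions` value can also be pushed through Group Policy Preferences registry items, which is simpler to maintain than a startup script and worth mentioning as an alternative.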
diff --git a/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/template.md b/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/template.md
new file mode 100644
index 00000000..42289484
--- /dev/null
+++ b/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/template.md
@@ -0,0 +1,21 @@
+Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows protocols for name resolution – translating hostnames to IP addresses.
+
+Windows systems will fall back to name resolution via LLMNR and NBT-NS when DNS (Domain Name System) has failed to resolve a hostname in the local network. To resolve hostnames, these protocols initiate a broadcast message to the network requesting the address of the resource it needs.
+
+An attacker situated within the same network segment can exploit LLMNR and NBT-NS queries by replying with spoofed responses impersonating the requested hostname. This process, known as poisoning, tricks victims into communicating with the attacker-controlled system. If the query is for a resource that requires authentication (such as a fileshare), the victim's system will send the user’s Net-NTLM(v1/2) hash to the attacker's machine.
+
+After poisoning a hostname resolution query, an attacker can proceed by attempting to crack the retrieved password hash offline using brute force methods. More commonly, the attacker will relay the authentication to another target in order to perform actions on the targeted system with the privileges of the impersonated user.
+
+**Business Risk**
+
+This vulnerability could allow an unauthenticated attacker situated within the network to compromise domain user accounts and gain lateral movement across systems in the domain. In turn, this could allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
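Review bot: The template is named for "insecure name resolution protocols" generally but describes only LLMNR and NBT-NS; current Windows clients also fall back to mDNS, which is exposed to the same poisoning, so either the scope should be stated in the first paragraph or mDNS should be covered in both this template and the recommendations. `the victim's system will send the user’s Net-NTLM(v1/2) hash` is shorthand: what is sent is an NTLM challenge-response, and calling it a hash invites confusion with the stored NT hash, so `will complete an NTLM challenge-response (Net-NTLMv1/v2) with the attacker's machine` is clearer. The first paragraph also mixes a straight apostrophe in `victim's` with a curly one in `user’s`; the file should use one style.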
diff --git a/submissions/description/active_directory/insecure_service_account_management/guidance.md b/submissions/description/active_directory/insecure_service_account_management/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/insecure_service_account_management/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/insecure_service_account_management/recommendations.md b/submissions/description/active_directory/insecure_service_account_management/recommendations.md
new file mode 100644
index 00000000..423e6092
--- /dev/null
+++ b/submissions/description/active_directory/insecure_service_account_management/recommendations.md
@@ -0,0 +1,6 @@
+# recommendation(s)
+
+Ensure that service accounts follow the principle of least privilege such that only the minimum permissions necessary to perform their required functions are granted, thereby limiting their potential for misuse if compromised. A strong password policy should also be enforced, ensuring that all service account passwords are long, complex, and unique.
+
+For a more robust and sustainable solution, organizations should consider transitioning to the use of Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) wherever possible. These accounts offer automatic password management and rotation, in turn reducing administrative burden and preventing the risk of using weak or reused passwords.
+
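Review bot: "long, complex, and unique" gives the reader no target; since the template's attack is offline guessing against the ticket, the recommendation should state a concrete minimum length for accounts that cannot be moved to gMSAs (hardening guides commonly use 25 or more randomly generated characters) and note that the password must be rotated after the finding. It should also recommend restricting the account's Kerberos encryption types to AES via `msDS-SupportedEncryptionTypes` so that RC4-encrypted service tickets, which are the cheapest to attack offline, are no longer issued. The file ends with an empty `+` line that the other recommendations files do not have.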
diff --git a/submissions/description/active_directory/insecure_service_account_management/template.md b/submissions/description/active_directory/insecure_service_account_management/template.md
new file mode 100644
index 00000000..b88059b3
--- /dev/null
+++ b/submissions/description/active_directory/insecure_service_account_management/template.md
@@ -0,0 +1,19 @@
+Insecure service account management occurs when an overly privileged domain user is configured to run a service.
+
+
+
+When a domain account is configured to run a service, a Service Principal Name (SPN) is used in the domain to associate the service with a login account. Any valid (including low privileged) domain user can request an SPN for a registered service and receive a Kerberos service ticket that is signed with the NTLM password hash of the account running that service. This data can then be extracted and subjected to offline brute-force password guessing with the aim of recovering the account's plaintext password. This attack pathway is referred to as 'Kerberoasting' and is used by an adversary to escalate their privileges within a domain. Accounts which use short and non-complex passwords increase the likelihood of a successful Kerberoasting attack.
+
+**Business Risk**
+
+This vulnerability could allow a low-privileged malicious user to escalate their privileges over the domain. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in significant financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
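Review bot: `Any valid ... domain user can request an SPN for a registered service and receive a Kerberos service ticket that is signed with the NTLM password hash` misstates the mechanism: a user requests a service ticket for an SPN, and the ticket is encrypted, not signed, with a key derived from the service account's password (its NT hash when RC4 is negotiated). Suggested wording: `can request a Kerberos service ticket for any registered SPN; that ticket is encrypted with a key derived from the service account's password (the account's NT hash when RC4 is used)`. The three consecutive blank lines after the opening sentence look like the remains of a removed paragraph and should be collapsed to one, and the opening sentence itself ties the issue to an "overly privileged" user although the rest of the template is about weak passwords on any SPN-bearing account, so both conditions should be named.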
diff --git a/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/guidance.md b/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/recommendations.md b/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/recommendations.md
new file mode 100644
index 00000000..e2c8474e
--- /dev/null
+++ b/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/recommendations.md
@@ -0,0 +1,5 @@
+# recommendation(s)
+
+Apply the Microsoft security updates addressing CVE-2019-1040 and CVE-2019-1166 to the affected system. These patches modify how the server validates the MIC, preventing the bypass.
+
+Additionally, for comprehensive protection across the domain, consider enforcing signing requirements on all servers where possible.
diff --git a/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/template.md b/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/template.md
new file mode 100644
index 00000000..5f0bace0
--- /dev/null
+++ b/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/template.md
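Review bot: The second paragraph phrases signing as optional ("consider ... where possible"), yet it is the control that removes the relay risk regardless of MIC handling, and it does not say which protocols; replace it with `Require SMB signing on all hosts, and enforce LDAP signing and LDAPS channel binding on domain controllers, so that relayed NTLM authentication cannot be used even where the MIC is stripped.` Since the underlying weakness is NTLM itself, a closing sentence on reducing NTLM use in favour of Kerberos would round the recommendation off.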
@@ -0,0 +1,19 @@
+The server was vulnerable to a NT LAN Manager (NTLM) tampering vulnerability referred to as “Drop the Mic”, which allows Message Integrity Code (MIC) protections to be bypassed.
+
+The MIC is a cryptographic checksum designed to provide integrity protection for the NTLM authentication exchange. It serves as a protection mechanism against attempts to downgrade security features such as session signing which are negotiated during the exchange.
+
+Drop the Mic (CVE-2019-1040) and Drop the Mic 2 (CVE-2019-1166) are vulnerabilities which allow the protections provided by the MIC to be circumvented, in turn permitting the attacker to overcome session signing negotiation. As a result, affected servers which do not enforce session signing become vulnerable to NTLM relay attacks. In an NTLM relay attack, an attacker intercepts an NTLM authentication attempt from a client and "relays" it to the targeted server in order to perform actions with the privileges of the impersonated user.
+
+**Business Risk**
+
+This vulnerability could allow an unauthenticated attacker to gain a foothold on the domain or pursue lateral movement vectors using NTLM relay attack(s). In turn, this could allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/passwords_found_within_domain_user_account_description/guidance.md b/submissions/description/active_directory/passwords_found_within_domain_user_account_description/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/passwords_found_within_domain_user_account_description/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/passwords_found_within_domain_user_account_description/recommendations.md b/submissions/description/active_directory/passwords_found_within_domain_user_account_description/recommendations.md
new file mode 100644
index 00000000..4edfb56d
--- /dev/null
+++ b/submissions/description/active_directory/passwords_found_within_domain_user_account_description/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Remove passwords and other sensitive information from all AD user account description fields.
diff --git a/submissions/description/active_directory/passwords_found_within_domain_user_account_description/template.md b/submissions/description/active_directory/passwords_found_within_domain_user_account_description/template.md
new file mode 100644
index 00000000..5356d769
--- /dev/null
+++ b/submissions/description/active_directory/passwords_found_within_domain_user_account_description/template.md
@@ -0,0 +1,19 @@
+Active Directory (AD) user accounts were discovered with plaintext or easily decipherable passwords (or password fragments/hints) stored within their "Description" attribute.
+
+Storing passwords or sensitive information in the Description fields of user accounts may be practiced for administrative convenience, however, these account descriptions are retrievable by any authenticated domain user without any special privileges.
+
+As a result, an attacker with access to any valid domain user could retrieve the sensitive data stored in account descriptions and leverage any resulting credentials to compromise the affected accounts.
+
+**Business Risk**
+
+This vulnerability may lead to an attacker compromising the affected user accounts. The extent of malicious impact is dependent on the permissions of the compromised user.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/guidance.md b/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/recommendations.md b/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/recommendations.md
new file mode 100644
index 00000000..00bbe5e8
--- /dev/null
+++ b/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/recommendations.md
@@ -0,0 +1,4 @@
+# recommendation(s)
+
+Reconfigure PXE deployment to disable unknown computer support. Additionally, ensure that boot media is protected with a suitably complex password.
+
diff --git a/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/template.md b/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/template.md
new file mode 100644
index 00000000..d5a02ad3
--- /dev/null
+++ b/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/template.md
@@ -0,0 +1,20 @@
+An insecure Pre-Boot Execution Environment (PXE) configuration was identified which would allow an attacker to retrieve boot media and obtain secrets contained within.
+
+The PXE is a mechanism which allows clients to request and deploy operating systems over the network. Instead of booting from a CD drive, USB key or hard disk, the PC will use the network to retrieve boot media from the PXE server.
+
+When PXE deployment is configured to support unknown computers, and the PXE media is protected with either a blank or weak password, then an attacker may abuse this configuration to retrieve and decrypt boot media. In turn, this enables access to any secrets and credential material held within the media file. This may include local administrator passwords that are reused in other devices, or credentials for potentially privileged domain-joined accounts.
+
+
+**Business Risk**
+
+An attacker could leverage the credentials obtained through this vulnerability to gain a foothold in the domain, escalate privileges or exploit lateral movement vectors. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/sensitive_data_in_domain_file_shares/guidance.md b/submissions/description/active_directory/sensitive_data_in_domain_file_shares/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/sensitive_data_in_domain_file_shares/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sensitive_data_in_domain_file_shares/recommendations.md b/submissions/description/active_directory/sensitive_data_in_domain_file_shares/recommendations.md
new file mode 100644
index 00000000..082a900e
--- /dev/null
+++ b/submissions/description/active_directory/sensitive_data_in_domain_file_shares/recommendations.md
@@ -0,0 +1,4 @@
+# recommendation(s)
+
+Conduct a thorough audit to identify, review and restrict access to all sensitive network file shares based on the principle of least privilege to ensure that only authorized individuals or groups with a legitimate business need have access to sensitive data. The practice of storing plaintext credentials within files should be avoided and replaced with secure credential management solutions (e.g., password vaults, secrets management systems).
+Furthermore, consider educating employees on data handling policies, the importance of protecting sensitive information, and the risks associated with unauthorized access.
diff --git a/submissions/description/active_directory/sensitive_data_in_domain_file_shares/template.md b/submissions/description/active_directory/sensitive_data_in_domain_file_shares/template.md
new file mode 100644
index 00000000..c446d275
--- /dev/null
+++ b/submissions/description/active_directory/sensitive_data_in_domain_file_shares/template.md
@@ -0,0 +1,26 @@
+Sensitive data was disclosed in network file shares which were accessible to all authenticated users in the Active Directory domain.
+
+Due to the permissive access controls, an attacker who had successfully compromised a domain user account could abuse this access to obtain a variety of sensitive data, including:
+
+- Employee PII (e.g., HR records, payroll information)
+- Customer data (e.g., contact lists, contract details)
+- Financial documents (e.g., budgets, invoices, bank statements)
+- Proprietary business plans or intellectual property
+
+< Customise the above as needed >
+
+Furthermore, plaintext credentials were also discovered within the exposed shares. Equipped with these credentials, an attacker could look to compromise additional systems and accounts, or elevate privileges within the domain.
+
+**Business Risk**
+
+This vulnerability could be abused by an attacker to view, exfiltrate and potentially modify sensitive data. This could result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/user_does_not_require_preauthentication/guidance.md b/submissions/description/active_directory/user_does_not_require_preauthentication/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/user_does_not_require_preauthentication/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/user_does_not_require_preauthentication/recommendations.md b/submissions/description/active_directory/user_does_not_require_preauthentication/recommendations.md
new file mode 100644
index 00000000..10b0e61f
--- /dev/null
+++ b/submissions/description/active_directory/user_does_not_require_preauthentication/recommendations.md
@@ -0,0 +1,4 @@
+# recommendation(s)
+
+For all user accounts, ensure that the "Do not require Kerberos preauthentication" option is disabled in Active Directory. This setting can be found in the user account properties under the "Account" tab.
+
diff --git a/submissions/description/active_directory/user_does_not_require_preauthentication/template.md b/submissions/description/active_directory/user_does_not_require_preauthentication/template.md
new file mode 100644
index 00000000..d608d2f0
--- /dev/null
+++ b/submissions/description/active_directory/user_does_not_require_preauthentication/template.md
@@ -0,0 +1,21 @@
+A domain user was vulnerable to an attack referred to as ASREPRoasting due to preauthentication being disabled for the account.
+
+The ASREPRoast attack targets the first step of the Kerberos authentication process, where the client supplies their User Principal Name (UPN) in a request to receive a ticket from the Authentication Service. Importantly, the resultant ticket is signed with the associated user’s password hash.
+
+Kerberos preauthentication performs checks to validate the identity of the requestor against the UPN supplied in the request, to ensure that only a requestor in possession of the associated user password will receive a ticket.
+
+When preauthentication is disabled, an unauthenticated attacker can request a ticket on behalf of the vulnerable user and attempt to crack the password hash in order to retrieve their plaintext password. Accounts which use short and non-complex passwords increase the likelihood of a successful ASREPRoast attack.
+
+**Business Risk**
+
+This vulnerability could result in an attacker gaining a foothold or escalating privileges in the domain. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in significant financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/weak_machine_account_password/guidance.md b/submissions/description/active_directory/weak_machine_account_password/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/weak_machine_account_password/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/weak_machine_account_password/recommendations.md b/submissions/description/active_directory/weak_machine_account_password/recommendations.md
new file mode 100644
index 00000000..5c3f5af3
--- /dev/null
+++ b/submissions/description/active_directory/weak_machine_account_password/recommendations.md
@@ -0,0 +1,9 @@
+# recommendation(s)
+
+Reset the computer account password to a suitably secure value.
+
+To address weak machine account passwords and potential timeroasting vulnerabilities which may be present in the wider network:
+
+- **Audit Pre-Windows 2000 Compatibility:** For computers created for pre-Windows 2000 compatibility within the last 30 days, ensure passwords are reset to suitably secure values. These accounts are initialized with a default weak password (matches the first 14 characters of their computer name) which will persist until being rotated.
+- **Enable Automated Rotation:** Ensure the GPO "Domain member: Disable machine account password changes" is not enabled, allowing the default 30-day password rotation for all machine accounts.
+- **Identify and Reset Stale Passwords:** Identify any machine accounts whose passwords have not expired/rotated in the last 30 days to identify and rectify issues preventing automated rotation.
diff --git a/submissions/description/active_directory/weak_machine_account_password/template.md b/submissions/description/active_directory/weak_machine_account_password/template.md
new file mode 100644
index 00000000..0df404ef
--- /dev/null
+++ b/submissions/description/active_directory/weak_machine_account_password/template.md
@@ -0,0 +1,21 @@
+A workstation/server was configured with a weak computer account password, which allowed the system to be compromised via a “Timeroasting” attack.
+
+Timeroasting is a technique which abuses the Windows authentication mechanism of the Network Time Protocol (NTP) to extract password hashes for computer accounts.
+
+The Network Time Protocol enables domain-joined computers to synchronise their clocks with a Domain Controller (DC), which acts as the centralised time server. Due to concerns with time spoofing, Microsoft implemented an extension to the protocol (MS-SNTP) to provide a means for the time server (DC) to verify its identity. In this process, the clients (computer accounts) supply their RIDs in requests to the time server, which in turn looks up the corresponding computer account and generates a response using its password hash. Whilst this extension addresses time spoofing concerns, it also allows any unauthenticated user to retrieve and subject password hashes for any computer account in the domain to brute-force password cracking techniques.
+
+By default, machine account management for domain-joined systems is automated in Windows systems to ensure that suitably secure values are set for passwords and rotated every 30 days. As a result, machine account passwords typically do not represent attractive candidates for brute force cracking techniques. However, machine account passwords can become vulnerable when weak values are manually set by system administrators, or when the machine was enabled to be pre-windows 2000 compatible (in which case the initial password matches the first 14 characters of the computer name).
+
+**Business Risk**
+
+This vulnerability could allow an unauthenticated attacker to gain a foothold on the domain or pursue lateral movement vectors. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/guidance.md b/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/recommendations.md b/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/recommendations.md
new file mode 100644
index 00000000..c1565227
--- /dev/null
+++ b/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/recommendations.md
@@ -0,0 +1,5 @@
+# recommendation(s)
+
+Disable anonymous login on FTP if it is not required.
+
+In the event anonymous logins are required as part of a legitimate business need, compensating controls such as IP allow listing should be put in place to mitigate the risk of truly anonymous connections. Regularly audit the contents of the service and file system permissions to prevent inadvertent exposure of sensitive data.
diff --git a/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/template.md b/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/template.md
new file mode 100644
index 00000000..3d2f3f02
--- /dev/null
+++ b/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/template.md
@@ -0,0 +1,19 @@
+A File Transfer Protocol (FTP) server running on the remote host allows anonymous logins.
+
+Any individual with remote connectivity to the service may gain access to the server without providing a password or unique credentials.
+
+This would permit an anonymous attacker to access any files made available by the FTP server within the folder to which the anonymous account has permission to view, potentially exposing sensitive material.
+
+**Business Risk**
+
+This vulnerability could lead to unauthorised access and data theft. The severity of the impact to the business is dependent on the sensitivity of the data exposed by the service.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/guidance.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/recommendations.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/recommendations.md
new file mode 100644
index 00000000..d8378e43
--- /dev/null
+++ b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Disable support for cipher suite zero on the IPMI device. Enforce the use of strong, unique passwords for all IPMI user accounts.
diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/template.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/template.md
new file mode 100644
index 00000000..58122d49
--- /dev/null
+++ b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/template.md
@@ -0,0 +1,19 @@
+The Intelligent Platform Management Interface (IPMI) on the host was affected by the “Cipher Zero” authentication bypass vulnerability.
+
+IPMI is used by a server's Baseboard Management Controller (BMC) to provide out-of-band management and monitoring capabilities for remote systems. When IPMI is configured to support cipher suite 0 (aka cipher zero), password requirements can be bypassed to authenticate to the BMC with only a valid username (which can be readily found in vendor documentation detailing default accounts).
+
+Once access has been obtained, an attacker would gain administrator-level control over the underlying hardware for that system. This may include the ability to remotely power cycle systems, modify BIOS settings, deploy firmware, mount remote media, and access keyboard/video/mouse (KVM) functionality.
+
+**Business Risk**
+
+This vulnerability could lead to a malicious user gaining unauthorised hardware-level access to the affected server(s). This access could be abused to compromise the integrity and availability of the vulnerable systems.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/guidance.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/recommendations.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/recommendations.md
new file mode 100644
index 00000000..7e4ee147
--- /dev/null
+++ b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+This vulnerability stems from an inherent design flaw within the IPMI v2.0 specification itself, and as such there is no patch for remediation. However, strong and unique passwords can be implemented to limit the likelihood of success for off-line dictionary attacks against retrieved hashes. Further mitigations may include implementing access controls or network-level isolation to limit access to IPMI management interfaces.
diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/template.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/template.md
new file mode 100644
index 00000000..17364b83
--- /dev/null
+++ b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/template.md
@@ -0,0 +1,21 @@
+The host supported Intelligent Platform Management Interface (IPMI) version 2.0, which is affected by an information disclosure vulnerability.
+
+IPMI is used by a server's Baseboard Management Controller (BMC) to provide out-of-band management and monitoring capabilities for remote systems.
+
+The IPMI 2.0 authentication process requires the server to transmit a salted SHA1 or MD5 hash of the requested user's password to the client prior to authentication occurring. This can be leveraged by an attacker to obtain the password hash for any valid user account on the BMC.
+
+Once obtained, these password hashes can be subjected to offline brute-force or dictionary attacks to recover the plaintext credentials. Successful recovery of these credentials grants an attacker access to the BMC, which provides control over the underlying hardware for that system and any other systems in the IPMI managed group. This may include the ability to remotely power cycle systems, modify BIOS settings, deploy firmware, mount remote media, and access keyboard/video/mouse (KVM) functionality.
+
+**Business Risk**
+
+This vulnerability could lead to a malicious user gaining unauthorised hardware-level access to the affected server(s). This access could be abused to compromise the integrity and availability of the vulnerable systems.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/guidance.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/recommendations.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/recommendations.md
new file mode 100644
index 00000000..6b6217b2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Consult vendor documentation to disable anonymous bind on the LDAP server and ensure that only authenticated users can retrieve sensitive information.
diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/template.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/template.md
new file mode 100644
index 00000000..0214ed8d
--- /dev/null
+++ b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/template.md
@@ -0,0 +1,21 @@
+The Windows Lightweight Directory Access Protocol (LDAP) server allows anonymous binds.
+
+By default, Microsoft Windows Server 2003 and later versions restrict anonymous LDAP operations, with the exception of rootDSE searches and binds. However, anonymous binds may still be encountered on older implementations, such as Windows 2000-based domain controllers, or in more modern environments where this default security setting has been overridden.
+
+When anonymous binds are permitted, any user can connect to the directory service and query it for information without providing authentication credentials (i.e., with an empty bind Distinguished Name (DN) and password). The information returned from the LDAP server can include details about users, group memberships, domain-joined devices, password policy, and more.
+
+This information can be leveraged by an attacker to inform further attacks with the aims of gaining a foothold on the domain. For example, the enumerated details may be used to perform targeted phishing attempts, identify valid users for brute-force password guessing attacks, and map valuable targets for further compromise.
+
+**Business Risk**
+
+This vulnerability may lead to indirect financial loss and reputational damage if the information exposed by the service is leveraged in more advanced attacks.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/guidance.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/recommendations.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/recommendations.md
new file mode 100644
index 00000000..b15995d5
--- /dev/null
+++ b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/recommendations.md
@@ -0,0 +1,7 @@
+# recommendation(s)
+
+Configure all LDAP servers and clients within the environment to require and enforce LDAP signing. This will ensure the integrity of LDAP communication and protect against tampering and NTLM relay attacks.
+
+For LDAP signing to be enforced, this requirement must be configured on both the domain controllers and clients. If the server requires signing but the client does not support signing, the session will be terminated by the server. On a domain controller LDAP signing is managed using the policy setting Domain controller: LDAP signing requirements. On a Windows LDAP client the signing is managed by the policy setting Network security: LDAP client signing requirements.
+
+After enforcing LDAP signing on the server, clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL/TLS connection stop working.
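Review bot: The signing recommendation stops at LDAP signing, but signing does not apply to LDAPS, so the NTLM relay the first paragraph promises to prevent can still be pointed at port 636 unless channel binding is enforced as well. I would add a paragraph after the first: `Signing does not cover LDAP over SSL/TLS (LDAPS). To prevent relay of NTLM authentication to LDAPS, also enforce LDAP channel binding on domain controllers (policy setting Domain controller: LDAP server channel binding token requirements, or the LdapEnforceChannelBinding registry value).` Since the last paragraph warns that unsigned clients will stop working, it would also help to recommend enabling the directory service diagnostic logging for unsigned and simple binds (event ID 2889 on the domain controllers) for a period before enforcement, so those clients can be found and fixed first.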
diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/template.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/template.md
new file mode 100644
index 00000000..55f22f6a
--- /dev/null
+++ b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/template.md
@@ -0,0 +1,19 @@
+The Windows Lightweight Directory Access Protocol (LDAP) server did not require signing.
+
+LDAP signing is a security feature of the Simple Authentication and Security Layer (SASL) that ensures the integrity of LDAP communication by requiring messages to be digitally signed. This provides authenticity and integrity verification, by validating the identity of the requestor and ensuring that LDAP messages have not been altered in transit.
+
+Unsigned network traffic is susceptible to man-in-the-middle (MITM) and replay attacks. In such attacks, a client’s messages are intercepted by the attacker and relayed to the LDAP server, effectively allowing the attacker to perform actions on the LDAP server on behalf of the impersonated client.
+
+**Business Risk**
+
+When signing is not enforced, the integrity and authenticity of messages in transit across the network can be compromised. This can be abused by attackers to compromise user accounts and services within the domain, leading to unauthorized access, data theft, and potentially service disruption. These malicious actions could result in reputational damage for the business through the impact to customers’ trust.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/guidance.md b/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/recommendations.md b/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/recommendations.md
new file mode 100644
index 00000000..e3f0772d
--- /dev/null
+++ b/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Reconfigure the server to require Network Level Authentication (NLA). Note that once enforced, only client computers that support NLA can connect to the RDP server.
diff --git a/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/template.md b/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/template.md
new file mode 100644
index 00000000..2ca98830
--- /dev/null
+++ b/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/template.md
@@ -0,0 +1,17 @@
+The Remote Desktop Protocol (RDP) server was not configured to use Network Level Authentication (NLA) only.
+
+Network level authentication is a security feature of Microsoft’s remote desktop protocol that requires users to authenticate before a session can be established with the remote device. Unlike traditional RDP connections, where the login screen is loaded before authentication, NLA ensures that credentials are validated prior to initiating the connection. This is a more secure authentication method which offers protection against Denial of Service (DoS) attacks which abuse unauthenticated requests to consume server resources, alongside reducing the risk of exposure to various threats that exploit the initial connection phase.
+
+**Business Risk**
+
+This vulnerability increases the service's exposure to attacks, including consumption of server resources, which may result in downtime for the affected host.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/guidance.md b/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/guidance.md
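Review bot: The phrase `various threats that exploit the initial connection phase` at the end of the second paragraph is too vague for a finding template; a triager needs the concrete classes NLA mitigates, and resource exhaustion is the weaker of them yet is the only one the Business Risk section names. I would replace that clause with a sentence such as: `Without NLA, an unauthenticated attacker is presented with the Windows logon screen, which can disclose the operating system version and the last logged-on user and domain, and can exercise the RDP protocol stack before authenticating, exposing the host to pre-authentication vulnerabilities in the RDP service.` The Business Risk paragraph should then mention information disclosure and pre-authentication exploitation alongside the downtime point.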
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/recommendations.md b/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/recommendations.md
new file mode 100644
index 00000000..e8dc24d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/recommendations.md
@@ -0,0 +1,5 @@
+# recommendation(s)
+
+Implement strict access controls on all NFS shares, ensuring that only explicitly authorized IP addresses and hosts can mount them. Regularly audit NFS export configurations and file system permissions to prevent inadvertent exposure of sensitive data. Apply additional security features such as root_squash to prevent remote root users from having root privileges on the NFS share, nosuid to prevent set-user-ID or set-group-ID bits from taking effect, and noexec to prevent the execution of binaries on the mounted file system.
+
+If possible, consider employing NFSv4 with Kerberos for robust authentication and encryption, if available and compatible with your environment.
diff --git a/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/template.md b/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/template.md
new file mode 100644
index 00000000..211e9030
--- /dev/null
+++ b/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/template.md
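Review bot: In the NFS recommendation, `nosuid` and `noexec` are client-side mount options, not export options, so the server administrator this text is addressed to cannot enforce them; only `root_squash` belongs in the export configuration. I would reword the third sentence to: `On the server, export with root_squash (never no_root_squash) and restrict each export to explicit hosts; on clients, mount with nosuid and noexec where the data does not require them.` It is also worth stating that with NFSv2/v3 and the AUTH_SYS security flavour the host restriction is the only effective control, because the UID and GID presented by the client are not verified by the server, which is why the NFSv4-with-Kerberos advice in the last paragraph should be the primary recommendation rather than an optional one.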
@@ -0,0 +1,19 @@
+Sensitive data was discovered to be accessible without authentication from mountable NFS (Network File System) shares.
+
+NFS (Network File System) allows a server to share directories and files which can be mounted on client machines over the network. NFS Versions 2 and 3 do not support modern authentication standards. Instead, access controls are configured at the host and user level, with defined hostnames (or IP addresses) and specific usernames permitted to mount the shares without providing a password. The most lenient configuration permits any user from any host in the network to mount the available shares.
+
+When an NFS export is configured overly permissively (e.g., world-readable or accessible to broad IP ranges), any system on the network capable of mounting the share can access its contents without explicit user authentication. This places the files exposed by the NFS share at risk of unauthorised access by an attacker situated in the local network. These files may include sensitive data such as SSH keys, backups, or configuration files. If write access is enabled, an attacker may also make malicious modifications to the share, including actions such as overwriting configuration files or planting malicious executables in efforts to compromise networked systems.
+
+**Business Risk**
+
+This vulnerability can lead to data theft and modification and potentially the compromise of additional services or systems in the network. The severity of the impact to the business is dependent on the permissions available to an attacker and the sensitivity of the data exposed by the service.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
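Review bot: The second paragraph presents `specific usernames permitted to mount the shares` as an access control, but under the AUTH_SYS flavour used by NFSv2/v3 the UID and GID are asserted by the client and never verified by the server, so an attacker with root on any permitted host (or any host, for a wildcard export) impersonates any user simply by creating a local account with the matching UID. I would change that sentence to: `Access is restricted only by client hostname or IP address; the user identity (UID/GID) is supplied by the client and is not authenticated by the server, so it can be chosen freely by an attacker who controls a permitted host.` Making this explicit matters for triage, because it means the effective exposure is usually broader than the file permissions on the export suggest.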
diff --git a/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/guidance.md b/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/recommendations.md b/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/recommendations.md
new file mode 100644
index 00000000..f44a05bb
--- /dev/null
+++ b/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Enable and enforce SMB signing on all relevant hosts within the network. This will ensure the authenticity and integrity of SMB communications, protecting against tampering and relay attacks.
diff --git a/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/template.md b/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/template.md
new file mode 100644
index 00000000..47e6bd33
--- /dev/null
+++ b/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/template.md
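Review bot: The SMB signing recommendation names no concrete setting, whereas the LDAP signing recommendation in this same commit names both policy settings; for consistency and so that the reader can act on it, this one should do the same. I would add: `On Windows, enforce this with the Group Policy settings Microsoft network server: Digitally sign communications (always) and Microsoft network client: Digitally sign communications (always); for Samba, set server signing = mandatory.` It is also worth saying explicitly that the setting must be applied to member servers and workstations, not only domain controllers, because the relay target in the attack the template describes is any host that still accepts unsigned SMB.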
@@ -0,0 +1,19 @@
+Signing was not required on the Server Messaging Block (SMB) server.
+
+SMB signing is a security mechanism which ensures that every SMB message contains a cryptographic signature which incorporates a hash of the entire SMB message, alongside the original sender and intended recipient. If the message is tampered with, the hash verification will fail. In turn, this allows the recipient of the SMB traffic to confirm the authenticity and integrity of the data.
+
+An unauthenticated attacker can exploit a lack of SMB signing to conduct man-in-the-middle and relay attacks against the SMB server.
+
+**Business Risk**
+
+When signing is not enforced, the integrity and authenticity of messages in transit across the network can be compromised. This can be abused by attackers to compromise user accounts and services within the domain, leading to unauthorized access, data theft, and potentially service disruption. These malicious actions could result in reputational damage for the business through the impact to customers’ trust.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/guidance.md b/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/recommendations.md b/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/recommendations.md
new file mode 100644
index 00000000..98231123
--- /dev/null
+++ b/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Disable the commands VRFY, RCPT and EXPN in the SMTP server configuration. If this functionality is required, ensure it is only available to authenticated users.
diff --git a/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/template.md b/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/template.md
new file mode 100644
index 00000000..e24c2387
--- /dev/null
+++ b/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/template.md
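Review bot: The SMTP recommendation tells the reader to disable `RCPT`, which cannot be done: RCPT TO is the command that names the recipient of every message, so removing it stops all mail delivery. Only VRFY and EXPN can be switched off; enumeration through RCPT TO has to be addressed by making the responses indistinguishable or by throttling. I would change the line to: `Disable the VRFY and EXPN commands in the SMTP server configuration. RCPT TO cannot be disabled; instead configure the server to return the same response for valid and invalid recipients (or to defer recipient validation until after DATA), and rate-limit unauthenticated connections that issue many RCPT TO commands.` The second sentence about authenticated users then applies only to VRFY and EXPN.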
@@ -0,0 +1,17 @@
+The Simple Mail Transfer Protocol (SMTP) server allowed unauthenticated users to enumerate valid users on the host.
+
+When connected to a mail server, common mail commands including EXPN, VRFY and RCPT TO can be used to infer the presence of valid users based on the responses returned by the server. When this functionality is available without authentication, it can be abused by an unauthenticated attacker to identify valid accounts on the system and leverage the discovered users in brute-force password guessing attacks.
+
+**Business Risk**
+
+This vulnerability may lead to indirect financial loss and reputational damage if an attacker is able to chain this vulnerability with another to achieve user account compromise and data exfiltration.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/guidance.md b/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/recommendations.md b/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/recommendations.md
new file mode 100644
index 00000000..01f4ec0f
--- /dev/null
+++ b/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/recommendations.md
@@ -0,0 +1,5 @@
+# recommendation(s)
+
+If possible, upgrade insecure SNMP versions (v1/2c) to SNMPv3, which provides more advanced security mechanisms, including encryption and password-based authentication.
+
+If it is not possible to upgrade the SNMP version, change all default community strings to suitably long, complex and unique values.
diff --git a/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/template.md b/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/template.md
new file mode 100644
index 00000000..e0874dc4
--- /dev/null
+++ b/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/template.md
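Review bot: The SNMPv3 advice omits the security level, and SNMPv3 deployed as noAuthNoPriv or authNoPriv provides none of the encryption or authentication the first paragraph promises. I would change the first sentence to: `If possible, upgrade insecure SNMP versions (v1/2c) to SNMPv3 configured with the authPriv security level (SHA-based authentication and AES privacy).` Independently of the version in use, restricting the agent to the management network or to specific manager addresses via ACLs, and removing read-write communities unless they are genuinely needed, would directly limit the write-access impact the template describes and belongs in this recommendation as well.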
@@ -0,0 +1,21 @@
+The Simple Network Management Protocol (SNMP) server could be accessed using a default community string.
+
+SNMP provides monitoring capabilities to collect and poll information about devices (referred to as ‘agents’) on the network. In SNMP version 1 and 2c, access is commonly configured with default community strings to provide read-only and read-write access.
+
+If default community strings have not been updated to complex and secure values, an attacker located within the internal network could abuse this access to enumerate sensitive network configuration information. This may include; running processes, installed software, system info, hostnames, users, shares, services, listening ports, and any stored credentials.
+
+If write access is gained, an attacker could also modify configuration information. For example, it may be possible to change routing information, shutdown network interfaces, reboot systems, reset device passwords and more. In some cases, write access can also lead to remote code execution.
+
+**Business Risk**
+
+This vulnerability may lead to indirect financial loss and reputational damage if the information exposed by the service is leveraged in more advanced attacks or modified to compromise the system.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/guidance.md b/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/recommendations.md b/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/recommendations.md
new file mode 100644
index 00000000..71d0af85
--- /dev/null
+++ b/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Disable password-based authentication for SSH and enforce the use of public-key authentication. Disable direct root login via SSH; instead, use a non-privileged user and then sudo to root if necessary. Furthermore, consider setting a strong password on the authentication keys and the use of multi-factor authentication where possible.
diff --git a/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/template.md b/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/template.md
new file mode 100644
index 00000000..afcd9bb4
--- /dev/null
+++ b/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/template.md
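Review bot: In the SSH recommendation, `a strong password on the authentication keys` should say a passphrase on the private keys; what is protected is the key file, and the current wording can be read as advising a password on the account, which is the thing the finding says to stop relying on. The text would also be more actionable if it named the sshd_config directives: `PasswordAuthentication no`, `PermitRootLogin no` (or `prohibit-password` if key-based root access is required), and `KbdInteractiveAuthentication no` where password prompts are delivered through keyboard-interactive. I would add a caution that public keys must be deployed and tested on every administrator's account before passwords are disabled, or the change locks people out.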
@@ -0,0 +1,17 @@
+The SSH (Secure Shell) server was configured to accept password authentication and direct login by the root user.
+
+Password-based authentication is susceptible to brute-force attacks, especially when weak passwords are in use. This increases the likelihood of an attacker gaining unauthorised access to the host. Furthermore, if a brute-force attack is successful against the root user, this would grant the attacker administrator privileges over the vulnerable system.
+
+**Business Risk**
+
+Allowing weaker authentication mechanisms may lead to the system being compromised in the event that a brute-force password guessing attack is successful. Malicious actions such as data exfiltration, modification and service disruption from the compromised host may result in financial loss and reputation damage.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/guidance.md b/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
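Review bot: The opening sentence of the SSH template asserts both password authentication and direct root login, but the template is named for password authentication only, and a tester will often observe one without the other (root login prohibited while passwords are accepted, or the reverse). I would make the root-login claim conditional or move it to its own finding: `The SSH (Secure Shell) server was configured to accept password authentication.` followed by an optional line `The server additionally permitted direct login as the root user.` for the submitter to keep or delete. The last sentence of the second paragraph only holds when that second condition was actually observed, so it should be marked optional in the same way.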
diff --git a/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/recommendations.md b/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/recommendations.md
new file mode 100644
index 00000000..5a8dc4b5
--- /dev/null
+++ b/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Configure SSH servers to use only strong and modern key-exchange, host-key, encryption, and MAC algorithms. Disable all deprecated and insecure algorithms. Regularly review and update the allowed algorithms based on current security best practices.
diff --git a/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/template.md b/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/template.md
new file mode 100644
index 00000000..225d29fe
--- /dev/null
+++ b/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/template.md
@@ -0,0 +1,17 @@
+The SSH (Secure Shell) server supported key-exchange, host-key, encryption, or message authentication code (MAC) algorithms that are considered insecure.
+
+The use of these weak algorithms makes SSH communication vulnerable to various cryptographic attacks, potentially allowing attackers to decrypt sensitive data or tamper with communications.
+
+**Business Risk**
+
+This vulnerability negatively impacts the confidentiality and integrity of data. The severity of the impact to the business is dependent on the sensitivity of the data being stored and transmitted by the service.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
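Review bot: Neither the weak-cipher recommendation nor its template says which algorithms count as deprecated, so a triager cannot separate a real finding from scanner noise, and an administrator has nothing to look up. I would add a sentence to the recommendation giving the usual offenders as examples: `Typical examples include CBC-mode ciphers, arcfour and 3DES, HMAC-MD5 and HMAC-SHA1 MACs, diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1 key exchange, and ssh-dss or SHA-1-signed ssh-rsa host keys.` The guidance for this finding should also ask the submitter to include the exact algorithm list the server advertised (for example from the KEXINIT exchange or the scanner output) in the PoC, since that is what the remediation will be checked against.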
diff --git a/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/guidance.md b/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/recommendations.md b/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/recommendations.md
new file mode 100644
index 00000000..7ec27943
--- /dev/null
+++ b/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Disable the "None" authentication method on the VNC servers. Configure VNC servers to enforce strong authentication, ideally using a robust password or, where supported and feasible, integrate with existing authentication mechanisms like user accounts or multi-factor authentication. Restrict VNC access to authorized personnel and specific IP addresses or subnets through firewall rules and network segmentation. Regularly update VNC server software to the latest patched version to address any known vulnerabilities.
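Review bot: Recommending `a robust password` overstates what the classic VNC Authentication security type can deliver: it truncates the password to 8 characters and runs a DES challenge-response over a session that is otherwise unencrypted, so even a well-chosen password is a weak control on an internal network. The X11 recommendation in this same commit already tells the reader to tunnel over SSH, and the VNC one should say the same. I would add: `Because the standard VNC Authentication method limits passwords to 8 characters and does not encrypt the session, expose VNC only through an SSH tunnel or with a TLS-capable security type (e.g. VeNCrypt), and bind the server to localhost where the tunnel makes that possible.` Separately, the directory name carries a typo (`sever` for `server`) that will be awkward to fix once submissions reference it.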
diff --git a/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/template.md b/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/template.md
new file mode 100644
index 00000000..24119e45
--- /dev/null
+++ b/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/template.md
@@ -0,0 +1,17 @@
+The Virtual Network Computing (VNC) server had the "None" authentication method enabled. This configuration permits any client to connect to the VNC server and gain full graphical access to the remote desktop without requiring a valid password.
+
+An attacker situated in the local network may abuse this access to execute arbitrary commands on the host, install malicious software, read or exfiltrate sensitive data without leaving an authentication footprint, and leverage the system as a foothold from which target other internal network resources and/or pivot within the estate.
+
+**Business Risk**
+
+This vulnerability could lead to unauthorised system access, theft and manipulation of sensitive data. Such incidents can impact the organisation's operational security, result in financial losses, and damage the organisation's reputation, especially if customer data or critical business operations are compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/guidance.md b/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/recommendations.md b/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/recommendations.md
new file mode 100644
index 00000000..ad9a2193
--- /dev/null
+++ b/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Disable unauthenticated access to X11 servers. Configure X11 to use secure authentication methods, or ideally, tunnel X11 connections over SSH using SSH X11 forwarding. Restrict X11 access to authorized users and IP addresses through proper configuration and firewall rules.
diff --git a/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/template.md b/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/template.md
new file mode 100644
index 00000000..cbabcb1e
--- /dev/null
+++ b/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/template.md
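Review bot: `Configure X11 to use secure authentication methods` in the X11 recommendation is not something an administrator can look up; the note should name the control that usually causes this finding and the ones that fix it. Open access is normally the result of an `xhost +`, and the fixes are `xhost -` combined with MIT-MAGIC-COOKIE-1 authorization via xauth, and, better, starting the X server with `-nolisten tcp` so that 6000/tcp is not listening at all (which is the default on current distributions). I would add a sentence to that effect after the first, keeping the SSH forwarding advice as the preferred option for any remote display use.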
@@ -0,0 +1,17 @@
+An X11 (X Windows) server was accessible without requiring authentication. This configuration, often referred to as "Open" access, allows any client on the network to connect to the X server and interact with the graphical display environment.
+
+An attacker with network access can leverage this configuration to perform various malicious actions, including: capturing screenshots of the graphical display, logging keystrokes, and executing arbitrary commands on the system in the context of the user running the X server.
+
+**Business Risk**
+
+This vulnerability could lead to unauthorised system access, theft and manipulation of sensitive data. Such incidents can impact the organisation's operational security, result in financial losses, and damage the organisation's reputation, especially if customer data or critical business operations are compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
From 826217a041359719b4d3287389304bfaddba7f33 Mon Sep 17 00:00:00 2001
From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Wed, 1 Apr 2026 09:32:24 +1000 Subject: [PATCH 2/4] Updates for v1.18.1 MAR26 --- .../guidance.md | 0 .../recommendations.md | 3 +++ .../dormant_enabled_user_accounts/template.md | 20 ++++++++++++++ .../guidance.md | 0 .../recommendations.md | 3 +++ .../template.md | 20 ++++++++++++++ .../guidance.md | 0 .../guidance.md | 0 .../recommendations.md | 3 +++ .../template.md | 21 +++++++++++++++ .../recommendations.md | 0 .../guidance.md | 0 .../recommendations.md | 3 +++ .../template.md | 20 ++++++++++++++ .../template.md | 0 .../weak_domain_password_policy}/guidance.md | 0 .../recommendations.md | 3 +++ .../weak_domain_password_policy/template.md | 20 ++++++++++++++ .../guidance.md | 0 .../dacl_abuse/recommendations.md | 3 +++ .../active_directory/dacl_abuse/template.md | 20 ++++++++++++++ .../template.md | 21 --------------- .../recommendations.md | 6 ----- .../template.md | 19 -------------- .../recommendations.md | 3 --- .../template.md | 19 -------------- .../recommendations.md | 15 ----------- .../template.md | 21 --------------- .../recommendations.md | 6 ----- .../template.md | 19 -------------- .../guidance.md | 0 .../recommendations.md | 0 .../template.md | 20 ++++++++++++++ .../guidance.md | 0 .../guidance.md | 0 .../recommendations.md | 5 ++++ .../template.md | 20 ++++++++++++++ .../no_pre_authentication}/guidance.md | 0 .../no_pre_authentication}/recommendations.md | 3 +-- .../no_pre_authentication/template.md | 20 ++++++++++++++ .../kerberos_abuse/recommendations.md | 5 ++++ .../kerberos_abuse/template.md | 15 +++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 20 ++++++++++++++ .../recommendations.md | 5 ---- .../template.md | 19 -------------- .../recommendations.md | 4 --- .../template.md | 20 -------------- .../ldap_anonymous_bind_enabled/guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../ldap_anonymous_bind_enabled/template.md | 20 ++++++++++++++ 
.../guidance.md | 5 ++++ .../recommendations.md | 3 +++ .../template.md | 20 ++++++++++++++ .../recommendations.md | 4 --- .../template.md | 26 ------------------- .../automatic_device_approval/guidance.md | 5 ++++ .../recommendations.md | 7 +++++ .../automatic_device_approval/template.md | 19 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 7 +++++ .../template.md | 19 ++++++++++++++ .../active_directory/sscm_abuse/guidance.md | 5 ++++ .../guidance.md | 5 ++++ .../recommendations.md | 6 +++++ .../template.md | 20 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 8 ++++++ .../template.md | 20 ++++++++++++++ .../ntlm_site_server_site_system/guidance.md | 5 ++++ .../recommendations.md | 9 +++++++ .../ntlm_site_server_site_system/template.md | 20 ++++++++++++++ .../guidance.md | 5 ++++ .../recommendations.md | 6 +++++ .../template.md | 20 ++++++++++++++ .../pxe_boot_media_theft/guidance.md | 4 +++ .../pxe_boot_media_theft/recommendations.md | 5 ++++ .../pxe_boot_media_theft/template.md | 19 ++++++++++++++ .../sscm_abuse/recommendations.md | 14 ++++++++++ .../active_directory/sscm_abuse/template.md | 21 +++++++++++++++ .../template.md | 21 --------------- .../recommendations.md | 9 ------- .../weak_machine_account_password/template.md | 21 --------------- 84 files changed, 568 insertions(+), 260 deletions(-) rename submissions/description/active_directory/{domain_compromise_via_unconstrained_delegation => configuration_weaknesses/dormant_enabled_user_accounts}/guidance.md (100%) create mode 100644 submissions/description/active_directory/configuration_weaknesses/dormant_enabled_user_accounts/recommendations.md create mode 100644 submissions/description/active_directory/configuration_weaknesses/dormant_enabled_user_accounts/template.md rename submissions/description/active_directory/{ => configuration_weaknesses}/excessive_domain_admin_membership/guidance.md (100%) create mode 100644 
submissions/description/active_directory/configuration_weaknesses/excessive_domain_admin_membership/recommendations.md create mode 100644 submissions/description/active_directory/configuration_weaknesses/excessive_domain_admin_membership/template.md rename submissions/description/active_directory/{group_policy_preferences_password_elevation_of_privilege => configuration_weaknesses}/guidance.md (100%) rename submissions/description/active_directory/{insecure_name_resolution_protocols_enabled => configuration_weaknesses/passwords_found_domain_description}/guidance.md (100%) create mode 100644 submissions/description/active_directory/configuration_weaknesses/passwords_found_domain_description/recommendations.md create mode 100644 submissions/description/active_directory/configuration_weaknesses/passwords_found_domain_description/template.md rename submissions/description/active_directory/{passwords_found_within_domain_user_account_description => configuration_weaknesses}/recommendations.md (100%) rename submissions/description/active_directory/{insecure_service_account_management => configuration_weaknesses/shared_administrator_passwords}/guidance.md (100%) create mode 100644 submissions/description/active_directory/configuration_weaknesses/shared_administrator_passwords/recommendations.md create mode 100644 submissions/description/active_directory/configuration_weaknesses/shared_administrator_passwords/template.md rename submissions/description/active_directory/{passwords_found_within_domain_user_account_description => configuration_weaknesses}/template.md (100%) rename submissions/description/active_directory/{ntlm_tampering_vulnerability_drop_the_mic => configuration_weaknesses/weak_domain_password_policy}/guidance.md (100%) create mode 100644 submissions/description/active_directory/configuration_weaknesses/weak_domain_password_policy/recommendations.md create mode 100644 
submissions/description/active_directory/configuration_weaknesses/weak_domain_password_policy/template.md rename submissions/description/active_directory/{passwords_found_within_domain_user_account_description => dacl_abuse}/guidance.md (100%) create mode 100644 submissions/description/active_directory/dacl_abuse/recommendations.md create mode 100644 submissions/description/active_directory/dacl_abuse/template.md delete mode 100644 submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/template.md delete mode 100644 submissions/description/active_directory/excessive_domain_admin_membership/recommendations.md delete mode 100644 submissions/description/active_directory/excessive_domain_admin_membership/template.md delete mode 100644 submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/recommendations.md delete mode 100644 submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/template.md delete mode 100644 submissions/description/active_directory/insecure_name_resolution_protocols_enabled/recommendations.md delete mode 100644 submissions/description/active_directory/insecure_name_resolution_protocols_enabled/template.md delete mode 100644 submissions/description/active_directory/insecure_service_account_management/recommendations.md delete mode 100644 submissions/description/active_directory/insecure_service_account_management/template.md rename submissions/description/active_directory/{pre_boot_execution_environment_boot_media_theft => kerberos_abuse/domain_compromise_unconstrained_delegated}/guidance.md (100%) rename submissions/description/active_directory/{domain_compromise_via_unconstrained_delegation => kerberos_abuse/domain_compromise_unconstrained_delegated}/recommendations.md (100%) create mode 100644 submissions/description/active_directory/kerberos_abuse/domain_compromise_unconstrained_delegated/template.md rename 
submissions/description/active_directory/{sensitive_data_in_domain_file_shares => kerberos_abuse}/guidance.md (100%) rename submissions/description/active_directory/{user_does_not_require_preauthentication => kerberos_abuse/insecure_service_account_management}/guidance.md (100%) create mode 100644 submissions/description/active_directory/kerberos_abuse/insecure_service_account_management/recommendations.md create mode 100644 submissions/description/active_directory/kerberos_abuse/insecure_service_account_management/template.md rename submissions/description/active_directory/{weak_machine_account_password => kerberos_abuse/no_pre_authentication}/guidance.md (100%) rename submissions/description/active_directory/{user_does_not_require_preauthentication => kerberos_abuse/no_pre_authentication}/recommendations.md (58%) create mode 100644 submissions/description/active_directory/kerberos_abuse/no_pre_authentication/template.md create mode 100644 submissions/description/active_directory/kerberos_abuse/recommendations.md create mode 100644 submissions/description/active_directory/kerberos_abuse/template.md create mode 100644 submissions/description/active_directory/misconfigured_active_directory_certificate_services/guidance.md create mode 100644 submissions/description/active_directory/misconfigured_active_directory_certificate_services/recommendations.md create mode 100644 submissions/description/active_directory/misconfigured_active_directory_certificate_services/template.md delete mode 100644 submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/recommendations.md delete mode 100644 submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/template.md delete mode 100644 submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/recommendations.md delete mode 100644 submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/template.md create mode 100644 
submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/guidance.md create mode 100644 submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/recommendations.md create mode 100644 submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/template.md create mode 100644 submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/guidance.md create mode 100644 submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/recommendations.md create mode 100644 submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/template.md delete mode 100644 submissions/description/active_directory/sensitive_data_in_domain_file_shares/recommendations.md delete mode 100644 submissions/description/active_directory/sensitive_data_in_domain_file_shares/template.md create mode 100644 submissions/description/active_directory/sscm_abuse/automatic_device_approval/guidance.md create mode 100644 submissions/description/active_directory/sscm_abuse/automatic_device_approval/recommendations.md create mode 100644 submissions/description/active_directory/sscm_abuse/automatic_device_approval/template.md create mode 100644 submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/guidance.md create mode 100644 submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/recommendations.md create mode 100644 submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/template.md create mode 100644 submissions/description/active_directory/sscm_abuse/guidance.md create mode 100644 submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/guidance.md create mode 100644 
submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/recommendations.md create mode 100644 submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/template.md create mode 100644 submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/guidance.md create mode 100644 submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/recommendations.md create mode 100644 submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/template.md create mode 100644 submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/guidance.md create mode 100644 submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/recommendations.md create mode 100644 submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/template.md create mode 100644 submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/guidance.md create mode 100644 submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/recommendations.md create mode 100644 submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/template.md create mode 100644 submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/guidance.md create mode 100644 submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/recommendations.md create mode 100644 submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/template.md create mode 100644 submissions/description/active_directory/sscm_abuse/recommendations.md create mode 100644 submissions/description/active_directory/sscm_abuse/template.md delete mode 100644 submissions/description/active_directory/user_does_not_require_preauthentication/template.md delete mode 100644 submissions/description/active_directory/weak_machine_account_password/recommendations.md delete 
mode 100644 submissions/description/active_directory/weak_machine_account_password/template.md
diff --git a/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/guidance.md b/submissions/description/active_directory/configuration_weaknesses/dormant_enabled_user_accounts/guidance.md
similarity index 100%
rename from submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/guidance.md
rename to submissions/description/active_directory/configuration_weaknesses/dormant_enabled_user_accounts/guidance.md
diff --git a/submissions/description/active_directory/configuration_weaknesses/dormant_enabled_user_accounts/recommendations.md b/submissions/description/active_directory/configuration_weaknesses/dormant_enabled_user_accounts/recommendations.md
new file mode 100644
index 00000000..94581a77
--- /dev/null
+++ b/submissions/description/active_directory/configuration_weaknesses/dormant_enabled_user_accounts/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Implement an automated script or identity governance process that disables accounts inactive for more than 90 days and deletes them after a further grace period. Additionally, integrate account lifecycle management with the HR offboarding process to ensure accounts are disabled promptly when employees depart. Audit dormant accounts quarterly and review group memberships before disabling to confirm no critical service dependencies exist. Tag service accounts with a clear naming convention so they are not mistakenly identified as dormant user accounts.
diff --git a/submissions/description/active_directory/configuration_weaknesses/dormant_enabled_user_accounts/template.md b/submissions/description/active_directory/configuration_weaknesses/dormant_enabled_user_accounts/template.md
new file mode 100644
index 00000000..2bbf3588
--- /dev/null
+++ b/submissions/description/active_directory/configuration_weaknesses/dormant_enabled_user_accounts/template.md
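Review bot: The recommendation disables and later deletes dormant accounts but says nothing about their privileges in the meantime; a disabled account that keeps its group memberships can be re-enabled by anyone holding write access to it and immediately regains those rights. Suggest adding: `When an account is disabled, reset its password, remove it from all security groups, and move it to a quarantine OU whose Group Policy denies interactive and network logon; retain the object until the grace period ends so audit trails and SID references remain resolvable.` The closing sentence about tagging service accounts could instead point at Group Managed Service Accounts, which are a distinct object class and so fall outside user-account dormancy queries without relying on a naming convention.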
@@ -0,0 +1,20 @@
+Active Directory accounts that have not been used for authentication in over 90 dayshave been identified. These accounts are often forgotten service accounts, former employee accounts, or test accounts that were never disabled. An attacker can target dormant accounts for password spraying or brute-force attacks because they are less likely to be monitored, less likely to trigger user-reported alerts, and may have weak or never-rotated passwords. If a dormant account holds group memberships or access permissions, compromising it grants the attacker those same privileges. This allows an attacker to gain an authenticated foothold in the domain through an account that is unlikely to be noticed.
+
+**Business Risk**
+
+Dormant accounts represent unmonitored entry points into the domain. Compromising a dormant account is less likely to trigger security alerts or be reported by a legitimate user. This could result in indirect financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised
+
+**Steps to Reproduce**
+
+1. Authenticate to the domain as {{low_privileged_user}} from {{attacker_host}}
+1. Query Active Directory for user accounts with a lastLogonTimestamp older than 90 days using {{query_tool}} against {{domain_controller}}
+1. Filter the results to show only enabled accounts at {{filter_criteria}}
+1. Identify {{dormant_account_count}} enabled accounts that have not authenticated in over 90 days
+1. Document representative dormant accounts including {{example_account}} with last logon at {{last_logon_date}}
+1. Verify the group memberships of {{example_account}} to assess the potential access granted if compromised at {{group_membership}}
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
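Review bot: `90 dayshave` in the opening sentence is missing a space. The reproduction steps filter on `lastLogonTimestamp`, which is replicated but only refreshed when the stored value is roughly 14 days old, so it can understate activity by up to two weeks and is never populated for accounts that have not logged on since creation; step 2 should say so and treat an unset value as "never logged on" rather than as an error. Suggested wording for step 2: `Query Active Directory for enabled user accounts whose lastLogonTimestamp is older than 90 days or unset (never logged on) using {{query_tool}} against {{domain_controller}}, noting that the attribute may lag true activity by up to 14 days`. The Business Risk paragraph also lacks a terminating full stop; the same omission appears in the excessive_domain_admin_membership, passwords_found_domain_description and shared_administrator_passwords templates in this commit.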
diff --git a/submissions/description/active_directory/excessive_domain_admin_membership/guidance.md b/submissions/description/active_directory/configuration_weaknesses/excessive_domain_admin_membership/guidance.md
similarity index 100%
rename from submissions/description/active_directory/excessive_domain_admin_membership/guidance.md
rename to submissions/description/active_directory/configuration_weaknesses/excessive_domain_admin_membership/guidance.md
diff --git a/submissions/description/active_directory/configuration_weaknesses/excessive_domain_admin_membership/recommendations.md b/submissions/description/active_directory/configuration_weaknesses/excessive_domain_admin_membership/recommendations.md
new file mode 100644
index 00000000..08c28aa9
--- /dev/null
+++ b/submissions/description/active_directory/configuration_weaknesses/excessive_domain_admin_membership/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Audit all Domain Admins, Enterprise Admins, and Schema Admins group memberships and remove accounts that do not have a documented need for domain-level administrative access. Additionally, implement a tiered administration model where day-to-day administrative tasks use delegated permissions rather than full domain admin rights. Deploy Privileged Access Workstations (PAWs) for accounts that must retain domain admin membership. Enable just-in-time access through Privileged Access Management (PAM) solutions to grant temporary elevated access only when needed.
diff --git a/submissions/description/active_directory/configuration_weaknesses/excessive_domain_admin_membership/template.md b/submissions/description/active_directory/configuration_weaknesses/excessive_domain_admin_membership/template.md
new file mode 100644
index 00000000..ee7dd433
--- /dev/null
+++ b/submissions/description/active_directory/configuration_weaknesses/excessive_domain_admin_membership/template.md
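Review bot: The audit sentence covers Domain Admins, Enterprise Admins and Schema Admins but omits the built-in Administrators group and the operator groups (Account Operators, Backup Operators, Server Operators, Print Operators), which confer equivalent or near-equivalent control over domain controllers and are a common place for stale memberships to survive an audit of the three named groups. Suggest extending the first sentence to `Audit membership of Domain Admins, Enterprise Admins, Schema Admins, the built-in Administrators group and the Account/Backup/Server/Print Operators groups, and remove accounts that do not have a documented need for domain-level administrative access.` It is also worth stating that the accounts which must remain should be added to the Protected Users group and marked "Account is sensitive and cannot be delegated", so their credentials cannot be used over NTLM, with RC4 Kerberos, or through delegation.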
@@ -0,0 +1,20 @@
+It was identified that too many user accounts are members of the Domain Admins, Enterprise Admins, or other highly privileged Active Directory groups. Each account in these groups has full administrative control over the entire domain or forest. A large number of privileged accounts increases the attack surface for credential theft, phishing, and Kerberoasting. If any one of these accounts is compromised through password cracking, phishing, or credential dumping, an attacker gains full domain administrative privileges.
+
+**Business Risk**
+
+Excessive membership increases the probability that at least one account has a weak password, is targeted by phishing, or is used on a compromised workstation. This could result in indirect financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised
+
+**Steps to Reproduce**
+
+1. Authenticate to the domain as {{low_privileged_user}} from {{attacker_host}}
+1. Enumerate the membership of the Domain Admins group in {{domain_name}} using {{enumeration_tool}}
+1. Enumerate the membership of the Enterprise Admins and Schema Admins groups using {{enumeration_tool}}
+1. Document the total number of accounts in each privileged group at {{admin_count}}
+1. Identify accounts in privileged groups that do not require domain-level administrative access, such as {{example_unnecessary_account}}
+1. Compare the observed membership count against the organization's operational requirements documented at {{baseline_reference}}
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
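Review bot: The opening paragraph lists Kerberoasting as an attack surface that grows with privileged-group membership, but Kerberoasting targets accounts that carry a servicePrincipalName, not group membership as such; the sentence is accurate only for admin accounts that also have an SPN and should say so, e.g. `…increases the attack surface for credential theft, phishing, and, where an admin account also carries a service principal name, Kerberoasting.` Step 6 compares against `{{baseline_reference}}` but nothing in the template records how many accounts actually need standing admin rights, which is the figure the finding ultimately rests on; a placeholder such as `{{required_admin_count}}` in step 6 would make the comparison concrete.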
diff --git a/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/guidance.md b/submissions/description/active_directory/configuration_weaknesses/guidance.md
similarity index 100%
rename from submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/guidance.md
rename to submissions/description/active_directory/configuration_weaknesses/guidance.md
diff --git a/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/guidance.md b/submissions/description/active_directory/configuration_weaknesses/passwords_found_domain_description/guidance.md
similarity index 100%
rename from submissions/description/active_directory/insecure_name_resolution_protocols_enabled/guidance.md
rename to submissions/description/active_directory/configuration_weaknesses/passwords_found_domain_description/guidance.md
diff --git a/submissions/description/active_directory/configuration_weaknesses/passwords_found_domain_description/recommendations.md b/submissions/description/active_directory/configuration_weaknesses/passwords_found_domain_description/recommendations.md
new file mode 100644
index 00000000..83b660fa
--- /dev/null
+++ b/submissions/description/active_directory/configuration_weaknesses/passwords_found_domain_description/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Remove passwords and other sensitive information from all AD user account description fields. Rotate any affected account passwords immediately, and enforce a policy prohibiting the storage of credentials in directory attributes. Additionally, implement a privileged access management solution or password vault for storing service account credentials. Conduct regular audits of LDAP attributes across all user and computer objects to detect credential storage.
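Review bot: The audit sentence refers to "LDAP attributes" only in general terms; `description` is one of several free-text attributes readable by every authenticated user, and in practice the same credentials turn up in `info` (the Notes field on the Telephones tab) and `comment`. Suggest: `Conduct regular audits of free-text attributes readable by Authenticated Users — at minimum description, info and comment — across all user, computer and group objects to detect stored credentials.` The rotation sentence should also state that any other system where the exposed password was reused must be rotated, not only the account whose description held it.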
diff --git a/submissions/description/active_directory/configuration_weaknesses/passwords_found_domain_description/template.md b/submissions/description/active_directory/configuration_weaknesses/passwords_found_domain_description/template.md
new file mode 100644
index 00000000..ce4c04ef
--- /dev/null
+++ b/submissions/description/active_directory/configuration_weaknesses/passwords_found_domain_description/template.md
@@ -0,0 +1,21 @@
+Active Directory (AD) user accounts were discovered with plaintext or easily decipherable passwords (or password fragments/hints) stored within their "Description" attribute. These attributes are readable by all authenticated domain users through standard LDAP queries. An attacker with any authenticated domain account can query Active Directory for user objects and read the description fields of all accounts in the domain. This allows an attacker with access to any valid domain user could retrieve the sensitive data stored in account descriptions and leverage any resulting credentials to compromise the affected accounts.
+
+
+**Business Risk**
+
+This vulnerability may lead to an attacker compromising the affected user accounts. The extent of malicious impact is dependent on the permissions of the compromised user. This could result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised
+
+**Steps to Reproduce**
+
+1. Authenticate to the domain as {{low_privileged_user}} from {{attacker_host}}
+1. Query Active Directory for user objects with populated description fields using {{ldap_query_tool}} against {{domain_controller}}
+1. Filter the results for description fields containing password-like strings using {{filter_method}}
+1. Identify the account {{affected_account}} with a password stored in the description field at {{description_content}}
+1. Authenticate to {{target_system}} as {{affected_account}} using the recovered password
+1. Confirm successful authentication and note the access level granted
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
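Review bot: The last sentence of the opening paragraph is ungrammatical (`This allows an attacker with access to any valid domain user could retrieve …`); change it to `This allows an attacker with access to any valid domain user account to retrieve the sensitive data stored in account descriptions and leverage any resulting credentials to compromise the affected accounts.` There is a stray extra blank line before the Business Risk heading, which makes this the only 21-line template in the commit. Step 4's `{{description_content}}` placeholder will be filled with the recovered secret, so the template (or its guidance) should tell reporters to redact the password value in the PoC, since these reports circulate beyond the triage team.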
diff --git a/submissions/description/active_directory/passwords_found_within_domain_user_account_description/recommendations.md b/submissions/description/active_directory/configuration_weaknesses/recommendations.md
similarity index 100%
rename from submissions/description/active_directory/passwords_found_within_domain_user_account_description/recommendations.md
rename to submissions/description/active_directory/configuration_weaknesses/recommendations.md
diff --git a/submissions/description/active_directory/insecure_service_account_management/guidance.md b/submissions/description/active_directory/configuration_weaknesses/shared_administrator_passwords/guidance.md
similarity index 100%
rename from submissions/description/active_directory/insecure_service_account_management/guidance.md
rename to submissions/description/active_directory/configuration_weaknesses/shared_administrator_passwords/guidance.md
diff --git a/submissions/description/active_directory/configuration_weaknesses/shared_administrator_passwords/recommendations.md b/submissions/description/active_directory/configuration_weaknesses/shared_administrator_passwords/recommendations.md
new file mode 100644
index 00000000..994d6583
--- /dev/null
+++ b/submissions/description/active_directory/configuration_weaknesses/shared_administrator_passwords/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Deploy Microsoft Local Administrator Password Solution (LAPS) to manage unique, automatically rotated local administrator passwords for every domain-joined device. Additionally, remove all Group Policy Preferences that store local administrator credentials, as GPP passwords are encrypted with a publicly known key and can be trivially decrypted. Disable the built-in Administrator account where possible and use named administrative accounts for accountability.
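Review bot: LAPS removes password reuse but does not by itself close the lateral-movement path the template describes, which is remote logon with a local account's credential; that path is blocked by the well-known SIDs introduced with KB2871997. Suggest adding: `Additionally, assign the "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" user rights to the Local account (S-1-5-113) and Local account and member of Administrators group (S-1-5-114) SIDs via Group Policy, so that local administrator credentials cannot be used remotely even where they are still shared.` The GPP sentence would be more precise if it named the `cpassword` attribute, which is the value the published AES key decrypts.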
diff --git a/submissions/description/active_directory/configuration_weaknesses/shared_administrator_passwords/template.md b/submissions/description/active_directory/configuration_weaknesses/shared_administrator_passwords/template.md
new file mode 100644
index 00000000..1902949c
--- /dev/null
+++ b/submissions/description/active_directory/configuration_weaknesses/shared_administrator_passwords/template.md
@@ -0,0 +1,20 @@
+Shared administrator passwords is a configuration weakness where multiple systems in the Active Directory environment use the same local administrator password. This commonly occurs when the local administrator account is configured through Group Policy Preferences, a golden image, or manual deployment without unique password management. An attacker who recovers the local administrator password from any single system can use the same credential to authenticate to all systems sharing that password. This enables lateral movement across the entire environment without needing additional credential theft or exploitation.
+
+**Business Risk**
+
+Shared local administrator passwords allow a single credential compromise to grant access to every system using the same password. An attacker can move laterally across workstations, servers, and infrastructure systems without triggering additional authentication failures. This could result in indirect financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised
+
+**Steps to Reproduce**
+
+1. Obtain local administrator access on {{initial_system}} using {{initial_access_method}}
+1. Extract the local administrator password hash from {{initial_system}} using {{credential_extraction_tool}}
+1. Attempt to authenticate to {{second_system}} using the same local administrator credential via {{authentication_method}}
+1. Confirm successful authentication on {{second_system}} with local administrator privileges
+1. Repeat authentication against {{additional_systems}} to demonstrate the scope of password reuse
+1. Document the total number of systems accessible using the shared credential at {{reuse_count}}
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
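Review bot: `Shared administrator passwords is a configuration weakness` has a number-agreement error; use `Shared administrator passwords are a configuration weakness …` or `Local administrator password reuse is a configuration weakness …`. The opening paragraph names three provisioning sources (Group Policy Preferences, a golden image, manual deployment), each of which has a different fix, but the steps never ask the reporter to record which one applies; adding a placeholder such as `{{password_provisioning_source}}` to step 6 would tell the remediation owner where to start. The Business Risk phrase "without triggering additional authentication failures" is also slightly off, since successful logons are what it describes; `without generating failed-authentication noise` is closer to the intent.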
diff --git a/submissions/description/active_directory/passwords_found_within_domain_user_account_description/template.md b/submissions/description/active_directory/configuration_weaknesses/template.md
similarity index 100%
rename from submissions/description/active_directory/passwords_found_within_domain_user_account_description/template.md
rename to submissions/description/active_directory/configuration_weaknesses/template.md
diff --git a/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/guidance.md b/submissions/description/active_directory/configuration_weaknesses/weak_domain_password_policy/guidance.md
similarity index 100%
rename from submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/guidance.md
rename to submissions/description/active_directory/configuration_weaknesses/weak_domain_password_policy/guidance.md
diff --git a/submissions/description/active_directory/configuration_weaknesses/weak_domain_password_policy/recommendations.md b/submissions/description/active_directory/configuration_weaknesses/weak_domain_password_policy/recommendations.md
new file mode 100644
index 00000000..fe5a8226
--- /dev/null
+++ b/submissions/description/active_directory/configuration_weaknesses/weak_domain_password_policy/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Update the default domain policy to require a minimum password length of 14 characters, enable complexity requirements, set an account lockout threshold, and enforce a maximum password age. Additionally, implement fine-grained password policies for privileged accounts requiring longer minimum passwords of 20 or more characters. Deploy a banned password list to prevent the use of common and organization-specific passwords.
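Review bot: The recommended minimum of 14 characters is inconsistent with this finding's template.md in the same commit, which defines the weakness as "minimum password lengths below 12 characters", so a 12- or 13-character policy would be reported as weak by one file and acceptable by the other; align both (14 is the value the CIS Windows benchmarks use). "Enable complexity requirements" and "enforce a maximum password age" should be qualified, because NIST SP 800-63B advises against composition rules and periodic forced rotation where a banned-password list and compromise-triggered resets are in place; suggest `…and enforce a maximum password age only where a banned-password list and compromise-triggered resets are not yet deployed.` The fine-grained policy sentence would be more actionable if it named the mechanism: `implement fine-grained password policies (Password Settings Objects) for privileged accounts …`.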
diff --git a/submissions/description/active_directory/configuration_weaknesses/weak_domain_password_policy/template.md b/submissions/description/active_directory/configuration_weaknesses/weak_domain_password_policy/template.md
new file mode 100644
index 00000000..789f90f5
--- /dev/null
+++ b/submissions/description/active_directory/configuration_weaknesses/weak_domain_password_policy/template.md
@@ -0,0 +1,20 @@
+A weak domain password policy is a configuration weakness where the Active Directory default domain password policy does not enforce sufficient complexity, length, or rotation requirements. Common weaknesses include minimum password lengths below 12 characters, disabled complexity requirements, no account lockout threshold, and excessively long maximum password ages. A weak policy allows attackers to crack password hashes obtained through techniques such as Kerberoasting or NTLM hash extraction using dictionary and brute-force attacks in a short time. The weak policy also increases the likelihood that users select easily guessable passwords. This weakness allows an attacker to gain authenticated access to domain resources and escalate privileges.
+
+**Business Risk**
+
+A weak password policy increases the success rate of password cracking and guessing attacks across the entire domain. Attackers who obtain password hashes through credential dumping, Kerberoasting, or network interception can crack weak passwords in minutes. This could result in indirect financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Authenticate to the domain as {{low_privileged_user}} from {{attacker_host}}
+1. Retrieve the default domain password policy from {{domain_controller}} using {{policy_query_tool}}
+1. Document the policy settings including minimum length at {{min_length}}, complexity requirement at {{complexity_setting}}, lockout threshold at {{lockout_threshold}}, and maximum password age at {{max_age}}
+1. Compare the observed policy against industry benchmarks such as {{benchmark_reference}}
+1. Demonstrate the weakness by performing a password spray or hash cracking exercise against {{test_target}} using {{attack_tool}}
+1. Confirm that {{number_of_accounts}} accounts are compromised due to the weak policy settings
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/passwords_found_within_domain_user_account_description/guidance.md b/submissions/description/active_directory/dacl_abuse/guidance.md
similarity index 100%
rename from submissions/description/active_directory/passwords_found_within_domain_user_account_description/guidance.md
rename to submissions/description/active_directory/dacl_abuse/guidance.md
diff --git a/submissions/description/active_directory/dacl_abuse/recommendations.md b/submissions/description/active_directory/dacl_abuse/recommendations.md
new file mode 100644
index 00000000..415acaf9
--- /dev/null
+++ b/submissions/description/active_directory/dacl_abuse/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Audit DACLs across the directory and remove dangerous permissions such as GenericAll, GenericWrite, WriteDACL, WriteOwner, and ForceChangePassword from non-administrative accounts and groups. Additionally, use tools such as BloodHound in a defensive capacity to map all attack paths through DACL permissions and prioritize remediation of the shortest paths to Domain Admins. Implement AdminSDHolder protections for sensitive accounts and groups.
diff --git a/submissions/description/active_directory/dacl_abuse/template.md b/submissions/description/active_directory/dacl_abuse/template.md
new file mode 100644
index 00000000..d65d7e1c
--- /dev/null
+++ b/submissions/description/active_directory/dacl_abuse/template.md
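Review bot: Step 5 tells the tester to run a password spray against {{test_target}} with no safety guard, even though step 3 has just recorded {{lockout_threshold}}; a spray that exceeds that threshold inside the observation window locks real users out. Suggest rewording step 5 to `Demonstrate the weakness by performing a password spray (staying below the documented lockout threshold and observation window) or offline hash cracking against {{test_target}} using {{attack_tool}}`. The opening paragraph also calls a minimum length below 12 characters weak while the sibling recommendations.md mandates 14, so the two files disagree on what is being reported.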
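Review bot: The closing AdminSDHolder sentence oversells what SDProp does: it only re-stamps the ACL of protected (adminCount=1) principals, on a 60-minute cycle by default, so it does nothing for the computer objects, OUs and ordinary groups this finding is about, and the AdminSDHolder object's own DACL must be audited because anyone who can write to it gains persistent control of every protected account. Suggest: `AdminSDHolder/SDProp only protects members of protected groups; audit the DACL on the AdminSDHolder object itself, and remediate write rights on OUs and GPOs separately.` The permission list should also mention object ownership, since an owner implicitly holds WRITE_DAC and can grant themselves any of the listed rights.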
@@ -0,0 +1,20 @@
+Discretionary Access Control List (DACL) abuse is a vulnerability in Active Directory where misconfigured object permissions grant low-privileged users dangerous rights over other objects in the directory. Common exploitable permissions include GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword, and AddMember on user accounts, groups, computer objects, or organizational units. An attacker with a low-privileged domain account can enumerate DACLs across the directory to identify objects where they (or their group memberships) hold excessive permissions, then escalate their privilege from a low-privileged domain user to a domain administrator.
+
+**Business Risk**
+
+Misconfigured DACLs allow low-privileged users to modify critical Active Directory objects without needing to exploit a software vulnerability. This could result in indirect financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Authenticate to the domain as {{low_privileged_user}} from {{attacker_host}}
+1. Enumerate DACL permissions across Active Directory objects in {{domain_name}} using {{enumeration_tool}}
+1. Identify the target object {{target_object}} where {{low_privileged_user}} or a group it belongs to holds {{dangerous_permission}}
+1. Exploit the identified permission on {{target_object}} by executing {{exploitation_action}} using {{exploitation_tool}}
+1. Confirm that {{exploitation_result}} was achieved, such as group membership change or password reset
+1. Validate the escalated access by authenticating to {{domain_controller}} with the modified privileges
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
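Review bot: `AddMember` in the first paragraph is a BloodHound edge name rather than an AD access right; the underlying right is WriteProperty on the group's `member` attribute (or the Self-Membership validated write for AddSelf), and the finding should name the right so it matches what the client sees in the ACL editor. Step 4 also has the tester execute {{exploitation_action}}, with password reset given as an example in step 5, against a live object with no caveat; resetting a real user's password is destructive and cannot be undone, so the step should say to prefer reversible actions (add then remove a group member, or target a tester-owned account) and to record the original state for rollback.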
diff --git a/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/template.md b/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/template.md deleted file mode 100644 index 5815df37..00000000 --- a/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/template.md +++ /dev/null 
@@ -1,21 +0,0 @@ -A system configured with unconstrained delegation was compromised during the assessment, leading to domain privilege escalation. - -Unconstrained delegation is a Kerberos feature introduced with Server 2000 which allows a service to impersonate any user who authenticates to it and subsequently access any other service in the domain on behalf of that user. This is a highly permissive configuration and the least restrictive form of delegation available in an active directory environment. - -When a user authenticates to a service configured with unconstrained delegation, the Key Distribution Center (KDC) issues a Ticket-Granting Ticket (TGT) for the user, and a copy of this TGT is forwarded to and stored in the memory of the delegating service. If this delegating service account is compromised, an attacker can extract these cached TGTs. With a user's TGT, the attacker can then request service tickets for any service within the domain, effectively impersonating that user to any resource. - -Rather than waiting for a highly privileged user to authenticate to the service, unconstrained delegation is usually combined with authentication coercion techniques where the target account is forcibly triggered to authenticate to the controlled service. A typical abuse pathway is to coerce authentication from a Domain Controller (DC) machine account, which is then leveraged to perform a DCSync attack. The DCSync simulates the replication process of one DC to another in order to retrieve the stored credentials/hashes of domain-wide user accounts. With access to these hashes, the attacker can then forge additional TGT’s on behalf of any arbitrary user in the domain (including privileged domain administrator accounts), resulting in full domain compromise. - -**Business Risk** - -This vulnerability could be abused by an attacker to gain unauthorised access to any user account, effectively leading to full domain compromise. 
This could result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} diff --git a/submissions/description/active_directory/excessive_domain_admin_membership/recommendations.md b/submissions/description/active_directory/excessive_domain_admin_membership/recommendations.md deleted file mode 100644 index 21b1c07e..00000000 --- a/submissions/description/active_directory/excessive_domain_admin_membership/recommendations.md +++ /dev/null @@ -1,6 +0,0 @@ -# recommendation(s) - -The Domain Administrators group should contain only accounts that strictly require such authority to complete their roles. The accounts themselves should be used infrequently, so as to further reduce the chance of compromise. - -Ensure that regular auditing of security group membership and user access rights is undertaken to prevent unnecessary permissions from being granted to user accounts. - \ No newline at end of file diff --git a/submissions/description/active_directory/excessive_domain_admin_membership/template.md b/submissions/description/active_directory/excessive_domain_admin_membership/template.md deleted file mode 100644 index b2578875..00000000 --- a/submissions/description/active_directory/excessive_domain_admin_membership/template.md +++ /dev/null 
@@ -1,19 +0,0 @@ -The Active Directory (AD) domain had a large number of user accounts belonging to the highly privileged “Domain Admins” security group. - -The "Domain Admins" group possesses the highest level of administrative authority within an Active Directory domain, granting full control over all domain controllers, workstations, servers, and every object in the domain. - -Having an excessive number of Domain Admins (DA) enlarges the attack surface by presenting a broad range of high-value targets, in turn increasing the likelihood of domain compromise. - -**Business Risk** - -Having an excessive number of highly privileged accounts in the domain expands the attack surface and increases the risk of an attacker compromising the domain. In turn, this could allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} diff --git a/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/recommendations.md b/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/recommendations.md deleted file mode 100644 index cc75dcb8..00000000 --- a/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/recommendations.md +++ /dev/null @@ -1,3 +0,0 @@ -# recommendation(s) - -Install the KB2962486 patch on all affected systems to prevent new credentials from being placed in Group Policy Preferences. As this patch will not fix existing Group Policy Preference files, refer to the vendor security bulletin MS14-025, where Microsoft has provided a PowerShell script to detect existing stored passwords for removal. 
diff --git a/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/template.md b/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/template.md deleted file mode 100644 index fdd66583..00000000 --- a/submissions/description/active_directory/group_policy_preferences_password_elevation_of_privilege/template.md +++ /dev/null @@ -1,19 +0,0 @@ -The Group Policy implementation was vulnerable to Microsoft Security Bulletin MS14-025, which allows an attacker to retrieve and decrypt passwords stored within Group Policy Preferences (GPP). - -In Older Windows servers, when GPP are used to deploy local user accounts, the passwords for these accounts are stored as encrypted strings within XML files (e.g., Groups.xml, Services.xml, ScheduledTasks.xml) hosted on the SYSVOL share. The private key used to encrypt the stored passwords has been publicly shared by Microsoft. - -As SYSVOL is accessible to all authenticated users, an attacker in possession of a domain account can search the SYSVOL share for XML files containing stored passwords. With access to the XML file(s), the attacker could then use the publicly available encryption key to decrypt the GPP password and retrieve the plaintext credential(s). This presents a trivial attack vector for a malicious user to escalate privileges or gain lateral movement within the domain. - -**Business Risk** - -An attacker could leverage the credentials obtained through this vulnerability to escalate privileges or exploit lateral movement vectors. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} 
diff --git a/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/recommendations.md b/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/recommendations.md deleted file mode 100644 index ced9ce00..00000000 --- a/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/recommendations.md +++ /dev/null @@ -1,15 +0,0 @@ -# recommendation(s) - -Disable LLMNR and NBT-NS protocols across the network. - -To disable LLMNR, the Group Policy Object (GPO) “Turn off multicast name resolution” should be set to ‘Enabled’ and applied to all domain-joined devices. - -NBT-NS can be disabled on a network adaptor of a machine by navigating to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and selecting “Disable NetBIOS over TCP/IP”. - -Whilst there is no GPO to disable NBT-NS across the domain, as a workaround, the following PowerShell script can be added to Group Policy under the path: Computer Configuration > Policies > Windows Settings > Scripts > Startup > PowerShell: - -``` - -Scripts.$regkey = “HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces” -Get-ChildItem $regkey |foreach { Set-ItemProperty -Path “$regkey\$($_.pschildname)” -Name NetbiosOptions -Value 2 -Verbose} -``` diff --git a/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/template.md b/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/template.md deleted file mode 100644 index 42289484..00000000 --- a/submissions/description/active_directory/insecure_name_resolution_protocols_enabled/template.md +++ /dev/null 
@@ -1,21 +0,0 @@ -Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows protocols for name resolution – translating hostnames to IP addresses. - -Windows systems will fall back to name resolution via LLMNR and NBT-NS when DNS (Domain Name System) has failed to resolve a hostname in the local network. To resolve hostnames, these protocols initiate a broadcast message to the network requesting the address of the resource it needs. - -An attacker situated within the same network segment can exploit LLMNR and NBT-NS queries by replying with spoofed responses impersonating the requested hostname. This process, known as poisoning, tricks victims into communicating with the attacker-controlled system. If the query is for a resource that requires authentication (such as a fileshare), the victim's system will send the user’s Net-NTLM(v1/2) hash to the attacker's machine. - -After poisoning a hostname resolution query, an attacker can proceed by attempting to crack the retrieved password hash offline using brute force methods. More commonly, the attacker will relay the authentication to another target in order to perform actions on the targeted system with the privileges of the impersonated user. - -**Business Risk** - -This vulnerability could allow an unauthenticated attacker situated within the network to compromise domain user accounts and gain lateral movement across systems in the domain. In turn, this could allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} 
diff --git a/submissions/description/active_directory/insecure_service_account_management/recommendations.md b/submissions/description/active_directory/insecure_service_account_management/recommendations.md deleted file mode 100644 index 423e6092..00000000 --- a/submissions/description/active_directory/insecure_service_account_management/recommendations.md +++ /dev/null @@ -1,6 +0,0 @@ -# recommendation(s) - -Ensure that service accounts follow the principle of least privilege such that only the minimum permissions necessary to perform their required functions are granted, thereby limiting their potential for misuse if compromised. A strong password policy should also be enforced, ensuring that all service account passwords are long, complex, and unique. - -For a more robust and sustainable solution, organizations should consider transitioning to the use of Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs) wherever possible. These accounts offer automatic password management and rotation, in turn reducing administrative burden and preventing the risk of using weak or reused passwords. - diff --git a/submissions/description/active_directory/insecure_service_account_management/template.md b/submissions/description/active_directory/insecure_service_account_management/template.md deleted file mode 100644 index b88059b3..00000000 --- a/submissions/description/active_directory/insecure_service_account_management/template.md +++ /dev/null 
@@ -1,19 +0,0 @@ -Insecure service account management occurs when an overly privileged domain user is configured to run a service. - - - -When a domain account is configured to run a service, a Service Principal Name (SPN) is used in the domain to associate the service with a login account. Any valid (including low privileged) domain user can request an SPN for a registered service and receive a Kerberos service ticket that is signed with the NTLM password hash of the account running that service. This data can then be extracted and subjected to offline brute-force password guessing with the aim of recovering the account's plaintext password. This attack pathway is referred to as 'Kerberoasting' and is used by an adversary to escalate their privileges within a domain. Accounts which use short and non-complex passwords increase the likelihood of a successful Kerberoasting attack. - -**Business Risk** - -This vulnerability could allow a low-privileged malicious user to escalate their privileges over the domain. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in significant financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} diff --git a/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/guidance.md b/submissions/description/active_directory/kerberos_abuse/domain_compromise_unconstrained_delegated/guidance.md similarity index 100% rename from submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/guidance.md rename to submissions/description/active_directory/kerberos_abuse/domain_compromise_unconstrained_delegated/guidance.md 
diff --git a/submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/recommendations.md b/submissions/description/active_directory/kerberos_abuse/domain_compromise_unconstrained_delegated/recommendations.md
similarity index 100%
rename from submissions/description/active_directory/domain_compromise_via_unconstrained_delegation/recommendations.md
rename to submissions/description/active_directory/kerberos_abuse/domain_compromise_unconstrained_delegated/recommendations.md
diff --git a/submissions/description/active_directory/kerberos_abuse/domain_compromise_unconstrained_delegated/template.md b/submissions/description/active_directory/kerberos_abuse/domain_compromise_unconstrained_delegated/template.md
new file mode 100644
index 00000000..215cd388
--- /dev/null
+++ b/submissions/description/active_directory/kerberos_abuse/domain_compromise_unconstrained_delegated/template.md
@@ -0,0 +1,20 @@
+Unconstrained Kerberos delegation is a misconfiguration where a computer or service account in Active Directory is trusted to delegate any user's credentials to any service. When a user authenticates to a server configured with unconstrained delegation, their Ticket Granting Ticket (TGT) is cached in memory on that server. An attacker who compromises a server with unconstrained delegation can extract these cached TGTs and use them to impersonate any user who has authenticated to the compromised server. If a domain administrator authenticates to the compromised server, the attacker can extract the administrator's TGT and use it to authenticate to any service in the domain, including domain controllers. This allows an attacker to gain full domain compromise through credential impersonation.
+
+**Business Risk**
+
+This vulnerability could be abused by an attacker to gain unauthorised access to any user account, effectively leading to full domain compromise. This could result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Enumerate Active Directory for computer accounts with unconstrained delegation enabled using {{enumeration_tool}} against {{domain_controller}}
+1. Identify the delegated server at {{delegated_server_hostname}} with the TRUSTED_FOR_DELEGATION flag set
+1. Obtain local administrator access on {{delegated_server_hostname}} using {{initial_access_method}}
+1. Use a tool such as `Rubeus` or `Mimikatz` on {{delegated_server_hostname}} to monitor for and extract cached TGTs from memory
+1. Coerce or wait for a privileged user to authenticate to {{delegated_server_hostname}}, or trigger authentication using {{coercion_method}}
+1. Extract the cached TGT for {{privileged_account}} and use it to authenticate to {{domain_controller}} to confirm domain-level access
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/sensitive_data_in_domain_file_shares/guidance.md b/submissions/description/active_directory/kerberos_abuse/guidance.md
similarity index 100%
rename from submissions/description/active_directory/sensitive_data_in_domain_file_shares/guidance.md
rename to submissions/description/active_directory/kerberos_abuse/guidance.md
diff --git a/submissions/description/active_directory/user_does_not_require_preauthentication/guidance.md b/submissions/description/active_directory/kerberos_abuse/insecure_service_account_management/guidance.md
similarity index 100%
rename from submissions/description/active_directory/user_does_not_require_preauthentication/guidance.md
rename to submissions/description/active_directory/kerberos_abuse/insecure_service_account_management/guidance.md
diff --git a/submissions/description/active_directory/kerberos_abuse/insecure_service_account_management/recommendations.md b/submissions/description/active_directory/kerberos_abuse/insecure_service_account_management/recommendations.md
new file mode 100644
index 00000000..5c2728f9
--- /dev/null
+++ b/submissions/description/active_directory/kerberos_abuse/insecure_service_account_management/recommendations.md
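Review bot: Step 1 enumerates computer accounts with TRUSTED_FOR_DELEGATION, but domain controllers carry that flag by design, so the step should say to exclude DCs from the result set or the finding will flag every DC in the domain. The narrative also only covers the case where a domain administrator happens to log on; the path the deleted template described — coercing a DC machine account with {{coercion_method}} (printer-bug / PetitPotam-style), capturing its TGT and running DCSync — needs no privileged user interaction and is the usual route to full compromise, so step 5 should name the DC machine account as a target rather than only a `privileged user`.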
@@ -0,0 +1,5 @@
+# recommendation(s)
+
+Use Group Managed Service Accounts (gMSA) which automatically rotate 240-character cryptographically random passwords. For accounts that cannot use gMSA, enforce passwords of at least 25 characters with regular rotation.
+
+Additionally, audit all accounts with registered SPNs and remove SPNs from accounts that do not require them. Apply the principle of least privilege to all service accounts. Monitor for high volumes of TGS requests from single accounts using Windows Security Event 4769, a pattern which indicates Kerberoasting activity.
diff --git a/submissions/description/active_directory/kerberos_abuse/insecure_service_account_management/template.md b/submissions/description/active_directory/kerberos_abuse/insecure_service_account_management/template.md
new file mode 100644
index 00000000..38b760fe
--- /dev/null
+++ b/submissions/description/active_directory/kerberos_abuse/insecure_service_account_management/template.md
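Review bot: The recommendation omits the most effective mitigation for accounts that must keep an SPN: set msDS-SupportedEncryptionTypes on the service account to AES-only so the TGS is not issued with RC4 (etype 23), which is the ticket type that cracks quickly. The Event 4769 sentence should also say to filter on TicketEncryptionType 0x17 and exclude computer accounts and krbtgt, otherwise 4769 volume is far too noisy to alert on. The `240-character` gMSA figure should be checked against the Microsoft documentation, which gives the length in bytes, and the 25-character minimum is a third baseline alongside the 14/20 in weak_domain_password_policy and the 15 in no_pre_authentication, so the set should settle on one number.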
@@ -0,0 +1,20 @@
+Kerberoasting is an attack against Active Directory service accounts that have a Service Principal Name (SPN) registered. Any authenticated domain user can request a Kerberos service ticket (TGS) for any SPN in the domain. The service ticket is encrypted using the service account's password hash. An attacker with a low-privileged domain account can request TGS tickets for all accounts with SPNs and then perform offline brute-force or dictionary attacks against the ticket encryption to recover the service account's plaintext password. Service accounts frequently have weak or long-lived passwords and elevated domain privileges. This allows an attacker to recover service account credentials and use them for lateral movement or privilege escalation.
+
+**Business Risk**
+
+Kerberoasting allows any authenticated domain user to target service account credentials for offline cracking. This could result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Authenticate to the domain as {{low_privileged_user}} from {{attacker_host}}
+1. Enumerate accounts with registered SPNs in {{domain_name}} using {{enumeration_tool}}
+1. Identify the target service account {{service_account}} with SPN {{spn_value}}.
+1. Request a TGS ticket for {{spn_value}} using {{ticket_request_tool}}
+1. Export the TGS ticket and perform offline password cracking using {{cracking_tool}} with {{wordlist}}
+1. Confirm that the plaintext password for {{service_account}} is recovered
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
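Review bot: `encrypted using the service account's password hash` is only accurate for RC4 tickets; AES tickets use keys derived from the password and a salt, and whether the TGS comes back as RC4 (etype 23) or AES (17/18) is the main factor in whether it is crackable at all. Step 4 should capture that: `Request a TGS ticket for {{spn_value}} using {{ticket_request_tool}} and record the ticket encryption type ({{etype}})`, because an AES-only account with a long password moves this finding to a much lower severity. Step 3 ends with a full stop while the other steps do not.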
diff --git a/submissions/description/active_directory/weak_machine_account_password/guidance.md b/submissions/description/active_directory/kerberos_abuse/no_pre_authentication/guidance.md similarity index 100% rename from submissions/description/active_directory/weak_machine_account_password/guidance.md rename to submissions/description/active_directory/kerberos_abuse/no_pre_authentication/guidance.md diff --git a/submissions/description/active_directory/user_does_not_require_preauthentication/recommendations.md b/submissions/description/active_directory/kerberos_abuse/no_pre_authentication/recommendations.md similarity index 58% rename from submissions/description/active_directory/user_does_not_require_preauthentication/recommendations.md rename to submissions/description/active_directory/kerberos_abuse/no_pre_authentication/recommendations.md index 10b0e61f..9f53b8e3 100644 --- a/submissions/description/active_directory/user_does_not_require_preauthentication/recommendations.md +++ b/submissions/description/active_directory/kerberos_abuse/no_pre_authentication/recommendations.md @@ -1,4 +1,3 @@ # recommendation(s) -For all user accounts, ensure that the "Do not require Kerberos preauthentication" option is disabled in Active Directory. This setting can be found in the user account properties under the "Account" tab. - +For all user accounts, ensure that the "Do not require Kerberos preauthentication" option is disabled in Active Directory. This setting can be found in the user account properties under the "Account" tab. Additionally, enforce a strong domain password policy with a minimum of 15 characters to make offline cracking significantly more difficult. diff --git a/submissions/description/active_directory/kerberos_abuse/no_pre_authentication/template.md b/submissions/description/active_directory/kerberos_abuse/no_pre_authentication/template.md new file mode 100644 index 00000000..71457dcb --- /dev/null 
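Review bot: The added sentence sets a 15-character minimum, which is a third baseline alongside the 14 in weak_domain_password_policy and the 25 in insecure_service_account_management; the templates should agree on one figure. More directly relevant to this finding, the AS-REP is quick to crack mainly because it is returned with RC4 (etype 23) for most accounts, so where the flag cannot be cleared for a legacy application the recommendation should add `set the account to AES-only via msDS-SupportedEncryptionTypes so the AS-REP is issued with etype 17/18`, which slows the offline attack by orders of magnitude.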
+++ b/submissions/description/active_directory/kerberos_abuse/no_pre_authentication/template.md 
@@ -0,0 +1,20 @@
+A domain user was vulnerable to an attack referred to as ASREPRoasting due to preauthentication being disabled for the account. ASREPRoasting targets Active Directory user accounts that have the "Do not require Kerberos preauthentication" flag enabled. When preauthentication is disabled, an attacker can send an AS-REQ request for the account without providing a valid password. The domain controller responds with an AS-REP containing a portion encrypted with the user's password hash. An attacker does not need any domain credentials to perform this request against accounts with preauthentication disabled. This allows an attacker to gain authenticated domain access or, if the targeted account has elevated privileges, to escalate privileges within the domain.
+
+**Business Risk**
+
+This vulnerability could result in an attacker gaining a foothold or escalating privileges in the domain. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in significant financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Enumerate accounts with preauthentication disabled in {{domain_name}} using {{enumeration_tool}} from {{attacker_host}}
+1. Identify the target account {{target_account}} with the DONT_REQUIRE_PREAUTH flag set
+1. Send an AS-REQ request for {{target_account}} to the domain controller at {{domain_controller}} using {{asrep_tool}}
+1. Capture the AS-REP response containing the encrypted portion of the ticket
+1. Perform offline password cracking against the AS-REP hash using {{cracking_tool}} with {{wordlist}}
+1. Confirm that the plaintext password for {{target_account}} is recovered
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
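Review bot: The description says no domain credentials are needed, yet step 1 enumerates accounts by the DONT_REQUIRE_PREAUTH flag, which requires an authenticated LDAP query; from an unauthenticated position the tester instead needs a username list and a Kerberos probe that tries each name. Suggest splitting step 1 into `Enumerate accounts with preauthentication disabled in {{domain_name}} using {{enumeration_tool}} (authenticated LDAP query), or from an unauthenticated position probe {{username_list}} against {{domain_controller}} using {{asrep_tool}}`. `AS-REQ request` in the first paragraph and step 3 expands to "Authentication Service Request request"; `send an AS-REQ` is enough.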
diff --git a/submissions/description/active_directory/kerberos_abuse/recommendations.md b/submissions/description/active_directory/kerberos_abuse/recommendations.md
new file mode 100644
index 00000000..1b9cf4e4
--- /dev/null
+++ b/submissions/description/active_directory/kerberos_abuse/recommendations.md
@@ -0,0 +1,5 @@
+# recommendation(s)
+
+Disable Unconstrained Delegation on the affected system/account. Where delegation is strictly necessary, consider migrating more restrictive delegation types (such as Resource-Based Constrained Delegation (RBCD)).
+
+Ensure that highly privileged accounts are protected from delegation by enabling the "Account is sensitive and cannot be delegated" option in Active Directory.
diff --git a/submissions/description/active_directory/kerberos_abuse/template.md b/submissions/description/active_directory/kerberos_abuse/template.md
new file mode 100644
index 00000000..5c554291
--- /dev/null
+++ b/submissions/description/active_directory/kerberos_abuse/template.md
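Review bot: This category-level recommendations file only addresses unconstrained delegation, while the category template that follows covers delegation, Kerberoasting and ASREPRoasting, so a submission filed at category level would receive a remediation for a finding it may not contain. Either summarise all three (disable or constrain delegation; gMSA or AES-only for SPN accounts; re-enable preauthentication) or drop this file so that the subcategory templates are used. Separately, `consider migrating more restrictive delegation types` is missing `to`, and the Protected Users group is worth naming alongside the "Account is sensitive" flag since it blocks delegation for its members as well.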
@@ -0,0 +1,15 @@
+Kerberos is the default authentication protocol in Active Directory environments. Misconfigurations such as unconstrained delegation, weak service account passwords with registered SPNs, and disabled preauthentication each provide a distinct attack path. An attacker can exploit these weaknesses to extract Ticket Granting Tickets from delegated servers, crack service ticket encryption offline to recover service account passwords, or request AS-REP hashes for accounts without preauthentication.
+
+**Business Risk**
+
+Kerberos abuse can result in credential theft, privilege escalation, and full domain compromise depending on the specific misconfiguration. This could result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/misconfigured_active_directory_certificate_services/guidance.md b/submissions/description/active_directory/misconfigured_active_directory_certificate_services/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/misconfigured_active_directory_certificate_services/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/misconfigured_active_directory_certificate_services/recommendations.md b/submissions/description/active_directory/misconfigured_active_directory_certificate_services/recommendations.md
new file mode 100644
index 00000000..1519201e
--- /dev/null
+++ b/submissions/description/active_directory/misconfigured_active_directory_certificate_services/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Audit all certificate templates and remove the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag from templates that enable client authentication. Restrict enrollment permissions to only the accounts and groups that require each template. Additionally, enable Manager Approval on sensitive templates so that certificate requests require CA administrator authorization before issuance. Remove unnecessary templates from publication on the CA.
diff --git a/submissions/description/active_directory/misconfigured_active_directory_certificate_services/template.md b/submissions/description/active_directory/misconfigured_active_directory_certificate_services/template.md
new file mode 100644
index 00000000..89233e38
--- /dev/null
+++ b/submissions/description/active_directory/misconfigured_active_directory_certificate_services/template.md
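Review bot: The recommendation fixes the template but says nothing about certificates already issued from it; those remain valid until expiry and keep granting the impersonation the template.md describes, so remediation that stops at the template configuration leaves the finding open. Consider appending `Review the CA's issued-certificate log for certificates issued from the affected template whose subject alternative name does not match the requesting account, and revoke them.`. Logging of certificate requests on the CA is also worth recommending so that future misuse of a template is detectable.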
@@ -0,0 +1,20 @@
+Misconfigured Active Directory Certificate Services (ADCS) is a vulnerability where certificate templates or enrollment permissions are configured in a way that allows a low-privileged user to request certificates that grant elevated privileges. An attacker with a low-privileged domain account can identify vulnerable templates, request a certificate with a SAN specifying a domain administrator, and use the issued certificate to authenticate as that administrator. This allows full domain compromise through certificate-based impersonation.
+
+**Business Risk**
+
+Misconfigured ADCS templates allow a low-privileged user to obtain certificates that impersonate domain administrators or other privileged accounts. This could result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Authenticate to the domain as {{low_privileged_user}} from {{attacker_host}}
+1. Enumerate vulnerable certificate templates on {{ca_server}} using {{enumeration_tool}}
+1. Identify the vulnerable template {{template_name}} with {{misconfiguration_detail}}
+1. Request a certificate from {{ca_server}} using template {{template_name}} with a SAN specifying {{target_privileged_account}}
+1. Receive the issued certificate and use it to authenticate to {{domain_controller}} as {{target_privileged_account}} using {{authentication_tool}}
+1. Confirm domain administrator access by executing {{verification_action}} on {{domain_controller}}
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/recommendations.md b/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/recommendations.md
deleted file mode 100644
index e2c8474e..00000000
--- a/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/recommendations.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# recommendation(s)
-
-Apply the Microsoft security updates addressing CVE-2019-1040 and CVE-2019-1166 to the affected system. These patches modify how the server validates the MIC, preventing the bypass.
-
-Additionally, for comprehensive protection across the domain, consider enforcing signing requirements on all servers where possible.
diff --git a/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/template.md b/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/template.md
deleted file mode 100644
index 5f0bace0..00000000
--- a/submissions/description/active_directory/ntlm_tampering_vulnerability_drop_the_mic/template.md
+++ /dev/null
@@ -1,19 +0,0 @@
-The server was vulnerable to a NT LAN Manager (NTLM) tampering vulnerability referred to as “Drop the Mic”, which allows Message Integrity Code (MIC) protections to be bypassed.
-
-The MIC is a cryptographic checksum designed to provide integrity protection for the NTLM authentication exchange. It serves as a protection mechanism against attempts to downgrade security features such as session signing which are negotiated during the exchange.
-
-Drop the Mic (CVE-2019-1040) and Drop the Mic 2 (CVE-2019-1166) are vulnerabilities which allow the protections provided by the MIC to be circumvented, in turn permitting the attacker to overcome session signing negotiation. As a result, affected servers which do not enforce session signing become vulnerable to NTLM relay attacks. In an NTLM relay attack, an attacker intercepts an NTLM authentication attempt from a client and "relays" it to the targeted server in order to perform actions with the privileges of the impersonated user.
-
-**Business Risk**
-
-This vulnerability could allow an unauthenticated attacker to gain a foothold on the domain or pursue lateral movement vectors using NTLM relay attack(s). In turn, this could allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
-
-**Steps to Reproduce**
-
-
-
-**Proof of Concept (PoC)**
-
-The screenshot(s) below demonstrate(s) the vulnerability:
->
-> {{screenshot}}
diff --git a/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/recommendations.md b/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/recommendations.md
deleted file mode 100644
index 00bbe5e8..00000000
--- a/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/recommendations.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# recommendation(s)
-
-Reconfigure PXE deployment to disable unknown computer support. Additionally, ensure that boot media is protected with a suitably complex password.
-
diff --git a/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/template.md b/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/template.md
deleted file mode 100644
index d5a02ad3..00000000
--- a/submissions/description/active_directory/pre_boot_execution_environment_boot_media_theft/template.md
+++ /dev/null
@@ -1,20 +0,0 @@
-An insecure Pre-Boot Execution Environment (PXE) configuration was identified which would allow an attacker to retrieve boot media and obtain secrets contained within.
-
-The PXE is a mechanism which allows clients to request and deploy operating systems over the network. Instead of booting from a CD drive, USB key or hard disk, the PC will use the network to retrieve boot media from the PXE server.
-
-When PXE deployment is configured to support unknown computers, and the PXE media is protected with either a blank or weak password, then an attacker may abuse this configuration to retrieve and decrypt boot media. In turn, this enables access to any secrets and credential material held within the media file. This may include local administrator passwords that are reused in other devices, or credentials for potentially privileged domain-joined accounts.
-
-
-**Business Risk**
-
-An attacker could leverage the credentials obtained through this vulnerability to gain a foothold in the domain, escalate privileges or exploit lateral movement vectors. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
-
-**Steps to Reproduce**
-
-
-
-**Proof of Concept (PoC)**
-
-The screenshot(s) below demonstrate(s) the vulnerability:
->
-> {{screenshot}}
diff --git a/submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/guidance.md b/submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/recommendations.md b/submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/recommendations.md
new file mode 100644
index 00000000..0ed268c9
--- /dev/null
+++ b/submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Disable anonymous LDAP binds by modifying the `dsHeuristics` attribute on the Directory Service configuration object. Additionally, enforce LDAP signing and channel binding on all domain controllers to prevent LDAP interception attacks. Restrict network access to LDAP ports using firewall rules to limit connections to authorized management networks.
diff --git a/submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/template.md b/submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/template.md
new file mode 100644
index 00000000..9bf021cd
--- /dev/null
+++ b/submissions/description/active_directory/sensitive_data_exposure/ldap_anonymous_bind_enabled/template.md
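Review bot: The first sentence of the recommendations gives no way to verify the fix: the rootDSE of a domain controller stays readable without a bind by design, so a retest that only checks whether an anonymous bind is accepted will still look vulnerable after `dsHeuristics` is changed. Suggest appending `After the change, confirm that an anonymous search below the domain naming context returns no objects; the rootDSE remaining readable is expected.`. It is also worth stating that LDAP signing and channel binding do not themselves prevent anonymous reads, so the second sentence is hardening rather than a fix for this finding.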
@@ -0,0 +1,20 @@
+The Active Directory domain controller accepts LDAP queries without authentication. An unauthenticated attacker with network access to the domain controller can query the directory for user accounts, group memberships, organizational units, computer objects, and other directory metadata. This exposes the full structure of the Active Directory environment without requiring any credentials. An attacker can use this information to identify high-value targets, map trust relationships, enumerate privileged group membership, and plan further attacks against the domain.
+
+**Business Risk**
+
+Anonymous LDAP access exposes the full Active Directory directory structure to any network-connected attacker. User account names, email addresses, group memberships, and organizational hierarchy can be enumerated without authentication. This could result in indirect financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Identify the domain controller at {{domain_controller_ip}} with LDAP service available on port {{ldap_port}}
+1. Attempt an anonymous LDAP bind to {{domain_controller_ip}} using {{ldap_tool}}
+1. Confirm the bind succeeds without providing credentials
+1. Execute an LDAP search query for {{search_base}} to enumerate user objects at {{search_filter}}
+1. Retrieve directory information including {{enumerated_attributes}} for the returned objects
+1. Confirm that sensitive directory data such as {{example_data}} is returned without authentication
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/guidance.md b/submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/recommendations.md b/submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/recommendations.md
new file mode 100644
index 00000000..62c843ab
--- /dev/null
+++ b/submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/recommendations.md
@@ -0,0 +1,3 @@
+# recommendation(s)
+
+Audit all network shares and replace broad access groups with specific security groups that use the principle of least privilege. Additionally, audit NTFS permissions on the underlying folders to ensure they align with share-level permissions. Remove sensitive files such as credentials, database backups, and PII from general-purpose file shares.
diff --git a/submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/template.md b/submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/template.md
new file mode 100644
index 00000000..a1814a22
--- /dev/null
+++ b/submissions/description/active_directory/sensitive_data_exposure/sensitive_data_in_open_file_shares/template.md
@@ -0,0 +1,20 @@
+Sensitive data was identified in network file shares within the Active Directory environment and are accessible without authentication, or with permissions that are overly broad for authenticated domain users. These shares may contain documents with credentials, internal infrastructure diagrams, database backups, source code, financial records, or personally identifiable information. An attacker who can access these shares can browse and download sensitive content without exploiting any application vulnerability. The exposure results from misconfigured share permissions, inherited NTFS permissions, or the use of the "Everyone" or "Authenticated Users" groups for share access.
+
+**Business Risk**
+
+Open file shares expose sensitive organizational data to any user or attacker with network or domain access. Credentials found in shared documents can be used for lateral movement and privilege escalation. This could result in indirect financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Authenticate to the domain as {{low_privileged_user}} from {{attacker_host}}, or connect to the network without authentication
+1. Enumerate network file shares across the domain using {{enumeration_tool}} targeting {{target_network_range}}
+1. Identify the accessible share at {{share_path}} with {{permission_level}} permissions
+1. Browse the share contents and locate sensitive data at {{file_path}}
+1. Download {{sensitive_file}} from the share
+1. Confirm that {{sensitive_data_description}} is present in the downloaded file
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
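Review bot: The opening sentence has a subject-verb mismatch (`Sensitive data ... and are accessible`) and leaves it unclear whether the data or the shares are the accessible thing, which matters because the rest of the paragraph and the recommendations talk about share permissions. Suggest `Sensitive data was identified in network file shares within the Active Directory environment that are accessible without authentication, or with permissions that are overly broad for authenticated domain users.`. The Business Risk paragraph says "indirect financial losses" where the sibling templates in this commit say "financial losses"; pick one wording for consistency.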
diff --git a/submissions/description/active_directory/sensitive_data_in_domain_file_shares/recommendations.md b/submissions/description/active_directory/sensitive_data_in_domain_file_shares/recommendations.md
deleted file mode 100644
index 082a900e..00000000
--- a/submissions/description/active_directory/sensitive_data_in_domain_file_shares/recommendations.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# recommendation(s)
-
-Conduct a thorough audit to identify, review and restrict access to all sensitive network file shares based on the principle of least privilege to ensure that only authorized individuals or groups with a legitimate business need have access to sensitive data. The practice of storing plaintext credentials within files should be avoided and replaced with secure credential management solutions (e.g., password vaults, secrets management systems).
-Furthermore, consider educating employees on data handling policies, the importance of protecting sensitive information, and the risks associated with unauthorized access.
diff --git a/submissions/description/active_directory/sensitive_data_in_domain_file_shares/template.md b/submissions/description/active_directory/sensitive_data_in_domain_file_shares/template.md
deleted file mode 100644
index c446d275..00000000
--- a/submissions/description/active_directory/sensitive_data_in_domain_file_shares/template.md
+++ /dev/null
@@ -1,26 +0,0 @@
-Sensitive data was disclosed in network file shares which were accessible to all authenticated users in the Active Directory domain.
-
-Due to the permissive access controls, an attacker who had successfully compromised a domain user account could abuse this access to obtain a variety of sensitive data, including:
-
-- Employee PII (e.g., HR records, payroll information)
-- Customer data (e.g., contact lists, contract details)
-- Financial documents (e.g., budgets, invoices, bank statements)
-- Proprietary business plans or intellectual property
-
-< Customise the above as needed >
-
-Furthermore, plaintext credentials were also discovered within the exposed shares. Equipped with these credentials, an attacker could look to compromise additional systems and accounts, or elevate privileges within the domain.
-
-**Business Risk**
-
-This vulnerability could be abused by an attacker to view, exfiltrate and potentially modify sensitive data. This could result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
-
-**Steps to Reproduce**
-
-
-
-**Proof of Concept (PoC)**
-
-The screenshot(s) below demonstrate(s) the vulnerability:
->
-> {{screenshot}}
diff --git a/submissions/description/active_directory/sscm_abuse/automatic_device_approval/guidance.md b/submissions/description/active_directory/sscm_abuse/automatic_device_approval/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/automatic_device_approval/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sscm_abuse/automatic_device_approval/recommendations.md b/submissions/description/active_directory/sscm_abuse/automatic_device_approval/recommendations.md
new file mode 100644
index 00000000..5411c51a
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/automatic_device_approval/recommendations.md
@@ -0,0 +1,7 @@
+# recommendation(s)
+
+There is no single technique to protect fromdDistribution point anonymous access abuse. However, the following best practices should be adhered to:
+
+- Change the site setting to require manual approval for new clients or to enforce PKI-based client authentication.
+- Deploy SCCM in PKI mode so that only devices with a valid client certificate issued by the internal CA can register.
+- Regularly review collection membership rules to limit which deployments are available to newly approved devices, and audit the list of approved clients on a regular schedule.
diff --git a/submissions/description/active_directory/sscm_abuse/automatic_device_approval/template.md b/submissions/description/active_directory/sscm_abuse/automatic_device_approval/template.md
new file mode 100644
index 00000000..8a1de169
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/automatic_device_approval/template.md
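Review bot: The introductory sentence of the automatic_device_approval recommendations names the wrong finding and carries a typo: `protect fromdDistribution point anonymous access abuse` was evidently copied from the distribution point file. Change it to `There is no single technique to protect from automatic device approval abuse. However, the following best practices should be adhered to:`. Separately, the product is abbreviated SCCM in every template body, but each new directory is named `sscm_abuse`; renaming the tree before other templates reference the path will be cheaper than renaming later.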
@@ -0,0 +1,19 @@
+Automatic device approval is a misconfiguration in System Center Configuration Manager (SCCM) where new client devices are automatically approved for management without administrator review. An attacker can register a rogue device with the SCCM site by installing the SCCM client and pointing it at the management point. The rogue device is automatically approved and receives all policies, software deployments, and configuration baselines assigned to its collection. This may include applications containing credentials, scripts with privileged account details, or compliance policies that reveal internal security configurations.
+
+**Business Risk**
+
+Automatic device approval can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Install the SCCM client on {{attacker_device}} and configure it to register with the management point at {{management_point_hostname}}
+1. Submit a client registration request from {{attacker_device}} to {{management_point_hostname}}
+1. Confirm that {{attacker_device}} is automatically approved without administrator intervention by checking the client status at {{sccm_console_path}}
+1. Wait for policy and deployment assignments to be applied to {{attacker_device}}
+1. Examine the received policies and software deployments on {{attacker_device}} at {{local_policy_path}}
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/guidance.md b/submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/guidance.md
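Review bot: The Business Risk paragraph gives only the generic consequences and omits the concrete impact that the description above it already establishes, so a triager reading that section alone cannot size the finding. Consider opening the paragraph with `An attacker can register an unmanaged device and receive the policies, scripts and software deployments intended for managed clients, which may disclose privileged credentials and internal configuration.` before the standard sentence on financial and reputational loss. The same pattern appears in the distribution_point_anonymous_access template.md later on this page.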
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/recommendations.md b/submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/recommendations.md
new file mode 100644
index 00000000..ef391553
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/recommendations.md
@@ -0,0 +1,7 @@
+# recommendation(s)
+
+There is no single technique to protect from distribution point anonymous access abuse. However, the following best practices should be adhered to:
+
+- Disable anonymous access on all distribution points and require HTTPS client communication.
+- Audit all hosted packages and scripts for hardcoded credentials and replace them with secure credential retrieval methods such as task sequence variables stored with encryption.
+- Enable Enhanced HTTP or full PKI mode for SCCM client communication to enforce mutual authentication.
diff --git a/submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/template.md b/submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/template.md
new file mode 100644
index 00000000..99fee0f4
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/distribution_point_anonymous_access/template.md
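Review bot: The second bullet of the recommendations tells the reader to audit hosted packages for hardcoded credentials but not to treat any that are found as already disclosed; content on an anonymously readable distribution point has been exposed, so replacing the storage mechanism without rotating the secrets leaves them usable. Append `Rotate any credentials found in hosted content, since they must be assumed to have been disclosed.`. The third bullet's claim that Enhanced HTTP enforces mutual authentication appears stronger than that mode provides (it relies on site-issued tokens rather than client certificates), so consider `Enable Enhanced HTTP at a minimum, or full PKI mode where certificate-based client authentication is required.`.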
@@ -0,0 +1,19 @@
+System Center Configuration Manager (SCCM) distribution point anonymous access is a misconfiguration where the SCCM distribution point allows unauthenticated HTTP access to software packages, operating system images, and scripts hosted for client deployment. An attacker with network access to the distribution point can browse and download all hosted content without authentication. This content may include application installers, scripts containing hardcoded credentials, configuration files with internal infrastructure details, and operating system deployment packages. This access allows an attacker to harvest sensitive data, recover credentials, and map internal infrastructure for further attacks.
+
+**Business Risk**
+
+Distribution point anonymous access can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Identify the SCCM infrastructure components including the site server, management point, and distribution points at {{sccm_infrastructure_targets}}
+1. Send an unauthenticated HTTP request to `{{distribution_point_url}}/SMS_DP_SMSPKG$/` to list available packages
+1. Browse the directory listing at {{package_directory_url}} to identify available content
+1. Download {{package_or_file}} from the distribution point without providing credentials
+1. Examine the downloaded content for credentials, scripts, or sensitive configuration data at {{file_path}}
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/sscm_abuse/guidance.md b/submissions/description/active_directory/sscm_abuse/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/guidance.md b/submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/recommendations.md b/submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/recommendations.md
new file mode 100644
index 00000000..b2506a9f
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/recommendations.md
@@ -0,0 +1,6 @@
+# recommendation(s)
+
+There is no single technique to protect fromd SSCM abuse. However, the following best practices should be adhered to:
+
+- Disable automatic client push installation and use alternative client deployment methods, such as Group Policy-based installation, manual push with Kerberos enforcement, or task sequence-based deployment.
+- If client push installation must remain enabled, restrict the push installation account to the minimum required permissions, enforce SMB signing on all endpoints, and enable EPA. Remove local administrator rights from the push installation account where possible. Consider using PKI-based client authentication to eliminate NTLM dependency.
diff --git a/submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/template.md b/submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/template.md
new file mode 100644
index 00000000..8bb7eb4e
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/ntlm_automatic_push_installation/template.md
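Review bot: The introductory sentence contains two typos that recur verbatim in the ntlm_management_point_site_database recommendations at the end of this page: `protect fromd SSCM abuse` should read `protect from SCCM abuse`. In the second bullet, `enable EPA` is an unexpanded acronym placed next to SMB signing, although Extended Protection for Authentication applies to HTTP(S) and LDAP services that could receive relayed authentication rather than to the SMB connection the push installation itself makes; suggest `enable Extended Protection for Authentication (EPA) on web and LDAP services that could be relay targets`. Fix the first sentence here and once more in the later file.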
@@ -0,0 +1,20 @@
+NTLM relay via System Center Configuration Manager (SCCM) automatic client push installation is a vulnerability where the site server automatically connects to newly discovered devices to install the SCCM client using a configured push installation account, which authenticates to the target device using NTLM. An attacker who controls a device or DNS entry on the network can cause the site server to initiate a push installation to an attacker-controlled host. The attacker can then relay the push installation account's NTLM credentials to a high-value target such as a domain controller or the site database server. The push installation account is often granted local administrator privileges across managed devices.
+
+**Business Risk**
+
+Successful NTLM relay of this account allows an attacker to gain administrative access to domain controllers, site database servers, or other critical infrastructure. This can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Identify the SCCM site server at {{site_server_hostname}} with automatic client push installation enabled
+1. Register a new device or DNS record for {{attacker_controlled_hostname}} on the network to trigger automatic client push discovery
+1. Set up an NTLM relay tool on {{attacker_host}} configured to relay captured authentication to {{target_hostname}} on port {{target_port}}
+1. Wait for the site server to initiate a client push installation to {{attacker_controlled_hostname}}
+1. Capture the NTLM authentication from the push installation account and relay it to {{target_hostname}}
+1. Confirm that the relayed authentication grants administrative access on {{target_hostname}} by executing {{verification_action}}
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/guidance.md b/submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/recommendations.md b/submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/recommendations.md
new file mode 100644
index 00000000..72765fd0
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/recommendations.md
@@ -0,0 +1,8 @@
+# recommendation(s)
+
+There is no single technique to protect fromd SSCM abuse. However, the following best practices should be adhered to:
+
+- Enforce Kerberos authentication between the management point and the site database
+- Enable SMB signing on all SCCM site systems
+- Disable NTLM authentication where possible via Group Policy
+- Ensure the management point and site database communicate over a secured and segmented network
diff --git a/submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/template.md b/submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/template.md
new file mode 100644
index 00000000..e7ba6b88
--- /dev/null
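Review bot: The bullet list in this recommendations.md omits Extended Protection for Authentication on the site database SQL instance, which the parent sscm_abuse/recommendations.md in the same patch pairs with SMB signing as its anti-relay control and which is the one setting that applies to the SQL Server endpoint this finding is about. Proposed additional bullet: `- Enable Extended Protection for Authentication (EPA) on the site database SQL instance`. The list also mixes bullets with and without terminal punctuation; the sibling recommendations files have the same inconsistency and could be normalised together.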
+++ b/submissions/description/active_directory/sscm_abuse/ntlm_management_point_site_database/template.md 
@@ -0,0 +1,20 @@
+NTLM relay from the System Center Configuration Manager (SCCM) management point to the site database is a vulnerability where the management point authenticates to the SQL Server site database using NTLM rather than Kerberos. An attacker who can intercept or coerce NTLM authentication from the management point can relay those credentials to the site database server. Successful relay grants the attacker the management point's database permissions, which typically include read and write access to the SCCM site database. This allows an attacker to modify site configuration, inject malicious deployments, elevate SCCM privileges, or extract credentials stored in the database.
+
+**Business Risk**
+
+Successful NTLM relay to the site database grants an attacker direct read and write access to SCCM configuration and deployment data. This can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Identify the SCCM management point at {{management_point_hostname}} and the site database server at {{site_database_hostname}}
+1. Set up an NTLM relay tool on {{attacker_host}} configured to relay captured authentication to {{site_database_hostname}} on port {{sql_port}}
+1. Coerce NTLM authentication from {{management_point_hostname}} to {{attacker_host}} using {{coercion_method}}
+1. Observe the relayed authentication succeeding against {{site_database_hostname}}
+1. Execute a SQL query against the SCCM site database at {{site_database_hostname}} using the relayed session to confirm access, such as querying {{query}}
+1. Confirm that {{database_output}} is returned, demonstrating read or write access to the site database
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/guidance.md b/submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/recommendations.md b/submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/recommendations.md
new file mode 100644
index 00000000..cf51e60b
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/recommendations.md
@@ -0,0 +1,9 @@
+# recommendation(s)
+
+There is no single technique to protect fromd SSCM abuse. However, the following best practices should be adhered to:
+
+- Enforce Kerberos authentication between all SCCM site systems and enable SMB signing and EPA on all site system roles.
+- Disable NTLM authentication for SCCM inter-site communication where supported
+- Segment SCCM site systems on a dedicated management network
+- Apply the principle of least privilege to the site server account
+- Enable HTTPS communication between all site system roles
diff --git a/submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/template.md b/submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/template.md
new file mode 100644
index 00000000..98e2bc6b
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/ntlm_site_server_site_system/template.md
@@ -0,0 +1,20 @@
+NTLM relay from the System Center Configuration Manager (SCCM) site server to site systems is a vulnerability where the site server uses NTLM authentication when communicating with other SCCM site system roles such as distribution points, management points, or software update points. An attacker who can intercept NTLM authentication from the site server can relay those credentials to other site systems. The site server typically authenticates with high-privilege domain credentials, so a successful relay grants the attacker administrative access to the target site system. This can be used to compromise site system roles, inject malicious content, or pivot to additional infrastructure within the SCCM hierarchy.
+
+**Business Risk**
+
+Successful NTLM relay of the site server's credentials allows an attacker to take administrative control of distribution points, management points, or other site roles. This can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Identify the SCCM site server at {{site_server_hostname}} and a target site system at {{target_site_system_hostname}}
+1. Set up an NTLM relay tool on {{attacker_host}} configured to relay captured authentication to {{target_site_system_hostname}} on port {{target_port}}
+1. Coerce NTLM authentication from {{site_server_hostname}} to {{attacker_host}} using {{coercion_method}}
+1. Observe the relayed authentication succeeding
+1. Execute a privileged action on {{target_site_system_hostname}} using the relayed session, such as {{privileged_action}}
+1. Confirm that {{action_result}} demonstrates administrative access to the target site system
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/guidance.md b/submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/guidance.md
new file mode 100644
index 00000000..ee88d9d2
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/recommendations.md b/submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/recommendations.md
new file mode 100644
index 00000000..b2506a9f
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/recommendations.md
@@ -0,0 +1,6 @@
+# recommendation(s)
+
+There is no single technique to protect fromd SSCM abuse. However, the following best practices should be adhered to:
+
+- Disable automatic client push installation and use alternative client deployment methods, such as Group Policy-based installation, manual push with Kerberos enforcement, or task sequence-based deployment.
+- If client push installation must remain enabled, restrict the push installation account to the minimum required permissions, enforce SMB signing on all endpoints, and enable EPA. Remove local administrator rights from the push installation account where possible. Consider using PKI-based client authentication to eliminate NTLM dependency.
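Review bot: This recommendations.md is a byte-for-byte copy of the client-push file (both `index` lines show blob `b2506a9f`), so its two bullets talk about disabling automatic client push installation and hardening the push account, while the matching template.md describes credentials exposed through task sequences, collection variables and the Network Access Account. A reader remediating this finding gets no guidance on the actual issue. Replace the bullets with the controls the parent sscm_abuse/recommendations.md already lists for this case: remove stored credentials from task sequences and the NAA, audit task sequences and collection variables for embedded credentials and replace them with secure alternatives, move client authentication to Enhanced HTTP or PKI-based certificates, and rotate any account whose credential was confirmed exposed. Keep the shared intro line, with `SCCM` spelled correctly.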
diff --git a/submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/template.md b/submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/template.md
new file mode 100644
index 00000000..48a35ded
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/privileged_credentials_exposed/template.md
@@ -0,0 +1,20 @@
+Privileged credential exposure in System Center Configuration Manager (SCCM) occurs when sensitive credentials are stored in task sequences, collection variables, or the Network Access Account (NAA) in a manner that allows retrieval by low-privileged users or managed devices. SCCM encrypts these credentials using a key that is available to any approved SCCM client. An attacker with access to a managed device or a low-privileged domain account can query the SCCM management point for policy data and decrypt the stored credentials. These credentials are often domain accounts with elevated privileges such as domain join accounts, local administrator accounts, or service accounts. This allows an attacker to recover plaintext credentials and use them for lateral movement or privilege escalation within the Active Directory environment.
+
+**Business Risk**
+
+Exposed privileged credentials in SCCM configuration data can grant an attacker access to domain join accounts, service accounts, or local administrator accounts. This can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Log in to a managed SCCM client at {{managed_device}} as {{low_privileged_user}}
+1. Use a tool such as `SharpSCCM` or `sccmhunter` to request policy data from the management point at {{management_point_hostname}}
+1. Retrieve the encrypted credential blob from {{policy_source}} containing {{credential_type}}
+1. Decrypt the recovered credential blob using the SCCM client's policy decryption key at {{decryption_method}}
+1. Confirm that the plaintext credential for {{account_name}} is recovered
+1. Validate the recovered credential by authenticating to {{validation_target}} without elevated privileges
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
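Review bot: Step 6, `Validate the recovered credential by authenticating to {{validation_target}} without elevated privileges`, is ambiguous (it reads as though the tester should authenticate unprivileged) and sits awkwardly beside the PXE guidance.md in this patch, which tells testers not to use recovered credentials against production systems. Proposed: `1. Validate the recovered credential for {{account_name}} against {{validation_target}} only as permitted by the engagement scope, and record the privilege level the account holds`. Step 4 also has a preposition slip in `using the SCCM client's policy decryption key at {{decryption_method}}`; `via {{decryption_method}}` reads correctly.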
diff --git a/submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/guidance.md b/submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/guidance.md
new file mode 100644
index 00000000..7baa231f
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/guidance.md
@@ -0,0 +1,4 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+Include screenshots showing the PXE boot request and successful retrieval of the boot image. Show extracted credentials or sensitive data found within the image. Do not use recovered credentials to authenticate to production systems. Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/recommendations.md b/submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/recommendations.md
new file mode 100644
index 00000000..74e498bb
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/recommendations.md
@@ -0,0 +1,5 @@
+# recommendation(s)
+
+Reconfigure PXE deployment to disable unknown computer support. Require a PXE boot password on all task sequences and enable the "Require a password when computers use PXE" option in the distribution point properties.
+
+Additionally, configure SCCM to use HTTPS for client communication, remove sensitive credentials from task sequences and boot images, and segment the PXE deployment network from general user VLANs. Use network access accounts with least privilege and consider migrating to Enhanced HTTP or PKI-based certificate authentication.
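Review bot: In the guidance.md hunk the finding-specific sentences were appended directly under the generic paragraph with no blank line, so the `Do not use recovered credentials to authenticate to production systems.` instruction and the `Attempt to escalate ...` sentence run together in a single block, whereas every other guidance.md in this patch keeps the escalation sentence as its own paragraph. Insert a blank `+` line before `Include screenshots showing the PXE boot request ...` and another before `Attempt to escalate the vulnerability ...` so the safety instruction stands on its own and the file matches its siblings.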
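Review bot: The recommendations.md hunk says to remove credentials from task sequences and boot images but gives no direction for credentials that were already embedded in an image a tester was able to retrieve; anything recovered this way has to be treated as disclosed. Proposed addition to the second paragraph: `Rotate any account whose credentials were present in a boot image or task sequence that could be retrieved over PXE.`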
diff --git a/submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/template.md b/submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/template.md
new file mode 100644
index 00000000..85e5ced2
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/pxe_boot_media_theft/template.md
@@ -0,0 +1,19 @@
+Pre-Boot Execution Environment (PXE) Boot media theft is a vulnerability in Microsoft System Center Configuration Manager (SCCM) where the PXE boot process exposes operating system deployment media to unauthorized network access. An attacker with access to the same network segment as the PXE-enabled distribution point can intercept PXE boot responses and retrieve the boot image. The boot image may contain domain join credentials, task sequence variables, or other sensitive configuration data embedded during the OS deployment process. This allows an attacker to extract credentials and configuration details that can be used to move laterally within the Active Directory environment.
+
+**Business Risk**
+
+An attacker could leverage the credentials obtained through this vulnerability to gain a foothold in the domain, escalate privileges or exploit lateral movement vectors. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Connect to the same network segment as the SCCM PXE-enabled distribution point at {{distribution_point_hostname}}
+1. Configure a PXE client or use a tool such as `pxethief` to send a DHCP PXE boot request to {{distribution_point_ip}}
+1. Capture the PXE boot image file returned by {{distribution_point_hostname}}
+1. Mount or extract the captured boot image
+1. Search the extracted contents for credentials, task sequence variables, or sensitive configuration data at {{file_path}}
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/sscm_abuse/recommendations.md b/submissions/description/active_directory/sscm_abuse/recommendations.md
new file mode 100644
index 00000000..2d18cfaf
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/recommendations.md
@@ -0,0 +1,14 @@
+# recommendation(s)
+
+There is no single technique to protect from SSCM abuse. However, the following best practices should be adhered to:
+
+- Enforce HTTPS communication between all site systems, require PKI-based client authentication, disable automatic client push installation, and remove all stored credentials from task sequences and the Network Access Account.
+- Enforce SMB signing on all SCCM site systems and enable Extended Protection for Authentication on the site database SQL instance, and segment SCCM management traffic on a dedicated network.
+- Audit all task sequences and collection variables for embedded credentials and replace them with secure alternatives.
+- Require PXE boot passwords on all deployment task sequences.
+
+For more information, view the following resources:
+
+-
+-
+-
diff --git a/submissions/description/active_directory/sscm_abuse/template.md b/submissions/description/active_directory/sscm_abuse/template.md
new file mode 100644
index 00000000..b52b4cce
--- /dev/null
+++ b/submissions/description/active_directory/sscm_abuse/template.md
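Review bot: The `For more information, view the following resources:` section ends in three empty `-` bullets, which render as blank list items and are the kind of thing the linting fix later in this series will flag. Either populate them with the references the author intended (vendor documentation for the controls listed above) or drop the section until they exist. The intro line also has the `SSCM` transposition used elsewhere in this patch, and the second bullet has a doubled conjunction; proposed: `- Enforce SMB signing on all SCCM site systems, enable Extended Protection for Authentication on the site database SQL instance, and segment SCCM management traffic on a dedicated network.`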
@@ -0,0 +1,21 @@
+System Center Configuration Manager (SCCM) abuse is a class of vulnerabilities where misconfigurations in the SCCM deployment hierarchy allow an attacker to compromise managed endpoints, escalate privileges, or move laterally within the Active Directory environment. SCCM manages operating system deployment, software distribution, and client policy enforcement across domain-joined devices. An attacker could leverage the credentials obtained through this vulnerability to gain a foothold in the domain, escalate privileges or exploit lateral movement vectors. The specific impact depends on which component is misconfigured and the privilege level of the credentials or access exposed.
+
+
+**Business Risk**
+
+SCCM abuse can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
+
+**Steps to Reproduce**
+
+1. Identify the SCCM infrastructure components including the site server, management point, and distribution points at {{sccm_infrastructure_targets}}
+1. Determine the specific SCCM misconfiguration present at {{misconfiguration_detail}}
+1. Exploit the identified misconfiguration from {{attacker_position}} using {{exploitation_tool}}
+1. Capture or demonstrate the resulting access, credential exposure, or policy manipulation at {{exploitation_output}}
+1. Validate the impact by confirming {{impact_evidence}} on {{affected_system}}
+1. Document the scope of affected systems or credentials at {{scope_detail}}
+
+**Proof of Concept (PoC)**
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}
diff --git a/submissions/description/active_directory/user_does_not_require_preauthentication/template.md b/submissions/description/active_directory/user_does_not_require_preauthentication/template.md
deleted file mode 100644
index d608d2f0..00000000
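Review bot: The opening paragraph is followed by two consecutive blank `+` lines, a multiple-blank-lines lint violation the other templates in this patch avoid, and its third sentence, `An attacker could leverage the credentials obtained through this vulnerability ...`, is lifted from the PXE template even though at this class level the finding need not involve credentials at all. Proposed: `An attacker could leverage the access or credentials obtained through the misconfiguration to gain a foothold in the domain, escalate privileges, or move laterally.` Drop one of the two blank lines.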
--- a/submissions/description/active_directory/user_does_not_require_preauthentication/template.md
+++ /dev/null
@@ -1,21 +0,0 @@
-A domain user was vulnerable to an attack referred to as ASREPRoasting due to preauthentication being disabled for the account.
-
-The ASREPRoast attack targets the first step of the Kerberos authentication process, where the client supplies their User Principal Name (UPN) in a request to receive a ticket from the Authentication Service. Importantly, the resultant ticket is signed with the associated user’s password hash.
-
-Kerberos preauthentication performs checks to validate the identity of the requestor against the UPN supplied in the request, to ensure that only a requestor in possession of the associated user password will receive a ticket.
-
-When preauthentication is disabled, an unauthenticated attacker can request a ticket on behalf of the vulnerable user and attempt to crack the password hash in order to retrieve their plaintext password. Accounts which use short and non-complex passwords increase the likelihood of a successful ASREPRoast attack.
-
-**Business Risk**
-
-This vulnerability could result in an attacker gaining a foothold or escalating privileges in the domain. In turn, this would allow unauthorized access, data theft, and malicious activities. Such incidents can result in significant financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised.
-
-**Steps to Reproduce**
-
-
-
-**Proof of Concept (PoC)**
-
-The screenshot(s) below demonstrate(s) the vulnerability:
->
-> {{screenshot}}
diff --git a/submissions/description/active_directory/weak_machine_account_password/recommendations.md b/submissions/description/active_directory/weak_machine_account_password/recommendations.md
deleted file mode 100644
index 5c3f5af3..00000000
--- a/submissions/description/active_directory/weak_machine_account_password/recommendations.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# recommendation(s)
-
-Reset the computer account password to a suitably secure value.
-
-To address weak machine account passwords and potential timeroasting vulnerabilities which may be present in the wider network:
-
-- **Audit Pre-Windows 2000 Compatibility:** For computers created for pre-Windows 2000 compatibility within the last 30 days, ensure passwords are reset to suitably secure values. These accounts are initialized with a default weak password (matches the first 14 characters of their computer name) which will persist until being rotated.
-- **Enable Automated Rotation:** Ensure the GPO "Domain member: Disable machine account password changes" is not enabled, allowing the default 30-day password rotation for all machine accounts.
-- **Identify and Reset Stale Passwords:** Identify any machine accounts whose passwords have not expired/rotated in the last 30 days to identify and rectify issues preventing automated rotation.
diff --git a/submissions/description/active_directory/weak_machine_account_password/template.md b/submissions/description/active_directory/weak_machine_account_password/template.md
deleted file mode 100644
index 0df404ef..00000000
--- a/submissions/description/active_directory/weak_machine_account_password/template.md
+++ /dev/null
@@ -1,21 +0,0 @@ -A workstation/server was configured with a weak computer account password, which allowed the system to be compromised via a “Timeroasting” attack. - -Timeroasting is a technique which abuses the Windows authentication mechanism of the Network Time Protocol (NTP) to extract password hashes for computer accounts. - -The Network Time Protocol enables domain-joined computers to synchronise their clocks with a Domain Controller (DC), which acts as the centralised time server. Due to concerns with time spoofing, Microsoft implemented an extension to the protocol (MS-SNTP) to provide a means for the time server (DC) to verify its identity. In this process, the clients (computer accounts) supply their RIDs in requests to the time server, which in turn looks up the corresponding computer account and generates a response using its password hash. Whilst this extension addresses time spoofing concerns, it also allows any unauthenticated user to retrieve and subject password hashes for any computer account in the domain to brute-force password cracking techniques. - -By default, machine account management for domain-joined systems is automated in Windows systems to ensure that suitably secure values are set for passwords and rotated every 30 days. As a result, machine account passwords typically do not represent attractive candidates for brute force cracking techniques. However, machine account passwords can become vulnerable when weak values are manually set by system administrators, or when the machine was enabled to be pre-windows 2000 compatible (in which case the initial password matches the first 14 characters of the computer name). - -**Business Risk** - -This vulnerability could allow an unauthenticated attacker to gain a foothold on the domain or pursue lateral movement vectors. In turn, this would allow unauthorized access, data theft, and malicious activities. 
Such incidents can result in financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} From 3de72a884150bb576b621b390e13b6fb5387bf93 Mon Sep 17 00:00:00 2001 
From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Wed, 1 Apr 2026 10:30:46 +1000 Subject: [PATCH 3/4] fixed linting errors and removed internal_infrastructure --- .../recommendations.md | 2 +- .../configuration_weaknesses/template.md | 10 ++++----- .../guidance.md | 5 ----- .../recommendations.md | 5 ----- .../template.md | 19 ----------------- .../guidance.md | 5 ----- .../recommendations.md | 3 --- .../template.md | 19 ----------------- .../guidance.md | 5 ----- .../recommendations.md | 3 --- .../template.md | 21 ------------------- .../guidance.md | 5 ----- .../recommendations.md | 3 --- .../template.md | 21 ------------------- .../guidance.md | 5 ----- .../recommendations.md | 7 ------- .../template.md | 19 ----------------- .../guidance.md | 5 ----- .../recommendations.md | 3 --- .../template.md | 17 --------------- .../guidance.md | 5 ----- .../recommendations.md | 5 ----- .../template.md | 19 ----------------- .../guidance.md | 5 ----- .../recommendations.md | 3 --- .../template.md | 19 ----------------- .../guidance.md | 5 ----- .../recommendations.md | 3 --- .../template.md | 17 --------------- .../guidance.md | 5 ----- .../recommendations.md | 5 ----- .../template.md | 21 ------------------- .../guidance.md | 5 ----- .../recommendations.md | 3 --- .../template.md | 17 --------------- .../guidance.md | 5 ----- .../recommendations.md | 3 --- .../template.md | 17 --------------- .../guidance.md | 5 ----- .../recommendations.md | 3 --- .../template.md | 17 --------------- .../guidance.md | 5 ----- .../recommendations.md | 3 --- .../template.md | 17 --------------- 44 files changed, 5 insertions(+), 389 deletions(-) delete mode 100644 submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/guidance.md delete mode 100644 submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/recommendations.md delete mode 100644 
submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/template.md delete mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/guidance.md delete mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/template.md delete mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/guidance.md delete mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/template.md delete mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/guidance.md delete mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/template.md delete mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/guidance.md delete mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/template.md delete mode 100644 submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/guidance.md 
delete mode 100644 submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/template.md delete mode 100644 submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/guidance.md delete mode 100644 submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/template.md delete mode 100644 submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/guidance.md delete mode 100644 submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/template.md delete mode 100644 submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/guidance.md delete mode 100644 submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/template.md delete mode 100644 submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/guidance.md delete mode 100644 submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/template.md delete mode 100644 submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/guidance.md delete mode 100644 
submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/template.md delete mode 100644 submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/guidance.md delete mode 100644 submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/template.md delete mode 100644 submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/guidance.md delete mode 100644 submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/template.md delete mode 100644 submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/guidance.md delete mode 100644 submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/recommendations.md delete mode 100644 submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/template.md diff --git a/submissions/description/active_directory/configuration_weaknesses/recommendations.md b/submissions/description/active_directory/configuration_weaknesses/recommendations.md index 4edfb56d..278be85b 100644 --- a/submissions/description/active_directory/configuration_weaknesses/recommendations.md +++ b/submissions/description/active_directory/configuration_weaknesses/recommendations.md 
@@ -1,3 +1,3 @@
 # recommendation(s)
-Remove passwords and other sensitive information from all AD user account description fields.
+The specific remediation depends on the specific finding but should follow Microsoft's Active Directory security best practices. In general, enforce strong password policies, deploy LAPS for local administrator password management, remove unnecessary privileged group memberships, and implement an automated account lifecycle process.
diff --git a/submissions/description/active_directory/configuration_weaknesses/template.md b/submissions/description/active_directory/configuration_weaknesses/template.md
index 5356d769..93b27eb0 100644
--- a/submissions/description/active_directory/configuration_weaknesses/template.md
+++ b/submissions/description/active_directory/configuration_weaknesses/template.md
@@ -1,8 +1,4 @@
-Active Directory (AD) user accounts were discovered with plaintext or easily decipherable passwords (or password fragments/hints) stored within their "Description" attribute.
-
-Storing passwords or sensitive information in the Description fields of user accounts may be practiced for administrative convenience, however, these account descriptions are retrievable by any authenticated domain user without any special privileges.
-
-As a result, an attacker with access to any valid domain user could retrieve the sensitive data stored in account descriptions and leverage any resulting credentials to compromise the affected accounts.
+Active Directory (AD) configuration weaknesses are insecure settings in the domain environment that increase the attack surface for credential theft, privilege escalation, and domain compromise. Common weaknesses include weak password policies, excessive privileged group membership, and shared local administrator passwords, amongst others. These confoguration weaknesses reduce the effort needed for an attacker to compromise the domain.
 **Business Risk**
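Review bot: The new description line in the template.md hunk misspells "configuration": `These confoguration weaknesses reduce the effort needed for an attacker to compromise the domain.` should read `These configuration weaknesses reduce the effort needed for an attacker to compromise the domain.`. The same file's second hunk (Steps to Reproduce) has a stray word in the third step, `1. Compare and the observed configuration against the security baseline at {{baseline_reference}}`, which should be `1. Compare the observed configuration against the security baseline at {{baseline_reference}}`. Because this template is copied verbatim into every report that uses it, both typos will propagate into customer-facing findings.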
@@ -10,7 +6,9 @@ This vulnerability may lead to an attacker compromising the affected user accoun
 **Steps to Reproduce**
-
+1. Authenticate to the domain as a low privileged user from {{attacker_host}}
+1. Enumerate the specific configuration weaknesses in the domain
+1. Compare and the observed configuration against the security baseline at {{baseline_reference}}
 **Proof of Concept (PoC)**
diff --git a/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/guidance.md b/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/guidance.md
deleted file mode 100644
index ee88d9d2..00000000
--- a/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/guidance.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Guidance
-
-Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
-
-Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/recommendations.md b/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/recommendations.md
deleted file mode 100644
index c1565227..00000000
--- a/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/recommendations.md
+++ /dev/null
@@ -1,5 +0,0 @@ -# recommendation(s) - -Disable anonymous login on FTP if it is not required. - -In the event anonymous logins are required as part of a legitimate business need, compensating controls such as IP allow listing should be put in place to mitigate the risk of truly anonymous connections. Regularly audit the contents of the service and file system permissions to prevent inadvertent exposure of sensitive data. diff --git a/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/template.md b/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/template.md deleted file mode 100644 index 3d2f3f02..00000000 --- a/submissions/description/internal_infrastructure/file_transfer_protocol_anonymous_login/template.md +++ /dev/null @@ -1,19 +0,0 @@ -A File Transfer Protocol (FTP) server running on the remote host allows anonymous logins. - -Any individual with remote connectivity to the service may gain access to the server without providing a password or unique credentials. - -This would permit an anonymous attacker to access any files made available by the FTP server within the folder to which the anonymous account has permission to view, potentially exposing sensitive material. - -**Business Risk** - -This vulnerability could lead to unauthorised access and data theft. The severity of the impact to the business is dependent on the sensitivity of the data exposed by the service. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/guidance.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/guidance.md deleted file mode 100644 index ee88d9d2..00000000 
--- a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/guidance.md +++ /dev/null @@ -1,5 +0,0 @@ -# Guidance - -Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. - -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/recommendations.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/recommendations.md deleted file mode 100644 index d8378e43..00000000 --- a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/recommendations.md +++ /dev/null @@ -1,3 +0,0 @@ -# recommendation(s) - -Disable support for cipher suite zero on the IPMI device. Enforce the use of strong, unique passwords for all IPMI user accounts. diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/template.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/template.md deleted file mode 100644 index 58122d49..00000000 --- a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_cipher_zero_authentication_bypass/template.md +++ /dev/null 
@@ -1,19 +0,0 @@ -The Intelligent Platform Management Interface (IPMI) on the host was affected by the “Cipher Zero” authentication bypass vulnerability. - -IPMI is used by a server's Baseboard Management Controller (BMC) to provide out-of-band management and monitoring capabilities for remote systems. When IPMI is configured to support cipher suite 0 (aka cipher zero), password requirements can be bypassed to authenticate to the BMC with only a valid username (which can be readily found in vendor documentation detailing default accounts). - -Once access has been obtained, an attacker would gain administrator-level control over the underlying hardware for that system. This may include the ability to remotely power cycle systems, modify BIOS settings, deploy firmware, mount remote media, and access keyboard/video/mouse (KVM) functionality. - -**Business Risk** - -This vulnerability could lead to a malicious user gaining unauthorised hardware-level access to the affected server(s). This access could be abused to compromise the integrity and availability of the vulnerable systems. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/guidance.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/guidance.md deleted file mode 100644 index ee88d9d2..00000000 --- a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/guidance.md +++ /dev/null 
@@ -1,5 +0,0 @@ -# Guidance - -Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. - -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/recommendations.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/recommendations.md deleted file mode 100644 index 7e4ee147..00000000 --- a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/recommendations.md +++ /dev/null @@ -1,3 +0,0 @@ -# recommendation(s) - -This vulnerability stems from an inherent design flaw within the IPMI v2.0 specification itself, and as such there is no patch for remediation. However, strong and unique passwords can be implemented to limit the likelihood of success for off-line dictionary attacks against retrieved hashes. Further mitigations may include implementing access controls or network-level isolation to limit access to IPMI management interfaces. diff --git a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/template.md b/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/template.md deleted file mode 100644 index 17364b83..00000000 --- a/submissions/description/internal_infrastructure/intelligent_platform_management_interface_v2_hash_disclosure/template.md +++ /dev/null 
@@ -1,21 +0,0 @@ -The host supported Intelligent Platform Management Interface (IPMI) version 2.0, which is affected by an information disclosure vulnerability. - -IPMI is used by a server's Baseboard Management Controller (BMC) to provide out-of-band management and monitoring capabilities for remote systems. - -The IPMI 2.0 authentication process requires the server to transmit a salted SHA1 or MD5 hash of the requested user's password to the client prior to authentication occurring. This can be leveraged by an attacker to obtain the password hash for any valid user account on the BMC. - -Once obtained, these password hashes can be subjected to offline brute-force or dictionary attacks to recover the plaintext credentials. Successful recovery of these credentials grants an attacker access to the BMC, which provides control over the underlying hardware for that system and any other systems in the IPMI managed group. This may include the ability to remotely power cycle systems, modify BIOS settings, deploy firmware, mount remote media, and access keyboard/video/mouse (KVM) functionality. - -**Business Risk** - -This vulnerability could lead to a malicious user gaining unauthorised hardware-level access to the affected server(s). This access could be abused to compromise the integrity and availability of the vulnerable systems. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/guidance.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/guidance.md deleted file mode 100644 index ee88d9d2..00000000 --- a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/guidance.md +++ /dev/null 
@@ -1,5 +0,0 @@ -# Guidance - -Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. - -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/recommendations.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/recommendations.md deleted file mode 100644 index 6b6217b2..00000000 --- a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/recommendations.md +++ /dev/null @@ -1,3 +0,0 @@ -# recommendation(s) - -Consult vendor documentation to disable anonymous bind on the LDAP server and ensure that only authenticated users can retrieve sensitive information. diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/template.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/template.md deleted file mode 100644 index 0214ed8d..00000000 --- a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_anonymous_bind_enabled/template.md +++ /dev/null 
@@ -1,21 +0,0 @@ -The Windows Lightweight Directory Access Protocol (LDAP) server allows anonymous binds. - -By default, Microsoft Windows Server 2003 and later versions restrict anonymous LDAP operations, with the exception of rootDSE searches and binds. However, anonymous binds may still be encountered on older implementations, such as Windows 2000-based domain controllers, or in more modern environments where this default security setting has been overridden. - -When anonymous binds are permitted, any user can connect to the directory service and query it for information without providing authentication credentials (i.e., with an empty bind Distinguished Name (DN) and password). The information returned from the LDAP server can include details about users, group memberships, domain-joined devices, password policy, and more. - -This information can be leveraged by an attacker to inform further attacks with the aims of gaining a foothold on the domain. For example, the enumerated details may be used to perform targeted phishing attempts, identify valid users for brute-force password guessing attacks, and map valuable targets for further compromise. - -**Business Risk** - -This vulnerability may lead to indirect financial loss and reputational damage if the information exposed by the service is leveraged in more advanced attacks. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/guidance.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/guidance.md deleted file mode 100644 index ee88d9d2..00000000 --- a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/guidance.md +++ /dev/null 
@@ -1,5 +0,0 @@ -# Guidance - -Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. - -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/recommendations.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/recommendations.md deleted file mode 100644 index b15995d5..00000000 --- a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/recommendations.md +++ /dev/null @@ -1,7 +0,0 @@ -# recommendation(s) - -Configure all LDAP servers and clients within the environment to require and enforce LDAP signing. This will ensure the integrity of LDAP communication and protect against tampering and NTLM relay attacks. - -For LDAP signing to be enforced, this requirement must be configured on both the domain controllers and clients. If the server requires signing but the client does not support signing, the session will be terminated by the server. On a domain controller LDAP signing is managed using the policy setting Domain controller: LDAP signing requirements. On a Windows LDAP client the signing is managed by the policy setting Network security: LDAP client signing requirements. - -After enforcing LDAP signing on the server, clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL/TLS connection stop working. 
diff --git a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/template.md b/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/template.md deleted file mode 100644 index 55f22f6a..00000000 --- a/submissions/description/internal_infrastructure/lightweight_directory_access_protocol_signing_not_enforced/template.md +++ /dev/null @@ -1,19 +0,0 @@ -The Windows Lightweight Directory Access Protocol (LDAP) server did not require signing. - -LDAP signing is a security feature of the Simple Authentication and Security Layer (SASL) that ensures the integrity of LDAP communication by requiring messages to be digitally signed. This provides authenticity and integrity verification, by validating the identity of the requestor and ensuring that LDAP messages have not been altered in transit. - -Unsigned network traffic is susceptible to man-in-the-middle (MITM) and replay attacks. In such attacks, a client’s messages are intercepted by the attacker and relayed to the LDAP server, effectively allowing the attacker to perform actions on the LDAP server on behalf of the impersonated client. - -**Business Risk** - -When signing is not enforced, the integrity and authenticity of messages in transit across the network can be compromised. This can be abused by attackers to compromise user accounts and services within the domain, leading to unauthorized access, data theft, and potentially service disruption. These malicious actions could result in reputational damage for the business through the impact to customers’ trust. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} 
diff --git a/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/guidance.md b/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/guidance.md deleted file mode 100644 index ee88d9d2..00000000 --- a/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/guidance.md +++ /dev/null @@ -1,5 +0,0 @@ -# Guidance - -Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. - -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/recommendations.md b/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/recommendations.md deleted file mode 100644 index e3f0772d..00000000 --- a/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/recommendations.md +++ /dev/null @@ -1,3 +0,0 @@ -# recommendation(s) - -Reconfigure the server to require Network Level Authentication (NLA). Note that once enforced, only client computers that support NLA can connect to the RDP server. diff --git a/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/template.md b/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/template.md deleted file mode 100644 index 2ca98830..00000000 
--- a/submissions/description/internal_infrastructure/remote_desktop_service_does_not_require_network_level_authentication/template.md +++ /dev/null @@ -1,17 +0,0 @@ -The Remote Desktop Protocol (RDP) server was not configured to use Network Level Authentication (NLA) only. - -Network level authentication is a security feature of Microsoft’s remote desktop protocol that requires users to authenticate before a session can be established with the remote device. Unlike traditional RDP connections, where the login screen is loaded before authentication, NLA ensures that credentials are validated prior to initiating the connection. This is a more secure authentication method which offers protection against Denial of Service (DoS) attacks which abuse unauthenticated requests to consume server resources, alongside reducing the risk of exposure to various threats that exploit the initial connection phase. - -**Business Risk** - -This vulnerability increases the service's exposure to attacks, including consumption of server resources, which may result in downtime for the affected host. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} diff --git a/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/guidance.md b/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/guidance.md deleted file mode 100644 index ee88d9d2..00000000 --- a/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/guidance.md +++ /dev/null 
@@ -1,5 +0,0 @@ -# Guidance - -Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. - -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/recommendations.md b/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/recommendations.md deleted file mode 100644 index e8dc24d2..00000000 --- a/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/recommendations.md +++ /dev/null @@ -1,5 +0,0 @@ -# recommendation(s) - -Implement strict access controls on all NFS shares, ensuring that only explicitly authorized IP addresses and hosts can mount them. Regularly audit NFS export configurations and file system permissions to prevent inadvertent exposure of sensitive data. Apply additional security features such as root_squash to prevent remote root users from having root privileges on the NFS share, nosuid to prevent set-user-ID or set-group-ID bits from taking effect, and noexec to prevent the execution of binaries on the mounted file system. - -If possible, consider employing NFSv4 with Kerberos for robust authentication and encryption, if available and compatible with your environment. diff --git a/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/template.md b/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/template.md deleted file mode 100644 index 211e9030..00000000 --- a/submissions/description/internal_infrastructure/sensitive_data_exposed_in_nfs_shares/template.md +++ /dev/null 
@@ -1,19 +0,0 @@ -Sensitive data was discovered to be accessible without authentication from mountable NFS (Network File System) shares. - -NFS (Network File System) allows a server to share directories and files which can be mounted on client machines over the network. NFS Versions 2 and 3 do not support modern authentication standards. Instead, access controls are configured at the host and user level, with defined hostnames (or IP addresses) and specific usernames permitted to mount the shares without providing a password. The most lenient configuration permits any user from any host in the network to mount the available shares. - -When an NFS export is configured overly permissively (e.g., world-readable or accessible to broad IP ranges), any system on the network capable of mounting the share can access its contents without explicit user authentication. This places the files exposed by the NFS share at risk of unauthorised access by an attacker situated in the local network. These files may include sensitive data such as SSH keys, backups, or configuration files. If write access is enabled, an attacker may also make malicious modifications to the share, including actions such as overwriting configuration files or planting malicious executables in efforts to compromise networked systems. - -**Business Risk** - -This vulnerability can lead to data theft and modification and potentially the compromise of additional services or systems in the network. The severity of the impact to the business is dependent on the permissions available to an attacker and the sensitivity of the data exposed by the service. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} 
diff --git a/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/guidance.md b/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/guidance.md deleted file mode 100644 index ee88d9d2..00000000 --- a/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/guidance.md +++ /dev/null @@ -1,5 +0,0 @@ -# Guidance - -Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. - -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/recommendations.md b/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/recommendations.md deleted file mode 100644 index f44a05bb..00000000 --- a/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/recommendations.md +++ /dev/null @@ -1,3 +0,0 @@ -# recommendation(s) - -Enable and enforce SMB signing on all relevant hosts within the network. This will ensure the authenticity and integrity of SMB communications, protecting against tampering and relay attacks. diff --git a/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/template.md b/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/template.md deleted file mode 100644 index 47e6bd33..00000000 --- a/submissions/description/internal_infrastructure/server_messaging_block_signing_not_required/template.md +++ /dev/null 
@@ -1,19 +0,0 @@ -Signing was not required on the Server Messaging Block (SMB) server. - -SMB signing is a security mechanism which ensures that every SMB message contains a cryptographic signature which incorporates a hash of the entire SMB message, alongside the original sender and intended recipient. If the message is tampered with, the hash verification will fail. In turn, this allows the recipient of the SMB traffic to confirm the authenticity and integrity of the data. - -An unauthenticated attacker can exploit a lack of SMB signing to conduct man-in-the-middle and relay attacks against the SMB server. - -**Business Risk** - -When signing is not enforced, the integrity and authenticity of messages in transit across the network can be compromised. This can be abused by attackers to compromise user accounts and services within the domain, leading to unauthorized access, data theft, and potentially service disruption. These malicious actions could result in reputational damage for the business through the impact to customers’ trust. - -**Steps to Reproduce** - - - -**Proof of Concept (PoC)** - -The screenshot(s) below demonstrate(s) the vulnerability: -> -> {{screenshot}} diff --git a/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/guidance.md b/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/guidance.md deleted file mode 100644 index ee88d9d2..00000000 --- a/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/guidance.md +++ /dev/null 
@@ -1,5 +0,0 @@ -# Guidance - -Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. - -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/recommendations.md b/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/recommendations.md deleted file mode 100644 index 98231123..00000000 --- a/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/recommendations.md +++ /dev/null @@ -1,3 +0,0 @@ -# recommendation(s) - -Disable the commands VRFY, RCPT and EXPN in the SMTP server configuration. If this functionality is required, ensure it is only available to authenticated users. diff --git a/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/template.md b/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/template.md deleted file mode 100644 index e24c2387..00000000 --- a/submissions/description/internal_infrastructure/simple_mail_transfer_protocol_user_enumeration/template.md +++ /dev/null 
@@ -1,17 +0,0 @@
-The Simple Mail Transfer Protocol (SMTP) server allowed unauthenticated users to enumerate valid users on the host.
-
-When connected to a mail server, common mail commands including EXPN, VRFY and RCPT TO can be used to infer the presence of valid users based on the responses returned by the server. When this functionality is available without authentication, it can be abused by an unauthenticated attacker to identify valid accounts on the system and leverage the discovered users in brute-force password guessing attacks.
-
-**Business Risk**
-
-This vulnerability may lead to indirect financial loss and reputational damage if an attacker is able to chain this vulnerability with another to achieve user account compromise and data exfiltration.
-
-**Steps to Reproduce**
-
-
-
-**Proof of Concept (PoC)**
-
-The screenshot(s) below demonstrate(s) the vulnerability:
->
-> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/guidance.md b/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/guidance.md
deleted file mode 100644
index ee88d9d2..00000000
--- a/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/guidance.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Guidance
-
-Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
-
-Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/recommendations.md b/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/recommendations.md
deleted file mode 100644
index 01f4ec0f..00000000
--- a/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/recommendations.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# recommendation(s)
-
-If possible, upgrade insecure SNMP versions (v1/2c) to SNMPv3, which provides more advanced security mechanisms, including encryption and password-based authentication.
-
-If it is not possible to upgrade the SNMP version, change all default community strings to suitably long, complex and unique values.
diff --git a/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/template.md b/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/template.md
deleted file mode 100644
index e0874dc4..00000000
--- a/submissions/description/internal_infrastructure/simple_network_management_protocol_default_community_strings/template.md
+++ /dev/null
@@ -1,21 +0,0 @@
-The Simple Network Management Protocol (SNMP) server could be accessed using a default community string.
-
-SNMP provides monitoring capabilities to collect and poll information about devices (referred to as ‘agents’) on the network. In SNMP version 1 and 2c, access is commonly configured with default community strings to provide read-only and read-write access.
-
-If default community strings have not been updated to complex and secure values, an attacker located within the internal network could abuse this access to enumerate sensitive network configuration information. This may include; running processes, installed software, system info, hostnames, users, shares, services, listening ports, and any stored credentials.
-
-If write access is gained, an attacker could also modify configuration information. For example, it may be possible to change routing information, shutdown network interfaces, reboot systems, reset device passwords and more. In some cases, write access can also lead to remote code execution.
-
-**Business Risk**
-
-This vulnerability may lead to indirect financial loss and reputational damage if the information exposed by the service is leveraged in more advanced attacks or modified to compromise the system.
-
-**Steps to Reproduce**
-
-
-
-**Proof of Concept (PoC)**
-
-The screenshot(s) below demonstrate(s) the vulnerability:
->
-> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/guidance.md b/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/guidance.md
deleted file mode 100644
index ee88d9d2..00000000
--- a/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/guidance.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Guidance
-
-Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
-
-Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/recommendations.md b/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/recommendations.md
deleted file mode 100644
index 71d0af85..00000000
--- a/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/recommendations.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# recommendation(s)
-
-Disable password-based authentication for SSH and enforce the use of public-key authentication. Disable direct root login via SSH; instead, use a non-privileged user and then sudo to root if necessary. Furthermore, consider setting a strong password on the authentication keys and the use of multi-factor authentication where possible.
diff --git a/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/template.md b/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/template.md
deleted file mode 100644
index afcd9bb4..00000000
--- a/submissions/description/internal_infrastructure/ssh_server_password_authentication_supported/template.md
+++ /dev/null
@@ -1,17 +0,0 @@
-The SSH (Secure Shell) server was configured to accept password authentication and direct login by the root user.
-
-Password-based authentication is susceptible to brute-force attacks, especially when weak passwords are in use. This increases the likelihood of an attacker gaining unauthorised access to the host. Furthermore, if a brute-force attack is successful against the root user, this would grant the attacker administrator privileges over the vulnerable system.
-
-**Business Risk**
-
-Allowing weaker authentication mechanisms may lead to the system being compromised in the event that a brute-force password guessing attack is successful. Malicious actions such as data exfiltration, modification and service disruption from the compromised host may result in financial loss and reputation damage.
-
-**Steps to Reproduce**
-
-
-
-**Proof of Concept (PoC)**
-
-The screenshot(s) below demonstrate(s) the vulnerability:
->
-> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/guidance.md b/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/guidance.md
deleted file mode 100644
index ee88d9d2..00000000
--- a/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/guidance.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Guidance
-
-Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
-
-Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/recommendations.md b/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/recommendations.md
deleted file mode 100644
index 5a8dc4b5..00000000
--- a/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/recommendations.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# recommendation(s)
-
-Configure SSH servers to use only strong and modern key-exchange, host-key, encryption, and MAC algorithms. Disable all deprecated and insecure algorithms. Regularly review and update the allowed algorithms based on current security best practices.
diff --git a/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/template.md b/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/template.md
deleted file mode 100644
index 225d29fe..00000000
--- a/submissions/description/internal_infrastructure/ssh_server_weak_cipher_suites_supported/template.md
+++ /dev/null
@@ -1,17 +0,0 @@
-The SSH (Secure Shell) server supported key-exchange, host-key, encryption, or message authentication code (MAC) algorithms that are considered insecure.
-
-The use of these weak algorithms makes SSH communication vulnerable to various cryptographic attacks, potentially allowing attackers to decrypt sensitive data or tamper with communications.
-
-**Business Risk**
-
-This vulnerability negatively impacts the confidentiality and integrity of data. The severity of the impact to the business is dependent on the sensitivity of the data being stored and transmitted by the service.
-
-**Steps to Reproduce**
-
-
-
-**Proof of Concept (PoC)**
-
-The screenshot(s) below demonstrate(s) the vulnerability:
->
-> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/guidance.md b/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/guidance.md
deleted file mode 100644
index ee88d9d2..00000000
--- a/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/guidance.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Guidance
-
-Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
-
-Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/recommendations.md b/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/recommendations.md
deleted file mode 100644
index 7ec27943..00000000
--- a/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/recommendations.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# recommendation(s)
-
-Disable the "None" authentication method on the VNC servers. Configure VNC servers to enforce strong authentication, ideally using a robust password or, where supported and feasible, integrate with existing authentication mechanisms like user accounts or multi-factor authentication. Restrict VNC access to authorized personnel and specific IP addresses or subnets through firewall rules and network segmentation. Regularly update VNC server software to the latest patched version to address any known vulnerabilities.
diff --git a/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/template.md b/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/template.md
deleted file mode 100644
index 24119e45..00000000
--- a/submissions/description/internal_infrastructure/virtual_network_computing_sever_accessible_without_password/template.md
+++ /dev/null
@@ -1,17 +0,0 @@
-The Virtual Network Computing (VNC) server had the "None" authentication method enabled. This configuration permits any client to connect to the VNC server and gain full graphical access to the remote desktop without requiring a valid password.
-
-An attacker situated in the local network may abuse this access to execute arbitrary commands on the host, install malicious software, read or exfiltrate sensitive data without leaving an authentication footprint, and leverage the system as a foothold from which target other internal network resources and/or pivot within the estate.
-
-**Business Risk**
-
-This vulnerability could lead to unauthorised system access, theft and manipulation of sensitive data. Such incidents can impact the organisation's operational security, result in financial losses, and damage the organisation's reputation, especially if customer data or critical business operations are compromised.
-
-**Steps to Reproduce**
-
-
-
-**Proof of Concept (PoC)**
-
-The screenshot(s) below demonstrate(s) the vulnerability:
->
-> {{screenshot}}
diff --git a/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/guidance.md b/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/guidance.md
deleted file mode 100644
index ee88d9d2..00000000
--- a/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/guidance.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Guidance
-
-Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
-
-Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/recommendations.md b/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/recommendations.md
deleted file mode 100644
index ad9a2193..00000000
--- a/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/recommendations.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# recommendation(s)
-
-Disable unauthenticated access to X11 servers. Configure X11 to use secure authentication methods, or ideally, tunnel X11 connections over SSH using SSH X11 forwarding. Restrict X11 access to authorized users and IP addresses through proper configuration and firewall rules.
diff --git a/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/template.md b/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/template.md
deleted file mode 100644
index cbabcb1e..00000000
--- a/submissions/description/internal_infrastructure/x11_server_accessible_without_authentication/template.md
+++ /dev/null
@@ -1,17 +0,0 @@
-An X11 (X Windows) server was accessible without requiring authentication. This configuration, often referred to as "Open" access, allows any client on the network to connect to the X server and interact with the graphical display environment.
-
-An attacker with network access can leverage this configuration to perform various malicious actions, including: capturing screenshots of the graphical display, logging keystrokes, and executing arbitrary commands on the system in the context of the user running the X server.
-
-**Business Risk**
-
-This vulnerability could lead to unauthorised system access, theft and manipulation of sensitive data. Such incidents can impact the organisation's operational security, result in financial losses, and damage the organisation's reputation, especially if customer data or critical business operations are compromised.
-
-**Steps to Reproduce**
-
-
-
-**Proof of Concept (PoC)**
-
-The screenshot(s) below demonstrate(s) the vulnerability:
->
-> {{screenshot}}
From 149d641572a842fa317cde3377c210c3d92343d4 Mon Sep 17 00:00:00 2001
From: RRudder <96507400+RRudder@users.noreply.github.com>
Date: Wed, 1 Apr 2026 10:37:06 +1000
Subject: [PATCH 4/4] Fixing linter errors
---
 .../description/active_directory/kerberos_abuse/template.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/submissions/description/active_directory/kerberos_abuse/template.md b/submissions/description/active_directory/kerberos_abuse/template.md
index 5c554291..ca5ff02a 100644
--- a/submissions/description/active_directory/kerberos_abuse/template.md
+++ b/submissions/description/active_directory/kerberos_abuse/template.md
@@ -1,4 +1,4 @@ -Kerberos is the default authentication protocol in Active Directory environments. Misconfigurations such as unconstrained delegation, weak service account passwords with registered SPNs, and disabled preauthentication each provide a distinct attack path. An attacker can exploit these weaknesses to extract Ticket Granting Tickets from delegated servers, crack service ticket encryption offline to recover service account passwords, or request AS-REP hashes for accounts without preauthentication. +Kerberos is the default authentication protocol in Active Directory environments. Misconfigurations such as unconstrained delegation, weak service account passwords with registered SPNs, and disabled pre-authentication each provide a distinct attack path. An attacker can exploit these weaknesses to extract Ticket Granting Tickets from delegated servers, crack service ticket encryption offline to recover service account passwords, or request AS-REP hashes for accounts without pre-authentication. **Business Risk** @@ -6,7 +6,9 @@ Kerberos abuse can result in credential theft, privilege escalation, and full do **Steps to Reproduce** - +1. Enumerate the Kerberos misconfiguration in {{domain_name}} using {{enumeration_tool}} against {{domain_controller}} +1. Identify the target account or system at {{target}} with {{kerberos_weakness}} +1. Exploit the identified weakness using {{exploitation_tool}} to obtain {{ticket_or_hash}} **Proof of Concept (PoC)**