⚙️From COM Object Fundamentals To UAC Bypasses

A 25-minute crash course covering Tokens, Privileges, UAC, COM, and ultimately bypassing UAC.

🔗Research:
https://www.youtube.com/watch?v=481SI_HWlLs

🔗Source:
https://github.com/tijme/conferences/tree/master/2024-09%20OrangeCon/code

#windows #com #uac #bypass

🍪 GlobalUnProtect

PoC tool for decrypting and collecting GlobalProtect configuration, cookies, and HIP files from windows client installations.

🔗 Research:
https://rotarydrone.medium.com/decrypting-and-replaying-vpn-cookies-4a1d8fc7773e

🔗 Source:
https://github.com/rotarydrone/GlobalUnProtect

#paloalto #globalprotect #cookie #vpn

👻 Ghost in the PPL Part 3: LSASS Memory Dump

In the third part of the series, the author explores methods for dumping the memory of LSASS, including indirectly calling MiniDumpWriteDump, loading arbitrary DLLs into LSASS via the WinSock2 Autodial feature, and dynamically resolving addresses.

🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-3/

#lsa #lsass #ppl #dll #maldev

😈 [ Aleem Ladha @LadhaAleem ]

I've fully automated the lab used for @_leHACK_ Active Directory 2024 workshop done by @mpgn_x64 and it's available for everyone ! 🔥
Also big kudos to @M4yFly for the playbooks and NetExec dev teams for this awesome tool !
Hope you enjoy, more to come

🔗 https://github.com/Pennyw0rth/NetExec-Lab

🐥 [ tweet ]

🔑 Three-Headed Potato Dog: NTLM and Kerberos Coercion

New research demonstrates how DCOM can coerce Windows systems to authenticate remotely, allowing attackers to relay NTLM or Kerberos authentication to AD CS over HTTP. This enables remote and cross-session authentication relay attacks, targeting both machine and user accounts.

🔗 Research:
https://blog.compass-security.com/2024/09/three-headed-potato-dog/

🔗 Source:
https://github.com/sploutchy/impacket/blob/potato/examples/potato.py

#ad #windows #dcom #relay #potato

Эксплуатация ядерных уязвимостей - довольно рискованное дело, особенно когда нет уверенности, что эксплойт отработает корректно.
@hummelchen0 специально для нашего сообщества разобрал вопрос применения таких эксплойтов в статье (https://hummelchen.gitbook.io/linux_lpe) "Ядерные LPE в Linux на практике". В ней вы сможете узнать, как на своей системе протестировать ядерный сплойт для практически любого ядра Linux и автоматизировать такие проверки для самых популярных дистрибутивов.

📜 DGPOEdit

Disconnected GPO Editor - A Group Policy Manager launcher to allow editing of domain GPOs from non-domain joined machines

🔗 Source:
https://github.com/CCob/DGPOEdit

#ad #windows #gpo #policy

Yeehaw! In TrustedSec new blog post, CSO & VP of Consulting Services Martin Bos highlights some new command line interface (CLI) tools so you can navigate your workflow like a console cowboy 🤠 Read it now!

https://trustedsec.com/blog/console-cowboys-navigating-the-modern-terminal-frontier

Table of contents:
1. tldr
2. cheat
3. bat
4. lsd
5. Atuin
5. Delta
6. Fastfetch
7. bottom
8. zoxide
9. fd
10. ripgrep
11. Broot
12. fzf
13. gping
14. procs
15. HTTPie
16. dust
17. speedtest-cli
18. Putting it all together

🔐 Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation

This article explains how attackers use malware virtualization, custom virtual machines, code obfuscation, and polymorphic packers to evade detection by EDR systems, allowing Red Teams to remain undetected in secure environments.

🔗 Source:
https://blog.fox-it.com/2024/09/25/red-teaming-in-the-age-of-edr-evasion-of-endpoint-detection-through-malware-virtualisation/

#edr #evasion #virtualization #obfuscation #redteam

ATTACKING UNIX SYSTEMS VIA CUPS, PART I

👤 by Simone Margaritelli

A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).

Entry Points
• WAN / public internet: a remote attacker sends an UDP packet to port 631. No authentication whatsoever.
• LAN: a local attacker can spoof zeroconf / mDNS / DNS-SD advertisements and achieve the same code path leading to RCE.

RCE chain
• Force the target machine to connect back to our malicious IPP server.
• Return an IPP attribute string that will inject controlled PPD directives to the temporary file.
• Wait for a print job to be sent to our fake printer for the PPD directives, and therefore the command, to be executed.


📝 Contents:
● Summary
● Intro
● What is cups-browsed?
● Stack Buffer Overflows and Race Conditions
● Back to found_cups_printer
● Internet Printing Protocol
● PostScript Printer Description
● The problematic child: foomatic-rip
● Remote Command Execution chain
● Personal Considerations
● One More Thing


https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

🚀 Elevating Privileges in Windows via Activation Cache Poisoning

A deep dive into CVE-2024-6769, which leverages two chained bugs to escalate privileges from medium to high integrity. The first stage involves remapping the root drive, followed by a DLL hijacking exploit. The second stage poisons the Activation Cache through the CSRSS process to gain full administrator access.

🔗 Research:
https://www.coresecurity.com/core-labs/articles/cve-2024-6769-poisoning-activation-cache-elevate-medium-high-integrity

🔗 Source:
https://github.com/fortra/CVE-2024-6769

#windows #privesc #dll #hijacking

Underconf

Конференция получилась просто огонь! Полезные доклады, превосходные спикеры и невероятная атмосфера. Отдельный респект за ностальгическую игровую зону, которая вернула в прошлое, и трек Pentest AD.

Особая благодарность ISTINA lounge за уют и потрясающие чаи ❤️
«12 мундштуков из 10!»

Спасибо организаторам за крутой эвент! 🔥

CVE-2024-26808 Linux kernel Netfilter Use-After-Free leads to LPE

CVE-2024-26808 is a use-after-free vulnerability within the Linux Kernel Netfilter, a powerful framework integral to the Linux networking stack. Netfilter provides essential networking operations such as packet filtering, network address translation (NAT), and port forwarding. The flaw arises from improper handling of network packet processing, leading to the potential for unauthorized memory access.

Writeup: https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2024-26808_cos/docs/exploit.md

📖 Тем временем в NetExec (nxc) подвезли поддержку протокола NFS.
Из функций сейчас доступен энум файловых шар (права и файлы рекурсивно), погрузка и разгрузка файлов.


Базовый энум

NetExec nfs IP --shares

Рекурсивный энум

NetExec nfs IP --enum-shares

Забираем файл

NetExec nfs IP --get-file /home/user/Desktop/test/lolkekpohek.txt lolkekpohek.txt

Заливаем файл

NetExec nfs IP --put-file lolkekpohek.txt /home/user/Desktop/

🔗 Где почитать подробнее:
Энум
https://www.netexec.wiki/nfs-protocol/enumeration

Льем/качаем файлы
https://www.netexec.wiki/nfs-protocol/download-and-upload-files

Исходники
https://github.com/Pennyw0rth/NetExec/tree/main/nxc/protocols/nfs

CVE-2024-9465: Palo Alto Expedition Unauthenticated SQL Injection

Firing up the SQLMAP tool, and supplying it the endpoint and parameter to inject and table to dump, it successfully dumps the entire users table:

python3 sqlmap.py -u "https://10.0.40.64/bin/configurations/parsers/Checkpoint/CHECKPOINT.php?action=im port&type=test&project=pandbRBAC&signatureid=1" -p signatureid -T users --dump

CVE-2024-5910: Expedition: Missing Authentication Leads to Admin Account Takeover for attackers with network access

curl -k 'https://10.0.40.64/0S/startup/restore/restoreAdmin.php'

CVE-2024-9464: Palo Alto Expedition Authenticated Command Injection Exploit

CVE-2024-9466: Cleartext Credentials in Logs

/home/userSpace/devices/debug.txt

This world-readable file contained the raw request logs of the Expedition server when it exchanged cleartext credentials for API keys in the device integration process. The Expedition server only stores the API keys, and is not supposed to retain the cleartext credentials, but this log file showed all the credentials used in cleartext. This issue was reported and assigned CVE-2024-9466.

Blog: https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/

Shodan dork:

html:"Expedition Project"