💥 Shellcode Mutator
New tool to help red teamers avoid detection. Shellcode is a small piece of code that is typically used as the payload in an exploit, and can often be detected by its “signature”, or unique pattern. Shellcode Mutator mutates exploit source code without affecting its functionality, changing its signature and making it harder to reliably detect as malicious.
Research:
https://labs.nettitude.com/blog/shellcode-source-mutations/
Source:
https://github.com/nettitude/ShellcodeMutator
#shellcode #mutator #nasm #redteam
New tool to help red teamers avoid detection. Shellcode is a small piece of code that is typically used as the payload in an exploit, and can often be detected by its “signature”, or unique pattern. Shellcode Mutator mutates exploit source code without affecting its functionality, changing its signature and making it harder to reliably detect as malicious.
Research:
https://labs.nettitude.com/blog/shellcode-source-mutations/
Source:
https://github.com/nettitude/ShellcodeMutator
#shellcode #mutator #nasm #redteam
🔥5👍1
👾 Windows Drivers Reverse Engineering Methodology
This blog post details a methodology for reverse engineering and finding vulnerable code paths in Windows drivers.
Including a guide for setting up a lab for (the pesky) kernel debugging.
https://voidsec.com/windows-drivers-reverse-engineering-methodology/
#reverse #driver #analysis
This blog post details a methodology for reverse engineering and finding vulnerable code paths in Windows drivers.
Including a guide for setting up a lab for (the pesky) kernel debugging.
https://voidsec.com/windows-drivers-reverse-engineering-methodology/
#reverse #driver #analysis
🔥6👍4
🎲 PowerShell Obfuscation
A simple and effective powershell obfuscaiton tool bypass Anti-Virus and AMSI-bypass + ETW-block.
https://github.com/H4de5-7/powershell-obfuscation
#powershell #obfuscation #amsi #etw #bypass
A simple and effective powershell obfuscaiton tool bypass Anti-Virus and AMSI-bypass + ETW-block.
https://github.com/H4de5-7/powershell-obfuscation
#powershell #obfuscation #amsi #etw #bypass
❤7👍4👎2
🔑 Pass-the-Challenge
This blog post introduces new techniques for recovering the NTLM hash from an encrypted credential protected by Windows Defender Credential Guard. While previous techniques for bypassing Credential Guard focus on attackers targeting new victims who log into a compromised server, these new techniques can also be applied to victims logged on before the server was compromised.
Research:
https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22
Source:
https://github.com/ly4k/PassTheChallenge
#ad #windows #ntlm #challenge
This blog post introduces new techniques for recovering the NTLM hash from an encrypted credential protected by Windows Defender Credential Guard. While previous techniques for bypassing Credential Guard focus on attackers targeting new victims who log into a compromised server, these new techniques can also be applied to victims logged on before the server was compromised.
Research:
https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22
Source:
https://github.com/ly4k/PassTheChallenge
#ad #windows #ntlm #challenge
👍6👎1
Forwarded from Offensive Xwitter
👹 [ snovvcrash, sn🥶vvcr💥sh ]
Rewritten #DirtyVanity PoC injector to C# and #DInvoke. Great stuff @eliran_nissan!
https://t.co/ifQLPMSFpb
Happy upcoming New Year to everyone! 🎄
🔗 https://gist.github.com/snovvcrash/09deab831d49028e194e8ee83f2616a9
🐥 [ tweet ][ quote ]
Rewritten #DirtyVanity PoC injector to C# and #DInvoke. Great stuff @eliran_nissan!
https://t.co/ifQLPMSFpb
Happy upcoming New Year to everyone! 🎄
🔗 https://gist.github.com/snovvcrash/09deab831d49028e194e8ee83f2616a9
🐥 [ tweet ][ quote ]
👍3👎2
✨ Happy New Year!
Happy holiday to you, dear friends and subscribers of my channel!
This year has brought a lot of trouble and a lot of joyful moments. In the new year, I wish you more vulnerabilities found, interesting research and all the best.
Thank you for all the support, feedback, and messages this year!
Love you all ♥️
Happy holiday to you, dear friends and subscribers of my channel!
This year has brought a lot of trouble and a lot of joyful moments. In the new year, I wish you more vulnerabilities found, interesting research and all the best.
Thank you for all the support, feedback, and messages this year!
Love you all ♥️
❤18👍2🎉2👎1
😈 Microsoft Exchange: OWASSRF + TabShell
(CVE-2022-41076)
The TabShell vulnerability its a form of Privilege Escalation which allows breaking out of the restricted Powershell Sandbox after you have successfully gained access through OWASSRF.
For a detailed write see research:
https://blog.viettelcybersecurity.com/tabshell-owassrf/
PoC:
https://gist.github.com/testanull/518871a2e2057caa2bc9c6ae6634103e
#owa #ssrf #tabshell #poc
(CVE-2022-41076)
The TabShell vulnerability its a form of Privilege Escalation which allows breaking out of the restricted Powershell Sandbox after you have successfully gained access through OWASSRF.
For a detailed write see research:
https://blog.viettelcybersecurity.com/tabshell-owassrf/
PoC:
https://gist.github.com/testanull/518871a2e2057caa2bc9c6ae6634103e
#owa #ssrf #tabshell #poc
YouTube
Exchange TabShell RCE PoC (CVE-2022-41076)
Copy paste PoC from VCS blog: https://blog.viettelcybersecurity.com/tabshell-owassrf/
🔥9👍2👎1
Forwarded from 1N73LL1G3NC3
Inline-Execute-PE
Is a CobaltStrike toolkit enabling users to load and repeatedly run unmanaged Windows exe’s in Beacon memory without dropping to disk or creating a new process each time.
Is a CobaltStrike toolkit enabling users to load and repeatedly run unmanaged Windows exe’s in Beacon memory without dropping to disk or creating a new process each time.
👍6🔥4👎1
⚙️ Meterpreter BOFLoader
In this guide, you'll learn how the new BOFLoader extension allows BOFs to be used from a Meterpreter session. Discover new attacks made possible in Meterpreter and avoid common errors.
https://www.trustedsec.com/blog/operators-guide-to-the-meterpreter-bofloader
#msf #meterpreter #bof #loader
In this guide, you'll learn how the new BOFLoader extension allows BOFs to be used from a Meterpreter session. Discover new attacks made possible in Meterpreter and avoid common errors.
https://www.trustedsec.com/blog/operators-guide-to-the-meterpreter-bofloader
#msf #meterpreter #bof #loader
👍8👎1
Forwarded from Offensive Xwitter
😈 [ 0x0SojalSec, Md Ismail Šojal ]
The shortest payload for a tiny php reverse shell written in 19 bytes using only non-alphanumeric characters. Hex values inside ⛶ indicate raw bytes.
This will help to bypass WAF and execute PHP reverse shell for RCE.
get more detail about this👇
🔗 https://gist.github.com/0xSojalSec/5bee09c7035985ddc13fddb16f191075
#bugbountyTips #bugbounty
🐥 [ tweet ]
The shortest payload for a tiny php reverse shell written in 19 bytes using only non-alphanumeric characters. Hex values inside ⛶ indicate raw bytes.
This will help to bypass WAF and execute PHP reverse shell for RCE.
get more detail about this👇
🔗 https://gist.github.com/0xSojalSec/5bee09c7035985ddc13fddb16f191075
#bugbountyTips #bugbounty
🐥 [ tweet ]
❤5👍3👎1
⭐️ Privileger
Privilger allows you to work with privileges in Windows as easily as possible. There are three modes:
— Add privileges to an account;
— Start a process by adding a specific privilege to its token;
— Remove privilege from the user.
Thanks to:
@Michaelzhm
https://github.com/MzHmO/Privileger
#ad #windows #privilege #lsa
Privilger allows you to work with privileges in Windows as easily as possible. There are three modes:
— Add privileges to an account;
— Start a process by adding a specific privilege to its token;
— Remove privilege from the user.
Thanks to:
@Michaelzhm
https://github.com/MzHmO/Privileger
#ad #windows #privilege #lsa
🔥6👍1👎1
Forwarded from 1N73LL1G3NC3
certsync
certsync is a new technique in order to dump NTDS remotely, but this time without DRSUAPI: it uses golden certificate and UnPAC the hash. It works in several steps:
1) Dump user list, CA informations and CRL from LDAP
2) Dump CA certificate and private key
3) Forge offline a certificate for every user
4) UnPAC the hash for every user in order to get nt and lm hashes
certsync is a new technique in order to dump NTDS remotely, but this time without DRSUAPI: it uses golden certificate and UnPAC the hash. It works in several steps:
1) Dump user list, CA informations and CRL from LDAP
2) Dump CA certificate and private key
3) Forge offline a certificate for every user
4) UnPAC the hash for every user in order to get nt and lm hashes
👍6
Forwarded from Offensive Xwitter
Псс, гайс, слышали об уязвимости CVE-2022-48109? Вот и я нет до сегодняшнего дня, а ведь это CVE ID моего инфосек-братишки @Acrono! Хочу первым поздравить Пашу с потерей цвйешной девственности – ура-ура! Ждем от него покорения новых вершин на поприще киберсесурити 💪🏻
Следите за каналом @APT_Notes, чтобы узнать подробности 😉
Следите за каналом @APT_Notes, чтобы узнать подробности 😉
🔥21❤3
Forwarded from Ralf Hacker Channel (Ralf Hacker)
И ещё одна новая картошка! RasMan service for privilege escalation
https://github.com/crisprss/RasmanPotato
#git #lpe #soft #pentest #redteam
https://github.com/crisprss/RasmanPotato
#git #lpe #soft #pentest #redteam
GitHub
GitHub - crisprss/RasmanPotato: Abuse Impersonate Privilege from Service to SYSTEM like other potatoes do
Abuse Impersonate Privilege from Service to SYSTEM like other potatoes do - crisprss/RasmanPotato
This media is not supported in your browser
VIEW IN TELEGRAM
🔧 Windows LPE via StorSvc Service
StorSvc is a service which runs as
PoC:
https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
#windows #lpe #storsvc #service
StorSvc is a service which runs as
NT AUTHORITY\SYSTEM and tries to load the missing SprintCSP.dll DLL when triggering the SvcRebootToFlashingMode RPC method locally.PoC:
https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
#windows #lpe #storsvc #service
🔥5👍1
⚙️ Joomla Web Service Endpoint Access (CVE-2023-23752)
An issue was discovered in Joomla 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
PoC:
https://unsafe.sh/go-149780.html
Nuclei Template:
https://github.com/thecyberneh/nuclei-templatess/blob/main/cves/2023/CVE-2023-23752.yaml
#joomla #endpoint #access #cve
An issue was discovered in Joomla 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
PoC:
httpx -l targets.txt -sc -ct -ip -path '/api/index.php/v1/config/application?public=true'Research:
https://unsafe.sh/go-149780.html
Nuclei Template:
https://github.com/thecyberneh/nuclei-templatess/blob/main/cves/2023/CVE-2023-23752.yaml
#joomla #endpoint #access #cve
👍9
🧪 NtQueueApcThreadEx — NTDLL Gadget Injection
This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.
Source:
https://github.com/LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection
#apc #ntdll #injection #clang #redteam
This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.
Source:
https://github.com/LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection
#apc #ntdll #injection #clang #redteam
🔥5👍1
💥 Fortinet FortiNAC Unauthenticated RCE
On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.
PoC:
https://github.com/horizon3ai/CVE-2022-39952
Research:
https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
#fortinet #fortinac #rce #cve
On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.
PoC:
https://github.com/horizon3ai/CVE-2022-39952
Research:
https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
#fortinet #fortinac #rce #cve
🔥4👍2❤1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Это реально круто!
Вкратце: позволяет записывать файлы, созданные маяком кобальта (на примере кобальта), в память, а не на диск в системе.
https://github.com/Octoberfest7/MemFiles
#redteam #pentest #git #cs #bypass
Вкратце: позволяет записывать файлы, созданные маяком кобальта (на примере кобальта), в память, а не на диск в системе.
https://github.com/Octoberfest7/MemFiles
#redteam #pentest #git #cs #bypass
👍7