Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707)

👤 by testanull

While analyzing CVE-2022-41082, also known as Proxy Not Shell, researcher discovered CVE-2023-21707 vulnerability which he has detailed in this blog.
The vulnerability allows a privileged user to trigger RCE during a deserialization of untrusted data.

📝 Contents:
● Introduction
● The new variant
● Payload delivery
● Demo
● References

https://starlabs.sg/blog/2023/04-microsoft-exchange-powershell-remoting-deserialization-leading-to-rce-cve-2023-21707/

😈 [ mpgn_x64, mpgn ]

The sponsor version of CrackMapExec just receive an update from @MJHallenbeck 🚀

▶️ cme is now using rich logging from @willmcgugan
▶️ a progress bar has been added 🚄🚃🚃
▶️ protocol ssh is now working with a key
▶️ cmedb now store creds found with ssh

@porchetta_ind 🪂

🐥 [ tweet ]

ETWHash

ETWHash is a C# POC that is able to extract NetNTLMv2 hashes of incoming authentications via SMB, by consuming ETW events from the Microsoft-Windows-SMBServer provider {D48CE617-33A2-4BC3-A5C7-11AA4F29619E}

https://labs.nettitude.com/blog/etwhash-he-who-listens-shall-receive/

🥶 Freeze

Freeze.rs is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze.rs utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.

Research:
https://www.optiv.com/insights/source-zero/blog/sacrificing-suspended-processes

Source:
https://github.com/optiv/Freeze.rs

#av #edr #etw #windows #maldev

🕳 Resocks

This is a reverse/back-connect SOCKS5 proxy tunnel that can be used to route traffic through a system that can't be directly accessed (e.g. due to NAT). The channel is secured by mutually trusted TLS with auto-generated certificates based on a connection key.

Blog:
https://blog.redteam-pentesting.de/2023/introducing-resocks/

Source:
https://github.com/RedTeamPentesting/resocks

#socks #proxy #tunnel #mtls

Для дампа памяти процессов, защищённых PPL.
Работает с Windows 11 25346.1001 (April 2023).

https://github.com/gabriellandau/PPLFault

#creds #git #soft

CVE-2023-32233 LPE

In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.

Once the PoC is started on a vulnerable system, it may leave that system in an unstable state with corrupted kernel memory. We strongly recommend to test the PoC on a dedicated system to avoid potential data corruptions.

Для получения паролей пользователей SSH в открытом виде

https://github.com/jm33-m0/SSH-Harvester

#redteam #pentest #creds #git

🔀 Direct Syscalls vs Indirect Syscalls

This post discusses Indirect Syscalls as a solution to eliminate indicators of compromise and avoid detection by EDRs. Indirect Syscalls allow the execution of Syscall and Return statements in the memory of ntdll.dll, which is the usual behavior in Windows.

https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls

#maldev #syscall #edr #bypass

😈 [ kleiton0x7e, Kleiton Kurti ]

We took a Cobalt Strike profile, modified it, and bypassed Crowdstrike & Sophos without encrypting the shellcode. Also bypassed all published YARA rules, sleep detections, and string detections around a CS beacon.

Blog: https://t.co/m7FNOwV6Nx

#CyberSecurity #redteam #infosec

🔗 https://whiteknightlabs.com/2023/05/23/unleashing-the-unseen-harnessing-the-power-of-cobalt-strike-profiles-for-edr-evasion/

🐥 [ tweet ]

🎯 GitLab CE/EE Path Traversal Vulnerability (CVE-2023-2825)

On May 23, 2023, GitLab released version 16.0.1, which addressed a critical vulnerability, CVE-2023-2825, impacting both the Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. This vulnerability enables unauthenticated users to read arbitrary files by exploiting a path traversal bug. Additionally, an unauthenticated malicious user can leverage a path traversal vulnerability to read arbitrary files on the server if there is an attachment present in a public project nested within a minimum of five groups.

Shodan Dork:
application-77ee44de16d2f31b4ddfd214b60b6327fe48b92df7054b1fb928fd6d4439fc7e.css

Research:
https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/

PoC:
https://github.com/Occamsec/CVE-2023-2825

#gitlab #path #traversal #poc #cve

#ad #relay #webdav #ldap

[ DavRelayUp ]

A  port of #KrbRelayUp with modifications to allow for NTLM relay from WebDAV to LDAP and abuse #RBCD in order achieve #LPE in domain-joined windows workstations where LDAP signing is not enforced.

Thanks to: Руслан

https://github.com/Dec0ne/DavRelayUp

🦾 SharpTerminatator

Terminate AV/EDR Processes using kernel driver. SharpTerminatator is a C# port of ZeroMemoryEx's art piece called Terminator. It can be used with Cobalt Strike's execute-assembly or as a standalone executable.

https://github.com/mertdas/SharpTerminator

#av #edr #cobaltstrike #csharp

​Отлично! Теперь шелл можно и через SMS пропихнуть.
Пока безопасники бьются с DLP, настраивают политики и заливают порты эпоксидкой, просто отправь SMS на номер.TCPoverSMS, my ass.
https://github.com/persistent-security/SMShell

🔥 VMware vRealize Network Insight — Pre-authenticated RCE (CVE-2023-20887)

This post will examine the exploitation process of CVE-2023-20887 in VMware Aria Operations for Networks (formerly known as vRealize Network Insight). This vulnerability comprises a chain of two issues leading to Remote Code Execution (RCE) that can be exploited by unauthenticated attackers.

Exploit:
https://github.com/sinsinology/CVE-2023-20887

Research:
https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/

#VMware #vRealize #rce #cve

☁️ Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust

In this blog we will look at how this trust can be abused by an attacker that obtains Global Admin in Azure AD, to elevate their privileges to Domain Admin in environments that have the Cloud Kerberos Trust set up. Since this technique is a consequence of the design of this trust type, the blog will also highlight detection and prevention measures admins can implement.

https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust

#ad #azure #kerberos #research

Exposing hidden risks through ACLs in Active Directory

The abuse of misconfigured Access Control Lists is nothing new. However, it is still one of the main ways of lateral movement and privilege escalation within an active directory domain.

Obfuscated LSASS dumper command

A quick walkthrough for a obfuscated PowerShell LSASS dump command via comsvcs.dll.

CVE-2023-20178 Cisco AnyConnect LPE

When a user connect to vpn, vpndownloader.exe process is started in background and it will create directory in c:\windows\temp with default permissions in following format: <random numbers>.tmp After creating this directory vpndownloader.exe will check if that directory is empty and if its not it will delete all files/directories in there. This behaviour can be abused to perform arbitrary file delete as NT Authority\SYSTEM account.

Кража KeyTab.

Во время тестирования на проникновение часто встречаются системы Linux с настроенным Keytab. Keytab хранит пары принципала кербероса и его зашифрованных ключей. С помощью этих зашифрованных ключей можно получить TGT. В результате чего появляется возможность запросить TGT на имя принципала без ввода пароля. Kerberos на Linux уже далеко не редкость - гетерогенные сети становятся все более популярными по ряду причин. Например, может быть такой сценарий, что на Linux бекапится содержимое какой-либо шары, при этом получить доступ к этой шаре могут только пользователи домена. В таком случае пишется простенький скрипт на баш, в котором реализуется логика по запросу TGT тикета на основе KeyTab, а затем копирования файлов с шары. Причем для периодичности запуска скрипт добавляется в crontab.

Нам, как атакующим, конечно же, интересен процесс запроса TGT билета на основе KeyTab. Для этого можно использовать команду kinit со следующим синтаксисом:
kinit –kt <keytab> <принципал>

Например, если файл /tmp/admin.keytab служит для аутентификации пользователя [email protected] , то делаем вот так:
kinit -kt /tmp/admin.keytab [email protected]

Остается лишь одна проблема - обнаружение самих KeyTab файлов. Конечно, можно ручками через find искать эти файлы, потом также муторно проверять разрешения на них, что не есть хорошо. Поэтому я накалякал следующий командлет, который автоматически найдет все .keytab файлы , а затем подсветит интересные разными цветами:
1. Зеленым подсвечиваются те файлы, которые принадлежат текущему пользователю.
2. Желтым подсвечиваются те файлы, которые принадлежат пользователю, отличному от текущего, при этом текущий пользователь не имеет достаточных прав (чтение/запись) на этот самый KeyTab.
3. Наконец, красным подсвечиваются файлы, которые принадлежат пользователю, отличному от текущего, при этом текущий пользователь имеет достаточные права на этот самый KeyTab.

find / -iname '*.keytab' -type f -exec ls -l {} \; 2>/dev/null | awk -v user="$(whoami)" 'BEGIN { FS = OFS = " "; red = "\033[31m"; yellow = "\033[33m"; green = "\033[32m"; reset = "\033[0m" } { if ($3 == user && $9 ~ /.keytab$/) { printf green } else if ($3 != user && $9 ~ /.keytab$/ && $1 ~ /^-.w.r../) { printf red } else if ($3 != user && $9 ~ /.keytab$/ && ($1 !~ /^.w.r../ || $1 !~ /^-.w../)) { printf yellow } print $0; printf reset }'