Forwarded from PT SWARM
How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus
👤 by Antoine Cervoise, Wilfried Bécard
ADSS offers multiple functionalities such as managing password policies for administrators or self password reset/account unlock for Active Directory users.
In this article research team explore the details of several vulnerabilities that allow an unauthenticated attacker to execute arbitrary code on the server.
📝 Contents:
• First steps
• Authentication Bypass
• Arbitrary file upload through the API
• Arguments injection
• Chaining everything together to get code execution
• Conclusion
https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
👤 by Antoine Cervoise, Wilfried Bécard
ADSS offers multiple functionalities such as managing password policies for administrators or self password reset/account unlock for Active Directory users.
In this article research team explore the details of several vulnerabilities that allow an unauthenticated attacker to execute arbitrary code on the server.
📝 Contents:
• First steps
• Authentication Bypass
• Arbitrary file upload through the API
• Arguments injection
• Chaining everything together to get code execution
• Conclusion
https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
Synacktiv
How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus
HackTheBox - PivotAPI
https://youtu.be/FbTxPz_GA4o
https://youtu.be/hzsGMj9C8Nw
https://0xdf.gitlab.io/2021/11/06/htb-pivotapi.html
#htb #writeup #ad #reverse
https://youtu.be/FbTxPz_GA4o
https://youtu.be/hzsGMj9C8Nw
https://0xdf.gitlab.io/2021/11/06/htb-pivotapi.html
#htb #writeup #ad #reverse
YouTube
HackTheBox - PivotAPI
00:00 - Intro
01:00 - Start of nmap, downloading files over FTP
05:25 - The contents of all the PDF's don't really help. Using exiftool to extract authors.
08:20 - Using Kerbrute to bruteforce valid users and getting ASREP Hash. It is ETYPE 18, which hashcat…
01:00 - Start of nmap, downloading files over FTP
05:25 - The contents of all the PDF's don't really help. Using exiftool to extract authors.
08:20 - Using Kerbrute to bruteforce valid users and getting ASREP Hash. It is ETYPE 18, which hashcat…
Keycloak POST-based Reflected XSS
1. POST
#bugbounty #keycloak #xss
1. POST
/auth/realms/master/clientsregistrations/openid-connect
2. Content-Type: application/json
3. Request {"<svg onload=alert(document.domain)>":1}
4. Unfiltered user-input in error message will triggered XSS#bugbounty #keycloak #xss
KubiScan
KubiScan helps cluster administrators identify permissions that attackers could potentially exploit to compromise the clusters. This can be especially helpful on large environments where there are lots of permissions that can be challenging to track. KubiScan gathers information about risky roles\clusterroles, rolebindings\clusterrolebindings, users and pods, automating traditional manual processes and giving administrators the visibility they need to reduce risk.
https://github.com/cyberark/KubiScan
#kubernetes #rbac #scan #security #tools
KubiScan helps cluster administrators identify permissions that attackers could potentially exploit to compromise the clusters. This can be especially helpful on large environments where there are lots of permissions that can be challenging to track. KubiScan gathers information about risky roles\clusterroles, rolebindings\clusterrolebindings, users and pods, automating traditional manual processes and giving administrators the visibility they need to reduce risk.
https://github.com/cyberark/KubiScan
#kubernetes #rbac #scan #security #tools
GitHub
GitHub - cyberark/KubiScan: A tool to scan Kubernetes cluster for risky permissions
A tool to scan Kubernetes cluster for risky permissions - cyberark/KubiScan
MacOS — CVE-2021-30657 (POC)
A vulnerability in syspolicyd allows specially crafted application bundle downloaded from internet to
bypass foundational macOS security features such as File Quarantine, Gatekeeper, and Notarization.
Armed with this capability attackers could hack macOS systems with a simple user (double)-click.
https://github.com/shubham0d/CVE-2021-30657
#macos #poc #cve #syspolicyd
A vulnerability in syspolicyd allows specially crafted application bundle downloaded from internet to
bypass foundational macOS security features such as File Quarantine, Gatekeeper, and Notarization.
Armed with this capability attackers could hack macOS systems with a simple user (double)-click.
https://github.com/shubham0d/CVE-2021-30657
#macos #poc #cve #syspolicyd
GitHub
GitHub - shubham0d/CVE-2021-30657: A sample POC for CVE-2021-30657 affecting MacOS
A sample POC for CVE-2021-30657 affecting MacOS. Contribute to shubham0d/CVE-2021-30657 development by creating an account on GitHub.
OffSec/OSINT Resources
https://Urlscan.io
https://Hunter.io
https://snov.io
https://Osint.link
https://DNSdumpster.com
https://osintframework.com
https://shodan.io
https://censys.io
https://zoomeye.org
https://opencorporates.com
https://kitploit.com
https://ipv4info.com
https://robtex.com
https://securitytrails.com
https://intelx.io
https://crt.sh
https://spyse.com
#offsec #osint
https://Urlscan.io
https://Hunter.io
https://snov.io
https://Osint.link
https://DNSdumpster.com
https://osintframework.com
https://shodan.io
https://censys.io
https://zoomeye.org
https://opencorporates.com
https://kitploit.com
https://ipv4info.com
https://robtex.com
https://securitytrails.com
https://intelx.io
https://crt.sh
https://spyse.com
#offsec #osint
Obscure-IP-Obfuscator
Simple script you can use to convert and obscure any IP address of any host.
https://github.com/C-REMO/Obscure-IP-Obfuscator
#ip #obfuscate #tools
Simple script you can use to convert and obscure any IP address of any host.
https://github.com/C-REMO/Obscure-IP-Obfuscator
#ip #obfuscate #tools
NanoDump
Dumping LSASS has never been so stealthy
Features
#dump #lsass #syswhispers
Dumping LSASS has never been so stealthy
Features
• It uses syscalls (with SysWhispers2) for most operationshttps://github.com/helpsystems/nanodump
• You can choose to download the dump without touching disk or write it to a file
• The minidump by default has an invalid signature to avoid detection
• It reduces the size of the dump by ignoring irrelevant DLLs. The (nano)dump tends to be arround 10 MB in size
• You don't need to provide the PID of LSASS
• No calls to dbghelp or any other library are made, all the dump logic is implemented in nanodump
• You can use the .exe version to run nanodump outside of Cobalt Strike
#dump #lsass #syswhispers
SMBSR
Well, SMBSR is a python script which given a CIDR/IP/IP_file/HOSTNAME(s) enumerates all the SMB services listening (445) among the targets and tries to authenticate against them; if the authentication succeed then all the folders and subfolders are visited recursively in order to find secrets in files and ... secret files. In order to scan the targets for SMB ports open the masscan module is used.
https://github.com/oldboy21/SMBSR
#smb #share #secrets #redteam
Well, SMBSR is a python script which given a CIDR/IP/IP_file/HOSTNAME(s) enumerates all the SMB services listening (445) among the targets and tries to authenticate against them; if the authentication succeed then all the folders and subfolders are visited recursively in order to find secrets in files and ... secret files. In order to scan the targets for SMB ports open the masscan module is used.
https://github.com/oldboy21/SMBSR
#smb #share #secrets #redteam
GitHub
GitHub - oldboy21/SMBSR: Lookup for interesting stuff in SMB shares
Lookup for interesting stuff in SMB shares. Contribute to oldboy21/SMBSR development by creating an account on GitHub.
Taking the pain out of C2 Infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4
#c2 #redteam #infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure
# https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4
#c2 #redteam #infrastructure
Substack
Taking the pain out of C2 Infrastructure (Part 1)
Caddy is good. Caddy is life.