👹 [ snovvcrash, sn🥶vvcr💥sh ]

Rewritten #DirtyVanity PoC injector to C# and #DInvoke. Great stuff @eliran_nissan!

https://t.co/ifQLPMSFpb

Happy upcoming New Year to everyone! 🎄

🔗 https://gist.github.com/snovvcrash/09deab831d49028e194e8ee83f2616a9

🐥 [ tweet ][ quote ]

✨ Happy New Year!

Happy holiday to you, dear friends and subscribers of my channel!

This year has brought a lot of trouble and a lot of joyful moments. In the new year, I wish you more vulnerabilities found, interesting research and all the best.

Thank you for all the support, feedback, and messages this year!

Love you all ♥️

😈 Microsoft Exchange: OWASSRF + TabShell
(CVE-2022-41076)

The TabShell vulnerability its a form of Privilege Escalation which allows breaking out of the restricted Powershell Sandbox after you have successfully gained access through OWASSRF.

For a detailed write see research:
https://blog.viettelcybersecurity.com/tabshell-owassrf/

PoC:
https://gist.github.com/testanull/518871a2e2057caa2bc9c6ae6634103e

#owa #ssrf #tabshell #poc

Inline-Execute-PE

Is a CobaltStrike toolkit enabling users to load and repeatedly run unmanaged Windows exe’s in Beacon memory without dropping to disk or creating a new process each time.

⚙️ Meterpreter BOFLoader

In this guide, you'll learn how the new BOFLoader extension allows BOFs to be used from a Meterpreter session. Discover new attacks made possible in Meterpreter and avoid common errors.

https://www.trustedsec.com/blog/operators-guide-to-the-meterpreter-bofloader

#msf #meterpreter #bof #loader

😈 [ 0x0SojalSec, Md Ismail Šojal ]

The shortest payload for a tiny php reverse shell written in 19 bytes using only non-alphanumeric characters. Hex values inside ⛶ indicate raw bytes.
This will help to bypass WAF and execute PHP reverse shell for RCE.
get more detail about this👇

🔗 https://gist.github.com/0xSojalSec/5bee09c7035985ddc13fddb16f191075

#bugbountyTips #bugbounty

🐥 [ tweet ]

⭐️ Privileger

Privilger allows you to work with privileges in Windows as easily as possible. There are three modes:

— Add privileges to an account;
— Start a process by adding a specific privilege to its token;
— Remove privilege from the user.

Thanks to:
@Michaelzhm

https://github.com/MzHmO/Privileger

#ad #windows #privilege #lsa

certsync

certsync is a new technique in order to dump NTDS remotely, but this time without DRSUAPI: it uses golden certificate and UnPAC the hash. It works in several steps:
1) Dump user list, CA informations and CRL from LDAP
2) Dump CA certificate and private key
3) Forge offline a certificate for every user
4) UnPAC the hash for every user in order to get nt and lm hashes

Псс, гайс, слышали об уязвимости CVE-2022-48109? Вот и я нет до сегодняшнего дня, а ведь это CVE ID моего инфосек-братишки @Acrono! Хочу первым поздравить Пашу с потерей цвйешной девственности – ура-ура! Ждем от него покорения новых вершин на поприще киберсесурити 💪🏻

Следите за каналом @APT_Notes, чтобы узнать подробности 😉

И ещё одна новая картошка! RasMan service for privilege escalation

https://github.com/crisprss/RasmanPotato

#git #lpe #soft #pentest #redteam

🔧 Windows LPE via StorSvc Service

StorSvc is a service which runs as NT AUTHORITY\SYSTEM and tries to load the missing SprintCSP.dll DLL when triggering the SvcRebootToFlashingMode RPC method locally.

PoC:
https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc

#windows #lpe #storsvc #service

⚙️ Joomla Web Service Endpoint Access (CVE-2023-23752)

An issue was discovered in Joomla 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

PoC:

httpx -l targets.txt -sc -ct -ip -path '/api/index.php/v1/config/application?public=true' 

Research:
https://unsafe.sh/go-149780.html

Nuclei Template:
https://github.com/thecyberneh/nuclei-templatess/blob/main/cves/2023/CVE-2023-23752.yaml

#joomla #endpoint #access #cve

🔥 NimPlant С2

This is a new light-weight, first-stage C2 implant written in Nim, with a supporting Python server and Next.JS web GUI.

https://github.com/chvancooten/NimPlant

#c2 #nim #python #redteam

🧪 NtQueueApcThreadEx — NTDLL Gadget Injection

This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.

Source:
https://github.com/LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection

#apc #ntdll #injection #clang #redteam

💥 Fortinet FortiNAC Unauthenticated RCE

On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.

PoC:
https://github.com/horizon3ai/CVE-2022-39952

Research:
https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/

#fortinet #fortinac #rce #cve

Это реально круто!

Вкратце: позволяет записывать файлы, созданные маяком кобальта (на примере кобальта), в память, а не на диск в системе.

https://github.com/Octoberfest7/MemFiles

#redteam #pentest #git #cs #bypass

📜 Abusing Code Signing Certificates

Abusing code signing certificates is not new. In the past few years alone, it has proven to be an effective method of bypassing certain security controls to allow malicious software to run and look seemingly benign. This article describes code signing methods, as well as tools for copying the signature from legitimate PE files.

Source:
https://axelarator.github.io/posts/codesigningcerts/

#sign #code #certificate #abuse #redteam

​​​⚛️ AtomLdr

A DLL loader with advanced evasive.

Features:
• DLL unhooking from \KnwonDlls\ directory, with no RWX sections
• The encrypted payload is saved in the resource section and retrieved via custom code
• AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I've encountered
• Indirect syscalls, utilizing HellHall with ROP gadgets
• Payload injection using APC calls - alertable thread
• Api hashing using two different implementations of the CRC32 string hashing algorithm
• The total Size is 17kb

https://github.com/NUL0x4C/AtomLdr

#loader #dll #edr #evasion #redteam

🌐 DroppedConnection — Cisco ASA Anyconnect Emulator

Fake VPN server that captures credentials and executes code via the Cisco AnyConnect client.

Source:
https://github.com/nccgroup/DroppedConnection

Research:
https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-cisco-anyconnect-client-to-drop-and-run-payloads/

#cisco #asa #anyconnect #credentials #redteam

🔑 KeePass2: DLL Hijacking and Hooking API

This new article about a way to get the Master Password of a KeePass database.

https://skr1x.github.io/keepass-dll-hijacking/

#keepass #dll #hijacking #redteam