Волосатый бублик
All credits to authors.
[ CookieKatz ]

Dump cookies from Chrome, Edge or Msedgewebview2 directly from the process memory.

— Support dumping cookies from Chrome's Incognito and Edge's InPrivate processes
— Access cookies of other users' browsers when running elevated
— Dump cookies from webview processes
— No need to touch on-disk database file
— DPAPI keys not needed to decrypt the cookies
— Parse cookies offline from a minidump file

https://github.com/Meckazin/ChromeKatz
[ How to Give your Phishing Domains a Reputation Boost ]

When we send out our phishing emails, we are reckoning with giants. Spamhaus, SpamAssassin, SpamTitan, Barracuda, and many more giants wish to grind your bones to bake their bread. They are big. They are scary. But they don't catch everything. Just like Edward Bloom learned, the best way to deal with giants is to make a good first impression.


Posts By SpecterOps Team Members:

https://posts.specterops.io/one-phish-two-phish-red-teams-spew-phish-1a2f02010ed7
#k8s #kubernetes

[ A Guide To Kubernetes Logs That Isn't A Vendor Pitch ]

Part of being a good red teamer is avoiding showing up in logs. In this blog Graham Helton will share what he learned after investigating how logs are generated in Kubernetes.

Turns out there are some detection mistakes that are very easy to make... Check it out
👇

https://grahamhelton.com/blog/k8slogs
[ Introducing The Shelf ]

By TrustedSec: We love OST here and want to continue contributing to the community. Going forward, we plan to publish internal retired tools, PoCs, and unfinished capabilities to a catch-all repo.

Blog: https://trustedsec.com/blog/introducing-the-shelf

Repo: https://github.com/trustedsec/The_Shelf

VenomousSway looks interesting, check it out!
[ CVE-2024-4577 - Yet Another PHP RCE: Make PHP-CGI Argument Injection Great Again! ]

New research by Orange Tsai!

This is a side story/extra bug while I’m preparing for my Black Hat USA presentation. I believe most of the details have already been covered in the official advisory (should be published soon). Although PHP-CGI has gradually been phased out over time, this vulnerability affects XAMPP for Windows by default, allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences.

This vulnerability affects all versions of PHP installed on the Windows operating system. Please refer to the table below for details:

PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29


Blog: https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html

PoC: https://github.com/watchtowrlabs/CVE-2024-4577
#veeam #cve

[ Bypassing Veeam Authentication ]

‼️ CVE-2024-29849 ‼️

TLDR:
Veeam published a CVSS 9.8 advisory for an authentication bypass vulnerability, CVE-2024-29849. Following is a full analysis and exploit for this issue.

Blog:
https://summoning.team/blog/veeam-enterprise-manager-cve-2024-29849-auth-bypass

PoC:
https://github.com/sinsinology/CVE-2024-29849
#xxe #sharepoint

SharePoint XML eXternal Entity (XXE) Injection Vulnerability

‼️ CVE-2024-30043 ‼️

https://cybersecuritynews.com/poc-exploit-xxe-injection-vulnerability/
#windows #lpe

Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code in the csc.sys driver

‼️ CVE-2024-26229 ‼️

https://github.com/RalfHacker/CVE-2024-26229-exploit
#outlook #rce

Critical Microsoft Outlook Vulnerability Executes as Email is Opened

https://blog.morphisec.com/cve-2024-30103-microsoft-outlook-vulnerability
[ ScriptBlock Smuggling ]

ScriptBlock Smuggling is a new technique that allows for the spoofing of PowerShell security logs and bypasses AMSI without the need for reflection or memory patching.

https://bc-security.org/scriptblock-smuggling

GitHub repo: https://github.com/BC-SECURITY/ScriptBlock-Smuggling
Windows Wi-Fi Driver Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30078
[ The Big Bind Theory: Enhancing LDAP Security via LDAPS, LDAP Signing, and Channel Binding ]

During this webcast, ace Identity Security Consultant Darryl Baker will deep-dive into LDAP Signing and Channel Binding, how they function, and how to implement them to increase Active Directory Security. He will discuss common vulnerabilities exploited through unsecured LDAP channels and demonstrate how implementing these measures can prevent these attacks.

https://www.youtube.com/watch?v=Jvp1akW2kKM
#vCenter #cve

VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities
CVE-2024-37079, CVE-2024-37080, CVE-2024-37081

Go and patch, now!

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
#proxy #ssh #tunel

[ TREVORproxy ]

A SOCKS proxy written in Python that randomizes your source IP address. Round-robin your evil packets through SSH tunnels or give them billions of unique source addresses!

https://github.com/blacklanternsecurity/TREVORproxy
#windows #lpe

Windows LPE ( CVE-2024-30088)
Respectable people say it works.

https://github.com/tykawaii98/CVE-2024-30088
https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/

It won't get any better, that much is clear. There is only one chance left, so I appeal to the "researchers": please stop looking for bugs in it! I'm tired of updating it.
[ Bypassing SSRF Filters Using r3dir ]

r3dir is a redirection service designed to help bypass SSRF filters that do not validate the redirect location. It allows you to:
- Set the redirection target via URL parameters or subdomains;
- Control HTTP response codes;
- Obfuscate the target URL with Base32 encoding;
- Bypass some allowlist filters.


Author: Senior Security Consultant Vladyslav H.

Blog: https://www.leviathansecurity.com/blog/bypassing-ssrf-filters-using-r3dir

Tool itself: https://github.com/Horlad/r3dir
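Added example (not r3dir's code, not from the Leviathan post): the filter mistake r3dir exploits, side by side with a fetcher that re-validates every hop. The network is replaced by a constructed table of responses and DNS answers so it runs offline; "redirector.example" stands in for an attacker-controlled redirector, the URL layout of r3dir itself is not reproduced, and the public IPs are arbitrary.

```python
"""SSRF via open redirect: naive (check once) vs hardened (check every hop).

Added example, not the r3dir project's own code. All hosts, URLs and
responses below are constructed test data.
"""
import ipaddress
import socket
from typing import Callable, Dict, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed stand-in for the network: url -> (status, Location header or body).
# "redirector.example" plays the role of an attacker-run redirector (the job r3dir
# does); 169.254.169.254 is the usual cloud metadata address.
FAKE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "http://redirector.example/go?to=http://169.254.169.254/latest/meta-data/":
        (302, "http://169.254.169.254/latest/meta-data/"),
    "http://169.254.169.254/latest/meta-data/": (200, "ami-id\ninstance-id\n"),
    "http://images.example/logo.png": (200, "<png bytes>"),
    "http://redirector.example/loop": (302, "/loop"),
}

# Constructed DNS answers (arbitrary public addresses) so no real lookups happen.
FAKE_DNS: Dict[str, str] = {
    "redirector.example": "93.184.216.34",
    "images.example": "104.16.0.1",
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Return (status, Location-or-body) from the constructed table."""
    return FAKE_RESPONSES.get(url, (404, "not found"))


def fake_resolve(host: str) -> str:
    """Resolve from the constructed table; IP literals pass through like a real resolver."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


def is_safe_target(url: str, resolve: Callable[[str], str]) -> bool:
    """True only for http(s) URLs whose host resolves to a globally routable address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (socket.gaierror, ValueError):
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def naive_fetch(url: str, fetch=fake_fetch, resolve=fake_resolve, max_hops: int = 5) -> Tuple[int, str]:
    """The filter a redirector defeats: validates the user-supplied URL once, then
    follows redirects without re-checking where they point."""
    if not is_safe_target(url, resolve):
        raise ValueError(f"blocked: {url}")
    status, payload = fetch(url)
    hops = 0
    while status in REDIRECT_STATUSES and hops < max_hops:
        url = urljoin(url, payload)          # Location header, never re-validated
        status, payload = fetch(url)
        hops += 1
    return status, payload


def hardened_fetch(url: str, fetch=fake_fetch, resolve=fake_resolve, max_hops: int = 5) -> Tuple[int, str]:
    """Automatic redirects are off; every Location is validated before it is requested."""
    for _ in range(max_hops + 1):
        if not is_safe_target(url, resolve):
            raise ValueError(f"blocked: {url}")
        status, payload = fetch(url)
        if status not in REDIRECT_STATUSES:
            return status, payload
        url = urljoin(url, payload)
    raise ValueError("too many redirects")


if __name__ == "__main__":
    evil = "http://redirector.example/go?to=http://169.254.169.254/latest/meta-data/"
    print("naive   :", naive_fetch(evil))        # metadata leaks
    try:
        hardened_fetch(evil)
    except ValueError as err:
        print("hardened:", err)                 # second hop is blocked
```

Two caveats beyond what the block shows: the check and the connect should use the same resolved address (otherwise DNS rebinding reopens the hole), and a real client must have automatic redirect following switched off, since the library otherwise does the blind hop for you.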
[ regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server ]

CVE-2024-6387

Affected OpenSSH versions:
— OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
— Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
— The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
— OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability.


Blog by Qualys:
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

Check FAQ for any other questions and...
Update ASAP (+ fail2ban)

PoC: AT YOUR OWN RISK
For the PoC to work, all the planets have to line up, and not only in our galaxy; but as Ralf rightly noted: a PoC is not an exploit (c)
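Added example (mine, not Qualys's): a triage helper that applies the version ranges quoted above to SSH banners or `ssh -V` output. It is a first pass only: the banner cannot tell you whether a distro backported the fix into an older version string, or whether a build without the portable `pN` suffix is OpenBSD-native (unaffected) or some other vendor build, so those cases are flagged for manual confirmation rather than decided. The banners in the demo are constructed.

```python
"""Triage OpenSSH banners against the CVE-2024-6387 (regreSSHion) version ranges.

Added example, not Qualys's code. Ranges follow the advisory text:
  < 4.4p1            vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109
  4.4p1 .. < 8.5p1   not affected
  8.5p1 .. < 9.8p1   vulnerable (the regression)
  >= 9.8p1           fixed
"""
import re
from typing import List, Optional, Tuple

VULNERABLE, NOT_AFFECTED, FIXED, UNKNOWN = "vulnerable", "not affected", "fixed", "unknown"

# Matches "OpenSSH_9.6p1", "OpenSSH_3.9.1p1" and OpenBSD-style "OpenSSH_9.7" (no pN).
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

# Vendor markers that commonly ship backported fixes under an old version string.
VENDOR_MARKERS = ("Ubuntu", "Debian", "FreeBSD", "RHEL", "el8", "el9", "SUSE")


def parse_openssh_version(banner: str) -> Optional[Tuple[Tuple[int, int, int], Optional[int]]]:
    """Return ((major, minor, patch), portable_release) or None if not OpenSSH.
    portable_release is None when the banner has no 'pN' suffix."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(p) if p is not None else None)


def classify(banner: str) -> Tuple[str, str]:
    """Map a banner to (status, note). The note says what still needs manual checking."""
    parsed = parse_openssh_version(banner)
    if parsed is None:
        return UNKNOWN, "not an OpenSSH banner"
    version, portable = parsed

    if version < (4, 4, 0):
        status, note = VULNERABLE, "pre-4.4p1: vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109"
    elif version < (8, 5, 0):
        status, note = NOT_AFFECTED, "4.4p1 to 8.4: signal handler made safe by the CVE-2006-5051 fix"
    elif version < (9, 8, 0):
        status, note = VULNERABLE, "8.5p1 to 9.7: the regression range"
    else:
        status, note = FIXED, "9.8p1 or later"

    # Caveats the banner alone cannot resolve.
    if portable is None:
        note += "; no pN suffix: OpenBSD-native builds are unaffected, confirm the platform"
    if any(marker in banner for marker in VENDOR_MARKERS):
        note += "; vendor build: check the package changelog for a backported fix"
    return status, note


def triage(banners: List[str]) -> List[Tuple[str, str, str]]:
    """Classify many banners; returns (banner, status, note) rows for a report."""
    return [(b, *classify(b)) for b in banners]


if __name__ == "__main__":
    # Constructed banners in the shapes ssh-audit / nmap / `ssh -V` produce.
    sample = [
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
        "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
        "OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024",
        "SSH-2.0-OpenSSH_9.7",
        "SSH-2.0-OpenSSH_4.3p2",
        "SSH-2.0-dropbear_2022.83",
    ]
    for banner, status, note in triage(sample):
        print(f"{status:13s} {banner:45s} {note}")
```

Read "vulnerable" as "go and verify the package", not as "exploitable": the post above already notes how much has to line up for the PoC, and the point of the helper is to shorten the list of hosts you have to look at by hand.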