[ CookieKatz ]
Dump cookies from Chrome, Edge or Msedgewebview2 directly from the process memory.
— Support dumping cookies from Chrome's Incognito and Edge's InPrivate processes
— Access cookies of other users' browsers when running elevated
— Dump cookies from webview processes
— No need to touch on-disk database file
— DPAPI keys not needed to decrypt the cookies
— Parse cookies offline from a minidump file
https://github.com/Meckazin/ChromeKatz
[ How to Give your Phishing Domains a Reputation Boost ]
When we send out our phishing emails, we are reckoning with giants. Spamhaus, SpamAssassin, SpamTitan, Barracuda, and many more giants wish to grind your bones to bake their bread. They are big. They are scary. But they don't catch everything. Just like Edward Bloom learned, the best way to deal with giants is to make a good first impression.
Posts By SpecterOps Team Members:
https://posts.specterops.io/one-phish-two-phish-red-teams-spew-phish-1a2f02010ed7
#k8s #kubernetes
[ A Guide To Kubernetes Logs That Isn't A Vendor Pitch ]
Part of being a good red teamer is avoiding showing up in logs. In this blog Graham Helton will share what he learned after investigating how logs are generated in Kubernetes.
Turns out there are some detection mistakes that are very easy to make... Check it out 👇
https://grahamhelton.com/blog/k8slogs
[ Introducing The Shelf ]
By TrustedSec: We love OST here and want to continue contributing to the community. Going forward, we plan to publish internal retired tools, PoCs, and unfinished capabilities to a catch all repo.
Blog: https://trustedsec.com/blog/introducing-the-shelf
Repo: https://github.com/trustedsec/The_Shelf
VenomousSway looks interesting, check it out!
[ CVE-2024-4577 - Yet Another PHP RCE: Make PHP-CGI Argument Injection Great Again! ]
New research by Orange Tsai!
This is a side story/extra bug while I’m preparing for my Black Hat USA presentation. I believe most of the details have already been covered in the official advisory (should be published soon). Although PHP-CGI has gradually been phased out over time, this vulnerability affects XAMPP for Windows by default, allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences.
This vulnerability affects all versions of PHP installed on the Windows operating system. Please refer to the table below for details:
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29
Blog: https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html
PoC: https://github.com/watchtowrlabs/CVE-2024-4577
#veeam #cve
[ Bypassing Veeam Authentication ]
‼️ CVE-2024-29849 ‼️
TLDR:
Veeam published a CVSS 9.8 advisory for an authentication bypass vulnerability, CVE-2024-29849. Following is a full analysis and exploit for this issue.
Blog:
https://summoning.team/blog/veeam-enterprise-manager-cve-2024-29849-auth-bypass
PoC:
https://github.com/sinsinology/CVE-2024-29849
#xxe #sharepoint
SharePoint XML eXternal Entity (XXE) Injection Vulnerability
‼️ CVE-2024-30043 ‼️
https://cybersecuritynews.com/poc-exploit-xxe-injection-vulnerability/
#windows #lpe
Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code in the csc.sys driver
‼️ CVE-2024-26229 ‼️
https://github.com/RalfHacker/CVE-2024-26229-exploit
#outlook #rce
Critical Microsoft Outlook Vulnerability Executes as Email is Opened
https://blog.morphisec.com/cve-2024-30103-microsoft-outlook-vulnerability
[ ScriptBlock Smuggling ]
ScriptBlock Smuggling is a new technique that allows for the spoofing of PowerShell security logs and bypasses AMSI without the need for reflection or memory patching.
https://bc-security.org/scriptblock-smuggling
GitHub repo: https://github.com/BC-SECURITY/ScriptBlock-Smuggling
The second episode of the gripping series is out:
part one:
https://www.ambionics.io/blog/iconv-cve-2024-2961-p1
part two:
https://www.ambionics.io/blog/iconv-cve-2024-2961-p2
Ambionics
Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1)
A few months ago, I stumbled upon a 24-year-old buffer overflow in the glibc, the base library for Linux programs. Despite being reachable in multiple well-known libraries or executables, it proved rarely exploitable — while it didn't provide much leeway…
Windows Wi-Fi Driver Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30078
[ The Big Bind Theory: Enhancing LDAP Security via LDAPS, LDAP Signing, and Channel Binding ]
During this webcast, ace Identity Security Consultant Darryl Baker will deep-dive into LDAP Signing and Channel Binding, how they function, and how to implement them to increase Active Directory Security. He will discuss common vulnerabilities exploited through unsecured LDAP channels and demonstrate how implementing these measures can prevent these attacks.
https://www.youtube.com/watch?v=Jvp1akW2kKM
YouTube
The Big Bind Theory: Enhancing LDAP Security via LDAPS, LDAP Signing, and Channel Binding
In today’s cyber security landscape, attacks against Active Directory protocols are frequent and more tools to exploit them are being developed every day. At Trimarc, one of the protocols that we see attacked quite frequently (often due to misconfigurations)…
#vCenter #cve
VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities
CVE-2024-37079, CVE-2024-37080, CVE-2024-37081
Go update now!
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
#proxy #ssh #tunnel
[ TREVORproxy ]
A SOCKS proxy written in Python that randomizes your source IP address. Round-robin your evil packets through SSH tunnels or give them billions of unique source addresses!
https://github.com/blacklanternsecurity/TREVORproxy
#windows #lpe
Windows LPE (CVE-2024-30088)
Reputable people say it works.
https://github.com/tykawaii98/CVE-2024-30088
https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/
It won't get any better, that much is clear. Only one chance remains, so I appeal to the "researchers": please stop looking for bugs in it! I'm tired of updating it.
GitLab
GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5
Learn more about GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
[ Bypassing SSRF Filters Using r3dir ]
r3dir: a redirection service designed to help bypass SSRF filters that do not validate the redirect location. It allows you to:
- Set the redirection target via URL parameters or subdomains;
- Control HTTP response codes;
- Obfuscate the target URL with Base32 encoding;
- Bypass some allowlist filters.
Author: Senior Security Consultant Vladyslav H.
Blog: https://www.leviathansecurity.com/blog/bypassing-ssrf-filters-using-r3dir
Tool itself: https://github.com/Horlad/r3dir
[ regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server ]
CVE-2024-6387
Blog by Qualys:
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
Check FAQ for any other questions and...
Update ASAP (+ fail2ban)
Affected OpenSSH versions:
— OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
— Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
— The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
— OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability.
POC: AT YOUR OWN RISK
For the PoC to work, all the planets have to align, and not just in our galaxy; but as Ralf rightly noted: a PoC is not an exploit (c)
https://www.youtube.com/watch?v=1DseeBdRU3U&list=PLJK0fZNGiFU_Zh8PkjCws_Rw_8WdWKyd7
Fresh "audiobooks" have been posted, in case someone can't fall asleep.
YouTube
Domain Persistence: Detection, Triage, and Recovery - Josh Prager & Nico Shyne [SO-CON 2024]
We'll dive into Active Directory domain persistence techniques focused on identifying attacks and reclaiming control over organizational domains after a breach. The presentation explores various advanced adversarial techniques such as credential theft on…