hacker crack data
consult:@Mikelaotoo
DoH has not yet become a global standard on the Internet; most connections still rely on basic DNS. So far, only Google and Mozilla have ventured into this field. Google is currently testing this feature with some users. In addition, there are applications for mobile devices that can also surf the web via DoH. Android Pie also offers an option to enable HTTPS-based DNS through network settings.
Penetrate background permissions, databases, servers
Crack and customize scripts for domestic and overseas sites and apps
Color site hijacking BC color keywords
Traffic hijacking, making customer acquisition simple
M instant messaging with quick hookup
This is a chat room that imitates some functions of TG. It supports voice calls and video calls. The platform can integrate various software inside.
Because the AD domain service is a server function, the "Server" service must be enabled in the services of the Windows Server machine.

Check "Control Panel" - "System and Security" - "Administrative Tools" - "Services" (or directly enter "services.msc" in "Run"), select "Server" there, double-click to enter its properties page, change the startup type to "Automatic", then "Apply" and "Start" the service:
At this time, I add the computer (web-2012) to the parent domain controller for management. The computer here is Windows Server 2012 R2.

1. Right-click "Computer" - "Properties" - "Change settings":

2. Then change the computer name to join the parent domain: redteam.com
Before confirming, we need to set the current machine's IP address and DNS, otherwise it cannot join the domain:
VMware vCenter RCE Vulnerability Pitfalls Record — What Knowledge Can a Simple RCE Vulnerability Really Reveal

Avoid all pitfalls and quickly reproduce this vulnerability
You can browse "0x01 Vulnerability Environment Setup -> Following the steps below will definitely succeed" and "0x02 Vulnerability PoC Construction -> Following the steps below will definitely succeed".



Browse by problem guidance
If you also encounter similar issues, see here

Environment setup always fails

Browse 0x01 Vulnerability Environment Setup -> Pitfall 1: Do not use the 7.0.x ISO image with this method, there is an unsolvable BUG!

Pitfall 2: Virtual machine network adapter set to NAT mode cannot save hostname

Manual modification of uploaded packets causes failure and using macOS tar packaging will cause problems

Browse 0x02 Vulnerability PoC Construction -> Pitfall 2: Why can't the data packet be directly modified?
CNCF (Cloud Native Computing Foundation) mentions in its definition of cloud native that "representative technologies of cloud native include containers, service mesh, microservices, immutable infrastructure, and declarative APIs".

The vulnerabilities and exploitation techniques we discuss today closely revolve around the above-mentioned technologies and various technical architectures evolved from cloud native related technologies, including but not limited to containers, service mesh, microservices, immutable infrastructure, declarative APIs, serverless architecture, function computing, DevOps, etc. It also involves common security issues encountered by development teams when using some cloud native open source components and during self-developed or secondary development. We do not extend or elaborate much on the concept of "cloud native security," and all mentioned security vulnerabilities have practical exploitation experience accumulated through internal and external offensive and defensive exercises and vulnerability hunting by the "Tencent Blue Team."

If you are not familiar with Kubernetes PODs, the above configuration is actually quite similar to executing the following docker commands on a business server where ROOT privileges are desired:
This video demonstrates how an unauthenticated attacker can access any user's files.


CVE-2023-49105: Privilege Escalation, Remote Code Execution
This vulnerability is unrelated to Docker, with a CVSS score of 9.8. It affects all ownCloud versions from 10.6.0 to 10.13.0. Unfortunately, ownCloud's announcement is not precise enough and only partially describes the impact on unauthenticated users.

The real impact is twofold:

1. Attackers without an account can control (CRUD) all files under any account. In some cases, they can even perform RCE.
2. Attackers with standard account credentials can escalate to admin and gain RCE.

Let's first start with the unauthenticated attack.

From Anonymous to User (and RCE)
When requests are made to certain parts of the site (including WEBDAV and CALDAV), users can authenticate by providing a username and a signature. The signature is calculated based on the user's specific key and elements in the HTTP request (such as GET parameters, HTTP method, etc.). Unfortunately, by default, users do not set a key. In this case, their signature key defaults to an empty string. Therefore, an unauthenticated attacker who knows the username can impersonate any user.
Because 0xac9650d8 is the function signature of the multicall function, it will call the token-agreed multicall function, and the data value determined by the multicall function is 0x42966c68000000000000000000000000000000000000000c9112ec16d958e8da8180000760dc1e0 43d99394a10605b2fa08f123d60faf84