Escalating Privileges via Third-Party Windows Installers
https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers
https://github.com/mandiant/msi-search
GIUDA - Ask a TGS on behalf of another user without password
https://github.com/foxlox/GIUDA
KRBUACBypass
By adding a KERB-AD-RESTRICTION-ENTRY to the service ticket, but filling in a fake MachineID, we can easily bypass UAC and gain SYSTEM privileges.
Research:
https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html
Source:
https://github.com/wh0amitz/KRBUACBypass
It's a tool to interact with remote hosts using the Windows Search Protocol and coerce authentication. The target host will connect over SMB to the listener host using the machine account.
https://github.com/slemire/WSPCoerce
Proof of Concept for CVE-2023-38646
This vulnerability has been declared as critical, because it allows an unauthenticated attacker to execute arbitrary commands with the same privileges as the Metabase server. This vulnerability means the Metabase server can become a potential entry point for malicious attacks, which could compromise the integrity of the whole system it operates on.
https://github.com/Zenmovie/CVE-2023-38646
100 Methods for Container Attacks(RTC0010)
https://redteamrecipe.com/100-Method-For-Container-Attacks/
Diving into Windows Remote Access Service for Pre-Auth Bugs
https://i.blackhat.com/BH-US-23/Presentations/US-23-YukiChen-Diving-into-Windows-Remote-Access.pdf
This allows you to spoof emails from any of the +2 Million domains using MailChannels. It also gives you a slightly higher chance of landing spoofed emails from any domain that doesn't have SPF & DMARC due to ARC adoption.
https://github.com/byt3bl33d3r/SpamChannel
Cross Platform Telegram based RAT that communicates via telegram to evade network restrictions
https://github.com/machine1337/TelegramRAT
Living Off the Foreign Land
Part 1/3: Setup Linux VM for SOCKS routing
https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform
Part 2/3: Configuring the Offensive Windows VM
https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-2
Part 3/3: Using Windows as Offensive Platform
https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3
Vcenter Comprehensive Penetration and Exploitation Toolkit
https://github.com/W01fh4cker/VcenterKit
Leveraging VSCode Extensions for Initial Access
https://www.mdsec.co.uk/2023/08/leveraging-vscode-extensions-for-initial-access/
Apache Superset Part II: RCE, Credential Harvesting and More
https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-and-more/
Bypassing UAC with SSPI Datagram Contexts
https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html