PT SWARM
Positive Technologies Offensive Team: twitter.com/ptswarm

This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting
Hello everyone!

We are Positive Technologies Offensive Team.

This channel was created to share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting.
A new version of pypykatz is out.

New features: asyncio support, plus aiosmb added as a requirement, so LSASS dump files can be parsed over SMB (without downloading them) with non-blocking IO.

https://github.com/skelsec/pypykatz
Shubs aka infosec_au on hacking IIS at NahamCon2021: "HTTPAPI 2.0 assets, VHost Hopping, LFD escalation, DNSpy, Complex XXEs and Logical Fuzzing for Shortname Enumeration".

The slides are concise and to the point, giving a good overview of popular techniques.

Slides: https://drive.google.com/file/d/1O0IARjqP4Pwa-ae1nAP8Nr9qb0ai2XPu/view
1-Click RCE in TikTok for Android by @dPhoeniixx

Bugs:
1. Universal XSS on TikTok WebView
2. Another XSS on AddWikiActivity
3. Start Arbitrary Components
4. Zip Slip in TmaTestActivity
5. RCE!

https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105
"H2C Smuggling in the Wild" by @seanyeoh takes a look at real-world WAF, routing, and access control bypasses in different cloud environments.

Contents:
• HTTP2 Over Cleartext (H2C)
• Exploitation
• Cloudflare
• Azure
• Google Cloud Platform
• Other Cloud Providers
• Takeaways on Security Research
• Assetnote

https://blog.assetnote.io/2021/03/18/h2c-smuggling/
Three brand new OAuth2 and OpenID Connect vulnerabilities discovered by @artsploit with demos on MITREid Connect and ForgeRock OpenAM implementations.

Contents:
• Dynamic Client Registration - SSRF by design (CVE-2021-26715)
• "redirect_uri" Session Poisoning (CVE-2021-27582)
• "/.well-known/webfinger" makes all user names well-known

https://portswigger.net/research/hidden-oauth-attack-vectors
Rocket.Chat fixed a persistent XSS found by our researcher Igor Sak-Sakovskiy.

The vulnerability was triggered by sending a text message, resulting in an arbitrary file read or RCE on the recipient's desktop system.

https://hackerone.com/reports/1014459
This blog post will describe a class of vulnerability detected in several SSO services assessed by NCC Group, specifically affecting Security Assertion Markup Language (SAML) implementations. The flaw could allow an attacker to modify SAML responses generated by an Identity Provider, and thereby gain unauthorized access to arbitrary user accounts, or to escalate privileges within an application.

Exploit techniques:
• Attribute injections – where the injection occurs in a SAML attribute associated with the account in the Identity Provider.
• InResponseTo injections – where the injection affects the “InResponseTo” attribute of the SAML response.

https://research.nccgroup.com/2021/03/29/saml-xml-injection/
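The two techniques listed above, as an added example that is not code from the NCC Group post or from any IdP product: a toy IdP that renders its SAML Response by string formatting (the flawed pattern), the attribute-context and text-context payloads that exploit it, and the same builder done with an XML API so user-controlled values stay data. The template, element names and payload strings are constructed for this illustration; an IdP that signs the document it has just rendered signs the injected markup along with it, which is why signature verification at the SP does not catch this class of bug.

```python
"""Added example (not from the NCC Group post or any product): a toy IdP that
renders a SAML Response by string formatting, the two injection payloads the
post describes, and the same builder done safely with ElementTree."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, deliberately minimal response template. Real responses carry
# Issuer, Conditions, a Signature, etc.; they are left out so the injection stays visible.
VULNERABLE_TEMPLATE = (
    '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
    'ID="_resp1" InResponseTo="{in_response_to}">'
    '<saml:Assertion ID="_a1">'
    '<saml:Subject><saml:NameID>{username}</saml:NameID></saml:Subject>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="displayName"><saml:AttributeValue>{display_name}</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement>'
    '</saml:Assertion>'
    '</samlp:Response>'
)


def build_response_vulnerable(username, display_name, in_response_to):
    """IdP rendering as in the vulnerable class: values are interpolated unescaped."""
    return VULNERABLE_TEMPLATE.format(samlp=SAMLP, saml=SAML, username=username,
                                      display_name=display_name,
                                      in_response_to=in_response_to)


def build_response_safe(username, display_name, in_response_to):
    """Same document built with an XML API; the serializer escapes text and
    attribute values, so markup inside user-controlled fields stays data."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_resp1", "InResponseTo": in_response_to})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"ID": "_a1"})
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = username
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, value in (("displayName", display_name), ("role", "user")):
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


def sp_view(xml_text):
    """What a relying party sees after parsing: role and displayName values and
    the Response element's attributes (InResponseTo is matched to the AuthnRequest)."""
    root = ET.fromstring(xml_text)
    ns = {"samlp": SAMLP, "saml": SAML}
    roles = [v.text for v in root.findall(
        ".//saml:Attribute[@Name='role']/saml:AttributeValue", ns)]
    names = [v.text for v in root.findall(
        ".//saml:Attribute[@Name='displayName']/saml:AttributeValue", ns)]
    return {"roles": roles, "display_names": names, "response_attrs": dict(root.attrib)}


# Attribute injection: the account attribute lands in a text node, so the payload
# closes the displayName Attribute, adds a role Attribute of its own, then re-opens
# displayName so the remainder of the template still parses as well-formed XML.
ATTR_PAYLOAD = (
    'Eve</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="displayName"><saml:AttributeValue>Eve'
)

# InResponseTo injection: the AuthnRequest ID is attacker-chosen (it passes through
# the browser) and is echoed into an attribute value, so a double quote breaks out
# and appends an attribute to the Response start tag. "Destination" is only a
# visible marker here; the point is that the attribute context is attacker-writable.
IRT_PAYLOAD = '_req1" Destination="https://attacker.example/acs'


def demo():
    """Run both payloads through the vulnerable and the safe builder."""
    return {
        "vuln_attr": sp_view(build_response_vulnerable("eve", ATTR_PAYLOAD, "_req1")),
        "vuln_irt": sp_view(build_response_vulnerable("eve", "Eve", IRT_PAYLOAD)),
        "safe_attr": sp_view(build_response_safe("eve", ATTR_PAYLOAD, "_req1")),
        "safe_irt": sp_view(build_response_safe("eve", "Eve", IRT_PAYLOAD)),
    }


if __name__ == "__main__":
    for label, view in demo().items():
        print(label, view)
```

With the string-templated builder the parsed response carries an extra `role=admin` attribute and an attacker-added attribute on the Response element; with the ElementTree builder the same payloads come back as literal text and a literal InResponseTo value, and the role list is unchanged. The same check is worth running against any IdP or SP code that assembles SAML with string concatenation or a text templating engine.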
VMware fixed CVE-2021-21975 and CVE-2021-21983, which when chained together lead to an unauthenticated RCE in vRealize Operations.

The vulnerabilities were found by our researcher Egor Dimitrenko.

Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0004.html