News

• SMB NTLM blocking now supported in Windows Insider. The beginning of the end for NTLM relay attacks, but you know enterprise will still have it enabled for "legacy" support for 20 years.
• WASI support in Go. The Sliver crew is already looking at doing fun things with this.
• When MFA isn't actually MFA. "The caller claimed to be one of the members of the IT team, and deepfaked our employee'≈s actual voice." It finally happened. It's time to buy hardware keys for all your employees. There is no better defense against this type of advanced attack.
• 38TB of data accidentally exposed by Microsoft AI researchers. In the cloud, a signed URL can become a single factor that exposes a lot of data.
• Fileless Remote Code Execution on Juniper Firewalls. I can't decide if we should laugh or cry. Firewalls, do your one job!
• Cobalt Strike 4.9: Take Me To Your Loader. The Forta team is working hard to make Cobalt Strike even more modular as well as a bunch of other great enhancements.

Techniques and Write-ups

• Deleting Your Way Into SYSTEM: Why Arbitrary File Deletion Vulnerabilities Matter. Detailed write up of how to use a file delete for much more than denial of service.
• Azure Active Directory Domain Services Escalation of Privilege. Curious if the patch was just the PetitPotam patch...
• Bypassing UAC with SSPI Datagram Contexts. It's messy in the PoC state (creates a service) but a nice UAC bypass.
• Attacking an EDR - Part 2. With EDR going to the cloud for the heavy lifting in detection, if you can tamper with that network traffic, you can often blind the EDR.
• Using AI for extracting Usernames, Emails, Phone Numbers, and Personal Names from large datasets. Neat, but you'll need a local model to operate on any sensitive data.
• Hypervisor Detection with SystemHypervisorDetailInformation. Detect those sandboxes a little easier with cpuid - A class to emulate the behavior of NtQuerySystemInformation when passed the SystemHypervisorDetailInformation information class.
• Okta for Red Teamers - This is fuego 🔥. The addition of a SAML authentication endpoint has been used by threat actors recently.
• CVE-2023-38146: Arbitrary Code Execution via Windows Themes. Looks like the fix might be incomplete - more research needed here! The PoC is: themebleed.
• Peeling back the curtain with call stacks. The elastic team has been on a good run recently with very technical posts.
• I hacked macOS!!! CVE-2022-32947 - With Lina✨ & Cyan💎. Very creative site to explain an extremely technical exploit. The final "demo" is impressive. Some people are truly wizards and Lina is one of them.
• Android 14 Still Allows Modification of System Certificates. Lots of claims stating Android 14 would break TLS interception, turns out, its still possible.
• The Not So Pleasant Password Manager. Some tough restrictions on XXS were bypassed to successfully leak credentials.

Tools and Exploits

• EchoDrv - Exploitation of echo_driver.sys.
• Caro-Kann - Encrypted shellcode Injection to avoid Kernel triggered memory scans
• malrdp-deploy - Automated (kinda) deployment of MalRDP infrastructure with Terraform & Ansible
• Periscope - Fully Integrated Adversarial Operations Toolkit (C2, stagers, agents, ephemeral infrastructure, phishing engine, and automation). Note: purposely broken by the author.
• NetExec - Crack Map Exec fork with different maintainers. Queue the drama.
• POSTDump is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding call to the Windows API MiniDumpWriteDump function.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• donut-decryptor - Retrieve inner payloads from Donut samples
• TierZeroTable - About Table of AD and Azure assets and whether they belong to Tier Zero
• Evilginx3-Phishlets - This repository provides penetration testers and red teams with an extensive collection of dynamic phishing templates designed specifically for use with Evilginx3.
• tracker-radar - Good for OSINT.
• GPOZaurr - Group Policy Eater is a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.
• electroniz3r - Take over macOS Electron apps' TCC permissions.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Mullvad on Tailscale: Privately browse the web - In case the Tailscale/Mullvad fans missed it.
• Active North Korean campaign targeting security researchers - Researchers have been and will always be a target. Share with those starting out in security research as well. You opened that project in a disposable VM, right?
• DEF CON 31 recordings are out! - In case you missed it.
• BLASTPASS NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild. Another zero click for iOS? Perhaps this prompted the new Apple Security Research Device Program.
• Google is aware that an exploit for CVE-2023-4863 exists in the wild.. Not to be left out of the 0day fun, Chrome also got an update to in-the-wild 0day.
• Results of Major Technical Investigations for Storm-0558 Key Acquisition. So a debug log contained the key due to a race condition, and it eventually got moved to a compromised machine (or so they think). Did the Storm-0558 actors get "lucky?" I suppose, but if you aren't waiting for a debug log containing the key by having compromised workstations, you won't get "lucky." And then to figure out how to use it to pillage emails from government customers... clearly this APT is serious.

Techniques and Write-ups

• Leveraging VSCode Extensions for Initial Access - Targeting developers? Try this for initial access.
• Bypassing Defender's LSASS dump detection and PPL protection In Go - A little PPL bypass with sysinternal drivers. Sysinternal drivers tend to flag against EDRs so test before use. Blog came with a tool.
• 4,500 of the Top 1 Million Websites Leaked Source Code, Secrets - Friendly reminder to include repos and source-code analysis in your recon workflow. Don't forget to try API keys even if they came from a previous commit, the developer may or may not have revoked those keys...
• GPOddity: exploiting Active Directory GPOs through NTLM relaying, and more! - "A new versatile attack vector: spoofing GPO location through the gPCFileSysPath attribute." Check out the GPOddity tool release as well.
• Lolbins for connoisseurs… Part 2 - Follow up to part 1. Good reminder that LOLbins may be used by other third-part software. This could break basic detections.
• Revisiting the User-Defined Reflective Loader Part 2: Obfuscation and Masking - "...introduced the User-Defined Reflective Loader Visual Studio (UDRL-VS) template"
• RE of LR3 - Peeking under the bonnet of the Litter Robot 3. Great, in depth, physical and mobile app hacking.
• Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023. A great Linux LPE write up and exploit code as well. This is the first LPE I've seen written in Go!
• From NTAuthCertificates to “Silver” Certificate. Some novel if not too sneaky persistence for a Windows domain.
• Shadow Wizard Registry Gang: Structured Registry Querying. Full steam ahead with the structured data train. Really excited to watch (and help?) Nemesis expand. The day tools adapt to it as the industry standard we'll know it has won.

Tools and Exploits

• guestlist - Labor day release from a DEF CON 31 talk. A tool for identifying guest relationships between companies.
• ETWListicle - List the ETW provider(s) in the registration table of a process.
• Issue 2451: Windows: System Drive Replacement During Impersonation EoP. Windows LPE patched 2023-08-14 with PoC.
• Introducing Session Hijacking Visual Exploitation (SHVE): An Innovative Open-Source Tool for XSS Exploitation. This is the coolest browser tool since the OG beef and Shadow Workers.
• Introducing Free Attack Surface Recon API by RedHunt Labs. Limited for now but free!
• caldera-ot - Caldera OT Plugin & Capabilities.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• PurpleOps - An open-source self-hosted purple team management web application.
• Sekiryu - Comprehensive toolkit for Ghidra headless.
• Supernova - Real shellcode encryption tool.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Introducing Python in Excel: The Best of Both Worlds for Data Analysis and Visualization. Looks like macros are back on the menu!
• X33fcon talks. Some good talks this year as usual.
• Microsoft Defender for Identity expands its coverage with new AD CS sensor!. Yes but you have to pay 💰

Techniques and Write-ups

• Living Off the Foreign Land. As EDR gets better, the move is to simply get a reverse SOCKS agent on a target machine and run all the "malware" on the comfort of your own machine. This series is a great intro to the world of "living off the foreign land."
• Real World Examples: The top AVs in the world missed all of these attacks. Some excellent examples of real world phishing documents that are currently getting past most AV.
• Dancing Offbit: The Story of a Single Character Typo that Broke a ChaCha-Based PRNG. Those bitwise operations will bite ya.
• Smashing the state machine: the true potential of web race conditions. Paper by @albinowax discussing the impact of race conditions and real world use cases (like gitlab) of exploitation.
• LAPS 2.0 Internals. @_xpn_ Dropping some knowledge on how LAPS 2.0 works along with BOF code 🫶.
• Demystifying DLL Hijacking. Some insight into some DLL Hijacking detection logic and methodology.
• DLL Notification Injection. New “threadless” process injection technique that works by utilizing the concept of DLL Notification Callbacks in local and remote processes.
• Track The Planet. Super cool talk from DEF CON 31. How username enumeration via the Microsoft cloud leads to tracking the world. Talk title is 👌
• A broken marriage. Abusing mixed vendor Kerberos stacks. DEF CON 31 talk -> Blog. Accounts are susceptible to user spoofing when providing Kerberos tickets to *nix based services joined to an Active Directory realm. Gssapi-abuse is the tool section of this post.
• Journey into Windows Kernel Exploitation: The Basics. Driver exploitation and abuse has been around forever. Here's a quick intro.
• SharpSCCM Demos - 2023 Black Hat USA Arsenal. The SCCM train continues. If you have not dove into SCCM abuse primatives, get on it! Don't believe us? Just faster forward to 4:46...
• Site Takeover via SCCM's AdminService API. The SCCM AdminService API is vulnerable to NTLM relaying 🤑
• Offensive Tool Development - The Shellcode Compiler Was Right There All Along.... TLDR; Linker scripts can be used to generate shellcode via C in a fairly platform agnostic way.
• The Client/Server Relationship — A Match Made In Heaven. @exploitph and @jsecurity101 share some insight into detecting Kerberos-based attacks.
• Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping. "...which render sensitive data such as the keystrokes that users type decipherable to network eavesdroppers"
• mTLS: When certificate authentication is done wrong. Any post that starts with an RFC screenshot is going to be a good time. Turns out you can do lots of nasty things with certificate parsing.
• Introducing Cloudflare's 2023 phishing threats report. How would your red team campaigns stack up?
• Naughty Hooking Detoxifying Memory Before Doing Crime. An impressive amount of step-by-step screenshots and basics here.
• Forget vulnerable drivers - Admin is all you need. Perhaps the most exciting research of this post? Tons of fun can be had in the kernel, and if you don't need vulnerable drivers (easy detection point) then its game on...
• DES Is Useful... Sometimes. Probably worth throwing an asktgt with the des option at every DC in your next assessment. Maybe you'll get lucky?
• CVE-2022-41099 - Analysis of a BitLocker Drive Encryption Bypass. There is going to be a long tail on this one as it requires some manual intervention to apply the patch fully.

Tools and Exploits

• Ensemble - A Bug Bounty Platform that allows hunters to issue commands over a geo-distributed cluster. Gives some botnet like feels 🤔.
• ContainYourself - DEF CON 31 Tool. Abuses the Windows containers framework to bypass EDRs.
• NoFilter - DEF CON 31 Tool. Abuses the Windows Filtering Platform for privilege escalation.
• DllNotificationInjection - DEF CON 31 Tool. POC of a new “threadless” process injection technique.
• CloudRecon - DEF CON 31 Tool. Suite of tools for red teamers and bug hunters to find ephemeral and development assets in their campaigns and hunts.
• EasyEASM DEF CON 31 Tool. Zero-dollar attack surface management tool. "The industry is dominated by $30k vendors selling "Attack Surface Management," but OG bug bounty hunters and red teamers know the truth" 👀
• gssapi-abuse - DEF CON 31 Tool. Impersonating AD users on *nix based hosts? Noice. Looks like rubeus was updated as well.
• DoubleDrive - BH23 Tool. A fully-undetectable ransomware that utilizes OneDrive to encrypt target files.
• apppoolcreddecrypt - A POC to show how IIS App Pool credentials are decrypted without appcmd.exe.
• NtRemoteLoad - Remote Shellcode injector using indirect native syscalls to inject shellcode into another process (based on HWSyscalls by ShorSec)
• konstellation - Konstellation is a configuration-driven CLI tool to enumerate cloud resources and store the data into Neo4j. Think Bloodhound for k8s.
• mellon - Open Supervised Device Protocol attack tool (and the Elvish word for friend).
• CVE-2023-36874_BOF - Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE.
• SharpShellPipe - This lightweight C# demo application showcases interactive remote shell access via named pipes and the SMB protocol.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• From Domain User to Domain Admin (DA), From DA to Global Admin (GA) - Nice walkthrough of one method of escalating from DA to GA.
• Evade signature-based phishing detections - Quick reminder that evading security controls doesn't always have to be complex. Safe browsing isn't immune.
• ProjectDiscovery Tools in 180 seconds - A bit sales-y but if you don't know about PD tools, this is a quick intro of their open-source tooling and capabilities.
• Vista UAC: The Definitive Guide - UAC under the hood hidden gem from 2008!
• NTDoc - Native API online documentation, based on the System Informer (formerly Process Hacker).
• SSH Cheatsheet - Friendly reminder that when you'll forget SCP/SSH commands
• html-obfuscator - Easily obfuscate your html!
• Nimperiments - Random projects written in Nim. Check out EvilLsassTwin!
• tiny_tracer - A Pin Tool for tracing API calls and instructions.
• windows-api-function-cheatsheets - A reference of Windows API function calls.
• xnLinkFinder - HTTP Crawling and Javascript scraping/extraction for enumeration.
• e9patch - Static binary rewriting tool.
• Infinite-Storage-Glitch - I wonder a red teamer would use this for 🤔

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Summary: MTE As Implemented. Good series from Project Zero on ARM's new memory tagging extension coming to v9 chips. TLDR: memory exploitation is getting harder. However, just like pointer authentication in iOS/macOS, exploitation is of course still possible.
• Microsoft Bug Bounty Program Year in Review: $13.8M in Rewards. Maybe they should have spent more? Microsoft... The Truth Is Even Worse Than You Think.
• CVE-2023-35082 - MobileIron Core Unauthenticated API Access Vulnerability. Who needs ARM MTE when you can just browse to a link and get access to all the endpoints of an organization.
• Hackers exploit BleedingPipe RCE to target Minecraft servers, players. With huge user bases, games are becoming real targets for hackers.
• Your new best friend: Introducing BloodHound Community Edition. "On August 8, 2023, BloodHound CE will be made available in its entirety." Hyped!

Techniques and Write-ups

• Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform. Sam Curry doesn't miss - great web app hacking content.
• Analysis and Exploitation of CVE-2023-3519. The Citrix ADC RCE (exploit here) is possible because exploit mitigation from 1997 (stack canaries) are not present on network edge devices. Forget about ARM memory tagging, let's just do some basics.
• Breaking Fortinet Firmware Encryption. Some great cryptanalysis to decrypt firmware images. This feels like a CTF challenge in real life.
• Blindsiding auditd for Fun and Profit. Very legit post-ex Linux tools and great explanation.
• Attacking an EDR - Part 1. What if you found an allowlisted process and spawned it suspended and then injected. Turns out, it works!
• Universal and Transferable Adversarial Attacks on Aligned Language Models. Automated attacks on LLMs.
• Challenges In Post-Exploitation Workflows. My body is ready. Inject Nemesis (currently 404s) into my veins. Man I hope this delivers, but the gang at Specter Ops has a great track record.
• “PhishForce” — Vulnerability Uncovered in Salesforce’s Email Services Exploited for Phishing Facebook Accounts In-The-Wild. Any system that can send email will be used for phishing.
• Hook, Line, and Phishlet: Conquering AD FS with Evilginx. The EvilNginx hype continues. Phishing ADFS in your next assessment? This one's for you.
• [PDF] Evading EDR Chapter 6. One chapter of Matt Hand’s upcoming book is available now. It’s also open for early access, and rumor has it this blog gets a mention!
• [PDF] The LOLBAS Odyssey: Finding New LOLBAS, and How You Can, Too. We love LOLBAS and this paper proposes and interesting automation framework for finding them.
• What To Expect When You're “Expecting" — Purple Team Edition. A lot of talks recently about the different types of purple team engagements, the value of purple teaming, etc. Nice to see Cedric dropping some wisdom for us on execution of a purple team.
• Abusing app role assignment actions in Entra ID. This blog provides some insight into the potential security risks and implications associated with the new action in the Entra ID role. Who else is monitoring these changes? 🤔
• Guarding the Bridge: New Attack Vectors in Azure AD Connect. MITM or ADCS + Azure AD Connect can lead to NT hashes. Good summary from some existing work on attacking Azure AD Connect.

Tools and Exploits

• daphne - Proof-of-Concept to evade auditd by tampering via ptrace.
• apollon - Proof-of-Concept to evade auditd by writing /proc/PID/mem.
• web-check - 🌐 All-in-one OSINT tool for analyzing any website.
• grove - A Software as a Service (SaaS) log collection framework from Hashicorp.
• EmailFlare - Send emails from your domain through Cloudflare for free. Self host on your account.
• ACCD - Active C&C Detector. Includes a deck on how it works.
• RogueSliver - A suite of tools to disrupt campaigns using the Sliver C2 framework.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• CVE-2023-28130 - Command Injection in Check Point Gaia Portal. Seems rough for a firewall vendor to get RCE'd. Again. At least its authenticated this time?
• semgrep-rules-manager - Manager of third-party sources of Semgrep rules 🗂.
• Night_Walker
• Pywerview - A (partial) Python rewriting of PowerSploit's PowerView for when you’re proxing your traffic or operating from a linux device.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Citrix ADC and NetScaler Gateway RCE (CVE-2023-3519)

  • Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway and Part 2.
  • 53% of them are unpatched. Bishop Fox has the best breakdown of the vulnerability landscape.

• Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places. I like the idea of a base, stable tool and then a service to make it more useful (i.e. less detectable). However, if this service is as popular as Cobalt Strike itself, won't it be a target for EDR? I wonder if OST subscriptions will be more limited than Cobalt Strike licenses.

• Researchers Find 'Backdoor' in Encrypted Police and Military Radios. Who would have thought a closed source encryption scheme from the 90's was vulnerable?

• JumpCloud Intrusion | Attacker Infrastructure Links Compromise to North Korean APT Activity. Bad day when your SSO/Identity provider is hacked. As we move to the cloud the companies are usually more secure then on-prem, but the blast radius of a succssful hack is huge.

• Russia Sends Cybersecurity CEO to Jail for 14 Years. In Soviet Russia, anti-crime sends you to jail. Not the first case of defenders being jailed in Russia with no public evidence either.

• Threat Actor Targeting Developers via Trojanized MS Visual Studio. Reminds me of XcodeGhost.

• The Legacy of Stagefright. Not often do we look back at the legacy of a bug.

Techniques and Write-ups

• Abusing Amazon VPC CNI plugin for Kubernetes. "By abusing the privileges of the Amazon VPC CNI plugin, it's possible for workloads to manipulate the networking of other unrelated EC2 instances. This can be leveraged by an attacker with a foothold in an EKS cluster to access and attack other instances living in other VPCs."
• Shifting boundaries: Exploiting an Integer Overflow in Apple Safari. A detailed look at a 2020 WebKit vulnerability and exploitation.
• #FuckStalkerware pt. 2 - SpyHide couldnt hide forever. It's not often people write about their actual hacks (not bug bounty). Makes me miss Phineas Fisher.
• Introducing CS2BR pt. II - One tool to port them all. I still don't get why you would create a C2 that doesn't just have BOF compatibility out of the box, but here we are.
• Zenbleed. You should get nervous if Tavis hasn't posted anything in a while, because you know he's cooking up a banger. Use-after-free in a CPU, pretty awesome research.
• CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent. A very "meh" bug but an epic exploit. From cannot "control anything except the order in which we load (and immediately unload) shared libraries from /usr/lib* in ssh-agent" to RCE is just the kind of creative hacking that gets me excited. This has my vote for coolest hack of the year so far.
• Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646). The assetnote guys really know how to pwn a webapp.
• An Approach to A9. Did you know hashcat had an -a9 attach mode?
• Escaping the Google kCTF Container with a Data-Only Exploit. Some great Linux kernel exploitation content.
• Mockingjay - What is old is new again. "Riding the hype train to see if we can get something useful out of it." That's like 90% of what I do.
• On (Structured) Data. Yes. Please someone with authority (CISA? MITRE?) or commonly used tools (Forta? Specter Ops?) define the schema that all C2 and post-ex tools can use so we can standardize all this mess! In the meantime people will write adaptors (think Extract, transform, and load [ETL] pipelines) for tools that lag behind. If there is a good enough aggregator, people will be compelled to conform.
• Prefetch: The Little Snitch That Tells on You. Make sure to clean up after yourself.
• GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux affect 40% of Ubuntu cloud workloads. Ubuntu moves fast, and sometimes breaks things.
• [PDF] Andrew_Charlie_Ive_Got_A_Forged_Twinkle_In_My_Eye.pdf. Some creative, unique slides on ticket forging attacks and detections.
• Automated Testing Handbook. When some of the masters of app testing (Trail of Bits) write a book, you might want to give it a read.
• Playing with Bubbles: An Introduction to DLL-Sideloading. A good intro, and uses my favorite DLL sideloading tool: Spartacus.
• Advanced Module Stomping & Heap/Stack Encryption. These days you best be doing some type of heap/stack encryption or any advanced EDR will detect all your unobfuscated strings in memory. Grab the code here .

Tools and Exploits

• Introducing BucketLoot - An Automated Cloud Bucket Inspector.
• KRBUACBypass - UAC Bypass By Abusing Kerberos Tickets.
• CVE-2023-35078-Exploit-POC - Remote Unauthenticated API Access vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions - Version 11.4 releases 11.10, 11.9 and 11.8.
• dcomhijack - Lateral Movement Using DCOM and DLL Hijacking.
• AADInternals OSINT. This web based tool will extract openly available information for the given tenant.
• LdrFunctionEx - "should evade EAF and maybe (haven't tested it) EATGuard"
• DarkWidow - Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing.
• StackRot - CVE-2023-3269: Linux kernel privilege escalation vulnerability. [First published in 2023-07-10 LWiS - Now includes an exploit]
• TGSThief - My implementation of the GIUDA project (Ask a TGS on behalf of another user without password) in C++.
• msi-search - This tool simplifies the task for red team operators and security teams to identify which MSI files correspond to which software and enables them to download the relevant file to investigate local privilege escalation vulnerabilities through MSI repairs. Read more about MSI repair vulnerabilities at Escalating Privileges via Third-Party Windows Installers.
• S4UTomato - Escalate Service Account To LocalSystem via Kerberos.
• WSPCoerce - PoC to coerce authentication from Windows hosts using MS-WSP.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• canTot - quick and dirty canbus h4xing framework.
• chrome-sbx-db - A Collection of Chrome Sandbox Escape POCs/Exploits for learning.
• GIUDA - Ask a TGS on behalf of another user without password.
• Frack - Keep and Maintain your breach data.
• exe_to_dll - Converts a EXE into DLL.
• dploot - DPAPI looting remotely in Python.
• sysplant - Your syscall factory.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Analysis of Storm-0558 techniques for unauthorized email access. This was the story of the week. TLDR stolen Microsoft account (MSA) consumer signing key (still unclear how it was stolen) was used to forge Azure AD tokens. This shouldn't be possible, but due to a bug in the Azure code it was. The actor used these forged tokens to pillage 25 private and US government unclassified Office365 accounts.
• CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief (Updated). You have the attack surface reduction rule enabled that blocks this (Block all Office applications from creating child processes) already, right?
• Microsoft Revokes Malicious Drivers in Patch Tuesday Culling Over 100 malicious drivers were revoked this month. 100 were signed by Microsoft themselves. 🤦
• France set to allow police to spy through phones. "Covering laptops, cars and other connected objects as well as phones, the measure would allow the geolocation of suspects in crimes punishable by at least five years' jail. Devices could also be remotely activated to record sound and images of people suspected of terror offenses, as well as delinquency and organized crime." Curious how this will work with open source software/hardware. Will all devices sold in france require this backdoor? Will it then be illegal to use devices without the backdoor?
• Senate bill crafted with DEA targets end-to-end encryption, requires online companies to report drug activity. Not to be outdone by France, the DEA tries to kill end-to-end encryption by including wording holding companies accountable for conduct they don't report if they “deliberately blind” themselves to the violations. Apple's latest iCloud encryption updates surely violate this. Hopefully their lobbying can stop this.
• CVSS v4.0 calculator - PUBLIC PREVIEW. Get those 9.8's ready!
• SonicWall GMS and Analytics affected by multiple vulnerabilities. I just want 1 week where there isn't an edge security device with a 9+ CVSS bug...
• Azure AD is being renamed to Microsoft Entra ID. You must get a bonus for a rename at Microsoft. Shoutout to the SMS/SCCM/MECM/ConfigMgr/Microsoft Endpoint Manager team. Hey, at least we get Phishing PoC for Entra Rebranding.

Techniques and Write-ups

• From Blackbox .NET Remoting to Unauthenticated Remote Code Execution. I respect the struggle to find obscure DLLs (he says, with two Windows Embedded installs running just to find DLLs).
• Tales From the Road: A Cyber Security Breach is Only A Phone Call Away. If you don't have a phone call capability (spoofing) in your red team offering, you are behind the curve as even teenagers are doing it.
• Cat & Mouse - or Chess?. What if you can hook the function in ntdll.dll that loads DLLs and prevent it from loading EDR dlls? A great question, and it turns out, you can!
• Modeling Malicious Code: Hacking in 3D. It's goofy, but why not store some shellcode in a 3D model?
• Performance, Diagnostics, and WMI. "Performance Monitor offers some interesting ways for attackers to extend their lateral movement or persistence opportunities by hijacking a service's performance DLL. With this, we gain a novel WMI lateral movement primitive and I do believe there is a lot more to be explored here." Grab the PoC.
• SSD Advisory - EdgeRouters and AirCube miniupnpd Heap Overflow. It's LAN side, thankfully.
• Proof of Concept Developed for Ghostscript CVE-2023-36664 Code Execution Vulnerability. Update those LibreOffice installs.
• PoC Exploit: Fake Proof of Concept with Backdoor Malware. The disclaimer at the bottom of this post isn't just for fun.
• Poch, Poch, is this thing on? Bypass AMSI with Divide & Conquer. Defender is the first level boss of any malware dev.
• macOS Atlassian Companion Remote Code Execution. Click edit on a confluence page, believe it or not, straight to RCE.
• How small is the smallest .NET Hello World binary?. 834 bytes (with additional trailing zero bytes). But boy are there some hacks to get there.

Tools and Exploits

• BOF_Development_Docker - A VSCode devcontainer for development of COFF files with batteries included.
• BlackLotus is an innovative UEFI Bootkit designed specifically for Windows. It incorporates a built-in Secure Boot bypass and Ring0/Kernel protection to safeguard against any attempts at removal.
• WubbabooMark - Debugger Anti-Detection Benchmark.
• HadesLdr - Shellcode Loader Implementing Indirect Dynamic Syscall, API Hashing, Fileless Shellcode retrieving using Winsock2.
• curlshell - reverse shell using curl.
• BadZure - BadZure orchestrates the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
• RecycledInjector - Native Syscalls Shellcode Injector.
• Resource Based Constrained Delegation - Practical Guide for Active Directory Privilege Escalation and Lateral Movement. Very thorough article on RBCD.
• Cookie-Graber-BOF - C or BOF file to extract WebKit master key to decrypt user cookie.
• MagicSigner - Signtool for expired certificates.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Gmail client-side encryption: A deep dive. People continue to glue on things to a protocol (email) that was never intended to be secure or private. This implementation looks pretty seamless (unlike PGP) actually.
• CVE-2023-27997 Is Exploitable, and 69% of FortiGate Firewalls Are Vulnerable. Firewall, you had one job...
• SEC Targets SolarWinds' CISO for Rare Legal Action Over Russian Hack. 🌶️🌶️🌶️
• About the security content of Rapid Security Responses for macOS Ventura 13.4.1. I believe this is the second deployment of the "Rapid Security Response" from Apple.
• Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking. The attention from the social media wars is a good thing for Mastodon. More eyes make shallow bugs.

Techniques and Write-ups

• Windows Installer arbitrary content manipulation Elevation of Privilege (CVE-2020-0911). While the CVE is a bit aged, the write up is high quality.
• AWS CodeBuild + S3 == Privilege Escalation. The cloud is just someone else's computer foot guns.
• Reversing Citrix Gateway for XSS. These gateways are everywhere in enterprise, I wonder how many are still vulnerable... Check the vulnerable versions in the advisory.
• Debugging with gdb - Fixing a NULL Pointer Dereference in dhcpcd. Some good basic gdb triage.
• CVE-2023-26258 - Remote Code Execution in ArcServe UDP Backup. "Within minutes of analysing the code, a critical authentication bypass was discovered." 😬 The disclosure timeline is also... interesting.
• Sowing Chaos and Reaping Rewards in Confluence and Jira. Comes with a new tool: AtlasReaper - A command-line tool for reconnaissance and targeted write operations on Confluence and Jira instances.
• Chaining Vulnerabilities to Exploit POST Based Reflected XSS. Comes with its own learning lab!
• Developing Winsock Communication in Malware. Tired: named pipes. Inspired: Winsock over TCP.
• Mockingjay Memory Allocation Primitive. Some good code examples linked.
• Linux rootkits explained - Part 1: Dynamic linker hijacking. Covers the first of the three major types of rootkits: LD_PRELOAD (the others being kernel modules and eBPF).
• Executing Arbitrary Code & Executables in Read-Only FileSystems. As everything moves to k8s as a service, its only a matter of time before you land in a read-only file system.
• Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489). Another great writeup from assetnote.
• Patch Diffing CVE-2023-28121 to Compromise a WooCommerce. Lots of web app hacking this week!

Tools and Exploits

• ShellGhost - A memory-based evasion technique which makes shellcode invisible from process start to end.
• StackRot - CVE-2023-3269: Linux kernel privilege escalation vulnerability.
• CVE-2023-28252 - Common Log File System (CLFS) LPE for Windows patched in April 2023.
• evilgophish - evilginx + gophish. Bow with evilginx3 support!
• shortscan - An IIS short filename enumeration tool.
• BOFMask is a proof-of-concept for masking Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF).
• BounceBack - ↕️🤫 Stealth redirector for your red team operation security.
• TeamsPhisher - Send phishing messages and attachments to Microsoft Teams users.
• clauneck - A tool for scraping emails, social media accounts, and much more information from websites using Google Search Results.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Artemis - A modular web reconnaissance tool and vulnerability scanner.
• golddigger is a simple tool used to help quickly discover sensitive information in files recursively. Originally written to assist in rapidly searching files obtained during a penetration test.
• mailpit - An email and SMTP testing tool with API for developers.
• multitail - Tail on steroids.
• kbtls - Establishes mutually trusted TLS connections based on a pre-shared connection key.
• skyhook - A round-trip obfuscated HTTP file transfer setup built to bypass IDS detections.
• webhook is a lightweight incoming webhook server to run shell commands.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Google Cloud Awards $313,337 in 2022 VRP Prizes. This is how you incentivize bug bounty hunters.
• Donning a MASQUE: building a new protocol into Cloudflare WARP. Lookout WireGuard, there is a new standard in town.
• 2023 Breaches and Incidents: Personal Notes. Stolen credentials are up, phishing is down. Use a good password manager appropriately.
• Proxmox VE 8.0 released!. Proxmox is a free and open source hypervisor that will feel familiar to VMWare ESXi users. I switched years ago and have been quite happy.

Techniques and Write-ups

• LibreOffice Arbitrary File Write (CVE-2023-1883). Did you know that LibreOffice has an MS Access competitor? Did you know you it can do arbitrary file writes?
• The Old, The New and The Bypass - One-click/Open-redirect to own Samsung S22 at Pwn2Own 2022. An open redirect doesn't sound exciting, but it can turn a tap into a shell.
• Why is it so hot here? Hacking Electra Smart air conditioners for fun and profit. Some great embedded systems hacking here. If you want to talk embedded systems hacking, or try your had hacking some devices be sure to stop by the @EmbeddedVillage at DEF CON.
• CVE-2023-27997 Vulnerability Scanner for FortiGate Firewalls. A vulnerability scanner sounds boring, but the technique to validate this heap overflow without crashing the firewall is pretty unique.
• No Alloc, No Problem: Leveraging Program Entry Points for Process Injection. Up your process injection game with some lesser known techniques.
• FortiNAC - Just a few more RCEs. "Shortly after the first CVE-2022-39952 disclosures I thought, why not looking at this product in the patched version 9.4.1 to find some more vulnerabilities?" Love it.
• AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice. SQL is tricky and WAFs can get tripped up by "unique" query syntax.
• chonked pt.2: exploiting cve-2023-33476 for remote code execution. This is some hardcore exploit development content.
• Exploring Android Heap allocations in jemalloc 'new'. If you like the previous post, you'll love this deep dive into heap allocation in Android.
• Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware. This was reported and "did not meet the bar for immediate servicing." "When this vulnerability is combined with social engineering via Teams it becomes very easy to start a back-and-forth conversation, jump on a call, share screens, and more. By comparison, it makes social engineering via email feel very stagnant, and stop-start." Guess what I am trying out tomorrow?
• Potential Risk of Privilege Escalation in Azure AD Applications. Email claims for authorization can lead to easy privilege escalation. Don't use it!
• Bypassing Defender with ThreatCheck & Ghidra. A good short tutorial on finding signature bytes, translating them back to source code, and making modifications as appropriate.
• Exploiting a Video Camera's Rolling Shutter to Recover Secret Keys from Devices Using Video Footage of Their Power LED. Camera has to be at 6ft or less and record constant signing activity for a period of minutes but still, very cool side channel.
• Automating String Decryption and Other Reverse Engineering Tasks in radare2 With r2pipe. Automate some tedious RE work with radare2.
• Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 2). This is turning into some interesting work. The skeleton of an ICMP rootkit is taking shape.
• What is Tier Zero — Part 1. Good discussion of AD design principles for security, what really needs protecting, and how to think about it.

Tools and Exploits

• SSH-Harvester - Harvest passwords automatically from OpenSSH server. More details here.
• CVE-2023-29343 - LPE in Sysmon version 14.14.
• CVE-2023-20178 - PoC for Arbitrary File Delete vulnerability in Cisco Secure Client (tested on 5.0.01242) and Cisco AnyConnect (tested on 4.10.06079).
• Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel.
• NimExec - Fileless Command Execution for Lateral Movement in Nim.
• CS_COFFLoader - a COFF loader written in C#.
• Spartacus-v2.0.0. Not a new tool but a big release for the DLL/COM Hijacking Toolkit (2.0 added COM hijacking).
• bof-launcher - Beacon Object File (BOF) launcher - library for executing BOF files in C/C++/Zig applications.
• GhostFart - Unhook NTDLL without triggering "PspCreateProcessNotifyRoutine".

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• msLDAPDump - LDAP enumeration tool implemented in Python3.
• SharpToken - Windows Token Stealing Expert.
• docker-swarm-proxy - What if you wanted a docker exec, but for Docker swarm? - Control any node in the swarm from your CLI.
• PageSplit - Splitting and executing shellcode across multiple pages.
• ropci - So, you think you have MFA? AAD/ROPC/MFA bypass testing tool.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

MOVEIt

• Patch Diffing Progress MOVEIt Transfer RCE (CVE-2023-34362)
• MOVEIt Transfer RCE Part Two (CVE-2023-34362)
• MOVEit! An Overview of CVE-2023-34362
• CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief (Updated)
• MOVEit Transfer CVE-2023-34362 Deep Dive and Indicators of Compromise

• Barracuda Urges Replacing — Not Patching — Its Email Security Gateways. Yikes.
• Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign. Also yikes.
• Operation Triangulation: iOS devices targeted with previously unknown malware. Related: Russian FSB Accuses U.S. of Hacking Thousands of iPhones in Russia
• Announcing the Chrome Browser Full Chain Exploit Bonus. $180,000 for a full chain Chrome exploit? Seems low.
• Time to challenge yourself in the 2023 Google CTF!
• Google Trust Services ACME API available to all users at no cost
• Kali Linux 2023.2 Release (Hyper-V & PipeWire)
• Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
• VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors

Techniques and Write-ups

• Messing Around With AWS Batch For Privilege Escalations
• Abusing undocumented features to spoof PE section headers
• CodeQL zero to hero part 2: getting started with CodeQL
• [PDF] UTOPIA: Automatic Generation of Fuzz Driver using Unit Tests. Finally a paper that actually released the source code.
• How I choose a security research topic
• A More Complete Exploit for Fortinet CVE-2022-42475
• Active Directory Spotlight: Attacking The Microsoft Configuration Manager (SCCM/MECM). Don't skip this one.
• Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
• Ligolo: Quality of Life on Red Team Engagements
• Red Team Story Time!. You don't even need code execution to get impactful data compromise.
• CVE-2022-32902: Patch One Issue and Introduce Two
• Pre-authenticated RCE in VMware vRealize Network Insight CVE-2023-20887
• Understanding Telemetry: Kernel Callbacks
• Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution. Great "new" initial access method.
• Bypassing An Industry-Leading WAF and Exploiting SQLi
• OneDrive to Enum Them All
• Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver
• can I speak to your manager? hacking root EPP servers to take control of zones

Tools and Exploits

• CVExploits Search - Your comprehensive database for CVE exploits from across the internet.
• cloudfoxable - Create your own vulnerable by design AWS penetration testing playground.
• CVE-2023-2825 - GitLab CVE-2023-2825 PoC. This PoC leverages a path traversal vulnerability to retrieve the /etc/passwd file from a system running GitLab 16.0.0.
• CVE-2023-20887 - VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887).
• elevationstation - elevate to SYSTEM any way we can!
• SharpFtpC2 - A Streamlined FTP-Driven Command and Control Conduit for Interconnecting Remote Systems.
• limba - compile-time control flow obfuscation using mba.
• Banshee - Experimental Windows x64 Kernel Driver/Rootkit.
• RDPCredentialStealer - steals credentials provided by users in RDP using API Hooking with Detours in C++.
• HiddenDesktop - HVNC for Cobalt Strike.
• DropSpawn_BOF - CobaltStrike BOF to spawn Beacons using DLL Application Directory Hijacking.
• Terminator - Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes.
• superman - Kill processes protected by antivirus during offensive activities.
• Blackout - kill anti-malware protected processes (BYOVD).
• EPI - Process injection through entry points hijacking.
• Ruy-Lopez This repository contains the Proof-of-Concept(PoC) for a new approach to completely prevent DLLs from being loaded into a newly spawned process.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• mcfridafee
• plane - Open Source JIRA, Linear and Height Alternative. Plane helps you track your issues, epics, and product roadmaps in the simplest way possible.
• PythonMemoryModule - pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory.
• deepsecrets - Secrets scanner that understands code.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Recapping Developer Week. Cloudflare continues to release new products and make (good) changes to existing products. And yes, they did release an AI product.
• infosec company owned completely by 4chan user. Ouch.
• New ZIP domains spark debate among cybersecurity experts. I don't think there is debate, I think there are people claiming .zip will be a threat, but the only case I can see that being true is with programs that have interpreted .zip as a file since forever and may be fooled now that it can resolve as a URL. The "it looks like a file" argument strikes me as silly, since the anchor tag has been used to "disguise" URLs since the existence of the HTML standard. Oh look here's one now: legit.zip
• Microsoft will take nearly a year to finish patching new 0-day Secure Boot bug. Is this the first case of a disabled by default mitigation being shipped in response to an active, in the wild exploit?
• RFC: Override HTTP response headers locally with DevTools. Now one of the most common use cases for Burp Suite is part of Chrome! For how see: How to Override Response Headers with Chrome DevTools.
• DEF CON 31 Badge Update - SAO support!. This year's DEF CON badges will support an add on "thing" shaped like a cyber punk wedge.
• First Look: Ghidra 10.3 Emulator. Everyone is pumped about native dark mode, but the emulator is pretty sweet.

Techniques and Write-ups

• From DA to EA with ESC5. "There's a new, practical way to escalate from Domain Admin to Enterprise Admin." Sign me up. Another banger from Andy Robbins.
• C2 and the Docker Dance: Mythic 3.0's Marvelous Microservice Moves. I can't say I love the extreme microservice-y architecture of Mythic, but it's the easiest open source C2 to write a totally custom agent for at this point. Perhaps SpecterOps can use some of that Series A to contract a web UI pro to help with the front end. I say this out of love, as I actually use Mythic C2 for production operations.
• The printer goes brrrrr, again!. 2 bytes is all it takes to RCE a Cannon printer.
• Nighthawk 0.2.4 - Taking Out The Trash. The new version supports .NET memory sleep encryption, using a custom allocator to protect and encrypt not only the executed .NET assembly but also any of its allocations during runtime. It also adds reverse port forwards, improvements to hidden desktop, "extra life" exception hooking, and other minor improvements.
• PwnAssistant - Controlling /home's via a Home Assistant RCE. Awesome write up from recon to RCE against the popular home automation software.
• Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3. Another recon to RCE web app hacking write up.
• Malicious code in PDF Toolbox extension. Browsers are the new OS, but there is zero visibility or "anti-virus" for them. It's like the Windows 98 wild west days.
• Cobalt Strike and YARA: Can I Have Your Signature?. Probably the best article on Cobalt Strike OPSEC that exists. Advanced teams have known about the satic loader signatures and other things for a while, but this post spells it all out and even gives examples of how to get around static detections. We're at a point where to be truly successful as an adversary you need to know assembly pretty well. Seems like the offensive security community has made the defenses better and raised the barrier to entry. Almost like the goal was to... @ImposeCost...
• NixImports a .NET loader using HInvoke. API Hashing in C# makes the dnSpy output a mess. Neat loader!
• CVE-2023-26818 - Bypass TCC with Telegram in macOS. While this is a write up on dylib injection in Telegram, many apps are vulnerable to a similar technique, especially third party apps.
• Introducing CS2BR pt. I - How we enabled Brute Ratel Badgers to run Cobalt Strike BOFs. If you've used BRC4 you know the pain of BOF conversion. Nviso teases a tool to automate it, hopefully it's released soon!
• SQLi - WAF Detection & Bypass Techniques That Still Work in 2023. For the web app assessors out there.
• Avast Anti-Virus privileged arbitrary file create on virus restore (CVE-2023-1586). More Avast privescs!
• CS:GO: From Zero to 0-day. Sure it's a video game exploit, but the writeup is top tier.
• Walking the Tightrope: Maximizing Information Gathering while Avoiding Detection for Red Teams. Finally, a blog on red teaming, not just penetration testing! For anyone looking to get into adversary simulation, this is a good intro.
• FriendlyName Buffer Overflow Vulnerability in Wemo Smart Plug V2. Some solid hardware hacking.
• LOLBINed — Finding “LOLBINs” In AV Uninstallers. AV makes the best traitorware.

Tools and Exploits

• CypherDog - PoSh BloodHound Dog Whisperer.
• buzzer is a fuzzer toolchain that allows to write eBPF fuzzing strategies.
• keepass-password-dumper - Original PoC for CVE-2023-32784 (keepass master password disclosure).
• PPLFaultDumpBOF - Takes the original PPLFault and the original included DumpShellcode and combines it all into a BOF targeting cobalt strike.
• PPEnum - Simple BOF to read the protection level of a process.
• ADCSKiller - An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer.
• Chimera - Automated DLL Sideloading Tool With EDR Evasion Capabilities.
• chromecookiestealer - Steal/Inject Chrome cookies over the DevTools (--remote-debugging-port) protocol.
• GoBelt - Golang programmatically invoking the SwiftBelt-JXA macOS system enumerator project (Golang running SwiftBelt-JXA via cgo).

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• avred - Analyse your malware to chirurgicaly obfuscate it.
• smbcrawler is no-nonsense tool that takes credentials and a list of hosts and 'crawls' (or 'spiders') through those shares.
• Goshawk is a static analyze tool to detect memory corruption bugs in C source codes. It utilizes NLP to infer custom memory management functions and uses data flow analysis to abstract their behaviors and then adopts these summaries to enhance bug detection.
• dumpulator - An easy-to-use library for emulating memory dumps. Useful for malware analysis (config extraction, unpacking) and dynamic analysis in general (sandboxing).
• EC2StepShell is an AWS post-exploitation tool for getting high privileges reverse shells in public or private EC2 instances. It works by sending commands to EC2 instances using ssm:SendCommand and then retrieves the output using ssm:ListCommandInvocations or ssm:GetCommandInvocation.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• So long passwords, thanks for all the phish. The passwordless future is much like the year of the Linux desktop - long promised, yet to be delivered. Google's adoption of passkeys is a huge step however, and this kind of authentication "raw material" is much more scoped and secure than the name of your dog your mom uses as a password for every online account.
• Apple Fails to Revive Copyright Case Over iPhone iOS Simulator. "The US Court of Appeals for the Eleventh Circuit on Monday ruled that Corellium's CORSEC simulator is protected by copyright law's fair use doctrine, which allows the duplication of copyrighted work under certain circumstances." With this, the 2019 case should finally be fully settled.
• Senator Asks Big Banks How They're Going to Stop AI Cloned Voices From Breaking Into Accounts. How voice as authentication was ever greenlight will continue to amaze me.
• Mojo🔥. Mojo is a new programming language that bridges the gap between research and production by combining the best of Python syntax with systems programming and metaprogramming. With Mojo, you can write portable code that's faster than C and seamlessly inter-op with the Python ecosystem. Mojo is currently in closed beta.
• FYI: Intel BootGuard OEM private keys leak from MSI cyber heist. BootGuard isn't so secure any more. Check the impacted devices.
• Russian-Linked Malware Targets U.S. Critical Infrastructure. "Since being discovered in March 2022, no known disruptive or destructive attacks leveraging PIPEDREAM have been carried out on ICSs in the U.S."
• The DOJ Detected the SolarWinds Hack 6 Months Earlier Than First Disclosed. Sophisticated attacks are hard to put together from the blue side.
• Palantir AIP | Defense and Military. "Alexa, destroy that enemy tank for me using the best available asset."

Techniques and Write-ups

• [PDF] Hunting Russian Intelligence “Snake” Malware. A very detailed write up from American intelligence on the FSB's "Snake" Windows implant.
• Privilege Escalations through Integrations. Some good "modern" web app testing. And by that I mean YOLOing between auth providers that don't do proper session handoff.
• CVE-2023-28231: RCE in the Microsoft Windows DHCPv6 Service. Good news is that DHCP is limited to a broadcast domain?
• Brewing Hash Cracking Rules with The Twin Cats. Some great hashcat rule analysis and generation. Lots of good tools linked in the post as well.
• A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF…. Quite the web app bug chain, which did require user interaction, but is impressive none the less.
• Leveraging XFG to help with reverse engineering. If you reverse engineer on Windows with extended flow guard, this x64dbg plugin is a must!
• ETWHash - “He who listens, shall receive”. Extract NetNTLMv2 hashes of incoming authentications via SMB, by consuming ETW events from the Microsoft-Windows-SMBServer provider.
• Apache Solr 8.3.1 RCE from exposed administration interface. A good write up on exploring a web app to find RCE.
• Exploring Impersonation through the Named Pipe Filesystem Driver. This post covers file system drivers, specifically the named pipe driver (npfs.sys), as well as shows a proof of concept for calling NtFsControlFile directly to perform named pipe impersonation instead of calling the Win32 API, ImpersonateNamedPipeClient.
• Building a Red Team Infrastructure in 2023. The phishing setup is interesting - specifically the use of postfix to clean mail headers.
• Fantastic Rootkits and Where to Find Them (Part 2). Not much is written about rootkits these days, especially for Windows.
• CVE-2023-25394 - VideoStream Local Privilege Escalation. A great writeup about finding a privesc in a common 3rd party macOS app. The process is well documented from start to finish.

Tools and Exploits

• sccmhunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain. The basic function of the tool is to query LDAP with the find module for potential SCCM related assets.
• exec2shell - Extracts TEXT section of a PE, ELF, or Mach-O executable to shellcode.
• chophound - Some scripts to support with importing large datasets into BloodHound.
• HASH - HASH (HTTP Agnostic Software Honeypot).
• cloudtoolkit - Cloud Penetration Testing Toolkit.
• CVE-2023-0386 - Privilege escalation exploit for Ubuntu 22.04.
• PECheck - A tool to verify and create PE Checksums for Portable Executable (PE) files.
• CustomEntryPoint - Select any exported function in a dll as the new dll's entry point.
• resocks - mTLS-Encrypted Back-Connect SOCKS5 Proxy.
• stealthscraper - A social media scraper that attempts to be stealthy by simulating a user using gui automation.
• Freeze.rs - Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• The best laptop deal I have ever seen. If you need a DEF CON burner, this is it ($279 and free shipping at the time of publishing).
• backgroundremover - Background Remover lets you Remove Background from images and video using AI with a simple command line interface that is free and open source.
• Course Review: "Practical Web Application Security and Testing". The course is $1 during May if you are interested.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Triple Threat: NSO Group's Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains. Good thing we have Rapid Security Response?
• Google Authenticator now supports Google Account synchronization. This was a huge downside to using the Goole provided MFA code generation app. Lost, stolen, or simple device upgrades were a struggle. I have been pushing Raivo OTP, an open source MFA app with encrypted seed synicning support because of the drawbacks for Google's own app. They release says that the new sync feature makes MFA codes "more durable by storing them safely in users' Google Account," but does not explicitly say if the seeds will be symetrically encrypted. Does this open a new level of compromise to Google Account takeovers? Can attackers sync the seeds to a device without an authenticator specific password? Like always, FIDO2 keys and Advanced Protection are the answer.
• Mullvad VPN was subject to a search warrant. Customer data not compromised. The feds showed up with a warrant, but left without taking anything. Commercial VPNs have a very narrow use case, and if your threat model warrents one, you probably shouldn't trust any one provider.
• 3CX Breach Was a Double Supply Chain Compromise. Yo dawg, I heard you like supply chain compromises...
• Git security vulnerabilities announced. No surprise that GitHub found some git vulnerabilities. Update your git clients today!
• Zyxel security advisory for OS command injection vulnerability of firewalls. Unauthenticated remote command execution in a firewall... You had one job.
• Microsoft shifts to a new threat actor naming taxonomy. Ah yes... Standards.
• An open letter. The UK's Online Safety Bill could destroy end-to-end encryption in the UK. Privacy is a human right.

Techniques and Write-ups

• Windows secrets extraction: a summary. Excellent overview of the current state of windows credential material extraction.
• I hack, U-Boot. A very detailed and technical post on the most common bootloader in the embedded space.
• Classifying Malware Packers Using Machine Learning. ML models have gotten very good at clasifying images (thanks im part to your capcha clicks), why not covert binaries to images and have the ML classify them?
• Hiding in Plain Sight: Unlinking Malicious DLLs from the PEB. This won't be effective against EDR in the kernel (Defender, Crowdstrike, etc), but could be useful to hide from userspace detections.
• How to Proxy VM Traffic through Burp Suite. A simple trick, but if you weren't aware of the system wide proxy setting in Windows, this is a useful tip.
• Securely Hosting User Data in Modern Web Applications. Ever wonder why domains like githubusercontent.com or googleusercontnet.com exist? For your protection!
• CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution. Always change the default key values! Developers, generate random values on first startup to prevent this.
• PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise. If only all patch diffs were this simple. Good write up from initial news to full RCE.
• Eating 4 Day Old Sushi - Replicating the SushiSwap Hack. DeFi continues to be the ultimate black hat bug bounty.
• CVE-2023-23525: Get Root via A Fake Installer. Fake installers could use the permission granted by users during install to gain root access. Update to macOS 13.3 to apply the fix.
• Finding XSS in a million websites (cPanel CVE-2023-29489). Good web vulnerability hunting process in this post. If you liked that you'll also enjoy Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera.
• Never Connect to RDP Servers Over Untrusted Networks. You can collect Net-NTLMv2 without showing a certificate warning (MitM) to the user. Microsoft says this is "by design" and won't fix it.
• Creating an IR Nightmare Drop Box. A good drop box can be crucial to success on a physical engagement. For bonus points, wire this up with LoRa as a Side Channel.
• So you think you can block Macros?. Macros aren't quite dead yet. Turns out it's pretty hard to completely lock down an arbitrary scripting system that enterprises rely on for business.
• Stealing GitHub staff's access token via GitHub Actions. A ten second sleep was all it took to steal some access tokens. Well done!
• NightHawk Memory Obfuscation. What's old is new again. titanldr-ng has a Cobalt Strike compatible variant (check out Obf.c).
• Avast Anti-Virus privileged arbitrary file create on virus quarantine (CVE-2023-1585 and CVE-2023-1587). You either die a hero or...
• Process injection in 2023, evading leading EDRs. Vincent always drops succinct, high quality content.

Tools and Exploits

• Introducing BloodHound 4.3 — Get Global Admin More Often. More Azure and MS Graph features!
• ScareCrow. Not a new tool but a big update to the payload creation framework for v5.0.
• nanodump - Not new, but the recent updates allows for PPL dumping!
• DCVC2 - A Golang Discord C2 unlike any other. DCVC2 uses RTP packets over a voice channel to transmit all data leaving no operational traces in text chats.
• maskcat - Utility tool for Hashcat Masks and Password Cracking.
• mac-monitor - Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research. Beginning with Endpoint Security (ES), it collects and enriches system events, displaying them graphically, with an expansive feature set designed to reduce noise.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• highlight - highlight.io: The open source, full-stack monitoring platform. Error monitoring, session replay, logging and more. I haven't seen a self-hostable web session recording system before highlight.
• KeePwn - A python tool to automate KeePass discovery and secret extraction.
• Maintaining this site fucking sucks. This guy needs my blog CI/CD pipeline. When I finish a blog post it's one command to publish it and set up the env for next week. Maybe, just maybe, you don't need all that javascript (hint: there isn't a single line of functional javascript on this site).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Announcing the deps.dev API: critical dependency data for secure supply chains. 5 million packages and more than 50 million versions from the Go, Maven, PyPI, npm, and Cargo ecosystems have been documented by Google and are available via an API for you.
• Much-Hyped Water Plant Hack Wasn't a Hack, Was Actually User Error, Official Says. In this edition of "attribution is hard..." (alternative theory: the attackers were so good the FBI couldn't find any trace, but ya know, Occam's razor).
• Amazon CodeWhisperer. GitHub Copilot X price got you down? Feed your code into a different megacorp Amazon for free and get code completion suggestions from an AI. At least this one tells you the license of the code you're stealing it got inspiration from.
• Birds at (Tail)scale. Now you can one-click deploy a honeypot to your tailscale network. I have yet to see a better signal to noise ratio for any detection technology.
• Are Internet Macros Dead or Alive?. Betteridge never fails. Some good lure/prompt images to borrow for red teaming in this article. The template location lure would work against up to date Word installs.
• Rizin Silhouette Server. The Rizin team is running a public symbol server!
• Rooting a Common-Criteria Certified Printer to Improve OPSEC. Some serious dedication to privacy. But why print the reports in the first place?

Techniques and Write-ups

• Shell in the Ghost: Ghostscript CVE-2023-28879 writeup. "This write-up details how CVE-2023-28879 - an RCE in Ghostscript - was found and exploited. Due to the prevalence of Ghostscript in PostScript processing, this vulnerability may be reachable in many applications that process images or PDF files (e.g. ImageMagick, PIL, etc.), making this an important one to patch and look out for."
• Java Exploitation Restrictions in Modern JDK Times. With lots of enterprise software still being written in Java, the exploitation isn't slowing down, just adapting.
• Extending (and Detecting) PersistAssist: Act II. Write some C# to persist with WMI event subscriptions.
• Introducing AutoFunkt: Automated Cloud Redirector Generation. Cloud functions are very useful for redirecting C2 traffic through high reputation domains, but they can be a pain to set up - until now!
• On self-healing code and the obvious issue. It's like command injection, but you get to write it in plain english.
• Butting Heads with a Threat Actor on an Engagement. Now ask what would happen if the actor cleaned up properly, and then patched the vulnerability (or at least mitigated it). Detection must have layers!
• Stepping Insyde System Management Mode. It's a bit wild that as a result of a code leak Insyde got a free audit and 5 vulnerabilities found.
• D/Invoke v1.0.5. A few new functions to make your C# tooling a bit more ergonomic.
• Multiple vulnerabilities in Aten PE8108 power distribution unit. Even your PDU is trying to get you pwned.
• Simple PHP webshell with php filter chains. In memory PHP webshell!?
• Losing control over Schneider's EcoStruxure Control Expert. Unauthenticated RCE, this time in your SCADA workstation.
• CAN Injection: keyless car theft. Woah. You wouldn't download a car exploit?
• Popping Tags: Exploiting Template Injections in PRTG Network Monitor. Currently an 0day. Careful what links your PRTG admin is clicking.
• Hacking Your Cloud: Tokens Edition 2.0. A great post on Azure/Office tokens and how to pivot them to more access.
• GCP Pentesting Guide. Some Google specific cloud hacking.
• Bypassing Windows Defender (10 Ways). Nothing novel here but a nice collection of techniques.

Tools and Exploits

• PatchlessCLRLoader - .NET assembly loader with patchless AMSI and ETW bypass. Also comes in BOF form: PatchlessInlineExecute-Assembly.
• KillerVuln2 - Files for PoC of vulnerability in Intel Killer Performance Suite
• PowerShell-Obfuscation-Bible - A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository are the result of personal research, including reading materials online and conducting trial-and-error attempts in labs and pentests.
• 2D-Injector - Hiding unsigned DLL inside a signed DLL.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• scriptkiddi3 - Streamline your recon and vulnerability detection process with SCRIPTKIDDI3, A recon and initial vulnerability detection tool built using shell script and open source tools.
• BackupOperatorToolkit - contains different techniques allowing you to escalate from Backup Operator to Domain Admin
• homebox - Homebox is the inventory and organization system built for the Home User.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• The Cure Tried to Stop Scalpers. Brokers Are Selling Entire Ticketmaster Accounts Instead. That's the thing about hackers, they will find a way around arbitrary restrictions.
• CVE-2023-1671: Critical Pre-Auth Command Injection Vulnerability in Sophos Web Appliance. "A pre-auth command injection vulnerability in the warn-proceed handler allowing execution of arbitrary code."
• Stopping Cybercriminals From Abusing Security Tools. Is this the first time a C2 vendor has taken "proactive" action against hosted copies of its own software?
• Meta Manager Was Hacked With Spyware and Wiretapped in Greece. Unsure of the phone's OS (the capability covers both Android and iOS), but it was an SMS link that appears to be the infection vector (1-click). This is your reminder to reboot your phone often - persistence of Predator was an extra 2.4 million euro add on in 2021.
• 3CX DesktopApp Security Alert. One of hte bigger supply chian attacks since SolarWinds.

Techniques and Write-ups

• Build a secure code mindset with the GitHub Secure Code Game. Learn CodeQL in a fun CTF-style "game." For pointers, be sure to read: CodeQL zero to hero.
• Windows Installer EOP (CVE-2023-21800). "This blog post describes the details and methodology of our research targeting the Windows Installer (MSI) installation technology." Spoiler: "the environment variables set by the unprivileged user were also used in the context of the SYSTEM user invoked by the repair operation."
• In-Memory Disassembly for EDR/AV Unhooking. Have your cake and eat it too. Without using hooked functions, Christopher Vella is able to call unhooked functions without direct syscalls. The code is nicely commented. It's in rust too (and probably written on arch btw).
• Dynamic Linking Injection and LOLBAS Fun. Some very sneaky DLI exploitation using system binaries to drop and run secondary payloads.
• Veeam Backup and Replication CVE-2023-27532 Deep Dive. Unauthenticated access to cleartext credentials? Yikes.
• Obfuscating C2 Traffic with Google Cloud Functions. Tired of the blue team blocking your egress domains? Why not use a high reputation domain like cloudfunctions.net?
• Microsoft Defender for Identity OWIN HTTP Listener. An interesting dive into MS Defender for identity's API (localhost only and cert auth protected). It has some interesting features like the ability to get a handle to the Group Managed Service Account token. Staying tuned for more.
• Bypassing software update package encryption - extracting the Lexmark MC3224i printer firmware. This part 1 is cut off in the opening summary, but part 2 has some great low level exploitation.
• Living Off The Land Drivers. loldirvers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks.
• Pwning Pixel 6 with a leftover patch. Excellent low level android exploitation content.
• Escaping Adobe Sandbox: Exploiting an Integer Overflow in Microsoft Windows Crypto Provider. Some good low level windows Exploitation.
• Shellcode: Entropy Reduction With Base-32 Encoding.. A custom Base-32 encoding can help data appear less random.
• Attacking Visual Studio for Initial Access. It turns out you don't even have to compile a malicious solution, just open it, to get pwned.
• I'd TAP That Pass. Temporary Access Passwords can bypass MFA in some situations to allow pivoting into Azure from a compromised user context.
• Disabling AV With Process Suspension. AV giving you a hard time? Put it on ice while you do your detected actions then bring it back like nothing happened. Be sure to test this as it can cause instability while the AV is suspended.
• BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover. Wiz has proven again and again they are the undisputed kings of cloud. Always scared/excited when a new technical post drops from Wiz.

Tools and Exploits

• Tool Release - shouganaiyo-loader: A Tool to Force JVM Attaches. Inject your own Java code into processes that have disabled the agent attach API.
• PoC for CVE-2023-28206 - exploit for an out-of-bounds write in the IOSurfaceAccelerator, allowing a malicious actor to execute arbitrary code with kernel privileges on macOS/iOS by utilizing a specially crafted application. Note this is just a kernel panic PoC.
• EPScalate - Exploit for elevation of privilege vulnerability in QuickHeal's Seqrite EPS.
• OffensiveCpp - This repo contains C/C++ snippets that can be handy in specific offensive scenarios.
• Implant execution via PrintBrm.exe - use PrintBrm to extract & execute an implant from an ISO.
• EntropyReducer - Reduce Entropy And Obfuscate Your Payload With Serialized Linked Lists.
• PhoenixC2 - Command & Control-Framework created for collaboration in python3. This looks very alpha.
• HardHatC2 - A C# Command & Control framework. Another alpha C2, but this one has a lot of features in the agent already.
• dir2json - Tool for efficient directory enumeration. Read the blog post.
• DPAPISnoop - A C# tool to output crackable DPAPI hashes from user MasterKeys.
• GodPotato - ImpersonatePrivilege == SYSTEM. At this point I think its just a feature of Windows.
• Chaos-Rootkit - x64 ring0 Rootkit with Process Hiding and Privilege Escalation Capabilities.
• rogue - A barebones template of 'rogue' aka a simple recon and agent deployment I built to communicate over ICMP. Well, without the ICMP code.
• wmiexec-Pro - Lateral movement with WMI using only port 135.
• inline-syscall - Inline syscalls made for MSVC supporting x64 and x86.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• serge - A web interface for chatting with Alpaca through llama.cpp. Fully dockerized, with an easy to use API.
• Game Hacks: Among Us - IL2CPP Walkthrough. The same techniques can be used to locate sensitive data and craft exploits in more serious applications.
• espanso - Cross-platform Text Expander written in Rust.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems. RCE with no user interaction to basically any modern Samsung phone. All you need is the phone number, no user interaction. Wild. Turn off Wifi Calling and VoLTE until you are sure this one is patched.

• AI news

  • LLM + Clean Room: Will LLMs be the death of code copyrights?. Find code you want to use, but isn't licensed right, and just have GPT4 re-write it for you.
  • GPT-4 Hired Unwitting TaskRabbit Worker By Pretending to Be 'Vision-Impaired' Human. Remember, at its core GPT-4 is just a model that predicts what should come next in a sequence. It's just scarily good at that task. If you feed it bad instructions it will do bad things. The "novel" part of the article is that GPT-4 "lied" on purpose. But all it really did was predict (correctly) what it should say next based on the context. What's really going to bake your noodle later on is wondering - are you doing anything different? Daniel Miessler thinks GPT-4 understands.
  • GPT_Vuln-analyzer - Uses ChatGPT API and Python-Nmap module to use the GPT3 model to create vulnerability reports based on Nmap scan data.
  • Dalai - Run LLaMA and Alpaca on your computer.. The the 7B and 13B models are quick and easy to install. Models up to 64B parameters are available.

• The privacy loophole in your doorbell. Ring, like every cloud connected camera/smart speaker is trading security for convenience. People pull out slippery slope arguments about government overreach because governments have a history of collecting as much data as possible and sorting it out later. Plus Ring maybe got hacked recently.

• Kali Purple. The Offensive Security team is taking on defense with the release of Kali Purple.

• Thousands scammed by AI voices mimicking loved ones in emergencies. I called this years ago (LWiS 2021-06-21). Next up: your IT guy or boss telling you to click the link and run the exe.

Techniques and Write-ups

• Parallels Desktop Toolgate Vulnerability. A guest with Parallels tools installed can write crash dumps to the host, and there existed a path traversal vulnerability that allowed an escape and code execution via the shell login script.
• Bypassing PPL in Userland (again). The PPL master delivers yet again: PPLmedic - Dump the memory of any PPL with a Userland exploit chain.
• Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability. Leak NTLM hashes from targets as soon as the Outlook thick client processes an email (they don't even have to open it!). The patch does not prevent UNC paths without dots, so internal assessors can still make use of this on fully patched Outlook clients. PoC here.
• VBA: resolving exports in runtime without NtQueryInformationProcess or GetProcAddress. I once coded an entire personnel intake validation pipeline in Access and VBA. It was painful. Low level programming in VBA is insane.
• Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development. UDRL developmet just got a bit easier.
• External Trusts Are Evil. There is no such thing - in reality - as non-transitive trust. Any domain in a forrest can authenticate and create machine accounts in any other domain in the forrest unless special precautions are taken. Microsoft Active Directory is the ultimate job security for cybersecurity professionals.
• Microsoft Defender for Identity Sensor Identification. Defender for Identity seemingly always opens two uniquely named pipes that can be remotely enumerated.
• Making New Connections - Leveraging Cisco AnyConnect Client to Drop and Run Payloads. This tool was in last LWiS, but this walks thorough it in detail.
• A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM. Intel BIOS bug!
• CVE-2023-26604. Get root on a systemd Linux machine with... less?! Yes.
• Espressif ESP32: Glitching The OTP Data Transfer. Very cool glitching hacks. Hundreds of thousands of trials to find just the right location and power and time!
• Producing a POC for CVE-2022-42475 (Fortinet RCE). A great start to finish walk through of a vulnerability.
• Uncovering Windows Events. How does ETW work? Find out in this post.
• Red vs. Blue: Kerberos Ticket Times, Checksums, and You!. Up your kerberos opsec or detection skills with this post.

Tools and Exploits

• MacOSThreatTrack - Bash tool used for proactive detection of malicious activity on macOS systems.
• Updates to C2-Tool-Collection - Psm: BOF to show detailed information on a specific process ID; ReconAD: BOF that uses ADSI to query Active Directory (AD and GC) objects and attributes.
• Azure-App-Tools - Collection of tools to use with Azure Applications. Just updated with an IPFS dropper.
• ekko-rs - Rusty Ekko - Sleep Obfuscation in Rust.
• PSBits - Windows 10 offline admin creation? 😈 Why not?! Everything happens through built-in offlinelsa and offlinesam DLLs. Official, but not very documented.
• Elevate-System-Trusted-BOF - This BOF can be used to elevate the current beacon to SYSTEM and obtain the TrustedInstaller group privilege. The impersonation is done through the SetThreadToken API.
• Black-Angel-Rootkit - Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.
• bootdoor - An initial proof of concept of a bootkit based on Cr4sh's DMABackdoorBoot.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• ScrapPY is a Python utility for scraping manuals, documents, and other sensitive PDFs to generate wordlists that can be utilized by offensive security tools to perform brute force, forced browsing, and dictionary attacks against targets. The tool dives deep to discover keywords and phrases leading to potential passwords or hidden directories.
• Demystifying Security Research - Part 1. This resonated with me, with a heavy emphasis on blog posts and tweets.
• UPnProxyChain - A tool to create a SOCKS proxy server out of UPnProxy vulnerable device(s).

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Cobalt Strike 4.8: (System) Call Me Maybe. Some great new features (multi-byte XOR for DLL loading), and bug fixes including the age old impersonation bug (that would always say "Impersonated <current user>"). Welcome changes in a competitive landscape.
• Mythic 2.3 -> 3.0 Updates. Not to be left behind, Mythic is moving to 3.0 with an all new Go backend.
• Google Trust Services now offers TLS certificates for Google Domains customers. Google Domains customers can now use DNS-01 challenges to get certificates!
• LastPass breach update: The few additional bits of information. The saga continues. A Plex Media Server RCE on a DevOps engineer's home computer led to the theft of all LasPass data. This should have been stopped at a few different levels, and they subtle blame shift to the engineer isn't good. You have to assume that any device you don't control is fully compromised and monitor access from it appropriately (or deny it).
• We're going teetotal: It's goodbye to The Daily Swig. Pour one out for this great news source.
• How I Broke Into a Bank Account With an AI-Generated Voice. I've been warning about this for a while. Even Sneakers (1992) showed how easy voice based authentication was to spoof.
• Highlights from the New U.S. Cybersecurity Strategy. Grab the highlights here or dig into the full PDF.
• Sensitive US military emails spill online. But remember, if you don't use FIPS validated and certified crypto modules, you are putting sensitive information at risk!

Techniques and Write-ups

• CI/CD secrets extraction, tips and tricks Synacktiv drops Nord Stream, a tool that allows you to list the secrets stored inside CI/CD environments and extract them by deploying malicious pipelines. It currently supports Azure DevOps and GitHub. Don't be fooled by "secret" files and "masked" variables. If the pipeline needs it to build, it can be extracted.
• The code that wasn't there: Reading memory on an Android device by accident. These low level exploits are always somewhat magic to me.
• Red Teaming macOS 101. Excellent write-up for those involved in attacking/defending MacOS assets!
• Windows Hotpatching & Process Injection. Did you know the latest Windows insider builds and Azure server ISOs can hotpatch running processes? Expect both malware and EDRs to (ab)use this feature in the future.
• Microsoft Azure Account Takeover via DOM-based XSS in Cosmos DB Explorer. Regex is hard for everyone. In this case, a single unescaped dot led to a 1-click Azure account takeover.
• A New Vector For “Dirty” Arbitrary File Write to RCE. Lax config parsers allow arbitrary data/files to be used to "smuggle" configuration files. This technique was used with Redis a while back.
• OneNote Embedded File Abuse. Not caught up on the latest hotness (.one)? Get with the program!
• From on-prem to Global Admin without password reset. An "On-prem to Global admin" attack path that requires quite a foothold but still good to have in your bag as it might bypass some Conditional Access configurations.
• From CVE-2022-33679 to Unauthenticated Kerberoasting. If you missed the kerberos exploit from 2022-10, this post does a good job of introducing the concept of pre-authentication, explaining the flaw, and how to exploit it.
• Microsoft Word RTF Font Table Heap Corruption. Just a crash PoC, but with a CVSS of 9.8, and Word 2007 to Insider Preview - 2211 Build 15831.20122 CTR affected, expect to see it in the wild soon.
• Maldoc Transfers in the Google Cloud. Host your payloads on a high reputation Google domain (cloudfunctions.net).
• Let's build a Chrome extension that steals everything. Red teamers should have an extension like this ready to deploy as we move to a SaaS world and the browser is the only security control after initial access. Code here.
• Having fun with KeePass2: DLL Hijacking and hooking APIs. Hooking via DLL hijacking is a powerful primitive.
• Introducing Aladdin. A new tool and technique for red teamers to bypass misconfigured Windows Defender Application Control (WDAC) and AppLocker. Aladdin exploits a deserialisation issue over .NET remoting in order to execute code inside addinprocess.exe, bypassing a 2019 patch released by Microsoft in .NET Framework version 4.8.

Tools and Exploits

• MemFiles - A CobaltStrike toolkit to write files produced by Beacon to memory instead of disk.
• Amsi-Killer - a "lifetime AMSI bypass."
• Thunderstorm - Modular framework to exploit UPS devices. Only 2 exploits for now.
• msidump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner.
• lolbin-poc - Small PoC of using a Microsoft signed executable as a lolbin.
• Kraken - a modular multi-language webshell coded by @secu_x11.
• DroppedConnection - Emulates a Cisco ASA Anyconnect VPN service, accepting any credentials (and logging them) before serving VBS to the client that gets executed in the context of the user.
• Timeroast - Scripts that execute timeroasting and trustroasting attack techniques by discovering weak computer or trust passwords within an Active Directory domain.
• AtomLdr - A DLL loader with advanced evasive features.
• bootlicker - A generic UEFI bootkit used to achieve initial usermode execution. It works with modifications.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Locksmith. A tiny tool to identify and remediate common misconfigurations in Active Directory Certificate Services. Quick wins for Sysadmins!
• APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.
• Coercer. A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods. #onetorullethemall
• curl-impersonate - A special build of curl that can impersonate Chrome & Firefox.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• New legal framework for reporting IT vulnerabilities. Belgium's CSIRT can give researchers legal protection granted they meet some conditions when reporting (ethics stuff like acting without intent to harm, no public disclosure without consent, etc). To see this codified in law is awesome. Hack the planet!
• ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published. HFS+ file parsing could lead to remote code execution. As ClamAV is used in many mail gateways, the potential to get code execution by emailing an HFS+ file is exiting/terrifying.
• telnet-client. The Google Chrome team put a telnet client into Chrome. Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should.
• [Twitter] Activision was breached December 4th, 2022.. How'd they do it? SMS phishing, and you can see the screenshots in the tweet. All it takes is one, however, the attackers appear to have their access from a different location (i.e. no code running on the user's system). Would your systems catch this (impossible travel, etc)?
• GoDaddy says a multi-year breach hijacked customer websites and accounts. Ever since GoDaddy bought and then tried to resell me a domain I searched for on their site in 2012 I have sworn to never touch them. Intuition was right on.

Techniques and Write-ups

• Disabling ClamAV as an Unprivileged User. Socketfile permissions claim another victim. With write access to kick off scans comes the ability to shut down the AV altogether.
• EoP via Arbitrary File Write/Overwite in Group Policy Client “gpsvc” - CVE-2022-37955. Symbolic links on Windows have led to lots of LPEs over the past few years. This one uses a GPO's "Files" windows setting to write arbitrary files as SYSTEM.
• Bypassing Okta MFA Credential Provider for Windows. A little walkthrough on how to flip off MFA for RDP once you have admin on the machine.
• Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers. Attackers in your kernel is a certified "bad thing." How bad? This post shows a few ways to blind ETW from the kernel. Not just theory, there is an example from Lazarus in the post as well.
• What the Vuln: Zimbra. This new post series looks fun! First up: a web app with a path traversal vulnerability.
• Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs. How did this get past the internal security team, static analysis, and external audits? Amazing. Are you kidding me?
• A Practical Tutorial on PCIe for Total Beginners on Windows (Part 1). The amount of high quality free learning on the internet is amazing, and the people that put it together are awesome.
• Abusing Azure App Service Managed Identity Assignments. Azure is a scary place, and fully understanding the connections of services, apps, principles, etc is a constant struggle.
• New headless Chrome has been released and has a near-perfect browser fingerprint. TLDR: --headless=new will make your headless browser look nearly the same as regular chrome.

Tools and Exploits

• CVE-2022-44666 - Write-up for another forgotten Windows vulnerability (0day): Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape, which was not fully fixed as CVE-2022-44666 in the patches released on December, 2022.
• ntqueueapcthreadex-ntdll-gadget-injection - This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.
• Split - Apply a divide and conquer approach to bypass EDRs.
• COFF_With_Exception_handler.c. Make your BOFs safer.
• LsaParser - A shitty (and old) lsass parser. [authors original description]
• NimPlant - A light-weight first-stage C2 implant written in Nim.
• ThreadlessInject-BOF - BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.
• graphcat - Generate graphs and charts based on password cracking result.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• OpenSSL Ported to the web browser with WebAssembly. WebAssembly is coming for everything. Chrome/Firefox/Safari are the OSs of the future.
• heap_detective - The simple way to detect heap memory pitfalls in C++ and C. Beta.
• Open Software Supply Chain Attack Reference (OSC&R). Its ATT&CK for releasing software.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• VALL-E - Neural Codec Language Models are Zero-Shot Text to Speech Synthesizers. New research from Mircosoft shows how the new model can clone a voice to a high degree of accuracy with only 3 seconds of sample audio from the target. Previous techniques required at least 30 minutes of audio and had worse results. Think how easy it will soon be to call some, record their voice, and then have "them" say things generated in real time. This will be used for vishing, and it will be extremely effective.
• Truffle Security revealed data collection in XSS Hunster. Infosec Twitter was quick to denounce the data collection and suggest running your own instance.
• About the security content of iOS 16.3.1 and iPadOS 16.3.1. WebKit exploit and "Apple is aware of a report that this issue may have been actively exploited."
• Namcheap/Namecheap's SendGrid account compromised to send phishing emails. Namecheap says its SendGrid, SendGrid hasn't said anything (that I can find).
• Canarytokens.org welcomes Azure Login Certificate Token. Canarytokens are still the best free security tool you aren't using.
• We had a security incident. Here's what we know.. Phish to cloned internal gateway gives an attacker valid credentials and second-factor token. FIDO2/U2F would have made this impossible. Props to the user for self-reporting.
• Announcing Nuclei Cloud. The undisputed champions of the open source attack surface management tooling game are here with their hosted solution. This is not one to dismiss given their incredible history of high quality tool releases.
• Reinventing search with a new AI-powered Microsoft Bing and Edge, your copilot for the web. ChatGPT++ comes to Bing. This actually made me create a Microsoft account and sign up for the waitlist. Well done Microsoft.

Techniques and Write-ups

• Behind the Mask: Spoofing Call Stacks Dynamically with Timers. The Cobalt Strike team is hard at work pushing the boundries of call stack spoofing.
• LocalPotato - When Swapping The Context Leads You To SYSTEM. The Potatos never die! This is the 21st potato in my collection. Patching in 2023-01 (as CVE-2023-21746 ), this potato allows for local privilege escaltion through some tricky SPN manipulation.
• Fearless CORS: a design philosophy for CORS middleware libraries (and a Go implementation). This is the best post on CORS on the internet. DM me anything better. I dare you.
• Offphish - Phishing revisited in 2023. This is a great rundown of modern phishing techniques. Keep in mind the ISO MOTW bypass was patched by Microsoft in November.
• [PDF] POPKORN: Popping Windows Kernel Drivers At Scale. Some interesting work on "large scale" (212 unique singed Windows kernel drivers) driver fuzzing. Unlike seemingly every other interesting paper, they actually published the code!.
• A-Salt: attacking SaltStack. SaltStack is a desired state configruation platform and less popular member of the Ansible, Puppet, SaltStack triad. Unlike Ansible, which is agentless, SaltStack uses an agent-server model and is basically a remote access tool (and potential traitorware!).
• Security Code Review With ChatGPT. The ChatGPT craze is still with us. Stop feeding it your code. I almost daily have it write me things in languages I'm not fully familair with and it does a decent job at getting me started.
• XXE with Auto-Update in install4j. Update attacks are great since they are usually 0-click. This is a great walkthrough of a Java installer XML External Entity (XXE) attack that reads arbitrary file contents in the PoC.
• CVE-2022-22655 - TCC - Location Services Bypass. I had no idea that location access wasn't part of TCC directly, but rather locationd's responsibility.
• Binance Smart Chain Token Bridge Hack. Ever wanted to steal ~$500,000,000 from the comfort of your own home? Thanks to the magic of smart contracts, you can!
• Exploiting a remote heap overflow with a custom TCP stack. "The funkiest part was undoubtedly implementing a custom TCP stack to trigger the bug. This is quite uncommon for an user land and real life (as not in a CTF) exploit, and we hope that was entertaining for the reader." It was!
• Elevation of privileges from Everyone through Avast Sandbox to System AmPPL (CVE-2021-45335, CVE-2021-45336 and CVE-2021-45337). Someting about a local privilege escaltion via an anti-virus sandbox just warms my heart. It's red teaming schadenfreude.
• Azure AD Kerberos Tickets: Pivoting to the Cloud. Domain Admin is cool, but impersonation of any non-MFA account via Azure SSO is cooler.
• How your messenger used for internal communication might compromise your company. Skype for business. Teams. Lync. Take your pick, get your access.
• Learning Semgrep. You've seen the power of Semgrep on this blog before, so why not learn it?

Tools and Exploits

• TeamFiltration V3.5.0 - Improve All the Things!. Lots of new features and improvements to this cross-platform framework for enumerating, spraying, exfiltrating, and backdooring Office 365 Azure AD accounts.
• ThreadlessInject - Threadless Process Injection using remote function hooking.
• LPE via StorSvc - Windows Local Privilege Escalation via StorSvc service (writable SYSTEM path DLL Hijacking).
• FilelessPELoader - Loading Remote AES Encrypted PE in memory, decrypt and run it.
• D1rkSleep - Improved version of EKKO by @5pider that Encrypts only Image Sections.
• HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.
• firefly is an advanced black-box fuzzer and not just a standard asset discovery tool. Firefly provides the advantage of testing a target with a large number of built-in checks to detect behaviors in the target.
• UnhookingPatch - Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime.
• OperatorsKit - Collection of Beacon Object Files (BOF) for Cobalt Strike.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• wildebeest is an ActivityPub and Mastodon-compatible server.
• grepmarx - A source code static analysis platform for AppSec enthusiasts.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Taking the next step: OSS-Fuzz in 2023. Increased bounties for integrating projects into OSS-Fuzz. Nice!
• Dutch Police Read Messages of Encrypted Messenger 'Exclu'. If you messenger is not open source and the server is not self-hosted, someone could be reading your messages. Yes, this includes Signal (what is actually running on the servers?).
• CVE-2023-0045. Speculative execution bugs are going to be with us for a while. "The current implementation of the prctl syscall for speculative control fails to protect the user against attackers executing before the mitigation. The seccomp mitigation also fails in this scenario."
• An important next step on our AI journey. Google's response to ChatGPT is... a blog post and no working product? Meanwhile, I'm out here having GPT-3 write my commit messages.
• Checksum mismatches on .tar.gz files. GitHub temporarily broke a lot of deployments after changing the default compression algorithm for releases. The change has been reverted, but showed how fragile the some software release ecosystems are and how reliant they are on a single third party.

Techniques and Write-ups

• Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails. The first of two great posts from Assetnote this week.
• RCE in Avaya Aura Device Services. This is the second post. They're pwning your phone system too...
• 2023-02-05: Solving a VM-based CTF challenge without solving it properly. A neat solve of a hard challenge with using side channels to not "actually" solve it. Hey, a flag is a flag.
• Onenote Malware: Classification and Personal Notes. '.one' based droppers are on the rise. Grab yourself OneNoteAnalyzer, a C# based tool for analyzing malicious OneNote documents, and dig in.
• Rustproofing Linux (Part 1/4 Leaking Addresses). While Rust provides some very nice memory safety, it also has to exist in the real world, where programmers will use 'unsafe' blocks to interact with raw memory and hardware. This series aims to show what can go wrong with 'unsafe' rust. Rust is pretty awesome though, as it can regex search 45 million repos in seconds.
• Hacking into Toyota's global supplier management network. I like these "real world" hacks that don't stop at "oh I can get access," but build on that to show how bad the combination of flaws can be. Bravo. The $0 bounty is rough.

Tools and Exploits

• Spoofy: An Email Domain Spoofing Tool. This is the new gold standard of "can I spoof this domain?" tools.
• GoAnywhere MFT - A Forgotten Bug. Some serious Java web app code review leads to - you guessed it - hard coded keys and a deserialization vulnerability.
• sh1mmer chromebook jailbreak. This is a cool "jailbreak" for Chromebooks that uses a modified Google signed RMA shim to boot into an environment that allows unenrolling Chromebooks from their parent organization.
• PipeViewer - A tool that shows detailed information about named pipes in Windows. For why, read Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation - Part 1.
• RasmanPotato - Abuse Impersonate Privilege from Service to SYSTEM like other potatoes do.
• BypassAV This map lists the essential techniques to bypass anti-virus and EDR.
• AMSI-patches-learned-till-now - all of the AMSI patches that I learned till now.
• AMSI_patch - Patching AmsiOpenSession by forcing an error branching.
• Bloodhound python from @_dirkjan is now integrated to CrackMapExec as a core feature.
• Ghostwriter. Automate those reports!
• ReverseSocks5 - Single executable reverse socks5 proxy written in Golang.
• certsync - Dump NTDS with golden certificates and UnPAC the hash.
• comfortably-run - A CLI tool which can be used to inject JavaScript into arbitrary Chrome origins via the Chrome DevTools Protocol.
• D1rkLrd - Shellcode Loader with Indirect Dynamic syscall Implementation , shellcode in MAC format, API resolving from PEB, Syscall calll and syscall instruction address resolving at run time.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• FirmAE - Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis.
• wa-tunnel -Tunneling Internet traffic over Whatsapp.
• RToolZ - A Stealthy Lsass Dumper - can abuse ProcExp152.sys driver to dump PPL Lsass, no dbghelp.lib calls.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Hackers Demand $10M From Riot Games to Stop Leak of 'League of Legends' Source Code. "It is alarming to know that you can be hacked within a matter of hours by an amateur-level hack." Is it?
• Protecting Against Malicious Use of Remote Monitoring and Management Software. Someone at CISA finally watched my talk on Traitorware?
• U.S. Department of Justice Disrupts Hive Ransomware Variant. Don't do crimes.
• Yandex Services Source Code Leak. No git history, no ML models, but lots of source code.
• The Microsoft Edge team no longer offers VM image downloads for the testing of Microsoft Edge and Internet Explorer.. The go-to source for quick, legitimate test VMs is gone. This on the back of the news that detection lab is not being maintained has opened a hole in the test VM/lab/management area... (stay tuned).

Techniques and Write-ups

• At the Edge of Tier Zero: The Curious Case of the RODC. Just because its read-only doesn't mean it can't lead to domain dominance.
• Operator's Guide to the Meterpreter BOFLoader. BOFs come to Meterpreter - they are truly the cross-C2 primitive of modern red teaming. You can run them from Python3 now with pybof. Hell, I even put them in osquery.
• Exploiting Hardcoded Keys to achieve RCE in Yellowfin BI. Hardcode a private key == hardcode a bad time.
• Password strength explained. This is a good explainer. Dice-chosen word-based passwords are the way to go.
• Abusing Exceptions for Code Execution, Part 2. This one is meaty and really cool. If you though SEH exploitation died in 2008, buckle up.
• Extending PersistAssist: Act I. How to add your own modules and stick around even after a reboot.

• Web Hacking

  • Using 0days to Protect the United Nations. Some web apps are frighteningly bad at security - this is one of them.
  • Froxlor v2.0.6 Remote Command Execution (CVE-2023-0315). A nice authenticated RCE chain.
  • MyBB <= 1.8.31: Remote Code Execution Chain. This is just quality web app hacking.

• Insomni'hack 2023 CTF Teaser - InsoBug. CTF writeups don't usually make the blog, but this one is particularly interesting and Windows based which is extremely rare.
• gaylord M FOCker - ready to pwn your MIFARE tags. If you're getting started in the RFID card space, this post will give you a quick overview of the various attacks.
• Microsoft Defender Vulnerability Management Authenticated Scan Security Risks. Authenticated scans can give attackers hashes when 'Negotiate' is enabled.
• CVE-2023-23504: XNU Heap Underwrite in dlil.c. "This can be triggered by a root user creating 65536 total network interfaces." Seems pretty far fetched, but a physical attack (malicious USB) is a potential vector.
• How to access data secured with BitLocker? Do a system update. BitLocker effectively disables itself during updates.
• Give me a browser, I'll give you a Shell. The javascript to create a browse button was neat.
• Fun with macOS's SIP. A nify trick to "bypass" (but not really) System Integrity Protection on macOS.
• Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks. Loader/AV bypassers take note.

Tools and Exploits

• gato GitHub Self-Hosted Runner Enumeration and Attack Tool. More information in this post.
• starhound-importer - Import data from SharpHound and AzureHound using CLI instead of GUI BloodHound using "BloodHound's code". Detail here.
• azbelt - AAD related enumeration in Nim.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• yaralyzer Visually inspect and force decode YARA and regex matches found in both binary and text data. With Colors.
• Forking Chrome to render in a terminal. Simply amazing.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• how to completely own an airline in 3 easy steps. The US "No fly list" was found on an exposed jenkins server belonging to CommuteAir. 80MB of NOFLY.CSV. Classic.
• Introducing LogSlash and The End of Traditional Logging. An interesting idea so save the "meaning" of a series of logs without all the raw data. I think large firms will still be saving all the raw data as all their detections are built on it, but I like the idea.
• HC-tree. A very non-descriptive title for a really cool feature. HC-tree is a high performance backend for SQLite that enables concurrency, replication, and massive size SQLite DBs. There aren't many small applications that shouldn't be using SQLite today as their DB, but with HC-tree, there will be almost none that need anything but SQLite.
• Visual Studio Spell Checker Preview Now Available. Misspellers of the world, untie! (it won't help in this case... oh well.)
• Pirate Bay Proxy Portal Taken Down by Github. Opinions of The Pirate Bay aside, GitHub took down a page that was hosting links to proxies, not even The Pirate Bay itself. The Tor Project is still on GitHub. Strange to see where the line is drawn sometimes.

Techniques and Write-ups

• CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion. ColdFusion is not only still a thing, but it's also still full of holes.
• Pwning the all Google phone with a non-Google bug. The bug here is cool, and the patch gap between ARM and Android on a hardware controlled by it's OS maker (Pixel 6) is worrying.
• CVE from 2018 Strikes Again. I've said it before and I'll say it again, just because a vulnerability is patched, doesn't mean its fixed. This is a one such case, albeit a simple one.
• Bitwarden design flaw: Server side iterations. With LastPass's recent issue, many have been searching for a new password manager, and researchers have been taking a look too. Positive change has already taken place because of this, and the open source BitWarden is getting more secure. However, you may want to manually increase your PBKDF2 iteration setting (Vaultwarden is also set at 100,000 by default as of 2023-01-23). The use of a secret key like 1Password has is a feature many would like to see implemented in other password managers. Need more password manager (patched) flaws? Unsandboxed Password Manager has them.
• Client-Side SSRF to Google Cloud Project Takeover [Google VRP]. A combo of Google properties (FeedBurner + VertexAI) combined for a nice Google Cloud takeover. It's not just Google, as Microsoft resolves four SSRF vulnerabilities in Azure cloud services.
• AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass. Why is a CloudTrail bypass a big deal? When you are looking for ways to validate AWS keys without falling victim to a Canary Token finding a method to use them without showing up in CloudTrail is the only way. Speaking of canary tokens they just released new credit card tokens.
• ManageEngine CVE-2022-47966 Technical Deep Dive. A quick run through of the RCE starting with the patch.
• [PDF] Sudoedit bypass in Sudo <= 1.9.12p1 CVE-2023-22809. A simple command injection-style bug in the EDITOR environement variable allowed a user with sudoedit permissions on a single file to write to arbitray files as root. Perhaps not a common setup to have sudoedit enabled, but an easy LPE if it is!
• CrossTalk and Secret Agent: Two Attack Vectors on Okta's Identity Suite. Some excelent creative hacking that will become more important as more things move to SaaS.
• Exploiting null-dereferences in the Linux kernel. Not crashing the kernel and instead "oops"-ing is better, but can have unintended consequences.
• making malware #0. Not sure a public "API" is the best for tooling's long term evasion, but it might help in some cases.

Tools and Exploits

• CVE-2022-42864 - Proof-of-concept for the CVE-2022-42864 IOHIDFamily race condition that was fixed in iOS 16.2 / macOS Ventura 13.1. Read more at Diabolical Cookies.
• Credmaster2. Your favorite credential spraying tool is back with more plugins.
• pdtm - ProjectDiscovery's Open Source Tool Manager.
• Caido - A lightweight web security auditing toolkit. Built from the ground up in Rust, Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.
• Silhouette is a POC that mitigates the use of physical memory to dump credentials from LSASS.
• git-sim: Visually simulate Git operations in your own repos. Complex git operations can be scary. They're less scary if you can see a pretty picture of what is happening.
• a.socks.proxy.shellcode is SOCKS4 server in shellcode for armv5, armv7, mipseb, and x64.
• SeeProxy - Golang reverse proxy with CobaltStrike malleable profile validation.
• golddigger is a simple tool used to help quickly discover sensitive information in files recursively.
• APCLdr - Payload Loader With Evasion Features.
• CVE-2023-0179-PoC. This is the Linux CVE from last week where the PoC was pulled. It's out now!

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• git-cliff - A highly customizable Changelog Generator that follows Conventional Commit specifications ⛰️
• sh4d0wup - Signing-key abuse and update exploitation framework. This thing is fully featured and scary!
• ulexecve is a userland execve() implementation which helps you execute arbitrary ELF binaries on Linux from userland without the binaries ever having to touch storage. This is useful for red-teaming and anti-forensics purposes.
• SANS SEC760: Advanced Exploit Development for Penetration Testers - Review. The review isn't the interesting part here, its section 3: Recommendations that are gold.
• infisical ♾ Infisical is an open-source, end-to-end encrypted tool to sync secrets and configs across your team and infrastructure.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Supporting the Use of Rust in the Chromium Project. Rust is coming, and its taking down memory safety bugs/exploits as its spreads.
• Sustaining Digital Certificate Security - TrustCor Certificate Distrust. As previously reported, reporting from the Washington Post has led to questions about TrustCor, and this is the official announcement that Google is dropping them from the Chrome CA root store.
• CircleCI incident report for January 4, 2023 security incident. There is still some detail missing (no detail on how they know "the third party extracted encryption keys from a running process" and no public samples of the malware), but the incident report does shed light on how all of CircleCI was compromised. A single employee had their SSO session cookie stolen, and the production system fell. Now is a good time to tabletop what would happen at your company if your lead engineer had their SSO cookie stolen... In the meantime, follow this IR guide.
• [PDF] P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk. People still choose terrible passwords. Arm your users with a password manager and teach them how to use it. Enforce MFA everywhere you can. Hand out hardware tokens and enforce their use. With the rise of passkeys, a passwordless future is possible, but legacy password support will be around for at least the next 25 years.
• Recovering from Attack Surface Reduction rule shortcut deletions. Friday the 13th saw Attack Surface Reduction users get an updated definition that "resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files." This manifested itself with users calling the help desk stating that "all my apps are gone," which sounds a lot like ransomware. Thanks Microsoft. AddShortcuts.ps1 might help recover shortcuts for users.

Techniques and Write-ups

• SCCM Site Takeover via Automatic Client Push Installation. SCCM is perhaps the best lateral movement technique against organizations that use it, but the issue for red teams was compromising the primary server. With this research, it's possible to land a single phish (get any authenticated domain user), and coerce/relay your way to SCCM site takeover, which enables you to push out arbitrary executables or run scripts on every machine managed by SCCM. If ransomware crews aren't already doing this, they soon will be. Protect the MSSQL endpoints that SCCM use!
• Microsoft Defender for Identity Lateral Movement from Forest to Forest without a Forest trust. Using Defender to jump between untrusted forests? Awesome.
• Malware-based attacks on ATMs - A summary. Perhaps not the most relevant article for red/blue teams, but still interesting.
• A LAPS(e) in Judgement. A good overview of the local admin password solution (LAPS) for Windows domains, how to set it up, how to abuse it, and how to detect that abuse.
• T95-H616-Malware. "Pre-Owned" malware in ROM on T95 Android TV Box (AllWinner H616).
• Sliver vs havoc. If you aren't familiar with two of the more popular non-Cobalt Strike C2s that are available, this post breaks them down.
• CVE-2021-31985: Exploiting the Windows Defender AsProtect Heap Overflow Vulnerability. The irony of using Windows Defender to get a SYSTEM shell is delicious.

Tools and Exploits

• secret_handshake - A prototype malware C2 channel using x509 certificates over mTLS.
• phishim is a phishing tool which reduces configuration time and bypasses most types of MFA by running a chrome tab on the server that the user unknowingly interacts with.
• CoffLoader - an implementation of in-house CoffLoader supporting CobaltStrike standard BOF and BSS initialized variables.
• latma - Lateral movement analyzer (LATMA) collects authentication logs from the domain and searches for potential lateral movement attacks and suspicious activity. The tool visualizes the findings with diagrams depicting the lateral movement patterns.
• gophish - GoPhish automation.
• CVE-2023-0179: Linux kernel stack buffer overflow in nftables: PoC and writeup. PoC has been pulled for the time being, but as this effects Linux from ~2019 and later, it could be a pretty widespread LPE and potentially some LAN crashes or RCE.
• LocalPotato is coming soon! - Watch this space.
• Issue 2361: XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings. Ian Beer drops his "MacDirtyCow" which is already being used in the jailbreaking scene to do non-persistent tweaks.
• OffensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises. Version 2 just dropped.
• Open Sourcing Incident Management system. The HARP incident management system, designed to help teams quickly and effectively respond to and resolve any incidents that may occur, specifically in the tech industry, is now open source!

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Crassus - Windows privilege escalation discovery tool
• ShellWasp is a tool to help build shellcode that utilizes Windows syscalls, while overcoming the portability problem associated with Windows syscalls. ShellWasp is built for 32-bit, WoW64.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• CircleCI security alert: Rotate any secrets stored in CircleCI (Updated Jan 7). Ouch. If you use any kind of secrets in CI (not bad by itself, depending on your threat model etc), please use canary tokens so you know when you need to drop everything and rotate secrets and take a hard look at your logs.
• Researchers Could Track the GPS Location of All of California's New Digital License Plates. Because of course they can. File this under "shockingly bad idea is still bad for all the reasons we thought." For all the car hacks of 2022 check out Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More.
• Security Update Guide Improvement - Representing Hotpatch Updates. You can now easily identify hotpatches for Windows Server VMs in Azure which can be applied without a reboot (feature introduced last year). Linux users heard saying "what took so long?"
• [PDF] Factoring integers with sublinear resources on a superconducting quantum processor. Researchers out of China claim to have a system where "traditional" lattice-reduction math is used to dramatically reduce the number of qbits a quantum computer needs to factor numbers (the basis of RSA). If correct, they could theoretically break 2048-bit RSA with 372 qbits (which IBM already has). However, "this destroys the RSA cryptosystem" is a statement other papers have made, and so far, failed to deliver.
• U.S. Targets Non-Compete Clauses That Block Workers From Better Jobs. A staple of any tech employment contract, the non-compete could be coming to an end.
• Making an SSH client the hard way. Your weekly reminder that the modern browser is the OS of tomorrow.

Techniques and Write-ups

• TouchEn nxKey: The keylogging anti-keylogger solution. Every article I read by Wladimir makes me more and more scared of any browser extension. In this case, an all-but-required extension for Korean banking can be repurposed as a keylogger easily among other scarry things.
• Escaping from bhyve. A sesonsed VM escaper (QEMU previously) tries their hand at bhyve, FreeBSD's hypervisor, and comes away with a new VM escape. It's impressive to witness people who can point their attention at something and have impressive bugs fall out.
• A study on Windows HTTP authentication (Part II). Kerberos over HTTP? Windows authentication options are impressive in their vastness. This is a great post for any Windows network assessor, and the Prox-Ez tool will certainly come in handy once inside your next corporate network.
• Bypass firewalls with of-CORs and typo-squatting. The dangers of "just clicking a link" are real in 2023, but not because your computer will get compromised (excluding browser 0day+SBX) but because your company's internal web apps are YOLOing their CORS and authentication, allowing any browser on the network to pull data. This is really neat attack that is only possible because of overpermissive internal web apps. Use of-CORS to pull off your own sweet CORS hacks.
• CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet. The cool part of this post isn't the Citrix exploits, its the method of getting your hands on different versions of Citrix ADC images and fingerprinting the versions.
• Microsoft Defender for Identity JSON API. The inner workings of the Microsoft Defender for Identity and its API can hold some secrets if you compromise a machine running a sensor. Use Microsoft-Defender-for-Identity-API-Fiddler to play with it.
• CVE-2022-25026 & CVE-2022-25027: Vulnerabilities in Rocket TRUfusion Enterprise. Some classic web app vulnerabilities in this post.
• DeTT&CT: Automate your detection coverage with dettectinator . This post introduces a new tool, dettectinator, which is a framework that helps blue teams in using MITRE ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviors.
• Passwordless Persistence and Privilege Escalation in Azure. TIL that Azure comes with its own privesc to Global Admin. Neat.
• Lateral movement risks in the cloud and how to prevent them - Part 2: from compromised container to cloud takeover. What can you do once you land in a prod pod? Depends on the cloud, but probably a lot.

Tools and Exploits

• iCDump. A Modern Objective-C Class Dump. Blog here.
• UnhookingPatch - Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime.
• HellHall is a combination of HellsGate and indirect syscalls.
• WalkerGate is a method to take syscall with memory parsing of ntdll.
• zsyscall is an implementation of the Hell's Gate VX technique. The main difference with the original implementation is the use of the zsyscall procedure instead of HellsGate and HellDescent for using syscalls.
• SOC-Multitool - A free and open source tool to aid in SOC investigations!
• Alcatraz is a x64 binary obfuscator that is able to obfuscate various different pe formats.
• sub-scout is a simple bash script to automate your inital recon and extend your attack surface using popular tools made by infosec community.
• MITRE_ATTACK_CLI - CLI Search for Security Operators of MITRE ATT&CK URLs.
• nuclearpond is a utility leveraging Nuclei to perform internet wide scans for the cost of a cup of coffee.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• A New PyRDP Release: The Rudolph Desktop Protocol!. The gosecure RSS feed was slow on this one?
• KubeStalk discovers Kubernetes and related infrastructure based attack surface from a black-box perspective.
• NTLMRecon - A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
• smudge - Passive OS detection based on SYN packets without Transmitting any Data

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• [LastPass] Notice of Recent Security Incident. The breach from August is worse than initially reported, with encrypted password vaults stolen. Despite their encryption, weak master passwords or perhaps other issues could lead to passwords and other information leaking to the perpetrators. If you use a password manager (cloud based or not), the loss of your vault has to be part of your threat model. Other services have been quick to capitalize on LastPass' failure.
• Announcing OSV-Scanner: Vulnerability Scanner for Open Source. Google launches an open source dependency vulnerability scanner based on their OSV database.
• OWASSRF, a new exploit for Exchange vulnerabilities, exploited in the wild: everything you need to know. At this point, self-hosting Microsoft Exchange is an extremely risky proposition. Unless it's behind a VPN or Zero Trust Network Access (making it hard to use with Outlook/etc), you're asking for compromise.
• 2022 Adversary Infrastructure Report. Cobalt Strike still dominates.
• Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability. In the unlikely case you are running SMB using the new kernel module and not samba, update now or face unauthenticated RCE.
• Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users. The title is a bit bland, but this is official FBI communication encouraging the use of ad blockers. I've heard stories of companies that force uBlock Origin as part of their managed Chrome install to great effect.
• Sunsetting DetectionLab. One of the best automated lab tools is ending development. The scene is set for an open source, modular, lab infrastructure system to be released...
• Crack the ELF RE challenges - "Here are some reverse-engineering challenges I've made on my spare time."

Techniques and Write-ups

• Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg. Some great technical Linux exploitation detail in this write up.
• Spice up your persistence: loading PHP extensions from memory. This technique is neat as your backdoor lives in the PHP process with only some suspect memory maps to give it away after loading from disk (and unloading the disk backed copy of the backdoor).
• Writing x64dbg scripts and Writing x64dbg plugins will help you level up your x64dbg game.
• Puckungfu: A NETGEAR WAN Command Injection. This command injection requires control of DNS on the WAN side of the router.
• MeshyJSON: A TP-Link tdpServer JSON Stack Overflow. In contrast to the relatively simple command injection exploit in Puckungfu, this exploit is a address leak and heap spray to bypass KASLR to execute a ROP gadget. Impressive stuff.
• CVE-2021-43444 to 43449: Exploiting ONLYOFFICE Web Sockets for Unauthenticated Remote Code Execution. This is a great read for any web app pentesters. The inital bug doesn't look so bad, but the chain to RCE is impressive.
• Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 1). This post is all lab/dev setup and a Hello World, but the series could get interesting quickly. For a finished series, check out Lord Of The Ring0.
• LABScon Replay | Breaking Firmware Trust From The Other Side: Exploiting Early Boot Phases (Pre-Efi). You've heard of bootkits, but what about pre-bootkits?
• Trend Micro drops 2x macOS LPE posts: Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities and A Technical Analysis of CVE-2022-22583 and CVE-2022-32800.
• Navigating the Vast Ocean of Sandbox Evasions. Palo Alto's sandbox is custom and has fixes for many common sandbox detections. Would your detections get caught in this sandbox?
• Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463. Part 3 of the amazingly detailed browser exploitation series is here!
• Gatekeeper's Achilles heel: Unearthing a macOS vulnerability. Microsoft digs into a strange "AppleDouble" file format and finds a Gatekeeper bypass.
• .NET Startup Hooks. If you can set environment variables for .NET programs, you can inject arbitrary code. Could be a useful persistence technique as there are built in .NET binaries in Windows.

Tools and Exploits

• Avoiding Detection with Shellcode Mutator. By randomly adding nops or nop equivalent instructions, ShellcodeMutator can break yara rules that look for specific assembly sequences in shellcode.
• Dirty-Vanity - A POC for the new injection technique, abusing windows fork API to evade EDRs. See the slides from BlackHat EU here.
• DirCreate2System - Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting.
• CVE-2022-2602-Kernel-Exploit and CVE-2022-2602 are Linux LPEs for Linux kernel upstream stable 5.4.x, 5.15.x, and later versions. 5.10.x may be vulnerable as well.
• Cohab_Processes - A small Aggressor script to help Red Teams identify foreign processes on a host machine.
• CaFeBiBa - COFF parser - a COFF parser for binaries compiled with MSVC.
• Offensive-Rust - Various offensive techniques in Rust.
• ASRenum-BOF - Cobalt Strike BOF that identifies Attack Surface Reduction (ASR) rules, actions, and exclusion locations.
• CVE-2022-42046 - CVE-2022-42046 Proof of Concept of wfshbr64.sys local privilege escalation via DKOM.
• linux_injector - A simple ptrace-less shared library injector for x64 Linux.
• Venom is a library that meant to perform evasive communication using stolen browser socket.
• wanderer - An open-source process injection enumeration tool written in C#.
• Invoke-Retractor - Build a Seatbelt executable containing only commands you specify.
• WTSRM2 - Writing Tiny Small Reliable Malware 2. This has a ton of cool features, worth a look.
• PassTheChallenge - Recovering NTLM hashes from Credential Guard. See the blog post for more details.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• pike is a tool for determining the permissions or policy required for IAC code.
• policies - Security policies for Tailscale.
• A Visual Guide to SSH Tunnels: Local and Remote Port Forwarding. I use SSH tunnels on a daily basis, and this is a great visual guide to anyone new to the concept (or as a reference if you forget!).
• portable-secret - Better privacy without special software.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Apple advances user security with powerful new data protections. This is a great step forward for a company who has marketed "privacy" but technically had some work to do. While iMessage has always been end-to-end encrypted, iCloud backups, which contain all your iMessages conveniently have not been. Thus, with a simple court order, all your iPhone contents are available to any legally valid request. With this change, everything except Email, Contacts, and Calendar are encrypted on iCloud, rendering those data requests useless. iMessage Contact Key Verification feels a lot like Signal, and security key support for iCloud accounts is long overdue. While none of these steps are groundbreaking, Apple is pushing the boundaries for "mainstream" tech privacy.
• ChatGPT bid for bogus bug bounty is thwarted. It was inevitable. Perhaps bugs will be triaged by AI soon, and the AIs can fight it out amongst themselves.
• Anker's Eufy lied to us about the security of its security cameras. Last week's story was only about the notification image, but it appears that you could get an unencrypted stream URL from Eufy cameras that worked over the internet until recently. So much for local only. I repeat: Put your cameras on a VLAN without egress, and VPN in to view them - trust no one.
• Releasing Semgrep 1.0. Now you have no excuse for not using it to find vulns.

Techniques and Write-ups

• Precious Gemstones: The New Generation of Kerberos Attacks. This is a great refresher if you have missed the last few Kerberos attack releases and need to catch up.
• Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass. It boils down to an undocumented Windows kernel method and structure to implement syscall hooks. "This is a very brave and cool feature." This post contains good general investigative process documentation that will be applicable to kernel hackers and other low level devs.
• GOAD - part 11 - ACL. The latest in a series that walks through the excellent GOAD vulnerable active directory environment.
• Cool vulns don't live long - Netgear and Pwn2Own. Having two vulnerabilities patched the day before a competition is heartbreaking. Perhaps parallel discovery?
• Exploiting CVE-2022-42703 - Bringing back the stack attack "This exploit demonstrates a highly reliable and agnostic technique that can allow a broad spectrum of uncontrolled arbitrary write primitives to achieve kernel code execution on x86 platforms.""
• Part 3: I Hope This Vishing Call Finds You Well…. Vishing can be that extra push to get a phishing campaign across the line. It is being used by adversaries to great effect already; consider adding it to your next service offering.
• Replicating CVEs with KLEE. Symbolic execution engines for bug hunting aren't new, but KLEE is new to me.
• An open source SMS gateway for pentest projects. smsgate holds the code.
• Issue 2346: Windows: HTTP.SYS Kerberos PAC Verification Bypass EoP. A tasty LPE (now patched).
• Assessing Standalone Managed Service Accounts. Managed Service Accounts (MSA) have automatic password management, but that doesn't mean the passwords can't be dumped, hashes reused, and account privileges abused.
• StealthHook - A method for hooking a function without modifying memory protection. "This post describes a method for stealthily hooking a function without modifying memory protection. By overwriting a global pointer or virtual table entry that is nested within the target function, it is possible to hook the function without raising suspicion because many of these memory regions already have write permissions enabled."
• Unauthenticated Command Injection (Cacti). An authentication bypass and a command injection combine for a deadly bug.
• [PDF] Knockout win against TCC, a.k.a. 20+ NEW ways to bypass your macOS privacy mechanisms. Two of the best macOS security researchers team up to take down TCC.

Tools and Exploits

• RedditC2 - Abusing Reddit API to host the C2 traffic, since most of the blue-team members use Reddit, it might be a great way to make the traffic look legit.
• emailGPT - a quick and easy interface to generate emails with ChatGPT.
• noseyparker is a command-line program that finds secrets and sensitive information in textual data and Git history.
• CVE-2022-44721 Crowdstrike Falcon Uninstaller.
• DCOMPotato - Exploit collection for some Service DCOM Object local privilege escalation vulnerabilities (SeImpersonatePrivilege abuse).
• WindowSpy is a Cobalt Strike Beacon Object File meant for targetted user surveillance. The goal of this project was to trigger surveillance capabilities only on certain targets, e.g. browser login pages, confidential documents, vpn logins etc.
• Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• BlueMap helps penetration testers and red teamers to perform Azure auditing, discovery & enumeration, and exploitation in interactive mode that saves complex opsec and overhead that usually exists in Azure penetration testing engagements.
• TProxy is an interception proxy for TCP traffic. It can be used to monitor, drop, modify or inject packets in an existing TCP connection. For monitoring purposes, TProxy has the ability to decrypt incoming TLS traffic and re-encrypt outgoing packets. It also leverages Wireshark dissectors to build a dissection tree of each intercepted packet.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• ChatGPT: Optimizing Language Models for Dialogue. Well, this exploded last week. If you haven't tried it, it's worth some specific technical queries. You can even jailbreak it or run a 'virtual machine' in it.
• Anker's Eufy Cameras Caught Uploading Content to the Cloud Without User Consent. While it was only thumbnail images being uploaded, still a bad look for a brand that is heavy on "local only" branding. Compared to Ring cameras that will find their own wifi to steam video to the cloud, this seems minor. Put your cameras on a VLAN without egress, and VPN in to view them - trust no one.
• Web browsers drop mysterious company with ties to U.S. military contractor. Props to The Washington Post for exposing the root CA and finally getting enough pressure to have it removed from browsers (12 years too late?).
• The FreeBSD Project - Stack overflow in ping(8). Despite the scary title, it only applies to ping responses, and the ping process "runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur." I doubt this will yield remote shells any time soon. LPE however...
• Memory Safe Languages in Android 13. No memory safety related bugs in the Rust code added to Android (yet). It's not a magic bullet, but the evidence shows it really does help prevent memory safety bugs.
• We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012. Control character injection lets you register emails that "matched" actual users, and thereby take over their car via the internet. What a time to be alive. Not broad enough? What about taking over multiple brands of cars via SiriusXM?.
• Hell's Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access. Potential access to the CI of the IBM cloud. Yikes!

Techniques and Write-ups

• Shedding Light on Huawei's Security Hypervisor. This post tears apart the encrypted security hypervisor used in Huawei devices and nets a CVE: CVE-2021-39979 OOB Accesses Using the Logging System.
• CVE-2022-41924 - RCE in Tailscale, DNS Rebinding, and You. The rebinding attacks are neat (if a bit hard to pull off in the real world), but the vendor response is downright amazing, and in a good way this time!
• Pre-Auth RCE with CodeQL in Under 20 Minutes. CodeQL is a force multiplier, I've said it before and I'll say it again.
• Debugging Protected Processes. Debugging protected processes on Windows can be tricky, so what if you made your debugger have the same level of protection instead? Now you can with PPLcontrol.
• Stalking inside of your Chromium Browser. Browsers are where lots of important information is accessed. If you don't have good access methods to leverage endpoint access to dump browser information, or better yet live inside the browser, you should prioritize development.
• How to mimic Kerberos protocol transition using reflective RBCD. Kerberos contains more foot-guns than any authentication protocol I've seen.
• Making unphishable 2FA phishable. Thanks to non-input enabled devices, even the best 2FA can be phished (sometimes).

Tools and Exploits

• SysmonEoP - Proof of Concept for arbitrary file delete/write in Sysmon (CVE-2022-41120).
• Visual Studio Code: Remote Code Execution. Jypiter notebook links could have led to RCE in vscode when clicked.
• SilentMoonwalk is a PoC implementation of a true call stack spoofer, implementing a technique to remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow. Want it in rust? Try Unwinder.
• PrintNotifyPotato - Another potato, using PrintNotify COM service for lifting rights.
• BumbleCrypt - A Bumblebee-inspired Crypter.
• google_lure.py - Generate phishing lures that exploit open-redirects from www.google.com using Google Docs.
• NimDllSideload allows you to easily generate Nim DLLs you can use sideloading/proxy loading. If you're unfamiliar with what DLL sideloading is, take a gander at this blog post.
• Defender_Exclusions-BOF - A BOF to determine Windows Defender exclusions.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Neton is a tool for getting information from Internet connected sandboxes.
• kubeshark , the API Traffic Viewer for kubernetes, provides deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster. Think of a combination of Chrome Dev Tools, TCPDump and Wireshark, re-invented for Kubernetes.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• A Confused Deputy Vulnerability in AWS AppSync. The cloud is just someone else's computer. And sometimes it has vulnerabilities too. This one is particularly bad; case insensitivity led to the ability to access resources in other AWS accounts - aka the worst thing possible in a cloud provider. There is a reason some workloads should stay on prem - but only if your on prem security is better than AWS's ability to prevent cross account access (unlikely).
• Stable Diffusion 2.0 Release. AI is shaping up to be a major disruptor. Play with it locally with DiffusionBee. Want to be more awed by the power of AI? Read this.
• Researchers Quietly Cracked Zeppelin Ransomware Keys. Score one for the good guys.
• CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures. Another border device manufacturer with RCE...

Techniques and Write-ups

• Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice. This post digs into some of the technical details of the Nighthawk commercial C2 agent. MDSec claims the same was collected as part of legitimate red team activity and posted their own rebuttal: Nighthawk: With Great Power Comes Great Responsibility.
• Mind the Gap. TLDR: The patch gap is real, take advantage of it.
• A dive into Microsoft Defender for Identity. Some good ideas for detecting MDI after you land a phish or start an internal assessment with low privileges.
• Microsoft Defender for Identity Encrypted Password. More MDI fun, along with a tool release: Microsoft-Defender-for-Identity-Encrypted-Password.
• An End to KASLR Bypasses?. The new THREATINT_PROCESS_SYSCALL_USAGE ETW event coming to Windows 11 23H2 might make API based kernel address leaks, VM detection, and hardware persistence more difficult to get away with undetected.
• CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management. "A remote authenticated attacker can exploit the vulnerability by sending a crafted request to the target server. Successful exploitation could lead to arbitrary SQL code execution in the security context of the database service, which runs with SYSTEM privileges."
• Chrome Browser Exploitation, Part 2: Introduction to Ignition, Sparkplug and JIT Compilation via TurboFan. Another meaty post on Chrome internals and exploitation - the best browser exploit series since Connor McGarr's posts on Edge exploitation.
• Analysing Misconfigured Firebase Apps: A Tale of Unearthing Data Breaches (Wave 10). Back in the day I worked on an app with a firebase backend and the permission model was non-trivial. Not surprised this research showed that 20% of tested firebase instances exposed data. Want to try your hand at it? Check out firebaseExploiter.
• Tips and Tricks: Debugging .NET Malware in a Multi-Stage Malware Deployment. .NET may be easy to decompile but it can still be tricky to trace a mutli-stage dropper all the way back.
• The Art of Bypassing Kerberoast Detections with Orpheus. Kerberoasting becomes fully customizable with the orpheus tool. Beware of honeySPNs, but otherwise, targeted-roast away!
• macOS Sandbox Escape vulnerability via Terminal. One ENV variable could be set to escape the sandbox on macOS!
• Yet Another Azure VM Persistence Using Bastion Shareable Links. Convenient.

Tools and Exploits

• Sapling: A Scalable, User-Friendly Source Control System. Meta open sourced their in house version control system. Don't worry, it's written in Rust.
• BrokenFlow A simple PoC to invoke an encrypted shellcode by using an hidden call.
• nanorobeus COFF file (BOF) for managing Kerberos tickets.
• GCTI CobaltStrike rules. 165 yara rules for CobaltStrike. More info here.
• ReverseSock5Proxy A tiny Reverse Sock5 Proxy written in C.
• psmsi Create MSIs using PowerShell.
• MemoryEvasion A Cobalt Strike memory evasion loader for redteamers.
• geacon_pro A cross-platform Cobalt Strike Beacon written in Go, supports 4.1+.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• nuvola is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax.
• ofrak is a binary analysis and modification platform that combines the ability to unpack, analyze, modify, and repack binaries.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• Russian Hackers Are Publishing Stolen Abortion Records on the Dark Web. Much like the Finnish mental health breach and hospital attacks this shows that no targets are off limits for criminals. Putting a digital red cross probably won't help.
• ISOs from the internet will have MotW. It was fun while it lasted. On to the next one.
• About the security content of iOS 16.1.1 and iPadOS 16.1.1. XML parsing bugs could lead to RCE. The bug details are here and here. The update also limits AirDrop 'Everyone' option to 10 minutes in China with the speculation being that censors can't monitor airdropped content.
• Amazon once again lost control (for 3 hours) over the IP pool in a BGP Hijacking attack. It is a little wild to me that in 2022 we still use protocols developed for use among friendly research institutions as the underlying infrastructure for cryptocurrencies whose original goal was to survive in a network of adversarial participants.
• Mysterious company with government ties plays key internet role. I said last week, "your OS is just a bootloader for your browser." Perhaps we should take a look at who gets trusted by default in our browsers...
• A Russian Missile Crew Was Geolocated From Just This Photo. OSINT is wild.
• Intel 471 Acquires SpiderFoot. Attack surface monitoring is hot right now.
• Github code search launches. I've been impressed with GitHub since the Microsoft acquisition. Let's see how long it lasts but so far so good.

Techniques and Write-ups

• Introducing ROADtools Token eXchange (roadtx) - Automating Azure AD authentication, Primary Refresh Token (ab)use and device registration. Dirk-jan is in the pantheon of researchers where every post is a must read. When it comes with a tool release... oh baby..
• Certificates and Pwnage and Patches, Oh My!. After a year, AD CS attacks have proven more pervasive than I thought they would be, led to more discoveries, and even patches from Microsoft to the way certs were mapped to identities. I guess you could say releasing their tooling really... imposed cost... as opposed to keeping it closed source.
• Accidental $70k Google Pixel Lock Screen Bypass. This would be a perfect "bugdoor" (intentional bug used as a backdoor), but it looks like an honest mistake with a complex system of overlapping lockscreen.
• Analysis of a LoadLibraryA Stack String Obfuscation Technique with Radare2 & x86dbg. Well laid out post on malware analysis.
• Untangling Azure Active Directory Permissions II: Privileged Access. Building on part 1, this post explores more Azure Active Directory access concepts.
• Microsoft Defender for Identity Recent Bypasses Comments. Some good tips for defenders.
• Tales of Windows detection opportunities for an implant framework. Some interesting detection techniques in here with code samples.
• Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server. RCE, privilege escalation, and directory traversal - the holy trinity.
• CVE-2019-8561: A Hard-to-Banish PackageKit Framework Vulnerability in macOS. A good post that also shows the Apple commitment to "old" OSs isn't there. Monterey's latest release (12.6.1) does not include the fix...

Tools and Exploits

• EDD - FindEmptySystem. More details here
• laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
• Tool Release - Web3 Decoder Burp Suite Extension. Get those obnoxious cryptocurrency bounties!
• TelemetrySource - Project created to map functions responsible for triggering events from various telemetry sources. Details here.
• Introducing cnquery and cnspec. Imagine osquery but with GraphQL. Very cool.
• CInject Windows Kernel inject (no module no thread).
• SharpGmailC2 Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol.
• cve-2022-41352-zimbra-rce Zimbra <9.0.0.p27 RCE.
• AMSI-ETW-Patch Patch AMSI and ETW using a single byte patch for both.
• CVE-2022-3699 Lenovo Diagnostics Driver EoP - Arbitrary R/W.
• drv-vuln-scanner Finds imports that could be exploited, still requires manual analysis.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• squarephish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.
• Digital detritus. As a digital hoarder (look at me right now trying to collect and label all the relevant security stuff from last week) this post resinated with me.
• GPT-4 Rumors From Silicon Valley. AI is getting scary.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.

News

• CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows. Sometimes the hype is just hype. This looks extremely hard to exploit with modern mitigations and a limited userbase.
• [PDF] How security professionals are being attacked: A study of malicious CVE proof of concept exploits in GitHub. Over 10% of PoCs were malicious! There is a reason there is a disclaimer at the end of each of these posts.
• LinkedIn Adds Verified Emails, Profile Creation Dates. Your favorite profile backstop just got a little harder to fake.
• Nighthawk 0.2.1 - Haunting Blue. Some cool features in the latest release of this commercial red team tool.
• Meet Fortra™ The new face of HelpSystems. HelpSystems (Cobalt Strike/Outflank's buyers) have rebranded - now with more generic corporate stock photos.
• [SimpleX] Security assessment by Trail of Bits. I've been playing with this new messenger app for a while and I think it has the potential to unseat Signal in a few versions. No shady CIA money, "open source" (but not really), blockchain silliness, etc. The pace of development is also impressive. They list their Monero address above their Bitcoin address - legit.
• urlscan.io's SOAR spot: Chatty security tools leaking private data. Careful what you auto-submit to external vendors.
• radare2.online. Your OS is just a bootloader for your browser. HTML/CSS/Javascript won the language war and will be the universal language of the future. Scary.
• [PDF] VX-Underground's Black Mass. Tmp.out and vx-underground keep the zine scene alive.

Techniques and Write-ups

• Exploiting Static Site Generators: When Static Is Not Actually Static. File this under "Serverless and other myths."
• A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain. Mobile exploit chains are always a trip. This one look surprisingly easy to understand compared to most.
• Lessons Learned from Cloning Windows Binaries and Code Signing Implants. Some good lessons here. Another option is to just used signed binaries for other purposes ...
• How one misconfiguration in ADCS can lead to full AD Forest compromise. ADCS is the gift that keeps on giving.
• CVE-2022-26730 | ColorSync | Hoyt LLC. macOS memory corruption in the processing of image ICC profiles can lead to RCE. Comes with the shorted PoC I have seen in a while (now patched).
• BYODC - Bring Your Own Domain Controller. This meme makes a comeback. This is some great traitorware - why fake a DCSync, if you can just do an actual DCSync? DCShadow is a previously discovered/implemented version of this.
• Checkmk: Remote Code Execution by Chaining Multiple Bugs (1/3). Quite a chain for unauth RCE across different tech/lanugages.

Tools and Exploits

• Volumiser is a command line tool and interactive console GUI for listing, browsing and extracting files from common virtual machine hard disk image formats.
• katana - A next-generation crawling and spidering framework from projectdiscovery.
• KeeFarceReborn - A standalone DLL that exports databases in cleartext once injected in the KeePass process.
• CVE-2022-33679 One day based on RC4 is still considered harmfrul.
• stager_libpeconv A basic meterpreter protocol stager using the libpeconv library by hasherezade for reflective loading.
• CVE-2022-40146_Exploit_Jar. Apache Batik SSRF to RCE Jar Exploit.
• awsrecon - Tool for reconnaissance of AWS cloud environments.
• exe_who - Executables on Disk? Bleh 🤮.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• The Information Security Kardashev Scale. Interesting way to tier out cybersecurity.
• PowerHuntShares is an audit script designed in inventory, analyze, and report excessive privileges configured on Active Directory domains.
• Kernelhub 🌴Kernel privilege escalation vulnerability collection, with compilation environment, demo GIF map, vulnerability details, executable file (Windows only).
• grace It's strace, with colors.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.