Last Week in Security (LWiS) - 2022-03-28

RCE on a NAS (@alexjplaskett, @saidelike, and @FidgetingBits), Double Fetch vulns (@N1ckDunn), Razer LPE (@matthiasdeeg), DFIR cloud automation (@ZawadiDone), Ubuntu LPE (@ETenal7), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-03-21 to 2022-03-28.

News

Techniques and Write-ups

Tools and Exploits

  • tetanus is a Mythic C2 agent targeting Linux and Windows hosts written in Rust.
  • DelegationBOF uses LDAP to check a domain for known abusable Kerberos delegation settings. Currently, it supports RBCD, Constrained, Constrained w/Protocol Transition, and Unconstrained Delegation checks.
  • OffensivePascal is a Pascal Offsec repo for malware dev and red teaming 🚩.
  • CVE-2019-0708 is a BlueKeep proof of concept allowing pre-auth RCE on Windows 7.
  • YouMayPasser is an x64 implementation of Gargoyle. Don't sleep on this one ;)
  • ctfd-parser is a Python script to dump all the challenges of a CTFd-based Capture the Flag to local files.
  • wireproxy is a WireGuard client that exposes itself as a SOCKS5 proxy.
  • TCC-ClickJacking is a proof of concept for a clickjacking attack on macOS.
  • DLLirant is a tool to automate DLL hijacking research on a specified binary.

New to Me

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Cronos-Rootkit is a Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes and to protect and elevate them with token manipulation.
  • reverse_ssh is a cross-platform RAT that uses SSH as the transport protocol. This allows the use of native SSH with all the niceties that SSH offers (port forwarding, scp, etc.).
  • ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON.
  • OffensiveNotion uses Notion as a platform for offensive operations.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.