Last Week in Security (LWiS) - 2022-06-27
Pre-auth RCE on Oracle Cloud (@peterjson + @testanull), Global Jacuzzi hack (@XeEaton), goodfaith scoping (@ryanelkins), Tailscale SSH (@MayaKaczorowski), WerFault lsass dumper (@asaf_gilboa + @s4ntiago_p), ADFSRelay (@praetorianlabs), modern C2 (@preemptdev), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-06-20 to 2022-06-27.
News
- Arsenal Kit Update: Thread Stack Spoofing. A new-ish (~6 months) EDR evasion technique comes to the most popular C2 framework out there.
- Introducing Tailscale SSH. The ability to ssh to servers using Tailscale as an auth provider without changing SSH configs is pretty awesome.
- The legacy Local Administrator Password Solution product (aka “LAPS”) is now a native part of Windows and includes many new features:. Microsoft is taking real steps (finally) to lock down Windows (a little).
- [PDF] MEGA: Malleable Encryption Goes Awry. If you were counting on the mega.io encryption to protect your files, you're in for a bad time.
- Splunk Enterprise deployment servers allow client publishing of forwarder bundles. Imagine you land a phish on a workstation managed by the same Splunk forwarder as the Domain Controller and you can pull off a local privilege escalation. You can use Splunk to get a SYSTEM shell on the DC from the workstation. Pretty gnarly.
- Hacking a Samsung Galaxy for $6,000,000 in Bitcoin!?. This video plays up the drama of the situation, but the hack is legit.
- Cloudflare outage on June 21, 2022. Yes, cloudflare went down, but it had the root cause analysis published in six hours. In my view, an excellent PR move.
Techniques and Write-ups
- WarCon 2022 - Modern Initial Access and Evasion Tactics. If you only read one post from this week as a red team, read this one and review the deck. Great modern red team tactics and techniques all in one spot.
- Hacking into the worldwide Jacuzzi SmartTub network. This is in the running for the best LWiS headline of 2022. Some impressively bad design (think my first web ctf challenge) was used to "secure" the global Jacuzzi network.
- Hack with 'goodfaith' - A tool to automate and scale good faith hacking. The tough part about hacking is to stay in scope. Hacker and security researcher Ryan Elkins (@ryanelkins) revealed a new tool that is intended to help hackers and security researchers avoid generating traffic against out-of-scope targets.
- The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP. Even the Equation Group used port 4444 at one point.
- Miracle - One Vulnerability To Rule Them All. "We successfully achieved pre-auth RCE on login.oracle.com" is a pretty crazy sentence to read. Even more crazy, they say they have another pre-auth RCE. If you have any interest in Java bugs, deserialization attacks, or massive pre-auth RCE on a cloud provider, don't skip this one.
- Relaying to ADFS Attacks. Relay that NTLM to the cloud! Tool here.
- Maelstrom: Writing a C2 Implant. These posts from pre.empt.dev have been a great resource for anyone starting to develop "modern" C2.
- Hacking Some More Secure USB Flash Drives (Part II). This hardware hack has some extra fun, like emulating the "installer" of the USB drive to deliver malware.
- Dealing with large BloodHound datasets. This is a great overview of Bloodhound, collectors, and processors once the data is in the DB.
- Attacking With WebView2 Applications. If you open a site in a "WebView2" application, you can inject all kinds of goodies into it. WebView2-Cookie-Stealer has the source.
Tools and Exploits
- Add WerFault Silent Process Exit: --werfault to nanodump. You can now force WerFault.exe to dump LSASS for you.
- FLOSS Version 2.0. "Over the last few months, we've added new functionality and improved the tool's performance. In this blog post we will share exciting new features and improvements including a new string deobfuscation technique, simplified tool usage, and much faster result output."
- awesome-hacker-search-engines - A list of search engines useful during Penetration testing, vulnerability assessments, red team operations, bug bounty, and more.
- kernel-mii - Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.
- Chrome-Android-and-Windows-0day-RCE-SBX - Chrome Android and (patched) Windows 0day RCE+SBX... from the DPRK (in 2021).
- Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs.
- callback_injection-Csharp - this repo is to cover the other undocumented or published / in different languages to achieve shellcode injection via windows callback functions.
- tlsx - Fast and configurable TLS grabber focused on TLS based data collection.
- dismember - 🔪 Scan memory for secrets and more (linux).
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Damn Vulnerable DeFi - The offensive security playground for decentralized finances. Learn up and get those massive bounties. Also check out CryptoVulhub.
- HTTPLoot - An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.