Last Week in Security (LWiS) - 2022-08-30
AceLdr (@kyleavery_), DLL fun (@Wietze + @ConsciousHacker), CI/CD pwnage (@smarticu5), Kerberos LPE (@monoxgas + @tiraniddo), Burp ➡️ C2 profile (@codex_tf2), AD CS + PIV (@_EthicalChaos_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-07-25 to 2022-08-30.
News
- Unauth XXE (CVE-2022-2414) in FreeIPA Check the image here.
- Red Team Ops II RTO II is a continuation (not a replacement) of Red Team Ops and aims to build on its foundation. The primary focus of this course is to provide more advanced OPSEC tactics and defense bypass strategies.
- Leaked documents show the purchase (and documentation of) an $8,000,000 iOS Remote Code Execution 0day access as a service... service.
- Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus
- Cobalt Strike 4.7: The 10th Anniversary Edition. Seeing some issues with UDRLs that were working on 4.6, be sure to test before you update prod!
- Ridiculous vulnerability disclosure process with CrowdStrike Falcon Sensor
- Offensive Lateral Movement Workshop - Free and online in September.
- How a Third-Party SMS Service Was Used to Take Over Signal Accounts. TLDR: Set up a Signal PIN if you don't have one yet!
- Announcing Google's Open Source Software Vulnerability Rewards Program
- Former security chief claims Twitter buried 'egregious deficiencies'. Getting hired to report security issues and being ignored? Mudge could be a red team consultant.
- IAM Whoever I Say IAM :: Infiltrating VMWare Workspace ONE Access Using a 0-Click Exploit
- Introducing BloodHound 4.2 — The Azure Refactor
- SANS ICS HyperEncabulator. Not as good as the Rockwell iteration, but pretty solid.
Techniques and Write-ups
- Discovering Domains via a Time-Correlation Attack on Certificate Transparency
- 10 real-world stories of how we've compromised CI/CD pipelines
- [PDF] Taking Kerberos To The Next Level
- CVE-2022-30216 - Authentication coercion of the Windows “Server” service. The latest coercion technique for Windows.
- WMI Internals Part 2 - Reversing a WMI Provider
- Malware sandbox evasion in x64 assembly by checking ram size - Part 2
- DevAttackOps: Containerizing Red Team Infrastructure (Part 1) and DevAttackOps: Container CI/CD Pipelines (Part 2)
- Masky release (v0.0.3) - Masky is a python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily harvest PFX, NT hashes and TGT on a larger scope.
- Living off the land, AD CS style. This post introduces the PIVert tool to abuse AD CS.
- Harvesting Active Directory credentials via HTTP Request Smuggling
- Maelstrom: Static OpSec Review. This series continues to be superb.
- Anatomy of a basic extension. As the world moves to SaaS, the browser becomes the OS, and malware will be written as extensions.
- The cloud has an isolation problem: PostgreSQL vulnerabilities affect multiple cloud vendors. How Wiz Research uncovered multiple related vulnerabilities in PostgreSQL-as-a-Service offerings from GCP, Azure, and others.
- Abusing SharedUserData For Defense Evasion and Exploitation
- Shellcode: Base-N Decoding for Text-Only Compression and Obfuscation
- Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS!. When Orange writes, you should read.
- The LDT, a Perfect Home for All Your Kernel Payloads. Using the HIB segment to bypass KASLR on x86-based macOS.
- Bypassing AppLocker by abusing HashInfo
- ClipboardInject - Abusing the clipboard to inject code into remote processes
- Sleeping With Control Flow Guard
- Blind exploits to rule WatchGuard firewalls. This is one of the craziest exploit development writeups I've read in a while. Impressive ability to keep going in the face of adversity.
Tools and Exploits
- TamperingSyscalls is a 2 part novel project consisting of argument spoofing and syscall retrieval which both abuse EH in order to subvert EDRs. This project consists of both of these projects in order to provide an alternative solution to direct syscalls.
- EntropyFix is a tool with no ascii art that reduces the entropy of your payload.
- BlueHound is an open-source tool that helps blue teams pinpoint the security issues that actually matter. By combining information about user permissions, network access and unpatched vulnerabilities, BlueHound reveals the paths attackers would take if they were inside your network.
- AceLdr Cobalt Strike UDRL for memory scanner evasion. [This is the best UDRL yet.]
- Hijack Libs - The database contains 341 Sideloading, 88 Environment Variable, 8 Phantom and 5 Search Order entries.
- Burp2Malleable Quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles.
- ExportDumper A small tool to dump the export table of PE files. The primary use case was intended for use within DLL proxying.
- WFH - Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit, to assist in potentially identifying common “vulnerabilities” or “features” within Windows executables. WFH currently has the capability to automatically identify potential Dynamic Linked Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale.
- jscythe - Abuse the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code.
- DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged.
- SilentHound - Quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.
- jwt-reauth is a Burp plugin to cache authentication tokens from an "auth" URL, and then add them as headers on all requests going to a certain scope.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure - You'll also want WebclientServiceScanner.
- Defaultinator is a data repository for storing and querying default passwords for common devices and applications.
- hakscale - Distribute ordinary bash commands over many systems.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.