Sep 06 2022 Last Week in Security (LWiS) - 2022-09-06

Nmap turns 25 (@nmap), PersistAssist (@Grimmie), SCM attack toolkit (@h4wkst3r), nf_tables privesc (@saidelike), the BloodHound Attack Research Kit (@_wald0), MS Teams Phreaking (@moritz_abrell), blinding Sysmon (@testert01 + @thefLinkk), EvilnoVNC (@JoelGMSec), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-08-29 to 2022-09-06.

News

Nmap 7.93 - 25th Anniversary Release!. The network scanner you know and love turns 25.
China Accuses NSA of Hacking Its Military Research University “Regardless of whether the claims are true or false, this coordination of official statements and covert activity may be part of a broader propaganda campaign to negatively portray the U.S. and show off Chinese cybersecurity capabilities,” Zhang told VICE World News.
Clop ransomware gang published screenshots that show SCADA interfaces for a UK water supplier. This is not the first ICS hack, and will not be the last. The stakes of cybersecurity are only increasing as we become more connected and reliant on connected infrastructure.
Was tiktok hacked by a user 'Against the West'?. It's still not clear if this was an actual breach or a breach of a 3rd party scraping service.
HelpSystems welcomes Outflank. The Dutch cybersecurity startup with some impressive tooling and initial access work gets acquired by the US based HelpSystems who also scooped up Cobalt Strike. This may aid US based purchases of Outflanks "Offensive Security Toolkit."

Techniques and Write-ups

Sharkbot is back in Google Play. Good breakdown of Android malware.
How to Decrypt Manage Engine PMP Passwords for Fun and Domain Admin - a Red Teaming Tale. It's a great day when you can find and decrypt password managers on red team engagements. The use of a password manager to diversify passwords across sites and generate truly random passwords still greatly outweighs the risk of having all passwords centralized. My go-to recommendation is Bitwarden, an open source option that just raised $100 million. You can self-host the backend with vaultwarden and use the official applications, but their free tier is good enough for many use cases.
PersistAssist: Your Persistence Assistant!. PersistAssist is a fully modular persistence framework written in C# which automates persistence deployment and clean up. Code here.
Automating Azure Abuse Research — Part 2. This post dives into the BloodHound Attack Research Kit (BARK) and explains how the BloodHound Enterprise team uses BARK to perform so-called “continuous abuse primitive validation.”
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250). The amount of work for a modern Linux privesc to work is impressive. This post breaks down each step of the exploitation discovery process.
Abusing Microsoft Teams Direct Routing. An external, unauthenticated attacker is able to send specially crafted SIP messages, that pretend to originate from Microsoft and are therefore correctly classified by the victim's Session Border Controller. As a result, unauthorized external calls are made through the victim's phone line (toll fraud).
Attacks on Sysmon Revisited - SysmonEnte. The state of the art in blinding Sysmon has arrived. SysmonEnte is an impressive tool.
Living-Off-the-Blindspot - Operating into EDRs' blindspot. Signed, widely used tools combined with lack of dynamic code introspection makes the perfect storm for EDR evasion.

Tools and Exploits

SSD Advisory - Linux CONFIG_WATCH_QUEUE LPE. A vulnerability in the way Linux handles the CONFIG_WATCH_QUEUE allows local attackers to reach a race condition and use this to elevate their privileges to root. PoC and Exploit included.
EvilnoVNC - Ready to go Phishing Platform built on noVNC. Why intercept creds when you can have your victim use a real browser you control?
PXEThief is a set of tooling that can extract passwords from the Operating System Deployment functionality in Microsoft Endpoint Configuration Manager. You'll probably also want configmgr-cryptderivekey-hashcat-module, a Hashcat module that can crack a password used to derive an AES-128 key with CryptDeriveKey from CryptoAPI.
MsSettingsDelegateExecute. Bypass UAC on Windows 10/11 x64 using ms-settings DelegateExecute registry key.
NoFaxGiven. Code Execution & Persistence in NETWORK SERVICE FAX Service.
CVE-2022-2639-PipeVersion. It was taken down before I even got to it. Untested. Kernels 3.13 to 5.18 are vulnerable (fix committed 2022-04-15).
Origami - Packer compressing .net assemblies, (ab)using the PE format for data storage. Updated last week with .NET Core support, Costura support, and a simplified loader.
reinschauer - A PoC to remotely control Windows machines over Websockets.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

SCMKit allows the user to specify the Source Code Management system and attack module to use, along with specifying valid credentials (username/password or API key) to the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation and persistence.
Headway Self-hostable maps stack, powered by OpenStreetMap.
Use TouchID to Authenticate sudo on macOS. Your TouchID equipped Mac can easily be configured to use your fingerprint to approve sudo commands.
The Immediate Sound of Distant Hammers. The first sci-fi short story from Universal Shards in over a year!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.