Last Week in Security (LWiS) - 2022-09-26

AttachMe Oracle Cloud vuln (@eladgabay_), JuicyPotatoNG service to SYSTEM privesc (@decoder_it + @splinter_code), personal phishing (@Direct_Defense), AD CS pwnage (@theluemmel), Kerberos FAST protection (@4ndr3w6S), service exploitation via pipes (@x86matthew), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-19 to 2022-09-26.

News

Techniques and Write-ups

Tools and Exploits

  • AutoHoneyPoC. Automatically generate "HoneyPoC" scripts to catch people running things without understanding them.
  • SandboxSpy. Code for profiling sandboxes. It collects environment variables and sends them back, Base32-encoded, over HTTP to an endpoint.
  • githubC2 - Abusing the GitHub API to host C2 traffic. Useful for bypassing blocking firewall rules when github.com is on the target's allow list, and if you don't have C2 infrastructure, now you have a free one.
  • monomorph - MD5-Monomorphic Shellcode Packer: all payloads have the same MD5 hash.
  • FilelessRemotePE - Loading a fileless remote PE from a URI into memory, with argument passing, ETW patching, NTDLL unhooking, and a No New Thread technique.
  • mordor-rs - Rusty Hell's Gate / Halo's Gate / Tartarus' Gate and FreshyCalls / SysWhispers2 library.
  • GwisinMsi - PoC MSI payload based on ASEC/AhnLab's blog post.
  • BloodHound.py-Kerberos - A Python-based ingestor for BloodHound, now with Kerberos support on Linux.
  • DLLirant is a tool to automate DLL hijacking research on a specified binary.
  • CVE-2022-2588 - This Linux LPE affects kernels 3.17 to 5.19 (Ubuntu 17-22).
  • Cronos - PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners.
  • spycast - A cross-platform mDNS enumeration tool.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • bbot - OSINT automation for hackers.
  • NetCoreServer - Ultra-fast, low-latency asynchronous socket server and client C# .NET Core library with support for the TCP, SSL, UDP, HTTP, HTTPS, and WebSocket protocols and a solution to the 10K connections problem.
  • A Free Pen Testing Learning Platform. Spin up your own cloud scenarios using these free templates.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.