Last Week in Security (LWiS) - 2024-01-10

QR phishing (@pfiatde), SOCKS as C2 via SSH on Windows (@n00py1), Google Account takeover with persistence (@e11i0t_), Bitwarden access without password (@RedTeamPT), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-01-01 to 2024-01-10.

News

Techniques and Write-ups

Tools and Exploits

  • CVE-MAKER - CLI tool to look up CVEs and their public exploits.
  • SharpGhostTask - A C# port from Invoke-GhostTask.
  • Handly - Abuse leaked token handles. Token handles in MSSQL's process (sqlservr.exe) can be abused to change security context and escalate privileges both locally and in the domain.
  • SSH-Snake - A self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
  • Swarm - Formerly known as axiom, swarm is the next generation of distributed cloud scanning and attack surface monitoring.
  • Moriarty - Moriarty is a comprehensive .NET tool that extends the functionality of Watson and Sherlock, originally developed by @_RastaMouse. It is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.
  • pendulum - Linux Sleep Obfuscation.
  • CanaryTokenScanner - CanaryTokenScanner is a script designed to proactively identify Canary Tokens within office documents (docx, xlsx, pptx).
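Canary tokens in Office files usually ride on an external relationship (an image, OLE object, or attached template with TargetMode="External") that Office fetches the moment the document is opened, which is what beacons back to the token owner. The scanner below is an added example, not CanaryTokenScanner's own code: it walks the OOXML zip, flags relationships whose target is fetched automatically (plain hyperlinks are ignored, since they only fire on click), and separately flags any URL on a known canary-service domain. The CANARY_DOMAINS list and the docx fixture it builds for itself are assumptions for demonstration; extend the list with whatever tokening domains your environment uses.

```python
"""Scan Office Open XML files (docx/xlsx/pptx) for likely Canary Tokens.

Added example for illustration; not the CanaryTokenScanner project's code.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import unescape

# Hosted canary services to match on. Assumption: extend with your own
# tokening domains (e.g. a private canary console).
CANARY_DOMAINS = ("canarytokens.com", "canarytokens.net")

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def is_canary_domain(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in CANARY_DOMAINS)


def scan_ooxml(data):
    """Return findings as dicts with keys part, url, reason.

    Two signals: any URL whose host is a known canary domain, and any
    relationship with TargetMode="External" that is not a plain hyperlink
    (external images, OLE objects and attached templates are fetched on
    open, which is exactly how a token phones home).
    """
    findings, seen = [], set()

    def add(part, url, reason):
        if (part, url) not in seen:
            seen.add((part, url))
            findings.append({"part": part, "url": url, "reason": reason})

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            body = zf.read(name)

            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(body)
                except ET.ParseError:
                    root = None
                for rel in (root.iter(REL_NS + "Relationship") if root is not None else ()):
                    if rel.get("TargetMode") != "External":
                        continue
                    target = rel.get("Target", "")
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    if is_canary_domain(target):
                        add(name, target, "canary domain")
                    elif kind != "hyperlink":
                        add(name, target, "external %s relationship" % kind)

            # Catch canary URLs anywhere else in the XML (settings, comments, ...)
            for m in URL_RE.finditer(body):
                url = unescape(m.group(0).decode("utf-8", "replace"))
                if is_canary_domain(url):
                    add(name, url, "canary domain")
    return findings


def build_sample_docx(image_url):
    """Constructed fixture: a minimal docx whose body references an external
    image (the usual Word canary carrier) plus an ordinary hyperlink."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Quarterly numbers</w:t></w:r></w:p></w:body></w:document>"
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        f'Target="{image_url}" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://example.com/report" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan.py file1.docx file2.xlsx ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for hit in scan_ooxml(f.read()):
                print(f"{path}: {hit['part']}: {hit['url']} ({hit['reason']})")
```

The external-relationship check is the one that matters operationally: a token hosted on a domain you have never heard of still gets flagged because an image that lives outside the package is unusual in a document that arrived by email, while the hyperlink to example.com in the fixture is left alone.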

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • One Supply Chain Attack to Rule Them All - How self-hosted runners plus a supply chain attack let these bounty hunters pwn a ton of orgs. Dope write-up!
  • sessionprobe - A multi-threaded tool designed for penetration testing and bug bounty hunting. It evaluates user privileges in web applications by taking a session token and checking access across a list of URLs, highlighting potential authorization issues.
  • msoffcrypto-tool - Python tool and library for decrypting MS Office files with passwords or other keys.
  • ContinuousMage - ContinuousMage is an automated testing PoC for the Mythic framework.
  • jsluice - Extract URLs, paths, secrets, and other interesting bits from JavaScript.
  • COFF-Loader - A reimplementation of Cobalt Strike's Beacon Object File (BOF) Loader.
  • DirtyCLR - An App Domain Manager injection DLL PoC on steroids, released alongside a blog post.
  • deskhop - Fast Desktop Switching Device.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.