Last Week in Security (LWiS) - 2024-04-01

XZ backdoor (@fr0gger_ + @amlweems), best LPE since DirtyCOW (@notselwyn), SCCM pwnage (@AndrewOliveau + @__Mastadon), kernel fuzzing (@R00tkitSMM), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-03-25 to 2024-04-01.


Techniques and Write-ups

Tools and Exploits

  • TeamsNTLMLeak - Leak NTLM via the Website tab in Teams via MS Office.
  • Atexec-pro - Fileless atexec, no more need for port 445.
  • SharpConflux - SharpConflux is a .NET application built to facilitate Confluence exploration. It allows Red Team operators to easily investigate Confluence instances with the goal of finding credential material and documentation relating to objectives without having to rely on SOCKS proxying. Here is the related blog.
  • SQL-BOF - A library of beacon object files to interact with remote SQL servers and data.
  • CspReconGo - It automates the extraction and analysis of domains from Content Security Policy (CSP) headers and JavaScript files on websites.
  • CVE-2024-1086 - Universal local privilege escalation Proof-of-Concept exploit for CVE-2024-1086, working on most Linux kernels between v5.14 and v6.6, including Debian, Ubuntu, and KernelCTF. The success rate is 99.4% in KernelCTF images.
  • CcmPwn - Lateral movement script that leverages the CcmExec service to remotely hijack user sessions.
  • ChaiLdr - AV bypass while you sip your Chai!
  • curlrevshell - Kooky cURL-powered replacement for reverse shell via /dev/tcp.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Cookie dumper for Chrome and Edge - Dump cookies directly from Chrome process memory
  • RustRedOps - 🦀 | RustRedOps is a repository dedicated to gathering and sharing advanced techniques and offensive malware for Red Team, with a specific focus on the Rust programming language.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.