Last Week in Security (LWiS) - 2024-08-19

DEF CON 32 Tools and Talks, Apache confusion (Orange Tsai), private TLDs (@N7WEra), UDL 🎣 (@Oddvarmoe), crash analysis (@patrickwardle), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-07-29 to 2024-08-19.

News

Techniques and Write-ups

Tools and Exploits

  • sccm-http-looter - Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) shares via HTTP(S).
  • tldfinder - A streamlined tool for discovering TLDs, associated domains, and related domain names.
  • Tempest - A command and control framework written in Rust.
  • cloudgrep - cloudgrep is grep for cloud storage.
  • DriverJack - Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths.
  • RpcProxyInvoke - Simple POC library to execute arbitrary calls proxying them via NdrServerCall2 or similar.
  • Deep-Live-Cam - real time face swap and one-click video deepfake with only a single image.
  • tryharder - C++ Staged Shellcode Loader with Evasion capabilities.
  • 4n6pi - 4n6pi is a forensic imager for disks, designed to run on a Raspberry Pi powered by libewf. It provides a simple and portable solution for creating disk images in forensic investigations.
  • QuickShell - A library and a set of tools for exploiting and communicating with Google's Quick Share devices.
  • certainly - Certainly is an offensive security toolkit to capture large amounts of traffic in various network protocols in bitflip and typosquat scenarios.
  • PyRIT - The Python Risk Identification Tool for generative AI (PyRIT) is an open access automation framework to empower security professionals and machine learning engineers to proactively find risks in their generative AI systems.
  • Shwmae - Shwmae (shuh-my) is a Windows Hello abuse tool that was released during DEF CON 32 as part of the Abusing Windows Hello Without a Severed Hand talk. The purpose of the tool is to abuse Windows Hello from a privileged user context.
  • CVE-2024-38077 - MadLicense Windows RCE CVE-2024-38077: A simple heap overflow vulnerability in the terminal licensing server. [As always, verify the code before use.]
  • ShimMe - Tools from the DEF CON 32 talk "SHIM me what you got - Manipulating Shim and Office for Code Injection": "Office Injector" and "Shim Injector".
  • koppeling-p - Adaptive DLL hijacking / dynamic export forwarding - EAT preserve.
  • httpxui - HTTP flyover tool based on the httpx library by ProjectDiscovery.
  • .NET_PROFILER_DLL_LOADING - .NET profiler DLL loading can be abused to make a legitimate .NET application load a malicious DLL using environment variables. This exploit loads a malicious DLL via Task Scheduler (MMC) to bypass UAC and obtain admin privileges.
  • DockerSpy - DockerSpy searches for images on Docker Hub and extracts sensitive information such as authentication secrets, private keys, and more.
  • LocalKdc - Info on how to use Kerberos KDC on a non-domain joined host.
  • CVE-2024-36401 - GeoServer Remote Code Execution.
  • smbtakeover - BOF and Python3 implementation of technique to unbind 445/tcp on Windows via SCM interactions.
  • LeakedWallpaper - Leak of any user's NetNTLM hash. Fixed in KB5040434.
  • DeadPotato - DeadPotato is a Windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges. This script has been customized from the original GodPotato source code by BeichenDream.
  • SCCMSecrets - SCCMSecrets.py aims at exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement.
  • BOF_NativeAPI_Definitions-VSCode - A VSCode plugin to assist with BOF development.
  • rogueapps - When good OAuth apps go rogue. Documents observed OAuth application tradecraft.
  • sshamble - SSHamble: Unexpected Exposures in SSH.
  • Maestro - Maestro is a post-exploitation tool designed to interact with Intune/EntraID from a C2 agent on a user's workstation without requiring the user's password or knowledge of Azure authentication flows, token manipulation, or web-based administration consoles.
  • Invoke-Maldaptive - MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection.
  • hookchain - HookChain: A new perspective for Bypassing EDR Solutions.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • azure-tiering - Azure administrative tiering based on known attack paths.
  • ASRepCatcher - Make everyone in your VLAN ASRep roastable.
  • TrickDump - Dump LSASS using only NTAPIs, running 3 programs to create 3 JSON files and 1 ZIP file... and generate the Minidump later!
  • neuvik-terraform-workshop - Neuvik's Terraform Red Team Workshop.
  • SafeLine - Serves as a reverse proxy to protect your web services from attacks and exploits.
  • RemoteSessionEnum - Remotely enumerate sessions using undocumented Windows Station APIs.
  • SpoofDPI - A simple and fast anti-censorship tool written in Go.
  • repopack - 📦 Repopack is a powerful tool that packs your entire repository into a single, AI-friendly file. Perfect for when you need to feed your codebase to Large Language Models (LLMs) or other AI tools like Claude, ChatGPT, and Gemini.
  • Gato-X - GitHub Attack Toolkit - Extreme Edition.
  • apeman - AWS Attack Path Management Tool - Walking on the Moon.
  • Cloudflare Workers as an API gateway - From the software engineering community, but infosec can learn from some of this 🙂.
  • Advanced_Initial_access_in_2024_OffensiveX - Resources linked to my presentation at OffensiveX in Athens in June 2024 on the topic "Breach the Gat, Advanced Initial Access in 2024".
  • An Opinionated Ramp Up Guide to AWS Pentesting - Hot takes on cloud pentesting. Does this resonate with anyone?
  • MsRdpEx - Microsoft RDP Client Extensions.
  • NetAlertX - 🔍 WIFI / LAN intruder detector. Scans for devices connected to your network and alerts you if new and unknown devices are found.
  • timelinize - Store your data from all your accounts and devices in a single cohesive timeline on your own computer.
  • TONY HAWK'S PRO STRCPY - Exploit game consoles with a bad strcpy in the custom park load function of Tony Hawk's Pro Skater.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.