Last Week in Security (LWiS) - 2024-09-16
MSSQL domain privesc (@_nullbind), .mobi whois takeover (@watchtowrcyber), LLM CTF (@bishopfox), mac filesystem 🪄 (@gergely_kalman), AlcaWASM writeup (@suidpit), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-09-09 to 2024-09-16.
News
- Activation Lock for iPhone components - iOS 18 will lock replaceable components of an iPhone to the iCloud account, making the steal-and-part-out pipeline much more difficult. Thieves would have to phish the phone's original owner, or defeat the activation lock on each component when parting out the phone. Apple is making iPhones less attractive to steal with each release.
- Fake recruiter coding tests target devs with malicious Python packages - 🇰🇵 is at it again, this time serving malware to software development recruits while posing as recruiters from financial services firms (in this case Capital One) on LinkedIn. North Korean threat groups have been very active recently.
- Bug Left Some Windows PCs Dangerously Unpatched - "Build version numbers crossed into a range that triggered a code defect." The build system for Windows and Windows Updates must be a wild place.
- Mastercard invests in continued defense of global digital economy with acquisition of Recorded Future - A cool $2.65 billion for threat intel company Recorded Future. Some say Intelligence is the Most Important and Most Lucrative Asset in Cybersecurity.
- K1 Acquires MariaDB, a Leading Database Software Company, and Appoints New CEO - You were using Postgres anyway, right? History repeats itself.
- Docker Raises Prices Up to 80 Percent and More - You were using Podman Desktop or OrbStack anyway, right? Note: this does not affect the docker CLI, only Docker Desktop.
- Notice of Recent Security Incident - Been a while Fortinet, welcome back!
- Former CIA Officer Sentenced to 10 Years in Prison for Conspiracy to Commit Espionage - To be convicted for this at 71 years old! Wild!
Techniques and Write-ups
- We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI - This is worth a careful read. An expired domain leads to complete chaos, from RCE to TLS certificates for any .mobi domain. A post that makes you wonder how we've gotten this far with the underlying infrastructure of the internet.
- CloudGoat Official Walkthrough Series: 'glue_privesc' - There isn't a ton of cloud-based offensive material out there, so it's great to see a practical walkthrough.
- Defend Against Vampires With 10 Gbps Network Encryption - If your fiber transits uncontrolled spaces (or even if it doesn't), you can use WireGuard and Linux routers on either end to encrypt all trunked VLAN traffic with almost no overhead when tuned properly.
- Exploring Large Language Models: Local LLM CTF & Lab - I believe this is the first local LLM CTF. Code is: local-llm-ctf.
- The forgotten art of filesystem magic - Alligatorcon 2024 slides - Over $150,000 from Apple in bug bounty dollars from understanding filesystems better than the developers. If you're interested in macOS security, this is a must-read.
- Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey - Until the September 2024 Patch Tuesday, you could use some Windows MSI installers to escalate to SYSTEM during a "repair." SEC Consult released msiscan, a scanning tool for identifying local privilege escalation issues in vulnerable MSI installers, along with a few YARA rules in the post.
- AlcaWASM Challenge Writeup - Pwning an In-Browser Lua Interpreter - The Factorio hacker released a challenge along with the write-up. This post is a well-written walkthrough of the more interesting parts of the challenge.
- Feeld Dating App - Your Nudes and Data Were Publicly Available - Looks like the 🌶️ dating app Feeld had more insecure direct object reference (IDOR) vulnerabilities than secured endpoints. GraphQL and IDOR, name a more iconic duo.
- Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation - "In this blog I'll introduce SQL Server credential objects and discuss how they can be abused by threat actors to execute code as either a SQL Server login, local Windows user, or Domain user. I'll also cover how to enable logging that can be used to detect the associated behavior. This should be interesting to penetration testers, red teamers, and DBAs looking for legitimate authentication workarounds."
- [PDF] Standardizing Privileged Access Architecture for Multi-Cloud - An 85-page white paper on securing IAM in AWS, Azure, and GCP.
- Living off the land, GPO style - "The ability to edit Group Policy Objects (GPOs) from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog post takes a deep dive into what steps were taken to find out why domain joined machines are needed in the first place and what options we had to trick the Group Policy Manager MMC snap-in into believing the computer was domain joined."
Tools and Exploits
- CVE-2024-29847 - Ivanti EPM AgentPortal RCE Vulnerability.
- VulnCheck go-exploit External C2s - New go-exploit feature in 1.25.0 allows anyone to easily develop and integrate their own C2.
- recaptcha-phish - Phishing with a fake reCAPTCHA.
- JarPlant - Java archive implant toolkit.
- GlobalUnProtect - Decrypt GlobalProtect configuration and cookie files.
- msiscan - Scanning tool for identifying local privilege escalation issues in vulnerable MSI installers.
- cloudkicker - Self-hosted Azure OSINT tool.
- binsider - Analyze ELF binaries like a boss 😼🕵️‍♂️.
- CVE-2024-40711 - Exploit for the Veeam Backup & Replication pre-auth deserialization vulnerability CVE-2024-40711.
- No-Consolation - A BOF that runs unmanaged PEs inline. Updated to run PEs in the main thread with the --inthread option!
- Introducing Bettercap 2.4.0: Can-Bus Hacking, Wifi Bruteforcing and Builtin Web UI - Bettercap is my favorite modern wireless tool. Now it's even better!
- DGPOEdit - Disconnected GPO Editor - A Group Policy Manager launcher to allow editing of domain GPOs from non-domain joined machines.
- BEAR - Bear C2 is a compilation of C2 scripts, payloads, and stagers used in simulated attacks by Russian APT groups. Bear features a variety of encryption methods, including AES, XOR, DES, TLS, RC4, RSA and ChaCha, to secure communication between the payload and the operator machine.
- EXE-or-DLL-or-ShellCode - Just a simple, silly PoC demonstrating an executable "exe" file that can be used as an exe, a DLL, or shellcode.
- alpt4ats - A Lazy Programmer's Tips for Avoiding the SOC ~ BSides Belfast 2024.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions - A missing 's' at the end of 'actions' could mean the difference between a standard GitHub action deployment and a supply chain attack.
- Linux Detection Engineering - A Sequel on Persistence Mechanisms - A good catalog of less stealthy Linux persistence techniques.
- Azure Config Review - Nuclei Templates v10.0.0 - The fan favorite continues to crank out new features!
- zpoline - system call hook for Linux.
- Yaak Is Now Open Source - The latest desktop API client (think postman) is now MIT licensed and open source.
- macho-loader - POC position-independent reflective loader for Mach-O dylibs.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.