Gateway

Not a Gatekeeper
Uploads made via Clara Lille.
Rules:
- Only technical documentation, books, and content related to information security/IT in general are allowed.
- Everything else is expressly prohibited.
Partners: https://t.me/Phantasm_Lab

Subscribers: 469

Repost from HackerOne
how I studied for 12 hours a day for over a year

#RedTeam | #SpecterOps | #Jira | #Atlassian | #confluence | #Paper | #Pentest | #Hacking
Sowing Chaos and Reaping Rewards in Confluence and Jira
Let me paint a picture for you. You’re on a red team operation, operating from your favorite C2, and have just landed on a user’s workstation. You decide to take a look at their DNS cache to get a list of internal resources the user has been browsing and as you look through the list, there are several that you recognize based on naming conventions. One in particular might be interesting: Atlassian. What do you do next? Do you immediately sleep your Beacon down to 0 and SOCKS proxy in browser traffic? No way. You have options!

I have created a new .NET tool named AtlasReaper that calls the Atlassian REST APIs for Confluence and Jira. It is designed to run in-memory from C2 agents, with the aim of minimizing the network overhead generated from a SOCKS proxy. This tool has several features, including listing spaces, pages, attachments, projects, issues (and comments), usernames, and emails, and has the ability to search by a provided keyword. I have also included some features for adding content to pages and issues.
https://specterops.io/blog/2023/06/28/sowing-chaos-and-reaping-rewards-in-confluence-and-jira/
#Redteam | #Teams | #Microsoft | #Phishing | #SpearPhishing | #TeamsPhisher
Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware
Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC’s Red Team recently discovered a vulnerability in the latest version of Microsoft Teams which allows for the possible introduction of malware into any organisations using Microsoft Teams in its default configuration. This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organisation. JUMPSEC has detailed remediation options, as well as some detection opportunities.
https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware/
#RedTeam | #Recon | #OSINT | #AvoidDetection | #NSA | #Post
WALKING THE TIGHTROPE: MAXIMIZING INFORMATION GATHERING WHILE AVOIDING DETECTION FOR RED TEAMS
“WE PUT THE TIME IN TO KNOW THAT NETWORK. WE PUT THE TIME IN TO KNOW IT BETTER THAN THE PEOPLE WHO DESIGNED IT AND THE PEOPLE WHO ARE SECURING IT. AND THAT’S THE BOTTOM LINE.”
The concept of truly understanding a network can be applied to the commercial side of testing. In the adversary simulation space, you usually land on endpoints with a list of client objectives. Most adversary attack simulations start from a zero knowledge perspective, and a fast ramp-up is needed. If you’re currently not in this space or have taken classes on red teaming, internal discovery is usually a couple of bullet points or hyper-focused on tools. What’s generally covered is in-depth AD exploration and concepts around specific tools like BloodHound or a single recon script. From my experience, I have found this lacking as there is a longer-form process many red teamers take, which is usually not exciting or easy to lab up. The discovery process includes many more things, like reviewing internal documentation, internal websites, and initial host configuration, to name a few.
https://www.trustedsec.com/blog/walking-the-tightrope-maximizing-information-gathering-while-avoiding-detection-for-red-teams/
#Hacking | #Mobile | #Bank | #Pentesting | #Reversing | #BrokenAccessControl | #BAC
[Hacking Banks] Broken Access Control Vulnerability in Banking application [PART I]
This is the part I of the story about finding a critical Vulnerability in a banking mobile app that allows attackers to obtain full user information (Balance, transaction list), as well as the ability to transmit money with just the victim’s phone number. 
 
Introduction: 
Hacking a bank is one of the things you must cross off your bucket list as a credible hacker. Banks are supposed to have impenetrable security to the outside world, or at least that’s how they usually market themselves. Closer to reality and more in line with the can-do attitude of hackers, banks are just as vulnerable as other organizations and industries. 
 
A few months ago, I was performing freelance reverse engineering on a couple banks’ mobile apps to obtain their APIs. 
Typically, banking apps use client-side security protections like SSL pinning, root detection protection, and request and response encryption, which causes the backend team to overlook some security measures. In this case, I found a Broken Access Control Vulnerability.
Want to know more? https://medium.com/@protostar0/hacking-banks-broken-access-control-vulnerability-in-banking-application-part-i-c442ed5ae170
Repost from N/a
Uncovering Windows Events

Threat Intelligence ETW

#CVE-2023-23397 | #MDSec | #Hacking | #Microsoft | #Outlook | #PrivEsc
Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability
Microsoft Office Outlook contains a privilege escalation vulnerability that allows for an NTLM Relay attack against another service to authenticate as the user.
 
However, no specific details were provided on how to exploit the vulnerability. 
 
At MDSec, we’re continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis. 
 
While no particular details were provided, Microsoft did provide a script to audit your Exchange server for mail items that might be being used to exploit the issue.
https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
Repost from HackerOne
GitHub - ihebski/A-Red-Teamer-diaries: RedTeam/Pentest notes and experiments tested on several infrastructures related to professional engagements.


Repost from HackerOne
Russian Malware Developer Arrested And Extradited To The United States

Tampa, Florida – United States Attorney Roger B. Handberg announces the arrest and extradition of Dariy Pankov a/k/a “dpxaker.” Pankov is charged with conspiracy, access device fraud, and computer fraud. If convicted on all counts, he faces a maximum penalty of 47 years in federal prison. The indictment also notifies Pankov that the United States intends to forfeit $358,437, which is alleged to be traceable to proceeds of the offenses.