JetBrains TeamCity - account takeover via CSRF in GitHub authentication (PoC)

https://github.com/yuriisanin/CVE-2022-24342

Amsi-Bypass-Powershell

This repo contains some Antimalware Scan Interface (AMSI) bypass / avoidance methods i found on different Blog Posts.

Most of the noscripts are detected by AMSI itself. So you have to find the trigger(https://github.com/RythmStick/AMSITrigger) and change the signature at the part via variable/function renaming, string replacement or encoding and decoding at runtime. Alternatively obfuscate them via ISESteroids and or Invoke-Obfuscation to get them working. You can also take a look at blog(https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/) post about manually changing the signature to get a valid bypass again.


https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

Source:
https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Korkos-AMSI-and-Bypass.pdf

For more and Reference :

https://twitter.com/ShitSecure

use a Kerberos relay attack to authenticate as that user to an RDP server due to a lack of user checking in the ticket authentication process
https://bugs.chromium.org/p/project-zero/issues/detail?id=2268

UAC bypass
https://github.com/Wh04m1001/IDiagnosticProfileUAC

Abusing functionality to exploit a super SSRF in #Jira Server (CVE-2022-26135)

Jira is vulnerable to SSRF which requires authentication to exploit.

Exploit:

https://github.com/assetnote/jira-mobile-ssrf-exploit

https://blog.assetnote.io/2022/06/26/exploiting-ssrf-in-jira/…

A vulnerability (CVE-2022-34265) in Django is due to improper string processing when executing SQL for the arguments of the functions Trunc and Extract used for date data in Django. By specifying the request parameters as is in the kind argument of Trunc or the lookup_name argument of Extract, there is a risk that arbitrary SQL minutes can be executed. By exploiting this vulnerability, a third party can send commands to the database to access unauthorized data or delete the database.

Affected Versions

Django 3.2.x prior to 3.2.14

Django 4.0.x prior to 4.0.6


Countermeasures

Update to Django 3.2.14 or higher.

Update to Django 4.0.6 or higher.

https://github.com/aeyesec/CVE-2022-34265

Get persistence via freaky scheduled task download cradles.
https://github.com/VirtualAlllocEx/Taskschedule-Persistence-Download-Cradles

A python noscript to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.
features :
Automatically detects open SMB pipes on the remote machine.
Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
Analyze mode with --analyze, which only lists the vulnerable protocols and functions listening, without performing a coerced authentication.
Perform coerce attack on a list of targets from a file with --targets-file
https://github.com/p0dalirius/Coercer

Security firm SpectreOps has open-sourced a new tool called Koh that can be used to capture Windows account authentication tokens for new logon sessions and reuse them for future attacks
https://github.com/GhostPack/Koh
https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6

Microsoft Threat Intelligence Python Security Tools.

msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to:

query log data from multiple sources
enrich the data with Threat Intelligence, geolocations and Azure resource data
extract Indicators of Activity (IoA) from logs and unpack encoded data
perform sophisticated analysis such as anomalous session detection and time series decomposition
visualize data using interactive timelines, process trees and multi-dimensional Morph Charts
It also includes some time-saving notebook tools such as widgets to set query time boundaries, select and display items from lists, and configure the notebook environment.

https://github.com/microsoft/msticpy

Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking. With a valid access token / kerberos ticket (e.g., golden ticket) of the session owner, you will be able to hijack the session remotely without dropping any beacon/tool on the target server.

https://github.com/netero1010/RDPHijack-BOF

A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
https://github.com/h3xduck/TripleCross

BokuLoader : Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities
Stomp MZ Magic Bytes
Find-Self EggHunter
Direct NT Syscalls via HellsGate & HalosGate
PE Header Obfuscation
PE String Replacement
NOHEADERCOPY - Loader will not copy headers over to beacon. Decommits the first memory page which would normally hold the headers
NoRWX - The Reflective loader writes beacon with Read & Write permissions and after resolving Beacons Import Table & Relocations, changes the .TEXT code section of Beacon to Read & Execute permissions
XGetProcAddress for resolving symbols
100k UDRL Size
Caesar Cipher for string obfuscation
Prepend ASM Instructions
https://github.com/xforcered/BokuLoader

SeBackupPrivilegePoC
https://github.com/daem0nc0re/PrivFu/blob/main/PrivilegedOperations/SeBackupPrivilegePoC/SeBackupPrivilegePoC.cs

All About Bug Bounty

Collection of notes about on the most important BugBounty-related topics.

https://github.com/daffainfo/AllAboutBugBounty

#bugbounty

RDLL (requires SeDebugPrivilege privilege) will automatically locate sysmon process and patch its EtwEventWrite API, causing sysmon malfunctioning while the process and its threads are still running.

https://github.com/ScriptIdiot/SysmonQuiet
#redteam

hijagger
This tool checks every maintainer from every package in the NPM and Python Pypi registry for unregistered domains or unregistered MX records on those domains. If a domain is unregistered you can grab the domain and initiate a password reset on the account if it has no 2 factor auth enabled. This enables you to hijack a package and do whatever you want with it.

https://github.com/firefart/hijagger

simple rust stealer

https://github.com/luca364/rust-stealer

Android remote administration tool with C2 server codebase

https://github.com/Tomiwa-Ot/moukthar

tor_ip_switcher is useful for making any DoS attack look like a DDoS attack. Works with toriptables2.

https://github.com/ruped24/tor_ip_switcher

Abusing forgotten permissions on computer objects in Active Directory for lateral movement :

tl;dr:

first should run BloodHound and use ACL noscript to find the misconfigured Computer accounts in Active Directory and then use Resource-Based Constrained Delegation Attack for dumping credentials (use impacket tool).

https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/

#redteam #activedirectory