The iscsicpl.exe binary is vulnerable to DLL search order hijacking when the 32-bit Microsoft binary is run on a 64-bit host via SysWOW64. The 32-bit binary searches the user's %Path% for the DLL iscsiexe.dll. Because autoelevate is enabled for "iscsicpl.exe", a proxy DLL placed on that path can be used to execute code at the elevated integrity level.
https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
#UACbypass #redteaming
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs
https://github.com/optiv/Mangle
pretender, a cross-platform tool to obtain a machine-in-the-middle position inside Windows networks in the spirit of Responder and mitm6.
https://blog.redteam-pentesting.de/2022/introducing-pretender/
https://github.com/RedTeamPentesting/pretender
Randy
This is a pre-authenticated RCE exploit for Inductive Automation Ignition that impacts versions <= 8.1.16. We failed to exploit the bugs at Pwn2Own Miami 2022 because we had a sloppy exploit and no debug environment, but since then we have found the time and energy to improve it!
https://github.com/sourceincite/randy
Intercepter-NG 1.2
* SSL MiTM rewritten (SNI support)
* SSL Strip updated
* X-Scan updated
+ Forced capturing on PPP interfaces
********
+ Captive Portal test template
- eXtreme mode, iOS killer
- Heartbleed exploit
- DHCP\RAW Mode
* WayBack Mode (restores hidden modes)
* OUI db updated
* Fixes, improvements, optimizations
********
http://sniff.su/download.html
PowerView.py is an alternative to the awesome original PowerView.ps1 script. Most of the modules used in PowerView are available in this project (some of the flags are changed).
Interesting Features
Embedded user session
Mini PowerView.py console to make you feel at home when using PowerView in Powershell
Auto-completer, so no more memorizing commands
Cross-Domain interactions
https://github.com/aniqfakhrul/powerview.py
#powerview
LPE exploit for CVE-2022-34918. This exploit has been written for the Ubuntu Linux kernel 5.15.0-39-generic.
Blog:
https://www.randorisec.fr/crack-linux-firewall/
POC:
https://github.com/randorisec/CVE-2022-34918-LPE-PoC
#Linux #LPE
Mandiant Azure Workshop for red teaming and detection
Requirements
Azure tenant
Azure CLI
Terraform version 1.2.2 or above
Azure user with the Global Admin role in the AAD tenant
Add your external IP on lines 248-249 in kc1.tf
https://lnkd.in/g752YaTa
#Azure #redteam
Detectree is a data visualisation tool for blue teams. It provides a graphical representation of detection data, which allows an analyst to generate almost instant opinions about the nature of the underlying activity and to understand complex relationships between the data points. Ultimately, this can help reduce response time, reduce alert fatigue and facilitate communication between analysts within the teams.
https://lnkd.in/dE5b-P62
Open Sourcing Pulsar, the Runtime Security Observability Tool for IoT, Powered by eBPF
blog.exein.io/pulsar
Tool website: pulsar.sh
GitHub: github.com/exein-io/pulsar
Arbitrary file read in ThinkPHP 5.X
Nuclei template: https://github.com/momika233/TP5_Arbitrary_file_read/blob/main/TP5_Arbitrary_file_read.yaml
PoC: {{BaseURL}}/?s=index/think\\Error/appError&errno=1&errstr=1&errline=1&errfile=../../../etc/passwd
Dork for Shodan: "X-Powered By: ThinkPHP"
A standalone script that adds information about unpatched vulnerabilities to BloodHound based on parsed vulnerability scanner reports. Security teams can then use this data to define starting points for paths (e.g. paths to Domain Admins from vulnerable hosts) or write queries that consider lateral movement to vulnerable hosts.
Supported Scanners
Tenable Nessus
Qualys
Greenbone OpenVAS
Nmap Vuln NSE Script
https://github.com/zeronetworks/BloodHound-Tools/tree/main/VulnerabilitiesDataImport
Stealer in just 3 lines with sending to telegram
https://github.com/FallenAstaroth/stink
Apache Spark Shell Command Injection CVE-2022-33891
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. An authentication filter checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
https://github.com/AmoloHT/CVE-2022-33891
#Apache #spark
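For defenders triaging this advisory, the two facts that decide exposure are the running Spark version and whether spark.acls.enable is set. The following is an added example (not code from the page or from the linked repository) that parses a spark-defaults.conf fragment and classifies a deployment against the version ranges stated above; the sample configuration is constructed for illustration.

```python
import re

# Affected ranges exactly as stated in the advisory text:
#   <= 3.0.3, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1 (inclusive).
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 0, 3)),
    ((3, 1, 1), (3, 1, 2)),
    ((3, 2, 0), (3, 2, 1)),
]


def parse_version(version: str) -> tuple:
    """Turn '3.2.1' or 'v3.2' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Spark version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_affected(version: str) -> bool:
    """True if the version falls inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def parse_spark_conf(text: str) -> dict:
    """Parse spark-defaults.conf style 'key value' (or 'key=value') lines.

    Comments and blank lines are skipped; later keys override earlier ones,
    matching how a flat properties file is normally read.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def acls_enabled(conf: dict) -> bool:
    """spark.acls.enable defaults to false when absent."""
    return conf.get("spark.acls.enable", "false").lower() == "true"


def assess(version: str, conf_text: str) -> dict:
    """Classify a deployment: exposed / patch-needed / not-affected.

    'exposed'      : vulnerable version AND the ACL filter (the vulnerable
                     code path) is switched on.
    'patch-needed' : vulnerable version, but ACLs are off; upgrade before
                     anyone enables spark.acls.enable.
    'not-affected' : version outside the stated ranges.
    """
    conf = parse_spark_conf(conf_text)
    vuln = version_affected(version)
    acls = acls_enabled(conf)
    if vuln and acls:
        status = "exposed"
    elif vuln:
        status = "patch-needed"
    else:
        status = "not-affected"
    return {"version": version, "acls_enabled": acls, "status": status}


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = """
# spark-defaults.conf
spark.master                 spark://controller:7077
spark.ui.port                4040
spark.acls.enable            true
spark.ui.view.acls           analyst
"""

if __name__ == "__main__":
    for ver in ("3.0.3", "3.1.2", "3.2.1", "3.2.2"):
        print(assess(ver, SAMPLE_CONF))
```

The check is deliberately conservative: a vulnerable version with ACLs disabled is still reported as needing a patch, since the only thing standing between it and the vulnerable code path is a one-line configuration change.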
CVE-2022-26712: The POC for SIP-Bypass
https://jhftss.github.io/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/
wget-root:
If the wget binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system. It may be used to do privileged writes or to write files outside a restricted file system. This script automates the rewriting of the passwd file on the victim's machine.
https://github.com/CopernicusPY/wget-root
Apache Tomcat Vulnerability Scanner:
https://github.com/p0dalirius/ApacheTomcatScanner