road to OSCP

https://x.com/anyrun_app/status/1861024182210900357

Креативно!

Introduction to the Exploitation of Xamarin Apps

TL;DR: This article covers methods of analyzing Xamarin applications for beginners. It explains the differences between Xamarin and native applications, provides a step-by-step guide for static analysis, and demonstrates app modification techniques.

https://www.justmobilesec.com/en/blog/introduction-to-the-exploitation-of-xamarin-apps

Ways to use templates in SQL-map to bypass WAFs from vendors like FortiWAF, F5, Barracuda, Akamai, Cloudflare, and Imperva

https://redteamrecipe.com/awesome-sqlmap-tampers

Gotta cache 'em all: bending the rules of web cache exploitation

This article examines the behavior of different HTTP servers and proxies when parsing specially crafted URLs. It also introduces techniques that exploit parser discrepancies, enabling arbitrary web cache poisoning and deception across numerous websites and CDN providers.

https://portswigger.net/research/gotta-cache-em-all

Listen to the whispers: web timing attacks that actually work

The article considers ways of conducting web timing attacks in real conditions by reducing network and server noise
This method of detecting hidden parameters and headers is already implemented in Param Miner.

https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work

Source Code Review Bug Patterns

This repository contains Regex patterns to look for while performing manual application source code analysis.

https://github.com/va1da5/manual-source-code-review

JS to find endpoints on a site in HTML code, in the developer console execute:

javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

from:
https://www.youtube.com/@criticalthinkingpodcast

Реквізити Охматдит. Думаю, не треба пояснювати, чому вони тут з'явились.

Можливо, скоро буде збір від DC8044. Тачка, яку ми купували спільнотою - приїхала на то, і рамі повна пизда...

https://www.ohmatdytfund.org/donate?fbclid=PAZXh0bgNhZW0CMTEAAaYWu24k4BrghTfey5q64dBXnLk9Wd25oUVdh7jIY9HgYn4ybXthXVIkz-8_aem_kbb-zZtAqdqfp5A_2OYpFQ

WiFi Exploitation Framework

Nothing new. Just a pretty shell for convenient work

Supported attacks:
- Deauthentication attack
- WIDS Confusion attack
- Authentication attack
- Beacon Flood attack
- TKIP attack (Michael Shutdown Exploitation)
- Pixie Dust attack
- Null Pin attack
- PIN Bruteforce attack
- ARP Replay attack
- HIRTE attack
- Caffe Latte attack
- Fake Authentication attack
- WPA/WPA2 handshake capture attack
- PMKID attack
- EvilTwin attack


https://github.com/D3Ext/WEF

[ Bypassing SSRF Filters Using r3dir ]

r3dir: redirection service designed to help bypass SSRF filters that do not validate the redirect location. It allows you to:
- Set the redirection target via URL parameters or subdomains;
- Control HTTP response codes;
- Obfuscate the target URL with Base32 encoding;
- Bypass some allowlist filters.

Author: Senior Security Consultant Vladyslav H.

Blog: https://www.leviathansecurity.com/blog/bypassing-ssrf-filters-using-r3dir

Tool itself: https://github.com/Horlad/r3dir

Mobile Pentest Like a Pro

Great article that discusses the following topics in detail:
-IOS Jailbreak Methods
-Android Root Methods
-Important Folders & Files
-Static Analytics
-Hooking
-SSL Pin
-Root Detection
-Insecure Logging
-Insecure Storage
-Content Provider
-Static Scanner

https://redteamrecipe.com/mobile-pentest-like-a-pro

Не так давно зі мною сталася дивовижна історія - прям повноцінне пентестерське родео

Отримав дозвіл на частковий disclosure, і тепер можу поділитись нею з вами

Приємного читання 🌝

https://telegra.ph/Ne-bag-a-f%D1%96cha-%D0%86stor%D1%96ya-hitrozhopoi-vrazlivost%D1%96-06-05

Pwning the Domain: AD CS

-Domain Escalation
-Domain Persistence
-Account Persistence
-Domain Certificate Theft

https://hadess.io/pwning-the-domain-ad-cs/

macOS Red Teaming

A little bit about reconnaissance, exploitation, persistence in macOS.

https://redteamrecipe.com/macos-red-teaming

Great articles on exploiting Deep Links and WebViews in mobile apps

Part 1:

- XSS in WebViews
- Information Theft in WebViews

https://www.justmobilesec.com/en/blog/deep-links-webviews-exploitations-part-I

Part 2:

- Open Redirect via Deep Link
- File Theft

https://www.justmobilesec.com/en/blog/deep-links-webviews-exploitations-part-II

Pwning the Domain: Persistence

The article discusses:
- Group Policy
- All types of tickets
- Golden Certificate
- AdminSDHolder
- GoldenGMSA
- SID History
- DC Shadow
- Persistence using Skeleton key
- Persistence using DSRM (Directory Service Restore Mode)
- Persistence using SSP (Security Service Provider)

https://hadess.io/pwning-the-domain-persistence/

RedTeam Tips: Orchestrating Chaos, Evading defense

Ways to make it harder to spot the red team and ways to confuse the blue team

https://redteamrecipe.com/redteam-tips-orchestrating-chaos-evading-defense

Pwning the Domain: Lateral Movement

Methods discussed in the article:
- Password
- WinRM
- RDP
- MSSQL
- SMB
- Interactive-shell
- NTHash
- Pass-the-Hash
- Overpass-the-Hash
- Pass-the-Key
- MSSQL
- Execute OS Commands
- Trusted Link Abuse in MS SQL
- SCCM (MECM)
- Credential Harvest
- Network Access Account
- Client Push Credentials
- Application & Script Deployment

https://hadess.io/pwning-the-domain-lateral-movement/

Today, we'll talk a bit about JavaScript recon in web applications. I've based my methodology on My Javascript Recon Process - BugBounty.

Collecting links to JS files can be done using gau:

gau example.com | grep -iE '\.js' | grep -ivE '\.json' | sort -u >> exampleJS.txt

Alternatively, you can use waymore, which seems to be better:

python3 waymore.py -i example.com -ko "\.js(\?|$)"

We can also try fuzzing to find hidden JS files:

ffuf -u https://www.example.com/js/ -w jsWordlist.txt -t 200

The wordlist for fuzzing can be found here: https://wordlists.assetnote.io/

After that, ping the JS links as some of them may be outdated.

httpx -l exampleJS.txt -mc 200

Now, let's look for secrets in these files using SecretFinder, a tool for detecting sensitive data such as apikeys, accesstokens, authorizations, jwt, etc. in a JS file:

cat exampleJS.txt | xargs -n2 -I @ bash -c 'echo -e "\n[URL] @\n";python3 SecretFinder.py -i @ -o cli' >> exampleJsSecrets.txt

Next, using availableForPurchase.py, we can check if the domains referenced in the JS files are available for purchase. This tool, combined with linkfinder and collector, is really powerful. Sometimes developers make mistakes when writing a domain, possibly the domain imports an external JavaScript file, etc.

cat exampleJS.txt | xargs -I @ bash -c 'python3 linkfinder.py -i @ -o cli' | python3 collector.py output
cat output/urls.txt | python3 availableForPurchase.py
[NO] www.googleapis.com
[YES] www.gooogleapis.com

After executing the above command, a list of potential endpoints that were discovered in the JS becomes available for review:

cat output/paths.txt

We can also immediately check for subdomain takeover using subzy

cat output/urls.txt |grep "https\{0,1\}://[^/]*\.example\.com/[^ ]*" >> subdomainExample.txt; subzy run --targets subdomainExample.txt

Also, excellent extensions for Burp:
JS Miner and JS Link Finder which perform similar tasks but in real-time, for greater coverage it's better to use both script scanning and plugins

Dependency Confusion

Поговорим об вот такой интересной язве, которая расстелет вам путь к RCE. В нескольких словах - эта уязвимость возникает, когда проект использует библиотеку с ошибкой в названии, несуществующей или с неуказанной версией. Атакующий может создать собственную библиотеку в базе общедоступных библиотек и залить свой код, который выполнится на уязвимом сервисе.

🔺Основные проблемы:
▫️Ошибка в названии: Import reqests, вместо requests;
▫️Несуществующая библиотека: Import flask-auth-company-name, внутренняя библиотека, которой не существует в списке общеизвестных библиотек;
▫️Неуказанная версия: Import company-requests , существующая библиотека пытается найти версию и обновиться до неё.

🔺Уязвимыми пакетными менеджерами могут выступать:
▫️NPM
▫️RubyGems
▫️PyPi
▫️JFrog
▫️NuGet

🔴Пример
Предположим вы нашли requirements.txt со следующими пакетами:

defusedxml
bandit
beautifulsoup4
flask
flask-auth-company-name

Можно конечно вручную поискать каждый пакет на pypi.org (или другом сайте пакетного менеджера) но проще использовать утилиту Confused:
confused -l pip requirements.txt
Issues found, the following packages are not available in public package repositories:
[!] flask-auth-company-name

Теперь осталось дело за малым, идем на pypi.org и создаем пакет с таким же названием. При следующем вызове процесса сборки на сервисе вредоносный пакет загружается из нашего репозитория и используется вместо локального пакета. Таким образом получаем РЦЕ.

Для наглядного понимания уязвимости, рекомендую посмотреть следующую и следующую статью.


#dependency

Attacking Azure

https://blog.devsecopsguides.com/attacking-azure

#lpe #linux #kernel

[ ExploitGSM ]
Exploit for 6.4 - 6.5 kernels

https://github.com/YuriiCrimson/ExploitGSM