"Always Notify" UAC bypass (@hFireF0X + @axagarampur), NTLM relaying to AD CS (@_dirkjan), 2x AD tools (@_nwodtuhs), from Jira advisory to RCE (@dozernz), BitLocker key from a TPM (@DolosGroup), PetitPotam + ESC8 easy button (@_batsec_ + @Flangvik), eBPF LPE (@chompie1337), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-07-26 to 2021-08-02.
News
- Welcome to Bug Hunter University. Google launches their own educational content aimed at bug hunters that are working on Google products. Don't expect technique walkthroughs, this is more of a detailed guide on how to bug hunt against Google (i.e. what is in scope, what is considered auth bypass, etc).
- CISA Announces New Vulnerability Disclosure Policy (VDP) Platform. The US federal government is getting into the bug bounty game with the help of BugCrowd. The Department of Homeland Security (DHS), the Department of Labor (DoL), and the Department of Interior (DoI) are among the agencies planning to leverage this platform at the onset.
- Amazon hit by record $887 million EU privacy fine. The EU says Amazon processed personal data in ways that violated GDPR requirements, Amazon said the decision was "without merit." Looks like the real winners in this case will be the lawyers.
- MDSec pushes Nighthawk C2 framework PR via Twitter. The upcoming commercial C2 from MDSec looks like it has some pretty interesting features: hot swappable C2 profiles, in memory encryption for evasion, BOF compatibility, etc. "Coming soon."
- Introducing BloodHound Enterprise: Attack Path Management for Everyone. The enterprise version of the extremely popular BloodHound tool is out now! If you have a massive AD environment, it is likely worth the cost to get what amounts to a top tier AD penetration test with helpful interactive remediation and retesting.
- PortSwigger launches Burp Suite Certified Practitioner. All the training material and even a practice exam are available for free, and the cost is very reasonable at $99. The certification expires after five years with no word on if you have to pay to "maintain" it beyond that time.
Techniques
- NTLM relaying to AD CS - On certificates, printers and a little hippo. The AD GOAT is back to lay it down on NTLM relaying, and even add a little bit of his own twist with PKINITtools. If you only read one post about the latest AD CS relaying and PetitPotam, read this one. Want to use Cobalt Strike for this? Read NTLM Relaying via Cobalt Strike.
- Developing an exploit for the Jira Data Center Ehcache RCE (CVE-2020-36239). I love this kind of post. It walks through every step from reading a bug advisory to RCE and all the struggles, blog posts, and different attempts along the way.
- From Stolen Laptop to Inside the Company Network. Think your BitLocker encrypted laptop is safe from a determined adversary? Think again. The trusted platform module (TPM) sends the BitLocker encryption key over the Serial Peripheral Interface (SPI) bus in plaintext. A bit of research and a quick hookup with a Saleae logic analyzer <https://www.saleae.com/> spill the beans. The SSD was then extracted and decrypted. Because the target laptop had a pre-logon VPN tunnel, the assessors were able to build a test VM and connect to internal file shares. Very nice work against a hardened laptop. Enable that pre-boot authentication!
- Stealing Tokens In Kernel Mode With A Malicious Driver. This post walks through building a simple driver to copy access tokens between PIDs to allow user spoofing or privilege escalation. Bypassing driver signing is another topic altogether, but the basics of kernel development and userspace-to-kernel communication are covered here nicely.
- Root Cause Analysis of a Printer's Drivers Vulnerability CVE-2021-3438. Last week's SSPORT.sys printer driver vulnerability may have been oversold! VoidSec breaks down the root cause and describes why it can be, at best, a denial of service exploit.
- WebContent->EL1 LPE: OOBR in AppleCLCD / IOMobileFrameBuffer. If nothing else, this is good proof of "parallel discovery" even against a "hard target" like iOS. The POC is available, but without the arbitrary read/write needed to finish it.
- Fuzzing Windows RPC with RpcView introduces the process of enumerating RPC servers with RpcView. Expect some good stuff from itm4n as a result of this.
- The path to code execution in the era of EDR, Next-Gen AVs, and AMSI introduces inceptor, a template-based PE packer for Windows, designed to help penetration testers and red teamers bypass common AV and EDR solutions. Inceptor has been designed with a focus on usability and extensive user customization. It is a framework that wraps many other useful tools (sgn, sRDI, donut, DInvoke, Syswhispers, ConfuserEx, Chameleon, LLVM-Obfuscator, and others) into an easy-to-use tool chain to wrap, compile, and obfuscate input shellcode or PE files. This could be a very useful base to extend with private templates and incorporate into your own workflow.
- Universal Privilege Escalation and Persistence – Printer. The PrintNightmare saga may have cooled off, but this post explores how to set up your own rogue printer for that double-click-to-SYSTEM privilege escalation.
Tools and Exploits
- byeintegrity8-uac is a Windows 7 to Windows 11 compatible "Always Notify" UAC bypass. It's also been implemented in UACME as technique #69.
- Issue 2186: Exchange: AD Schema Misconfiguration Elevation of Privilege. Installing Exchange in an AD environment modified the AD schema in a way that allowed computer accounts to create arbitrary AD objects as children (users, etc). This was patched in the Exchange cumulative updates release on 2021-06-29 but is worth checking for on your next assessment.
- Introducing Mimikatz Kit. HelpSystems has decoupled Mimikatz from Cobalt Strike releases with Mimikatz Kit. With the rapid rate of new features in Mimikatz recently, this is a welcome change.
- raider is a framework designed to test authentication for web applications. While web proxies like ZAProxy and Burp Suite allow authenticated tests, they don't provide features to test the authentication process itself, i.e. manipulating the relevant input fields to identify broken authentication. Most authentication bugs in the wild have been found by testing manually or by writing custom scripts that replicate the behaviour. Raider aims to make testing easier by providing an interface to interact with all the important elements found in modern authentication systems. It uses a Lisp-like configuration language to control the authentication flows.
- ADCSPwn is a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts (PetitPotam) and relaying it to the certificate service. This is your easy button for PetitPotam + ESC8 exploitation.
- NinjaC2 V2.1 : New webshell agent, more features and updated AV bypass. The update adds a webshell and a few other AV bypass features.
- Linux_LPE_eBPF_CVE-2021-3490 is an LPE exploit for CVE-2021-3490. Tested on Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58 and Ubuntu 21.04 (Hirsute Hippo) 5.11.0-16.17. Full details in Kernel Pwning with eBPF: a Love Story.
- pywhisker is a Python equivalent of the original Whisker made by Elad Shamir and written in C#. This tool allows users to manipulate the msDS-KeyCredentialLink attribute of a target user/computer to obtain full control over that object. It's based on Impacket and on our Python equivalent of Michael Grafnetter's DSInternals, called PyDSInternals. This tool, along with Dirk-jan's PKINITtools, allows this primitive to be fully exploited from UNIX-based systems.
- targetedKerberoast is a Python script that can, like many others (e.g. GetUserSPNs.py), print "kerberoast" hashes for user accounts that have an SPN set. This tool brings the following additional feature: for each user without an SPN, it tries to set one (abusing a write permission on the servicePrincipalName attribute), prints the "kerberoast" hash, and deletes the temporary SPN set for that operation. This is called targeted Kerberoasting. The tool can be run against all users of a domain, a list of users, or a single user supplied on the CLI.
- scarecrow_wrapper is a wrapper payload for Mythic that wraps any agent shellcode with the ScareCrow loader. This wrapper currently supports the CPL, EXE, and DLL payload types from ScareCrow.
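Targeted Kerberoasting leaves a distinctive three-step trail on the domain controller: an SPN written onto a user that had none (Security event 5136, servicePrincipalName, Value Added), a service ticket request for that account (event 4769), and the SPN deleted again (5136, Value Deleted), all within minutes. The detection below is an added example written for this post, not code from the targetedKerberoast project; the event records are constructed stand-ins for exported 5136/4769 fields, and it assumes the object's CN equals its sAMAccountName.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs), modelled on the fields of Security
# events 5136 (directory service object modified) and 4769 (service ticket
# requested). Times are ISO 8601 strings as a log exporter might emit them.
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2021-07-30T10:00:01", "actor": "CORP\\lowpriv",
     "object": "CN=alice,OU=Users,DC=corp,DC=local", "attr": "servicePrincipalName",
     "op": "Value Added", "value": "HTTP/x.corp.local"},
    {"id": 4769, "time": "2021-07-30T10:00:02", "actor": "CORP\\lowpriv",
     "service": "alice", "etype": "0x17"},          # RC4 ticket, typical for roasting
    {"id": 5136, "time": "2021-07-30T10:00:03", "actor": "CORP\\lowpriv",
     "object": "CN=alice,OU=Users,DC=corp,DC=local", "attr": "servicePrincipalName",
     "op": "Value Deleted", "value": "HTTP/x.corp.local"},
    # Benign: an admin registers a real SPN on a service account and leaves it.
    {"id": 5136, "time": "2021-07-30T11:30:00", "actor": "CORP\\admin",
     "object": "CN=svc_sql,OU=Svc,DC=corp,DC=local", "attr": "servicePrincipalName",
     "op": "Value Added", "value": "MSSQLSvc/db1.corp.local:1433"},
    {"id": 4769, "time": "2021-07-30T11:31:00", "actor": "CORP\\app",
     "service": "svc_sql", "etype": "0x12"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _cn(distinguished_name):
    # "CN=alice,OU=Users,..." -> "alice"; assumes CN == sAMAccountName (simplification)
    return distinguished_name.split(",", 1)[0].split("=", 1)[1].lower()


def find_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Return [(actor, target)] for each SPN add -> 4769 -> SPN delete sequence
    on the same object and SPN value that completes within `window`."""
    events = sorted(events, key=_ts)
    hits = []
    for i, add in enumerate(events):
        if not (add["id"] == 5136 and add["attr"] == "servicePrincipalName"
                and add["op"] == "Value Added"):
            continue
        target, saw_tgs = _cn(add["object"]), False
        for later in events[i + 1:]:
            if _ts(later) - _ts(add) > window:
                break                                # sequence did not complete in time
            if later["id"] == 4769 and later["service"].lower() == target:
                saw_tgs = True
            elif (later["id"] == 5136 and later["op"] == "Value Deleted"
                  and later["object"] == add["object"] and later["value"] == add["value"]):
                if saw_tgs:
                    hits.append((add["actor"], target))
                break                                # SPN removed; stop tracking this add
    return hits
```

The benign SPN registration is not flagged because the value is never deleted; a real deployment would also want to alert on the bare 5136 add by a non-administrative actor.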
- MicrosoftWontFixList. Are you lost in all the "Won't fix" vulnerabilities released or discovered in July? This page has them all summarized for you.
- spawn is a Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes the payload. Built to evade EDR/userland hooks by spawning the sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.
- hallucinate is a one-stop tool for TLS traffic inspection and manipulation using dynamic instrumentation. For more information check out the introductory blog post.
- ligolo-ng is an advanced, yet simple, tunneling/pivoting tool that uses a TUN interface. Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor.
- revealin is a tool to uncover the full name of a target on Linkedin by taking advantage of the autocomplete feature.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.