[#thread π§΅] I've released a tool to automatically extract, parse #windows build numbers from #ISO files in order to automatically sort them π₯³π
This is pretty useful if, let's say, you have a few Terabytes of ISOs π
Simple! This tool mounts the ISO file to a temporary location, and extract the xml file [1].xml from the Windows imaging (WIM) image in ./sources/boot.wim:
[#thread π§΅(4/4)] You can also use the tool to identify build numbers on a batch of ISO files without moving or renaming them:
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
[#thread π§΅] Last week in #Microsoft#PatchTuesday, a critical vulnerability was patched that theoretically allows attackers to achieve Remote Code Execution on a target #IIS server (CVE-2022-21907). I'll explain how it works in this thread β¬οΈ
First of all, it is important to know that this vulnerability is a sibling of CVE-2021-31166 disclosed in May of last year. These two vulnerabilities occur in the parsing of HTTP headers of an incoming request, within the http.sys driver.
[#thread π§΅(3/9)] But what happens exactly π€ ?
To understand what happens in a kernel driver crash, It's important to analyze the kernel #crashdump generated at the moment of the blue screen! Let's open it in #WinDbg and analyze it!
[#thread π§΅] For this 23rd day of #CyberAdvent, we will talk about the LDAP structure and its naming contexts. π¦
[#thread π§΅(2/10) ] LDAP is a directory structure (a tree) containing objects with their attributes:
[#thread π§΅(3/10) ] You can search for objects in the LDAP with a query on a specified base object and a search scope. In return, you will then get a list of matching objects with the attributes you selected.
[#thread π§΅] For this 20th day of #CyberAdvent we'll be talking about the Local Admin Password Solution #LAPS of Microsoft, and how it can be used to reduce the risk of network pivoting of attackers.
[#thread π§΅(2/6)] One of the common vulnerabilities found in Windows domains is a distributed local administrator on the workstations (sometimes even servers). This means that if an attacker compromises one machine, all the machines with the same administrator password are owned.
[#thread π§΅(3/6)] The attacker can then connect to all the other machines of the network using LM:NT hashes found on one compromised host! π
[#thread π§΅] For this third day of #CyberAdvent (3/24), I'll tell you a story. The story of how I gained root access to a server by leveraging a really fun feature in a web application. This #pentest#writeup will explain the complete process from recon to root. π¦
[#thread π§΅(2/9)] In the recon phase of my pentest, as usual I was performing a port scan. In the output from nmap, I saw an uncommon port 86 with an HTTP server running "Micro Focus DSD 1.0.0":
[#thread π§΅(3/9)] When going on the page from a browser, surprise π₯³π we have an unauthenticated access! This is cool, but I never saw this app before so I didn't know whether we could exploit it simply or not!
[#thread π§΅] For this second day of #CyberAdvent (2/24), we will be talking about a common #PrivilegeEscalation when using the * (wildcard) in shell scripts. Almost everyone has used at least once the * (wildcard) in a shell script but what really happens with the #wildcard ? π¦
[#thread π§΅(2/7)] We will take as an example this shell script, performing a backup of a website using tar and a wildcard:
[#thread π§΅(3/7)] In this script, the shell replaces the wildcard with matching files from the current directory then executes the command. The * character is never sent to the command (TAR in our case) instead a list of matched files will be sent as arguments to the command.
[thread] Did you know that ssh tries to authenticate with stored keys BEFORE the key specified with -i in the command line ? I just noticed this, the hard way π.
Let's imagine you have more than 5 keys loaded in your ssh agent. When authenticating to a remote server, you get:
After this message, ssh tries to authenticate with the keys in the order listed above. Why is that a problem ?
Because most servers have a default configuration with MaxAuthTries set to 6. After 6 tries, you will get a "Too many authentication failures" error.
So, ssh tries to authenticate with the keys in the order listed above, but gets disconnected after 6 tries. This means that if your agent has more than 6 stored keys, the key specified with -i is never used. This means you can't login to a remote server and you might not know why