On the left I have my attacking machine and on the right I have a Windows Server that I use as a Domain Controller.
[#thread 🧵] In the top left terminal of my attacking machine is the program to exploit this new vulnerability.
In the bottom left is Responder, a tool allowing to mimic the authentication step of many windows protocols in order to show the hashes (NTLMv1, NTLMv2, etc ...)
[#thread 🧵] Firstly I put my Windows Server and my attacking machine in the same network so they can communicate.
It will then call the remote #NetrDfsRemoveStdRoot function on the Windows Server (192.168.2.1) with the following parameters:
[#thread 🧵] This will force the Windows Server (192.168.2.1) to authenticate to the SMB share \\192.168.2.51\test\ and authenticate using its machine account (DC01$).
That's what we see in #Responder on the bottom left terminal of my attacking machine:
[#thread 🧵] Now that we have the hash of the machine account DC01$, we can relay it to authenticate elsewhere as DC01$ and perform privileged actions where we can.
This kind of vulnerabilities allows to quickly get from user to #domain#administrator in unprotected domains!
Simple! This tool mounts the ISO file to a temporary location, and extract the xml file [1].xml from the Windows imaging (WIM) image in ./sources/boot.wim:
[#thread 🧵] Last week in #Microsoft#PatchTuesday, a critical vulnerability was patched that theoretically allows attackers to achieve Remote Code Execution on a target #IIS server (CVE-2022-21907). I'll explain how it works in this thread ⬇️
First of all, it is important to know that this vulnerability is a sibling of CVE-2021-31166 disclosed in May of last year. These two vulnerabilities occur in the parsing of HTTP headers of an incoming request, within the http.sys driver.
To understand what happens in a kernel driver crash, It's important to analyze the kernel #crashdump generated at the moment of the blue screen! Let's open it in #WinDbg and analyze it!
[#thread 🧵] For this 23rd day of #CyberAdvent, we will talk about the LDAP structure and its naming contexts. 🦋
[#thread 🧵(2/10) ] LDAP is a directory structure (a tree) containing objects with their attributes:
[#thread 🧵(3/10) ] You can search for objects in the LDAP with a query on a specified base object and a search scope. In return, you will then get a list of matching objects with the attributes you selected.
[#thread 🧵] For this 20th day of #CyberAdvent we'll be talking about the Local Admin Password Solution #LAPS of Microsoft, and how it can be used to reduce the risk of network pivoting of attackers.
[#thread 🧵(2/6)] One of the common vulnerabilities found in Windows domains is a distributed local administrator on the workstations (sometimes even servers). This means that if an attacker compromises one machine, all the machines with the same administrator password are owned.
[#thread 🧵(3/6)] The attacker can then connect to all the other machines of the network using LM:NT hashes found on one compromised host! 😅
[#thread 🧵] For this third day of #CyberAdvent (3/24), I'll tell you a story. The story of how I gained root access to a server by leveraging a really fun feature in a web application. This #pentest#writeup will explain the complete process from recon to root. 🦋
[#thread 🧵(2/9)] In the recon phase of my pentest, as usual I was performing a port scan. In the output from nmap, I saw an uncommon port 86 with an HTTP server running "Micro Focus DSD 1.0.0":
[#thread 🧵(3/9)] When going on the page from a browser, surprise 🥳🎉 we have an unauthenticated access! This is cool, but I never saw this app before so I didn't know whether we could exploit it simply or not!
[#thread 🧵] For this second day of #CyberAdvent (2/24), we will be talking about a common #PrivilegeEscalation when using the * (wildcard) in shell scripts. Almost everyone has used at least once the * (wildcard) in a shell script but what really happens with the #wildcard ? 🦋
[#thread 🧵(2/7)] We will take as an example this shell script, performing a backup of a website using tar and a wildcard:
[#thread 🧵(3/7)] In this script, the shell replaces the wildcard with matching files from the current directory then executes the command. The * character is never sent to the command (TAR in our case) instead a list of matched files will be sent as arguments to the command.