1N73LL1G3NC3

Description
Any misuse of this info will not be the responsibility of the author, educational purposes only.

Admin: @X0red

3 weeks, 6 days ago
Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation

In this blog I’ll introduce SQL Server credential objects and discuss how they can be abused by threat actors to execute code as either a SQL Server login, local Windows user, or Domain user. I’ll also cover how to enable logging that can be used to detect the associated behavior. This should be interesting to penetration testers, red teamers, and DBAs looking for legitimate authentication workarounds.

P.S. powerupsql.com includes the PowerUpSQL code, SQL attack templates, Detection Templates, privilege escalation cheatsheets, blogs, videos, and presentations focused on hacking SQL Server.

4 weeks ago

We have published a video about how the annual independent Pentest award 2024 went!

Happy faces, a crowd of energized specialists, and, of course, happy winners with awards in their hands: a real celebration of ethical hacking.

It was great to meet old friends and colleagues offline, get to know new people, exchange knowledge and ideas, and talk about the important, the professional, and the sore points.

See you in 2025!

Special thanks to the project partners: BI.ZONE Bug Bounty, VK Bug Bounty, OFFZONE and CyberED.

Full video
Pentest award (archive)
@justsecurity

1 month ago
3 months, 3 weeks ago

CVE-2024-28995: High-Severity Directory Traversal Vulnerability affecting SolarWinds Serv-U.

SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine.

POC: https://github.com/rapid7/metasploit-framework/pull/19255

Query:

Hunter: protocol.banner="Serv-U FTP"
FOFA: app="SolarWinds-Serv-U-FTP"
SHODAN: product:"Serv-U ftpd"

5 months, 2 weeks ago

Evil Lsass Twin

Originally, a port of the Dirty Vanity project to fork and dump the LSASS process. Has been updated upon further research to attempt to duplicate open handles to LSASS. If this fails (and it likely will), it will attempt to obtain a handle to LSASS through the NtGetNextProcess function instead of OpenProcess/NtOpenProcess.

How this works:
1) MiniDumpWriteDump function is used to dump forked LSASS process's memory into a file on-disk.
2) File is marked with Delete on Close and does not allow other threads to access it simultaneously.
3) File is mapped into memory
4) File is deleted after open handle to it is closed
5) Mapped Data (memory dump) is encrypted and saved to disk or sent to server

GitHub

Nimperiments/EvilLsassTwin at main · RePRGM/Nimperiments

Various one-off pentesting projects written in Nim. Updates happen on a whim. - RePRGM/Nimperiments

[**Evil Lsass Twin**](https://github.com/RePRGM/Nimperiments/tree/main/EvilLsassTwin)
5 months, 3 weeks ago
[**IronSharpPack**](https://github.com/BC-SECURITY/IronSharpPack)

IronSharpPack

IronSharpPack is a repo of popular C# projects that have been embedded into IronPython scripts that execute an AMSI bypass and then reflective load the C# project. IronPython and the DLR have very little, if any, instrumentation that makes it an effective language for the execution of these assemblies. It was inspired by S3cur3Th1sSh1t's popular PowerSharpPack project. The C# assemblies were pulled from Flangvik's Sharp Collection.

5 months, 3 weeks ago
[**LetMeowIn**](https://github.com/Meowmycks/LetMeowIn)

LetMeowIn

A sophisticated, covert LSASS dumper using C++ and MASM x64.

Avoids detection by using various means, such as:

- Manually implementing NTAPI operations through indirect system calls
- Breaking telemetry features (i.e. ETW)
- Polymorphism through compile-time hash generation
- Obfuscating API function names and pointers
- Duplicating existing LSASS handles instead of opening new ones
- Creating offline copies of the LSASS process to perform memory dumps on
- Corrupting the MDMP signature of dropped files

5 months, 3 weeks ago
[**obfus.h**](https://github.com/DosX-dev/obfus.h)

obfus.h

obfus.h is a macro-only library for compile-time obfuscating C applications, designed specifically for the Tiny C (tcc). It is tailored for Windows x86 and x64 platforms and supports all versions of the compiler.

• Function Call Obfuscation: Confuse function calls to make your code less readable to unauthorized eyes.
• Anti-Debugging Techniques: Built-in mechanisms to prevent code analysis during runtime.
• Control Flow Code Mutation: Turns code into spaghetti, making it difficult to parse conditions and loops
