
Iran Security Group Hacking and Security Forum - Iran Security Group


All Activity


  1. Today
  2. Dr Beam

    Solving the Control challenge from Hack The Box

    00:00 - Start
    01:02 - Begin of nmap
    04:00 - Checking out the webpage, notice an IP in the comments and run GoBuster to discover /uploads/. Run GoBuster on /uploads/ looking for PHP files
    07:50 - Begin fuzzing Proxy Headers with wfuzz to access admin.php
    12:30 - Using Python's netaddr to generate an IP List based upon subnet, discovering X-Forwarded-For: 192.168.4.28 allows access to admin.php
    15:30 - Having BurpSuite automatically add the x-forwarded-for header to our requests
    16:45 - Explaining a reason why this header exists in the first place
    19:25 - Discovering Union injection on the admin page
    22:45 - Telling SQLMap to run in the background, while we manually enumerate this ourselves.
    24:00 - Using Group_Concat to return multiple rows in a union injection and enumerate the INFORMATION_SCHEMA Database
    33:30 - Using LOAD_FILE and TO_BASE64 in our SQL Injection to extract source code from the webserver
    39:30 - Enumerating who has the FILE privilege in the database, showing SQLMAP gives us some bad info
    48:50 - Grabbing user hashes out of the database with our injection then cracking them to discover hector's password
    51:30 - Using OUTFILE in our injection to drop a php webshell to the server
    58:05 - Having trouble getting a reverse shell back, assuming it is defender so changing the name of some functions to bypass it
    1:04:02 - Using powershell to run a command as hector with the password we cracked from the database
    1:08:15 - Running WinPEAS and going over what it finds, looks like it misses some permissions around editing services
    1:14:30 - Looking at the PSReadLine directory to get some powershell history and a hint at enumerating permissions in the registry
    1:15:40 - Running ConvertFrom-SddlString to make sense of the registry permissions
    1:21:20 - Listing services on the box, then shrinking the number by only showing ones that run as LocalSystem with a Manual startup type
    1:26:00 - Shrink the list some more by only showing the services that our user has permission to startup
    1:35:30 - Showing the "SC" command cannot set the BinPath of services, need to do this via registry
    1:38:00 - Changing the ImagePath of the wuauserv service in the registry via PowerShell
    1:41:15 - Setting the ImagePath to be a reverse shell via netcat, then starting the service to get a shell as LocalSystem
  3. Root SmasheЯ

    Codetective - Detect crypto/encoding

    Sometimes we run into hashes and other artefacts and can't figure out where they came from and how they were generated. This tool is able to recognise the output format of many different algorithms in many different possible encodings for analysis purposes. It also infers the level of certainty for each finding based on traces of its representation. This may be useful e.g. when you are testing systems from a security perspective and are able to grab a password file with hashed contents, maybe from an exposed backup file or by dumping memory. This may also be useful as part of a fingerprinting process or simply to verify valid implementations of different algorithms. You may also try running this tool against network traffic captures or large source code repositories to look out for interesting stuff. Supported filters are: win, web, unix, db, personal, crypto and other. Recognised formats: web-cookie, mssql2000, md5, URL, md4, phone number, credit cards, mssql2005, lm hash, ntlm hash, MySQL4+, MySQL323, base64, SAM(*:ntlm), SAM(lm:*), SAM(lm:ntlm), RipeMD320, sha1, sha224, sha256, sha384, sha512, whirpool, CRC, des-salt-unix, sha256-salt-django, sha256-django, sha384-salt-django, sha384-django, sha256-salt-unix, sha512-salt-unix, apr1-salt-unix, md5-salt-unix, md5-wordpress, md5-phpBB3, md5-joomla2, md5-salt-joomla2, md5-joomla1, md5-salt-joomla1, blowfish-salt-unix, uuid, JWT, secrets in code. Download Codetective [Hidden Content]
  4. This scanner will check for a random meeting ID and return information if available. Download Tangalanga [Hidden Content]
  5. Root SmasheЯ

    Gasmask

    GasMask is an all-in-one Open-Source Intelligence (OSINT) tool, designed to help Penetration Testers and Red Teams effectively gather information from publicly available sources. GasMask is useful for Penetration Testers and Red Teams that wish to collect as much information as possible about a target client. Information gathering is the most critical step to discover preliminary information about the systems, their software and the people involved with the target. Download Gasmask [Hidden Content]
  6. Kubernetes Goat is a vulnerable environment for practising vulnerability testing on Kubernetes. Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

    Scenarios:
    - Sensitive keys in code bases
    - DIND (docker-in-docker) exploitation
    - SSRF in the K8S world
    - Container escape to access the host system
    - Docker CIS Benchmarks analysis
    - Kubernetes CIS Benchmarks analysis
    - Attacking a private registry
    - NodePort exposed services
    - Helm v2 tiller to PwN the cluster
    - Analysing a crypto miner container
    - Kubernetes Namespaces bypass
    - Gaining environment information
    - DoS of memory/CPU resources
    - Hacker Container preview

    Download Kubernetes Goat [Hidden Content]
  7. Yesterday
  8. Dr Beam

    Solving the Sniper challenge from Hack The Box

    01:05 - Begin of Nmap scans
    02:30 - Checking out the website and running a few GoBuster dir searches
    04:50 - Examining Links on the blog page and discover a LFI Vulnerability in the LANG Parameter
    08:20 - Discovering .. is a bad character, working around it by starting the path with a slash
    10:28 - Testing RFI via SMB, then failing to steal a hash and use Impacket's SMBServer
    12:50 - Configuring SMBd to host a share that is accessible by anonymous users
    15:00 - Testing the SMB Share locally, then testing the RFI with just text, and finally putting a PHP Script for code execution.
    19:10 - Powershell Reverse Shells fail, find out we are in constrained language mode, switch to netcat for reverse shell
    24:30 - Reverse Shell Returned!
    29:00 - Discovering Chris's password then using Powershell to run a command as him to upgrade the shell.
    40:10 - Going over to Windows to create a malicious CHM file with Nishang's out-chm (via NC on a SMB Share)
    46:55 - Copying the malicious CHM File to c:\Docs and not getting any shell. Simplify the exploit to run ping instead.
    51:30 - Using Out-CHM to have it execute NC out of c:\users\chris\downloads\ instead of a SMB Share and getting shell as administrator
    53:25 - Start of doing the box the second way.
    54:15 - Explaining the LFI + PHP Session Exploit Chain
    56:30 - Identify bad characters by creating a in python to create accounts and test logins
    1:07:00 - Testing minimal php code for code execution
    1:08:30 - Testing Code execution with Powershell Encoded commands
    1:18:26 - Downloading Netcat to the box then executing it for a reverse shell
    1:23:00 - Uploading Chisel to the box then forwarding ports 3306 and 5985 to us
    1:31:40 - Using Evil-WinRM to get a shell on the box as chris through our chisel tunnel
    1:32:20 - Creating a CHM File that includes a file off a SMB Server so we can use Responder to steal the hash
    1:40:00 - Uploading the CHM and stealing the hash with Responder
    1:31:20 - Using Hashcat to crack a NetNTLMv2 hash from Hashcat (5600)
    1:42:40 - Using PSexec to remote into the box
  9. Last week
  10. Dr Beam

    Solving the Forest challenge from Hack The Box

    01:15 - Running NMAP and queuing a second nmap to do all ports
    05:40 - Using LDAPSEARCH to extract information out of Active Directory
    08:30 - Dumping user information from AD via LDAP then creating a wordlist of users
    12:10 - Creating a custom wordlist for password spraying with some bashfu and hashcat
    18:30 - Using CrackMapExec to dump the password policy of Active Directory using a null authentication, then doing a Password Spray
    22:00 - Enumerating information out of AD using rpcclient and null authentication
    28:10 - Now that our PWSpray is running in the background, let's go through Impacket Scripts to see what works.
    29:30 - Using GetNPUsers to perform an ASREP Roast (Kerberos PreAuth) with Null Authentication to extract SVC-ALFRESCO's hash. Then Cracking it.
    36:20 - Using Evil-WinRM to get a shell on the box with SVC-ALFRESCO's credentials
    37:30 - Setting up a SMBShare, using New-PSDrive to mount the share, then running WinPEAS
    42:20 - Going over WinPEAS Output
    44:20 - Downloading Bloodhound and the SharpHound Ingestor
    48:50 - Importing the Bloodhound Results and finding an AD Attack Path
    52:10 - Going over the Account Operators Group (will allow us to create an account)
    53:30 - Using Net User to create a new user, then adding it to the Exchange Group
    58:40 - Downloading the PowerSploit Dev Branch to utilize the function "Add-DomainObjectAcl"
    01:01:40 - Some basic troubleshooting when the command goes wrong, then giving ippsec the DCSync Rights
    01:02:30 - Performing SecretsDump to perform a DCSync and extract hashes, then PSEXEC with Administrator to gain access
    01:07:10 - Going over the "--users" option in hashcat so you can easily identify whose hash was cracked
    01:10:43 - Using the KRBTGT Hash to perform the GoldenTicket attack from Linux
    01:35:11 - Showing it worked. Issues were we could not use IP Addresses anywhere in the command and need FQDN for the domain. Create entries in the Hosts file if DNS is not there.
  11. Dr Beam

    Solving the Fatty challenge from Hack The Box

    00:00 - Intro
    02:10 - Using wget to recursively download files off an anonymous FTP Server
    06:00 - Attempting to execute the Java Thick Client, then switching to Java version 8 and trying again
    08:00 - Seeing the Thick Client makes some DNS Requests, make the DNS Request resolve and attempt to intercept with Burp
    11:00 - BurpSuite failed us, using SOCAT to forward the traffic and exploring the Thick Client features
    15:20 - Using CFR to decompile a Java JAR File then VS Studio Code to analyze the source
    20:40 - Downloading Eclipse and then configuring it to utilize Java 8 and creating a Hello World Java Application
    25:30 - Importing a Java JAR File into our Java Project then calling Login
    33:40 - Replicating the functionality to identify what Role we are, then other functions
    37:45 - Calling the Invoker Class to execute methods on the server
    42:50 - Attempting to call methods that the GUI prohibited us from
    45:30 - Using ShowFiles to see we can list files in our parent directory, then using Open to download files
    53:40 - Failing to download the fatty-server.jar file due to encoding issues
    58:40 - Unsealing the JAR File so we can edit the Invoker Class Object to fix our encoding issue by creating a binaryOpen function
    1:10:00 - Utilizing our new binaryOpen function to write to a file
    1:14:45 - Debugging a null pointer error, our binaryOpen function returned nothing!
    1:21:00 - Decompiling the downloaded fatty server and analyzing it to discover a SQL Injection and Deserialization vector
    1:28:50 - Playing with SQL Injections in the username to get an admin session
    1:40:00 - Modifying the ChangePW Function to allow us to send malicious payloads, then using ysoserial to generate a payload
    1:48:30 - Using CommonsCollections5 to generate a malicious payload to send and getting a reverse shell
    1:57:17 - Getting PsSpy on the box and discovering SCP is pulling files
    1:59:50 - Explaining what our exploit path is, having a tar overwrite itself and point to authorized_keys then the next time it is copied it overwrites auth_key
    2:04:50 - Reverse shell returned, attempting to explain the exploit vector again
  12. Root SmasheЯ

    Evasor

    The Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. It is very easy to use, quick, saves time and is fully automated; it generates a report for you including descriptions, screenshots and mitigation suggestions, and suits both blue and red teams in the assessment of a post-exploitation phase. Download Evasor [Hidden Content]
  13. Root SmasheЯ

    OSS-Fuzz

    Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. Google has found thousands of security vulnerabilities and stability bugs by deploying guided in-process fuzzing of Chrome components, and we now want to share that service with the open source community. In cooperation with the Core Infrastructure Initiative, OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution. Currently, OSS-Fuzz supports C/C++, Rust, and Go code. Other languages supported by LLVM may work too. OSS-Fuzz supports fuzzing x86_64 and i386 builds. Download OSS-Fuzz [Hidden Content]
  14. Root SmasheЯ

    BrowseSpy

    Be sure to change the ftp variables throughout the code; these variables contain the username, password, & IP address of the FTP server which receives the files. This code will do the following:
    - Copy itself into the %TMP% directory & name itself ursakta.exe
    - Add a registry entry to execute itself each time the user logs in
    - Verify which browser the user is using (Chrome, Firefox or Brave)
    - Search for files within the Chrome, Firefox, or Brave browser directories
    - Create a directory on our FTP server then send the files in the browser's directory to the FTP server

    Download BrowseSpy [Hidden Content]
  15. Root SmasheЯ

    CSnitch

    cnitch (snitch or container snitch) is a simple framework and command line tool for monitoring Docker containers to identify any processes which are running as root. At present cnitch has the capability of reporting to StatsD and StdOut. Reporting backends are extensible to make it easy to support any backend; for example it would be a fairly trivial process to build a backend to support Logstash or another log file aggregation tool.

    StatsD: The exceptions are sent to the StatsD endpoint as a count using the cnitch.exception.root_process metric. The metrics are also tagged with the host name of the cnitch instance and the container name.

    StdOut: The StdOut logger is a simple output logger which sends the reported exceptions to StdOut.

    Download CSnitch [Hidden Content]
  16. Recently, confidential information belonging to Intel was leaked on the internet by an unknown hacker; it includes Intel processor architecture documentation and other confidential company documents. This information is currently available via the torrent below: magnet:?xt=urn:btih:38f947ceadf06e6d3ffc2b37b807d7ef80b57f21&dn=Intel%20exconfidential%20Lake%20drop%201 More information about this data leak
  17. Recently
  18. Dr Beam

    Solving the Rope challenge from HackTheBox

    00:00 - Intro
    01:10 - Nmap the box, then play with the WebServer. 404 msg are interesting
    05:15 - Discovering Directory Traversal and then grabbing the webserver by going to /proc/self/cwd/
    09:25 - Opening the binary up in Ghidra and exploring the binary to understand what it does
    18:35 - Discovering we have control over the first argument in log_access/printf
    20:05 - Showing one of my most hated things about debugging forks. Be sure to always kill the process!
    21:05 - Using GDB to help us analyze the log_access call, by breaking and examining the stack
    24:00 - Begin of PrintF Exploitation, leak a bunch of memory addresses, then identify a spot in memory where we control
    28:40 - Starting to write an exploit script
    30:50 - Grabbing /proc/self/maps to obtain a memory map which helps bypass ASLR. Analyze the binary again and see it supports the "RANGE" HTTP Header which is required to grab these special files
    34:30 - Back to Coding the exploit script, now that we can grab the process map
    41:25 - Testing our leaking/rebasing code to verify we are leaking correctly then using fmtstr_payload to automate the exploit
    47:00 - Running the exploit, seeing the output of "GET" on the Server's STDOUT... Lots of fighting with a debugger to show exactly what happened (explain it later, may want to skip to the next part)
    01:01:30 - Replacing GET in our request with commands, to see it is running them. Placing a reverse shell here using IFS as space.
    01:03:50 - Changing the exploit to use the target... For some reason we have the wrong libc version, once we figure that out it works.
    01:08:25 - Going to /proc/self/maps again to leak the path of libc, redownloading it and then we instantly get a shell. Drop SSH Keys and SSH in
    01:11:30 - Going back.. the issues with debugging the printf exploit, to explain it. The issue we had was system() calls fork and we followed it
    01:17:00 - John can sudo the readlogs binary, analyze it with ghidra/ldd to see it calls a printlog() option in a custom library that is chmod'd to 777
    1:21:10 - Creating a custom library that replaces printlog() with a system("/bin/bash") call, uploading and getting our shell. Drop an SSH Key and go in via ssh
    1:26:00 - Examining the contact bin in Ghidra, this one is stripped so it will be a bit more pain to navigate
    1:31:20 - Explaining the buffer overflow in the recv() call -- Then lots of fighting with gdb to get to a part of the code to explain overwriting the canary
    1:46:49 - Partially overwriting the canary and showing it in GDB, then explaining how it's like a padding oracle attack due to it not changing.
    1:50:10 - Begin the exploit script, start off with creating our threaded bruteforcer() class.
    2:02:45 - Explaining what our code will do, then running it and fixing errors
    2:11:30 - Testing our program to see we can leak the canary. Then leaking RBP and RIP
    2:14:50 - Using VMMAP to aid us in rebasing the binary to bypass ASLR.
    2:18:22 - Using pwntools to create a write() gadget to leak a libc address, then rebase libc
    2:23:35 - Since Canary/RBP/RIP are always the same, let's just hard code those variables for now to save time
    2:25:30 - Going over the ROP Gadget, then verifying the libc address is correct and doing dup2,dup2,execve for code execution
    2:35:40 - Found why the ExecVE wasn't working, didn't update the rop variable name, so ran libc leak twice
    2:36:30 - Updating the code to work remotely. Use Chisel to forward port 1337 to our box
    2:45:30 - Printing a few more debug things so we know the code is working, downgrading the # of workers, then running it remotely, to get a shell
    2:48:50 - Showing we don't need the Pop RDI because RDI is already set as the FD
    2:54:19 - Removing the first 16 bytes of our libc leak, to skip over RDI
    2:56:40 - Removing the RDI's from our Dup2 calls
    3:00:35 - Removing all the PwnTools magic from our binary, manually rebasing
    3:02:30 - Manually specifying the addresses for everything, gadgets (ropper), objdump (PLT), ReadElf (GOT), Strings (binsh)
    3:14:00 - Leaking libc gadget works. Repeating everything we did here with LibC and building the execve gadget
    3:23:30 - Begin of manual PrintF, showing the liveoverflow videos I recommend watching.
    3:35:15 - Creating the printf payload (have a typo, should be %4x)
    3:38:35 - Going to the printf call in GDB, examining the GOT PUTS address before/after to see we screwed up
    3:42:30 - Had the wrong address for PUTS in our printf payload, put the correct one in and examine the call in GDB to see puts@got is now 0xc
    3:44:17 - Explaining why we want to break the SYSTEM() address into two 2 byte pieces instead of one 4 byte... Modifying our PrintF Payload to allow this. This piece should really show what the "n" variable does in printf
    3:47:09 - Our memory address is close to what we want for SYSTEM, modifying the number slightly
    3:49:20 - Address matches! Running the exploit with our reverse shell and hand crafted printf payload to show it works.
  19. Dr Beam

    Solving the Resolute challenge from HackTheBox

    00:00 - Intro
    01:08 - Talking about my switch to Parrot
    02:00 - Begin of nmap, discovering it is likely a Windows Domain Controller
    04:30 - Checking if there are any open file shares
    06:11 - Using RPCClient to enumerate domain users (enumdomusers)
    07:55 - Using CrackMapExec to dump the PasswordPolicy
    08:45 - Using RPCClient to dump Active Directory information (querydispinfo)
    10:45 - Bruteforcing accounts via CrackMapExec with password of Welcome123!
    14:30 - Using Evil-WinRM to remote into the server as Melanie
    15:40 - Building the latest version of Seatbelt on CommandoVM (The DotNet version is incompatible)
    17:40 - Explaining some cool bash one line tricks, then linking Egypt's "One liners to rule them all" talk
    24:40 - Changing Seatbelt to compile to Version 4.0 then trying again.
    26:30 - Finally examining the Seatbelt output, see the PSTranscript Directory and a Custom group in DNSAdmins
    29:50 - Using RPCClient to Enumerate members of the Contractors group (enumdomgroups/querygroupmem)
    35:30 - Running WinPEAS to compare the differences
    38:30 - Exploring hidden directories to see PSTranscripts, then finding credentials in a powershell log
    44:20 - Using Evil-WinRM with the password from a PSTranscript File to get shell as Ryan
    45:40 - Quickly going over how to execute code on a Domain Controller as a DNS Admin
    46:10 - Using MSFVenom to create a Reverse Shell DLL (we'll do this better at end of the video)
    49:10 - Using DNSCMD to have the DNS Server execute our MSFVenom created DLL from a SMB Network Path... Works but hangs the DNS Server
    52:50 - Using the DNS-EXE-Persistance to help us create a better way to do the Reverse Shell
    53:03 - Explaining the DNSCMD Exploit path on how it can be used both for lateral movement and privesc
    54:50 - Start of creating the DLL to use with this DNS Exploit
    56:45 - Grabbing a C++ Reverse Shell program from github to add to our DNS Exploit Project, then modify it to execute as a thread
    01:02:20 - Showing that we get a Reverse shell and DNS Keeps running
    01:03:52 - Removing the "CreateThread" portion of our code to show that was needed, without CreateThread the DNS Server hangs because it stops on the RevShell code
  20. Root SmasheЯ

    CWFF - Custom wordlists for fuzzing

    CWFF is a tool that creates a special high quality fuzzing/content discovery wordlist for you at the highest speed possible using concurrency. Download CWFF [Hidden Content]
  21. Root SmasheЯ

    Osintgram

    Osintgram is an OSINT tool for Instagram. It offers an interactive shell to perform analysis on the Instagram account of any user by its nickname.
    - info: Get target info
    - addrs: Get all registered addresses by target photos
    - followers: Get target followers
    - followings: Get users followed by target
    - hashtags: Get hashtags used by target
    - likes: Get total likes of target's posts
    - comments: Get total comments of target's posts
    - tagged: Get list of users tagged by target
    - photodes: Get description of target's photos
    - photos: Download user's photos in output folder
    - captions: Get user's photos captions
    - mediatype: Get user's posts type (photo or video)
    - propic: Download user's profile picture

    Download Osintgram [Hidden Content]
  22. Arcane is a simple script designed to backdoor iOS packages (iphone-arm) and create the necessary resources for APT repositories. It was created to help illustrate why Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device. Download Arcane [Hidden Content]
  23. Hello. There are many ways to bypass rate limiting. In this tutorial we point out a number of these techniques, which can be a starting point for going further down this path.

    Bypassing rate limits using headers

    A number of headers can be used in a way that bypasses the rate limit; this requires that the web server and the application have no security measures in place for such headers. To do this, simply use the following headers when sending the request:

    X-Forwarded-For: IP
    X-Forwarded-Host: IP
    X-Client-IP: IP
    X-Remote-IP: IP
    X-Remote-Addr: IP
    X-Host: IP

    Whenever your IP is blocked, put a new IP in the IP field and test your request again. Sometimes sending several of these headers together also bypasses the rate limit because of incorrect configuration.

    Bypassing rate limits when a captcha is present

    You have surely come across Google's captcha while examining sites. A few tricks for these situations:

    1. Remove the captcha parameters from the request body
    2. Add a string with exactly the same character length as the existing security parameter
    3. If you use Burp Suite, turn Intercept on and send the request to Intruder. Sometimes this causes unexpected results in the application.

    Bypassing rate limits with characters

    1. Sometimes using a null byte (%00) at the end of the email field bypasses the restriction.
    2. Adding a space (without encoding it) at the end of the email field.
    3. Using other characters such as %0d %2e %09 %20
  24. Dr Beam

    Solving the Nest challenge from HackTheBox

    00:00 - Intro
    01:00 - Showing why we should run NMAP as root or sudo.
    04:40 - Running nmap to see only SMB is open, start a full port scan and move on
    05:45 - Enumerating SMB (Port 445) with CrackMapExec, SMBClient, and SMBMap to explore how each program works
    08:20 - Running SMBClient to mount the share
    09:20 - Installing CIFS-Utils so we can mount SMB and run commands like find against the share
    11:30 - Discovering a password, doing a credential spray and getting some odd results
    17:20 - Mounting the shares as TempUser to discover we have access to more files
    22:00 - Using iconv to cat a windows text file because it showed a bunch of bad characters
    25:00 - Viewing the NotepadPlusPlus files to see the path of a file in the Secure$ Directory, we can get into this folder
    27:00 - Downloading the source-code to RUScanner in the User share
    29:30 - Switching to Windows so we can use Visual Studio to compile the RUScanner application and decrypt the password
    32:20 - Dropping the config in bin/debug and setting a breakpoint on the line of code which decrypts the password to view the output
    35:55 - Using CrackMapExec to validate these are valid credentials, then exploring the fileshares again
    39:50 - Exploring the application on port 4386 and showing why we need to use TELNET and not NC or NETCAT
    42:30 - Playing with the various options on port 4386
    44:58 - Using SMBClient to mount the Users directory as C.SMITH so we can use "allinfo" to see an ADS (Alternate Data Stream) Exists, then downloading the hidden password
    50:00 - Using the custom program on port 4386 and using the DEBUG Options to download the configuration file with an encrypted LDAP Password
    52:30 - Using DNSPY to decompile HqkLdap.exe
    56:00 - Editing the application to print the password
    58:20 - Running HqkLdap to get the decrypted password, which is the administrator password
    59:20 - Using psexec to get a shell on the box as the SYSTEM user
  25. Root SmasheЯ

    DeimosC2 - Golang C&C

    DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods in order to control machines that have been compromised. The DeimosC2 server and agents work on, and have been tested on, Windows, Darwin, and Linux. It is entirely written in Golang with a front end written in Vue.js.

    Listener Features
    - Each listener has its own RSA public and private key that is leveraged to wrap encrypted agent communications
    - Dynamically generate agents on the fly
    - Graphical map of listener and agents that are tied to it

    Agent Features
    - Agent list page to give a high level overview
    - Agent interaction page containing info of agent, ability to run jobs against agent, filebrowser, loot data, and ability to add comments

    Supported Agents
    - TCP
    - HTTPS
    - DoH (DNS over HTTPS)
    - QUIC
    - Pivot over TCP

    Frontend Features
    - Multi-User support with roles of admin and user
    - Graphs and visual interaction with listeners and agents
    - Password length requirements
    - 2FA Authentication using Google MFA
    - Websocket API Calls

    Download DeimosC2 [Hidden Content]
  26. Dr Beam

    Solving the Monteverde challenge from HackTheBox

    00:00 - Intro
    00:54 - Begin of recon
    03:36 - Using rpcclient with null authentication and dumping active directory users
    06:26 - Building a password list with hashcat --stdout (Forest Video does it better)
    08:41 - CrackMapExec shows SABatchJobs:SABatchJobs are valid credentials
    12:06 - Using SMBMap to list contents of directories
    16:20 - Using SMBMap to download azure.xml which has a hardcoded credential in it then testing with WinRM to see if we can get a shell
    19:50 - Downloading and running Seatbelt on the server
    25:20 - Running WinPEAS for a second opinion
    27:45 - Talking about the Azure Admins group
    28:55 - Playing with SQLCMD to view the MSSQL Database
    30:45 - Downloading and running PowerUpSQL to see if there's any obvious escalation paths
    37:00 - Using XP_DIRTREE to connect to our Responder Instance and leak a NetNTLMv2 hash (I should have noticed it's the machine account due to the username ending with a $, these are pretty much never crackable)
    39:45 - Searching google to find XPNSec's post on "Azure AD Connect for Red Teamers"
    43:00 - Running through the commands with SQLCMD to understand what is going on
    48:20 - Executing the Azure AD Connect decryption script and having Evil-WinRM Crash on us
    49:10 - Stepping through the script to see where it is failing
    51:25 - Updating the SQL Connection script to work with our MSSQL Configuration, then fixing the script
    55:40 - Running the updated script, and getting the administrator password then using PSExec to get a system shell on the box
    58:30 - Using DNSPY to decompile the MCRYPT.DLL binary to just explore what is going on
    1:03:50 - Dumping the DNS Zone for MEGABANK.LOCAL via powershell
  27. Dr Beam

    Solving the ServMon challenge from HackTheBox

    00:00 - Intro
    00:50 - Start of NMAP
    03:45 - Using SMBClient to search for open shares (None)
    04:30 - Checking out the web page, some light fuzzing on login and examining how the language selection works
    07:55 - Taking a Screenshot on Parrot and pasting it into Cherry Tree (Shift+PrintScreen)
    14:30 - Checking out FTP and downloading the two txt files
    16:30 - Viewing port 8443, and realizing this page really hates firefox. Switch to Chromium
    19:05 - Using searchsploit to find there's a directory traversal exploit in NVMS
    20:05 - Grabbing Passwords.txt off Nathan's Desktop (filename was an FTP Note)
    22:50 - Using CrackMapExec to bruteforce logins for SMB and SSH (SSH bug already fixed in DEV Branch)
    26:00 - Logging in with SSH, then looking for WebServer directories
    30:20 - Examining the NSClient directory to view the config
    33:40 - Using SSH to setup a port forward
    35:50 - Lots of flailing around trying to get code execution
    44:00 - Enough flailing, box reverted and do a clean run of this exploit
    49:00 - Flailing around trying to get Nishang to run... Defender is giving me issues.
    59:30 - Giving up with Defender Evasion, switching to nc.exe to get a reverse shell
    1:01:20 - Reverse shell returned as System, grabbing root.txt
  28. What is a bug? The word "bug" literally means an insect. In computer science the term is used to mean a software defect or flaw. Software defects come in many kinds and have different origins. Accordingly, errors that disrupt the correct execution of software are called bugs.
  29. Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10. It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled). Download Koadic [Hidden Content]