1N73LL1G3NC3


Channel geo and language: not specified, English
Category: Darknet


Any misuse of this info will not be the responsibility of the author, educational purposes only.
Admin: @X0red


FetchPayloadFromDummyFile

A tool to obfuscate your payload while reducing entropy by converting the payload to arrays of offsets.

Using the OffsetArrayBuilder program, one can create an array of DWORD values, where each element in this array represents an offset of where a payload's byte is located in a dummy file specified by the user. For example, at offset 0x30A (778 in decimal) in the dummygif.gif file we'll find the first byte of our payload (0xFC).

The PoC reads the dummygif.gif file and searches for matching bytes with the payload, saving the indexes of where the elements matched in an array. In the execution implementation, you only need the offset array and the same dummy file.
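The offset-table scheme described above, shown from an analyst's side as an added example (this is not the FetchPayloadFromDummyFile or OffsetArrayBuilder code). The dummy file and the payload bytes are constructed inline; the example recovers the original bytes from a dummy file plus an offset table, and measures the Shannon entropy of the payload against the entropy of the DWORD offset table, which is why an entropy-only heuristic does not flag the table.

```python
import math
from collections import Counter
from typing import Sequence


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_offset_table(dummy: bytes, payload: bytes) -> list:
    """For every payload byte, record one offset in `dummy` holding that byte value.

    Raises ValueError when a byte value never occurs in the dummy file: the
    scheme cannot encode such a payload with that file at all.
    """
    first_seen = {}
    for i, b in enumerate(dummy):
        first_seen.setdefault(b, i)
    table = []
    for b in payload:
        if b not in first_seen:
            raise ValueError(f"byte 0x{b:02x} is absent from the dummy file")
        table.append(first_seen[b])
    return table


def table_to_dwords(table: Sequence[int]) -> bytes:
    """Serialise the offsets as little-endian DWORDs, as they would sit in a binary."""
    return b"".join(int(o).to_bytes(4, "little") for o in table)


def recover_payload(dummy: bytes, table: Sequence[int]) -> bytes:
    """Analyst side: with the dummy file and the offset table, rebuild the payload."""
    return bytes(dummy[o] for o in table)


# Constructed test data (hypothetical, not a real sample). The dummy file is a
# deterministic permutation-based byte stream so every byte value occurs; the
# "payload" starts with 0xFC as in the text and is otherwise a readable marker.
DUMMY = bytes((i * 131) % 256 for i in range(1024))
PAYLOAD = b"\xfcCONSTRUCTED-PAYLOAD-BYTES"


def entropy_comparison(dummy: bytes = DUMMY, payload: bytes = PAYLOAD) -> dict:
    """Return payload entropy, offset-table entropy and whether recovery round-trips."""
    table = build_offset_table(dummy, payload)
    return {
        "payload_entropy": shannon_entropy(payload),
        "table_entropy": shannon_entropy(table_to_dwords(table)),
        "round_trip_ok": recover_payload(dummy, table) == payload,
    }


if __name__ == "__main__":
    result = entropy_comparison()
    print(f"payload entropy: {result['payload_entropy']:.2f} bits/byte")
    print(f"offset table entropy: {result['table_entropy']:.2f} bits/byte")
    print(f"recovered payload matches: {result['round_trip_ok']}")
```

The high bytes of each DWORD are mostly zero for any dummy file under 16 MB, which is what drags the table's entropy down; a detection that keys on entropy alone will therefore miss it, while a check that the accompanying dummy file is read and indexed at runtime, or that the recovered bytes match a known signature, still works.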


GrimResource - Microsoft Management Console for initial access and evasion

Elastic Security Labs has discovered a new method for initial access and evasion in the wild, termed GrimResource. It allows attackers to gain full code execution in the context of mmc.exe after a user clicks on a specially crafted MSC file.

Pop Calc POC: https://gist.github.com/joe-desimone/2b0bbee382c9bdfcac53f2349a379fa4


LogHunter

Opsec tool for finding user sessions by analyzing event log files through RPC (MS-EVEN)

Youtube POC


The Dark Side of EDR: Repurpose EDR as an Offensive Tool

See how a SafeBreach Labs researcher bypassed the anti-tampering mechanism of a leading EDR to execute malicious code within one of the EDR’s own processes and altered the mechanism to gain unique, persistent, and fully undetectable capabilities.


Reposted from: APT
poc.gif (6.5 MB)
🌀Voidgate

A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.

🔗 Source
https://github.com/vxCrypt0r/Voidgate

#av #edr #evasion #hwbp #cpp


CVE-2024-28995: High-Severity Directory Traversal Vulnerability affecting SolarWinds Serv-U.

SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine.

POC: https://github.com/rapid7/metasploit-framework/pull/19255

Query:
Hunter: protocol.banner="Serv-U FTP"
FOFA: app="SolarWinds-Serv-U-FTP"
SHODAN: product:"Serv-U ftpd"


RdpStrike

Positional Independent Code to extract clear text password from mstsc.exe using API Hooking via HWBP

The RdpStrike is basically a mini project I built to dive deep into Positional Independent Code (PIC) referring to a blog post, chained with RdpThief tool. The project aims to extract clear text passwords from mstsc.exe, and the shellcode uses Hardware Breakpoint to hook APIs. It is a complete positional independent code, and when the shellcode injects into the mstsc.exe process, it is going to put Hardware Breakpoint onto three different APIs (SspiPrepareForCredRead, CryptProtectMemory, and CredIsMarshaledCredentialW), ultimately capturing any clear-text credentials and then saving them to a file. An aggressor script makes sure to monitor for new processes; if the process mstsc is spawned, it injects the shellcode into it.


CVE-2024-29855 Veeam Recovery Orchestrator Authentication Bypass

Veeam Recovery Orchestrator is affected by an authentication bypass allowing an unauthenticated attacker to bypass the authentication and log in to the Veeam Recovery Orchestrator web UI with administrator privileges. The CVSS for this vulnerability is 9.0.

Technical Analysis: https://summoning.team/blog/veeam-recovery-Orchestrator-auth-bypass-CVE-2024-29855/


Reposted from: Offensive Twitter
😈 [ Lawrence @zux0x3a ]

Released .NET tool for extracting Windows Defender exclusions & ASR rules! 🌟

🔹 Works from low user context.
🔹 Supports local & remote queries
🔹 Extracts paths from Event ID 5007 and ASR from Event ID 1121 using regex
🔹 Enumerates ASR rules from the MSFT_MpPreference WMI class (works perfectly from low user context as well).
🔹 Displays results in a clean, tabulated format
Works smoothly with inline-assembly!

🔗 https://github.com/0xsp-SRD/MDE_Enum

🐥 [ tweet ]


CVE-2024-26229-BOF (Windows LPE)

Beacon Object File (BOF) implementations from NVISO of CVE-2024-26229 for Cobalt Strike and BruteRatel.


Progressive Web Apps (PWAs) Phishing

More fake URL bars :)

A user lands on index.html and clicks the "Install Microsoft Application" button. The install app prompt appears and once it is installed by the user, the JavaScript embedded in index.html redirects the PWA window to the phishing page that has a fake URL bar at the top (i.e. mrd0x.html). Ensure that you're testing this over HTTPS to avoid encountering issues.

POC: https://github.com/mrd0x/PWA-Phishing


CVE-2024-23692: Unauthenticated RCE Flaw in Rejetto HTTP File Server

It allows remote attackers to execute arbitrary code on affected servers without authentication, potentially leading to data breaches, ransomware attacks, and complete system compromise.

Blog: https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/

Query:
Hunter: /product.name="HTTP File Server" and web.body="Rejetto"
FOFA: product="HFS"
SHODAN: product:"HttpFileServer httpd"


CVE-2024-26229 Windows LPE (PoC)

Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code in the csc.sys driver


Reposted from: APT
🖥 Veeam Enterprise Manager Authentication Bypass

May 21st, Veeam published an advisory stating that all versions before Veeam Backup Enterprise Manager 12.1.2.172 are affected by an authentication bypass allowing an unauthenticated attacker to bypass the authentication and log in to the Veeam Backup Enterprise Manager web interface as any user. The CVSS for this vulnerability is 9.8.

🔗 Source:
https://summoning.team/blog/veeam-enterprise-manager-cve-2024-29849-auth-bypass/

🔗 PoC:
https://github.com/sinsinology/CVE-2024-29849

#veeam #authentication #bypass #cve


Bypassing EDR NTDS.dit protection using BlueTeam tools.

Link (path as captured): @0xcc00/bypassing-edr-ntds-dit-protection-using-blueteam-tools-1d161a554f9f

During an internal penetration test, Cortex EDR was installed in the domain controller. After obtaining Domain Admin privileges on the network, the EDR blocked all known attempts to extract the NTDS hashes. In this article, I'll share a technique I used to bypass this obstacle.


Disable-TamperProtection

A POC to disable TamperProtection and other Defender / MDE components

It is possible to abuse SYSTEM / TrustedInstaller privileges to tamper or delete WdFilter settings (ALTITUDE regkey) and unload the kernel minidriver to disable Tamper protection and other Defender components. This also affects Microsoft's Defender for Endpoint (MDE), blinding MDE of telemetry and activity performed on a target.

An example, to use the POC is as follows:
1 — Unload WdFilter
2 — Disable Tamper Protection
3 — Disable Defender / MDE components
4 — Reinstate / restore the WdFilter

Blog: Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components

POC Demo: https://youtu.be/MI6aVDHRix8

This vulnerability, during testing was found to affect the following versions of Windows:
• Windows Server 2022 until BuildLabEx Version: 20348.1.amd64fre.fe_release.210507-1500 (April 2024 update)
• Windows Server 2019
• Windows 10 until BuildLabEx Version: 19041.1.amd64fre.vb_release.191206-1406 (April 2024 update)
• Windows 11 until BuildLabEx Version: 22621.1.amd64fre.ni_release.220506-1250 (Sep 2023 update).


Two weeks before the launch of Recall on the new Copilot+ PCs on June 18, Recall was beaten and spat on. While everyone is looking forward to the release of this Spyware from Microsoft, here are some memes about the current situation.


CVE-2024-27348 Apache HugeGraph Server RCE Scanner

The scanner will run 4 commands on the target (host, ping, curl, wget), in case one of the utilities is not found.

You can read the analysis for the vulnerability from here: https://blog.securelayer7.net/remote-code-execution-in-apache-hugegraph/

Query:
Hunter: /product.name="Apache HugeGraph"
FOFA: app="HugeGraph-Studio"
SHODAN: http.title:"HugeGraph"


PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution PoC

This vulnerability affects all versions of PHP installed on the Windows operating system:
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29


CVE-2024-4577 Yet Another PHP RCE (Argument Injection in PHP-CGI)

PHP overlooked the Best-Fit character conversion feature in Windows during its design. When PHP-CGI runs on the Windows platform and uses specific code pages (Simplified Chinese 936, Traditional Chinese 950, Japanese 932, etc.), attackers can craft malicious requests to bypass the CVE-2012-1823 patch. This allows them to execute arbitrary PHP code without the need for authentication.

Query:
Hunter: header.server="PHP"
FOFA: app="XAMPP"
FOFA: server="PHP"
SHODAN: server: PHP
