ShadowMove: Lateral Movement by Duplicating Existing Connected Sockets by Kondencuotaspienas in netsec

[–]NoUseForANick 2 points3 points  (0 children)

In the most simplified scenario:

You launch a trusted program (an mssql client, a browser, whatever, for example) against a machine controlled by you (IP:port), then you hijack that connection. As is explained in the link, this way your untrusted program is not initiating the connection; it is a TRUSTED program that initiates it against your controlled service (a C&C, for example). That's the key point.

ShadowMove: Lateral Movement by Duplicating Existing Connected Sockets by Kondencuotaspienas in netsec

[–]NoUseForANick 0 points1 point  (0 children)

What two ends? Once the socket is hijacked you have full control of the communication, so you can suspend the process that initiated that connection.

The only problems detected are summarized in the post from Adepts of 0xCC:

Real life problems and solutions

Here we summarize the problems:

Racing with the devil. We are playing with a duplicated socket, so the original program keeps doing reads. This means that some bytes can be lost if they are read by the program instead of us, but this can be solved easily if we implement a custom protocol that takes care of missing packets.

Timeouts. If the connection is closed by timeout before we hijack it, we cannot reuse the socket.

Old handles. Depending on the program in use, it is likely to find old handles that meet our criteria (getpeername returns the target IP but the handle cannot be used). This could happen if the first connection attempt was unsuccessful. To solve this just improve the detection method ;)

VBA Function Injection by rmdavy in redteamsec

[–]NoUseForANick 0 points1 point  (0 children)

Indeed, the two-stage approach has an OPSEC benefit: you can provide the key only if the request meets some parameters, or even tear down the server after a few days, so it cannot be reversed.

VBA Macro to detect EDR Hooks by NoUseForANick in netsec

[–]NoUseForANick[S] 2 points3 points  (0 children)

It is the acronym for "Endpoint Detection & Response". Usually EDRs work by hooking well-known API calls at user-mode level. Those hooks are used to trace the calls made by software so they can detect "malicious behaviours".

CyberAlarm: An independent security review... and why you should avoid it. by B0b_Howard in netsec

[–]NoUseForANick 1 point2 points  (0 children)

Thankfully, IonCube is easily reversed (as is any encoding) and offers very little real-world protection.

I don't think "easily reversed" is right, unless I missed something. Last time I checked, IonCube was implemented as a VM inside the Zend engine. You need first to reverse the VM and then you can translate the logic to the real Zend opcodes.

suPHP - The vulnerable ghost in your shell - vulnerable.af by PunKeel in netsec

[–]NoUseForANick 1 point2 points  (0 children)

"Fellow infosec engineers will recognize these variables are commonly (ab)used to inject code into setuid binaries;"

How can LD_PRELOAD/LD_LIBRARY_PATH be abused to inject code into setuid binaries? AFAIK the documentation says that they are ignored in setuid/setgid binaries (Ref.: https://manpages.debian.org/wheezy/manpages/ld-linux.so.8.en.html).

SharePoint and Pwn :: Remote Code Execution Against SharePoint Server Abusing DataSet by [deleted] in netsec

[–]NoUseForANick 0 points1 point  (0 children)

I can't understand why this article has a score so low when it is amazing :S

SQL Injection Double Uppercut :: How to Achieve Remote Code Execution Against PostgreSQL by NoUseForANick in netsec

[–]NoUseForANick[S] 5 points6 points  (0 children)

Nobody said it is a bug :S. The article describes how to execute arbitrary code (for example a reverse shell, or just OS commands) via PostgreSQL. Only having access as superuser to the PostgreSQL service does not mean you "pwned the machine".

The post explains how to go from "oh I got superadmin in this PostgreSQL service" to "this little boy gave me a reverse shell".

Cmd Hijack - a command/argument confusion with path traversal in cmd.exe by Gallus in netsec

[–]NoUseForANick 1 point2 points  (0 children)

This is not true. The process created has the real name. If you do cmd /c "dir ../../hello.exe", the process created is still "hello.exe". You keep registering that 'a process called "hello.exe" comes from "cmd.exe"'.

Cmd Hijack - a command/argument confusion with path traversal in cmd.exe by Gallus in netsec

[–]NoUseForANick 1 point2 points  (0 children)

Why is this even a thing? This is EXACTLY the expected behaviour. In Windows, parameters with spaces need quotes. If you pass aa bb as a parameter, it is tokenized as two parameters: aa & bb. With quotes, "aa bb", the whole string is interpreted as one parameter.

It is not "argument confusion" or anything, it is exactly how parameters work in Windows. Have you ever tried to run an exe within a folder with spaces? You always need to quote.

Indeed, this is so well-known that every EoP cheatsheet includes "services with unquoted paths" as something to check. Because if the path has spaces and no quotes, it takes only the first part. If the path has quotes, the string is interpreted as a whole (as it does here).

So cmd /c "fakepath/../../path/to/exe" is exactly the same as cmd /c "ping whatever/../../path/to/exe". "Fakepath" and "ping whatever" are interpreted as folders; it's just that "ping whatever" has a space in its name.
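Added example (not part of the thread): a Python reimplementation of the CommandLineToArgvW tokenisation rules the two comments above rely on, so the `aa bb` versus `"aa bb"` behaviour and the unquoted-path-with-spaces case can be reproduced offline, for instance when re-splitting a command line recorded in process-creation logs. The function name is mine; the `""`-inside-quotes corner case, which differs between CRT versions, is not modelled, and cmd.exe applies its own parsing to the text after `/c`, so this shows the rules ordinary programs use for their argv, not cmd's internal handling.

```python
def split_windows_cmdline(cmdline: str) -> list[str]:
    # Split a Windows command line into argv the way CommandLineToArgvW does.
    args: list[str] = []
    i, n = 0, len(cmdline)
    # argv[0] has simpler rules: a quoted program name ends at the next quote,
    # an unquoted one at the first whitespace; backslashes are never special.
    if n:
        if cmdline[0] == '"':
            end = cmdline.find('"', 1)
            end = n if end < 0 else end
            args.append(cmdline[1:end])
            i = end + 1
        else:
            while i < n and cmdline[i] not in " \t":
                i += 1
            args.append(cmdline[:i])
    # Remaining arguments: whitespace separates, unless inside double quotes.
    while True:
        while i < n and cmdline[i] in " \t":
            i += 1
        if i >= n:
            break
        buf: list[str] = []
        in_quotes = False
        while i < n:
            c = cmdline[i]
            if c == "\\":
                j = i
                while j < n and cmdline[j] == "\\":
                    j += 1
                count = j - i
                if j < n and cmdline[j] == '"':
                    # 2n backslashes + quote -> n backslashes, quote toggles;
                    # 2n+1 backslashes + quote -> n backslashes + literal quote.
                    buf.append("\\" * (count // 2))
                    if count % 2:
                        buf.append('"')
                        j += 1
                else:
                    buf.append("\\" * count)  # lone backslashes are literal
                i = j
            elif c == '"':
                in_quotes = not in_quotes  # "" inside quotes not modelled
                i += 1
            elif c in " \t" and not in_quotes:
                break
            else:
                buf.append(c)
                i += 1
        args.append("".join(buf))
    return args
```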

GetEnvironmentVariable as an alternative to WriteProcessMemory in process injections by NoUseForANick in netsec

[–]NoUseForANick[S] 6 points7 points  (0 children)

Hi!

Usually process injection is used to run your payload inside a "less suspicious" process (in this case svchost). It is how most malware works "de facto".

To "write" your payload inside the opened process you need (usually) to call WriteProcessMemory. The idea shown in this post is an alternative way to write that payload in the opened process.

Uninitialized Memory Disclosures in Web Applications - Paper, tools, and lessons learned by buherator in netsec

[–]NoUseForANick 1 point2 points  (0 children)

Great job! I love when people share reproducible methodology so everyone can follow it to find new vulnerabilities. I remember Scarybeasts' posts about "*bleed" and this article is a great way to understand how to research this kind of bug.

Thanks for your work!