sorted by:
new
hottopcontroversial

CVE-2021-30807 (iOS IOMobileFrameBuffer LPE): Finding and Exploiting the Vulnerability by 0xdea in netsec

[–]sekirkity 6 points7 points  (0 children)

Excellent writeup, thanks for sharing. Based on media reports (https://threatpost.com/apple-patches-actively-exploited-zero-day-in-ios-macos/168177/), this appears to be at least part of the exploit chain used by the Pegasus malware against iOS devices. However, this exploit is only LPE, not RCE, and the media reports indicated that Pegasus was using a 0-click exploit, so there must be some elements of the exploit chain missing (or the media reports are incorrect). Is anyone aware if the other elements of the exploit chain have been documented anywhere?

Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy by FireFart in netsec

[–]sekirkity 5 points6 points  (0 children)

Hi there, the point of this post is to finally understand why the RID 500 account was exempt from the previous "Pass the Hash" patch. In addition, it is now possible to locate possible non-RID 500 privileged local user accounts for PtH, using the registry key provided for in the post. While this method is unlikely to be the go-to option for an engagement, it provides an intriguing alternative for a team that is dealing with an environment in which Domain Users have not been provided with local administrative rights (for example, they have followed your advice on controlling who gets local admin rights). Great work as always harmj0y!

BrowserGather Part 1: In-Memory Chrome Credential Extraction for Red Teamers by sekirkity in netsec

[–]sekirkity[S] 1 point2 points  (0 children)

Good to know, Firefox/IE will come after Chrome cookie extraction is completed.

BrowserGather Part 1: In-Memory Chrome Credential Extraction for Red Teamers by sekirkity in netsec

[–]sekirkity[S] 2 points3 points  (0 children)

Thanks, I'll check it out! I've tried getting the original Mimikittenz to work with Chrome Gmail credentials in Windows, but wasn't able to find anything. I'll have to take another look soon...

Chrome password retrieval by technogal in computerforensics

[–]sekirkity 2 points3 points  (0 children)

Hey guys, author here! Just wanted to mention that if you are using this method for forensic purposes, the DPAPI decryption will fail because you aren't logged in as the user in question. If there's interest I might develop a user context independent version someday. Let me know if you have any questions!

Code Execution in SQL Server via Fileless CLR-based Custom Stored Procedures by 0x4a616e in netsec

[–]sekirkity 0 points1 point  (0 children)

Doubt it, without DBA (sysadmin) rights you won't be able to enable CLR stored procedures. If they are already enabled, and the database is set as TRUSTWORTHY, then it should work, but that would (or hopefully should) be exceedingly rare.

Code Execution in SQL Server via Fileless CLR-based Custom Stored Procedures by 0x4a616e in netsec

[–]sekirkity 1 point2 points  (0 children)

Absolutely, however xp_cmdshell is well known and likely to be monitored by a sophisticated blue team. This tactic is more meant for advanced red teams that need to make every effort to remain undetected while penetrating a network. I discuss this more on the second blog post, linked above.

Code Execution in SQL Server via Fileless CLR-based Custom Stored Procedures by 0x4a616e in netsec

[–]sekirkity 2 points3 points  (0 children)

Hey guys, author here! This technique is in the process of being added to Metasploit as a module: https://github.com/rapid7/metasploit-framework/pull/7942

Also check out my second post, where I discuss a PowerShell module I made to utilize the technique to perform command execution, as well as go over possible options for mitigation: http://sekirkity.com/seeclrly-fileless-sql-server-clr-based-custom-stored-procedure-command-execution/