Other Exploitation Guides
Return Home
All links on this page should eventually be included in a topic page, or have a topic page created.
Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes)
This blog post is mainly aimed to be a very ‘cut & dry’ practical guide to help clear up any confusion regarding NTLM relaying. Talking to pentesters I’ve noticed that there seems to be a lot of general confusion regarding what you can do with those pesky hashes you get with Responder. I also noticed there doesn’t seem to be an up to date guide on how to do this on the interwebs, and the articles that I did see about the subject either reference tools that are outdated, broken and/or not maintained anymore.
I won’t go into detail on all the specifics since there are a TON of papers out there detailing how the attack actually works, this one from SANS is a ok when it comes to the theory behind the attack.
CVE-2017-11176: A step-by-step Linux Kernel exploitation
This series covers a step-by-step walkthrough to develop a Linux kernel exploit from a CVE description. It starts with the patch analysis to understand the bug and trigger it from kernel land (part 1), then it gradually builds a working proof-of-concept code (part 2). The PoC is then turned into an arbitrary call primitive (part 3) which is finally used to execute arbitrary code in ring-0 (part 4).
Unauth RCE as root in Cisco Prime Infrastructure
Here’s a quick and easy unauth RCE as root in Cisco Prime Infrastructure. This is a product widely deployed in data centers for router management .
Zero-day exploit (CVE-2018-8453) used in targeted attacks
Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a vulnerability in win32k.sys discovered by Kaspersky Lab in August. We reported this vulnerability to Microsoft on August 17, 2018. Microsoft confirmed the vulnerability and designated it CVE-2018-8453.
Remote exploit in CrashPlan backup server
One of our customers commissioned a test of their infrastructure. One of their systems was running the Crashplan backup server from Code42, and we found a remote code execution possibility. As luck would have it (for our customer that is) a setting in their firewalls made it impossible to exploit it in their environment, but naturally we reported it to Code42. Their response was… well, not what we hoped…
Net-SMNP Remote DoS
Back in January I did some vulnerability research of net-snmp 5.7.3 and found some bugs. Here they are:
Hardware Backdoors in x86 CPUs
This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they’re buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.
Redis Remote Command Execution
Redis has eloquently explained how it can be used for remote command execution if not securely configured to mitigate arbitrary access.
Exploiting JNDI Injections in Java
Java Naming and Directory Interface (JNDI) is a Java API that allows clients to discover and look up data and objects via a name. These objects can be stored in different naming or directory services, such as Remote Method Invocation (RMI), Common Object Request Broker Architecture (CORBA), Lightweight Directory Access Protocol (LDAP), or Domain Name Service (DNS).
How I hacked modern Vending Machines
Indisputably, Vending Machines are objects of cult. Delicious morsels of Hackers, always. In the beginning they worked offline with coins only, then, NFC- keys/cards models started spreading. If I say “COGES” I’m sure that better times will come to someone’s mind. But… In a bunch of years things changed radically. You distract and a moment after, find the world superseded by things connected to the internet…
Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)
A Scary Thought: I’ve worked in the Cyber Security space performing a wide breadth of penetration and red team services for years. Yes it’s still easy to get Domain Admin “before lunch” as it was when I first started pen-testing.
Let me know what you think of this article on twitter @_TheGetch_!