ESXi 6.7 Password recovery / reset

Recently I did some training where we set up ESXi 6.7 on an Intel NUC. It’s been over a month since I’ve touched it. Apparently during the training my coworker had set a root password for the install, which was supposedly written down, but it was either typed wrong in the notes or fat-fingered while setting it. Unfortunately, you can no longer boot into single user mode or the Service Console to reset the password, and VMware suggests you reinstall ESXi to reset it. I didn’t want to risk that method because I wasn’t sure whether it would affect the currently installed VMs, and I didn’t have a copy of ESXi with me anyway. Instead I used a bootable Kali USB to mount the ESXi drive and reset the root password to a blank password by editing the shadow file.


Telephreak Tactical Lunchbox

One of the cooler pieces of swag I received @ Defcon this year was a lunchbox for the Telephreak party, filled with candy, gadgets, and toys from telephreakbadge. I do some ‘red teaming’ occasionally and always had my stuff all janky in my backpack with no way to really keep it organized, and it was a pain in the ass to go through everything to find the tools I needed. Plus stuffing them all in a box tends to get shit broken eventually. I was thinking I needed something like a Pelican case but I didn’t feel like spending a huge amount on something simple. Then one day it occurred to me that this lunchbox sitting on my desk would do the trick. I ended up getting a few pieces of polyethylene foam off eBay for $9. They arrived pretty quickly and I spent about an hour or so arranging some of my most used tools onto each layer and cutting out the foam to fit them all in. I used a small knife (the ones that have a knife/scissor/toothpick) and a razor blade to cut out the foam. Here are all 3 layers that fit inside, with a description of each tool’s usage.


skiptracer

My new open source Python OSINT framework, skiptracer, was released @ HushCon East on June 1st. Initial attack vectors for recon usually involve utilizing pay-for-data APIs (Recon-NG) or paying to use transforms (Maltego) to get data mining results. skiptracer instead uses some basic Python web scraping of PII paywall sites to compile passive information on a target. The modules allow queries for phone numbers, emails, screen names, real names, addresses, IPs, hostnames, breach credentials, etc. It will help you collect relevant information about a target to help expand your attack surface. Everyone is encouraged to submit new ideas/modules. You can get the code here: https://github.com/xillwillx/skiptracer – feel free to submit new modules or code fixes.

Office DDEAUTO attacks

SensePost posted 10 days ago about a vulnerability which can trigger command execution, without the use of macros, when someone opens a specially crafted Office document. Although a little bit of social engineering needs to come into play for the victim to click ‘yes’ on the first 2 of 3 message boxes, most end users are easily tricked. They found that by abusing the parameters of the DDEAUTO field they could use PowerShell to download malicious payloads remotely. DDE is a legacy Inter-Process Communication (IPC) mechanism dating back to 1987, which establishes a dynamic data exchange (DDE) link with a document created in another Microsoft Windows-based program: when new information becomes available in the linked document, a DDE field inserts that new information when you update the field. SensePost discovered that instead of specifying an application like Excel, an attacker can specify an arbitrary application as the first parameter, and quoted arguments (which cannot exceed 255 bytes) as the second parameter.
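A defender-side check for the field abuse described above, added here as an example and not code from the original post or from SensePost: it scans a .docx for DDE/DDEAUTO field codes, reassembling codes that are split across several instrText runs. The sample document, the application name and the arguments are constructed placeholders.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def find_dde_fields(docx_bytes):
    """Return (part, field_code) for every DDE/DDEAUTO field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            # Complex fields: the code is in w:instrText runs; Word (or an attacker)
            # may split it over several runs in one paragraph, so join per paragraph.
            for para in root.iter(W + "p"):
                code = "".join(t.text or "" for t in para.iter(W + "instrText"))
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
            # Simple fields keep the whole code in the w:instr attribute.
            for fld in root.iter(W + "fldSimple"):
                code = fld.get(W + "instr", "")
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def build_sample_docx(instr_runs):
    """Constructed minimal .docx (not a real document): one complex field whose
    code is spread over the given instrText runs, plus a harmless DATE field."""
    ns = W[1:-1]
    runs = "".join(f'<w:r><w:instrText xml:space="preserve">{r}</w:instrText></w:r>'
                   for r in instr_runs)
    doc = (f'<w:document xmlns:w="{ns}"><w:body>'
           f'<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>{runs}'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
           '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "/></w:p>'
           '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Calling `find_dde_fields(build_sample_docx(["DDEAU", "TO placeholder_app ", '"placeholder args"']))` returns the reassembled DDEAUTO code while the DATE field is ignored.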

Exploiting with EternalRomance using Metasploit installed inside Win10 WSL

This post will have a few sections. We will get some general information on the ETERNALROMANCE exploit, learn how to install WSL on the Win10 Creators Update along with Metasploit, and as a bonus I will show how to do this on Kali and show a few additional tricks to download payloads to the target machine.

Equihax

In July, CVE-2017-9805 was reserved for the Apache Struts RCE vulnerability in the REST plugin. Apache Struts 2.5 through 2.5.12 installations that use the REST plugin are vulnerable to this attack. It had an initial disclosure on 7/17/2017, and a patch was released recently on 9/5/2017, with Apache releasing Struts version 2.5.13. The flaw exists in using the Struts REST plugin with the XStream handler to handle XML payloads. If exploited correctly, it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it. The problem occurs in XStreamHandler’s toObject() method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object. lgtm has an in-depth article along with a press release from the Apache Foundation. The company lgtm, who discovered the CVE-2017-9805 vulnerability, had warned that at least 65 percent of Fortune 100 companies use Struts, and they could all be exposed to remote attacks due to this vulnerability.

CVE-2017-0213 – Windows COM EoP

I wrote another blog post for Milton Security about the details of a vulnerability that James Forshaw of Google Project Zero found in January, which exploits a bug in the Windows COM Aggregate Marshaler. An attacker can use this bug to elevate privileges on Windows machines.

Microsoft had 90 days to patch, which they have done with last month’s security updates. The post includes proof-of-concept code for 32- and 64-bit versions of Windows from Win7-10 and Server 2k8-2k16.
https://www.miltonsecurity.com/company/blog/cve-2017-0213-windows-com-privilege-escalation-vulnerability

EternalRed – CVE-2017-7494

I wrote another post for the Milton Security blog on the CVE-2017-7494 Samba exploit, which affects Linux machines running Samba 3.5.0 – 4.5.4/4.5.10/4.4.14. This also includes NAS devices, which many people do not patch regularly. In the blog post I talked about what Samba is and how it has been vulnerable for the last 7 years due to this bug. I also go over how to test/exploit your own machine to see if you’re vulnerable. I also cover some mitigations: the maintainers of the Samba project have provided a patch, so I would advise you to install it as soon as possible, and some NAS firmware upgrades are already available from Netgear and Synology.

CVE-2017-0199 exploiting and preventing – guest blog

Phishing scams tricking unsuspecting users into opening nefarious files are nothing new, and attackers have been using weaponized documents for just about as long. This week, I had the pleasure of being featured on Milton Security’s blog to talk about a new attack that was spotted as early as last year and was finally patched by Microsoft in April. I went over the CVE-2017-0199 vulnerability, which affected Windows-based machines using Microsoft Word and the default built-in WordPad, and enabled an attacker to send a malicious RTF file that would execute an HTA file remotely without any user interaction besides opening the file. I went over how to create the file using Metasploit, a Python script, and finally just using Microsoft Word itself and editing the file to make it autorun. Spear-phishing attacks could allow the attacker to send these files to their victims in a spoofed email and gain a foothold into the victim’s network if they weren’t properly patched; the article also covers how to mitigate this towards the end. So head over there and check it out. https://www.miltonsecurity.com/company/blog/analysis-cve-2017-0199-ms-word-threats-are-back