News

• Hackers Demand $10M From Riot Games to Stop Leak of 'League of Legends' Source Code. "It is alarming to know that you can be hacked within a matter of hours by an amateur-level hack." Is it?
• Protecting Against Malicious Use of Remote Monitoring and Management Software. Someone at CISA finally watched my talk on Traitorware?
• U.S. Department of Justice Disrupts Hive Ransomware Variant. Don't do crimes.
• Yandex Services Source Code Leak. No git history, no ML models, but lots of source code.
• The Microsoft Edge team no longer offers VM image downloads for the testing of Microsoft Edge and Internet Explorer.. The go-to source for quick, legitimate test VMs is gone. This on the back of the news that detection lab is not being maintained has opened a hole in the test VM/lab/management area... (stay tuned).

Techniques and Write-ups

• At the Edge of Tier Zero: The Curious Case of the RODC. Just because its read-only doesn't mean it can't lead to domain dominance.
• Operator's Guide to the Meterpreter BOFLoader. BOFs come to Meterpreter - they are truly the cross-C2 primitive of modern red teaming. You can run them from Python3 now with pybof. Hell, I even put them in osquery.
• Exploiting Hardcoded Keys to achieve RCE in Yellowfin BI. Hardcode a private key == hardcode a bad time.
• Password strength explained. This is a good explainer. Dice-chosen word-based passwords are the way to go.
• Abusing Exceptions for Code Execution, Part 2. This one is meaty and really cool. If you though SEH exploitation died in 2008, buckle up.
• Extending PersistAssist: Act I. How to add your own modules and stick around even after a reboot.

• Web Hacking

  • Using 0days to Protect the United Nations. Some web apps are frighteningly bad at security - this is one of them.
  • Froxlor v2.0.6 Remote Command Execution (CVE-2023-0315). A nice authenticated RCE chain.
  • MyBB <= 1.8.31: Remote Code Execution Chain. This is just quality web app hacking.

• Insomni'hack 2023 CTF Teaser - InsoBug. CTF writeups don't usually make the blog, but this one is particularly interesting and Windows based which is extremely rare.
• gaylord M FOCker - ready to pwn your MIFARE tags. If you're getting started in the RFID card space, this post will give you a quick overview of the various attacks.
• Microsoft Defender Vulnerability Management Authenticated Scan Security Risks. Authenticated scans can give attackers hashes when 'Negotiate' is enabled.
• CVE-2023-23504: XNU Heap Underwrite in dlil.c. "This can be triggered by a root user creating 65536 total network interfaces." Seems pretty far fetched, but a physical attack (malicious USB) is a potential vector.
• How to access data secured with BitLocker? Do a system update. BitLocker effectively disables itself during updates.
• Give me a browser, I'll give you a Shell. The javascript to create a browse button was neat.
• Fun with macOS's SIP. A nify trick to "bypass" (but not really) System Integrity Protection on macOS.
• Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks. Loader/AV bypassers take note.

Tools and Exploits

• gato GitHub Self-Hosted Runner Enumeration and Attack Tool. More information in this post.
• starhound-importer - Import data from SharpHound and AzureHound using CLI instead of GUI BloodHound using "BloodHound's code". Detail here.
• azbelt - AAD related enumeration in Nim.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• yaralyzer Visually inspect and force decode YARA and regex matches found in both binary and text data. With Colors.
• Forking Chrome to render in a terminal. Simply amazing.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.