CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox
MDSec | Penetration testing
by Admin
6M ago
VirtualBox is a popular open source, cross-platform, virtualization software developed by Oracle Corporation. Earlier this year we identified an arbitrary file move vulnerability in the VirtualBox system service service that could facilitate privilege escalation; here we’ll outline the steps used to discover and exploit this issue. This vulnerability was also discovered by Naor Hodorov who is also credited in the Oracle Patch Advisory. Vulnerability Discovery After installing VirtualBox for Windows, a single user-land service is installed (VirtualBox system service) which runs as SYSTEM and is ..read more
Visit website
Active Directory Enumeration for Red Teams
MDSec | Penetration testing
by Admin
8M ago
The Directory Service is the heart and soul of many organisations, and whether its Active Directory, OpenLDAP or something more exotic, as a source of much knowledge it often acts a conduit for internal reconnaissance and other attacks during red team operations. With this in mind, it is common to see blue teams invest heavily in securing and monitoring access to the directory, whether that’s through honey tokens, analysis of LDAP queries, anomalies within telemetry or other similar defensive strategies. Therefore this creates a challenge for red teams looking to tap in to this knowledge base ..read more
Visit website
Nighthawk 0.2.6 – Three Wise Monkeys
MDSec | Penetration testing
by Admin
1y ago
Overview See no evil, hear no evil, speak no evil. This Japanese maxim epitomises the EDRs coming up against our latest release of Nighthawk. Following copious amounts of research and development, we’re happy to release Nighthawk 0.2.6, and as is the status quo, including several new features unique to Nighthawk. Call Stack Masking Telemetry obtained from call stacks is proving to be a reliable and effective resource for defenders to detect malware. This is evidenced through Elastic’s (and other vendors) continued evolution in this space. More information on the direction of travel can be foun ..read more
Visit website
The Not So Pleasant Password Manager
MDSec | Penetration testing
by Admin
1y ago
Overview During a recent adversary simulation, the MDSec ActiveBreach red team were asked to investigate the organisation’s Password Manager solution, with the key objective of compromising stored credentials, ideally from an unauthenticated perspective. As part of this engagement, Sean Doherty & Juan Manuel Fernandez carried out a detailed analysis of the Password Manager solution (Pleasant Password Server). Resulting in the identification of a reflected cross-site scripting (XSS) vulnerability, CVE-2023-27121, that they found could be abused to leak passwords stored in the solution. CVE ..read more
Visit website
Leveraging VSCode Extensions for Initial Access
MDSec | Penetration testing
by Admin
1y ago
Introduction On a recent red team engagement, MDSec were tasked with crafting a phishing campaign for initial access. The catch was that the in-scope phishing targets were developers with technical skills above that of the average user. As a result, they were unlikely to fall for typical payloads and pre-texts. Rather than relying on traditional initial access payloads, why not use their own development tools to our advantage? Mapping the attack surface One of the main development applications used by the target organisation was VSCode. The ability to install custom VSCode extensions makes thi ..read more
Visit website
CVE-2023-26258 – Remote Code Execution in ArcServe UDP Backup
MDSec | Penetration testing
by Admin
1y ago
Overview During a recent adversary simulation, the MDSec ActiveBreach red team were performing a ransomware scenario, with a key objective set on compromising the organisation’s backup infrastructure. As part of this simulation, Juan Manuel Fernandez and Sean Doherty carried out a detailed analysis of the software used to perform backups (ArcServe UDP). Within minutes of analysing the code, a critical authentication bypass was discovered that allowed access to the administration interface. In this article we will proceed to explain the root cause of this vulnerability that affects versions 7.0 ..read more
Visit website
Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability
MDSec | Penetration testing
by Admin
1y ago
Date: 14th March 2023 Today saw Microsoft patch an interesting vulnerability in Microsoft Outlook. The vulnerability is described as follows: Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user. However, no specific details were provided on how to exploit the vulnerability. At MDSec, we’re continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagemen ..read more
Visit website
Nighthawk 0.2.1 – Haunting Blue
MDSec | Penetration testing
by Admin
2y ago
November 1st 2022 Image courtesy of DALL-E This Halloween week brings our third and final Nighthawk release for the year and its packed with exciting new features, backed by MDSec’s world class research and development team. Indeed, there are so many new features that move the needle, this release could easily have been a major release. However, as it will be our last release in the current architecture (watch this space! :coolbemused:) we decided to issue it as a minor version. But let that take nothing away from the exciting new features it includes, many of which are first time to any publi ..read more
Visit website
Autodial(DLL)ing Your Way
MDSec | Penetration testing
by Admin
2y ago
The use of the AutodialDLL registry subkey (located in HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters) as a persistence method has been previously documented by @Hexacorn in his series Beyond good ol’ Run key, (Part 24). The use of this persistence method by Threat Actors has been identified in the wild during last years, examples include: KOMPROGO backdoor integrated this persistence method. Operation Dragon Castling. Although its use has been limited to persistence only, this registry key can be used for other purposes. In this article we are going to discuss other creativ ..read more
Visit website
Microsoft Office Online Server Remote Code Execution
MDSec | Penetration testing
by Admin
2y ago
Microsoft’s Office Online Server is the next generation of Office Web Apps Server; it provides a browser based viewer/editor for Word, PowerPoint, Excel and OneNote documents. The product can be integrated with SharePoint to provide web based access to these documents within Sharepoint. During a routine penetration test, MDSec discovered a Server-Side Request Forgery vulnerability that, under the right conditions, can be exploited to achieve remote code execution on the Office Online Server itself. The Vulnerability The /op/view.aspx endpoint within Office Online Server is intended to be used ..read more
Visit website

Follow MDSec | Penetration testing on FeedSpot

Continue with Google
Continue with Apple
OR