Tweets
Pinned tweet
Update CVE-2019-19781: You can exploit the vulnerability without the file newbm.pl and only use the file rmbm.pl! You can inject your payload inside the name of the XML file and fire the command execution!

#shitrix #citrix pic.twitter.com/g2P1GAJo1R
This can also help you quickly determine a Hashcat mask linked to a specific domain.
No excuse for the next internal pentest
pic.twitter.com/g3xmZIAD9p
Indexing leaked database in ElasticSearch
Small example using data from the BreachCompilation and the dashboard you can come up with in Kibana
pic.twitter.com/fICY88sK1G
Using SharpRDP and the UAC bypass you can now execute commands as local administrator even with RID != 500 using a CLI, and of course with a high integrity process.
For the curious ones, follow the rabbit
https://github.com/0xthirteen/SharpRDP/pull/3 …
3/3 pic.twitter.com/SxEvdmhiBm
What are the implications? Actually, if you are a local administrator with RID != 500 you cannot psexec (or use a CLI) and you're forced to use the RDP GUI to exec commands
(LocalAccountTokenFilterPolicy)
This topic is covered in this post
http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/ …
2/3
Using SharpRDP for lateral movement but blocked with a medium integrity process (UAC)?
Well... not a problem anymore!
Just updated SharpRDP with the option 'privileged', allowing you to run a process with High integrity (if your user is local admin)!
1/3
https://twitter.com/0xthirteen/status/1220041004167892992 …
pic.twitter.com/Ll3ZhxKaza
Quickly identify users / groups / password policy of the domain with prettyloot after dumping domain info using ntlmrelayx! https://github.com/mpgn/prettyloot The script reads all files from the loot directory and prints information like a classic enum4linux output.
https://twitter.com/ditrizna/status/1103964505510416384 …
pic.twitter.com/H52izvze1Z
CVE-2019-19781 - Quick check on how they fixed it!
Path traversal no longer works
Unrestricted File Upload no longer works
Template Injection through Template Toolkit is still working but it's "by design" and not fixable
Tested on Citrix ADC version 12.0.63.13
pic.twitter.com/2V8MPJSOcE
mpgn Retweeted
If you have AppLocker deployed, be aware that most times when Windows 10 is updated/upgraded, it creates a TASKS_MIGRATED folder under C:\windows\system32 that has the CREATOR OWNER, meaning that users can create and execute files from the folder and bypassing AppLocker
pic.twitter.com/YLUxRxDyxr
mpgn Retweeted
FASCINATING data here about
#NeverWarren, the No. 1 trend in the United States right now. The top three tweets about the hashtag in the world—from @johnpavlovitz, @mehdirhasan, @deetwocents—all denounce people using it. The algorithm is generating an opposite reality.
pic.twitter.com/lAOyiS5S7G
mpgn Retweeted
With all the fun around Citrix Netscalers here's how to decrypt encrypted values from the config file (like bind dn passwords)
#shitrix https://dozer.nz/citrix-decrypt/
mpgn Retweeted
Support added to crack Citrix NetScaler (SHA512) hashes with hashcat 6.0.0: https://github.com/hashcat/hashcat/commit/53105abeb47a6c325dee6714b1503cd68bd0c9c8 …
pic.twitter.com/Qr9nc2Avy4
@GossiTheDog As mentioned by @ippsec, the fact that I'm able to not use '../' is probably related to the Citrix ADC installed using Amazon AMI. This is a default installation. I'm curious if it's the same with Azure.
https://twitter.com/ippsec/status/1216815987909169153?s=20 …
mpgn Retweeted
CVE-2019-19781 post-exploitation notes: If you are seeing attackers reading your /flash/nsconfig/ns.conf file then you need to change all passwords. The SHA512 passwords are easily crackable with hashcat.
pic.twitter.com/mNMaTT1oCE
What about no directory traversal at all on CVE-2019-19781?
GET /vpns/portal/scripts/picktheme.pl
POST /vpns/portal/scripts/rmbm.pl
POST /vpns/portal/scripts/newbm.pl
#Shitrix pic.twitter.com/pvLX1QXkqU
Oh boy, there is more! You can also exploit CVE-2019-19781 using the file picktheme.pl!
The exploit can be done using only two GET requests, and not one POST & one GET.
#Shitrix pic.twitter.com/RCdZwchxMZ
mpgn Retweeted
Just posted Remote Code Execution in Three Acts: Chaining Exposed Actuators and H2 Database Aliases in Spring Boot 2. Using a payload containing three different programming languages :)
https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database …
Exploit of CVE-2019-19781
https://github.com/mpgn/CVE-2019-19781 …
pic.twitter.com/kgba7gfepD
6/ Now the attacker can put this payload in the XML using the newbm.pl script with a POST request (check the step before).
At the time the issue didn't exist on GitHub, so props to the ones who found the RCE without this.
Next => check step 7
pic.twitter.com/BHytLQlKb6
6/ Now that the exploit can be found on GitHub, I will explain step 6! By checking the GitHub of Template Toolkit there is an issue about a command execution: https://github.com/abw/Template2/issues/245 … [% template.new({ 'BLOCK' => 'print "pwn"; die' }) %]