
@renini
renini / BurpDock
Created March 1, 2021 19:36 — forked from r00tdaemon/BurpDock
How to setup Burp Suite inside a docker container. (https://ujjwal96.github.io/blog/2019/06/02/burpdock)
@renini
renini / CVE-2021-21972_vcsa.md
Created February 25, 2021 13:14
PoC for CVE-2021-21972 VMware VCSA

CVE-2021-21972

Tested against VMware VCSA 6.7

create ssh keypair

ssh-keygen -t rsa -f vcsa.key -N ''
@renini
renini / decompressPic.py
Created January 17, 2021 14:51 — forked from Instagraeme/decompressPic.py
Python Script to retrieve JPEG images from Hikvision PIC file format
#!/usr/bin/env python3
"""
Copyright (c) 2017 Graeme Smith
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
@renini
renini / CERT-CveEventWrite-Validation-CVE-2020-0601.ps1
Created January 16, 2020 22:27
Script to validate/test CveEventWrite logging to Audit-CVE
# Script to call the new CveEventWrite function to validate/test logging to Audit-CVE
# In this case generate a basic CVE-2020-0601 log entry
$MethodDefinition = @'
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
// The Win32 prototype is LONG CveEventWrite(PCWSTR, PCWSTR); a Win32 LONG is 32-bit, so map it to C# int, not long.
public static extern int CveEventWrite(string lpCveId, string lpAdditionalDetails);
'@
$Advapi32 = Add-Type -MemberDefinition $MethodDefinition -Name 'advapi32' -PassThru
$Advapi32::CveEventWrite('[CVE-2020-0601] CERT validation', 'Used by CERT to validate CVE-2020-0601')
@renini
renini / privacyidea_emergency_bypass_IRULE
Created August 31, 2018 14:35
Emergency F5 iRULE to bypass privacyidea otp auth
# Emergency iRULE to bypass privacyidea otp auth
# This will return the OKE status to all privacyidea auth requests for OTPs
# Only use when there is an emergency and nobody is able to login! (or when you have maintenance... ;))
#
# See: https://privacyidea.readthedocs.io/en/latest/modules/api/validate.html
when HTTP_REQUEST {
#if { [HTTP::method] eq "POST" } {
if {[string tolower [HTTP::path]] eq "/validate/check"} {
set json "{ \"detail\": { \"message\": \"matching 1 tokens\", \"serial\": \"IRULEBYPASS01\", \"type\": \"spass\" }, \"id\": \"1\", \"jsonrpc\": \"2.0\", \"result\": { \"status\": true, \"value\": true }, \"version\": \"privacyIDEA F5 Irule\" }"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<OOBE>
<HideLocalAccountScreen>true</HideLocalAccountScreen>
</OOBE>
</settings>
</unattend>
@renini
renini / msfvenom-reverse-tcp-WaitForSingleObject.md
Created April 12, 2018 19:14 — forked from mgeeky/msfvenom-reverse-tcp-WaitForSingleObject.md
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for WaitForSingleObject call within modern msfvenom generated payload.


Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment and WaitForSingleObject locating & patching. It was written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching the problem of finding this particular Windows API. Since RE is one of my stronger FU's, I decided to write down my explanation of the subject.

Contents:

@renini
renini / PS-BGInfo.ps1
Created February 22, 2018 16:33 — forked from dieseltravis/PS-BGInfo.ps1
update wallpaper background image with powershell (like Sysinternals BGInfo)
# PS-BGInfo
# Powershell script that updates the background image with a random image from a folder and writes out system info text to it.
# Configuration:
# Font Family name
$font="Consolas"
# Font size in pixels
$size=10.0
# spacing in pixels
@renini
renini / ntlmdecoder.py
Created February 15, 2018 12:26 — forked from aseering/ntlmdecoder.py
NTLM auth-string decoder
#!/usr/bin/env python
## Decodes NTLM "Authenticate" HTTP-Header blobs.
## Reads the raw blob from stdin; prints out the contained metadata.
## Supports (auto-detects) Type 1, Type 2, and Type 3 messages.
## Based on the excellent protocol description from:
## <http://davenport.sourceforge.net/ntlm.html>
## with additional detail subsequently added from the official protocol spec:
## <http://msdn.microsoft.com/en-us/library/cc236621.aspx>
##
@renini
renini / self-signed-certificate-with-custom-ca.md
Created December 27, 2017 21:39 — forked from fntlnz/self-signed-certificate-with-custom-ca.md
Self Signed Certificate with Custom Root CA

Create Root CA (Done once)

Create Root Key

Attention: this is the key used to sign the certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096