Responsible disclosure: Access control vulnerability discovered in the ThingsBoard IoT platform

| Outpost24

A vulnerability on the ThingsBoard IoT platform is discovered, where a normal user’s privileges can be escalated, by doing a simple post with an additional header, and exploiting the associated flaws, to take control over the entire platform and related accounts. Upon reporting of the vulnerability to the vendor, it was quickly resolved.

Phishing: Better Proxy than Story

| Outpost24

Social engineering is the art of manipulating people, so that they give up confidential information or perform an action you ask them to do. Read and learn first hand how modern phishing works to trick victims into giving up their credentials, bank information or computer access to secretly install malicious software.

To trick recipients of phishing emails into clicking, you want a domain name that looks very close to the original. You can manually start pondering on what would be great and not-too-obvious domains that look similar...

Alice in Windowsland: 3 ways to escalate privileges and steal credentials

| Outpost24

During an internal penetration test earlier this year, we got ourselves access to a couple of Windows workstations. Fully patched Windows 10 machines, from which we had to try and find a way to escalate our privileges to a user with higher privileges.

Our goal was to escalate our access all the way to Domain Admin, so that we could achieve the objective for this project as set out by the customer. We tried working our way through the internal network by identifying alive hosts, enumerating potential exploitable network services and obtaining credentials but with no luck. We found ourselves stuck on this one host, so decided to dive all the way into the rabbit hole.

IBM WebSphere (RCE) - Metasploit Module

This module exploits a vulnerability in IBM's WebSphere Application Server identified by CVE-2015-7450. An unsafe deserialization call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows remote arbitrary code execution.

Undetectable Metasploit WAR

A possible attack path during a penetration test is having access to the administrative console of a JAVA Application Server (like WAS, JBOSS and Tomcat) installed on a Windows server with default or guessable (e.g. through brute-force) administrative credentials.

The idea was to upload a Metasploit generated WAR application in order to successfully compromise the server, but the outcome was not the expected...

Knock and Pass: Kerberos Exploitation

Almost a year after the critical vulnerability MS14-068 lot of guides and tutorials have written how to trick the Domain Controller in order to retrieve the Golden ticket impersonating a simple user as a user with "high level" privileges.

The purpose of this post is not to teach you or to re/present how to exploit a DC in order to retrieve the Kerberos ticket because there are hundreds well written posts about the specific exploitation but a general guide of how to configure a Linux machine in order to generate a valid Kerberos ticket without assigning your host machine into the Domain Controller.

Bypass UAC and AV on Windows 7

It's being a long time since I wrote my last tutorial, so I'm coming back folks with a new one that implements some basic penetration techniques like msfconsole and introducing a couple of amazing tools for our purpose such as Shellter.

Some intro about Shellter.

Shellter is a dynamic shellcode injection tool, and probably the first dynamic PE infector ever created. It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only).

The shellcode can be something yours or something generated through a framework, such as Metasploit.