Three ways to level up your Windows Privilege Escalation skills #windows #privesc #techtok #infosec https://cyberfeed.io/article/5e24a486dab0555016500dc60f7c7aef #cybersec #security #infosec #cybersecurity

Dirty Pipe: CVE-2022-0847 - I have just completed this room! Check it out: https://tryhackme.com/room/dirtypipe #tryhackme #dirty pipe #CVE-2022-0847 #Linux #Kernel #Privesc #Walkthrough #Tutorial #Beginner #MuirlandOracle #dirty #pipe #dirtypipe via @RealTryHackMe

#xorg #cve #privesc #infosec #cve #CVE-2023-0494

https://lists.x.org/archives/xorg/2023-February/061255.html

Vulnversity - I have just completed this room! Check it out: https://tryhackme.com/room/vulnversity #tryhackme #recon #privesc #webappsec #video #vulnversity via @RealTryHackMe

Linux PrivEsc - I have just completed this room! Check it out: https://tryhackme.com/room/linuxprivesc #tryhackme #privesc #privilege escalation #linux #linux privilege escalation #tib3rius #linuxprivesc via @RealTryHackMe

POC for Linux privilege escalation Vulnerability "CVE-2022-2602": DirtyCred File Exploitation applied on an io_uring UAF

Poc:
https://github.com/kiks7/CVE-2022-2602-Kernel-Exploit

Article:
https://blog.hacktivesecurity.com/index.php/2022/12/21/cve-2022-2602-dirtycred-file-exploitation-applied-on-an-io_uring-uaf/

#infosec #privesc #linux #linuxexploits #kernelexploitation #binaryexploitation #exploitation

Several #vulnerabilities were identified in Avicena Medical Laboratory by Bishop Fox Researcher Dardan Prebreza. The issues were as follows:

- A critical remote incorrect access control vulnerability that could be exploited to retrieve ~166,000 COVID-19 test results

- A low-risk bug involving vulnerable software that could lead to #privesc

See the technical write-up for more info: https://bishopfox.com/blog/160k-covid-19-records

CertPotato – Using #ADCS to #privesc from virtual and network service accounts to local system

#infosec #cybersecurity #redteam #pentesting

https://sensepost.com/blog/2022/certpotato-using-adcs-to-privesc-from-virtual-and-network-service-accounts-to-local-system/

This looks like a nasty one! I've always been suspicious of snap and the general direction Ubuntu has been headed in this regard. I doubt this'll be the last we hear about these types of flaws.

#cybersecurity #cybersecuritynews #privesc #Linux #Ubuntu

https://securityaffairs.co/wordpress/139209/hacking/three-linux-bugs-full-root-privileges.html

@konst LinPEAS and WinPEAS is a good starting point if you’ve got access to the box.

But I suspect you’re not asking for ways to find #PrivEsc on these boxes 😅

#music to #privesc to.

It sounds like kinda NINy, kinda Quakey thanks to the wave rectifier.
#modular #synths #synth #synthesiser #modularsynth #hacker #hackers #waves

Year of the Dog - I have just completed this room! Check it out: tryhackme.com/room/yearofthe… #tryhackme #Linux #Web #cert-style #Privesc #New Year #MuirlandOracle #Year of the Dog #SQlite #Gitea #yearofthedog via @RealTryHackMe

OK, so everyone seemed to enjoy the last one. Here's another #PrivEsc #ZeroDay :)

This time for the #PotentiallyUnwantedProgram called DriverTalent, also known as DriveTheLife from Shenzhen DriveTheLife Software Technology Co.Ltd

Vendor website is hxxps://160.com in Chinese and hxxps://www.drivethelife.com in English.

To me the vendor is a bad actor. It's a PUP, and the same developers once bundled a mapper driver (send IOCTL with obfuscated unsigned driver PE, it loads it) with most of their products, some of which have been distributed in the past via #PUP bundler networks.

Here's the technical details:

• It installs a service, DevDrvSvc (in the zh-CN version) or LDrvSvc (in the english version), that runs as SYSTEM.
• This service exposes IPC via shared memory (with a semaphore to lock that memory, an event to notify the server that a message is sent, and an event to notify the client that a message was replied to).
• All the objects are created with a security descriptor that has a NULL access control list (so everyone at Medium IL can access them).
• The IPC commands include creating an arbitrary process (where the command line and application name are obfuscated by 1024-byte XOR key) as SYSTEM (in session zero or current session); copying a file as SYSTEM with arbitrary source and destination paths; deleting a file as SYSTEM with arbitrary path.

Latest known vulnerable components are devdrvsvc.dll v1.0.21.616 and LDrvSvc.dll v2.0.8.610.

Uninstallation of this software will prevent exploitation of the issue.

PoC code will fit in a reply.

#0day

OK, so I'm going to drop a nice #ZeroDay here. At least I think it's 0day, but for bring your own vulnerable driver purposes it's still not blocklisted (despite reporting it months ago, maybe MS only adds drivers that are actively exploited):

BattlEye Anti-Cheat BEDAISY.SYS PPL privesc:

• Have the string "top BEService&pi" somewhere in your executable PE image. You can just write it to .data if you want.
• Load bedaisy.
• Open its \\?\GLOBALROOT\Device\BattlEye device.
• Write a 9-byte zerofilled buffer to it.
• Congratulations, you just got WinTCB PPL, go tamper with lsass or whatever.

#AntiCheat #PrivEsc

Abuse AD CS via dNSHostName Spoofing

This blog covers the technical details of CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName Spoofing.

https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4

When you have SYSTEM on server/workstation:
https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1

#ad #adcs #privesc #redteam

*DNSHostName Spoofing combined with KrbRelayUp*

Domain user to domain admin without the requirement for adding/owning previously a computer account. Step-by-step write-up of the attack in a pure Windows environment.

https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25

#ad #adcs #privesc #ldap #relay #redteam

Schon wieder Freitag und unser letztes #NetHack-Video ist Live. Oder zumindest das Letzte, in dem wir unser Ziel angreifen, denn nach diesem Video sind wir endlich #root. Wie es danach weiter geht, erfahrt ihr am Schluss!

https://youtu.be/-jIIfdjzKMs

#ethical #hacking #privesc #ctf

Full PRTG response to the PrivEsc vuln with patch information!

Patch is available. If you run PRTG Network Monitor, please update!

#infosec #hacking #privesc #patch

https://kb.paessler.com/en/topic/81765-why-did-prtg-get-a-new-logging-framework

Windows Privilege Escalation by exploiting security product PRTG Network Monitor.

Still no patch! This is live!

PoC Exploit Code: https://github.com/Critical-Start/Section-8/blob/master/Paessler%20-%20PRTG/prtg_privesc.ps1

Great writeup of process of discovering PrivEsc’s! Read to learn how to do it yourself!

#hacking #infosec #privesc

https://criticalstart.com/2018/10/prtg-network-monitor-privilege-escalation/