BadgerDAPS

Brute Ratel LDAP filtering and sorting tool. Easily take BR log output and pull hostnames for ease of use with other red team tooling. Supports OU filtering and removes disabled hosts.

Github

Signal DLL Hijacking

DLL Malware for Signal Desktop. Utilizes missing dbghelp.dll

Github

RokuRogue

A script for brute forcing Roku TVs and installing applications remotely.

Github

Jorogumo

Red Team Stored XSS SVG phishing-companion tool with the ability to serve a malicious login page, or clone an html page and implement custom javascript. It then generates a relevant SVG.

Github

Buffer Overflow Guide

This Bufferflow Guide includes instructions and the scripts necessary for Buffer Overflow Exploitation. This guide is a supplement for TheCyberMentor's walkthrough. Includes companion scripts. It's pretty old as it was used for the original OSCP which has since been reworked.

Github

The Ultimate CRTO Preparation Guide

The ultimate guide to passing the Certified Red Team Operator exam by Zero Point Security.

Link

OSCP Reborn - 2023 Exam Preparation Guide

Revamped OSCP guide, tailored to be relevant for the latest revision of the OSCP which includes Active Directory exploitation.

Link

9.8 CRITICAL

Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services.

Remote code execution via MSSQL paired with CrackMapExec. Data theft, tampering, or destruction. Negatively affecting medical patients' results.

More likely to be exploited by a threat actor on the internal network, have used this on multiple medical client networks so it's relevant for pivoting.

7.8 HIGH

Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files, resulting in an attacker's ability to insert malicious code into pre-existing attachments or replace them completely. A threat actor can forward the existing attachment in the corresponding conversation to external groups, and the name and size of the file will not change, allowing the malware to masquerade as another file.

Native spear fishing. If a backdoored attachment gets forwarded to a group chat, everyone can end up compromised.

Unlikely to be abused by your everday threat actor. This is of particular interest to federal and intelligence agencies, both domestic to the US and foreign.

3.3 LOW

Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker can still recover the file if it was previously replied to in a conversation./p>

Recovery of deleted attachments, rendering deletion pointless.

Unlikely to be abused by your everday threat actor. This is of particular interest to federal agencies or within eDiscovery and legal hold processes.

8.8 HIGH

A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.

Remote code execution via compromised credentials or chained credential theft.

Likely to be abused if access to this router is obtained. Exploitation is trivial.

5.4 MEDIUM

Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.

Credential theft via phishing, but possible escalation to RCE via phishing if the correct conditions are achieved.

Unlikely to lead in an enterprise compromise, possible account theft.

4.8 MEDIUM

In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.

Credential theft via phishing

Possible account theft.

5.5 MEDIUM

Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, allows an attacker to obtain potentially sensitive media (such as private pictures) in the Cache and uploadtemps directories. It fails to effectively clear cached pictures, even after deletion via normal methodology within the client, or by utilizing the "Explode message/Explode now" functionality. Local filesystem access is needed by the attacker.

Recovery of deleted attachments, rendering deletion pointless.

Unlikely to be abused by your everday threat actor. This is of particular interest to federal agencies or within eDiscovery and legal hold processes.

7.5 HIGH

Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths.

The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

Possible discovery during web application hacking.

6.1 MEDIUM

A reflected cross site scripting vulnerability exists on the ‘id’ parameter of the Wordpress Marmoset Viewer plugin. A threat actor can utilize a specially crafted payload and append it to the id parameter included in the Marmoset Viewer. The cross site scripting vulnerability can lead to the potential theft of cookies or credentials, giving the threat actor the ability to take over a victim’s account or steal other sensitive information.

Credential theft via phishing

This may be chained with a post-authenticated exploit, unlikely to be used otherwise.

6.6 MEDIUM

Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.

Theft of sensitive data and credential material to perform Administrative account takeover.

There's high associated risk based on how trivial it is.

9.1 CRITICAL

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

Bypass for prevntive measures against a wide array of attacks including but not limited to SSRF, RFI, LFI, XSS, etc

High associated risk, very likely.

7.5 HIGH

The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

Bypass for preventive measures within Perl for SSRF, RFI, LFI, XSS, etc

Lower associated risk against modern code, likely against older assets.

9.8 CRITICAL

Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges.

Indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.

High probability of exploitation. A modern day filter bypass technique.

6.5 MEDIUM

A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows an attacker on the adjacent network to arbitrarily browse and download sensitive files over an insecure web server running on port 7989 that lists all files & directories.

An unprivileged remote attacker on the adjacent network, can download most system files, leading to serious critical information disclosure

High probability of exploitation if outdated TCL TV is on the internal network.

7.8 HIGH

A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows a local unprivileged attacker, such as a malicious App, to read & write to the /data/vendor/tcl, /data/vendor/upgrade, and /var/TerminalManager directories within the TV file system.

Fake system upgrades by writing to the /data/vendor/upgrage folder.

Low liklihood, requires multiple factors to align.

5.4 MEDIUM

Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.

Credential theft.

Improbable from an APT perspective, likely for targeted exploitation.