Author Archive

Level: Technical

Abstract:
As a security enthusiast, an obsolete tablet presented an opportunity to install Kiwi Syslog Server from SolarWinds, but connecting to the tablet posed a challenge. Upon inspecting the tablet for restrictions, a curiosity-driven decision was made to run some PowerSploit scripts to check for possible privilege escalation. An unquoted service path vulnerability was discovered in the Kiwi Syslog Server and reported to SolarWinds (CVE-2021-35231). Kiwi Syslog Server version 9.7.2.1 has an "Unquoted Service Path" vulnerability which allows local privilege escalation. The default BINARY_PATH_NAME of the Kiwi Syslog Server service points to C:\Program Files(x86)\Syslogd\nasm.exe. Because the path is unquoted and Windows resolves it according to its search order, an executable named "Program.exe" placed in the "C:\" folder is executed as NT AUTHORITY\SYSTEM the next time the service is restarted.
The tablet was part of a larger setup in which the environment was prepared to evaluate Microsoft Defender and Sentinel. With an offensive mindset and, again, a lot of curiosity, the decision was made to investigate how Microsoft Defender could be abused for privilege escalation. As vendors put a lot of effort into securing security products, we cannot expect to find much, but the Incident Response feature was interesting. When contacting support, Microsoft may ask for the output package of the "Microsoft Defender for Endpoint Client Analyzer" tool. This guidance is available in the article "Collect support logs in Microsoft Defender for Endpoint using live response" (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log?view=o365-worldwide). It was discovered that the "Microsoft Defender for Endpoint Client Analyzer" tool does not check the integrity of PowerShell modules and allows an attacker to gain "nt authority\system" privileges on the victim machine. If an endpoint has been compromised to the extent that the attacker has permission to write to specific paths, they can execute a PowerShell module implant attack (Powersplanting). Microsoft did not recognize this as a vulnerability, since by default the paths listed below are not writable by a non-admin user. Since the console runs as NT AUTHORITY\SYSTEM, the following search order for loading modules is considered:

  • .\WindowsPowerShell\Modules
  • C:\Program Files\WindowsPowerShell\Modules
  • C:\Windows\system32\WindowsPowerShell\v1.0\Modules
  • C:\Program Files\Microsoft Monitoring Agent\Agent\PowerShell

To access ".\WindowsPowerShell\Modules" we would need system privileges, so the next candidate path is C:\Program Files\WindowsPowerShell\Modules\. To exploit the vulnerability, we need write permission in C:\Program Files\ (not granted by default). If the conditions are met, we can create a malicious BitsTransfer module, place it at C:\Program Files\WindowsPowerShell\Modules\BitsTransfer\BitsTransfer.psm1 and accept the same arguments as the original BitsTransfer module. The result is a working privilege escalation.

Bio:
Danijel Grah has been in cyber security for almost ten years. He began his career as a consultant, later moved into research, and today at NIL he works in the Security Operations Center (SOC). Danijel has rich experience in penetration testing and security hardening, programming, consulting, and developing systems of cyber defense. He has published and presented research papers at various international conferences in the field of information security, and he has confirmed his knowledge and experience with industry certificates such as GRID.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]

Level: Technical

Abstract:
Server-Side Request Forgery (SSRF) vulnerabilities have been around for a long time, and they still pose a significant threat to web applications, so much so that this kind of vulnerability has been included in the OWASP Top 10. This type of attack allows an attacker to send unauthorized requests from a vulnerable application, which can lead to data leakage, server-side request smuggling, and even full-scale remote code execution.

In this technical talk, we will explore the concept of SSRF attacks and how easy it is for developers to introduce these vulnerabilities into their code. We will delve into the technical details of SSRF, looking at some of the most common attack scenarios and how they can be exploited.

The focus of this talk will be on mitigating SSRF vulnerabilities in Go applications. We will explore:

  • what SSRF is and why the audience should care about it when implementing web applications
  • the limitations of negative validation of user-supplied URLs with the Go http package
  • how positive validation can overcome some of those shortcomings, but is still vulnerable
  • integrating the safeurl library in your Go applications
  • taking it one step further with network controls and authentication
  • impacts of SSRF in real-life attacks.

To make this talk more practical, we will also perform a live coding demonstration of all the techniques discussed.

At the end of this talk, attendees will have a better understanding of SSRF attacks, how they work, and how to protect their Go applications from them. They will also have a clear idea of the various tools and techniques available to mitigate SSRF risks, making it harder for attackers to exploit these vulnerabilities.

Bio:
Marcin Niemiec is a security researcher, bug bounty hunter and appsec engineer. He is currently working as a Senior Cloud Security Engineer at Form3.

Video/recordings:

[Slides in Github repo (PDF)] [Recording (MP4)]

Level: Technical

Abstract:
OAuth is a very common thing on the modern web, but most single-page apps have a fundamental security flaw in their implementation (including some popular OAuth libraries).
In most cases, the tokens are saved to localStorage or a JS-accessible cookie and the developer is done with it, but both of those approaches are susceptible to an XSS attack. In this talk, we will go through the secure alternatives to this implementation.

Bio:
Darko Kukovec – An engineer with over a decade of experience developing web applications using JavaScript and TypeScript in various forms.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]

Level: 1337

Abstract:
During this presentation, we will examine how most Anti-Virus detection can be bypassed using a payload embedded on a BadUSB device, resulting in a silver bullet for gaining initial access inside a victim network. A demo will also be included during the presentation.

Bio:
Cristian Cornea – Founder @ Zerotak Security | President @ Romanian Cyber Security Training Centre of Excellence | Scheme Committee Member @ EC-Council CEH | Speaker at multiple conferences | InfoSec Writer @ Medium

Video/recordings:

[Slides (PDF)] [Recording (MP4)]

Level: Advanced Subject Matter

Abstract:
This talk will provide an introduction to the Linux kernel, the core component of an operating system, and its attack surface. The speaker will discuss the differences between userspace and kernel-space and the security implications of each. He will explain how attackers can exploit kernel vulnerabilities for privilege escalation and other malicious goals. The talk will cover the environment setup for kernel debugging, various types of kernel bugs and their impact, and different mitigations and bypasses that can be used to protect against kernel exploits. A ret2user exploit will be demonstrated, and the talk will conclude with a discussion of fuzzing the kernel and reporting bugs. Overall, this talk will provide a comprehensive overview of Linux kernel security.

Bio:
Ivor Canjuga is an undergraduate student at the Faculty of Electrical Engineering and Computer Science at the University of Maribor. He enjoys creating challenges for CTFs, particularly hard ones, and has experience in penetration testing and bug bounty programs. Ivor’s passion lies in binary exploitation, where he applies his skills to uncover vulnerabilities and exploits.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]