Level: 1337
Abstract:
Are you interested in learning about the latest techniques for bypassing web-application firewalls (WAFs) and password attempt limits? Look no further! In this talk, I will share with you a cutting-edge method that I’ve developed for getting past these obstacles during penetration testing. Whether you’re a cyber-security professional or simply curious about the subject, this talk is sure to provide valuable insights that will help you stay one step ahead of attackers. Join me for a 30-minute presentation that will open your eyes to the world of password attacks and WAF evasion.
Bio:
Daniel Poposki – Security Researcher // Pentester // Cyber Security Student
Video/recordings:
[Slides (PDF)] [Recording (MP4)]
Posted in talks: Bypassing Web-App Firewalls and Password Attempt Limits (Daniel Poposki)
Level: Technical
Abstract:
An obsolete tablet presented a security enthusiast with an opportunity to install Kiwi Syslog Server from SolarWinds, but connecting to the tablet posed a challenge. Upon inspecting the tablet for restrictions, a curiosity-driven decision was made to run some PowerSploit scripts to check for possible privilege escalation. An unquoted service path vulnerability was discovered in Kiwi Syslog Server and reported to SolarWinds (CVE-2021-35231). Kiwi Syslog Server version 9.7.2.1 has an "Unquoted Service Path" vulnerability which allows local privilege escalation. The default BINARY_PATH_NAME of the Kiwi Syslog Server service points to C:\Program Files (x86)\Syslogd\nasm.exe. We can place an executable named "Program.exe" in the "C:\" folder and, because of the unquoted service path and the Windows search order, C:\Program.exe is executed as NT AUTHORITY\SYSTEM the next time the service is restarted.
The tablet was part of a larger setup where the environment was prepared to evaluate Microsoft Defender and Sentinel. With an offensive mindset and, again, a lot of curiosity, the decision was made to investigate how Microsoft Defender could be abused for privilege escalation. As vendors put a lot of effort into securing security products, we cannot expect to find much. But the Incident Response feature was interesting. When contacting support, Microsoft may ask for the output package of the "Microsoft Defender for Endpoint Client Analyzer" tool. This guidance is available in the article "Collect support logs in Microsoft Defender for Endpoint using live response" (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log?view=o365-worldwide). It was discovered that the "Microsoft Defender for Endpoint Client Analyzer" tool does not check the integrity of PowerShell modules and allows an attacker to gain "nt authority\system" privileges on the victim machine. If an endpoint has been compromised to such an extent that the attacker has permissions to write to specific paths, he can execute a PowerShell module implant attack (Powersplanting). Microsoft didn't recognize this as a vulnerability, since by default the paths listed below are not writable by a non-admin user. Since the console runs as NT AUTHORITY\SYSTEM, the following search order for loading modules applies:
- .\WindowsPowerShell\Modules
- C:\Program Files\WindowsPowerShell\Modules
- C:\Windows\system32\WindowsPowerShell\v1.0\Modules
- C:\Program Files\Microsoft Monitoring Agent\Agent\PowerShell
For accessing ".\WindowsPowerShell\Modules" we would need system privileges, so the next path is C:\Program Files\WindowsPowerShell\Modules\. To exploit the vulnerability, we need write permissions in C:\Program Files\ (not granted by default). If the conditions are met, we can create a malicious BitsTransfer module, place it at C:\Program Files\WindowsPowerShell\Modules\BitsTransfer\BitsTransfer.psm1 and provide the same arguments as the original BitsTransfer module. The result is a working privilege escalation.
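An added audit script (not from the talk) that checks a Windows host for the two preconditions described above: services whose binary path is unquoted and contains a space, and directories on the SYSTEM module search order (plus C:\ for the Program.exe case) where low-privileged principals may create files. The well-known SIDs and the CreateFiles bit are standard Windows values; the directory list is the one given in the abstract.

```powershell
# Added example, not from the talk. Run from an elevated prompt so every
# service definition and ACL can be read.

# 1. Services whose binary path is unquoted and contains a space: the service
#    control manager then tries C:\Program.exe before the real executable.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and
            ($_.PathName -split '\.exe')[0] -match '\s'
        } |
        Select-Object Name, StartMode, StartName, PathName
}

# 2. Directories where Users, Authenticated Users or Everyone hold an Allow ACE
#    that applies to the folder itself and includes the CreateFiles bit
#    (Write, Modify and FullControl all contain it). Generic rights on
#    inherit-only ACEs are deliberately ignored: they do not grant access here.
function Get-LowPrivWritableDir {
    param([string[]]$Path)
    $lowPriv     = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0')
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # unresolvable (orphaned) SID, not one of ours
            if ($lowPriv -contains $sid -and (([int]$ace.FileSystemRights -band $createFiles) -ne 0)) {
                [pscustomobject]@{ Path = $p; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Search order from the abstract, plus the drive root used by the Program.exe trick.
$auditPaths = @(
    'C:\',
    'C:\Program Files\WindowsPowerShell\Modules',
    'C:\Windows\system32\WindowsPowerShell\v1.0\Modules',
    'C:\Program Files\Microsoft Monitoring Agent\Agent\PowerShell'
)
Get-UnquotedServicePath           | Format-Table -AutoSize
Get-LowPrivWritableDir $auditPaths | Format-Table -AutoSize
```

An empty result from both functions means neither precondition is present; any row from the second function names the principal whose write right should be removed.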
Bio:
Danijel Grah has been in cyber security for almost ten years. He began his career as a consultant, later moved into research, and today at NIL he works in the Security Operations Center (SOC). Danijel has rich experience in penetration testing and security hardening, programming, consulting, and developing systems of cyber defense. He has published and presented research papers at various international conferences in the field of information security, and he has confirmed his knowledge and experience with industry certificates such as GRID.
Video/recordings:
[Slides (PDF)] [Recording (MP4)]
Posted in talks: A tale of an almost and one CVE (Danijel Grah)
Level: Technical
Abstract:
Server-Side Request Forgery (SSRF) vulnerabilities have been around for a long time, and they still pose a significant threat to web applications, so much so that this kind of vulnerability has been included in the OWASP Top 10. This type of attack allows an attacker to send unauthorized requests from a vulnerable application, which can lead to data leakage, server-side request smuggling, and even full-scale remote code execution.
In this technical talk, we will explore the concept of SSRF attacks and how easy it is for developers to introduce these vulnerabilities into their code. We will delve into the technical details of SSRF, looking at some of the most common attack scenarios and how they can be exploited.
The focus of this talk will be on mitigating SSRF vulnerabilities in Go applications. We will explore:
- what SSRF is and why the audience should care about it when implementing web applications
- the limitations of negative validation of user-supplied URLs with the Go http package
- how positive validation can overcome some of those shortcomings, but is still vulnerable
- integrating the safeurl library in your Go applications
- taking it one step further with network controls and authentication
- impacts of SSRF in real-life attacks.
To make this talk more practical, we will also perform a live coding demonstration of all the techniques discussed.
At the end of this talk, attendees will have a better understanding of SSRF attacks, how they work, and how to protect their Go applications from them. They will also have a clear idea of the various tools and techniques available to mitigate SSRF risks, making it harder for attackers to exploit these vulnerabilities.
Bio:
Marcin Niemiec is a security researcher, bug bounty hunter and appsec engineer, currently working as Senior Cloud Security Engineer at Form3.
Video/recordings:
[Slides in Github repo (PDF)] [Recording (MP4)]
Posted in talks: Mitigating SSRF Vulnerabilities in Go: A Practical Guide (Marcin Niemiec)
Level: Technical
Abstract:
OAuth is a very common thing on the modern web, but most single-page apps have a fundamental security flaw in the implementation (including some popular OAuth libraries).
In most cases, the tokens will be saved to localStorage or a JS-accessible cookie and the developer will be done with it, but both of those approaches are susceptible to an XSS attack. In this talk, we'll go through the secure alternatives to this implementation.
Bio:
Darko Kukovec – An engineer with over a decade of experience developing web applications using JavaScript and TypeScript in various forms.
Video/recordings:
[Slides (PDF)] [Recording (MP4)]
Posted in talks: Doing OAuth the secure way (Darko Kukovec)
Level: 1337
Abstract:
During this presentation, we will examine how we can bypass most anti-virus detection using a payload embedded on a BadUSB device, resulting in a silver bullet for gaining initial access inside a victim network. A demo will also be included during the presentation.
Bio:
Cristian Cornea – Founder @ Zerotak Security | President @ Romanian Cyber Security Training Centre of Excellence | Scheme Committee Member @ EC-Council CEH | Speaker at multiple conferences | InfoSec Writer @ Medium
Video/recordings:
[Slides (PDF)] [Recording (MP4)]
Posted in talks: Anti-Virus Evasion through BadUSB (Cristian Cornea)