█████╗ ██████╗ ██████╗ ███████╗███████╗ ██████╗ ███████╗███████╗██╗███╗ ██╗███████╗ ██╔══██╗██╔══██╗██╔══██╗██╔════╝██╔════╝██╔════╝ ██╔════╝╚══███╔╝██║████╗ ██║██╔════╝ ███████║██████╔╝██████╔╝███████╗█████╗ ██║ █████╗ ███╔╝ ██║██╔██╗ ██║█████╗ ██╔══██║██╔═══╝ ██╔═══╝ ╚════██║██╔══╝ ██║ ██╔══╝ ███╔╝ ██║██║╚██╗██║██╔══╝ ██║ ██║██║ ██║ ███████║███████╗╚██████╗ ███████╗███████╗██║██║ ╚████║███████╗ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚══════╝╚══════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝╚═╝ ╚═══╝╚══════╝ ### Week: 13 | Month: April | Year: 2022 | Release Date: 01/04/2022 | Edition: #424 ### ' ╔╦╗┬ ┬┌─┐┌┬┐ ╔═╗┌─┐┌─┐ ' ║║║│ │└─┐ │ ╚═╗├┤ ├┤ ' ╩ ╩└─┘└─┘ ┴ ╚═╝└─┘└─┘ ' Something that's really worth your time! URL: https://hackerone.com/reports/1377748 Description: 2 Click Remote Code execution in Evernote Android. URL: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement PoC: https://github.com/DDuarte/springshell-rce-poc Description: Spring Framework RCE (CVE-2022-22965). ' ╦ ╦┌─┐┌─┐┬┌─ ' ╠═╣├─┤│ ├┴┐ ' ╩ ╩┴ ┴└─┘┴ ┴ ' Some Kung Fu Techniques. URL: https://github.com/cyberbutler/RedDrop Blog: https://link.medium.com/8tjr2NAIQob Description: RedDrop Exfil Server. URL: https://github.com/NetSPI/NetblockTool Description: Find netblocks owned by a company. URL: https://github.com/ulfox/nettrust Description: Dynamic Outbound Firewall Authorizer. URL: https://github.com/snovvcrash/KeeThief/tree/syscalls Description: Methods for attacking KeePass 2.X databases. URL: https://github.com/Rog3rSm1th/Frelatage Description: The Python Fuzzer that the world deserves snake. URL: https://gccybermonks.com/posts/falcon-bypass/ Description: Bypass Crowd Strike Falcon to Dump Windows Hashes. URL: https://github.com/shfz/shfz Description: TypeScript Scenario-Based Web Application Fuzzing Framework. URL: https://github.com/michaelweber/Macrome Description: Excel Macro Document Reader/Writer for Red Teamers & Analysts. URL: https://github.com/post-cyberlabs/Offensive_tools/tree/main/Citrix Description: Replay Citrix credentials + OTP gathered during phishing attack. URL: https://github.com/marcinguy/scanmycode-ce Description: Code Scanning/SAST/Linting using many tools/Scanners with One Report. URL: https://github.com/dinosn/CVE-2022-22963 More: https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html Description: Spring Cloud Function SpEL RCE PoC (CVE-2022-22963). URL: https://github.com/FULLSHADE/Auto-Elevate Description: Escalate from a low-integrity Admin account to NT AUTHORITY\SYSTEM w/out an LPE. ' ╔═╗┌─┐┌─┐┬ ┬┬─┐┬┌┬┐┬ ┬ ' ╚═╗├┤ │ │ │├┬┘│ │ └┬┘ ' ╚═╝└─┘└─┘└─┘┴└─┴ ┴ ┴ ' All about security issues. URL: https://pwning.systems/posts/php_filter_var_shenanigans/ Description: PHP filter_var shenanigans. URL: https://sysdig.com/blog/guide-kubernetes-forensics-dfir/ Description: A Practical Guide for Kubernetes DFIR. URL: https://bit.ly/3Lq6vXY (+) Description: Sandboxing Antimalware Products for Fun and Profit. URL: https://www.mdsec.co.uk/2022/03/abc-code-execution-for-veeam/ Description: ABC-Code Execution for Veeam (CVE-2022-26503). URL: https://link.medium.com/8Tdbxf8PPob Description: Pwning 3CX Phone Management Backends from the Internet. URL: http://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce Description: ImpressCMS - From unauthenticated SQL injection to RCE. URL: https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html Description: Bypassing UAC in the most Complex Way Possible! URL: https://www.datadoghq.com/blog/engineering/dirty-pipe-container-escape-poc/ Description: Using the Dirty Pipe Vulnerability to Break Out from Containers. URL: https://bit.ly/3D74Ofh (+) Description: Fantastic Infrastructure as Code security attacks and how to find them. URL: https://offsec.almond.consulting/ldap-relays-for-initial-foothold-in-dire-situations.html Description: LDAP relays for initial foothold in dire situations. ' ╔═╗┬ ┬┌┐┌ ' ╠╣ │ ││││ ' ╚ └─┘┘└┘ ' Spare time? URL: https://chains.prelude.org/ Description: Prelude Attack Chains. URL: https://www.davidbauer.ch/readme/ Description: How to work with me - A user manual for David Bauer. URL: https://sgcderek.github.io/posts/meridian-tv/ Description: Analog UHF TV DXing using a Russian military satellite. ' ╔═╗┬─┐┌─┐┌┬┐┬┌┬┐┌─┐ ' ║ ├┬┘├┤ │││ │ └─┐ ' ╚═╝┴└─└─┘─┴┘┴ ┴ └─┘ ' Content Helpers (0x) 52656e61746f20526f64726967756573202d204073696d7073306e202d2068747470733a2f2f706174686f6e70726f6a6563742e636f6d https://pathonproject.com/zb/?35865edcc1801346#bHvUu/2Dd3WvyW1mH4ABmt6D8LPv7kqv9bJDfCY/e50=