{"uuid": "17d2ccc8-b435-4ee2-9dc9-63ed03c90558", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-41120", "type": "published-proof-of-concept", "source": "https://t.me/dilagrafie/28", "content": "33) Windows Privilege Escalation Cheatsheet\n\nThis cheatsheet is aimed at OSCP aspirants to help them understand the various methods of escalating privilege on Windows-based machines and CTFs, with examples. There are multiple ways to perform the same task. We have performed and compiled this list based on our experience. Please share this with your connections and direct queries and feedback to Hacking Articles.\n\nhttps://github.com/Ignitetechnologies/Windows-Privilege-Escalation\n\n34) BumbleCrypt\n\nA Bumblebee-inspired Crypter\n\nBumbleCrypt is inspired by Bumblebee's crypter. In Bumblebee's case, the main Bumblebee DLL is loaded into memory and executed in the following way:\n\n\u25ab\ufe0f Decrypts and writes the payload to the heap\n\u25ab\ufe0f Hooks three Nt APIs - NtOpenFile, NtCreateSection and NtMapViewOfSection\n\u25ab\ufe0f Calls LoadLibraryW(\"gdiplus.dll\"), which triggers the inline hooks, as the above three APIs are used by LoadLibrary() to load any library.\n\u25ab\ufe0f The inline hooks and LoadLibrary itself then load the main Bumblebee DLL in place of \"gdiplus.dll\"\n\u25ab\ufe0f At last, control is transferred to the exported function \"SetPath\" of the main Bumblebee DLL\n\nhttps://github.com/knight0x07/BumbleCrypt\n\n35) FrostByte\n\n\u25ab\ufe0f Replace SigFlip.exe with the latest .NET version\n\u25ab\ufe0f Change the .NET assembly executable to RegAsm.exe\n\u25ab\ufe0f Modify variable names and functions for better evasion\n\u25ab\ufe0f Modify the shellcode callback method to a lesser-known technique for evasion\n\u25ab\ufe0f Encrypt the signatured \"tag\" used in SigFlip to evade static analysis, which gets decrypted at runtime\n\nhttps://github.com/wsummerhill/FrostByte\n\n36) SideLOADR\n\nA \"simple\" script to perform DLL sideloading using Python.\n\nhttps://github.com/Pascal-0x90/sideloadr\n\n37) CallObfuscator\n\nObfuscate (hide) the PE imports from static/dynamic analysis tools.\n\nhttps://github.com/d35ha/CallObfuscator\n\n38) SysmonEoP\n\nHere is a PoC for CVE-2022-41120. I combined arb file delete and limited arb file write to get code execution as NT Authority\\System.\n\nhttps://github.com/Wh04m1001/SysmonEoP\n\n#cve #poc\n\n39) teler\n\nReal-time HTTP Intrusion Detection\n\nteler is a real-time intrusion detection and threat alerting tool based on web logs that runs in a terminal, with resources that we collect and that are provided by the community.\n\nhttps://github.com/kitabisa/teler\n\n40) PwnAI\n\nI leverage OpenAI to automate explanations of what malware or suspected malicious code samples are doing\n\nhttps://github.com/NoDataFound/PwnAI\n\n#infosec #cybersec #tool #hack\n\n4/4", "creation_timestamp": "2022-12-04T12:15:30.000000Z"}