Xaliom's Blog

 The powershell history we were looking for Recently, I discovered a new way to obtain PowerShell history in Windows. While the location of the Bash history file is widely known, the file that stores PowerShell history is not as well-documented. To gather accurate information about PowerShell history and the PSReadLine module, we can refer to Microsoft's official documentation. As far as I know, the PowerShell history file is mentioned in the following three articles: about_history  ( link ) about_PSReadLine  ( link ) Get-History ( link ) Some informations about where and how the history is stored The Get-History cmdlet retrieves all commands executed in the current session. However, the PowerShell history file contains a persistent record of all commands executed by the user via PowerShell in clear text. This file is generated and maintained by the PSReadLine module, which is installed and enabled by default. Whether you are a red teamer or a blue teamer, knowing how t...

Hide PowerUp.ps1 from MS Defender PowerUp.ps1 is a well-known script among pentesters for escalating local privileges. However, since it is fairly old and quite popular, Microsoft Defender detects it as malicious. To use it, we need to either create a custom version of the script or obfuscate the one available online. In this guide, we will use a minimal obfuscation approach. By making small changes to the script, we can bypass Microsoft Defender’s detection and use the script without any issues. What We need A Windows VM with the AV Signatures Updated The PowerUp.ps1 Script ( here ) The Tool DefenderCheck made by matterpreter ( here ) Notepad Let's Start The first step is to disable Microsoft Defender temporarily so we can download the PowerUp.ps1 script without interference. After disabling Windows Defender, go to the GitHub page that contains the raw version of PowerUp.ps1. Copy the content and save it in Notepad with a .ps1 extension. Once you have downloaded both the PowerUp ...

Unveiling CVE-2024-44777 , CVE-2024-44778 , and CVE-2024-44779 How Curiosity and Boredom Can Lead to Discovering Unknown Vulnerabilities In this discussion, I will focus on vTiger CRM 7.4.0, an older version of the CRM platform that, despite its age, remains an important research target.  I discovered a Reflected XSS vulnerability in this version, which is especially concerning since there is no public CVE associated with it.so many users are likely unaware of this security risk.

 C++ Reverse Shell Attempting Obfuscation While Dynamically Loading Windows API This time, I wrote a Reverse Shell in C++, attempting to bypass AV by loading Windows APIs dynamically. Sadly, this time I could not use antiscan.me to test this Shell since that site is not working anymore. The Reverse Shell uses the following Windows API: LoadLibraryA GetProcAddress WSAStartup WSASocketA WSAConnectA CreateProcessA ExitProcess Every API has been loaded dynamically to try to bypass AV controls. Loading Windows API Dynamically: How to Read the Following Paragraph // Creating the signature of the function // Creating an instance of the function // Calling the function  LoadLibraryA Becomes loader using loader = HMODULE(__stdcall*)(LPCSTR); loader loader_a = reinterpret_cast<loader>((FARPROC)GetProcAddress(LoadLibraryA(x), "LoadLibraryA")); getter getter_a = reinterpret_cast<getter>((FARPROC)GetProcAddress(loade...

  Notes an ASM X64 Reverse Shell This article is a collection of Resources that i used to create a x64 reverse shell in pure ASM. Furthermore you can find the code that I wrote commented line by line.   The Resources: The starting point Windows X64 calling convention GetProcAddress WSAstartup WSASocketA Sockaddr WSAConnect CreateProcessA STARTUPINFOA ExitProcess The Steps: Finding Kernel32.dll Address Parsing Kernel32.dll to find GetProcAddress API  Using GetProcAddress to find LoadLibrary API Loading the ws2_32.dll Using GetProcAddress to locate and store WSAStartup address Using GetProcAddress to locate and store WSASocketA address Using GetProcAddress to locate and store WSAConnect address Using GetProcAddress to locate and store CreateProcessA address Using GetProcAddress to locate and store ExitProcess address Calling WSAstartup() Calling WSASocketa() Creating the sockaddr structure Calling WSAConnect() Pushing cmd.exe string to stack Setting STARTUPINFOA S...

ENG: Interestingly, the /windows/exec payload generated via msfvenom is not detected by well-known antiviruses such as McAfee ,Kaspersky and TrendMicro when included in a legitimate executable such as calc.exe by exploiting a "Code Cave".  What is a CodeCave ? A code cave is an area of memory allocated but not exploited by an executable. msfvenom -p /windows/exec CMD=mspaint.exe EXITFUNC=thread -f c -o shellcode.bin msfvenom -p /windows/exec CMD=mspaint.exe EXITFUNC=thread -f raw -o <executable_name>,.exe PS_1: The MSF framework is a widely used framework and therefore well known to AV vendors. PS_2: The shellcode generated by the framework has not been obfuscated/modified in any way.