
@ac1d_d4ddy @campuscodi
Hey I am the author of this exploit :3. The get_files() function is the pre-auth path traversal, yes

The SQLi is used to login to the web panel and collect the filesystem paths for decryption keys (they are shown in the web panel). Technically, these would be accessible if you could guess the filename since they are stored in the webroot, but bypassing them and collecting the filenames is possible so why not

How I discovered and chained an RCE and an XSS on CHAOS RAT v5.01, allowing an attacker to take over the RAT server. Taking inspiration from https://x.com/ACEResponder/status/1687214024247615488, I also added exploit functionality to rickroll RAT operators.
https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/
https://github.com/chebuya/CVE-20
ACE Responder (@ACEResponder) on X

Introducing RogueSliver. A tool to disrupt offensive campaigns that use the Sliver C2 framework. • Hijack beacons • Send memes to the attacker • Flood C2 servers #DFIR #RedTeam https://t.co/DeJq1P8byd

I found a pre-auth path traversal vulnerability in the Jasmin Ransomware panel allowing an attacker to deanonymize panel operators and dump decryption keys. Jasmin ransomware was observed in a recent TeamCity exploitation campaign (https://twitter.com/brody_n77/status/1765145148227555826)
https://github.com/chebuya/CVE-20
Brody (@brody_n77) on X

Multiple cases of JetBrains TeamCity exploitation (CVE-2024-27198, CVE-2024-27199) being followed up by deployments of (suspected modified) Jasmin Ransomware. https://t.co/3zgKhY8fi1 https://t.co/IYP2Ls19WS https://t.co/SE8YvgjchR
