SecWiki News 2025-01-31 Review
For more recent articles, visit SecWiki.
TLDR: SlackPirate has been defunct for a few years due to a breaking change in how the Slack client interacts with the Slack API. It has a new PR by yours truly to let you loot Slack again out of the box, and a BOF exists to get you all the credential material you need to do it. I recommend you let Nemesis do the heavy lifting of finding interesting data in what you pull back.
The BOF
This all started because I noticed that my brilliant colleague Matt Creel had added a new BOF to TrustedSec’s CS-Remote-OPs-BOF collection that pulled Slack cookies from the memory of either a browser or Slack client process. This would allow an operator to then utilize the stolen cookies to proxy browser traffic through a compromised machine and access the target organization’s Slack instance. He released a great blog about it if you want to learn more.
Slack is awesome, and full of valuable data about an organization. There’s the obvious stuff like people being lax and pasting credentials, but don’t forget that it is also a comprehensive directory of who works there, and probably more valuable than their internal documentation (when was the last time you actually searched Confluence? Exactly.)
I was stoked to start using Matt’s BOF, since there hasn’t been an assessment where I got access to Slack where it didn’t prove useful. That said, something was nagging at me… This is the age of Nemesis! We don’t need to read anymore, reading is for squares! We have computers to do that for us while we watch short-form videos of animals with funny things on their heads (see below). Reading Slack was no exception.
[Embedded video] A classic.
So I set out to find a good Slack looter. I quickly stumbled upon SlackPirate, created by Mikail Tunç, which seemed to be the de facto choice. And for good reason! It is simple, fairly comprehensive, and also quite modular; you can change what is being searched for with relative ease. By default though it does a lot, such as:
Great! I plugged in my cookie and… no dice. I was unable to authenticate to any of the API endpoints I should be able to. I knew the Slack cookie I had was valid, so it was time to investigate.
Troubleshooting
Figuring out what was the matter was pretty breezy! Slack is an Electron app, so you can still access the Chrome dev tools. Slack used to allow this by exporting a particular environment variable:
SET SLACK_DEVELOPER_MENU=TRUE && start C:\Users\<USER>\AppData\Local\slack\slack.exe
You could then access the developer tools by pressing ctrl + alt + i. This no longer works for me, so I instead opted to use Chrome remote debugging, which was successful.
(NOTE: If you’re reading this blog, there’s a good chance your security team will have an alert in place for Chrome remote debugging to prevent cookie crimes. You may want to check with them before doing this on a work computer.)
C:\Users\<USER>\AppData\Local\slack\slack.exe --args --remote-debugging-port=9222
Then when you browse to chrome://inspect/ you will see Slack listed with an option to inspect:
Chrome remote debugging
By pressing “inspect” you get your dev tools, plus a neat window of the Electron app you are debugging! I have never tried to use this to screen-peek on an Electron app over a proxy, but wouldn’t that be neat.
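The note above mentions that security teams often alert on Chrome remote debugging. As an added illustration of what such a detection looks like (written for this review, not code from the original post or from SlackPirate), the following Python rule scans process-creation events, carrying the image path and command line as a Sysmon Event ID 1 or Windows 4688 record would, for the --remote-debugging-port switch shown above and for the SLACK_DEVELOPER_MENU launch form. The sample events, the list of Chromium-based executables and the severity levels are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Chromium-based images that hold live web sessions (cookies and, per the post,
# the Slack "xoxc" token) in memory. Assumed list; extend for other Electron apps.
CHROMIUM_BASED = {"slack.exe", "chrome.exe", "msedge.exe"}

# Chromium's remote-debugging switches; the post shows --remote-debugging-port=9222.
REMOTE_DEBUG_FLAG = re.compile(r"--remote-debugging-(?:port|pipe)(?:=\S+)?", re.IGNORECASE)
# The older developer-menu trick. Process logs do not record environment variables,
# so this only fires when SET and start share one command line, as in the post.
DEV_MENU_ENV = re.compile(r"\bSLACK_DEVELOPER_MENU\s*=\s*TRUE\b", re.IGNORECASE)

# Constructed sample events (not real telemetry), shaped like process-creation records.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\slack\slack.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\slack\slack.exe" --args --remote-debugging-port=9222',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c SET SLACK_DEVELOPER_MENU=TRUE && start C:\Users\alice\AppData\Local\slack\slack.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\slack\slack.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\slack\slack.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    image: str
    detail: str  # the matched fragment of the command line


def image_basename(path: str) -> str:
    """Return the lowercase executable name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Apply both rules to one process-creation event and return its findings."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    exe = image_basename(image)
    findings = []

    m = REMOTE_DEBUG_FLAG.search(cmd)
    if m:
        # A DevTools endpoint on a browser or Electron process exposes that process's
        # session material to anything that can reach the port, so rate known
        # Chromium-based images higher than an unknown binary carrying the flag.
        severity = "high" if exe in CHROMIUM_BASED else "medium"
        findings.append(Finding("remote_debugging_enabled", severity, image, m.group(0)))

    m = DEV_MENU_ENV.search(cmd)
    if m:
        findings.append(Finding("slack_developer_menu", "medium", image, m.group(0)))
    return findings


def scan(events) -> list:
    """Run evaluate() over a sequence of events and flatten the findings."""
    return [f for e in events for f in evaluate(e)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.rule}: {finding.image} ({finding.detail})")
```

The rule keys on the command line rather than on a network listener, so it fires at launch time, before the debugging port is ever connected to; pairing it with a parent-process check (a browser launched from a shell rather than from explorer.exe, as in the first sample event) is the usual next refinement.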
Inspecting Slack network traffic
My strategy at this point was to record network traffic while performing actions that seemed like they would have to hit a defined API endpoint from the client, and then see what the network traffic looked like. For example, going to the “users” page and finding what endpoint got hit to retrieve them. That’s what I am doing in the screenshot above for the BloodHoundGang Slack (which you should join if you haven’t).
This allowed me to compare the requests with what was being performed in SlackPirate and determine what had changed to break it.
Turns out, not much! The APIs ended up being the same as before; the only piece that was missing was that requests are now made with a token included in the request payload itself, in addition to the cookie in the headers we already knew about.
An API request for user data containing an API token
As you can see, this token is also in a nice searchable format, starting with “xoxc”, so the same technique used by Matt’s BOF to pull the cookie from memory can be used for the token. Now the BOF pulls both, and can be used not only to get the credential material needed to browse a target organization’s Slack via a proxy, but also to interact with it programmatically.
With these two pieces of information, you can hit the Slack API just as if you were the client when a user clicks around and types. You can even make your own janky Slack bots that post out of your account… which of course I did. But you already knew that from the title. So here’s screenshots of my fellow Specters suffering while I posted the entire Bee Movie into our group chat, each line as its own message. We all know it’s what you’re here for.
🐝 The aftermath
Quick aside — you may be thinking: Why go through all the trouble of doing this with the Electron client? Why not just open Slack in a web browser and inspect that traffic?
Anecdotally, I see people using the client way more often, so I wanted to make sure whatever I looked at would be representative of that. Also developers seem to trust dedicated clients more, so the tokens and cookies you snoop from them last much longer. For instance my buddy Jesko got tired of having to reauth to Slack, so he snagged a token from his phone’s client that never expires. My janky Slack bots haven’t had to reauth yet either.
SlackPirate Updates
So with our new programmatic access, it is time to loot! For the most part all of my changes to SlackPirate were updating the script to utilize the new token in addition to a cookie. There are a few other changes I threw in though that you may want to be aware of:
And there you have it. With these new updates, you are ready to get back to a nice easy life of not reading and letting Nemesis read your target’s whole Slack for you. So kick back and let your reading comprehension regress to a third-grade level with another classic animal-with-thing-on-head video from the cellar. It is a fine vintage.
[Embedded video]
SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack appeared first on Security Boulevard.
DeepSeek, a disruptive new AI model from China, has shaken the market, sparking both excitement and controversy. While it has gained attention for its capabilities, it also raises pressing security concerns. Allegations have surfaced about its training data, with claims that it may have leveraged models like OpenAI’s to cut development costs. Amid these discussions, [...]
The post Analyzing DeepSeek’s System Prompt: Jailbreaking Generative AI appeared first on Wallarm.
The post Analyzing DeepSeek’s System Prompt: Jailbreaking Generative AI appeared first on Security Boulevard.
As internet security evolves, SSL (Secure Sockets Layer) certificates, cornerstones of encrypted communication, are stepping into a brand-new role as vital tools in the fight against cyberattacks. Experts are now leveraging SSL intelligence and historical SSL data to expose hidden threat actor infrastructure, track malware activity, and thwart potential cyber threats before they gain traction. […]
The post New Threat Hunting Technique to Uncover Malicious Infrastructure Using SSL History appeared first on Cyber Security News.
Fenix24 this week acquired vArmour to add an ability to detect the relationship between software, as part of an effort to extend the services it provides to enable organizations to recover faster from a cyberattack.
The post Fenix24 Acquires vArmour to Boost Cyber Resiliency Services appeared first on Security Boulevard.
The food delivery industry has a fraud problem. With slim profit margins already under pressure, bad actors are exploiting vulnerabilities on both the consumer and courier sides of delivery platforms.
The post How Fraud is Eating Away at Food Delivery Profits appeared first on Security Boulevard.