😈 [ n00py1, n00py ]
Blue Teams turn for shellz
https://t.co/8L5t9N5w5H
🔗 https://github.com/its-arun/CVE-2022-39197
🐥 [ tweet ]
😈 [ filip_dragovic, Filip Dragovic ]
PoC for CVE-2022-3368, arbitrary file move bug I found in Avira Security.
https://t.co/MRewhiDit4
🔗 https://github.com/Wh04m1001/CVE-2022-3368
🐥 [ tweet ]
😈 [ dafthack, Beau Bullock ]
Finding cleartext creds in AD user attributes is something that happens more than most might think. Great demo John! Here's a 1-liner to find these while leveraging PowerView:
https://t.co/ZItkN8BjZ9
And here's one for Azure AD:
https://t.co/IcCHRYPrE5
🔗 https://gist.github.com/dafthack/5f8c36f7468fad991e9e1f6d81ec29d4
🐥 [ tweet ][ quote ]
😈 [ n00py1, n00py ]
I made a tool to enumerate fine-grained password policies from Linux.
Not sure how useful it will be as you typically need admin to enumerate it. Either way, here it is!
https://t.co/gGphLCCmgN
🔗 https://github.com/n00py/GetFGPP
🐥 [ tweet ]
😈 [ 0x09AL, Rio ]
Full analysis of the Cobalt Strike RCE that @FuzzySec and I wrote is now up.
https://t.co/882Xpd3i8x
🔗 https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/
🐥 [ tweet ]
😈 [ Tarlogic, Tarlogic ]
From #Log4Shell to #Text4Shell. Vulnerability CVE-2022-42889 has once again put Java products in check, albeit with lesser affectation. Our colleagues @TuLkHaXs, @nicovell3, and @joserabal analyze the incident 👇
https://t.co/qGDpUOq3aY
🔗 https://www.tarlogic.com/blog/cve-2022-42889-critical-vulnerability-affects-apache-commons-text/
🐥 [ tweet ]
😈 [ mpgn_x64, mpgn ]
New CrackMapExec module to dump Microsoft Teams cookies thanks to @KuiilSec's contribution ✌️
You can use them to retrieve information like users, messages, groups, etc., or send messages directly in Teams 🔥
Initial discovery by @NoUselessTech 🪂
🐥 [ tweet ]
😈 [ ShitSecure, S3cur3Th1sSh1t ]
Did not find any Twitter handle for credits, but zimawhit3 released a (potentially game-changing for Nim) repo. PIC code over Nim? This would solve a lot of use cases, at least for me. +HalosGate/TartarusGate in Nim. 🔥🔥
https://t.co/TQ82rbpwih
🔗 https://github.com/zimawhit3/Bitmancer
🐥 [ tweet ]
😈 [ 424f424f, rvrsh3ll ]
Having fun running PowerShell from Python https://t.co/j5g3qzwwlV
🔗 https://github.com/JamesWTruher/PsPython
🐥 [ tweet ]
😈 [ ippsec, ippsec ]
#HackTheBox Faculty video is up! Enjoyed abusing the ptrace capability with GDB to inject code into a running process. But my fav was an Unintended SQL Injection in an Update Statement because it teaches an important lesson on how dangerous type can be. https://t.co/y3VHiqHrYw
🔗 https://www.youtube.com/watch?v=LGO-dn7668g
🐥 [ tweet ]
😈 [ D1rkMtr, D1rkMtr ]
https://t.co/UMTaYerSnT
Force the triggering of a conditional jump inside AmsiOpenSession() to close the AMSI scanning session:
The 1st patch by corrupting the AMSI context header.
The 2nd patch by changing the string "AMSI", which will be compared to the AMSI context header, to "D1RK".
🔗 https://github.com/D1rkMtr/PatchThatAMSI
🐥 [ tweet ]
😈 [ jack_halon, Jack Halon ]
Today I am finally releasing a new 3-part browser exploitation series on Chrome! This was written to help beginners break into the browser exploitation field.
Part 1 covers V8 internals such as objects, properties, and memory optimizations. Enjoy! https://t.co/bbFjOOzlOu
🔗 https://jhalon.github.io/chrome-browser-exploitation-1/
🐥 [ tweet ]
😈 [ mpgn_x64, mpgn ]
CrackMapExec can now retrieve gMSA passwords using the LDAP protocol and the option --gmsa 🔥 Thanks to @pentest_swissky for this addition to CME 🫡
Also, I probably don't say it enough but thanks to all the sponsors from @porchetta_ind 🪂
🐥 [ tweet ]
😈 [ kalilinux, Kali Linux ]
New Blog Post - Kali Community Themes https://t.co/G0IVtG4hcl
Everyone loves the default Kali themes, but some people like to heavily customize their install to make it their own. In this community blog post we discuss customizations some have made, along with their configs.
🔗 https://www.kali.org/blog/kali-community-themes/
🐥 [ tweet ]
😈 [ mpgn_x64, mpgn ]
Dumping LSASS is such a 2020 move, let me introduce a new CrackMapExec module called Masky developed by @_ZakSec 🎉
If you have admin privileges, the module will impersonate all connected users -> request a certificate (ADCS) -> retrieve the NT hash using PKINIT 🚀
Crazy module 🪂
🐥 [ tweet ]
😈 [ BlackArrowSec, BlackArrow ]
💥One shell to HANDLE them all
New approach to escalate privileges from a web shell by abusing open token handles. #RedTeam /cc @_Kudaes_
➡ https://t.co/8KWQw4q5U5
🔗 https://www.tarlogic.com/blog/token-handles-abuse-one-shell-to-handle-them-all/
🐥 [ tweet ]
😈 [ _dirkjan, Dirk-jan ]
If you missed my Black Hat US talk about abusing External Identities in Azure AD, I will be giving the talk again as a BH webcast on Thursday November 10th!
You can register on the BH site: https://t.co/9QgT5Cd5Xk
I'll be joined by @kfosaaen sharing more Azure AD research 😀
🔗 https://www.blackhat.com/html/webcast/11102022-backdooring-and-hijacking-azure-ad-accounts.html
🐥 [ tweet ]
😈 [ _RastaMouse, Rasta Mouse ]
I finally got around to publishing release binaries for #SharpC2. They're self-contained, so there's no need to have a .NET runtime or SDK installed to use them.
https://t.co/sGFr5XbAtf
🔗 https://github.com/rasta-mouse/SharpC2/releases/latest
🐥 [ tweet ]
Forwarded from 1N73LL1G3NC3
A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
Description
Upload a DLL to the target machine. Then it enables remote registry to modify the AutodialDLL entry and start/restart the BITS service. Svchost would load our DLL, set AutodialDLL back to its default value and perform an RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.