Offensive Xwitter – Telegram
Offensive Xwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ Kali Linux @kalilinux ]

The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today:

sudo apt update && sudo apt install --only-upgrade liblzma5


🔗 https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/
🔗 https://www.openwall.com/lists/oss-security/2024/03/29/4
🔗 https://threadreaderapp.com/thread/1773786266074513523.html
🔗 https://tukaani.org/xz-backdoor/

🐥 [ tweet ]

⚠️ UPDATE ASAP ⚠️
🔥11👍6😁3
😈 [ Matt Creel @Tw1sm ]

Been working to improve my BOF/C dev skills, created some BOFs mimicking SQLRecon modules as a fun learning exercise

🔗 https://github.com/Tw1sm/SQL-BOF

🐥 [ tweet ]
👍4
😈 [ 0xdf @0xdf_ ]

I learned so much about Kerberos solving Rebound. It was very difficult, but such a great experience. There's Kerberoasting without auth, cross session with RemotePotato0, and abusing delegation, both constrained and RBCD!

🔗 https://0xdf.gitlab.io/2024/03/30/htb-rebound.html
🔗 https://youtu.be/oUIoH4yBT3k?si=EvookdfPJ6wMaCZK

🐥 [ tweet ]

Haven't been on HTB in a million years, but the write-up is fun; in places it even looks realistic for a real AD environment.
🔥8👍1
😈 [ Lsec @lsecqt ]

My blogpost about bypassing AVs via SMB staging is now LIVE:

🔗 https://lsecqt.github.io/Red-Teaming-Army/malware-development/beyond-detection-smb-staging-for-antivirus-evasion/

Let me know if you enjoy such content and if you would want to see more of that in future.

🐥 [ tweet ]

#for_the_very_beginners
🔥6👍5
😈 [ Octoberfest7 @Octoberfest73 ]

This April Fools Day, I'm excited to release my latest research and blog post from my time at @RedSiege: SSHishing. The name might be a joke, but the technique isn't!

Read the details here:

🔗 https://redsiege.com/sshishing

🐥 [ tweet ]
🤔2
😈 [ Cipher007 @xCipher007 ]

It's my first payload Loader with my learnings from @MalDevAcademy ! Check it out:

🔗 https://github.com/Cipher7/ChaiLdr

🐥 [ tweet ]
👍4
😈 [ taha @lordx64 ]

Imagine you are the threat actor behind the xz backdoor and you have to explain to your boss why you spent 6+ months building something this complex that a single dude reversed, documented, exploited, repurposed, honeypotted and dockerized in 24 hours. This is a W

🔗 https://github.com/amlweems/xzbot

🐥 [ tweet ]
😁12🥱3😢2👍1🔥1
😈 [ Mayfly @M4yFly ]

SCCM Lab write up 📝part 0x3 is out:

🔗 https://mayfly277.github.io/posts/SCCM-LAB-part0x3/

- Exploit as client admin
- Exploit as sccm admin

Find all the articles about the SCCM laboratory exploitation here:

🔗 https://mayfly277.github.io/categories/sccm/

🐥 [ tweet ]
👍6
Forwarded from Just Security
Judging by everything, the #pentestaward winner's statuette not only pleases the eye but also comes in handy around the house for our prize winners. If you want one too, don't miss the announcement of the new season of the award for ethical hackers!

We'll publish the details soon 😉
* be sure to watch with the sound on
🔥5👍3🥱3
😈 [ Mark Baggett @MarkBaggett ]

Kerberoasting was discovered more than 8 years ago. But it’s still effective today. Do you know how it works and how it was discovered? Check out @TimMedin of @RedSiege in this episode.

🔗 https://youtu.be/KHkYd81wHTg?si=Hy_sJN_YjQqSnL6J

🐥 [ tweet ]
🔥4🤯3👍1
😈 [ Mark Baggett @MarkBaggett ]

Do you know the history of Metasploit? How did it grow from a small project to a game changer for Infosec? Check out this episode of Infosec Toolshed featuring @hdmoore

🔗 https://youtu.be/Dl6qNRCiPgo?si=-zKticbSGYqlL6H7

🐥 [ tweet ]
👍4
😈 [ Ido Veltzman @Idov31 ]

After a long time, the 6th and final part of Lord Of The Ring0 is here:
In this part, the focus will be on kernel mode and user mode memory interaction, a look into how attaching to a process works, and writing an AMSI bypass driver:

🔗 https://idov31.github.io/posts/lord-of-the-ring0-p6

🐥 [ tweet ]
🔥5
😈 [ Diego Capriotti @naksyn ]

One thing I always look for when starting in a network without AD creds is user enumeration with RPC null sessions.
impacket SAMR (samrdump) and LSARPC (lookupsid) tools will give you only a small part of the story. Here's my minimal RID cycling script that outplayed everything else, enabling me to find some crackable ASREP-roastable DA accounts hiding with RID > 50000 that could not be found using other tools.
I am using chunks to avoid DoS and getting NT_STATUS_INSUFFICIENT_RESOURCES, ofc you can tweak it according to your YOLO level.
There will be a new RPC connection for every chunk; it's a bit better than cycling and using rpcclient every time and always starting RPC connections from scratch. However, RID cycling with rpcclient will generate a ton of STATUS_NO_SUCH_USER responses that are sus, if someone is looking and knows what to look for ofc

🔗 https://gist.github.com/naksyn/8204c76cda2541e72668fa065ba94c09

🐥 [ tweet ]
🔥4
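Detection-side counterpart to the STATUS_NO_SUCH_USER remark in the post above, as an added example that is not from the tweet or the linked gist: a sliding-window count of failed name/SID lookup responses per source host. The log line format and the sample lines are constructed for the example; real telemetry would need the same fields (time, source, RPC operation, NTSTATUS) pulled from your own DC or RPC logging.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical log layout (not a real Windows or Samba event format):
# "<ISO timestamp> src=<ip> op=<rpc operation> status=<NTSTATUS name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) op=(?P<op>\S+) status=(?P<status>\S+)$"
)

# NTSTATUS values a lookup returns when a RID maps to no account/object.
MISS_STATUSES = {"STATUS_NO_SUCH_USER", "STATUS_NONE_MAPPED"}


def detect_rid_cycling(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {src: total_misses} for every source that produced at least
    `threshold` failed lookups inside any single `window` of time."""
    misses = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["status"] not in MISS_STATUSES:
            continue  # unparsable line or a lookup that actually resolved
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        misses[m["src"]].append(ts)

    alerts = {}
    for src, stamps in misses.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it fits inside `window`
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = len(stamps)
                break  # one alert per source is enough
    return alerts


# Constructed sample: 10.0.0.5 sweeps RIDs (3 of every 4 lookups miss),
# 10.0.0.9 makes a single failed lookup, which is normal noise.
SAMPLE = [
    f"2024-03-30T10:00:{i:02d}Z src=10.0.0.5 op=samr_lookupnames "
    f"status={'STATUS_NO_SUCH_USER' if i % 4 else 'STATUS_SUCCESS'}"
    for i in range(60)
]
SAMPLE.append("2024-03-30T10:00:30Z src=10.0.0.9 op=samr_lookupnames "
              "status=STATUS_NO_SUCH_USER")
```

Chunked sweeps like the one in the post spread the misses across new RPC connections but not across time, so a per-source window rather than a per-connection count is what keeps the signal visible.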
😈 [ Ricardo Ruiz @RicardoJoseRF ]

Last week I made public NativeDump, a tool to dump lsass using only Native APIs by hand-crafting Minidump files (without MinidumpWriteDump!). Check it out here:

🔗 https://github.com/ricardojoserf/NativeDump

🐥 [ tweet ]
🔥9
😈 [ Filip Dragovic @filip_dragovic ]

I published my PoC for CVE-2023-36047 as MSRC fixed the bypass today, tracked as CVE-2024-21447. With some modification it can be ported to CVE-2024-21447.

🔗 https://github.com/Wh04m1001/UserManagerEoP
🔗 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36047
🔗 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21447

🐥 [ tweet ]
👍4
😈 [ TrustedSec @TrustedSec ]

TAC Practice Lead @mega_spl0it and co-author @4ndr3w6S are back with the final installment of A Hitch-Hacker’s Guide to DACL-Based Detections. Read about the additional attributes they found on our blog!

🔗 https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-the-addendum

🐥 [ tweet ]
🔥3