Offensive Xwitter – Telegram
Offensive Xwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ taha @lordx64 ]

Imagine you are the threat actor behind the xz backdoor and you have to explain to your boss why you spent 6+ months building something this complex that a single dude reversed, documented, exploited, repurposed, honeypotted and dockerized in 24 hours. This is a W

🔗 https://github.com/amlweems/xzbot

🐥 [ tweet ]
😁12🥱3😢2👍1🔥1
😈 [ Mayfly @M4yFly ]

SCCM Lab write up 📝part 0x3 is out:

🔗 https://mayfly277.github.io/posts/SCCM-LAB-part0x3/

- Exploit as client admin
- Exploit as sccm admin

Find all the articles about the SCCM laboratory exploitation here:

🔗 https://mayfly277.github.io/categories/sccm/

🐥 [ tweet ]
👍6
Forwarded from Just Security
Judging by everything, the #pentestaward winner's statuette not only pleases the eye but also comes in handy around the house for our prize winners. If you want one too, don't miss the announcement of the new season of the award for ethical hackers!

We'll publish the details soon 😉
* be sure to turn the sound on
🔥5👍3🥱3
😈 [ Mark Baggett @MarkBaggett ]

Kerberoasting was discovered more than 8 years ago. But it’s still effective today. Do you know how it works and how it was discovered? Check out @TimMedin of @RedSiege in this episode.

🔗 https://youtu.be/KHkYd81wHTg?si=Hy_sJN_YjQqSnL6J

🐥 [ tweet ]
🔥4🤯3👍1
😈 [ Mark Baggett @MarkBaggett ]

Do you know the history of Metasploit? How did it grow from a small project to a game changer for Infosec? Check out this episode of Infosec. Toolshed featuring @hdmoore

🔗 https://youtu.be/Dl6qNRCiPgo?si=-zKticbSGYqlL6H7

🐥 [ tweet ]
👍4
😈 [ Ido Veltzman @Idov31 ]

After a long time, the 6th and final part of Lord Of The Ring0 is here:
In this part, the focus will be on kernel mode and user mode memory interaction, a look into how process attaching works, and writing an AMSI bypass driver:

🔗 https://idov31.github.io/posts/lord-of-the-ring0-p6

🐥 [ tweet ]
🔥5
😈 [ Diego Capriotti @naksyn ]

One thing I always look for when starting in a network without AD creds is user enumeration with RPC null sessions.
impacket SAMR (samrdump) and LSARPC (lookupsid) tools will give you only a small part of the story. Here's my minimal RID cycling script that outplayed everything else, enabling me to find some crackable ASREP-roastable DA accounts hiding with RID > 50000 that could not be found using other tools.
I am using chunks to avoid DoS and getting NT_STATUS_INSUFFICIENT_RESOURCES; ofc you can tweak it according to your YOLO level.
There will be a new RPC connection for every chunk; it's a bit better than cycling with rpcclient and starting an RPC connection from scratch every time. However, RID cycling with rpcclient will generate a ton of STATUS_NO_SUCH_USER responses that are sus, if someone is looking and knows what to look for ofc.

🔗 https://gist.github.com/naksyn/8204c76cda2541e72668fa065ba94c09

🐥 [ tweet ]
🔥4
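The post above makes a point a defender can use: RID cycling, chunked or not, leaves a burst of unresolved-RID lookups (STATUS_NO_SUCH_USER from SAMR, STATUS_NONE_MAPPED from LSARPC) from one source. The detector below is an added example written for this page; it is not naksyn's gist and not part of the original post. It assumes a constructed one-line-per-lookup record format (timestamp, source host, RPC operation, RID, NT status); map whatever RPC/SMB telemetry you actually collect onto that shape. The threshold and window are assumptions to tune, and the sample data is constructed inline.

```python
"""Flag RID-cycling style enumeration from per-lookup RPC records.

Added example for this page; the record format is constructed, not a real
Windows or Samba log format. Thresholds are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed record shape: "<iso-ts> src=<host> op=<rpc-op> rid=<n> status=<NT status>"
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) op=(?P<op>\S+) rid=(?P<rid>\d+) status=(?P<status>\S+)$"
)

# NT statuses a DC returns when a RID maps to no principal
# (SAMR lookups and LSARPC LookupSids respectively).
MISS_STATUSES = {"STATUS_NO_SUCH_USER", "STATUS_NONE_MAPPED"}


def parse_records(text):
    """Yield one dict per well-formed line; malformed or blank lines are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["rid"] = int(rec["rid"])
        yield rec


def detect_rid_cycling(records, threshold=50, window=timedelta(minutes=5)):
    """Return one alert per source whose unresolved-RID lookups reach
    `threshold` inside a sliding `window`. Records must be in time order."""
    misses = defaultdict(deque)   # src -> timestamps of recent misses
    max_rid = defaultdict(int)    # src -> highest RID that source asked about
    alerts = {}
    for rec in records:
        src = rec["src"]
        max_rid[src] = max(max_rid[src], rec["rid"])
        if rec["status"] not in MISS_STATUSES:
            continue
        q = misses[src]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop misses outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"src": src, "first_seen": q[0], "misses_in_window": len(q)}
    # Report how far up the RID space each flagged source walked (the post's
    # point: interesting accounts can sit well above the ranges tools default to).
    for src, alert in alerts.items():
        alert["max_rid"] = max_rid[src]
    return list(alerts.values())


def run_detection(text, **kwargs):
    """Parse, order by timestamp (stable sort keeps per-source order), detect."""
    records = sorted(parse_records(text), key=lambda r: r["ts"])
    return detect_rid_cycling(records, **kwargs)


# Constructed benign traffic: a file server resolving a handful of SIDs.
BENIGN_LOG = """\
2024-04-02T10:00:00 src=10.0.0.5 op=LsarLookupSids rid=500 status=STATUS_SUCCESS
2024-04-02T10:00:03 src=10.0.0.5 op=LsarLookupSids rid=1105 status=STATUS_SUCCESS
2024-04-02T10:00:09 src=10.0.0.5 op=LsarLookupSids rid=1106 status=STATUS_NO_SUCH_USER
2024-04-02T10:01:14 src=10.0.0.5 op=SamrLookupIds rid=1107 status=STATUS_SUCCESS
"""


def constructed_cycling_log(src="10.0.0.99", start=50000, count=300, chunk=20):
    """Constructed: one host walking RIDs start..start+count-1 in chunks of
    `chunk` per second; most RIDs are unassigned and come back as misses."""
    t0 = datetime(2024, 4, 2, 10, 0, 0)
    lines = []
    for i in range(count):
        rid = start + i
        status = "STATUS_SUCCESS" if rid % 50 == 0 else "STATUS_NO_SUCH_USER"
        ts = t0 + timedelta(seconds=i // chunk)
        lines.append(f"{ts.isoformat()} src={src} op=LsarLookupSids rid={rid} status={status}")
    return "\n".join(lines)


if __name__ == "__main__":
    for a in run_detection(BENIGN_LOG + "\n" + constructed_cycling_log()):
        print(f"RID cycling suspected from {a['src']}: {a['misses_in_window']} misses "
              f"since {a['first_seen'].isoformat()}, highest RID probed {a['max_rid']}")
```

Chunking lowers the connection count, so a detector keyed on new RPC sessions misses it; keying on unresolved-RID responses per source, as above, does not. A second useful signal to keep alongside the alert is the highest RID probed, since a source walking past the range where most tooling stops is itself worth a look.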
😈 [ Ricardo Ruiz @RicardoJoseRF ]

Last week I made public NativeDump, a tool to dump lsass using only Native APIs by hand-crafting Minidump files (without MinidumpWriteDump!). Check it out here:

🔗 https://github.com/ricardojoserf/NativeDump

🐥 [ tweet ]
🔥9
😈 [ Filip Dragovic @filip_dragovic ]

I published my PoC for CVE-2023-36047 as MSRC fixed the bypass today, tracked as CVE-2024-21447. With some modification it can be ported for CVE-2024-21447.

🔗 https://github.com/Wh04m1001/UserManagerEoP
🔗 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36047
🔗 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21447

🐥 [ tweet ]
👍4
😈 [ TrustedSec @TrustedSec ]

TAC Practice Lead @mega_spl0it and co-author @4ndr3w6S are back with the final installment of A Hitch-Hacker’s Guide to DACL-Based Detections. Read about the additional attributes they found on our blog!

🔗 https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-the-addendum

🐥 [ tweet ]
🔥3
😈 [ Octoberfest7 @Octoberfest73 ]

I spent the past couple of days playing with and contributing to @R0h1rr1m's Shoggoth project, which can turn PEs and BOFs into PIC. Super cool project, and one that opens up some interesting possibilities 😉

🔗 https://github.com/frkngksl/Shoggoth

🐥 [ tweet ]
🔥5
Forwarded from PT SWARM
🏭 We've tested the new RCE in Microsoft Outlook (CVE-2024-21378) in a production environment and confirm it works well!

A brief instruction for red teams:

1. Compile our enhanced DLL;
2. Use NetSPI's ruler and wait!

No back connect required!

🔥 📐📏
🔥5👍4
😈 [ Andy Gill @ZephrFish ]

My latest post on the @Lares_ Labs blog, is live. It discusses a real-world scenario we observed during a pentest.

🔗 https://labs.lares.com/this-one-time-on-a-pentest/

🐥 [ tweet ]
🥱1
Freedom F0x
A manual for scratching your ego:
1. Open a random pentest guide.
2. Go to the references.
3. Count the matches for your nickname.
4. If > 0: rejoice, forgetting for a couple of seconds the frailty of existence (else: tilt).
😁26👍4🥱1
😈 [ Fabio Assolini @assolini ]

XZ backdoor story – Initial analysis

🔗 https://securelist.com/xz-backdoor-story-part-1/112354/

🐥 [ tweet ]
👍8
😈 [ Eloy @zer1t0@defcon.social @zer1t0 ]

Shellnova: A template for generating advanced Linux shellcodes from C code that resolves libc functions dynamically. Inspired by the Windows Stardust of @C5pider.

🔗 https://gitlab.com/Zer1t0/shellnova

🐥 [ tweet ]
🔥5👍1
😈 [ Rhino Security Labs @RhinoSecurity ]

New Blog Post: CVE-2024-2448: Authenticated Command Injection In Progress Kemp LoadMaster

🔗 https://rhinosecuritylabs.com/research/cve-2024-2448-kemp-loadmaster/

🐥 [ tweet ]
👍2🤯1