😈 [ Aurélien Chalot @Defte_ ]
Wanna blindly check if the ADCS web enroll is installed on a domain ? Bruteforce the /certenroll endpoint without the trailing/ on all webservers. If you hit the ADCS web enroll you will get a location: /certenroll/ header in the response. Now enjoy blind ntlmrelayx ESC8 👀👀👀
Example. This webserver does not expose a ADCS web enroll endpoint but the Windows Admin Center panel. Yet your command will flag it as ADCS. While mine won't ;)
🐥 [ tweet ]
Wanna blindly check if the ADCS web enroll is installed on a domain ? Bruteforce the /certenroll endpoint without the trailing/ on all webservers. If you hit the ADCS web enroll you will get a location: /certenroll/ header in the response. Now enjoy blind ntlmrelayx ESC8 👀👀👀
Example. This webserver does not expose a ADCS web enroll endpoint but the Windows Admin Center panel. Yet your command will flag it as ADCS. While mine won't ;)
🐥 [ tweet ]
👍9🤔2🤯2
😈 [ BlackWasp @BlWasp_ ]
Last week I have presented a conference at @sth4ck about the SCCM infrastructures and how to exploit them during your internal pentests and Red Team missions to quickly become Domain Admin!
If you understand french or can use subnoscripts, go check it out ✌️
🔗 https://youtu.be/ibFQgsAMjwI?si=Su_WW3sKBjtf9IxV
🐥 [ tweet ]
Last week I have presented a conference at @sth4ck about the SCCM infrastructures and how to exploit them during your internal pentests and Red Team missions to quickly become Domain Admin!
If you understand french or can use subnoscripts, go check it out ✌️
🔗 https://youtu.be/ibFQgsAMjwI?si=Su_WW3sKBjtf9IxV
🐥 [ tweet ]
🔥4
Offensive Xwitter
😈 [ ap @decoder_it ] Based on a recent finding, tried to understand on how to abuse the "SeRelabelPrivilege". Thanks to @tiraniddo post , I was able to perform an LPE in its simplest form. -> No security boundary violation ;) 🔗 https://www.tiraniddo.dev/2021/06/the…
😈 [ ap @decoder_it ]
Just published a short blog post on abusing the SeRelabelPrivilege ;)
🔗 https://decoder.cloud/2024/05/30/abusing-the-serelabelprivilege/
🐥 [ tweet ]
Just published a short blog post on abusing the SeRelabelPrivilege ;)
🔗 https://decoder.cloud/2024/05/30/abusing-the-serelabelprivilege/
🐥 [ tweet ]
🔥5
😈 [ Synacktiv @Synacktiv ]
Did you enjoy the latest blogpost on PHP filter chains? Well, our ninja @_remsio_ strikes again with a new article detailing how you can abuse them to leak files from the targeted system, as well as a freshly developed tool to exploit it!
🔗 https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle
🐥 [ tweet ]
Did you enjoy the latest blogpost on PHP filter chains? Well, our ninja @_remsio_ strikes again with a new article detailing how you can abuse them to leak files from the targeted system, as well as a freshly developed tool to exploit it!
🔗 https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle
🐥 [ tweet ]
🔥6
😈 [ Octoberfest7 @Octoberfest73 ]
I have a vague memory of some research posted in the past year or two about a technique for executing encrypted shellcode by decrypting the next instruction, executing it, remasking it, etc. Ring any bells for anyone?
… answer …
🔗 https://github.com/lem0nSec/ShellGhost
🐥 [ tweet ]
I have a vague memory of some research posted in the past year or two about a technique for executing encrypted shellcode by decrypting the next instruction, executing it, remasking it, etc. Ring any bells for anyone?
… answer …
🔗 https://github.com/lem0nSec/ShellGhost
🐥 [ tweet ]
🔥4
Forwarded from 1N73LL1G3NC3
CookieKatz
Dump cookies directly from Chrome, Edge, or Msedgewebview2 process memory. Chromium-based browsers load all their cookies from the on-disk cookie database on startup.
The benefits of this approach are:
This solution consists of three projects:
Dump cookies directly from Chrome, Edge, or Msedgewebview2 process memory. Chromium-based browsers load all their cookies from the on-disk cookie database on startup.
The benefits of this approach are:
• Support dumping cookies from Chrome’s Incogntio and Edge’s In-Private processes
• Access cookies of other user’s browsers when running elevated
• Dump cookies from webview processes
• No need to touch on-disk database file
• DPAPI keys not needed to decrypt the cookies
• Parse cookies offline from a minidump file
This solution consists of three projects:
• CookieKatz - PE executable
• CookieKatz-BOF - Beacon Object File version
• CookieKatzMinidump - minidump parser.
🔥14👍3🥱2
😈 [ Rémi GASCOU (Podalirius) @podalirius_ ]
smbclient-ng is finally out! 🥳
Discover lots of features, additional modules, autocompletion, recursive get and recursive put, colors and progress bars!
🔗 https://github.com/p0dalirius/smbclient-ng
🐥 [ tweet ]
smbclient-ng is finally out! 🥳
Discover lots of features, additional modules, autocompletion, recursive get and recursive put, colors and progress bars!
🔗 https://github.com/p0dalirius/smbclient-ng
🐥 [ tweet ]
🔥9👍2
😈 [ Smukx.E @5mukx ]
My Nerdy work Releases (^^)
Obfuscation methods:
🔗 https://github.com/Whitecat18/Rust-for-Malware-Development/tree/main/obfuscation
Process Hollow:
🔗 https://github.com/Whitecat18/Rust-for-Malware-Development/blob/main/Process/remote_mapping_injection.rs
Remote Mapping Inject:
🔗 https://github.com/Whitecat18/Rust-for-Malware-Development/blob/main/shellcode_exec/Shell-Exec_fnPointer.rs
Shellcode Exec fn pnt:
🔗 https://github.com/Whitecat18/Rust-for-Malware-Development/blob/main/Process/process_hollowing.rs
DLL Unhooking:
🔗 https://github.com/Whitecat18/Rust-for-Malware-Development/blob/main/dll_injection/dll_unhooking.rs
🐥 [ tweet ]
My Nerdy work Releases (^^)
Obfuscation methods:
🔗 https://github.com/Whitecat18/Rust-for-Malware-Development/tree/main/obfuscation
Process Hollow:
🔗 https://github.com/Whitecat18/Rust-for-Malware-Development/blob/main/Process/remote_mapping_injection.rs
Remote Mapping Inject:
🔗 https://github.com/Whitecat18/Rust-for-Malware-Development/blob/main/shellcode_exec/Shell-Exec_fnPointer.rs
Shellcode Exec fn pnt:
🔗 https://github.com/Whitecat18/Rust-for-Malware-Development/blob/main/Process/process_hollowing.rs
DLL Unhooking:
🔗 https://github.com/Whitecat18/Rust-for-Malware-Development/blob/main/dll_injection/dll_unhooking.rs
🐥 [ tweet ]
🔥7
Forwarded from КиберТопор
В Твиттере официально разрешили публиковать порно
Теперь пользователи могут создавать и смотреть видео на сексуальную тематику, если они сделаны по обоюдному согласию
–Можно мне PorhHub?
–У нас есть PorhHub дома
PorhHub дома:
🕹КиберТопор — Подписаться
Теперь пользователи могут создавать и смотреть видео на сексуальную тематику, если они сделаны по обоюдному согласию
–Можно мне PorhHub?
–У нас есть PorhHub дома
PorhHub дома:
🕹КиберТопор — Подписаться
🍌8😁4
😈 [ Outflank @OutflankNL ]
It's not *always* about Windows - macOS and Linux #EDRs need attention, too! In our latest blog, @kyleavery_ explains more about the telemetry sources for these under-discussed endpoint products:
🔗 https://www.outflank.nl/blog/2024/06/03/edr-internals-macos-linux/
🐥 [ tweet ]
It's not *always* about Windows - macOS and Linux #EDRs need attention, too! In our latest blog, @kyleavery_ explains more about the telemetry sources for these under-discussed endpoint products:
🔗 https://www.outflank.nl/blog/2024/06/03/edr-internals-macos-linux/
🐥 [ tweet ]
🔥4
😈 [ James Forshaw @tiraniddo ]
Just because you get access denied accessing a folder, it doesn't mean you can't get access. A quick look at bypassing the security on the WindowsApps folder.
🔗 https://www.tiraniddo.dev/2024/06/working-your-way-around-acl.html
🐥 [ tweet ]
Just because you get access denied accessing a folder, it doesn't mean you can't get access. A quick look at bypassing the security on the WindowsApps folder.
🔗 https://www.tiraniddo.dev/2024/06/working-your-way-around-acl.html
🐥 [ tweet ]
👍5🔥1
😈 [ V❄️ @vincenzosantuc1 ]
In-memory sleeping technique using threads created in suspended state and timers that work with the ResumeThread function in order to adapt SWAPPALA to the Reflective DLL context.
🔗 https://oldboy21.github.io/posts/2024/06/sleaping-issues-swappala-and-reflective-dll-friends-forever/
🐥 [ tweet ]
In-memory sleeping technique using threads created in suspended state and timers that work with the ResumeThread function in order to adapt SWAPPALA to the Reflective DLL context.
🔗 https://oldboy21.github.io/posts/2024/06/sleaping-issues-swappala-and-reflective-dll-friends-forever/
🐥 [ tweet ]
🔥2
This media is not supported in your browser
VIEW IN TELEGRAM
😈 [ Tim McGuffin @NotMedic ]
Powershell and DNS was my jam forever. I built entire attack frameworks around it. nslookup one TXT record, copy/paste it into a PS window, and bring in a ton of tools. AES encrypted, B64 encoded TXT records. It's noisy if they're looking, but most aren't looking.
🐥 [ tweet ][ reply ]
Powershell and DNS was my jam forever. I built entire attack frameworks around it. nslookup one TXT record, copy/paste it into a PS window, and bring in a ton of tools. AES encrypted, B64 encoded TXT records. It's noisy if they're looking, but most aren't looking.
🐥 [ tweet ][ reply ]
🔥11
Offensive Xwitter
😈 [ Tim McGuffin @NotMedic ] Powershell and DNS was my jam forever. I built entire attack frameworks around it. nslookup one TXT record, copy/paste it into a PS window, and bring in a ton of tools. AES encrypted, B64 encoded TXT records. It's noisy if they're…
Фигею с того, насколько сильно люди могут заморочиться с выгрузкой поше-скриптов через статические TXT-записи - это уже второй фреймворк, который я увидел на просторах Твиттера (первый был тут). Но это напомнило мне один старый прикол 😁
Please open Telegram to view this post
VIEW IN TELEGRAM
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥14
😈 [ Orange Tsai 🍊 @orange_8361 ]
PHP just fixed one of my RCE vulnerabilities, which affects XAMPP by default. Check to see if you are affected and update now! 🔥
🔗 https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html
🐥 [ tweet ]
PHP just fixed one of my RCE vulnerabilities, which affects XAMPP by default. Check to see if you are affected and update now! 🔥
🔗 https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html
🐥 [ tweet ]
🔥6
😈 [ 𝙻𝚊𝚠𝚛𝚎𝚗𝚌𝚎 @zux0x3a ]
Released .NET tool for extracting Windows Defender exclusions & ASR rules! 🌟
🔹 Works from low user context .
🔹 Supports local & remote queries
🔹 Extracts paths from Event ID 5007 and ASR from Event ID 1121 using regex
🔹 Enumerates ASR rules from MSFT_MpPreference WMI class(works perfectly from low user context as well).
🔹 Displays results in a clean, tabulated format
works smoothly with inline-assembly!
🔗 https://github.com/0xsp-SRD/MDE_Enum
🐥 [ tweet ]
Released .NET tool for extracting Windows Defender exclusions & ASR rules! 🌟
🔹 Works from low user context .
🔹 Supports local & remote queries
🔹 Extracts paths from Event ID 5007 and ASR from Event ID 1121 using regex
🔹 Enumerates ASR rules from MSFT_MpPreference WMI class(works perfectly from low user context as well).
🔹 Displays results in a clean, tabulated format
works smoothly with inline-assembly!
🔗 https://github.com/0xsp-SRD/MDE_Enum
🐥 [ tweet ]
🔥5👍2
Forwarded from PT SWARM
😀 Simple way to bypass a WAF in Command Injections!
Also helps with length restrictions! 🚀
Source code
Also helps with length restrictions! 🚀
Source code
🔥4🥱4👍1
Offensive Xwitter
😈 [ Kleiton Kurti @kleiton0x7e ] Created a PoC for loading DLLs without LoadLibraryA. Instead we'll leverage the VEH (Vectored Exception Handler) to modify the context, especially RIP and RCX to hold the LoadLibraryA address and it's argument. 🔗 https:/…
😈 [ Kleiton Kurti @kleiton0x7e ]
Improved the DLL-Load proxying by adding CFG bypass. As Tp* function techniques are ROP-based, a CFG bypass is likely to be needed. A way of neutralizing CFG is marking the ROP gadget stub as CFG_CALL_TARGET_VALID. Thanks @snovvcrash for the suggestion!
🔗 https://github.com/kleiton0x00/Proxy-DLL-Loads/tree/cfg-bypass/CFG.c
🐥 [ tweet ]
Improved the DLL-Load proxying by adding CFG bypass. As Tp* function techniques are ROP-based, a CFG bypass is likely to be needed. A way of neutralizing CFG is marking the ROP gadget stub as CFG_CALL_TARGET_VALID. Thanks @snovvcrash for the suggestion!
🔗 https://github.com/kleiton0x00/Proxy-DLL-Loads/tree/cfg-bypass/CFG.c
🐥 [ tweet ]
👍5🔥1