😈 [ Vector 35 @vector35 ]
We've open-sourced another core Binary Ninja feature: SCC. If you're not familiar with it, the Shellcode Compiler has been built into BN from the beginning, allowing you to build small PIE shellcode in a variety of architectures right from the UI:
🔗 https://scc.binary.ninja/
🔗 https://github.com/Vector35/scc
If you haven't seen it before, it's available under the Edit / Compile dialog.
🐥 [ tweet ]
👍4
😈 [ Alex Neff @al3x_n3ff ]
NetExec v1.4.0 has been released! 🎉
There is a HUGE number of new features and improvements, including:
- backup_operator: Automatic priv esc for backup operators
- Certificate authentication
- NFS escape to root file system
And much more!
Full rundown:
🔗 https://github.com/Pennyw0rth/NetExec/releases/tag/v1.4.0
🐥 [ tweet ]
🔥17👍6
😈 [ Orange Cyberdefense's SensePost Team @sensepost ]
The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP. By @Defte_
Writeup:
🔗 https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./
PR to impacket:
🔗 https://github.com/fortra/impacket/pull/1947/files
Demo:
🔗 https://youtu.be/3mG2Ouu3Umk
🐥 [ tweet ]
🔥7👍2
😈 [ Check Point Research @_CPResearch_ ]
Thread Execution Hijacking is one of the well-known methods that can be used to run implanted code.
In this blog we introduce a new injection method that is based on this classic technique but is much stealthier: Waiting Thread Hijacking.
Blog:
🔗 https://research.checkpoint.com/2025/waiting-thread-hijacking/
Code:
🔗 https://github.com/hasherezade/waiting_thread_hijacking
🐥 [ tweet ]
👍8
😈 [ 0xdf @0xdf_ ]
OS Enumeration CheatSheet! I'll look at using package versions, common ports, and packet TTLs.
🔗 https://0xdf.gitlab.io/cheatsheets/os
🐥 [ tweet ]
👍7🥱1
😈 [ Compass Security @compasssecurity ]
3 milliseconds to admin — Our analyst John Ostrowski turned a DLL hijacking into a reliable local privilege escalation on Windows 11. He chained opportunistic locks and API hooking to win the race to CVE-2025-24076 & CVE-2025-24994. Read his blog post:
🔗 https://blog.compass-security.com/2025/04/3-milliseconds-to-admin-mastering-dll-hijacking-and-hooking-to-win-the-race-cve-2025-24076-and-cve-2025-24994/
🐥 [ tweet ]
👍6🤯4🔥1
😈 [ NetSPI @NetSPI ]
Microsoft patched critical vulnerabilities (CVE-2025-21299, CVE-2025-29809) in Q1 2025.
NetSPI research reveals Kerberos canonicalization bypasses Hyper-V isolation of credentials, compromising Windows security.
Read the full article:
🔗 https://www.netspi.com/blog/technical-blog/adversary-simulation/cve-2025-21299-cve-2025-29809-unguarding-microsoft-credential-guard/
🐥 [ tweet ]
😈 [ Jord @0xLegacyy ]
Blog post is out, BOF coming tomorrow 🐸
🔗 https://www.legacyy.xyz/defenseevasion/windows/2025/04/16/control-flow-hijacking-via-data-pointers.html
BOF is out now, enjoy! 🐸
🔗 https://github.com/iilegacyyii/DataInject-BOF
🐥 [ tweet ][ quote ]
🔥9🥱3
😈 [ hasherezade @hasherezade ]
Centralized resource for listing and organizing known injection techniques and POCs:
🔗 https://github.com/itaymigdal/awesome-injection
🐥 [ tweet ][ quote ]
🔥10👍1🤯1
😈 [ Mr.Z @zux0x3a ]
Last night, I made myself busy and revisited some older methods for exploiting tokens in Windows applications shared by @mrd0x a couple of years ago. However, I realized that the integration of AI into applications like Notepad presents new opportunities for exploitation. This led me to write a blog post and modify a BOF to tackle the issue.
A compromised Cowriter Bearer token could be leveraged to extract potentially sensitive information.
🔗 https://0xsp.com/offensive/the-hidden-risk-compromising-notepad-cowriters-bearer-tokens/
🐥 [ tweet ]
👍5
Offensive Xwitter
😈 [ ippsec @ippsec ] After using Python for so long, I've been trying to switch to GoLang over the last two years just to try something new. I'm finally somewhat confident in being able to write I'd try to create a video series to help others. This is the…
😈 [ ippsec @ippsec ]
New video in my Hackers for Golang series: Dependency Injection. Covers why it’s crucial for clean code, with Python examples before Go. It’s complex but worth learning early. Check it out and let me know your thoughts!
🔗 https://youtu.be/BhLpqRev80s
🐥 [ tweet ]
🔥9👍1🍌1
😈 [ R.B.C. @G3tSyst3m ]
Discovered a somewhat novel UAC bypass. Had fun learning this one. It takes advantage of machines that have the Intel ShaderCache directory installed in the appdata directory. Also uses junctions + arbitrary write, etc.
🔗 https://g3tsyst3m.github.io/uac%20bypass/Bypass-UAC-via-Intel-ShaderCache/
🐥 [ tweet ]
👍5🔥1
Offensive Xwitter
So, the annual Pentest Award 2024 ceremony (by @JustSecurity) has ended, so it's time for a stylish photo. Once again, big respect to the organizers: compared to last year, the scale of the initiative has grown, as has the maturity of how it is run (hello to the mustached bartenders…
Round 3
https://news.1rj.ru/str/justsecurity/382
#pentest_awards
Applications are now open for Pentest award 2025!💡 Every year we light up new bright bulbs in the garland of the domestic cybersecurity market: competent specialists who stay behind the scenes of the big work of finding vulnerabilities.
Participation is still free, and applications will be accepted until June 30. This year there are new nominations from the project's sponsors: Sovcombank Technologies and BI.ZONE Bug Bounty.🥇 The grand prize is a personalized glass statuette and a MacBook!
🥈🥉 Second- and third-place winners will receive iPhones and smartwatches.🎬 OFFZONE will give the finalists tickets to its 2025 conference.✏️ And the CyberEd training center will give training grants.
And of course, the most valuable reward for taking part is the honor and respect of the ethical hacking community.
Submit your applications on the website, take part and win!
👍5🔥2😢1
😈 [ Toffy @toffyrak ]
I have just released my first tool: GPOHound 🚀
GPOHound is an offensive tool for dumping and analysing GPOs. It leverages BloodHound data and enriches it with insights extracted from the analysis.
Check it out here:
🔗 https://github.com/cogiceo/GPOHound
🐥 [ tweet ]
👍14🔥10
😈 [ S3cur3Th1sSh1t @ShitSecure ]
And another AMSI bypass with a different DLL/patch 👌
🔗 https://medium.com/@andreabocchetti88/ghosting-amsi-cutting-rpc-to-disarm-av-04c26d67bb80
🐥 [ tweet ]
another_byte_patch++👍5
😈 [ Logan Goins @_logangoins ]
I jumped heavily into learning about SCCM tradecraft and wrote a detailed write-up with custom examples, covering the most interesting vulnerabilities that combine commonality and impact from low-privilege contexts, and what you can do to prevent them :)
🔗 https://logan-goins.com/2025-04-25-sccm/
🐥 [ tweet ]
👍4