Iago Abad (@iagoabad) 's Twitter Profile

@BlackArrowSec

ID: 1509790658130759724

01-04-2022 07:12:24

12 Tweet

56 Followers

340 Following

BlackArrow (@blackarrowsec) 's Twitter Profile Photo

Minor changes to Oliver Lyak\Certipy to make it compatible with Almond OffSec\PassTheCert. Now you can use both PKINIT and Schannel when dealing with ESC4! Find out more 👇 github.com/ly4k/Certipy/p…

BlackArrow (@blackarrowsec) 's Twitter Profile Photo

We've extended mitch\ntlm_challenger with MSSQL support! This is useful when network segmentation prevents reaching the SMB port ➡️ github.com/nopfor/ntlm_ch…

BlackArrow (@blackarrowsec) 's Twitter Profile Photo

Windows Local Privilege Escalation via StorSvc service (writable SYSTEM path DLL search order Hijacking) /cc Antón Ortigueira Kurosh Dabbagh ➡️ github.com/blackarrowsec/…

BlackArrow (@blackarrowsec) 's Twitter Profile Photo

Have you ever tried exploiting a Spring Boot Actuators RCE but the restart endpoint was disabled? ⬇️ Abuse this behaviour using this #TrickOrThreat by Antón Ortigueira

Kurosh Dabbagh (@_kudaes_) 's Twitter Profile Photo

I've found that fibers may be something to look at when it comes to executing local in-memory code. This is a simple PoC of how you can leverage fibers to execute in-memory code without spawning threads and hiding suspicious thread stacks among others. github.com/Kudaes/Fiber

BlackArrow (@blackarrowsec) 's Twitter Profile Photo

Watchguard has fixed 4 vulnerabilities in Watchguard EPDR discovered by our researchers Antón Ortigueira and Marcos Díaz. These vulnerabilities can be used to turn off the defensive capabilities of the product and achieve privilege escalation. ➡️ Advisories: watchguard.com/es/wgrd-psirt/…

BlackArrow (@blackarrowsec) 's Twitter Profile Photo

Our colleague Iago Abad has weaponized the leaked token handles technique for MSSQL. Now open token handles in MSSQL's process (sqlservr.exe) can be abused to change security context and escalate privileges both locally and in the domain. github.com/blackarrowsec/…

BlackArrow (@blackarrowsec) 's Twitter Profile Photo

Enhanced version of secretsdump from #Impacket to dump credentials without touching disk. This feature takes advantage of the WriteDACL privileges held by local administrators to provide temporary read permissions on registry hives. github.com/fortra/impacke…

BlackArrow (@blackarrowsec) 's Twitter Profile Photo

Our colleagues Kurosh Dabbagh & Inés will be at #HackOn2024 presenting an alternative approach to ROP-based sleep obfuscation technique to evade memory scanners. ➡️ Read more: hackon.es/charlas/In%C3%…

Kurosh Dabbagh (@_kudaes_) 's Twitter Profile Photo

Although it's nothing new, Inés and I are pleased to publish our own ROP-based implementation of the code fluctuation technique. We've tried to keep it simple and functional, avoiding the use of common features like Timers, HWBP or APCs. github.com/Kudaes/Shelter

krp (@_kripteria) 's Twitter Profile Photo

I created a tool designed to simplify the generation of proxy DLLs (I know, a bit late to the game) while addressing common conflicts related to windows.h when it comes to redefining an existing function when performing proxy DLL. It was a fun project 😁 github.com/Krypteria/Prox…