😈 [ cnotin, Clément Notin ]

I did not expect a non-domain joined Windows machine, using an identity provided with "runas /netonly", to silently manage to obtain a Kerberos TGT then use it to access a service! 😮
I thought it would fallback to NTLM immediately...
That's nice though 😀

🐥 [ tweet ]

😈 [ podalirius_, Podalirius ]

Today in #AwesomeRCEs, I present a technique to achieve remote code execution on Apache #Tomcat by uploading an #app as admin.

In order to do this, I wrote a WAR application exposing a JSON API to execute code on the server and download files:

https://t.co/OJIr4V4R8D

🔗 https://github.com/p0dalirius/Tomcat-webshell-application

🐥 [ tweet ]

😈 [ ORCA10K, ORCA ]

i released i tiny poc on getting the syscalls from ntdll of a new suspended process :
https://t.co/wtCeeEpaJI

🔗 https://gitlab.com/ORCA000/suspendedntdllunhook

🐥 [ tweet ]

😈 [ 0xBoku, Bobby Cooke ]

BokuLoader features update! Added Find-Beacon EggHunter, Stomp MZ Magic Bytes, PE Header Obfuscation, PE String Replacement, and Prepend ASM Instructions! Shoutouts to @passthehashbrwn & @anthemtotheego ;)
https://t.co/WnolPDNPuo

🔗 https://github.com/xforcered/BokuLoader

🐥 [ tweet ]

😈 [ tiraniddo, James Forshaw ]

Another of my recent Kerberos bugs has been opened, this time _another_ way of bypassing AppContainer enterprise authentication capability this time by using LsaCallAuthenticationPackage https://t.co/axda3g2XDm

🔗 https://bugs.chromium.org/p/project-zero/issues/detail?id=2273

🐥 [ tweet ]

😈 [ harmj0y, Will Schroeder ]

Very cool Kerberoasting implementation using LsaCallAuthenticationPackage, all through a macro https://t.co/BswTJvqzHg

🔗 https://github.com/Adepts-Of-0xCC/VBA-macro-experiments/blob/main/kerberoast.vba

🐥 [ tweet ]

😈 [ 0xdf_, 0xdf ]

What Happens In a "Shell Upgrade" video released:

https://t.co/ql6kIj6RK5

I love this one because I learned so much making it. Hopefully that knowledge transfers to you as well.

🔗 https://youtu.be/DqE6DxqJg8Q

🐥 [ tweet ][ quote ]

😈 [ 0xBoku, Bobby Cooke ]

Dannnggggg.. @CaptMeelo has some great blog posts 🔥 Thanks @FuzzySec for directing me back there :)
https://t.co/0gbd1VHqRl

🔗 https://captmeelo.com/category/maldev

🐥 [ tweet ]

😈 [ podalirius_, Podalirius ]

Heard of #Printerbug, #PetitPotam, #ShadowCoerce and #DFSCoerce ? These are only the tip of the Iceberg and there is probably many more to find. 👀

Want to find a new call ? Here is 242 probable #RPC calls with python poc ready to be triaged! 🎉

https://t.co/WjmEzuSOcz

🔗 https://github.com/p0dalirius/windows-coerced-authentication-methods

🐥 [ tweet ]

😈 [ podalirius_, Podalirius ]

Ever wanted to trigger a #NTLM authentication to a machine using every possible RPC call ? You can do this using #Coercer 🥳🎉

This tool automatically detects available pipes and protocols and call every possible functions to trigger an #authentication.

https://t.co/6aVELSP4NC

🔗 https://github.com/p0dalirius/Coercer

🐥 [ tweet ]

😈 [ harmj0y, Will Schroeder ]

Hey, do you like tokens? Have you always wanted to "harvest" tokens for offensive purposes? If so check out my new post https://t.co/5Tr9UxYuh1 where I show I can (finally) write a technical post without memes, and then check out the Koh toolset at https://t.co/l77vlPDQrj

🔗 https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6
🔗 https://github.com/GhostPack/Koh

🐥 [ tweet ]

😈 [ theluemmel, S4U2LuemmelSec ]

Created a pull request (https://t.co/P40XZVrCrC) for @porchetta_ind 's CrackMapExec to query for LDAP Signing and Channel Binding. Big thanks to @zyn3rgy for his awesome work: https://t.co/8bfwJiSl4E which I just ported.
Thx @byt3bl33d3r and @mpgn_x64 for this awesome tool.

🔗 https://github.com/Porchetta-Industries/CrackMapExec/pull/606
🔗 https://github.com/zyn3rgy/LdapRelayScan

🐥 [ tweet ]

😈 [ an0n_r0, an0n ]

if anyone runs into "unsupported hash type MD4" (on fully updated Kali) like me (for example by using BloodHound Python ingestor), it is because openssl legacy algorithms are being dropped from config. here is the fix from FluffMe: https://t.co/E89SOZSlOu

🔗 https://gitlab.com/kalilinux/packages/kali-tweaks/-/issues/27

🐥 [ tweet ]

👹 [ snovvcrash, sn🥶vvcr💥sh ]

@XakepRU, спасибо за подгон 🤓📚

🐥 [ tweet ]

😈 [ TrustedSec, TrustedSec ]

Continuing with some cross-site scripting (XSS) fun, @hoodoer demonstrates how to capture credentials from a login form using an IFrame trap.

https://t.co/q1MzMA9A9w

🔗 https://hubs.la/Q01gmrKB0

🐥 [ tweet ]

👹 [ snovvcrash, sn🥶vvcr💥sh ]

To summarize @NotMedic’s idea of an alternative approach for running NanoDump from memory (as a BOF) I’ve added a note on using RunOF (by @Nettitude_Labs) filelessly 👉🏻 https://t.co/SpuXr1PXQQ

#bof #nanodump #lsass

🔗 https://ppn.snovvcrash.rocks/red-team/maldev/bof-coff#runof

🐥 [ tweet ]

😈 [ M4yFly, Mayfly ]

Let's play with the ad lab, goadv2:
https://t.co/zvysxTYQlq
https://t.co/xdd4UD44TN
https://t.co/NTvxzojcAv

🔗 https://mayfly277.github.io/posts/GOADv2-pwning_part1/
🔗 https://mayfly277.github.io/posts/GOADv2-pwning-part2/
🔗 https://mayfly277.github.io/posts/GOADv2-pwning-part3/

🐥 [ tweet ]

😈 [ mpgn_x64, mpgn ]

Dumping SAM from a live Kali Linux in 2022 🔽

1⃣ cd Windows/System32/config
2⃣ pypykatz registry --sam SAM SYSTEM

Tools like chntpw, bkhive, pwdump, samdump2 are not working on latest Windows 10 👀

https://t.co/LyHlBnvcCX

🔗 https://security.stackexchange.com/a/158174/41351

🐥 [ tweet ]