hack and bug bounty
@hack_com
21 subscribers
20.9K links
Azure Attack Paths: Common Findings and Fixes (Part 1)
ZephrSec - Adventures In Information Security
This post will walk through various services within the Azure catalogue and look at potential attack paths.
Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.6
ZephrSec - Adventures In Information Security
A deep dive into specifics around Cobalt Strike Malleable C2 profiles and key information that is new in Cobalt Strike 4.6
The SOCKS We Have at Home
www.n00py.io
Introduction When performing penetration tests, we sometimes find that the systems or data we are targeting are not directly accessible from the network our attacking system is connected to. This is often the case when searching for things such as PCI data.…
Bypassing Amazon Kids+ Parental Controls
www.n00py.io
Recently for Christmas my 4 year old daughter got an Amazon Kids tablet. So far the tablet has been great and Kids+ seems like a pretty decent value for what you get. I'm very wary of the types of content available on the internet, and as a parent it's my…
Bypassing Okta MFA Credential Provider for Windows
www.n00py.io
I'll state this upfront, so as not to confuse: This is a POST exploitation technique. This is mostly for when you have already gained admin on the system via other means and want to be able to RDP without needing MFA. Okta MFA Credential Provider for Windows…
CactusCon 2023: BloodHound Unleashed
www.n00py.io
Here are the slides and video from my 2023 talk at CactusCon. The YouTube video currently is cut-off at the beginning, but if it gets fixed I'll update with a new link.
Exploiting Resource Based Constrained Delegation (RBCD) with Pure Metasploit
www.n00py.io
Metasploit recently released version 6.3. With it came a whole lot of new features related to LDAP operations and using Kerberos authentication. In this blog I want to demonstrate how to perform a GenericWrite -> RBCD attack, which I find are very common.…
Practical Attacks against NTLMv1
www.n00py.io
This blog is meant to serve as a guide for practical exploitation of systems that allow for the NTLMv1 authentication protocol. While NTLMv1 is hardly ever needed anymore, a surprising number of organizations still use it, perhaps unknowingly. There are however…
Password Spraying RapidIdentity Logon Portal
www.n00py.io
In the past I had written a quick blog post on password spraying Dell SonicWALL Virtual Office. While it wasn't all that exciting of a post, a number of people did find it useful and having a blog for it helped people find it more easily than only being…
Manipulating User Passwords Without Mimikatz
www.n00py.io
There are two common reasons you may want to change a user’s password during a penetration test: You have their NT hash but not their plaintext password. Changing their password to a known plaintext value can allow you to access services in which Pass-the…
Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM)
www.n00py.io
This blog is about something I found recently regarding Cisco Unified Call Manager (CUCM). While playing around with SeeYouCM Thief, which is designed to download and parse configuration files from Cisco phone systems, I noticed something interesting within…
Adding DCSync Permissions from Linux
www.n00py.io
Recently I came upon an attack path in BloodHound that looked like this: I had control of a computer object (an Exchange server) that effectively had WriteDacl over the domain. I had a few constraints as well: All systems were configured with EDR I only had…
From 2013 to 2023: A Decade of Evolution and Trends in Web Security!
Orange Tsai
TL;DR for Hackers & Researchers: this is a more conceptual talk for web developers. All are in Mandarin but you can check the slides here if interested. It has been a long time since I last wrote a blog post, so here is a record of my talk at WebConf 2023, which basically takes
A New Attack Surface on MS Exchange Part 4 - ProxyRelay!
Orange Tsai
This is a cross-post blog from DEVCORE. You can check the series on: A New Attack Surface on MS Exchange Part 1 - ProxyLogon! A New Attack Surface on MS Exchange Part 2 - ProxyOracle! A New Attack S
Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS!
Orange Tsai
Hi, this is my fifth time speaking at Black Hat USA and DEFCON. You can get the slide copy and video there: Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (slides) Let’s Dan
A New Attack Surface on MS Exchange Part 3 - ProxyShell!
Orange Tsai
P.S. This is a cross-post blog from Zero Day Initiative (ZDI) This is a guest post DEVCORE collaborated with Zero Day Initiative (ZDI) and published at their blog, which describes the exploit chain w
A New Attack Surface on MS Exchange Part 2 - ProxyOracle!
Orange Tsai
Hi, this is the part 2 of the New MS Exchange Attack Surface. Because this article refers to several architecture introductions and attack surface concepts in the previous article, you could find the
A New Attack Surface on MS Exchange Part 1 - ProxyLogon!
Orange Tsai
The series of A New Attack Surface on MS Exchange: A New Attack Surface on MS Exchange Part 1 - ProxyLogon! A New Attack Surface on MS Exchange Part 2 - ProxyOracle! A New Attack Surface on MS Excha
Red Teaming 101 — Physical Access Controls
Medium
Physical access controls are designed to prevent unauthorized access to secure areas directly. Examples of physical access controls…
Useful Offensive Snippets
Medium
I will update this post regularly, I am starting with a few of my most commonly used snippets.