New LDAP & RDP Relay Vulnerabilities in NTLM
https://blog.preempt.com/new-ldap-rdp-relay-vulnerabilities-in-ntlm
https://www.youtube.com/watch?v=pKt9IJJOM3I
Invisi-Shell
Hide your powershell script in plain sight! Invisi-Shell bypasses all of Powershell security features (ScriptBlock logging, Module logging, Transcription, AMSI) by hooking .Net assemblies. The hook is performed via CLR Profiler API.
https://github.com/OmerYa/Invisi-Shell
Something special for the weekend...: A nice writeup on Universal #RCE #exploit by exploiting #Ruby 2.x #serialization
https://www.elttam.com.au/blog/ruby-deserialization/
Feature, not bug: DNSAdmin to DC compromise in one line
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
Have you checked your PSReadline history lately? Do you know it stores the commands in clear-text and is persistent across reboots? This is on a Domain Controller. #PowerShell #RedTeam
LethalHTA - A new lateral movement technique using DCOM and HTA
https://codewhitesec.blogspot.com/2018/07/lethalhta.html
PHP_imap_open_exploit
Bypassing disabled exec functions in PHP via imap_open (Debian & Ubuntu)
https://github.com/Bo0oM/PHP_imap_open_exploit
Exploiting internal tomcat server with SSRF - Insomnihack teaser 2017 Web 50 writeup
https://blog.0daylabs.com/2017/01/22/smart-tomcat/
Exploiting internal tomcat server (with default credentials) using SSRF (Insomnihack teaser 2017 Web 50 writeup)
Red teamers, you can turn off Defender from admin powershell with 'Set-MpPreference -DisableRealTimeMonitoring $true' but it will result in a balloon notification for anyone logged on. Instead, use 'Add-MpPreference -ExclusionPath "c:\temp"' to silently add an exclusions folder.
#CVE-2018-14667 RichFaces Framework 3.X through 3.3.4 Expression Language (EL) injection
https://www.youtube.com/watch?v=HR7-nL5G91w
PoC of CVE-2018-14667 - Remote Code Execution in WebApps using Richfaces
PoC presented at Hackers to Hackers Conference 2018 (H2HC 2018)
More details in slides: https://www.slideshare.net/mobile/joaomatosff/a-little-bit-about-code-injection-in-webapplication-frameworks-cve201814667-h2hc-2018
CVE-2018-14667 is an Expression Language…
Active Directory Firewall Ports – Let’s Try To Make This Simple
https://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
JSgen.py – bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings
https://pentesterslife.blog/2018/06/28/jsgen/
Undetectable C# & C++ Reverse Shells
https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15