A multi-purpose port scanner in C
https://github.com/django-88/NomadScanner
The ToDo list is interesting, the code is compact, I will definitely keep an eye on the project))
UPD: as an alternative (and already a ready-made module for Sliver) there is this: https://github.com/art3x/ascan_sliver
#pentest #redteam #recon #scan #tools
👍33🔥15
Forwarded from 1N73LL1G3NC3
Bolthole
A proof-of-concept ClickOnce payload for Red Teams to establish initial access.
• Reverse SSH tunnel into the target environment
• CMD shell access as the executing user (no password required)
• SOCKS proxy functionality for pivoting
1🔥35👍13🤯1
The certipy tool got a major update a few hours ago. Note that the documentation now also contains a description of the ESC16 technique...
#redteam #pentest #ad #adcs
GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuse
2👍36🔥7🥰1
Forwarded from APT
🔐 Bitrix CMS Ultimate Pentest Guide
A detailed guide on penetration testing for 1C-Bitrix CMS, one of the most popular content management systems in CIS countries. The guide covers authentication bypasses, XSS, SSRF, LFI, RCE exploits, WAF bypass methods, and vulnerabilities in third-party modules (especially Aspro).
🔗 Source:
https://pentestnotes.ru/notes/bitrix_pentest_full/
#1c #bitrix #web
🔥45👍8😁8🤯2🥰1
Some really cool research landed today. From dMSA accounts to domain admin. And given that you can create a dMSA yourself (under certain, but commonly encountered, conditions), this is a really nice low-hanging fruit. Especially considering that Microsoft is not planning to fix it for now.
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
But! It is also worth noting that dMSAs only appeared in Windows Server 2025))
Tool: https://github.com/logangoins/SharpSuccessor
Tool: https://github.com/Pennyw0rth/NetExec/pull/702
Tool: https://gist.github.com/snovvcrash/a1ae180ab3b49acb43da8fd34e7e93df
#pentest #redteam #ad #privesc
BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
Akamai researchers found a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory.
1👍30🤔7😱2
Forwarded from 1N73LL1G3NC3
Unauthenticated RCE module for vBulletin 5.1.0-6.0.3
Write-up: https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
Search query:
ZoomEye: app="vBulletin"
Shodan: http.html:"content=\"vBulletin"
FOFA: app="vBulletin"
1🔥24🥰6👍3😁2😱1
On Windows authentication coercion in 2025
https://blog.redteam-pentesting.de/2025/windows-coercion/
The post comes with several scripts:
wspcoerce tool: https://github.com/RedTeamPentesting/wspcoerce
NetExec module efsr_spray: https://github.com/Pennyw0rth/NetExec/pull/718
ntlmrelayx RPC server and EPM: https://github.com/fortra/impacket/pull/1974
#ad #coerce #pentest #redteam
The Ultimate Guide to Windows Coercion Techniques in 2025
Windows authentication coercion often feels like a magic bullet against the average Active Directory. With any old low-privileged account, it usually allows us to gain full administrative access to almost arbitrary Windows workstations and servers, …
🔥22👍8😢1
A complete guide to exploiting ADCS, from ESC1 to ESC16. Obviously there is already plenty of material on this topic, but let it be at hand))
https://xbz0n.sh/blog/adcs-complete-attack-reference
#ad #adcs #privesc #pentest #redteam
Breaking ADCS: ESC1 to ESC16 Attack Techniques
Let's talk about Active Directory Certificate Services. If you've been doing red team work for any length of time, you've probably heard about ADCS attacks. ...
👍37🔥17🥰1
CVE-2025-49113: Roundcube (1.6.10) Auth RCE
blog: https://fearsoff.org/research/roundcube
PoC: https://github.com/fearsoff-org/CVE-2025-49113
#exploit #git #pentest #redteam
Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113]
A deep technical breakdown of CVE-2025-49113, a critical Roundcube vulnerability involving PHP session serialization. Learn how the bug was discovered, exploited, and responsibly disclosed with full PoC and recommendations for defenders and developers. Kirill…
🔥16👍7🤯3🥰1😁1
CVE-2025-32756: Fortinet UnAuth RCE
PoC: https://github.com/kn0x0x/CVE-2025-32756-POC
Affected Products: FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera
#exploit #git #pentest #redteam
👍23🔥5🤔5😁2🥰1
CVE-2025-33073: Reflective Kerberos Relay (LPE)
Blog: https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
Patched: June 10, 2025
An interesting LPE with a relay back to yourself... It even has a CVE)
#lpe #ad #relay #pentest #redteam
A Look in the Mirror - The Reflective Kerberos Relay Attack
It is a sad truth in IT security that some vulnerabilities never quite want to die and time and time again, vulnerabilities that have long been fixed get revived and come right back at you. While researching relay attacks, the bane of Active …
🔥15👍6
Continuing the same topic, CVE-2025-33073...
https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
Another piece of research, this time from Synacktiv. Only in their case it is not an LPE but an Auth RCE as SYSTEM (if SMB signing is not required on the machine).
Even though CVE-2025-33073 is referred to by Microsoft as an elevation of privilege, it is actually an authenticated remote command execution as SYSTEM on any machine which does not enforce SMB signing.
#rce #lpe #ad #relay #pentest #redteam
NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073
🔥16👍10😱1
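Both the coercion post above and the Synacktiv analysis of CVE-2025-33073 hinge on the same precondition: the SMB server does not require signing. An added example (written for this page, not taken from either blog or from the channel) that checks exactly that with the standard library only: it sends a raw SMB2 NEGOTIATE over TCP/445 and reads the SecurityMode bits from the response. The live check needs a reachable target; the sample response bytes, the target names in the usage comment and the size/offset placeholders are constructed for illustration.

```python
import socket
import struct
import uuid

# SecurityMode bits, MS-SMB2 2.2.4 (NEGOTIATE response)
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000


def smb2_header(command: int, flags: int = 0) -> bytes:
    """Fixed 64-byte SMB2 header (MS-SMB2 2.2.1): StructureSize, CreditCharge,
    Status, Command, Credits, Flags, NextCommand, MessageId, Reserved, TreeId,
    SessionId, then a zeroed 16-byte Signature (the request is unsigned)."""
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, command, 1, flags,
                                    0, 0, 0, 0, 0) + b"\x00" * 16


def build_negotiate_request() -> bytes:
    """SMB2 NEGOTIATE request (MS-SMB2 2.2.3) in a NetBIOS session wrapper.
    Dialects stop at 3.0.2 because 3.1.1 requires negotiate contexts, which
    are not needed just to read the server's SecurityMode."""
    dialects = (0x0202, 0x0210, 0x0300, 0x0302)
    # StructureSize(36), DialectCount, client SecurityMode, Reserved,
    # Capabilities, ClientGuid, ClientStartTime
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SMB2_SIGNING_ENABLED,
                       0, 0, uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    pkt = smb2_header(SMB2_NEGOTIATE) + body
    # NetBIOS session service: type byte 0x00 + 24-bit big-endian length
    return struct.pack(">I", len(pkt)) + pkt


def parse_negotiate_response(data: bytes) -> dict:
    """Parse a NetBIOS-wrapped SMB2 NEGOTIATE response into dialect + signing bits."""
    if len(data) < 4 + 64 + 65:
        raise ValueError("too short for an SMB2 NEGOTIATE response")
    smb = data[4:]
    if smb[:4] != SMB2_MAGIC:
        raise ValueError("not SMB2 (SMB1-only server, or not SMB at all)")
    status, command = struct.unpack_from("<IH", smb, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command {command:#x} / status {status:#x}")
    # Response body starts right after the 64-byte header:
    # StructureSize(65), SecurityMode, DialectRevision, ...
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", smb, 64)
    if structure_size != 65:
        raise ValueError(f"bad NEGOTIATE response StructureSize {structure_size}")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_SIGNING_REQUIRED),
    }


def is_relay_target(info: dict) -> bool:
    """Signing merely 'enabled' is not enforced: such a host accepts relayed
    (or reflected) authentication over SMB. 'Required' closes that door."""
    return not info["signing_required"]


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def check_smb_signing(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Live check against one host over TCP/445 (needs network; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        nb = _recv_exact(s, 4)
        return parse_negotiate_response(nb + _recv_exact(s, int.from_bytes(nb[1:], "big")))


def sample_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed (not captured) server response, for offline testing only.
    Field order per MS-SMB2 2.2.4; sizes/offsets are plausible placeholders."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\x11" * 16, 0, 0x800000, 0x800000, 0x800000, 0, 0,
                       0x80, 0, 0) + b"\x00"          # +1 byte of Buffer
    pkt = smb2_header(SMB2_NEGOTIATE, flags=0x1) + body   # 0x1 = SERVER_TO_REDIR
    return struct.pack(">I", len(pkt)) + pkt


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:   # e.g. python3 smbsign.py 10.0.0.5 fs01.corp.local
        try:
            info = check_smb_signing(target)
        except (OSError, ValueError) as e:
            print(f"{target}: error: {e}")
            continue
        verdict = "signing NOT required -> relay target" if is_relay_target(info) else "signing required"
        print(f"{target}: dialect {info['dialect']:#06x}, {verdict}")
```

Domain controllers answer with signing required by default, while workstations and most member servers answer with signing merely enabled; those are the hosts where a coerced or reflected authentication actually lands. The same information is what `nxc smb ... --gen-relay-list` collects, but seeing the raw SecurityMode field makes it clear that "enabled" and "required" are two different bits.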
Forwarded from 1N73LL1G3NC3
BloodHound Query Library
A collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem.
Blog: https://specterops.io/blog/2025/06/17/introducing-the-bloodhound-query-library/
👍18🔥9🥰2🤔1
Forwarded from Adaptix Framework
AdaptixC2 v0.6 is out
https://github.com/Adaptix-Framework/AdaptixC2
* Updated agent console with flexible settings
* Telegram notifications
* OTP for file and command synchronization
* New Dracula theme
* Update to Golang 1.24.4
Full update details: https://adaptix-framework.gitbook.io/adaptix-framework/changelog/v0.5-greater-than-v0.6
🔥31👍7😁2
Two articles from SpecterOps at once; one can be considered a continuation of the other. The blog breaks down attacks on AD trusts, but with an emphasis on BloodHound CE.
1. Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound
2. Untrustworthy Trust Builders: Account Operators Replicating Trust Attack (AORTA)
Even if you are not going to dive into BHCE, it is worth at least skimming them))
#pentest #redteam #ad #trust #lateralmovement #bloodhound
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps
The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make it easier to identify cross-domain attack paths, we are…
🔥19👍5
Reads blacklist.txt and blocks DLLs from loading, with an option to unblock them later. Patches LdrLoadDll in the local/remote process to return "DLL not found".
https://github.com/cybersectroll/TrollBlacklistDLL
#pentest #redteam #av #evasion
👍10🤔9🔥5😁2😱1
Forwarded from 1N73LL1G3NC3
Abusing Chrome Remote Desktop on Red Team Operations: A Practical Guide
In this post, we’ll be exploring a practical technique for abusing Chrome Remote Desktop (also known as Google Remote Desktop) within a Red Team operation.
👍20🔥12🥰4😁2
CVE-2025-32463: sudo 1.9.14-1.9.17 LPE
Blog + exploit: https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
Patched: June 28, 2025
#lpe #linux #pentest #redteam
3🔥41👍9🤯5😁3
Forwarded from APT
🩸 CitrixBleed 2 — Citrix NetScaler Memory Leak (CVE-2025-5777)
Critical memory leak vulnerability in Citrix NetScaler ADC/Gateway. Sending a malformed POST request with a login parameter that has no value causes the server to return ~127 bytes of uninitialized stack memory, including session tokens, enabling MFA bypass and active session hijacking.
🔗 Research:
https://doublepulsar.com/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206
🔗 Source:
https://github.com/win3zz/CVE-2025-5777
#citrix #netscaler #memoryleak #exploit
🔥13👍7😁2
CVE-2025-48799: Windows Update Service LPE
PoC: https://github.com/Wh04m1001/CVE-2025-48799
Patched: July 8, 2025
This vulnerability affects Windows clients (Win11/Win10) with at least 2 hard drives.
#lpe #windows #pentest #redteam
GitHub - Wh04m1001/CVE-2025-48799
🔥13👍5😁1