Our Blog

CertPotato – Using ADCS to privesc from virtual and network service accounts to local system

Reading time: ~14 min
The goal of this blog post is to present a privilege escalation I found while working on ADCS. We will...

Abusing Windows’ tokens to compromise Active Directory without touching LSASS

Reading time: ~34 min
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows...

WireSocks for Easy Proxied Routing

Reading time: ~9 min
I built some infrastructure that you could deploy and use to easily tunnel from arbitrary sources over a proxy such...

sensecon 2022 – wait a minute, you got legs? edition

Reading time: ~10 min
In a world of returning back to, well, “normal” it meant that we could finally have our annual internal hackathon...

me vs request smugglingPOST

Reading time: ~17 min
I’ve come to realise that I wasn’t the only one that has never actually exploited an HTTP Request Smuggling vulnerability,...

Sail away, sail away, sail away

Reading time: ~10 min
A while back, after some live music and drinks at Railways, I made my way to another city for pleasant...

using a cloud mac with a local ios device

Reading time: ~17 min
Doing iOS mobile assessments without macOS around is not exactly fun. This can be for many reasons that include code...

Constrained Delegation Considerations for Lateral Movement

Reading time: ~17 min
The abuse of constrained delegation configuration, whereby a compromised domain user or computer account configured with constrained delegation can be...

Left To My Own Devices – Fast NTCracking in Rust

Reading time: ~17 min
When I got a new MacBook with an M1 Pro chip, I was excited to see the performance benefits. The...

SIM Hijacking

Reading time: ~38 min
Introduction “533 million Facebook users’ phone numbers leaked” was one of the highlighted titles that flooded many social networks’ pages....