Our Blog

CertPotato – Using ADCS to privesc from virtual and network service accounts to local system

Reading time: ~14 min
The goal of this blog post is to present a privilege escalation I found while working on ADCS. We will...

Abusing Windows’ tokens to compromise Active Directory without touching LSASS

Reading time: ~34 min
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows...

WireSocks for Easy Proxied Routing

Reading time: ~9 min
I built some infrastructure that you could deploy and use to easily tunnel from arbitrary sources over a proxy such...

Android Application Testing Using Windows 11 and Windows Subsystem for Android

Reading time: ~17 min
With the release of windows 11, Microsoft announced the Windows Subsystem for Android or WSA. This following their previous release,...

Building an offensive RPC interface

Reading time: ~28 min
Using the Windows Remote Procedure Call (RPC) interface is an interesting concept when conssidering the fact that it allows you...

Masquerading Windows processes like a DoubleAgent.

Reading time: ~17 min
I’ve been spending some time building new content for our Introduction to Red Teaming course, which has been great for...

Attacking smart cards in active directory

Reading time: ~10 min
Introduction Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they...

Analysis of a 1day (CVE-2019-0547) and discovery of a forgotten condition in the patch (CVE-2019-0726) – Part 1 of 2

Reading time: ~16 min
This post will cover my journey into the analysis of CVE-2019-0547 (Affecting the windows DHCP client), a vulnerability discovered by...

recreating known universal windows password backdoors with Frida

Reading time: ~21 min
tl;dr I have been actively using Frida for little over a year now, but primarily on mobile devices while building...

Abusing GDI Objects for ring0 Primitives Revolution

Reading time: ~21 min
Exploiting MS17-017 EoP Using Color Palettes This post is an accompaniment to the Defcon 25 talk given by Saif. One...

Intercepting passwords with Empire and winning!

Reading time: ~6 min
This is my password,” said the King as he drew his sword. “The light is dawning, the lie broken. Now...