DumpChromeSecrets

Extract data from modern Chrome versions, including refresh tokens, cookies, saved credentials, autofill data, browsing history, and bookmarks.

@IRCyberGuardians
Attachment: vCenter_Lost_How_DCERPC_Vulns.pdf (3.9 MB)
"vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi", 2025.

Attachment: Mining_Composite_API_Traffic_to_Prevent_BAC.pdf (1.1 MB)
"BacAlarm: Mining and Simulating Composite API Traffic to Prevent Broken Access Control Violations", Dec. 2025.
All source code and datasets

MongoBleed (CVE-2025-14847) - Unauthenticated Memory Leak PoC

A flaw in the zlib library enables attackers to leak sensitive data from MongoDB servers. The attacker can send the payload without authentication, as the bug is exploited at the network level.

Attackers can exploit this to extract sensitive information from MongoDB servers, including user information, passwords, API keys and more. Although the attacker might need to send a large number of requests to gather the full database, and some of the data might be meaningless, the more time an attacker has, the more information can be gathered.

Blog:
https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/

Dork:
Shodan: product:"MongoDB"
HUNTER: product.name="MongoDB"
ZoomEye: app="MongoDB"

Affected versions:
8.2.0 to 8.2.2
8.0.0 to 8.0.16
7.0.0 to 7.0.27
6.0.0 to 6.0.26
5.0.0 to 5.0.31
4.4.0 to 4.4.29
4.2.0 and later
4.0.0 and later
3.6.0 and later

CVE-2025-6023

Grafana Bypass: A Technical Deep Dive

Chronomaly — Android / Linux Kernel LPE exploit (CVE-2025-38352)

The exploit was written specifically for Linux kernel v5.10.157, but it should work against all vulnerable v5.10.x kernels, as it does not depend on any specific kernel text offsets.

Blog:
• Part 1 - In-the-wild Android Kernel Vulnerability Analysis + PoC
• Part 2 - Extending The Race Window Without a Kernel Patch
• Part 3 - Uncovering Chronomaly

ESC17: Using ADCS to Attack HTTPS-Enabled WSUS Clients

How to leverage misconfigured ADCS templates to gain code execution on HTTPS-enabled WSUS clients.

Profilehound

BloodHound OpenGraph collector for user profiles stored on domain machines. Make informed decisions about looting secrets by identifying active user profiles on domain machines.

P.S.
BloodHound's HasSession edge is great, but it is only useful while a user is logged into a machine. If a user is not logged in when the data is collected, it is much more difficult to find which computer may contain secrets that facilitate further exploitation. User profiles may contain a significant amount of valuable intel within DPAPI, cached credentials, SSH keys, cloud keys, and more, none of which require an active user session to access.

TaskHound

TaskHound hunts for Windows scheduled tasks that run with privileged accounts and stored credentials. It enumerates tasks over SMB, parses XMLs, and identifies high-value attack opportunities through BloodHound integration.

Blog:
https://r0bit.io/posts/taskhound.html

EDRStartupHinder

Prevents AV / EDR from running by redirecting a core DLL in the System32 folder to another location during Windows startup.

Blog:
https://www.zerosalarium.com/2026/01/edrstartuphinder-edr-startup-process-blocker.html

Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation

Essentially, if an attacker can obtain a Net-NTLMv1 hash without Extended Session Security (ESS) for the known plaintext 1122334455667788, a cryptographic attack known as a known plaintext attack (KPA) can be applied. This guarantees recovery of the key material used. Since that key material is the password hash of the authenticating Active Directory (AD) object—user or computer—the result can quickly be used to compromise the object, often leading to privilege escalation.

A common chain attackers use is authentication coercion from a highly privileged object, such as a domain controller (DC). Recovering the password hash of the DC machine account grants DCSync privileges, which can be used to compromise any other account in AD.

Net-NTLMv1 Rainbow Tables

Rainbow tables generated for the Net-NTLMv1 authentication protocol with the challenge 1122334455667788 to aid in key recovery.

ConfigManBearPig

PowerShell collector for adding SCCM attack paths to BloodHound with OpenGraph.

Blog: https://specterops.io/blog/2026/01/13/introducing-configmanbearpig-a-bloodhound-opengraph-collector-for-sccm

Using NTLM Reflection to Own Active Directory (CVE-2025-33073)

Extending NTLM Reflection Attacks to LDAP/LDAPS & (Possibly) RPC Services

Tool: https://github.com/decoder-it/impacket-partial-mic

Blog: Reflecting Your Authentication: When Windows Ends Up Talking to Itself

P.S.: SMB signing / channel binding enforcement does NOT protect against the NTLM reflection attack. We could also perform cross-protocol relays to ADCS enrollment services, MSSQL databases, LDAPS, RPC and WinRMS. (X/Twitter post)

CVE-2025-68921 Windows LPE in Nahimic audio enhancement software

A local privilege escalation vulnerability in audio enhancement software pre-installed on many gaming laptops, including Lenovo Legion, IdeaPad Gaming, MSI, Thunderobot, and others. The vulnerability was tracked by Lenovo PSIRT as LEN-18785 and assigned CVE-2025-68921; it allows a low-privileged user to escalate privileges directly to NT AUTHORITY\SYSTEM.

Blog:
https://www.hackandhide.com/cve-2025-68921/

CVE-2025-64155: Fortinet FortiSIEM Argument Injection to Remote Code Execution

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, and FortiSIEM 6.7.0 through 6.7.10 may allow an unauthenticated attacker to remotely inject arguments, leading to remote code execution as root.

Blog:
https://horizon3.ai/attack-research/disclosures/cve-2025-64155-three-years-of-remotely-rooting-the-fortinet-fortisiem/

Dork:
ZoomEye: app="Fortinet FortiSIEM"
HUNTER: product.name="Fortinet FortiSIEM"