This took me a while to get my head around recently so I figured I’d document it here in case it helps someone else. Thanks to @exploitph for answering several questions about this and @harmj0y for writing this blog post which explains the entire process. Whilst that post does go into a lot of detail, […]
We’re all used to Windows treating usernames as case-insensitive, i.e. a username of JOE.BLOGGS is the same as joe.bloggs. However this idea falls apart when the username is used as part of the salt for AES key derivation, which is case-sensitive. That is exactly what happens when we perform Kerberos pre-authentication using AES encryption (the default encryption type in current versions of Windows). So why doesn’t this cause problems when we run commands that require credentials and supply the username in the wrong case?
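To make the case-sensitivity point concrete, here is an added example (not code from the post above) that runs the salt-consuming step of the Kerberos AES256 string-to-key function from RFC 3962 for two casings of the same username. The realm EXAMPLE.LOCAL, the user joe.bloggs and the password are constructed for the example; the salt layout (uppercase realm followed by the principal name, with the principal name's case preserved) is the default from RFC 3962. The final DK(tkey, "kerberos") step of the RFC is omitted because it does not take the salt, so any difference at the PBKDF2 stage carries through to the final key:

```python
import hashlib

# Default iteration count for AES string-to-key per RFC 3962.
DEFAULT_ITERATIONS = 4096


def aes_salt(realm: str, principal: str) -> bytes:
    """Default Kerberos AES salt: uppercase realm + principal name.

    The realm is always uppercased, but the principal name is used exactly
    as given, so JOE.BLOGGS and joe.bloggs produce different salts.
    """
    return (realm.upper() + principal).encode("utf-8")


def aes256_pbkdf2(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of AES256-CTS-HMAC-SHA1-96 string-to-key.

    RFC 3962 then derives the final key as DK(tkey, "kerberos"); that step
    uses no salt, so it cannot make two different tkeys collide.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=32)


def keys_for_casings(realm: str, password: str, casings: list[str]) -> dict[str, str]:
    """Derive the PBKDF2 stage for each casing of the same username."""
    return {name: aes256_pbkdf2(password, aes_salt(realm, name)).hex() for name in casings}


def rfc3962_vector_check() -> str:
    """RFC 3962 Appendix B test vector: password 'password',
    salt 'ATHENA.MIT.EDUraeburn', 1 iteration. Returns the hex of the
    first 16 bytes so the reader can compare against the RFC."""
    return aes256_pbkdf2("password", b"ATHENA.MIT.EDUraeburn", iterations=1)[:16].hex()


if __name__ == "__main__":
    # Constructed sample input, not real credentials.
    realm, password = "EXAMPLE.LOCAL", "Summer2020!"
    for name, key in keys_for_casings(realm, password, ["joe.bloggs", "JOE.BLOGGS", "Joe.Bloggs"]).items():
        print(f"{realm}{name!r:>14} -> {key}")
    print("RFC 3962 vector (first 16 bytes):", rfc3962_vector_check())
```

Typing the realm in lower case does not matter (it is uppercased before use), but the three casings of the username each yield a different key, so a client that derived its key from the username as typed would fail pre-authentication. In a real exchange the KDC supplies the salt it used in the PA-ETYPE-INFO2 pre-authentication data (RFC 4120, section 5.2.7.5), which is the hint to follow when reading the rest of the post.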
Exploring some interesting behaviour with the CreateService Win32 API that bypasses the default service ACL
This blog post is intended to supplement the Kerberos explanation video that just went live on my YouTube channel. As such, I’m not going to explain everything in detail here. This post is intended as a quick reference for all of the diagrams I made for that video. Hopefully they can be useful on their […]
No exploits in this one – just some good old fashioned coding tips. I wanted to show the command line used to launch each process that’s running on the machine (the executable file path along with arguments passed to it, i.e. C:\Windows\system32\svchost.exe -k netsvcs). Now there’s plenty of examples online showing how to do this […]
As per my previous post, I’ve been working on building a GUI reverse shell utility for the last week or so. The first alpha version has just been released and you can find more information along with a download link on the dedicated page for the tool here: https://vbscrub.com/tools/vbrev/ I’ve also just uploaded a quick […]
We’ve all used netcat reverse shells and similar alternatives to explore remote machines, but I recently found myself thinking it would be nice if I could just explore the file system through a GUI and skip all the constant typing needed to navigate between directories and download files etc. So I’m developing this little tool […]
I recently uploaded a video explaining port forwarding, or port tunnelling as I like to call it. This is a technique that allows you to remotely connect to TCP ports that would not normally allow inbound remote connections (either due to firewall or the way the listener is configured). EDIT: A few people have asked […]
My video of the Sniper machine that just got retired on HTB:
First of all I should point out that at the moment this priv esc exploit only works on a workstation OS and not on a server OS (unless you can get into the Print Operators group). This post is about me trying, and failing, to get it to work on a server OS. For more […]
I recently uploaded my video guide to the HTB Forest machine that was retired this weekend. To get a good understanding of everything in this one, I’d recommend watching the two videos below as well:
I’ve just uploaded a new video taking an in-depth look at how a DCSync attack works and making use of another Impacket script, secretsdump.py:
If you’ve watched my video on Kerberos Pre-Authentication and how Impacket’s GetNPUsers script takes advantage of that being disabled, you’ll be aware that by default user accounts are not vulnerable to this kind of attack. I also mentioned in the video that in 8 years of Windows network admin in various organisations, I’ve never actually […]
I see a lot of people in the CTF community saying AD/LDAP is their weakness and that they don’t know much about it. So I made this video to explain all of the basics to someone that has pretty much zero experience with AD. There will be more in depth videos on specific topics coming […]
I’ve seen a lot of people using this tool in various CTF challenges but not really having any idea how or why it works. So I put together this video explaining it in detail. Enjoy!
Here is the first of many HTB machine video guides that I will be releasing. Today the JSON machine was retired so that’s what we are taking a look at in this video. Rather than just tell you what to type and click on to get the user/root flag, these videos are going to be […]
Tools like ysoserial.net will generate a .NET deserialization payload for you to send to a remote server and give you remote code execution… but how and why does this actually work?
I found a couple of guides online about how to get the Python Impacket scripts working on Windows, but they didn’t quite work for me (on Windows 7 x64), so here’s what I ended up having to do: Download and install the x86 version of Python 2.7 from here (has to be version 2.x, not […]
The Azure AD Connect service is essentially responsible for synchronising objects between your on-premises AD domain and the Azure AD tenant. However, to do this it needs privileged credentials for your local domain so that it can perform various operations such as syncing password hashes. I recently discovered this great video that explains where it […]
There’s a great blog post from Shay Ber on this subject already, but when I tried to follow along myself I hit a few stumbling blocks with the C++ parts as I’ve got no experience with that language (and after using it, my god I realise how spoiled we are with languages like C#.NET). Anyway, […]