an0n
CRT(E|O|L) | OSCP | @RingZer0_CTF 1st (for 2yrs) | HackTheBox Top10 | RPISEC MBE | Flare-On completer | GoogleCTF writeup winner | SSD research | Math MSc |🇭🇺
Jun 11, 2023 9 tweets 3 min read
Built a special JS stager for Cobalt Strike (or for anything else).

Actually it is based on C# .NET, and it is super simple (full source is on the screenshot) because it uses the PE mapper from DInvoke.

Currently managed to bypass Defender.

Sharing some details in this thread. First, I started from a stageless Cobalt Strike beacon payload generated using my custom Artifact Kit, already including some advanced evasion features that I didn't want to rewrite again.

That's why I turned to PE staging instead of the common shellcode loading technique.
Jan 22, 2023 4 tweets 2 min read
If NetNTLMv1 is disabled but LDAP signing is not enforced on the DC, and the WebClient service is enabled on the target, pwn is similar (~RBCD abuse). The NTLM relay should be HTTP->LDAP instead of SMB->LDAP (WebClient does not set a signature requirement on the client side). The WebDAV target for coerced NTLM auth should be a dotless hostname (conforming to the Trusted/Intranet zone). No worries, an arbitrary hostname can be registered even using a low-privileged domain account in ADIDNS (using the dnstool script in krbrelayx).
Aug 19, 2022 5 tweets 3 min read
RDP logon with certificate: @_EthicalChaos_ is releasing a dedicated tool for this soon!

Until then, here is how I did this before (from Linux): simulating a PIV applet on an emulated smart card device locally and passing it through RDP. 🧵/1 👇 First component needed: vpcd frankmorgner.github.io/vsmartcard/vir…, a virtual smart card device, which actually emulates a software smart card reader in the PC/SC Smart Card Daemon. Just add vpcd to pcscd. 🧵/2 👇
Aug 17, 2022 7 tweets 5 min read
If you want to browse the customer service locations of the Hungarian State Treasury on allamkincstar.gov.hu, it is good to have some basic #ReverseEngineering skills. 😉 #UXFail @AdobeFlash in 2022. Thread 1/🧵⬇️ It is relatively easy to navigate to a customer service selector page. At the bottom there should be a county chooser according to the text, but there is nothing below. Let's see why. 2/🧵⬇️
Dec 10, 2021 8 tweets 3 min read
#log4j storm is coming, cryptominers in the first wave.

checked multiple (non-java ;) ) webservers I run and the logs are getting filled with the ${jndi:ldap://...} payloads.

THREAD: let's see a weaponized one. one common scheme is: ldap://host:port/Basic/Command/Base64/[base64encodedstring].

some of the LDAP URLs are still accessible (usually only from targeted IPs, other IPs are firewalled). getting the LDAP data returns the JNDI object.