Search Results
34 total results found
ESC14
If we are able to enroll certificates as someone else (user or computer), we can compromise a target principal using explicit certificate mapping. Requirements There are 4 scenarios: ESC14 Scenario A: Write altSecurityIdentities on Target The attacker has writ...
Resources
SpecterOps https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf ESC13 https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53 ESC14 https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 HTB ADCS https://aca...
BobBuilder
Cybersecurity enthusiast with a passion for Red Team/Pentesting. BobBuilder/Raphael - Software Ing. in CyberSecurity & AI Focus for Active Directory Privilege Escalations and Lateral Movements within Enterprise Networks Kerberos Protocol Active Directory Ce...
Domains & DNS
Google Dorks Search Operators site:website1.com # Search only within website1.com intitle:website1 # Find pages with "website1" in the title inurl:website1 # Find pages with "website1" in the URL intext...
Nmap
Scan Types ICMP Echo Request and ARP Ping nmap 10.129.2.18 -sn -oA host -PE --packet-trace nmap 10.129.2.18 -sn -oA host -PE --reason nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping Top Ports Scan nmap 10.129.2.28 --top-ports=10 nmap 10...
Join A Domain
Joining a Windows Machine to a Domain Author: bobbuilder Prerequisites A user account with permissions to join computers to the domain. The domain name (e.g., targetdomain.com). The domain controller's IP or hostname (optional, but useful for troubleshootin...
Chain - Hybrid
Writeup Author: bobbuilder Overview Category: Chain Difficulty: Easy Windows Machine Author: xct Domain: hybrid.vl Machines: Linux (mail01.hybrid.vl) and Windows (DC and user endpoints) Objective: Domain Admin compromise via NFS, Roundcube RCE, KeePass extra...
Chain - Trusted
Writeup Author: bobbuilder Overview Category: Chain Difficulty: Easy Windows Machine Author: r0BIT Domain: trusted.vl Machines: trusted.vl (Windows Domain Controller) lab.trusted.vl (XAMPP test environment) Objective: Domain Admin compromise in trusted.v...
ESC15
Unlike ESC1, ESC15 occurs when a certificate template: Allows low-privileged user enrollment. Allows arbitrary SAN specification. Uses Schema Version 1. Does not include the Client Authentication EKU, e.g.: Client Authentication : False Thi...
Machine - Sendai
Writeup Author: bobbuilder Overview Category: Chain Difficulty: Medium Windows Machine Author: xct Domain: sendai.vl Machine: Windows Server 2022 Domain Controller Objective: Domain Admin compromise via AD enumeration, password resets, ACL abuse to retrieve ...
Machine - Down
Writeup Author: bobbuilder Overview Category: Machine Difficulty: Easy Linux Machine Author: jkr Domain: down.vl Objective: The machine exposes a web interface vulnerable to command injection, which allows initial access. User credentials are later extracted...
Machine - Shibuya
Writeup Author: bobbuilder Overview Category: Machine Difficulty: Medium Machine Author: xct Domain: Shibuya.vl Machine: Windows Objective: This Windows AD machine Shibuya involved Kerberos and SMB enumeration, credential bruteforcing, .wim image extraction ...
Machine - Sweep
Writeup Author: bobbuilder Overview Category: Machine Difficulty: Medium Windows Machine Author: yeeb Domain: Sweep.vl Objective: Initial access is achieved via misconfigured credentials and enumeration of Lansweeper for asset discovery, followed by privileg...
Machine - Redelegate
Writeup Author: bobbuilder Overview Category: Machine Difficulty: Hard Machine Author: geiseric Domain: Redelegate.vl Machine: Windows Objective: The initial compromise path starts with anonymous FTP access revealing sensitive files, including a KeePass data...