Extract SAM Hashes from VMDK File

On your internal pentest you managed to find a Windows VM while searching network shares as a low privileged user. If you can extract the SAM hashes from the virtual machine, you may be able to pass the hash and gain local admin access to some systems.

Another Way to Exploit GenericWrite

From BloodHound: “GenericWrite to a computer object can be used to perform a resource based constrained delegation attack. Abusing this primitive is currently only possible through the Rubeus project. First, if an attacker does not control an account with an SPN set, Kevin Robertson’s Powermad project can be used to add a new attacker-controlled computer account”

Pivoting For Pentesters

Here I will be showing the easiest and most useful pivot techniques I use on penetration testing engagements as well as HackTheBox Pro Lab networks. We will not be discussing other types of pivots, including the myriad ways to bend SSH to your will as those topics are already well documented.

Nakivo Stored XSS

While reviewing the security of a product marketed as a “Ransomware Protection and Recovery” solution, I discovered multiple stored Cross-Site Scripting (XSS) vulnerabilities in NAKIVO Backup & Replication version 10.4.1 (build 59587 from 21 Oct 2021). These vulnerabilities could allow malicious JavaScript to be executed by anyone who authenticates to the web application. The attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user.

Nim Convert Shellcode to UUID

NCC Group published an article titled “RIFT: Analysing a Lazarus Shellcode Execution Method”.[1] This shellcode execution method bypasses some of the usual Sysmon/ETW detections on VirtualAlloc, WriteProcessMemory or CreateThread by encoding the shellcode in UUIDs before creating space on the heap and using some relatively benign WinAPI calls to execute the shellcode. At the moment I’m not sure how many EDRs this will evade, but I do know that this method will evade detection by most if not all antivirus products. The only detection I’ve found after using Sysmon with a common public domain ruleset is a crash found in the Application log after the shellcode has already executed, which the user never sees.

Offensive Nim DLL Injection

I’ve been learning Nim programming and love how easy and productive Nim development is compared to C/C++, while also giving you low-level control and a fantastic Windows FFI. There are already some great examples out there on Offensive Nim, including Byt3bl33d3r’s OffensiveNim GitHub repository. I recently found that there didn’t seem to be any examples of how to use Nim to inject a DLL from disk into a process. After spending more than a day debugging my code, I stumbled on waldo-irc’s NimMusings example. This post is a simple explanation of the Windows API call differences between injecting shellcode and DLLs into a process using Nim.

Symbol Resolution On Linux

This post discusses how a compiled C program (ELF) on Linux resolves the location in memory for shared libraries and includes a walkthrough of the Procedure Linkage Table (PLT) and Global Offset Table (GOT).

Tips On Building A Pentest Appliance

This article doesn’t cover HOW to build a pentest appliance virtual machine, although it does link to another article that I followed. What I do cover here is, after you’ve built a pentest appliance virtual machine in VMware, how to reduce the file size so that when you export it to OVA and give it to your customer it will be as small as possible. I started out with a 20 GB OVA file even though the disk usage was only 9 GB, and through the following steps I reduced it down to 4 GB.