I was helping a teammate on an internal network pentest. One of my tasks was screenshotting and reviewing HTTP/S services for default credentials and exploitable versions. That’s when I stumbled upon a Remote Code Execution (RCE) vulnerability in Symmetricom SyncServer. This post outlines the challenges we faced when developing the exploit proof of concept (PoC) and Metasploit code.
On your internal pentest you managed to find a Windows VM while searching network shares as a low-privileged user. If you can extract the SAM hashes from the virtual machine, you may be able to pass the hash and gain local admin access to some systems.
From BloodHound: “GenericWrite to a computer object can be used to perform a resource based constrained delegation attack. Abusing this primitive is currently only possible through the Rubeus project. First, if an attacker does not control an account with an SPN set, Kevin Robertson’s Powermad project can be used to add a new attacker-controlled computer account”
Here I will be showing the easiest and most useful pivot techniques I use on penetration testing engagements as well as HackTheBox Pro Lab networks. We will not be discussing other types of pivots, including the myriad ways to bend SSH to your will as those topics are already well documented.
While reviewing the security of a product marketed as a “Ransomware Protection and Recovery” solution, I discovered multiple stored Cross-Site Scripting (XSS) vulnerabilities in NAKIVO Backup & Replication version 10.4.1 (build 59587 from 21 Oct 2021). These vulnerabilities could allow malicious JavaScript to be executed by anyone who authenticates to the web application. The attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user.
NCC Group published an article titled “RIFT: Analysing a Lazarus Shellcode Execution Method”.[1] This shellcode execution method bypasses some of the usual Sysmon/ETW detections on VirtualAlloc, WriteProcessMemory or CreateThread by encoding the shellcode in UUIDs before creating space on the heap and using some relatively benign WinAPI calls to execute the shellcode. At the moment I’m not sure how many EDRs this will evade, but I do know that this method will evade detection by most if not all antivirus products. The only detection I’ve found after using Sysmon with a common public domain ruleset is a crash found in the Application log after the shellcode has already executed, which the user never sees.
I’ve been learning Nim programming and love how easy and productive Nim development is compared to C/C++, while also giving you low-level control and a fantastic Windows FFI. There are already some great examples out there on Offensive Nim, including Byt3bl33d3r’s OffensiveNim GitHub repository. I recently found that there didn’t seem to be any examples of how to use Nim to inject a DLL from disk into a process. After spending more than a day debugging my code, I stumbled on waldo-irc’s NimMusings example. This post is a simple explanation of the Windows API call differences between injecting shellcode and DLLs into a process using Nim.