itm4n

adeptsof0xcc, 3 months ago to random Spanish

Dear Fell(owl)ship, we are experiencing a miracle. Two posts in our blog in the same month! This time @XC3LL's homily is about a product he pwned last xmas.

A christmas tale: pwning GTB Central Console (CVE-2024-22107 & CVE-2024-22108)

https://adepts.of0x.cc/gtbcc-pwned/

itm4n, 3 months ago to random

🆕​ New blog post! "A Practical Guide to PrintNightmare in 2024"

ℹ️​ The idea of writing this article came after realizing two things. First, organizations are still implementing unsafe Point and Print configurations. Second, the more I dug into the various Point and Print policies and settings, the more I understood why that is. So, I rolled up my sleeves, and created a home lab to reproduce and test all the configuration variations I could think of, and I summarized everything in this post.

👉​ https://itm4n.github.io/printnightmare-exploitation/

itm4n, 4 months ago to random

"Do not trust this Group Policy!" by @decoder_it

How to identify and exploit weak Files and Folders Group Policy Preferences to elevate privileges from user to SYSTEM.

👉​ https://decoder.cloud/2024/01/23/do-not-trust-this-group-policy/

itm4n, 4 months ago to random

🆕​ New blog post!

ℹ️​ This one is a short write-up for the challenge "Cache Cache" I created for the Insomni'hack CTF Teaser 2024.

👉​ https://itm4n.github.io/insomnihack-2024-cache-cache/

itm4n, 5 months ago to random

🆕​ New PrivescCheck extended check! 🎁​

ℹ️​ It can now find cached MSI files which run potentially unsafe Custom Actions as SYSTEM. This new addition was inspired by the following blog posts.

👉​ https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers
👉​ https://badoption.eu/blog/2023/10/03/MSIFortune.html

⚠️​ A manual review is still required, but at least it should bring out the ones that are more likely to be vulnerable. Although I didn't perform extensive testing, I can tell that it successfully reported the "exacqVision" example given in the second blog post.

🚧​ Feedback is welcome as I'm sure there is room for improvement.

https://github.com/itm4n/PrivescCheck

itm4n, 5 months ago to random

🆕​ New PrivescCheck feature!

ℹ️​ It can now list AppLocker "allow" rules that can be exploited to run arbitrary code as a low-privileged user.

💡​​​ It does not fully replace a manual review, but should provide enough initial insight to help identify common pitfalls.

https://github.com/itm4n/PrivescCheck

itm4n, 5 months ago to random

🆕​ PrivescCheck update!

🚨​ The script now reports SCCM Network Access Accounts stored locally by reading the raw CIM repository file.

☑️​ It had been on my TODO list for a while, but I finally took the time to implement this.

ℹ️​ Just in case you have no idea what I am referring to:

👉​ https://posts.specterops.io/the-phantom-credentials-of-sccm-why-the-naa-wont-die-332ac7aa1ab9

🎁​ In almost all my recent engagements, this account had incorrectly configured privileges that gave it admin rights on all workstations, or even the SCCM servers themselves. So, definitely worth to check during pentests!

itm4n, 8 months ago to random

Here is a new blog post following the one on CVE-2022-41099. 📝​

A Deep Dive into TPM-based BitLocker Drive Encryption

https://blog.scrt.ch/2023/09/15/a-deep-dive-into-tpm-based-bitlocker-drive-encryption/

itm4n, 8 months ago to random

Once again, really cool blog post by @splinter_code 🔥

Bypassing UAC with SSPI Datagram Contexts
https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html

itm4n, 11 months ago to random

OffensiveCon23 - The Print Spooler Bug that Wasn’t in the Print Spooler - @maddiestone & @tiraniddo

https://www.youtube.com/watch?v=H03b0UaogVs

Or how to find 0-day EoP bugs on Windows in 2023... Brilliant! 🤓​