Defeating Windows Credential Guard
Microsoft introduced Credential Guard in Windows 10 Enterprise and Windows Server 2016. It is enabled by default on all systems running Windows 11, version 22H2 and later, that meet the hardware requirements. It is reasonable to assume that Microsoft will enable Credential Guard by default on Windows Server as well in the future.
Before we continue, this blog is heavily based on Oliver Lyak’s blog: https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22. Oliver Lyak did all of ...
NTLM Relay 2 self without Printer Spooler and DNS
If you land on a domain-joined system as a low-privileged user, you can coerce the system into authenticating to itself over HTTP (WebDAV) and relay that authentication to the domain controller using ntlmrelayx. NTLM relay attacks are not new and have been a large attack surface in the Windows realm for years. However, relay attacks over HTTP are harder to prevent and may even be unpatchable (a "forever day").
There are a few methods to perform this attack. One common way is to use Pri ...
My OSCP preparation and exam experience
Disclaimer: I am not allowed to share any details about the exam I took, so it will be more a general view of it.
Preparation
Although I have some experience with pentesting, I did not want to underestimate the exam. Before I bought the course from Offensive Security, I had already completed 100+ boxes on HackTheBox. I also completed four ProLabs from HackTheBox: Dante, Zephyr, Offshore and RastaLabs. These boxes and ProLabs taught me basically everything I needed to know for the exam.
In the beginni ...
Hacking the Bitwarden vault PIN
Unlock with PIN is a Bitwarden feature that lets you unlock your vault without entering your master password each time. Bitwarden introduced this feature but never pointed out the security issues it creates within the extension or app. This blog post shows how to recover the PIN from the Firefox extension's stored data.
Bitwarden unlock with PIN feature
Bitwarden's "Unlock with PIN" feature is a functionality designed to provide users with a quicker way to access their vault of stored passwords, secure notes, credit card information, an ...
Security Risks For Building Projects In Visual Studio
It is very easy to clone a GitHub repository into Visual Studio, build it and use it. Who even cares about the source code, right? Well, you should. After reading this blog you may want to reconsider building a program without checking it first.
How does Visual Studio build a program?
To get a better understanding of the dangers of building a program in Visual Studio, we first need to understand how Visual Studio (VS) actually builds your program.
Visual Studio uses a process called the MSBuil ...
Exploring the new BloodHound Community Edition
In the realm of cybersecurity, Active Directory is a critical component for managing and organizing a network, controlling access to resources, and ensuring security. BloodHound takes a unique approach by utilizing graph theory to map out relationships between different elements in Active Directory, such as users, groups, and computers. This graphical representation helps security professionals identify and understand potential security risks, such as privilege escalation and lateral movement pa ...
Appsanity - HackTheBox
Nmap
# Nmap 7.94 scan initiated Sun Oct 29 09:01:48 2023 as: nmap -sCV -T4 --min-rate 10000 -p- -v -oA nmap/tcp_default 10.129.147.80
Nmap scan report for 10.129.147.80
Host is up (0.024s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https:// ...
Blackfield - HackTheBox
Nmap scan
We begin by running an nmap scan against the target IP (10.10.10.192).
nmap -sCV -T4 --min-rate 10000 -v -oA nmap/tcp_default 10.10.10.192
# Nmap 7.93 scan initiated Wed Nov 30 10:28:13 2022 as: nmap -sCV -T4 --min-rate 10000 -v -oA nmap/tcp_default 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.025s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
53/tcp open  domain  Simple DNS Plus ...
Bookworm - HackTheBox
Nmap scan
We begin by scanning the box with nmap:
# Nmap 7.94 scan initiated Tue Oct 17 07:05:54 2023 as: nmap -sCV -T4 --min-rate 10000 -p- -v -oA nmap/tcp_default 10.10.11.215
Nmap scan report for 10.10.11.215
Host is up (0.028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 81:1d:22:35:dd:21:15:64:4a:1f:dc:5c:9c:66:e5:e2 (RSA)
| ...
Skyfall - HackTheBox
1. Nmap scan
# Nmap 7.94SVN scan initiated Mon Feb 5 03:50:17 2024 as: nmap -sCV -T4 --min-rate 10000 -p- -v -oA nmap/tcp_default 10.129.216.173
Nmap scan report for 10.129.216.173
Host is up (0.027s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
|_  256 74:48:33:07:b7:88:9d:32:0e ...