With the latest CVE around the print spooler service this is a good time to update my guidance on securing domain controller environments with security hardening policies. Just for reference at the time of this posting there is an RCE going around with the print spooler service which can be…

Here is another writeup on Chatterbox. This is a retired machine in HTB. Reconnaissance An NMAP scan reveals two ports open. 9255 and 9256 A quick google search yields the following exploit DB result: Offensive Security's Exploit Database Archive Achat 0.150 beta7 - Remote Buffer Overflow. CVE-2015-1578CVE-2015-1577CVE-118206CVE-118104 . remote exploit for Windows…www.exploit-db.com Next I do a searchsploit for achat software and I get two results for a remote…

This box is on the retired list in hack the box. Here is a walk through on how I got full system privileges in this active directory environment. Pre-Requisites installations needed in Kali: winapsearch.py — https://github.com/ropnop/windapsearch Impacket — https://github.com/SecureAuthCorp/impacket Evil-WinRM — https://github.com/Hackplayers/evil-winrm Bloodhound.py — https://github.com/fox-it/BloodHound.py

This is the first series of domain controllers I was able to compromise in hack the box. At the time of this writing the box has been retired allowing me to post how I did reconnaissance, enumeration, initial foothold, and privilege escalation. …

The NSA and FBI had an excellent joint write up on Russian Drovorub Malware on 8/13. URL:https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF So for defenders what should you be doing with your internet facing Linux servers? The NSA offers the following mitigation strategies: Apply Linux Updates Prevent Untrusted Kernel Modules (Ex. Activate UEFI/Secure boot)

This is my walkthrough on how to get started with bloodhound in Kali Linux Open up terminal in Kali and type the following command: sudo apt install bloodhound After you select yes to install and the installation completes we will need to change the default passwords on the neo4j console…

I’ve gotten into kerberoasting lately and thought this would be a good opportunity to talk about auditing your SPN’s and encryption types in your environment. …

There is a wealth of information that is stored in AAD. Email addresses, telephone numbers, group memberships, physical contact info, job titles. It even has pictures of employees. Just some thoughts and recommendations of limiting access: Restrict access to the Azure AD Administration portal. To access AAD type Azure Active…