Our Blog

Abusing Windows’ tokens to compromise Active Directory without touching LSASS

Reading time: ~34 min
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows...

Constrained Delegation Considerations for Lateral Movement

Reading time: ~18 min
The abuse of constrained delegation configuration, whereby a compromised domain user or computer account configured with constrained delegation can be...

Building an offensive RPC interface

Reading time: ~28 min
Using the Windows Remote Procedure Call (RPC) interface is an interesting concept when conssidering the fact that it allows you...

Chaining multiple techniques and tools for domain takeover using RBCD

Reading time: ~26 min
Intro In this blog post I want to show a simulation of a real-world Resource Based Constrained Delegation attack scenario...

Being Stubborn Pays Off pt. 1 – CVE-2018-19204

Reading time: ~13 min
Intro During an internal assessment, I came across monitoring software that had default credentials configured. This monitoring software allowed for...

USaBUSe Linux updates

Reading time: ~6 min
(If you’re new to this project, read the intro first) For the past few months, I’ve been working on porting...

AutoDane at BSides Cape Town

Reading time: ~6 min
Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks both globally and...

Something about sudo, Kingcope and re-inventing the wheel

Reading time: ~5 min
Willems and I are currently on an internal assessment and have popped a couple hundred (thousand?) RHEL machines, which was...