mpgn

NFS escape to the root directory with NetExec

NFS downloading the /etc/shadow file from a system with default NFS configs

This looks off to you? Yeah...

In the default configuration, NFS exposes THE ENTIRE FILE SYSTEM and not only the exported directory!
This means that you can read every file on the system that is not root:root owned, e.g. /etc/shadow.

But it can get even worse 1/4🧵

🔐 Purple Team job alert ! 🛡️🚨🔥
Lucca ouvre un poste dans sa team sécu !

TL;DR : Du web, du k8s Talos, des millions de users, un prog de bounty mature, un ADN branché scalabilité dans une boîte qui cultive la transparence, l'expertise et la culture du challenge.

Bref, vous en saurez plus ici :👇

🇫🇷🎙️Nouvel épisode du podcast Hack'n Speak !

C'est la partie 2 du relais Kerberos, avec une section dédiée à SCCM et un petit supplément Red Team 🥷🐊

Bonne écoute à toutes et à tous 🎶

creators.spotify.com/pod/show/hac...

Generate a valid krb5 conf file directly from netexec 🔥

Not that NXC needs it, but sometimes you gotta help other tools for them to work. 😂

DCsync a domain when you find a user in the Backup Operators group using netexec, very simple and no need for a custom smb server 😛🏆

So you want to exploit ADCS ESC8 with only netexec and ntlmrelayx ? Fear not my friend, I will show you how to do it 👇

NetExec now supports "Pass-the-Cert" as an authentication method, thanks to @dirkjanm.io original work on PKINITtools ⛱️

awesome as always 🔥

GitHub - dirkjanm/BloodHound.py: A Python based ingestor for BloodHound A Python based ingestor for BloodHound. Contribute to dirkjanm/BloodHound.py development by creating an account on GitHub.

Few BloodHound python updates: LDAP channel binding is now supported with Kerberos auth (native) or with NTLM (custom ldap3 version). Furthermore, the BH CE collector now has its own pypi package and command. You can have both on the same system with pipx. github.com/dirkjanm/Blo...

ldap socks on netexec / nxc 🎃

Diagram representing the various Windows Point and Print configurations that reintroduce the PrintNightmare exploit variants.

I updated the diagram representing the different Point and Print configurations and their exploitation on my blog.

Hopefully, this should provide a better understanding of the whole "PrintNightmare" situation to both defenders and red teamers. 🤞

This is the paradox of security and it. Doing your job well results in nothing (in a good way). Mistakes are blown up and noticed (in a bad way).

hear me out, pass the certificate auth on nxc 🔥

merged on main 🎃

Thanks to Xiaolichan, NXC is now capable of scanning your network without attempting SMBv1 first by using the flag --no-smbv1. This reduces unexpected errors and scan time on large networks. 👺

A new module has also been added to scan hosts vulnerable to the Remove-MIC vulnerability 🔥

bye bye smb on ldap proto, coming soon 👺

I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...

Vous savez quoi ? @mpgn.bsky.social est désormais sur Bluesky ! 👀

L'occasion rêvée pour reposter le lien vers mon intervention sur son podcast Hack'n'Speak 🎙️

Two new modules for MSSQL on NXC, thanks to the contributions of @lodos2005.bsky.social and @adamkadaban.bsky.social 🔥

- rid-brute from mssql
- mssql_coerce from mssql

github.com/Pennyw0rth/N...

Pour mes followers francophones, voici mon intervention pour le podcast Hack’n’Speak de MPGN https://podcasters.spotify.com/pod/show/hacknspeak

If you want to first blood a windows box in @hackthebox.bsky.social every minute counts ! 🩸
I've added a special flag --generate-hosts-file so you just have to copy past into your /etc/hosts file and be ready to pwn as soon as possible 🔥