Julian Horoszkiewicz

@julianpentest

Living on the edge; fast CPUs, dangerous commands, unpredictable fuckups.

Fucking Nowhere
Joined April 2017

Tweets


  1. Pinned Tweet

    My new t-shirt just arrived :D
  2. Retweeted
    Jan 13

    Released a little tool to perform lateral movement that hides the command you are executing by registering a protocol handler. The protocol handler is executed over WMI by simply running start customhandler:// ❤
  3. Jan 13

    Can anyone recommend exploit dev certifications other than OSCE and OSEE? Thanks in advance!
  4. Retweeted
    Dec 27, 2019

    You know you can embed C# in a PowerShell script (but the PowerShell scanning and logging makes it no longer great for hacking, not to mention that it internally compiles and loads a .dll), but did you know about the C# REPL scriptcs? - Known good EXEs/DLLs - No AMSI, logging...
  5. Retweeted
    Dec 27, 2019

    SharpSploit v1.5 is out! Includes amazing work from , , , , and . Includes: lateral movement over SCM and PSRemoting, an AMSI bypass, CreateProcessWithToken, and DynamicInvoke improvements. 🔥🔥🔥
  6. PE Import Table hijacking as a way of achieving persistence/exploiting DLL side loading (Christmas blog post 😉):

  7. Is there any open source tooling providing similar functionality to cantor.dust? This approach seems super helpful in forensics/malware analysis.

  8. Dealing with a potential DLL side-loading case: from the very beginning of the boot log, all CreateFileMapping() calls with PageProtection:PAGE_EXECUTE result in FILE LOCKED WITH ONLY READERS, so I guess the DLL is somehow locked from being executed. What might be the cause?
  9. Retweeted
    Dec 16, 2019

    Unfortunately one of the negatives to sharing information freely is that sometimes a vocal few who have used it as a stepping stone will try and close the door behind them.. “thanks, but the professionals are here now, step aside”.. Resist that BS and keep on sharing.
  11. Maybe it's the VTable Offset interface property, but in my case it's empty.

  12. Just to be clear, I know where they are, as they are mentioned in the article, plus I got the symbols file and thus (in this case) the methods in the DLL can be found quite easily, but I am just curious what I am missing in what OleViewDotNet is showing.
  13. - "OleViewDotNet identifies both the module that implements the class of interest and the offsets of interface methods". I see the module (DLL) in the service definition, but where does it (OleViewDotNet) show relevant method offsets?

  14. The .search-ms query format supports UNC paths in the path element in the scope, nice 🤭 Name resolution seems to only work over NBNS; however, an IP address given directly does the trick.
  15. Retweeted
    Dec 9, 2019

    We open sourced PathAuditor: a tool for Linux that and I worked on this summer. Tl;dr: you can use it to instrument root daemons and find insecure file access patterns like CVE-2019-3461. Check out the code: Blog post:
  16. Copying an autoElevate binary to an alternative location in order to hijack its DLL loading sequence order with your own DLL -> universal UAC bypass, brilliant! 👍

  17. Anyway, it's shit - doesn't load DLLs🤡

  18. Hm, I expected a well known associated extension like txt to end up in running notepad++ on the target instead... Well, you live and learn.

  20. BTW, to my surprise calc.exe can as well be run directly from a garbage extension like tmp 😉

  21. After stumbling upon c:\windows\system32\runexehelper.exe and some reversing I figured out it can be used to run execs (two conditions: diagtrack_action_output env var needs to be set to a writable directory and runexewithargs_output.txt must not exist there).

