As promised in the previous post, I will show you how to embed the "lonely potato" in InstallUtil.exe. Why do we need that? Because, as explained here , with Installutil we can call our C# assembly with whatever extension we like, for example ".txt". Cool way to bypass some Application and File restriction policies.... Quick and…
Never heard about the "Rotten Potato"? If not, read this post written by the authors of this fantastic exploit before continuing: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ The mechanism is quite complex, it allows us to intercept the NTLM authentication challenge which occurs during the DCOM activation through our endpoint listener and impersonate the user's security access token (in this case…
This seems to be a never ending story but, believe me, there are so many ways to achieve the same result! This time we are going to use another simple technique for running our powershell scripts without invoking powershell.exe. Introducing MSBuild.exe... MSBuild is a tool included in .Net frameworks for automating the processes of creating…
In your pentesting activities, there are many circumstances where you need to “migrate” your Windows working process, typically a shell,to a different process and some scenarios can be: You have an unstable shell and need to move to a more robust process on the victim's machine (typically explorer.exe which will live until the victim doesn't…
This is the third part of my "powershell-less" series: howto execute powershell scripts without using powershell.exe In part 2 I used DotNetToJscript in order to circumvent AppLocker policy. Now let's try to use another technique. The problem is always the same: we cannot run executable files outside windows directories and we can't run powershell.exe. Never heard…
In my previous post I showed you how to bypass policy restrictions which won't let you execute powershell.exe. Now let's move on to a more complicated (but realistic) scenario: you can't run exe files located outside the "classic" Windows directories because there is an App Locker policy which won't permit it Say bye-bye to powershell?…
Please don't misunderstand me, you really need Powershell and all it's magic if you are a pentester, don't you? But what can you do if some policy is blocking access to powershell.exe? Yes, this is a well known problem and there are many solutions. In my article I just want to focus on a quick…
Article can be found here: From pass the hash to pass the ticket!
In this article we will try to bypass the ASLR (Address Space Layout Randomization) and NX (non execute bit) techniques. So we got this 32 bit binary "overflow" without source code and root suid bit turned on! $ ls -al overflow -rwsr-sr-x 1 root root 7377 Jun 15 21:17 overflow All we know is…
This article, written with my friend Giuseppe, is published here: http://resources.infosecinstitute.com/apk-golden-ticket-owning-android-smartphone-gaining-domain-admin-rights/
