Almond OffSec

@[email protected]
66 Followers
0 Following
28 Posts
Offensive Security team at Almond
Bloghttps://offsec.almond.consulting/
Twitterhttps://twitter.com/AlmondOffSec
Almond OffSec3d ago

A private Burp Suite Collaborator instance is an essential for pentesting sensitive environments, but managing TLS for it can be a pain. Today we release a Certbot plugin that automates Let’s Encrypt wildcard certificate renewals for private instances.

https://github.com/AlmondOffSec/certbot-plugin-burpcollaborator

GitHub - AlmondOffSec/certbot-plugin-burpcollaborator: Certbot plugin for authentication using Burp Collaborator

Certbot plugin for authentication using Burp Collaborator - AlmondOffSec/certbot-plugin-burpcollaborator

GitHub
Almond OffSecMar 10

Are one-way trusts really one way? @drm sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets.

https://offsec.almond.consulting/trust-no-one_are-one-way-trusts-really-one-way.html

Almond OffSecFeb 27

Team member @sigabrt was able to bypass Apache FOP Postscript escaping to reach GhostScript engine.

https://offsec.almond.consulting/bypassing-apache-fop-escaping-to-reach-ghostscript.html

Almond OffSecFeb 17
Team member @myst404 identified a privilege escalation in WAPT caused by a DLL hijacking issue, which was promptly fixed by the vendor. Patched in version 2.6.1.
Changelog: https://www.wapt.fr/fr/doc/wapt-changelog.html#wapt-2-6-1-17705-2026-02-04
Almond OffSecNov 6
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: https://offsec.almond.consulting/evading-elastic-callstack-signatures.html
PoC: https://github.com/AlmondOffSec/LibTPLoadLib
Almond OffSecJun 27, 2025
Following @S3cur3Th1sSh1T's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by SAERXCIT last year.
It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
https://github.com/AlmondOffSec/DCOMRunAs
Almond OffSecJun 25, 2025

Did you know deleting a file in Wire doesn’t remove it from servers?

Team member @myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.

https://offsec.almond.consulting/deleting-file-wire-doesnt-remove-it.html

Almond OffSecDec 9, 2024

To escape a locked-down Citrix environnement, team member SAERXCIT (https://twitter.com/SAERXCIT) wrote a basic shellcode loader in OpenEdge ABL, a 40 years old english-like programming language. We're sharing it in the off chance someone else might one day need it:

https://github.com/AlmondOffSec/OpenEdgeABL-Loader

SAERXCIT (@saerxcit) on X

@AlmondOffSec

X (formerly Twitter)
Show threadAlmond OffSecDec 5, 2024
@sigabrt @yeswehack This issue was assigned CVE-2024-52531. While the CVE description states that the vulnerability cannot be reached from the network, it seems, in fact, possible (check the blogpost for details).
Almond OffSecOct 30, 2024
Team member @sigabrt describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack bug bounty program for Gnome: https://offsec.almond.consulting/using-aflplusplus-on-bug-bounty-programs-an-example-with-gnome-libsoup.html
Using AFL++ on bug bounty programs: an example with Gnome libsoup - Almond Offensive Security Blog