Almond OffSec

66 Followers
0 Following
28 Posts
Offensive Security team at Almond
Blog: https://offsec.almond.consulting/
Twitter: https://twitter.com/AlmondOffSec

Are one-way trusts really one way? @drm sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets.

https://offsec.almond.consulting/trust-no-one_are-one-way-trusts-really-one-way.html

Team member @sigabrt was able to bypass Apache FOP PostScript escaping to reach the Ghostscript engine.

https://offsec.almond.consulting/bypassing-apache-fop-escaping-to-reach-ghostscript.html

Team member @myst404 identified a privilege escalation in WAPT caused by a DLL hijacking issue, which was promptly fixed by the vendor. Patched in version 2.6.1.
Changelog: https://www.wapt.fr/fr/doc/wapt-changelog.html#wapt-2-6-1-17705-2026-02-04
Callstacks are widely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: https://offsec.almond.consulting/evading-elastic-callstack-signatures.html
PoC: https://github.com/AlmondOffSec/LibTPLoadLib
Following @S3cur3Th1sSh1T's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by SAERXCIT last year.
It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
https://github.com/AlmondOffSec/DCOMRunAs

Did you know deleting a file in Wire doesn’t remove it from servers?

Team member @myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.

https://offsec.almond.consulting/deleting-file-wire-doesnt-remove-it.html

To escape a locked-down Citrix environment, team member SAERXCIT (https://twitter.com/SAERXCIT) wrote a basic shellcode loader in OpenEdge ABL, a 40-year-old English-like programming language. We're sharing it on the off chance someone else might one day need it:

https://github.com/AlmondOffSec/OpenEdgeABL-Loader

Team member @sigabrt describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack bug bounty program for Gnome: https://offsec.almond.consulting/using-aflplusplus-on-bug-bounty-programs-an-example-with-gnome-libsoup.html

New article on F5! A write-up on CVE-2024-45844, a privilege escalation vulnerability in BIG-IP, by team member @myst404
https://offsec.almond.consulting/privilege-escalation-f5-CVE-2024-45844.html

If you are lucky enough to have a Windows Server Datacenter host with Hyper-V, you can automatically activate @M4yFly's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We POCed a Vagrant-style script here:

https://github.com/AlmondOffSec/GOAD_hyperv

#GOAD #activedirectory #hyperv
