@drm

A private Burp Suite Collaborator instance is essential for pentesting sensitive environments, but managing TLS for it can be a pain. Today we release a Certbot plugin that automates Let’s Encrypt wildcard certificate renewals for private instances.

https://github.com/AlmondOffSec/certbot-plugin-burpcollaborator

Are one-way trusts really one way? @drm sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets.

https://offsec.almond.consulting/trust-no-one_are-one-way-trusts-really-one-way.html

I was bored of typing the same commands each time I started a new internal pentest. So here comes KingCastle. This script does not perform any attacks; consider it a cheat sheet to quickly see low-hanging fruit.

https://github.com/ThePirateWhoSmellsOfSunflowers/KingCastle

Team member @sigabrt was able to bypass Apache FOP PostScript escaping to reach the Ghostscript engine.

https://offsec.almond.consulting/bypassing-apache-fop-escaping-to-reach-ghostscript.html

Team member @myst404 identified a privilege escalation in WAPT caused by a DLL hijacking issue, which was promptly fixed by the vendor. Patched in version 2.6.1.
Changelog: https://www.wapt.fr/fr/doc/wapt-changelog.html#wapt-2-6-1-17705-2026-02-04

Originally, Microsoft did not enforce their own specs for validated writes at all and only checked if a KeyCredentialLink is already present. Now they require a CustomKeyInformation field with the "MFA Not Required" flag to be present and the last logon timestamp to be absent.

To all my VMK sniffers here: you can now perform the attack for approximately 80€. I've successfully sniffed my good ol' T470 with a 16u3 from SipeedIO. The hardware is nice🫡, the software is meh😕 (laggy/buggy/crashes). Definitely not a Saleae killer, but OK to start playing with.

Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: https://offsec.almond.consulting/evading-elastic-callstack-signatures.html
PoC: https://github.com/AlmondOffSec/LibTPLoadLib