@drm

20 Followers
59 Following
109 Posts
@AlmondOffSec but #pywerview at night
drmApr 24

What have I done ??!

https://vmk.lol

drmApr 2
Clément LabroApr 2

🆕 New blog post!

"BitLocker's Little Secrets: The Undocumented FVE API"

A small Windows RE adventure to figure out how to get the status and configuration of a BitLocker protected drive programmatically and without admin privileges.

Now also implemented in PrivescCheck! 🔥

👉 https://itm4n.github.io/bitlocker-little-secrets-the-undocumented-fve-api/

drmMar 20
Almond OffSecMar 20

A private Burp Suite Collaborator instance is an essential for pentesting sensitive environments, but managing TLS for it can be a pain. Today we release a Certbot plugin that automates Let’s Encrypt wildcard certificate renewals for private instances.

https://github.com/AlmondOffSec/certbot-plugin-burpcollaborator

GitHub - AlmondOffSec/certbot-plugin-burpcollaborator: Certbot plugin for authentication using Burp Collaborator

Certbot plugin for authentication using Burp Collaborator - AlmondOffSec/certbot-plugin-burpcollaborator

GitHub
drmMar 10
Almond OffSecMar 10

Are one-way trusts really one way? @drm sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets.

https://offsec.almond.consulting/trust-no-one_are-one-way-trusts-really-one-way.html

drmMar 6

I was bored to type the same commands each time I started a new internal pentest. So here comes KingCastle. This script does not perform any attacks, consider it as a cheat sheet, to quickly see low hanging fruits.

https://github.com/ThePirateWhoSmellsOfSunflowers/KingCastle

drmFeb 27
Almond OffSecFeb 27

Team member @sigabrt was able to bypass Apache FOP Postscript escaping to reach GhostScript engine.

https://offsec.almond.consulting/bypassing-apache-fop-escaping-to-reach-ghostscript.html

drmFeb 17
Almond OffSecFeb 17
Team member @myst404 identified a privilege escalation in WAPT caused by a DLL hijacking issue, which was promptly fixed by the vendor. Patched in version 2.6.1.
Changelog: https://www.wapt.fr/fr/doc/wapt-changelog.html#wapt-2-6-1-17705-2026-02-04
drmJan 30
Show threadRedTeam PentestingJan 30
Originally, Microsoft did not enforce their own specs for validated writes at all and only checked if a KeyCredentialLink is already present. Now they require a CustomKeyInformation field with the "MFA Not Required" flag to be present and the last logon timestamp to be absent.
drmDec 17
To all my VMK sniffers here: you can now perform the attack for approximately 80€. I've successfully sniffed my good ol' T470 with a 16u3 from SipeedIO. The hardware is nice🫡, the software is meh😕(laggy/ buggy/crash). Definitively not a Saleae killer, but ok to start to play.
drmNov 14, 2025
4 channels @ 800 MS/s for < 80€ ? 🥰
TPM sniffing is cheaper than ever
https://www.cnx-software.com/2025/11/12/69-sipeed-slogic16u3-low-cost-logic-analyzer-supports-3-2-gbps-bandwidth-150-protocols/