Active Directory curious ♥

I realize that I haven't given any news about PrivescCheck in a while, but I'm still working on this tool and updating it when I have the opportunity to do so. 😛​

In particular, the script now has the capability of identifying vulnerable drivers based on the list provided by loldrivers[.]io. 🥳

👉​ https://github.com/itm4n/PrivescCheck

GitHub - itm4n/PrivescCheck: Privilege Escalation Enumeration Script for Windows

Privilege Escalation Enumeration Script for Windows - itm4n/PrivescCheck

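The post above says PrivescCheck now flags vulnerable drivers using the list published by loldrivers[.]io. The snippet below is an added illustration of the underlying check, written for this page and not taken from PrivescCheck: it enumerates the running kernel drivers, hashes their image files with SHA-256 and looks each hash up in a known-bad table. The table here is a constructed placeholder (the single hash in it is not a real LOLDrivers entry); in practice you would populate it from the list loldrivers.io publishes, and the `Get-LoadedDriverPath` / `Find-KnownVulnerableDriver` names are this example's own.

```powershell
# Added example, not PrivescCheck code: match running kernel drivers against a
# LOLDrivers-style SHA-256 list. The hash table below is CONSTRUCTED for illustration;
# fill it from the real loldrivers.io list before relying on the result.

# Hypothetical known-bad hashes (placeholder value, NOT a real LOLDrivers entry)
$KnownBadSha256 = @{
    '0000000000000000000000000000000000000000000000000000000000000001' = 'placeholder-vuln.sys'
}

function Get-LoadedDriverPath {
    # Win32_SystemDriver lists kernel driver services; PathName is the image path,
    # which may be an NT-style path rather than a Win32 one, so normalise it.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $p = $_.PathName -replace '^\\\?\?\\', ''                      # strip \??\ prefix
            $p = $p -replace '^\\SystemRoot', $env:SystemRoot              # \SystemRoot\... -> C:\Windows\...
            $p = $p -replace '^System32', "$env:SystemRoot\System32"       # System32\... -> C:\Windows\System32\...
            [pscustomobject]@{ Name = $_.Name; Path = $p }
        }
}

function Find-KnownVulnerableDriver {
    param([hashtable]$BadHashes = $KnownBadSha256)

    foreach ($drv in Get-LoadedDriverPath) {
        # Skip entries whose image file cannot be resolved (e.g. boot-start drivers with odd paths)
        if (-not (Test-Path -LiteralPath $drv.Path)) { continue }

        $hash = (Get-FileHash -LiteralPath $drv.Path -Algorithm SHA256).Hash.ToLower()
        if ($BadHashes.ContainsKey($hash)) {
            [pscustomobject]@{
                Driver = $drv.Name
                Path   = $drv.Path
                Sha256 = $hash
                Match  = $BadHashes[$hash]
            }
        }
    }
}

Find-KnownVulnerableDriver | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: an exact-hash match only catches the specific binaries on the list, so a recompiled or differently signed build of the same vulnerable driver will not match, and a driver that is installed but not currently running is not covered by the `State -eq 'Running'` filter above (drop that filter, or walk `%SystemRoot%\System32\drivers`, if you want the on-disk view as well).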

Here we go, new articles are ready on a brand new and exciting topic, smart contracts security! ⛓️

⏩To get things off to a good start, here's the first article, Blockchain 101.
Happy reading!

https://en.hackndo.com/blockchain

Blockchain 101

A blockchain represents a decentralized register (or database). There is no central entity deciding whether a transaction is valid or not, but rather thousands of people or machines working to verify and validate these transactions, all governed by precise mathematical rules and concepts.


Finally done!

My latest article introduces the basics of Windows kernel drivers/internals and how to find and exploit process killer drivers using LOLDrivers 🤓

I hope you'll enjoy it! Thanks M. and @r00tbsd for the proofread!

https://alice.climent-pommeret.red/posts/process-killer-driver/

Finding and exploiting process killer drivers with LOL for 3000$

This article describes a quick way to find easily exploitable process killer drivers. There are many ways to identify and exploit process killer drivers. This article is not exhaustive and presents only one (easy) method. Lately, the use of the BYOVD technique to kill AV and EDR agents seems trending. The ZeroMemoryEx Blackout project and the Terminator tool sold (for 3000$) by spyboy are some recent examples. Using vulnerable drivers to kill AV and EDR is not brand new; it's been used by APTs, Red Teamers, and ransomware gangs for quite some time.

🔥 Brace yourself #LocalPotato is out 🥔
Our new NTLM reflection attack in local authentication allows for arbitrary file read/write & elevation of privilege.
Patched by Microsoft, but other protocols may still be vulnerable.
cc @decoder_it

Enjoy! 👇

https://www.localpotato.com/localpotato_html/LocalPotato.html

LocalPotato - When Swapping The Context Leads You To SYSTEM

Here we are again with our new *potato flavor, the LocalPotato! This was a cool finding so we decided to create this dedicated website ;)

"Bypassing PPL in Userland (again)"

Over the past 6 months, I worked on a new Userland exploit for injecting unsigned code in a PPL. In this new blog post, I discuss my methodology and all the issues I had to solve to achieve this result.

https://blog.scrt.ch/2023/03/17/bypassing-ppl-in-userland-again/

Bypassing PPL in Userland (again) – Sec Team Blog

RT @filip_dragovic
One of the paths to DA in current engagement.
Run gowitness and take screenshots of servers in scope.
Identified Cisco Unified Call Manager on one of the servers. Used SeeYouCM Thief to enumerate AD users.
Used kerbrute to spray a password and got one hit. 1/n
Quick blog post kicking off a mini series looking at how we can reimplement memory loading on macOS after Dyld started to persist memory to disk. https://blog.xpnsec.com/restoring-dyld-memory-loading/
Restoring Dyld Memory Loading

Up until recently, we've enjoyed in-memory loading of Mach-O bundles courtesy of dyld and its NSCreateObjectFileImageFromMemory/NSLinkModule API methods. And while these methods still exist today, there is a key difference... memory modules are now persisted to disk. So in this post we'll take a look at just what was changed in dyld, and see what we can do to restore this functionality... hopefully keeping our warez in memory for a little longer.

The Kerberos PAC verification bypass that @monoxgas and I showed at the end of our BH presentation, and which was fixed last month, is now open in the issue tracker. Certainly an interesting one :) https://bugs.chromium.org/p/project-zero/issues/detail?id=2346
2346 - project-zero - Project Zero - Monorail

Yooo new MS-RPC #research has dropped this morning!

If you're not aware, our team has been putting in a ton of werk into MS-RPC (Microsoft's remote procedure call) and the newest addition to that is live now.

MS-RPC is... involved to say the least, and the security mechanisms are all over the place. This blog is intended to help clear up some of these various mechanisms, where they are, and what they do.

Link: https://www.akamai.com/blog/security-research/msrpc-security-mechanisms

If you want some more #RPC info and tools, our #github repo link is here too: https://github.com/akamai/akamai-security-research/tree/main/rpc_toolkit

GOAD writeup part 11 is up. This one is about ACL/ACE exploitation.

https://mayfly277.github.io/posts/GOADv2-pwning-part11/

GOAD - part 11 - ACL

In the previous post (GOAD pwning part 10) we did some exploitation by abusing delegation. In this blog post, we will have fun with ACLs in the lab.
