
ALL ARTICLES ON ALMOND OFFENSIVE SECURITY BLOG

LDAP AUTHENTICATION IN ACTIVE DIRECTORY ENVIRONMENTS

Published on Tue 31 October 2023 by @lowercase_drm

Understanding the different types of LDAP authentication methods is fundamental
to understanding topics such as relay attacks and their countermeasures. This
post introduces them through the lens of Python libraries.

WINDOWS INSTALLER ARBITRARY CONTENT MANIPULATION ELEVATION OF PRIVILEGE (CVE-2020-0911)

Published on Thu 06 July 2023 by @clavoillotte

The Windows Installer accesses the MSI files in C:\Windows\Installer while
impersonating the user (and using the impersonated user's device map), and
trusts these files to perform elevated/privileged operations such as registry
key creation. This can be abused by an unprivileged user to obtain SYSTEM
privileges.

SHELL IN THE GHOST: GHOSTSCRIPT CVE-2023-28879 WRITEUP

Published on Tue 11 April 2023 by @sigabrt9

This write-up details how CVE-2023-28879 - an RCE in Ghostscript - was found and
exploited. Due to the prevalence of Ghostscript in PostScript processing, this
vulnerability may be reachable in many applications that process images or PDF
files (think ImageMagick, PIL, etc.), making this an important one to patch and
look out for.

SANS CHRISTMAS CHALLENGE 2022

Published on Fri 06 January 2023 by Yannick Méheut

Yannick's write-up for the 2022 SANS Christmas Challenge.

AUTHENTICATING WITH CERTIFICATES WHEN PKINIT IS NOT SUPPORTED

Published on Wed 04 May 2022 by Yannick Méheut

A certificate obtained through Active Directory Certificate Services is usually
used to get a TGT or recover the NT hash using PKINIT. But what can we do when
it's not possible?

BYPASSING LDAP CHANNEL BINDING WITH STARTTLS

Published on Thu 28 April 2022 by @lowercase_drm

While doing research on LDAP client certificate authentication, we realized that
the LDAP implementation of Active Directory supports the StartTLS mechanism,
which has interesting implications on relay attacks.

LDAP RELAYS FOR INITIAL FOOTHOLD IN DIRE SITUATIONS

Published on Mon 28 March 2022 by @SAERXCIT

Implementing existing attacks and techniques that require a domain account as
black-box LDAP relays, to facilitate gaining initial access to a hardened domain.

SANS CHRISTMAS CHALLENGE 2021

Published on Tue 04 January 2022 by Yannick Méheut

Yannick's write-up for the 2021 SANS Christmas Challenge.

HOWTO: INTERCEPT MUTUALLY-AUTHENTICATED TLS COMMUNICATIONS OF A JAVA THICK CLIENT

Published on Wed 31 March 2021 by @SAERXCIT

A quick guide on how to intercept TLS communications of a hardened Java thick
client implementing client certificate authentication and certificate pinning,
using jdb.

SANS CHRISTMAS CHALLENGE 2020

Published on Mon 11 January 2021 by Yannick Méheut

Yannick's write-up for the 2020 SANS Christmas Challenge.

DISPLAYLINK USB GRAPHICS SOFTWARE ARBITRARY FILE WRITE ELEVATION OF PRIVILEGE

Published on Wed 01 July 2020 by Yannick Méheut

Due to overpermissive access rights on a logging folder, the DisplayLink USB
Graphics software can be abused to perform privileged file operations, such as
arbitrary file creation. This can be exploited, e.g. via DLL hijacking on the
privileged DisplayLink process, to obtain SYSTEM privileges on the local
machine.

PLAYING WITH GZIP: RCE IN GLPI (CVE-2020-11060)

Published on Tue 12 May 2020 by myst404 (@myst404_)

GLPI is vulnerable to a Remote Code Execution (RCE) via the backup feature
(CVE-2020-11060).

MULTIPLE VULNERABILITIES IN GLPI

Published on Tue 12 May 2020 by myst404 (@myst404_)

Multiple vulnerabilities affect GLPI (CVE-2020-5248, CVE-2020-11034,
CVE-2020-11035, CVE-2020-11036 and CVE-2020-11062), including a static key used
to encrypt sensitive data, an Open Redirect, and several XSS.

TESTING THE TESTERS: SOLVING A CUSTOMER'S PRIVATE CTF

Published on Fri 08 May 2020 by Almond OffSec Team

Write-up for a private CTF, offered by a customer for an RFP candidate selection,
with web, crypto and binary exploitation challenges.

SANS CHRISTMAS CHALLENGE 2019

Published on Tue 14 January 2020 by Yannick Méheut

Yannick's write-up for the 2019 SANS Christmas Challenge.

WINDOWS ERROR REPORTING MANAGER ARBITRARY FILE MOVE ELEVATION OF PRIVILEGE (CVE-2019-1315)

Published on Tue 08 October 2019 by @clavoillotte

The privileged file operations performed by the Windows Error Reporting service
on user-writable files can be abused to rename/move arbitrary files with SYSTEM
privileges. This can be used by an unprivileged user to obtain SYSTEM
privileges.

(SUPER) MAGIC HASHES

Published on Mon 07 October 2019 by myst404 (@myst404_)

Magic hashes are well-known specific hashes used to exploit type juggling
vulnerabilities in PHP. Combined with bcrypt limitations, we propose the concept
of Super Magic Hashes. These hashes can detect 3 different vulnerabilities: type
juggling, weak password storage and incorrect bcrypt usage. A Go PoC found some
MD5, SHA1 and SHA224 super magic hashes.

OSQUERY FOR WINDOWS ACCESS RIGHT MISCONFIGURATION ELEVATION OF PRIVILEGE (CVE-2019-3567)

Published on Tue 04 June 2019 by @clavoillotte

An access right misconfiguration in Osquery for Windows can be abused to run
arbitrary programs or load arbitrary DLLs. This can be used by an unprivileged
user to obtain SYSTEM privileges on the local machine.

AN INTRODUCTION TO PRIVILEGED FILE OPERATION ABUSE ON WINDOWS

Published on Wed 20 March 2019 by @clavoillotte

This is a (slightly long) introduction on how to abuse file operations performed
by privileged processes on Windows for local privilege escalation (user to
admin/system), and a presentation of available techniques, tools and procedures
to exploit these types of bugs.

F-SECURE SAFE ARBITRARY FILE COPY ELEVATION OF PRIVILEGE

Published on Wed 20 March 2019 by @clavoillotte

A privileged file copy performed by SAFE when an infected file is detected can
be abused to overwrite an arbitrary file. This can be used by an unprivileged
user to obtain SYSTEM privileges on the local machine.

MCAFEE ENDPOINT SECURITY ARBITRARY FILE WRITE ELEVATION OF PRIVILEGE (CVE-2019-3582)

Published on Wed 20 March 2019 by @clavoillotte

The permissive access rights on logs and quarantine (files / folders and
configuration), and the privileged file manipulation performed by McAfee
Endpoint Security on these files can be abused to create or delete arbitrary
files, or to create arbitrary registry keys. This can be used by an unprivileged
user to obtain SYSTEM privileges on the local machine.

PULSE SECURE CLIENT ARBITRARY FILE WRITE ELEVATION OF PRIVILEGE (CVE-2018-11002)

Published on Wed 20 March 2019 by @clavoillotte

The permissive access rights on the log folder, files and shared memory section,
as set by the Pulse Secure client's logging service, can be abused to create
arbitrary files with write access. This can be used by an unprivileged user to
obtain SYSTEM privileges on the local machine.

SANS CHRISTMAS CHALLENGE 2018

Published on Mon 14 January 2019 by Yannick Méheut

🎵 I'm dreaming of a pwned Christmaaaaas 🎵 As usual, here's my write-up for the
2018 SANS Christmas Challenge.

SANS CHRISTMAS CHALLENGE 2017

Published on Wed 10 January 2018 by Yannick Méheut

'Tis the season to be pwning, falalalala lalalala. Each year, the SANS team
publishes a Christmas Challenge against which anyone can test their skills. This
year was no exception, and here's our write-up for the 2017 SANS Christmas
Challenge.

UAC BYPASS VIA ELEVATED .NET APPLICATIONS

Published on Fri 15 September 2017 by @clavoillotte

.NET Framework can be made to load a profiling DLL or a COM component DLL via
user-defined environment variables and CLSID registry entries, even when the
process is elevated. This behavior can be exploited to bypass UAC in default
settings on Windows 7 to 10 (including the latest RS3 builds) by making an
auto-elevate .NET process (such as MMC snap-ins) load an arbitrary DLL.

© 2023 Almond. All rights reserved.