Latest Posts:

Overview

Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker supplies a URL or hostname that the server then fetches on the attacker's behalf. Because the request originates from the server, it carries the server's network position and trust, so this deceptively simple flaw can have devastating consequences, potentially allowing attackers to:

  • Bypass firewall rules that block external access to resources
  • Access internal services hidden from the public internet
  • Leak sensitive cloud metadata (for example, instance credentials from the metadata endpoint)
  • Read local files on the server (for example, via the file:// scheme)
  • Perform network discovery and port scanning

In this guide, we’ll explore SSRF from identification to mitigations, complete with practical demonstrations and real-world bypass techniques.
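As an added example (not code from the original post), here is a URL-fetch handler that is vulnerable to SSRF beside a hardened one. The hardened version restricts the scheme, resolves the hostname and rejects any answer that is not a public address, which covers loopback, RFC 1918, link-local (and with it the cloud metadata endpoint 169.254.169.254) and IPv4-mapped IPv6 tricks. DNS is replaced by the constructed SAMPLE_DNS table so it runs offline; every hostname and address in that table is hypothetical.

```python
"""Added example (not code from the original post): vulnerable vs. hardened
SSRF target selection. SAMPLE_DNS is a constructed stand-in for DNS."""
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS (hypothetical names -> answers).
SAMPLE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "evil.example.net": ["10.0.0.5"],       # public-looking name, internal answer
    "localtest.me": ["127.0.0.1"],
}

def resolve(host):
    """Hypothetical resolver; in real code use socket.getaddrinfo()."""
    return SAMPLE_DNS.get(host, [])

ALLOWED_SCHEMES = {"http", "https"}

def is_public_ip(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as 127.0.0.1.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    # is_global is False for loopback, private, link-local (which covers the
    # cloud metadata endpoint 169.254.169.254), reserved and unspecified ranges.
    return addr.is_global and not addr.is_multicast

def vulnerable_target(url):
    """'Before': the user-supplied URL is fetched as-is, so
    http://169.254.169.254/latest/meta-data/ or http://127.0.0.1:8080/admin
    is requested with the server's network position."""
    return url

def hardened_target(url, resolver=resolve):
    """'After': returns (host, port, ip) the client should connect to, or raises
    ValueError. Connect to the returned ip (not the name) so a DNS answer that
    changes between check and use cannot be exploited, and re-run this check
    on every redirect location instead of following redirects blindly."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {p.scheme!r}")
    if p.username or p.password:
        raise ValueError("credentials in URL are not allowed")
    host = p.hostname
    if not host:
        raise ValueError("missing host")
    port = p.port or (443 if p.scheme == "https" else 80)
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        # Not a literal the parser accepts: names, and also decimal/octal/hex
        # forms such as 2130706433 or 0x7f000001 that many resolvers would
        # turn into 127.0.0.1. Resolve it and check every answer.
        ips = resolver(host)
    if not ips:
        raise ValueError(f"unresolvable host: {host!r}")
    for ip in ips:
        if not is_public_ip(ip):
            raise ValueError(f"{host!r} -> {ip} is not a public address")
    return host, port, ips[0]

def check(url, resolver=resolve):
    """True if the hardened filter would let the request through."""
    try:
        hardened_target(url, resolver)
        return True
    except ValueError:
        return False
```

The filter deliberately validates the resolved address rather than the string in the URL: deny-listing "127.0.0.1" or "169.254.169.254" as text is defeated by alternate encodings and by attacker-controlled DNS, which is why the example treats a resolver answer of 10.0.0.5 for a public-looking name as a rejection.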

Read More
post @ 2025-10-22


Overview

Have you ever been in an engagement or CTF where you finally found a Groovy script console, only to discover that outbound connections are blocked? Or you have a basic shell but just can't get tools onto the target with the built-in upload methods?

Over the next few minutes I'll show a practical, repeatable approach for turning a Groovy console into a persistent, multithreaded Java bind shell that lives in the webroot, and for transferring binary tools via base64 encoding (both small and large files). A bind shell listens for inbound connections, so this helps when you can reach the port it opens on the target; if inbound is filtered as well, you will need another channel. This guide is a proof of concept: the shell here is not hardened enough for real-world OPSEC, but it is a starting point to build on.

Read More


Overview

In this post, we dive into CVE-2025-32463, a recently disclosed vulnerability in Sudo's -R (--chroot) option that allows local privilege escalation by abusing chroot in combination with how the Name Service Switch (NSS) resolves lookups. Discovered by Rich Mirch, this flaw makes it possible for an unprivileged local user to trick sudo into loading an arbitrary shared library as root by placing a crafted /etc/nsswitch.conf under the user-specified root directory. The bug affects sudo 1.9.14 through 1.9.17 and is fixed in 1.9.17p1, which also deprecates the chroot option, so check `sudo --version` before assuming a target is affected.

Read More


Overview

Python ships with a large standard library, so a default installation already provides many modules that save us from writing that functionality ourselves. That convenience is also an attack surface: when a privileged process (a script run via sudo, or a cron job running as root) imports a module, Python searches a fixed list of locations in order and loads the first match, so an attacker who can write to any of those locations, or to the module file itself, can have their code executed with the script's privileges. Much depends on the script and its contents, but there are three basic conditions under which library hijacking can be used for privilege escalation.
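The following is an added example, not code from the original post. It does three things a practitioner checks on a target: it lists the sys.path entries the current user can write to, it reports which file a given import would actually load (so you can compare that against the writable locations), and it demonstrates that a module planted in a directory searched earlier wins over anything later. The module name `reportlib` and the `EXAMPLE_ENTRIES` list are constructed placeholders.

```python
"""Added example (not code from the original post): Python import-search
auditing and a planted-module demonstration. 'reportlib' is a placeholder."""
import importlib
import importlib.util
import os
import sys
import tempfile

# Constructed path list for the demo: one entry that does not exist and one
# that is writable by everyone.
EXAMPLE_ENTRIES = ["/nonexistent-dir-for-example", tempfile.gettempdir()]

def writable_path_entries(path_entries=None):
    """sys.path entries an unprivileged user could plant a module in. An empty
    string means 'current working directory'; when a privileged script is run
    as `python script.py`, sys.path[0] is the script's own directory instead,
    so a writable script directory is just as dangerous."""
    entries = sys.path if path_entries is None else path_entries
    hits = []
    for entry in entries:
        probe = entry or os.getcwd()
        if os.path.isdir(probe) and os.access(probe, os.W_OK):
            hits.append(entry)
    return hits

def import_origin(module_name):
    """File that `import module_name` would load right now (None if not found,
    'built-in' for compiled-in modules). Compare this against the writable
    locations to spot a module a privileged script imports that you could
    overwrite or shadow."""
    spec = importlib.util.find_spec(module_name)
    return spec.origin if spec else None

def demo_hijack(module_name="reportlib"):
    """Plant a module in a temp dir, put that dir at the front of sys.path and
    import: the planted copy is what runs. With a root-owned script doing the
    import (sudo, cron), the planted body would run as root."""
    with tempfile.TemporaryDirectory() as planted:
        with open(os.path.join(planted, module_name + ".py"), "w") as fh:
            # Payload stand-in; a real hijack would e.g. spawn a shell here.
            fh.write("SOURCE = 'planted'\n")
        sys.path.insert(0, planted)
        try:
            sys.modules.pop(module_name, None)
            return importlib.import_module(module_name).SOURCE
        finally:
            sys.path.remove(planted)
            sys.modules.pop(module_name, None)

if __name__ == "__main__":
    print("writable sys.path entries:", writable_path_entries())
    print("json loads from:", import_origin("json"))
    print("planted module import returned:", demo_hijack())
```

The same logic applies to the PYTHONPATH environment variable when sudo is configured to keep it (env_keep), since its directories are prepended to sys.path before the standard library.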

Read More

Overview

NoPAC is a privilege escalation vulnerability in Active Directory environments that allows an authenticated, low-privileged domain user to impersonate any user to a Domain Controller, including Domain Admins.

This vulnerability chains two CVEs, CVE-2021-42278 and CVE-2021-42287, allowing intra-domain privilege escalation from any standard domain user to Domain Admin in a single command. It relies on being able to create or rename a computer account, which any user can do by default because ms-DS-MachineAccountQuota is 10; both CVEs were fixed in the November 2021 Windows updates, so verifying those patches and setting ms-DS-MachineAccountQuota to 0 are the usual mitigations to check for. Here is a quick breakdown of what each CVE provides regarding this vulnerability.

  • CVE-2021-42278: a bypass in the Security Account Manager (SAM) name handling. The DC does not enforce that a computer account's sAMAccountName ends with $, so an attacker-controlled computer account can be renamed to match a Domain Controller's name.
  • CVE-2021-42287: a flaw in how the Kerberos Key Distribution Center handles the Privilege Attribute Certificate (PAC) in AD DS. When the account in a TGT cannot be found, the KDC retries with $ appended, so a ticket obtained under the spoofed name is treated as the DC's own.

Read More


Overview

This post highlights the power of custom wordlists. Instead of relying on generic, multi-gigabyte wordlists, we perform a targeted attack: use Open Source Intelligence (OSINT) to build a wordlist and ruleset tailored to the victim (names, pets, employer, significant dates, hobbies), then let Hashcat combine those base words with mutation rules (case changes, appended years and symbols, leet substitutions) to generate candidates. Running `hashcat --stdout -r rules.rule base.txt` prints the generated list so you can sanity-check its size and content before spending GPU time on it.
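To show what such a ruleset actually produces, here is an added example (not code from the original post): a small interpreter for a subset of hashcat's rule language plus a combinator step, so you can preview offline what the rules do to OSINT-derived base words. The base words and rules are constructed; with hashcat itself the same output comes from `hashcat --stdout -r rules.rule base.txt` and `hashcat --stdout -a 1 left.txt right.txt` for the combinator step.

```python
"""Added example (not code from the original post): a subset of hashcat's
rule functions applied to constructed OSINT base words."""

def apply_rule(word, rule):
    """Apply one hashcat rule line to a word. Functions run left to right;
    whitespace between functions is ignored, as in hashcat."""
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == " ":
            i += 1
            continue
        if f == ":":          # no-op (emit the word unchanged)
            pass
        elif f == "l":        # lowercase all
            word = word.lower()
        elif f == "u":        # uppercase all
            word = word.upper()
        elif f == "c":        # capitalize first, lowercase the rest
            word = word[:1].upper() + word[1:].lower()
        elif f == "C":        # lowercase first, uppercase the rest
            word = word[:1].lower() + word[1:].upper()
        elif f == "t":        # toggle case of every character
            word = word.swapcase()
        elif f == "r":        # reverse
            word = word[::-1]
        elif f == "d":        # duplicate
            word = word + word
        elif f == "[":        # delete first character
            word = word[1:]
        elif f == "]":        # delete last character
            word = word[:-1]
        elif f == "$":        # $X append X
            i += 1
            word = word + rule[i]
        elif f == "^":        # ^X prepend X
            i += 1
            word = rule[i] + word
        elif f == "s":        # sXY replace every X with Y
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
        i += 1
    return word

def generate(base_words, rules):
    """Every rule applied to every base word, deduplicated, order preserved."""
    out, seen = [], set()
    for w in base_words:
        for r in rules:
            c = apply_rule(w, r)
            if c and c not in seen:
                seen.add(c)
                out.append(c)
    return out

def combinator(left, right, sep=""):
    """hashcat -a 1 (combinator attack): every left word joined with every right word."""
    return [a + sep + b for a in left for b in right]

# Constructed OSINT for a hypothetical target: employer, pet name, and a
# year seen in a public profile.
BASE_WORDS = ["Acme", "rex", "acme"]
RULES = [":", "l", "u", "c", "c$1", "c$!", "c$2$0$2$4", "c$1$2$3",
         "se3", "c se3 $1", "r", "d", "c$2$0$2$4$!"]
LABELS = ["2024", "!", "123"]

if __name__ == "__main__":
    for candidate in generate(BASE_WORDS, RULES):
        print(candidate)
    print(combinator(["rex", "Rex"], LABELS))
```

Deduplication matters in practice: OSINT lists often contain the same word in different cases, and a rule such as `l` collapses them, so the generated list is usually far shorter than base words times rules.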

Read More

Overview

In addition to acquiring copies of the SAM database to extract and crack password hashes, we will also benefit from targeting the Local Security Authority Subsystem Service (LSASS).

Upon initial logon, LSASS will:

  • Cache credentials locally in memory
  • Create access tokens
  • Enforce security policies
  • Write to Windows’ security log

Let's cover some of the techniques and tools we can use to dump LSASS memory and extract credentials from a Windows target. Keep in mind that opening LSASS for reading requires administrative rights (SeDebugPrivilege), and that LSA Protection (RunAsPPL) or Credential Guard will block a standard dump or leave it without usable secrets, so check for those before choosing a technique.

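From the defender's side, every one of those dumping techniques has to open a handle to lsass.exe, which Sysmon records as Event ID 10 (ProcessAccess). As an added example (not code from the original post), here is detection logic run over constructed Sysmon ProcessAccess records: it flags any process that opens lsass.exe with a handle including PROCESS_VM_READ (or write/thread-creation rights) unless the source image is on a host baseline. The sample events, the process paths and the ALLOWLIST baseline are assumptions made for this example, not real telemetry.

```python
"""Added example (not code from the original post): LSASS access detection
over constructed Sysmon Event ID 10 records."""
import re

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010      # needed to read credential material out of LSASS
PROCESS_VM_WRITE = 0x0020
DUMP_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE

# Constructed baseline: processes expected to open LSASS on this host.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon ProcessAccess events, one per line.
SAMPLE_EVENTS = r"""
EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\Users\bob\Desktop\procdump64.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\Users\bob\AppData\Local\Temp\mimi.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400
EventID=10 SourceImage=C:\Users\bob\Desktop\procdump64.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1FFFFF
""".strip().splitlines()

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """key=value line -> dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line))

def is_suspicious(evt):
    """LSASS opened with dump-capable rights by a non-baselined process."""
    if evt.get("EventID") != "10":
        return False
    if not evt.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(evt.get("GrantedAccess", "0"), 16)
    # Query-only handles (0x1400, e.g. Task Manager listing processes) are
    # noise; a dumper needs VM_READ (0x1010, 0x1410) or full access (0x1FFFFF).
    if not granted & DUMP_RIGHTS:
        return False
    return evt.get("SourceImage", "").lower() not in ALLOWLIST

def detect(lines):
    """Source images that opened LSASS with dump-capable rights, in order seen."""
    hits = []
    for line in lines:
        evt = parse_event(line)
        if is_suspicious(evt):
            hits.append(evt["SourceImage"])
    return hits

if __name__ == "__main__":
    for image in detect(SAMPLE_EVENTS):
        print("suspicious LSASS access from", image)
```

Testing the access-mask bits rather than a fixed list of known masks keeps the rule robust against tools that request slightly different right combinations; the allowlist is what keeps it quiet, so build it from the host's own baseline rather than copying this one.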
Read More

Overview

DCSync is a technique for stealing the Active Directory password database by abusing the Directory Replication Service Remote Protocol (MS-DRSR), the protocol Domain Controllers use to replicate domain data among themselves. An attacker holding the replication rights on the domain object (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, granted by default to Domain Admins, Enterprise Admins and the DC computer accounts) can mimic a Domain Controller and ask it for user secrets, including NTLM password hashes and Kerberos keys, without ever touching NTDS.dit on the DC itself. Auditing who holds those two rights is therefore the first check to run.
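Because a DCSync is, on the wire, an ordinary replication request, the Domain Controller logs it like one: Security Event ID 4662 on the DC with the replication control-access-right GUIDs in the Properties field. As an added example (not code from the original post), the block below runs that detection over constructed 4662 records. The account names, the DC and service-account allowlists and the events are assumptions made for this example; 4662 only appears if "Audit Directory Service Access" is enabled and the domain object carries a SACL covering these rights.

```python
"""Added example (not code from the original post): DCSync detection over
constructed Windows Security Event ID 4662 records."""
import re

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

# Constructed environment knowledge. DCs are matched by name, not by a trailing
# '$': every computer account ends with '$', so a suffix check alone would let
# a compromised workstation account replicate unnoticed.
DC_ACCOUNTS = {"dc01$", "dc02$"}
ALLOWED_REPLICATION_ACCOUNTS = {"svc_aadconnect"}   # e.g. a directory-sync service account

# Constructed 4662 records flattened to one line each. AccessMask 0x100 is a
# control-access-right check; %%7688 is the "Control Access" property marker.
SAMPLE_EVENTS = r"""
EventID=4662 SubjectUserName=DC02$ AccessMask=0x100 Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe AccessMask=0x100 Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=svc_aadconnect AccessMask=0x100 Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=WS07$ AccessMask=0x100 Properties=%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe AccessMask=0x100 Properties=%%7688 {00000000-0000-0000-0000-000000000000}
""".strip().splitlines()

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """key=value line -> dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line))

def requests_replication(evt):
    """True if the 4662 record exercises any replication control-access right."""
    props = evt.get("Properties", "").lower()
    return evt.get("EventID") == "4662" and any(g in props for g in REPLICATION_GUIDS)

def dcsync_hits(lines):
    """Accounts that requested replication rights and are neither DCs nor allowed."""
    hits = []
    for line in lines:
        evt = parse_event(line)
        if not requests_replication(evt):
            continue
        user = evt.get("SubjectUserName", "")
        if user.lower() in DC_ACCOUNTS or user.lower() in ALLOWED_REPLICATION_ACCOUNTS:
            continue
        hits.append(user)
    return hits

if __name__ == "__main__":
    for account in dcsync_hits(SAMPLE_EVENTS):
        print("possible DCSync by", account)
```

On the network the same activity is visible as DRSUAPI traffic (DsGetNCChanges) from a host that is not a Domain Controller, which is a useful second signal when DC auditing is incomplete.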

Read More
post @ 2025-01-22


Overview

Cicada is an easy Windows Active Directory box. It starts off with enumerating SMB shares to find a new-hire welcome note containing a default password. RID cycling gives a list of usernames, and spraying that password reveals a user who is still using it. With a valid user I can query LDAP to find another user whose password is stored in their description field. That user has access to a share with a dev script used for backups, which contains more creds. Those creds give a shell, and the user is in the Backup Operators group, so I exfiltrate the registry hives and dump the machine hashes.

Read More


Overview

SolarLab begins with an SMB share containing a spreadsheet of usernames and passwords. The website returns distinct error messages for incorrect usernames versus wrong passwords (a username-enumeration flaw); combining that with the username format I worked out, I was able to identify valid credentials.

Once logged in, I leveraged CVE-2023-33733 in the reportlab PDF generation process to achieve Remote Code Execution (RCE) and obtain a shell.

For lateral movement, escalating to the openfire user takes advantage of CVE-2023-32315 in Openfire, an authentication bypass in the admin console, to create an admin user and upload a malicious plugin for RCE.
With this access, I decrypted a password from the Openfire configuration, which turned out to be the administrator's password.

Read More