CVE-2018-5240 – Symantec Management Agent (Altiris) Privilege Escalation

In case you missed it, I found a zero-day vulnerability in Altiris which allows a low-privileged user to elevate privileges to SYSTEM on any host governed by Altiris. For more information on the vulnerability, check out the Nettitude Labs post below. Symantec have released some notes on the vulnerability here:

Service-Perms in Powershell

Updated my Service-Perms.exe to PowerShell; grab a copy here: Usage direct from the Internet within PowerShell: IEX (new-object ""); Get-ServicePerms outputs an HTML

PoshC2 – Powershell C2

A new tool written by @benpturner (me) and @davehardy20! PoshC2 is a proxy-aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework. PowerShell was chosen… Continue reading PoshC2 – Powershell C2

Brute-forcing Microsoft Lync via NTLM

Ok, so there is good reason why Lync should not be accessible over the Internet, similarly to any single-factor system. BRUTE-FORCE will usually prevail!!!! I installed Burp's certificate on my Windows host and attempted to login from Lync (From this I was an HTTP NTLM login request to NTLM like many other services is… Continue reading Brute-forcing Microsoft Lync via NTLM

Parsing Nessus to find Java Remote Class Loading

On every internal pentest I perform I always find myself searching through lots of Nessus findings to actually get the output I want, so I wrote a script. This script is piggybacked off a cool Python class called dotnessus_v2 parser. Basically my script takes a Nessus file as the input and parses the RMI… Continue reading Parsing Nessus to find Java Remote Class Loading

Malicious UNC Paths (SMB) / Bad Egress / No-Split VPN

When attempting social engineering or red teaming engagements I often choose to embed various HTTP/UNC paths inside an attachment, e.g. Word/Excel/PDF. The best thing about embedding this malicious URL is that it does not warn the user of any external content loading. You can also do this directly inside an email but the user will… Continue reading Malicious UNC Paths (SMB) / Bad Egress / No-Split VPN

Using MSSQL NTLM Stealer to Get Highly Privileged Domain Creds

Going from a normal domain user to a highly privileged MSSQL service account can sometimes be pretty easy with the following Metasploit module: auxiliary/admin/mssql/mssql_ntlm_stealer. I have been using this method of escalation when various other methods fail, but also MSSQL databases can often be where the client's personally identifiable information (PII) is held and shows… Continue reading Using MSSQL NTLM Stealer to Get Highly Privileged Domain Creds

Loading A Weaponised Interactive PowerShell Session With Metasploit

A colleague @davehardy20 and I came up with this from an idea I had; it gives an interactive PowerShell session from Metasploit, using newly developed Metasploit payloads. Check out the blog post here for more information – Enjoy