Almond OffSec

A private @Burp_Suite Collaborator instance is an essential for pentesting sensitive environments, but managing TLS for it can be a pain. Today we release a Certbot plugin that automates Let’s Encrypt wildcard certificate renewals for private instances. github.com/AlmondOffSec/c…

Are one-way trusts really one way? @lowercase_drm sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets. offsec.almond.consulting/trust-no-one_a…

Team member @sigabrt9 was able to bypass Apache FOP Postscript escaping to reach GhostScript engine. offsec.almond.consulting/bypassing-apac…

Team member @myst404_ identified a privilege escalation in WAPT caused by a DLL hijacking issue, which was promptly fixed by the vendor. Patched in version 2.6.1. Changelog: #wapt-2-6-1-17705-2026-02-04" target="_blank" rel="nofollow noopener">wapt.fr/fr/doc/wapt-ch…

Publishing github.com/SAERXCIT/LibTP…! It's a generalisation of LibTPLoadLib to proxy APIs with an arbitrary number of args. Provided as a Crystal Palace shared library. API made compatible with @_RastaMouse 's LibTP. Hooks are provided to show off the newest Crystal Palace features

Callstacks are largely used by the Elastic EDR to detect malicious activity. @SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected. Post: offsec.almond.consulting/evading-elasti… PoC: github.com/AlmondOffSec/L…

The Blog post about "Revisiting Cross Session Activation attacks" is now also public. Lateral Movement with code execution in the context of an active session? 😎 Here you go: r-tec.net/r-tec-blog-rev…

Following @ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by @SAERXCIT last year. It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification. github.com/AlmondOffSec/D…

Did you know deleting a file in Wire doesn’t remove it from servers? Team member @myst404_ took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations. offsec.almond.consulting/deleting-file-…

Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post sensepost.com/blog/2025/divi…

To escape a locked-down Citrix environnement, team member @saerxcit wrote a basic shellcode loader in OpenEdge ABL, a 40 years old english-like programming language. We're sharing it in the off chance someone else might one day need it: github.com/AlmondOffSec/O…

This issue was assigned CVE-2024-52531. While the CVE description states that the vulnerability cannot be reached from the network, it seems, in fact, possible (check the blogpost for details).

You can now also follow us on Mastodon : @AlmondOffsec" target="_blank" rel="nofollow noopener">infosec.exchange/@AlmondOffsec

You can now also follow us on Bluesky: bsky.app/profile/almond…

📢 Hunter Alert! Here's an excellent write-up by @sigabrt9 - who recently uncovered a bug in @gnome’s #BugBounty program. Perfect to expand your knowledge about finding bugs in open-source programs 👉 offsec.almond.consulting/using-aflplusp… Thank you @sigabrt9 for this valuable contribution!

Team member @sigabrt9 describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack bug bounty program for Gnome: offsec.almond.consulting/using-aflplusp…

New article on F5! A write-up on CVE-2024-45844, a privilege escalation vulnerability in BIG-IP by team member @myst404_ offsec.almond.consulting/privilege-esca…

If you are lucky enough to have a Windows Server Datacenter with Hyper-V, you can automatically activate @M4yFly 's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We POCed a Vagrant-style script here: github.com/AlmondOffSec/G…

How does F5's Secure Vault, its "super-secure SSL-encrypted storage system" work? Response in this article by team member @myst404_ offsec.almond.consulting/deep-diving-f5…

Got root, what now? Practical post-exploitation steps on an F5 Big-IP appliance, by team members @lowercase_drm and @myst404_ offsec.almond.consulting/post-exploitin…