RedTeam Pentesting

952 posts

RedTeam Pentesting

@RedTeamPT

Official RedTeam Pentesting GmbH account -- Impressum: https://t.co/pS9oK62Lsu

Aachen, Germany Katılım Ocak 2017

174 Takip Edilen8.4K Takipçiler

Sabitlenmiş Tweet

RedTeam Pentesting@RedTeamPT·5 Ara

Wir haben eine Mission: Werde eine*r von uns! 👩‍🚀👨‍🚀 Finde gemeinsam mit uns die Schwachstellen von morgen 🔑 und manchmal auch welche aus längst vergangener Zeit 🗝️ Mehr erfahrt ihr unter jobs.redteam-pentesting.de 🚀 #infosec #cybersecurity #aachen #hiring #ITJobs #Pentesting

Deutsch

RedTeam Pentesting@RedTeamPT·2 Şub

@buck_steffen @0xFunnybananas @Defte_ Before the patch SELF also only had DS-Validated-Write-Computer permissions for msDS-KeyCredentialLink. That was the reason why you could not have more than one KeyCredentialLink per computer account. Only the validation check changed with the update.

English

152

Steffen Buck@buck_steffen·31 Oca

@0xFunnybananas @Defte_ @RedTeamPT As far as I understand the patch, yes. The patch removed the explicit permissions to write to the msDS-KeyCredentialLink attribute for SELF. The computer account still has implicit permissions via DS-Validated-Write-Computer, but has to follow validation rules.

English

264

Aurélien Chalot@Defte_·28 Oca

Anyone know if Microsoft silently patch the Shadow Creds attack recently ? Looks like a computer object cannot write its own attribute anymore :D

English

133

43K

RedTeam Pentesting@RedTeamPT·30 Oca

This is kind of funny because CustomKeyInformation is actually forbidden for validated writes according to Microsoft's specs 🤡 learn.microsoft.com/en-us/openspec…

English

1.4K

RedTeam Pentesting@RedTeamPT·30 Oca

Originally, Microsoft did not enforce their own specs for validated writes at all and only checked if a KeyCredentialLink is already present. Now they require a CustomKeyInformation field with the "MFA Not Required" flag to be present and the last logon timestamp to be absent.

English

1.9K

RedTeam Pentesting@RedTeamPT·30 Oca

🚀Our tool keycred for KeyCredentialLinks and Shadow Credential attacks now works with updated domain controllers again! It turns out, Microsoft violated their own specs. Try it out: github.com/RedTeamPentest…

Aurélien Chalot@Defte_

Anyone know if Microsoft silently patch the Shadow Creds attack recently ? Looks like a computer object cannot write its own attribute anymore :D

English

238

28K

RedTeam Pentesting@RedTeamPT·4 Ara

🚨Nextcloud was vulnerable to XSS in PDF.js (CVE-2024-4367) found by @thomasrinsma at @CodeanIO. Although Nextcloud mitigated the vulnerability in their portal by disabling eval, the viewer.html component of the vulnerable PDF.js was still exposed. redteam-pentesting.de/en/advisories/…

English

1.7K

RedTeam Pentesting@RedTeamPT·28 Kas

🎄Care for some Glühwein and flags? The Haix-la-Chapelle CTF 2025 starts tomorrow! 🍷 @Pwn_la_Chapelle @infosec.exchange/115627727047022848" target="_blank" rel="nofollow noopener">mastodon.social/@Pwn_la_Chapel…

English

896

RedTeam Pentesting@RedTeamPT·27 Kas

@aegixe_team @RHEL @AlmaLinux @rocky_linux Actually, we're talking about 6 CVEs . The patches were published in March and are really simple - mostly clean 1-line diffs like this: bugs.ghostscript.com/attachment.cgi… The easiest way would be for upstream maintainers to just apply these patches and be done with it 😮‍💨

English

RedTeam Pentesting@RedTeamPT·13 Kas

🚨8 months after public disclosure, @RHEL @AlmaLinux @rocky_linux are still vulnerable for a Ghostscript RCE with a reliable public exploit (CVE-2025-27835 and others)! It can be triggered by opening LibreOffice docs or through a server that uses ImageMagick for file conversion!

English

5.9K

RedTeam Pentesting@RedTeamPT·19 Kas

You can find the CTFTime event at ctftime.org/event/2951

English

400

RedTeam Pentesting@RedTeamPT·19 Kas

🔥Only 10 days left until the Haix-la-Chapelle 2025 CTF is starting on November 29! We're sponsoring the prize money for the best writeups and are excited to see your creative solutions. haix-la-chapelle.eu

English

591

RedTeam Pentesting@RedTeamPT·17 Kas

@RedHatSecurity How can we get these Ghostscript RCEs (CVE-2025-27835 and others) that have been public for 8 months fixed in RHEL? We received no response on Bugzilla. x.com/RedTeamPT/stat…

RedTeam Pentesting@RedTeamPT

English

1.8K

RedTeam Pentesting@RedTeamPT·13 Kas

Disclaimer: We did not discover this vulnerability (credits go to zhutyra🎉), we're just wondering why we can still exploit these vulnerabilities in pentests on patched systems 🤷 We received no response on the @RHEL bug tracker: bugzilla.redhat.com/show_bug.cgi?i…

English

675

RedTeam Pentesting@RedTeamPT·13 Kas

This is neither the first, nor the second time that we can't get distros to apply upstream fixes for publicly disclosed RCEs with POCs available in Ghostscript. x.com/RedTeamPT/stat…

RedTeam Pentesting@RedTeamPT

🚨 Another month, another critical Ghostscript RCE, with patches rolling out rather slowly to some distros again 👻😱 #infosec #DeprecateUntrustedPostscript

English

813

RedTeam Pentesting retweetledi

🕳@sekurlsa_pw·4 Eki

Why doesn’t pretender from @RedTeamPT get more love? It’s excellent for relaying.

English

134

9.2K

RedTeam Pentesting@RedTeamPT·20 Ağu

@SpecterOps found out that the EFS service (PetitPotam) can simply be activated by asking the endpoint mapper. Great research!🎓 Now our efsr_spray NetExec module is obsolete, but we're on it: This PR activates the service by default with coerce_plus 🚀 github.com/Pennyw0rth/Net…

SpecterOps@SpecterOps

Hosts running the WebClient service are prime targets for NTLM relay attacks, and it may be possible to start the service remotely as a low-privileged user. @0xthirteen breaks down the service startup mechanics, plus the protocols and technologies. ghst.ly/41QT7GW

English

138

9.5K

RedTeam Pentesting@RedTeamPT·19 Ağu

Check out our Impacket PR that adds SMB signing support (NTLM and Kerberos) to smbserver to allow Windows 11 clients that require signing by default to connect: github.com/fortra/impacke…

English

4.1K

RedTeam Pentesting@RedTeamPT·19 Ağu

Another interesting tidbit was that the share path can contain environment variables, which are expanded by the host. This could reveal system level variables, which could be interesting in some configurations.

English

1.9K

RedTeam Pentesting@RedTeamPT·19 Ağu

👀Turns out MS-EVEN can do a lot more than NULL auth: In addition to leaking environment variables, it is possible to coerce authentication from arbitrary logged on users* 🤯 *If you are willing to trigger Windows Defender.

English

166

19.7K

Keşfet

@buck_steffen @0xFunnybananas @Defte_ @thomasrinsma @CodeanIO @aegixe_team @RHEL @AlmaLinux