Romern

39 posts

Romern

@Romerrn

Katılım Nisan 2020

289 Takip Edilen39 Takipçiler

Romern retweetledi

SafeBreach@safebreach·19 Şub

SafeBreach Labs discovered a critical RCE vulnerability in the MS-EVEN RPC protocol that allowed low-privileged domain users to write arbitrary files and run code on remote Windows 11 and Windows Server 2025 computers in the domain. Get the full breakdown: hubs.ly/Q043PMZ-0

English

7.1K

Romern@Romerrn·30 Oca

@Defte_ @RedTeamPT Did you even read my replies 🥺

English

Aurélien Chalot@Defte_·30 Oca

@RedTeamPT So it's still possible for a computer to add a keycredentiallink to itself ? We only need to modify some flags ? Great work anyway 🥳🥳

English

345

Romern retweetledi

RedTeam Pentesting@RedTeamPT·30 Oca

🚀Our tool keycred for KeyCredentialLinks and Shadow Credential attacks now works with updated domain controllers again! It turns out, Microsoft violated their own specs. Try it out: github.com/RedTeamPentest…

Aurélien Chalot@Defte_

Anyone know if Microsoft silently patch the Shadow Creds attack recently ? Looks like a computer object cannot write its own attribute anymore :D

English

238

28K

Romern@Romerrn·29 Oca

@buck_steffen @Defte_ Als see here: learn.microsoft.com/en-us/openspec…

English

104

Romern@Romerrn·29 Oca

@buck_steffen @Defte_ The writing of keycredentials on self is handled by a validated write, which is still there (even visible in your picture): learn.microsoft.com/en-us/openspec…

English

249

Aurélien Chalot@Defte_·28 Oca

Anyone know if Microsoft silently patch the Shadow Creds attack recently ? Looks like a computer object cannot write its own attribute anymore :D

English

133

43K

Romern@Romerrn·29 Oca

@Defte_ @MGrafnetter From what I looked at yesterday there just weren’t any checks before, except if it parsed at all. I attached the new function and an analysis of it with pyghidra-mcp and Claude haiku at the end of the gist: #file-xclaude_haiku_analysis-md" target="_blank" rel="nofollow noopener">gist.github.com/Romern/69a60b9…

English

128

Aurélien Chalot@Defte_·29 Oca

@MGrafnetter Alright so they probably modified who's able to write that attribute I'd say... Pywhisker does work with a domain admin so that's the only thing I can think of

English

1.5K

Romern@Romerrn·29 Oca

@Defte_ @MGrafnetter WRITE_PROPS on keycredentials on a server 2025 (retrieved using bloodyAD --resolve-sd):

English

114

Romern@Romerrn·29 Oca

@Defte_ @MGrafnetter Note that most administrator groups (at a glance at least Key Admins, Enterprise Key Admins and Administrators) have WRITE_PROP privileges on that attribute, so in that case there is no validation.

English

204

Romern@Romerrn·28 Oca

@Defte_ Here is a Diff for the working and non working version, it seems like they added a new function for checking if a keycredential is valid: gist.github.com/Romern/69a60b9…

English

1.6K

Romern@Romerrn·28 Oca

@Defte_ I just installed a clean version of Server 2022 (20348.169), setup it up as a DC, and tried to create a keycredential. That worked. Than I installed the latest cumulative update (KB5073457) and now it does not work anymore. So it seems to be a recent change.

English

2.5K

Romern@Romerrn·20 Oca

@Defte_ Could you increase the SMB timeout to show the error message or show it in wireshark ?

English

417

Aurélien Chalot@Defte_·20 Oca

Anyone know wtf is happening ? Authenticating via NTLM on DC2025 seems a bit broken while working completely fine with Kerberos:

English

7.3K

Romern@Romerrn·8 Ara

We just released my writeup for my first CTF challenge I ever created, "Ghostbusters" for Haix-La-Chapelle 2025 CTF. it involves some cool techniques for exploiting Ghostscript and PDF/PostScript file type confusion. pwn-la-chapelle.eu/posts/hlc2025_…

English

100

Romern retweetledi

RedTeam Pentesting@RedTeamPT·28 Kas

🎄Care for some Glühwein and flags? The Haix-la-Chapelle CTF 2025 starts tomorrow! 🍷 @Pwn_la_Chapelle @infosec.exchange/115627727047022848" target="_blank" rel="nofollow noopener">mastodon.social/@Pwn_la_Chapel…

English

896

Romern retweetledi

RedTeam Pentesting@RedTeamPT·19 Kas

🔥Only 10 days left until the Haix-la-Chapelle 2025 CTF is starting on November 29! We're sponsoring the prize money for the best writeups and are excited to see your creative solutions. haix-la-chapelle.eu

English

591

Romern@Romerrn·4 Eyl

@userlolxxl @KulinskiArkadi So this hasn’t anything to do with Ghostscript or am I wrong?

English

userlolxxl@userlolxxl·4 Eyl

@Romerrn @KulinskiArkadi Download here giac.org/paper/gdat/578… and go to the page 18 "A second example is the lkpfye.exe file, which VirusTotal says communicates with ilo[.]brenz[.]pl at IP 148[.]81[.]111[.]12 ... (I renamed the PDF as you can read in in the path of the file that was found in app/temp

English

100

userlolxxl@userlolxxl·3 Eyl

hmm:)spy>> ghostscript ran in the background - I found tmp pointing to "ILO-BRENZ-PL_all-seeing-eye-sauron-powershell-tool-data-collection-threat-hunting_578.pdf" related with Copy of ilo brenz pl >>> wget-ilo.exe virustotal.com/graph/embed/g4… cc:@KulinskiArkadi

English

933

Romern@Romerrn·3 Ağu

@Chocapikk_ Good find, reminds me of this:

RedTeam Pentesting@RedTeamPT

One of our pentesters recently got a new D-Link DAP-X1860 repeater, which they couldn't setup. This was caused by a neighbor's Wi-Fi containing a single tick in their Wi-Fi name ("Olaf's WiFi"), resulting in the following error while scanning for access points:

English

157

Chocapikk@Chocapikk_·3 Ağu

When a Wi-Fi SSID Gives You Root on an MT02 Repeater chocapikk.com/posts/2025/whe…

English

2.8K

Romern@Romerrn·30 Haz

@nmatt0 I messed with that last month too, I got into the Android Browser through a link in Mini Metro. However the Android Settings were locked down, so accessing the local network was all I could achieve (no internet), and it was right at the end of the flight 😅

English

191

Matt Brown@nmatt0·30 Haz

Kiosk escape is so close

Deutsch

2.6K

Romern@Romerrn·12 Haz

@jeffmcjunkin @RedTeamPT That's only outbound (SMB client) though, not inbound (SMB server), right?

English

Jeff McJunkin@jeffmcjunkin·11 Haz

@RedTeamPT Great paper and blog post! Minor nit: > SMB relaying is possible unless server-side SMB signing is enforced. [...] on servers it is only enforced by default on domain controllers. SMB signing is enabled by default in Server 2025 now: learn.microsoft.com/en-us/windows-…

English

140

RedTeam Pentesting@RedTeamPT·11 Haz

🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live: 🪞 The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos: blog.redteam-pentesting.de/2025/reflectiv…

English

174

424

38.6K

Romern@Romerrn·18 Mar

@theluemmel x.com/synacktiv/stat…

Synacktiv@Synacktiv

In our latest article, @croco_byte and @SScaum demonstrate a trick allowing to make Windows SMB clients fall back to WebDav HTTP authentication, enhancing the NTLM and Kerberos relaying capabilities of multicast poisoning attacks! synacktiv.com/publications/t…

QME

214

LuemmelSec@theluemmel·18 Mar

There was a post lately about SMB errorcodes being sent which resulted in Webdav being used as fallback plus a PR for impacket that implements this? Can't find it anymore...

English

4.3K

Keşfet

@Defte_ @RedTeamPT @buck_steffen @MGrafnetter @userlolxxl @KulinskiArkadi @elonmusk @BarackObama