Cube0x0
@cube0x0
Followers
11,307
Following
515
Media
55
Statuses
1,337
Explore trending content on Musk Viewer
#خلصوا_صفقات_الهلال1
• 1139791 Tweets
Brazil
• 610085 Tweets
Elon Musk
• 581180 Tweets
Alexandre de Moraes
• 435119 Tweets
ラピュタ
• 418393 Tweets
Atatürk
• 410706 Tweets
Johnny
• 246468 Tweets
Gaudreau
• 179388 Tweets
Xandão
• 132149 Tweets
Sterling
• 122453 Tweets
olivia
• 120452 Tweets
Napoli
• 110947 Tweets
Bluesky
• 84763 Tweets
Lyon
• 67813 Tweets
Adeus Twitter
• 64631 Tweets
Labor Day
• 57186 Tweets
كاس العالم
• 52398 Tweets
Arteta
• 40473 Tweets
Nelson
• 38023 Tweets
#قفلوا_احتياجات_النصر
• 38007 Tweets
Javier Acosta
• 30221 Tweets
Strasbourg
• 26687 Tweets
Tadic
• 23327 Tweets
Scott McTominay
• 23239 Tweets
Multa de 50
• 22338 Tweets
Dzeko
• 19063 Tweets
#FBvALY
• 17848 Tweets
Lolla
• 16893 Tweets
Derrubaram o X
• 15492 Tweets
Kenya Power
• 14421 Tweets
Fatih Tekke
• 11568 Tweets
Alanya
• 10849 Tweets
VPNs
• 10351 Tweets
Over a year ago, I left my position at WithSecure to start a new journey, create something new, and do my own thing. Today, I'm excited to publicly announce what I've been working on all this time.
Introducing 0xC2, a cross-platform C2 framework targeting Windows, Linux, and
61
253
1K
When you spend 2-months of your private time writing a full-featured C2 framework including C++ GUI, Backend, and a C++ PIC agent with custom functions only to end up clueless about what to do with it
67
162
1K
Scanner and automated exploitation of the CVE-2021-42287/CVE-2021-42278.
Yet another low effort domain user to domain admin exploit
5
456
1K
Let me introduce you to KrbRelay, the only public tool for relaying Kerberos tickets and the only relaying framework written in C#.
No-fix LPE + No-fix Cross-Session, VDI deployments has never been more broken.
Demo at Images/demo.mp4 !
16
450
1K
Impacket implementation of CVE-2021-1675 🔥
12
314
684
Elevate to SYSTEM from a Service Account with Impersonate privileges by only using C# code and the built-in RPC runtime!
Great research from
@tiraniddo
1
257
668
Took a break from the LSASS parser project to create a PoC in C# for CVE-2021-36934 aka
#HiveNightmare
/
#SeriousSam
with a built-in hive parser
8
217
591
now with more potato.
Locally trigger system or cross-session user authentication
2
198
560
LocalPoato
SMB relaying client ✅
ADCS relaying client✅
LDAP relaying client✅
RPC over SMB relaying client✅
All in C# 😏
6
117
544
C# LPE implementation released
CVE-2021-1675 and execute-assembly goes bbrrrrrrrr
5
181
416
2
145
403
A new blog post about relaying YubiKeys is up and tools have been uploaded to GitHub!
This would not have been possible without the previous work of
@_EthicalChaos_
so big thanks to him
4
175
370
I'll be taking a break from C# dev and focus on C2 and malware dev instead for a while.
First up is Kerberoasting BOF
5
95
338
I'll start adding NTLM support to KrbRelay
RemotePotato0 like with a local capture server for all OS versions
5
90
300
Soon back to the C# potato development
Recently did a pentest where I got Domain Admin by stealing cross-session hashes with SharpDcomTrigger inside of a Citrix deployment.
Next time will go smoother with a local capture server :)
3
70
294
🔥 Tool release 🔥
Sharpen version of CrackMapExec with new cool and modern features
3
119
289
BOF and PIC project for full DLL unhooking using dynamic syscalls.
4
106
280
Boring Sunday so decided to port Windows RPC protocols to C# using MIDL
4
110
263
NTLMv1 downgrade on computers that are members of Domain Controllers or Domain Admins is a gift that keeps coming even in 2022
5
31
214
Parsing all of your credentials from a 3MB lsass dump. MiniDumpWriteDump no more
1
54
206
Start writing functions in assembly they said, it will be fun they said
5
14
192
C# version of
@MDSecLabs
's ParallelSyscalls
Thanks
@peterwintrsmith
for sharing this technique
2
83
197
exploit POC for CVE-2020-1472 (Zerologon: instantly become domain admin by subverting Netlogon cryptography)
1
78
181
SharpMapExec update
* 2 new providers, Cim(new WMI) and Reg32. can be used to enable winrm, disable mitigations and logging
* MiniDump update, now with more credentials
* System and delegwalk opsec improvements, uses npipe for command input on the remote process
0
51
162
@bugch3ck
PrintNightmare uses the MS-RPRN RpcAddPrinterDriverEx function while SharpPrintNightmare uses the Win32 AddPrinterDriverEx function and they both operate in a different way. With the Win32 API we can add drivers as domain users to servers that we couldn't do with MS-RPRN
6
29
135
This MS patch also effects krbrelay. It looks like we had our fun with rpc->ldap
After 18 months
#RemotePotato0
has been silently fixed 🥳
The downgrade attack performed in the ResolveOxid2 response (part of DCOM activation) does not work anymore and with the October 22 patch the client always authenticates with level INTEGRITY during the IRemUnkown bind
4
84
248
3
46
137
When people asks you if they could get beta access to your c2, nice try blue team
5
11
130
C# tooling in the works
Parse LSASS process dumps directly with execute-assembly etc
2
26
127
I've been asked by a few people to open up a GitHub Sponsors page and it just got approved so here it comes.
I do not really have any expectations
4
24
113
Instead of adding host recon modules to the SharpMapExec source code, I'll be uploading them to a separate repo which can later be executed with the SME /m:assembly function
1
33
94
The PoC will now find the file dynamically :D
@cube0x0
Nice work! For anyone running into ERROR_FILE_NOT_FOUND issues, note that the script currently uses a hard coded pDriverPath which may be different between systems (line 42 in the *.py). Update this and it works.
4
2
22
2
25
82
The KrbRelayUp attack tool allows local privilege escalation on hybrid joined devices with on-premises domain controllers. Read our blog to understand the KrbRelayUp attack flow and to get mitigation and protection guidance:
2
123
289
2
17
77
SharpMapExec update
* Minor logic improvements
* /system now gives stdout/stderr and disables AMSI
* /delegwalk executes in a delegated process context sorted by unique users (useful for shared workstations/servers)
* /comsvcs automatically parses LSASS
1
21
67
Quick testing from me and
@filip_dragovic
* NoWarningNoElevationOnInstall can be set to 0
* Authenticated users do not need to be in Pre-Windows 2000 Compatible Access group
5
2
50
- Visual Studio
Some of my fav offensive tools in no particular order:
- Empire
- Badrats
- CrackMapExec
- Impacket
- Metasploit
- MimiKatz
- BloodHound
- Evil-WinRM
- SharPersist
- PwnCat (CalebStewart version)
- gobuster
- Responder
- PowerShell
- Hashcat
- SQLMap
- Dehashed
What are yours?
40
120
696
1
2
44
As domain users, we can use OpenRemoteBaseKey to enumerate print drivers on any member/dc server.
Manually specifying pDriverPath is no longer required
1
6
41
Thanks again to
@tiraniddo
for publishing his research on this,
@decoder_it
and
@splinter_code
for their work on all the potato's, and shoutout to
@_EthicalChaos_
for being there to ball ideas with 😄
1
2
31
check out this presentation on lateral movement by my F-Secure colleague
For those who care, I uploaded the slides of my talk on lateral movement that I gave at TROOPERS this year:
3
165
485
1
5
33
🔥
POC for
#SilverPotato
utilizing Kerberos relay vs SMB ;) Starting from
@cube0x0
great krbrelay tool with extra layer of complexity to get the SilverPotato beast working.. Still in the rough but will publish soon :-)
4
78
297
0
6
32
Probably the hardest machine released on htb. Enjoy
Persistent LOVE for
#HTB
? 💚 APT
#Insane
#Windows
Machine created by
@cube0x0
will go live 31 October 2020 at 19:00:00 UTC. Fuse will be retired! You still have time to hack your way in at:
#HackTheBox
#CyberSecurity
#CyberSecurityTraining
#Pentesting
4
18
108
1
1
24
@ippsec
Thank you!
Much of the fundamentals that you can expect also apply for the nix agents, proxy, pivoting, execution of object files in memory, modularity, etc..
Almost all enterprise Linux machines are servers that lower the built-in features needed/wanted.
Mac is a different
0
0
22
@XTeamWing
Other than the things shown in the picture it has support for Malleable profile. It's PIC so you can convert it directly to shellcode so no need for an RL, and the size for the full-featured agent is 40kb. Mostly no imports or from ntdll
2
0
21
First of many
Time to get reel...AGAIN! 🎣 Reel2
#Hard
#Windows
Machine created by cube0x0 will go live 3 October 2020 at 19:00:00 UTC. Blackfield will be retired! You still have time to hack your way in at: 😉
#HackTheBox
#CyberSecurity
#Pentesting
2
20
84
1
2
20
@MarcOverIP
A task on the DC that runs invoke-command with CredSSP auth is all you need.
If you need to run code as an logged in unprivileged user(signed in w autologon) you can creata a custom scheduled task and delete it after execution
1
1
21
🔥
Another weekend or so left and lsarelayx should be at least ready for lab testing. In the meantime checkout the latest feature. Kerberos -> NTLM downgrade, so even clients attempting to connect with Kerberos will be forced to use NTLM.
4
91
314
0
5
19
2
2
18
@_xpn_
For research and development;
Problem analysis and researching every single potential solution to the problem on my own. Exploring new ideas or things without a clear vision where it's going to end
pentesting;
hackthebox or configure my own lab environment with vulnerabilities
0
1
17
@ShitSecure
It could be, or just because of a 4-hour sleeping schedule and 5 weeks of vacation 🙈
1
0
15
I cannot recommend
@over_simplified
's youtube channel enough
This guy is a genius in creating history related entertaining videos
1
1
15
Just to clarify. For LAPS the marshalling of the com object in done cross session and for RBCD the marshalling is done in SYSTEM
0
1
13
Default answer
- The amount of bad AD configurations and practices that I've seen would give you nightmares
Me trying to socialize: “so uh you ever heard of Active Directory?”
52
171
2K
1
4
13
@Jean_Maes_1994
@Geiseric4
@splinter_code
There are a few reg hives that any authenticated user can read.
This is how we got the print driver path for the non-python print nightmare exploits
1
0
10
Based
0
1
9
@GossiTheDog
yes you can both trigger SYSTEM authentications and run a COM relaying server without any admin privileges :)
0
1
8
What option would you prefer your goto C2 to be distributed like?
Closed-Source
51
Public Open-Source
93
Private Open-Source
97
Show results
88
5
1
8
@qtc_de
tbh security keys needs criticism because people thinks its a holy grail. I would take 2fa code on signal or sms over security key any day, it's way more practical and you'll get a notice if anyone tries to login using your credentials, and you can secure your phone if you want
2
1
7