Overview
Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker induces a server to make requests on their behalf. By exploiting this vulnerability, an attacker may be able to:
- Access internal services
- Leak cloud metadata
- Read local files on the server
- Perform network discovery and port scanning
Below, I'll share top-tier free resources and guides to help you understand SSRF better.
Read More

Overview
Have you ever been in an engagement or CTF where you finally find a Groovy script console, and then discover that outbound connections are blocked? Or that you can't get tools onto the target using the built-in upload methods?
Over the next few minutes I'll show a practical, repeatable approach for turning a Groovy console into a persistent, multithreaded JSP bind shell that lives in the webroot, and how to transfer binary tools via base64 encoding (both small and large files). This guide serves as a proof of concept: the shell presented here is not hardened enough for OPSEC, but it is a starting point for you to build upon.
Read More

Overview
In this post, we dive into CVE-2025-32463, a recently disclosed vulnerability in Sudo's -R (--chroot) option that allows local privilege escalation by abusing chroot in combination with the way nsswitch resolves system resources. Discovered by Rich Mirch, this flaw makes it possible for an attacker to trick sudo into loading an arbitrary shared library by creating an /etc/nsswitch.conf file under the user-specified root directory.
Read More

Overview
Python ships with a standard library whose many modules are available in any default installation. These modules provide ready-made solutions that would otherwise have to be laboriously implemented in our own programs. There are many ways in which a Python library can be abused for privilege escalation, and much depends on the script itself and its contents. However, there are three basic weaknesses through which library hijacking can be used to PrivEsc.
Read More

Overview
NoPAC is a privilege escalation vulnerability in Active Directory environments that allows an authenticated low-privileged user to impersonate any user, including Domain Admins.
This vulnerability encompasses two CVEs, CVE-2021-42278 and CVE-2021-42287, allowing intra-domain privilege escalation from any standard domain user to Domain Admin level access in a single command. Here is a quick breakdown of what each CVE contributes to this vulnerability.
| CVE | Description |
| --- | --- |
| CVE-2021-42278 | A bypass vulnerability in the Security Account Manager (SAM). |
| CVE-2021-42287 | A vulnerability in the Kerberos Privilege Attribute Certificate (PAC) in AD DS. |
Read More

Overview
This post highlights the power of custom wordlists. Instead of relying on generic, multi-gigabyte wordlists, we will perform a targeted attack. The strategy is to use Open Source Intelligence (OSINT) to create a custom wordlist and ruleset tailored specifically to our target.
We can use Hashcat to combine lists of potential names and labels with specific mutation rules to generate these custom wordlists.
Read More
Overview
In addition to acquiring copies of the SAM database to extract and crack password hashes, we will also benefit from targeting the Local Security Authority Subsystem Service (LSASS).
Upon initial logon, LSASS will:
- Cache credentials locally in memory
- Create access tokens
- Enforce security policies
- Write to Windows’ security log
Let’s cover some of the techniques and tools we can use to dump LSASS memory and extract credentials from a target running Windows.
Read More

Overview
DCSync is a technique for stealing the Active Directory password database by using the built-in Directory Replication Service Remote Protocol, which Domain Controllers use to replicate domain data among themselves. It allows an attacker to mimic a Domain Controller and request user NTLM password hashes.
Read More

Overview
SolarLab begins with an SMB share containing a spreadsheet of usernames and passwords. By exploiting a website that displays distinct error messages for incorrect usernames versus wrong passwords, combined with analyzing the username format, I was able to identify valid credentials.
Once logged in, I leveraged CVE-2023-33733 in the reportlab PDF generation process to achieve Remote Code Execution (RCE) and obtain a shell.
For lateral movement, to escalate privileges to the openfire user, the method takes advantage of CVE-2023-32315 in OpenFire to create a user and upload a malicious plugin for RCE.
With this access, I decrypted a password from the OpenFire configuration, which served as the administrator's password.
Read More