Press "Enter" to skip to content

harmj0y Posts

PowerUp

On a recent assessment we ran into a situation where we needed to escalate privileges on a fairly locked down workstation. Kernel exploits (kitrap0d) wouldn’t work, so we fell back to an old classic, vulnerable windows services. While we couldn’t manipulate services directly, a custom system service purposely left its binary privileges open for compatibility purposes. tldr; replacing the service binary path with a custom binary (that created a user and added them to the local administrators) and then rebooting the box did the job nicely. Our process was more or less manual: reviewing all currently running Windows services and…

Cracking the Perimeter (CTP) and OSCE review

Exactly a year ago I went through the Offensive Security Certified Professional (OSCP) exam, the 24 hour capstone to the comprehensive and awesome Penetesting with Backtrack (now Pentesting with Kali Linux) training offered by the guys Offensive Security. I can’t say enough good things about that set of training and the exam itself; it’s a de facto requirement at my company that technical testers get their OSCP. A few months ago, I completed the follow-up training course, Cracking the Perimeter, and just finished the exam this past weekend. The OSCE functions as an ‘intermediate’ certification in between the OSCP and…