All Posts

  • Simulating Scattered Spider

    Recently Scattered Spider (G1015) have been gathering attention from a range of attacks against UK retail, namely attacks against Marks and Spencer, Harrods and Co-Op. These have led to extensive service disruption, with some firms being able to limit the impacts caused more than others. This…

  • UK Legal Considerations For Red Teamers

    Strap in for a thrilling ride of legal terms and jargon! Legal stuff is certainly not the reason most red teamers perform assessments, but it is a vital part of the role. I’ve wanted to learn more about the actual legal requirements behind we do certain…

  • CBEST Testing Approach Summarised

    Overview The CBEST process is the regulated approach taken to the routine testing of financial institutions with a suitable presence within the UK. It is now a mature process which makes it a useful guide for basing non-regulated red teaming operations on. For example, aligning any…

  • One Time Phishing Links With Caddy & AWS SES

    One Time Phishing Links With Caddy & AWS SES

    Caddy has long caught my attention as a much nicer alternative to Apache or Nginx which has been widely used by red teams over the years. As a bit of a project to learn more about Caddy and GoPhish, I wanted to try and combine the…

  • Deez WORDS – An Intro To C++

    Deez WORDS – An Intro To C++

    When I first started learning C++, I found a lot of the terms hard to pick up after using C# and Python for so long. Given some of the conventions are not all that visible, I figured it would be handy to pull them together into…

  • Grow Your Own SCCM Lab!

    Grow Your Own SCCM Lab!

    The offensive usage of SCCM has become a big topic in recent months and years. In this article, I will cover the basics of SCCM and how to configure an SCCM lab from scratch. I also have another article which shows the currently known attack vectors…

  • Offensive SCCM Summary

    Offensive SCCM Summary

    This article aims to summarise the currently available tooling (August 2023), as well as the attack vectors which are present. My previous article covers the basics of SCCM and how to configure an SCCM lab from scratch. In summary, I believe the SCCM attack surface is…

  • BloodHound & Cypher Language

    BloodHound & Cypher Language

    A look at the more complex features of BloodHound’s Cypher query language, with several examples of how it can be used to audit an environment.

  • BloodHound Basics

    BloodHound Basics

    A quick primer on the basics of BloodHound, the well-known Active Directory auditing tool

  • Diagrams: Timelines

    Diagrams: Timelines

    Ever wanted to make better diagrams and timelines for your red team reports? I will cover some ideas on how to better structure them.

  • Attacking Password Managers: LastPass

    Attacking Password Managers: LastPass

    A look into how browser based password managers such as LastPass can be attacked via various methods.

  • Attacking Password Managers: KeePass

    Attacking Password Managers: KeePass

    A look into how client based password managers such as KeePass can be attacked via various methods.

  • Shodan 201: Rummaging Around The Internet

    Shodan 201: Rummaging Around The Internet

    Some tips and tricks for how to use Shodan and its powerful filters to accurately query the internet!

  • Hack The Boo

    Hack The Boo

    Hack The Boo was a Halloween themed CTF from Hack The Box. I could only dedicate a few hours to this, but still managed to solve 3 machines. Below is a quick writeup on the machines I did: Evaluation Deck First off, I downloaded the supplied…

  • RedTeamNotes: Combining Notes & Graphs!

    RedTeamNotes: Combining Notes & Graphs!

    A quick look at a notetaking application I build whilst doing CRTO as a means of representing my notes in a directed graph to aid with red teaming

  • SharpRDPHijack: RDP Session Hijacking

    SharpRDPHijack: RDP Session Hijacking

    A look at RDP session hijacking using SharpRDPHijack, Mimikatz and TSCon. This technique allows us to interact with disconnected RDP sessions.

  • Digging Into Mimikatz’s lsadump And sekurlsa

    Digging Into Mimikatz’s lsadump And sekurlsa

    Mimikatz is a tool which has always surprised me with how many functions and features it has. In this post I dig into the lsadump and sekurlsa functions to see what all of the modules do.

  • OffSecOps: Using Jenkins For Red Team Tooling

    OffSecOps: Using Jenkins For Red Team Tooling

    A quick look at how Jenkins can be used to automatically build payloads and tooling, based on the OffSecOps talk by Harmj0y.

  • Certified Red Team Operator (CRTO) Review

    Certified Red Team Operator (CRTO) Review

    A review of the Certified Red Team Operator (CRTO) exam by RastaMouse

  • HTB Christmas CTF – Toy Workshop

    HTB Christmas CTF – Toy Workshop

    Overview Toy Workshop was a 1 star rated ‘Web’ challenge from the HackTheBox “Cyber Santa is Coming to Town” CTF. This was an interesting challenge, with the flag coming from a blind stored-XSS which led to the leakage of the flag from a cookie value in…

  • AD CS – The ‘Certified Pre-Owned’ Attacks

    AD CS – The ‘Certified Pre-Owned’ Attacks

    A look at abusing digital certificates, leveraging ADCS. Featuring the famous THEFT5, ESC1 and ESC8 attacks found by SpecterOps

  • AD CS – What Can Be Misconfigured?

    AD CS – What Can Be Misconfigured?

    Introduction The aim of this post is to go into more detail on the attacks described within the excellent ‘Certified Pre-Owned’ blog post & whitepaper produced by SpecterOps. This post will show how to configure a test environment which is vulnerable to the attacks they describe.…

  • AD CS – The Basics

    AD CS – The Basics

    Delving into the basics of digital certificates within an Windows environment, better known as ADCS. Covering concepts as CSRs, EKUs and SANs

  • HackTheBox ScriptKiddie Walkthough

    HackTheBox ScriptKiddie Walkthough

    ScriptKiddie was an Easy rated Linux machine, which involved exploiting a vulnerability within MetaSploit, then gaining access to the pwn user and abusing a sudo misconfiguration. Getting A Shell Reconnisance Initial nMap scans showed a very simple box, with just SSH and port 5000 open. I…

  • My OSCP Exam Experience & Tips

    My OSCP Exam Experience & Tips

    Here is a write up of my OSCP exam experience – from studying through to passing the exam. Overall, it was a worthwhile experience and I would recommend it to anyone interested in infosec! TL:DR Practise! IMO, the OSCP exam manual is too large and not…