🚨 The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos.
Yesterday, Microsoft patched the vulnerability we discovered, so we can now share the details:
https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
👀 We have also released a paper which really goes into the nitty-gritty for those who are interested 🕵️♀️:
https://www.redteam-pentesting.de/publications/202 ...
It is finally time for a new blog post! Join us on our deep dive into Windows Authentication Coercion and its current state in 2025, including some brand-new tooling:
https://blog.redteam-pentesting.de/2025/windows-coercion/
We also released an cross-platform implementation of WSPCoerce in Python, which should work against all Windows clients:
https://github.com/RedTeamPentesting/wspcoerce
And this is our pull request to NetExec which adds efsr_spray which can re-enable EFSR/PetitPotam on up-to-...
We discovered a PHP application that uses eval(), what could go wrong? 🤔
Today we can tell the story of how we achieved RCE (despite heavy filtering):
🚀 Back to School - Exploiting a Remote Code Execution Vulnerability in Moodle
https://blog.redteam-pentesting.de/2024/moodle-rce/
Last year, we discovered how we could access all data in a Bitwarden vault protected by biometrics via Windows Hello on a domain-joined machine without using passwords: https://blog.redteam-pentesting.de/2024/bitwarden-heist/
Incidentally, the issue was independently discovered by another researcher, but we only learned that after reporting it to Bitwarden. The issue is corrected now, for details head over to the blog post!
🚀 We just published our new blog post:
Better dSAFER than Sorry - An Attacker's Overview of Ghostscript 👻👻
Learn about exploiting Ghostscript from the fundamentals to the most recent vulnerabilities CVE-2023-36664 and CVE-2023-43115 🔥
https://blog.redteam-pentesting.de/2023/ghostscript-overview/
🚨 New Advisory: RWS WorldServer 🚨
https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
The vulnerability allows to feasibly enumerate session tokens. While it was fixed by the vendor prior reporting, no concrete information is publicly available that this critical issue was fixed in v11.8.0.
#infosec
🌪️🌧️ Our HTTP fuzzer monsoon just received a huge update 🚀
Learn more about the new features and improvements such as multi-parameter fuzzing and the overhauled test command in our latest blog post 🥳
https://blog.redteam-pentesting.de/2023/monsoon-next-level/
We participated again at the traditional Lousberglauf 2023 in Aachen 🏃🏃🏃
After mastering the steep ascent ⛰️ we awarded ourselves with delicious pizza 🍕
See you at the next race 🚀
🚀 We've just dropped a new blog post: Storing Passwords - A Journey of Common Pitfalls 🥳
We outline common misconceptions about security concepts in the field of password hashing using STARFACE PBX as an example 🔑 ☎️
https://blog.redteam-pentesting.de/2023/storing-passwords/
#infosec #pentesting
This is an odd one: new advisory released for STARFACE PBX devices, which allow logging into the web interface and the REST API not only with the password, but with the password hash as well. 🤔
https://www.redteam-pentesting.de/advisories/rt-sa-2022-004/