Earlier this year, an intriguing admin-to-kernel technique was published by @floesen_ in the form of a proof-of-concept (PoC) on GitHub. The author mentioned a strong limitation involving LSASS and Server Silos, without providing much details about it. This piqued our interest, so we decided to give it a second look…
Continue reading Exploiting KsecDD through Server SilosYear: 2024
Privilege escalation through TPM Sniffing when BitLocker PIN is enabled
This blog post offers additional insights following the presentation delivered at the Swiss Cyber Storm conference in Bern on October 22, 2024.
Continue reading Privilege escalation through TPM Sniffing when BitLocker PIN is enabledGetting code execution on Veeam through CVE-2023-27532
While several blog posts have shown how to retrieve credentials through this vulnerability, we decided to dig deeper and see whether it was possible to execute arbitrary code through this issue.
Continue reading Getting code execution on Veeam through CVE-2023-27532Ghost in the PPL Part 3: LSASS Memory Dump
Following my failed attempt to achieve arbitrary code execution within a protected LSASS process using the BYOVDLL technique and an N-day exploit in the KeyIso service, I took a step back, and reconsidered my life choices opted for a less ambitious solution: a (not so) simple memory dump. After all, when it comes to LSASS, we are mostly interested in extracting credentials stored in memory.
Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
In the previous part, I showed how a technique called “Bring Your Own Vulnerable DLL” (BYOVDLL) could be used to reintroduce known vulnerabilities in LSASS, even when it’s protected. In this second part, I’m going to discuss the strategies I considered and explored to improve my proof-of-concept, and hopefully achieve arbitrary code execution.
Continue reading Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASSGhost in the PPL Part 1: BYOVDLL
In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. I will also detail the biggest challenges I faced while developing a proof-of-concept, and discuss some novel techniques and tricks to load an arbitrary DLL in LSASS, or even dump its memory.
Continue reading Ghost in the PPL Part 1: BYOVDLLInsomni’hack 2024 – Bash to the Future writeup
The Challenge
You have been contracted to help COPERNIC Inc spot the light on a potential compromise. It seems that one of their scientists has been spied through a 20 years old malware… And fortunately, Zeus was on your side since the 4 Gb snapshot was carried out at the best possible time to facilitate your analysis.
Continue reading Insomni’hack 2024 – Bash to the Future writeup