Looking Back: Hacking and Defending Windows Public Key Infrastructure (ADCS)

I live at the fringes of the cybersecurity community. I have never attended infosec conferences. There will be a talk on PKI hacking at Blackhat 2021 soon: Top AD offensive security gurus are presenting comprehensive research on abusing ADCS (Active Directory Certificate Services). I only know about that because I noticed backlinks from their article …

Injecting an EFS Recovery Agent – and Let the Virus Scanner Help You!

How can you read files encrypted with Windows's Encrypting File System if you have access neither to the owner's encryption certificate and key nor to those of a legit data recovery agent (DRA) ... but you are a local administrator? This work is still inspired by the hackthebox machine Helpline. You were able to …

Parse Certificates Stored in the Windows Registry

You can parse the binary blobs that represent certificates stored in the Windows registry correctly with certutil, even when the Windows Explorer / GUI tells you that this is not a certificate. certutil seems to be able to handle / ignore metadata better. Once upon a time I played with the machine Ethereal provided by …

Locating Domain Controllers and Spoofing Active Directory DNS Servers

Last year, hackthebox let me test something I have always found fascinating - and scary: You can impersonate any user in a Windows Active Directory Forest if you have control over the certificate templates of an AD-integrated Windows Public Key Infrastructure: Add extended key usages for smartcard logon to the template, enroll for the certificate, …

Helpline @ hackthebox: Injecting an EFS Recovery Agent to Read Encrypted Files

Another great machine has been retired on hackthebox.eu - Helpline by @egre55! Here is my 'silly' unintended way to root the box: You can get both the encrypted user and root flag via the cumbersome web RCE alone - if you wait for a legit user to just look at the file. This is unlikely …

Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin!

My writeup - how to pwn my favorite box on hackthebox.eu, using a (supposedly) unintended path. Sizzle - created by @mrb3n813 and @lkys37en - was the first box on HTB that had my favorite Windows Server Role - the Windows Public Key Infrastructure / Certification Authority. This CA allows a low-privileged user - amanda - …

Simple Ping Sweep, Port Scan, and Getting Output from Blind Remote Command Execution

Just dumping some quick and dirty one-liners! These are commands I used to explore locked-down Windows and Linux machines, using bash or PowerShell when no other binaries were available or could be transferred to the boxes easily. Trying to ping all hosts in a subnet (Linux): for i in $(seq 1 254); do host=192.168.0.$i; …

Echo Unreadable Hex Characters in Windows: forfiles

How to transfer small files to a locked-down Windows machine? When there is no option to copy, ftp, or http GET a file. When PowerShell is blocked so that you can only use Windows cmd commands? My first choice would be to use certutil: certutil is a built-in tool for certificate and PKI management. It …

Ethereal @ hackthebox: Certificate-Related Rabbit Holes

This post is related to the 'insanely' difficult hackthebox machine Ethereal (created by egre55 and MinatoTW) that was recently retired. Beware - it is not at all a full comprehensive write-up! I zoom in on openssl, X.509 certificates, signing stuff, and related unnecessary rabbit holes that were particularly interesting to me - as somebody who …

Hacking

I am joining the ranks of self-proclaimed productivity experts: Do you feel distracted by social media? Do you feel that too much scrolling through feeds transforms your mind - in a bad way? Solution: Go find an online platform that will put your mind in a different state. Go hacking on hackthebox.eu. I have been hacking …

Internet of Things. Yet Another Gloomy Post.

Technically, I work with Things, as in the Internet of Things. As outlined in Everything as a Service many formerly 'dumb' products - such as heating systems - become part of service offerings. A vital component of the new services is the technical connection of the Thing in your home to that Big Cloud. It …

Have I Seen the End of E-Mail?

Not that I desire it, but my recent encounters with ransomware make me wonder. Some people in, say, accounting or HR departments are forced to use e-mail with utmost paranoia. Hackers send alarmingly professional e-mails that look like invoices, job applications, or notifications of postal services. Clicking a link starts the download of malware that …

Shortest Post Ever

... self-indulgent though, but just to add an update on the previous post. My new personal website is live: elkement.subversiv.at I have already redirected the root URLs of the precursor sites radices.net, subversiv.at and e-stangl.at. Now I am waiting for Google's final verdict; then I am going to add the rewrite map for the 1:n …

Looking for Patterns

Scott Adams, of Dilbert fame, has a lot of useful advice in his autobiographical book How to Fail at Almost Everything and Still Win Big. He recommends looking for patterns in your life, without attempting to theorize about cause and effect. Learning from those patterns, you could increase the chance that luck will hit you. …

Waging a Battle against Sinister Algorithms

I have felt a disturbance of the force. As you might expect from a blog about anything, this one has a weird collection of unrelated top pages and posts. My WordPress Blog Stats tell me I am obviously an internet authority on: how rodents get into kitchen appliances, about the physics of a spinning toy, …

Google and Heating Systems (2)

I googled our company name. Then I found this: Auftrag means order and the obfuscated parts contain our full company name, the Chief Engineer's name, the URL of a vendor we ordered material from recently, invoice total, and a comment like The client said we should... The now inaccessible URL had pointed to a comma-separated …

When I Did Social Engineering without Recognizing It

I planned to read something about history this summer. Then I picked the history of hacking. My favorite was Kevin Mitnick's autobiography - the very definition of a page-turner. The book is free of hardcore technical jargon and written for geeks and a lay audience alike. Readers are introduced to the spirit of a hacker in …

5 Years Anniversary: When My Phone Got Hacked

I like to play with phones. 5 years ago my cell phone decided it wanted to play on its own. It did participate in a TV voting - so the provider said and the itemized bill proved. This was for a music show I wouldn't even watch if somebody paid me for doing so. The …

Automatic Mapping of Logon Certificates to Users in Active Directory

This post was originally published on my other / 'archive' website in 2014, first as a PDF, later converted to an HTML article. I am publishing it here on my WordPress blog in April 2022, using its original publication date - as it predates most of the other articles in my PKI UPN AD …

Cyber Security Satire?

I am a science fiction fan. In particular, I am a fan of movies featuring Those Lonesome Nerds who are capable of controlling this planet's critical infrastructure - from their gloomy basements. But is it science fiction? In the year Die Hard 4.0 was released, a classified video - showing an electrical generator dying …