Quick Tip: Crack NTLMv1 Handshakes with Crack.sh

What: This post will show how to crack NTLMv1 handshakes with the crack.sh service to obtain the NTLM hash. The technique has been public since 2013, but testers often do not take advantage of it. Intro: For most pentesters, running Responder.py is one of the first tasks performed on internal…
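The excerpt above names the technique without showing the moving parts. The following is an added example, not code from the original post or from crack.sh: it parses a Responder-style NTLMv1 capture line (user::DOMAIN:LMresponse:NTresponse:challenge), works out which 8-byte challenge the client actually DES-encrypted (NTLMv1 with extended session security replaces the server challenge with MD5(server challenge || client nonce)[:8]), splits the 24-byte NT response into the three DES ciphertexts a cracker attacks, and shows how the 16-byte NT hash becomes those three DES keys, which is why the last block costs only a 2^16 search. The capture lines, user names and hex values are constructed; the `NTHASH:` submission prefix and the fixed challenge 1122334455667788 (the value Responder is configured with for crack.sh) are from my own notes and should be checked against the service's current instructions.

```python
import hashlib

# Constructed Responder-style NTLMv1 capture lines (user::DOMAIN:LM:NT:challenge).
# Names and hex values are made up for illustration.
PLAIN_CAPTURE = (
    "jdoe::CORP:"
    "76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:"
    "727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595:"
    "1122334455667788"
)
# Same shape, but the client negotiated extended session security (ESS):
# the LM field carries an 8-byte client nonce followed by 16 zero bytes.
ESS_CAPTURE = (
    "asmith::CORP:"
    "4a7b2f1d9c3e5b60" + "00" * 16 + ":"
    "0c9f1e4d7a2b8c3e5f6a1b2c3d4e5f60718293a4b5c6d7e8:"
    "1122334455667788"
)

# Challenge that Responder is configured to send when captures are destined
# for crack.sh (assumption: see lead-in).
FIXED_CHALLENGE = bytes.fromhex("1122334455667788")


def parse_responder_ntlmv1(line):
    """Split a Responder NTLMv1 line into its fields and validate the lengths."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        raise ValueError("expected user::DOMAIN:LM:NT:challenge")
    user, _, domain, lm_hex, nt_hex, chal_hex = parts
    lm, nt, chal = (bytes.fromhex(h) for h in (lm_hex, nt_hex, chal_hex))
    if len(lm) != 24 or len(nt) != 24 or len(chal) != 8:
        raise ValueError("NTLMv1 needs 24-byte LM/NT responses and an 8-byte challenge")
    return {"user": user, "domain": domain, "lm": lm, "nt": nt, "challenge": chal}


def is_ess(lm_response):
    """ESS is signalled by a LM field of client nonce + 16 zero bytes."""
    return lm_response[8:] == bytes(16)


def effective_challenge(server_challenge, lm_response):
    """The 8 bytes that were actually DES-encrypted by the client."""
    if is_ess(lm_response):
        return hashlib.md5(server_challenge + lm_response[:8]).digest()[:8]
    return server_challenge


def split_des_blocks(nt_response):
    """Each 8-byte third of the NT response is DES(key_i, challenge)."""
    return [nt_response[i:i + 8] for i in (0, 8, 16)]


def expand_des_key(key7):
    """Spread 56 key bits over 8 bytes, low bit of each byte set to odd parity."""
    bits = int.from_bytes(key7, "big")
    out = []
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)


def nt_hash_to_des_keys(nt_hash):
    """NT hash (16 bytes) + 5 zero bytes -> three 7-byte DES keys.

    Key 3 is only hash[14:16] plus five zero bytes, so the third block is a
    2^16 search; keys 1 and 2 are full 56-bit DES keys, which is the work
    crack.sh's DES hardware performs.
    """
    padded = nt_hash + bytes(5)
    return [expand_des_key(padded[i:i + 7]) for i in (0, 7, 14)]


def analyze(line):
    """Summarise a capture: ESS or not, effective challenge, DES blocks, submission."""
    cap = parse_responder_ntlmv1(line)
    chal = effective_challenge(cap["challenge"], cap["lm"])
    fixed = chal == FIXED_CHALLENGE
    return {
        "user": f"{cap['domain']}\\{cap['user']}",
        "ess": is_ess(cap["lm"]),
        "effective_challenge": chal.hex(),
        "des_blocks": [b.hex() for b in split_des_blocks(cap["nt"])],
        "fixed_challenge": fixed,
        # Assumed crack.sh format for the fixed-challenge case; None means the
        # blocks must be brute-forced against the effective challenge instead.
        "submission": "NTHASH:" + cap["nt"].hex().upper() if fixed else None,
    }


if __name__ == "__main__":
    for line in (PLAIN_CAPTURE, ESS_CAPTURE):
        print(analyze(line))
    # Known NT hash of "password"; shows the zero-padded third key.
    for k in nt_hash_to_des_keys(bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")):
        print(k.hex())
```

The ESS case is the check worth keeping: Responder labels such captures separately, and their effective challenge is never the fixed value, so they cannot use a fixed-challenge lookup and need a brute force against the derived challenge instead. The recovered NT hash is usable directly for pass-the-hash; no password guessing is involved.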

Apache and Java Information Disclosures Lead to Shells

Overview: During a recent Red Team engagement, we discovered a series of information disclosures on a site that let our team go from zero access to full compromise in a matter of hours. An information disclosure in an Apache HTTP server with mod_status enabled allowed our team to discover .jar files, hosted…
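The mod_status leak in the excerpt works because an exposed /server-status page lists the request line of every worker, including paths a site never links to. The following is an added example, not code from the original post: it parses the per-worker table of a constructed /server-status page, collects the unique request paths per virtual host, and flags the archive paths (.jar, .war) a tester would pull next. The HTML sample, host names and paths are constructed to match the layout Apache uses for that table.

```python
import re

# Constructed /server-status page, trimmed to the worker table that matters.
SAMPLE_STATUS = """
<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for www.example.com (via 10.0.0.5)</h1>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>2101</td><td>0/14/14</td><td>_</td><td>0.02</td><td>4</td><td>0</td><td>0.0</td><td>0.03</td><td>0.03</td><td>10.0.0.23</td><td nowrap>www.example.com:443</td><td nowrap>GET /index.html HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>2102</td><td>0/9/9</td><td>W</td><td>0.01</td><td>0</td><td>12</td><td>0.0</td><td>0.01</td><td>0.01</td><td>10.0.0.41</td><td nowrap>intranet.example.com:443</td><td nowrap>GET /apps/reporting/lib/report-engine.jar HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>2103</td><td>0/3/3</td><td>K</td><td>0.00</td><td>1</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td>10.0.0.41</td><td nowrap>intranet.example.com:443</td><td nowrap>POST /apps/reporting/login?next=/admin HTTP/1.1</td></tr>
<tr><td><b>3-0</b></td><td>2104</td><td>0/1/1</td><td>_</td><td>0.00</td><td>7</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td>10.0.0.77</td><td nowrap>www.example.com:443</td><td nowrap>GET /index.html HTTP/1.1</td></tr>
</table></body></html>
"""

# VHost cell followed by the Request cell: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(
    r"<td nowrap>([^<]+)</td>"
    r"<td nowrap>(GET|POST|HEAD|PUT|DELETE|PATCH|OPTIONS) (\S+) HTTP/\d\.\d</td>"
)


def extract_requests(html):
    """Return one dict per worker row: virtual host, method and request target."""
    return [
        {"vhost": vhost, "method": method, "target": target}
        for vhost, method, target in REQUEST_RE.findall(html)
    ]


def unique_paths(requests):
    """Request paths without query strings, deduplicated in first-seen order."""
    seen = []
    for req in requests:
        path = req["target"].split("?", 1)[0]
        if path not in seen:
            seen.append(path)
    return seen


def find_artifacts(paths, suffixes=(".jar", ".war")):
    """Paths worth downloading: deployed archives that can be decompiled."""
    return [p for p in paths if p.lower().endswith(suffixes)]


def hosts_seen(requests):
    """Virtual hosts the page reveals, useful when only one name was in scope."""
    return sorted({req["vhost"] for req in requests})


if __name__ == "__main__":
    reqs = extract_requests(SAMPLE_STATUS)
    print("hosts:", hosts_seen(reqs))
    paths = unique_paths(reqs)
    print("paths:", paths)
    print("artifacts:", find_artifacts(paths))
```

Run it against a live page by fetching /server-status with any HTTP client and passing the body to extract_requests; poll repeatedly, since each fetch only shows requests in flight at that moment. The Request column is populated only with ExtendedStatus On, which is the default once mod_status is loaded on Apache 2.4. The fix is to not load mod_status on internet-facing hosts, or to wrap the handler in a `<Location "/server-status">` block with `Require ip 127.0.0.1` (or the monitoring host) so the page is never reachable from clients.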

Quick Tip: Gaining Code Execution with Injection on Java args

Recently on a pentest, we encountered a web application that allowed us to control the command-line args passed to the 'java' binary on the underlying server. We didn't see any published resources on how to gain arbitrary command execution with control of only the arguments to java, so this blog…