Almond Offsec
@almondoffsec.bsky.social
Offensive Security team at Almond. Blog:
https://offsec.almond.consulting/
reposted by
Almond Offsec
Raphael Mudge
about 2 months ago
Part of TCG's vision is stand-alone evasion POCs published and demoed w/o weaponization--but containerized and useful in C2s, B&AS, etc. @almondoffsec.bsky.social did this with their call gadget evasion research following @rastamouse.me's LibTP API:
offsec.almond.consulting/evading-elas...
Neat!
A private Burp Suite Collaborator instance is essential for pentesting sensitive environments, but managing TLS for it can be a pain. Today we release a Certbot plugin that automates Let’s Encrypt wildcard certificate renewals for private instances.
github.com/AlmondOffSec...
GitHub - AlmondOffSec/certbot-plugin-burpcollaborator: Certbot plugin for authentication using Burp Collaborator
Certbot plugin for authentication using Burp Collaborator - AlmondOffSec/certbot-plugin-burpcollaborator
https://github.com/AlmondOffSec/certbot-plugin-burpcollaborator
2 months ago
Are one-way trusts really one way? @lowercasedrm.bsky.social sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets.
offsec.almond.consulting/trust-no-one...
2 months ago
Team member @sigabrt9 was able to bypass Apache FOP PostScript escaping to reach the GhostScript engine.
offsec.almond.consulting/bypassing-ap...
3 months ago
Team member @myst404 identified a privilege escalation in WAPT caused by a DLL hijacking issue, which was promptly fixed by the vendor. Patched in version 2.6.1. Changelog:
www.wapt.fr/fr/doc/wapt-...
3 months ago
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected. Post:
offsec.almond.consulting/evading-elas...
PoC:
github.com/AlmondOffSec...
7 months ago
Following ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by SAERXCIT last year. It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
github.com/AlmondOffSec...
11 months ago
Did you know deleting a file in Wire doesn’t remove it from servers? Team member myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.
offsec.almond.consulting/deleting-fil...
11 months ago
reposted by
Almond Offsec
SensePost
about 1 year ago
Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post:
sensepost.com/blog/2025/di...
SensePost | Diving into ad cs: exploring some common error messages
https://sensepost.com/blog/2025/diving-into-ad-cs-exploring-some-common-error-messages/
To escape a locked-down Citrix environment, team member SAERXCIT (twitter.com/SAERXCIT) wrote a basic shellcode loader in OpenEdge ABL, a 40-year-old English-like programming language. We're sharing it on the off chance someone else might one day need it:
github.com/AlmondOffSec...
over 1 year ago
This issue was assigned CVE-2024-52531. While the CVE description states that the vulnerability cannot be reached from the network, it seems, in fact, possible (check the blogpost for details).
over 1 year ago
Team member sigabrt describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack.bsky.social bug bounty program for Gnome:
offsec.almond.consulting/using-aflplu...
over 1 year ago
New article on F5! A write-up on CVE-2024-45844, a privilege escalation vulnerability in BIG-IP, by team member myst404.
offsec.almond.consulting/privilege-es...
over 1 year ago
If you are lucky enough to have a Windows Server Datacenter with Hyper-V, you can automatically activate Mayfly's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We POCed a Vagrant-style script here:
github.com/AlmondOffSec...
over 1 year ago
How does F5's Secure Vault, its "super-secure SSL-encrypted storage system", work? Response in this article by team member myst404.
offsec.almond.consulting/deep-diving-...
almost 2 years ago
Got root, what now? Practical post-exploitation steps on an F5 Big-IP appliance, by team members drm and myst404.
offsec.almond.consulting/post-exploit...
almost 2 years ago
Stoked to see #PassTheCert featured in ippsec's solution to @hackthebox.bsky.social Authority! Video:
www.youtube.com/watch?v=7AF5...
Find the tool here:
github.com/AlmondOffSec...
over 2 years ago
We updated this old gem by myst404 to include the new #GLPI decryption algorithm.
offsec.almond.consulting/multiple-vul...
over 2 years ago