Andrea P
1,826 posts
@decoder_it
Security Consultant @semperistech . Independent Security Researcher. Cyclist & Scubadiver. MSRC MVR 2022. "So di non sapere"
decoder.cloud
Joined May 2009
320 Following
9,317 Followers
  • Andrea P
    @decoder_it
    Jan 10, 2023
    We did it again with #LocalPotato! A not-so-common NTLM reflection attack allowing for arbitrary read/write. Basically EoP from user to SYSTEM. Tracked as #CVE-2023-21746 - Windows NTLM EoP. Soon more details --> localpotato.com cc @splinter_code
  • Andrea P
    @decoder_it
    Apr 26, 2021
    When (NTLM) relaying potatoes lead you to domain admin... A "permanent" 0day Privilege Escalation Vulnerability in Windows RPC Protocol ;-) cc @splinter_code Our writeup here: labs.sentinelone.com/relaying-potat…
  • Andrea P
    @decoder_it
    Jun 22, 2019
    Just uploaded the pdf slides of my talk "whoami /priv" @hackinparis #HIP19
    GitHub - decoder-it/whoami-priv-Hackinparis2019: Slides from my talk in "Hackinparis" 2019 edition
    From github.com
  • Andrea P
    @decoder_it
    Jul 25, 2021
    #remotepotato0 xsession is finally out! @splinter_code and me released it: github.com/antonioCoco/Re… Coerce and relay NTLM auth from any user in any session w/o session 0! Enjoy responsibly ;)
    Release RemotePotato0 Cross Session Activation · antonioCoco/RemotePotato0
    From github.com
  • Andrea P
    @decoder_it
    Mar 31, 2022
    Me and @splinter_code did it again 😜
  • Andrea P
    @decoder_it
    Feb 26, 2024
    Hello: I'm your ADCS server and I want to authenticate against you. My latest Post and PoC are out. You can read it here: decoder.cloud/2024/02/26/hel… Enjoy :)
  • Andrea P
    @decoder_it
    Nov 25, 2024
    I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx A Kerberos relay & forwarder for MiTM attacks! >Relays Kerberos AP-REQ tickets >Manages multiple SMB consoles >Works on Win & Linux with .NET 8.0 >... GitHub: github.com/decoder-it/Krb…
  • Andrea P
    @decoder_it
    Oct 5, 2022
    We have just released a new version of our #JuicyPotatoNG tool to help red teamers/pentesters. Now you can bruteforce clsid's, find open ports and get interactive console. Check it out here: github.com/antonioCoco/Ju… cc @splinter_code
    github.com
    GitHub - antonioCoco/JuicyPotatoNG: Another Windows Local Privilege Escalation from Service Account...
    Another Windows Local Privilege Escalation from Service Account to System - antonioCoco/JuicyPotatoNG
  • Andrea P
    @decoder_it
    Apr 24, 2024
    "Hello: I'm your Domain Administrator and I want to authenticate against you". My #SilverPotato is out, check the blog post: decoder.cloud/2024/04/24/hel… 😃
    Hello: I’m your Domain Admin and I want to authenticate against you
    From decoder.cloud
  • Andrea P
    @decoder_it
    Jul 5, 2024
    Cool finding from my colleague @cj_berlin detailed here: it-pro-berlin.de/2024/07/use-ss…. PS remoting and SSH ignore "Deny Logon restrictions". So if you enable SSHd on a Domain Controller, every domain user can log in... and, for example, perform a #RemotePotato0 attack 😲
  • Andrea P
    @decoder_it
    Dec 12, 2019
    I have just published this funny post: From iPhone to NT AUTHORITY\SYSTEM :-) decoder.cloud/2019/12/12/fro… cc @padovah4ck
  • Andrea P
    @decoder_it
    Dec 18, 2019
    From dropbox(updater) to NT AUTHORITY\SYSTEM decoder.cloud/2019/12/18/fro…
  • Andrea P
    @decoder_it
    Oct 4, 2024
    Is Kerberos relaying so limited? I'd say no, thanks to @tiraniddo CredMarshalTargetInfo trick. In this case, I'm relaying SMB to HTTP (ADCS) with a modified version of @cube0x0 krbrelay using DFSCoerce and PetitPotam - classic ESC8 attack with Kerberos, no DCOM involved ;)
  • Andrea P
    @decoder_it
    Sep 23, 2020
    Abusing Group Policy Caching
    From decoder.cloud
