Write up of my journey figuring out how to host the CLR and execute .NET assemblies from memory in pure Go.| ropnop blog
Default installations of Helm on Kubernetes can make it trivial for attackers to escalate to cluster admin. In this post I’ll demonstrate how.
Serverless functions have so much potential - here are a few useful examples I use when pentesting or doing bug bounties. Who needs testing infrastructure?
The newest Windows 10 update includes OpenSSH utilities, including ssh-agent. Here’s how to extract unencrypted saved private keys from the registry.
The SANS team hit another homerun with the HHC, including awesome challenges that mimicked real-world pentest activities. Here are my solutions!
After lots of mucking around, this is the bare minimum configuration I found to successfully connect to and manage Hyper-V in a non-domain network.
If you end up with a copy of NTDS.dit and the SYSTEM registry hive, you can extract domain computer info offline and user NTLM hashes for cracking.
I often need to copy a tool or a payload from my Kali Linux attack box to a compromised Windows machine. These are some of my favorite techniques.
I’ve shown all the different ways to own a Windows environment when you have a password - but having a hash is just as good! Don’t bother cracking - PTH!
Had an awesome time presenting at Thotcon this year. I plan to expand on this topic quite a bit and eventually turn it into a blog post/series, but in the meantime, here are the slides and the demo video.
WMI and WinRM are two Windows administrative “features” that are ripe for abuse if you have credentials. In this post, I’ll show how to (mis)use them…
Pentesters use PsExec style commands all the time, and in this post I’m going to explore and manually recreate the technique using native Windows tools.
Duh… if you have admin creds you can own a box. But how many different ways can you do it? Here’s a blog-ified version of my notes and my favorite methods.
On a recent pentest, we recovered credentials to a private Docker registry. Looting the contained images yielded us source code and admin ssh keys.