
Almond Offsec

@almondoffsec

Offensive Security team at Almond. Blog: https://offsec.almond.consulting/

88 followers, 1 following, 14 posts, joined 15.11.2023

Latest posts by Almond Offsec @almondoffsec


Team member @sigabrt9 was able to bypass Apache FOP Postscript escaping to reach GhostScript engine.

offsec.almond.consulting/bypassing-ap...

27.02.2026 12:28 👍 3 🔁 1 💬 0 📌 0

Team member @myst404 identified a privilege escalation in WAPT caused by a DLL hijacking issue, which was promptly fixed by the vendor. Patched in version 2.6.1.
Changelog: www.wapt.fr/fr/doc/wapt-...

17.02.2026 12:59 👍 2 🔁 1 💬 0 📌 0

Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...

06.11.2025 13:19 👍 4 🔁 1 💬 0 📌 1

Following ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by SAERXCIT last year.
It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
github.com/AlmondOffSec...

27.06.2025 15:07 👍 2 🔁 1 💬 0 📌 0
Deleting a file in Wire doesn’t remove it from servers — and other findings

Did you know deleting a file in Wire doesn’t remove it from servers?

Team member myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.

offsec.almond.consulting/deleting-fil...

25.06.2025 09:47 👍 2 🔁 1 💬 0 📌 0
SensePost | Diving into AD CS: exploring some common error messages

Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post: sensepost.com/blog/2025/di...

07.03.2025 13:15 👍 6 🔁 6 💬 0 📌 1

To escape a locked-down Citrix environment, team member SAERXCIT (twitter.com/SAERXCIT) wrote a basic shellcode loader in OpenEdge ABL, a 40-year-old English-like programming language. We're sharing it on the off chance someone else might one day need it:

github.com/AlmondOffSec...

09.12.2024 12:37 👍 2 🔁 0 💬 0 📌 0

This issue was assigned CVE-2024-52531. While the CVE description states that the vulnerability cannot be reached from the network, it seems, in fact, possible (check the blog post for details).

05.12.2024 10:52 👍 0 🔁 0 💬 0 📌 0

Team member sigabrt describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack.bsky.social bug bounty program for Gnome: offsec.almond.consulting/using-aflplu...

30.10.2024 12:53 👍 2 🔁 0 💬 0 📌 1

New article on F5! A write-up on CVE-2024-45844, a privilege escalation vulnerability in BIG-IP, by team member myst404.

offsec.almond.consulting/privilege-es...

18.10.2024 06:34 👍 4 🔁 0 💬 0 📌 0
Screenshot of GOAD lab within Hyper-V manager

If you are lucky enough to have a Windows Server Datacenter with Hyper-V, you can automatically activate Mayfly's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We PoC'd a Vagrant-style script here:

github.com/AlmondOffSec...

27.09.2024 12:30 👍 2 🔁 0 💬 0 📌 0
F5 BIG-IP unit key structure

How does F5's Secure Vault, its "super-secure SSL-encrypted storage system" work? Response in this article by team member myst404

offsec.almond.consulting/deep-diving-...

04.06.2024 10:04 👍 1 🔁 0 💬 0 📌 0
Decrypted TLS traffic within a Wireshark window.

Got root, what now? Practical post-exploitation steps on an F5 Big-IP appliance, by team members drm and myst404.

offsec.almond.consulting/post-exploit...

29.05.2024 09:30 👍 2 🔁 1 💬 0 📌 0
Screenshot of ippsec's video showing the PassTheCert GitHub repository.

Stoked to see #PassTheCert featured in ippsec's solution to @hackthebox.bsky.social Authority!

Video: www.youtube.com/watch?v=7AF5...

Find the tool here: github.com/AlmondOffSec...

11.12.2023 05:43 👍 3 🔁 0 💬 0 📌 0

We updated this old gem by myst404 to include the new #GLPI decryption algorithm.

offsec.almond.consulting/multiple-vul...

15.11.2023 13:00 👍 4 🔁 0 💬 0 📌 0