{"version":1,"pages":[{"id":"FdWzEXnYijHtB8Mv0ZrC","title":"About This Gitbook","pathname":"/","siteSpaceId":"sitesp_4wCdv","description":"Navigating The Shadows contains personal notes on my journey through offensive and defensive security. I write when I have time and feel like it. Sometimes I just drop links to other work."},{"id":"d3CScy47BDxY3s8dZ1mt","title":"Initial Access","pathname":"/red-team-operations/initial-access","siteSpaceId":"sitesp_4wCdv","description":"This section describes techniques related to Mitre TA0001 - Initial Access","breadcrumbs":[{"label":"Red Team Operations"}]},{"id":"lcmAtWEMeMadpriHCc6c","title":"Webshells","pathname":"/red-team-operations/initial-access/webshells","siteSpaceId":"sitesp_4wCdv","description":"This category talks about webshells. Our aim is usually to load a C2 framework from the webshell or execute other code without spawning suspicious subprocesses from the web server process.","breadcrumbs":[{"label":"Red Team Operations"},{"label":"Initial Access"}]},{"id":"s1BtU94hYdqqKzI0hMZe","title":"Java (JSP) - Bring Your Own Jar","pathname":"/red-team-operations/initial-access/webshells/java-jsp-bring-your-own-jar","siteSpaceId":"sitesp_4wCdv","description":"On this page, we will explore how to reflectively load a class from a Java library and call its main method. In red team context, this can be used to stage additional java code without touching disk.","breadcrumbs":[{"label":"Red Team Operations"},{"label":"Initial Access"},{"label":"Webshells"}]},{"id":"a147XsqsffSsZ4g7K2sw","title":"IIS - SOAP","pathname":"/red-team-operations/initial-access/webshells/iis-soap","siteSpaceId":"sitesp_4wCdv","description":"This page describes how to run shellcode from a webshell with a .soap extension. 
Sometimes web applications use upload blacklists and forget about this extension type.","breadcrumbs":[{"label":"Red Team Operations"},{"label":"Initial Access"},{"label":"Webshells"}]},{"id":"DTB8k9OhQuKQ343hh5NZ","title":"Macro Attacks","pathname":"/red-team-operations/initial-access/macro-attacks","siteSpaceId":"sitesp_4wCdv","description":"This category talks about Office macro attacks, which are often used in combination with phishing to establish a foothold on the victim's machine.","breadcrumbs":[{"label":"Red Team Operations"},{"label":"Initial Access"}]},{"id":"GXf39ulYvI4OhA7D3OWZ","title":"Talking Documents with SpVoice COM","pathname":"/red-team-operations/initial-access/macro-attacks/talking-documents-with-spvoice-com","siteSpaceId":"sitesp_4wCdv","description":"This page describes how to use the Microsoft Speech API to let your office document talk to the end user.","breadcrumbs":[{"label":"Red Team Operations"},{"label":"Initial Access"},{"label":"Macro Attacks"}]},{"id":"vOmu3pEwdrKMIsgyyeh2","title":"Binary File Write via Microsoft Speech API","pathname":"/red-team-operations/initial-access/macro-attacks/binary-file-write-via-microsoft-speech-api","siteSpaceId":"sitesp_4wCdv","description":"This page describes how to use the Microsoft Speech API to write binary files from office documents.","breadcrumbs":[{"label":"Red Team Operations"},{"label":"Initial Access"},{"label":"Macro Attacks"}]},{"id":"k17oekVDU8YLQkoZyz5R","title":"Mark-Of-The-Web Bypass with 7-zip","pathname":"/red-team-operations/initial-access/macro-attacks/mark-of-the-web-bypass-with-7-zip","siteSpaceId":"sitesp_4wCdv","description":"","breadcrumbs":[{"label":"Red Team Operations"},{"label":"Initial Access"},{"label":"Macro Attacks"}]},{"id":"rMVc4h6I6vQapFmO7ZBl","title":"Azure and O365","pathname":"/red-team-operations/azure-and-o365","siteSpaceId":"sitesp_4wCdv","description":"","breadcrumbs":[{"label":"Red Team Operations"}]},{"id":"DnAxQaeDHP3VhaXT0DZD","title":"PRT Abuse from 
Userland with Cobalt Strike","pathname":"/red-team-operations/azure-and-o365/prt-abuse-from-userland-with-cobalt-strike","siteSpaceId":"sitesp_4wCdv","description":"This page describes how to acquire an Azure AD Single Sign-On session from a non-privileged user session on a Windows machine. The acquired token is later used to enumerate Azure AD via ROADTools.","breadcrumbs":[{"label":"Red Team Operations"},{"label":"Azure and O365"}]},{"id":"Uh2IAhwazXRybjGH5pLW","title":"Enumerate Azure AD with AzureHound from Userland","pathname":"/red-team-operations/azure-and-o365/enumerate-azure-ad-with-azurehound-from-userland","siteSpaceId":"sitesp_4wCdv","description":"This page describes how to enumerate Azure AD with AzureHound, starting from a non-privileged user session on a Windows machine.","breadcrumbs":[{"label":"Red Team Operations"},{"label":"Azure and O365"}]},{"id":"k2qi1Bs3wQJcCHC7kOHn","title":"AWS","pathname":"/red-team-operations/aws","siteSpaceId":"sitesp_4wCdv","description":"","breadcrumbs":[{"label":"Red Team Operations"}]},{"id":"RPtKUjKq1aeFS4xtQo3o","title":"Role Abuse: SSM","pathname":"/red-team-operations/aws/role-abuse-ssm","siteSpaceId":"sitesp_4wCdv","description":"This page describes how a compromised machine with the default AmazonSSMRoleForInstancesQuickSetup role can allow an attacker to move laterally to all other machines holding this role in the VPC.","breadcrumbs":[{"label":"Red Team Operations"},{"label":"AWS"}]},{"id":"vkOMptR2VpHuhq03AIfs","title":"OffSecOps","pathname":"/red-team-operations/offsecops","siteSpaceId":"sitesp_4wCdv","description":"","breadcrumbs":[{"label":"Red Team Operations"}]},{"id":"ZKHP9I6FeFWzN99vwwFe","title":"Arsenal Aggressor Script","pathname":"/red-team-operations/offsecops/arsenal-aggressor-script","siteSpaceId":"sitesp_4wCdv","description":"Aggressor script to automatically download and load an arsenal of open source and private tooling. 
Hopefully, this saves other teams time and helps the community!","breadcrumbs":[{"label":"Red Team Operations"},{"label":"OffSecOps"}]},{"id":"b0CSYwSk5Bi36j9NoiIC","title":"AWS","pathname":"/red-team-infrastructure/aws","siteSpaceId":"sitesp_4wCdv","breadcrumbs":[{"label":"Red Team Infrastructure"}]},{"id":"OjgwCytQRltKwFDq6TIW","title":"Connectionless Ansible Deployment with Terraform via SSM","pathname":"/red-team-infrastructure/aws/connectionless-ansible-deployment-with-terraform-via-ssm","siteSpaceId":"sitesp_4wCdv","description":"Deploying Ansible playbooks & roles to EC2 instances via Terraform from anywhere without interruption and without accessing SSH.","breadcrumbs":[{"label":"Red Team Infrastructure"},{"label":"AWS"}]},{"id":"tdhkOBFdXHFMjUHHmTqi","title":"Operational Purple Teaming for Defenders","pathname":"/training/operational-purple-teaming-for-defenders","siteSpaceId":"sitesp_4wCdv","description":"Cybersecurity Training through Attack Simulation","breadcrumbs":[{"label":"Training"}]},{"id":"d8lHwkd26tPFomtoVR3K","title":"Offensive Security","pathname":"/training-reviews/offensive-security","siteSpaceId":"sitesp_4wCdv","description":"Personal reviews on Offensive Security courses & certifications.","breadcrumbs":[{"label":"Training Reviews"}]},{"id":"cbWRZcSDRU9MiAVq54Uu","title":"OSED","pathname":"/training-reviews/offensive-security/osed","siteSpaceId":"sitesp_4wCdv","description":"Offensive Security Exploit Developer","breadcrumbs":[{"label":"Training Reviews"},{"label":"Offensive Security"}]},{"id":"c75HiYKurM5IOtM8EUkj","title":"RCE In HPE Insight Cluster Management Utility (CVE-2024-13804)","pathname":"/vulnerability-research/rce-in-hpe-insight-cluster-management-utility-cve-2024-13804","siteSpaceId":"sitesp_4wCdv","description":"I discovered an unauthenticated RCE in HPE CMU in 2023 by weaponising the Java client application against the server. 
The techniques discussed here can also be applied to other Java applications.","breadcrumbs":[{"label":"VULNERABILITY RESEARCH"}]}]}