Exploit 29
- Hijacking the Windows "MareBackup" Scheduled Task for Privilege Escalation
- The PrintNightmare is not Over Yet
- Ghost in the PPL Part 3: LSASS Memory Dump
- Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
- Ghost in the PPL Part 1: BYOVDLL
- A Practical Guide to PrintNightmare in 2024
- Insomni'hack 2024 CTF Teaser - Cache Cache
- Bypassing PPL in Userland (again)
- Insomni'hack 2023 CTF Teaser - InsoBug
- From RpcView to PetitPotam
- Bypassing LSA Protection in Userland
- Do You Really Know About LSA Protection (RunAsPPL)?
- An Unconventional Exploit for the RpcEptMapper Registry Key Vulnerability
- Windows .Net Core SDK Elevation of Privilege
- CVE-2020-1170 - Microsoft Windows Defender Elevation of Privilege Vulnerability
- Chimichurri Reloaded - Giving a Second Life to a 10-year old Windows Vulnerability
- PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019
- Windows DLL Hijacking (Hopefully) Clarified
- Windows Server 2008R2-2019 NetMan DLL Hijacking
- CVE-2020-0863 - An Arbitrary File Read Vulnerability in Windows Diagnostic Tracking Service
- CVE-2020-0787 - Windows BITS - An EoP Bug Hidden in an Undocumented RPC Function
- CVE-2020-0668 - A Trivial Privilege Escalation Bug in Windows Service Tracing
- CDPSvc DLL Hijacking - From LOCAL SERVICE to SYSTEM
- Give Me Back My Privileges! Please?
- Weaponizing Privileged File Writes with the USO Service - Part 2/2
- Weaponizing Privileged File Writes with the USO Service - Part 1/2
- Windows Privilege Escalation - DLL Proxying
- CVE-2019-19544 - CA Dollar Universe 5.3.3 'uxdqmsrv' - Privilege Escalation via a Vulnerable SUID Binary
- CVE-2017-13130 - BMC Patrol 'mcmnm' - Privilege Escalation via a Vulnerable SUID Binary