Manish Kishan Tanwar
@IndiShell1046
Followers 2K · Following 8K · Media 152 · Statuses 5K
SQL Injection fan Develop vulnerable labs and web shells in spare time https://t.co/K2kSnZjLDO
IndiShell Lab
Joined May 2016
Everyone was saying RFI is dead in PHP applications (including me). Today, I got a way to perform RFI even if remote URL inclusion is disabled. I blogged about it 😄 SMB is loaded with awesomeness \m/ https://t.co/1LDu6ouUTI
In AD CS exploitation series, here comes Manual exploitation of AD CS ESC1 vulnerable certificate template using Windows certreq binary: https://t.co/CWwbJzqrhk
Certi-Bhai PowerShell scripts to exploit AD CS ESC2 and ESC3 vulnerable certificate templates. ESC2.ps1: https://t.co/Oyo2UmHWUw ESC3.ps1: https://t.co/3O46Pyo8Co Demo video:
Special thanks to Dominic sir for his valuable guidance 🙏 , Konstantin bhai ji 😍 for PowerShell script Idea, Karan & MANOJ for being my partner in crime and SpecterOps for Amazing AD CS exploitation research 🙏
I am releasing a PowerShell script that can exploit the Windows AD CS ESC1 vulnerable certificate template: --==[[ Certi-bhai ]]==-- Script Code: https://t.co/SHjxxW0wy3 Demo video:
Blog post about my recent CVE-2025-58726, aka “The Ghost Reflection” is out, read it here: https://t.co/KnuLXeNLUc 🙃
semperis.com: Understanding how attackers use Ghost Service Principal Names to initiate authentication reflection can help you avoid similar vulnerabilities.
--==[[ Privilege escalation from IIS defaultAppPool to NT Authority/SYSTEM without *potato exploit ]]==-- Last year, I chained NTLM relay and AD CS web enrollment endpoint to perform privilege escalation from IIS virtual account to NT Authority/SYSTEM https://t.co/oQtmRuL0EJ
Last month, @d_tranman and I gave a talk @MCTTP_Con called "COM to the Darkside" focusing on COM/DCOM cross-session and fileless lateral movement tradecraft. Check out the slides here: https://t.co/1KNln1ldzF Recording should be released soon.
github.com (bohops/COM-to-the-Darkside): Slides and resources from MCTTP 2025 Talk.
Later, used Rubeus to gain local admin access on the machine. Special thanks to @domchell sir for his guidance, Andy sir and Marcus sir for their encouragement, Karan and Manoj for being partner in crime <3
In this exploit chain, I used an ASPX code to trigger SMB request (no OS command used) to attacker controlled NTLM/CVertiPy instance and relayed the captured machine account's NTLMv2 hash to AD CS web enrollment endpoint to obtain a Machine account certificate.
Zero-Day? CVE for documentation smells? I’d suggest getting ready for another “flood of CVEs” based on e.g. https://t.co/wVaAGXRPnM 😬
github.com (blacklanternsecurity/badsecrets): A library for detecting known secrets across many web frameworks.
🚨 We identified a ViewState deserialization attack affecting Sitecore deployments. The attacker leveraged an exposed ASP[.]NET machine key to perform remote code execution. Get the full details, indicators of compromise, and defensive recommendations: https://t.co/nkXi97LjOa
I have launched YSoNet ( https://t.co/9BofGcFaWh) and added #SharePoint CVE-2025-49704 payload generator to it as the first thing. Here is how this can work: Running command: `ysonet.exe -p sharepoint --cve=CVE-2025-49704 -var 1 -c "calc"` Running C# code: `ysonet.exe
github.com (irsdl/ysonet): Deserialization payload generator for a variety of .NET formatters.
Today MSRC fixed two vulnerabilities I reported a couple months ago. EoP in Windows Update service (affects only Windows 11/10 with at least 2 drives) https://t.co/YnCsk1934F EoP in Microsoft PC Manager https://t.co/ssudyvpgDS PoC for CVE-2025-48799: https://t.co/brRVf18DnY
github.com: Wh04m1001/CVE-2025-48799
Pretty cool! If you use the tool with a public client and scope from https://t.co/v1qrDbKmYF you can add this to roadtx interactiveauth with the -url parameter to catch the resulting token 😀
Okay folks, you're going to want to bookmark this. Over the weekend I vibe coded a tool I'm calling Microsoft Entra Sign-in URL Builder. This is something I've been wanting to build for some time and inspiration struck. Here's a quick walk through 🧵👇
You have got a valid NTLM relay but SMB and LDAP are signed, LDAPS has got Channel Binding and ESC8 is not available... What about WinRMS ? :D Blogpost: https://t.co/p2uwj2yKTQ Tool: https://t.co/zMPpwtyFir And also, big thanks to jmk (Joe Mondloch) for the collab' :D!
This ended up being a great applied research project with @d_tranman on weaponizing a technique for fileless DCOM lateral movement based on the original work of @tiraniddo. Excellent work, Dylan! - Blog: https://t.co/4cXnRjhyK0 - PoC:
github.com: xforcered/ForsHops
Had a lot of fun digging into COM stuff with @bohops recently! We ended up finding a way to laterally move without dropping a file. https://t.co/F6NahVpuHP
This cropped up recently for me and hopefully it saves someone some time... If you're exploiting ADCS and get a KDC_ERR_CERTIFICATE_MISMATCH error, this is down to strong mapping enforcement. Just supply the SID + UPN during your cert request and gtg as normal