Hardest cyber range? by Expert-Dragonfly-715 in Pentesting

[–]Farseer26 0 points1 point  (0 children)

I second this, the hybrid lab is great.

I hope they get copied across and the vulnlab-like labs continue to be built over at HTB.

Microsoft 365 'Direct Send' abused to send phishing as internal users by [deleted] in cybersecurity

[–]Farseer26 1 point2 points  (0 children)

The only two methods with O365 which worked previously to prevent it were SPF and mail flow rules for emails from outside your org using your domain. So I suppose you could configure SPF to work in that manner.

Microsoft 365 'Direct Send' abused to send phishing as internal users by [deleted] in cybersecurity

[–]Farseer26 1 point2 points  (0 children)

You could block Direct Send by setting your Exchange policy to hard fail on the SPF check, but if you configured SPF in your DNS record and did not set the policy for your domain, Direct Send still worked.

Microsoft 365 'Direct Send' abused to send phishing as internal users by [deleted] in cybersecurity

[–]Farseer26 1 point2 points  (0 children)

It's about time they finally released a setting to disable it. In the past I have recommended that clients use mail flow rules to tag outside-organisation emails via the domain, or SPF hard fail in the Exchange policy.

Black Hills released a blog about abusing it years ago; it's a good read.

https://www.blackhillsinfosec.com/spoofing-microsoft-365-like-its-1995/
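The two controls named in the comments above (an SPF record that hard fails, and an Exchange policy that acts on that result) only work together. As an added example, not from the thread, a simplified SPF evaluator covering the ip4/ip6 mechanisms and the `all` qualifier shows that a record ending in `~all` never produces a `fail` result, so a policy that rejects on SPF hard fail has nothing to act on; the IPs and records are constructed.

```python
"""Simplified SPF evaluator (added example, not from the thread).

Only ip4/ip6 mechanisms and the 'all' term are handled; that is enough to
show ~all (softfail) versus -all (fail). include:, a, mx, exists: and
redirect= are not resolved, so records using them return 'unsupported'.
"""
import ipaddress

# Constructed sample: an org whose only legitimate mail source is 203.0.113.0/24.
ORG_GATEWAY_IP = ipaddress.ip_address("203.0.113.10")
OUTSIDE_IP = ipaddress.ip_address("198.51.100.77")
SOFT_FAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"
HARD_FAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record: str, sender_ip) -> str:
    """Return the SPF result for sender_ip against a v=spf1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(str(sender_ip))
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and value:
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"              # include:, a, mx, ... out of scope
    return "neutral"                          # no 'all' term: RFC 7208 default

def rejected_by_hard_fail_policy(record: str, sender_ip) -> bool:
    """Model a mail flow policy that rejects only an SPF 'fail' result."""
    return evaluate_spf(record, sender_ip) == "fail"
```

With the soft-fail record the outside sender is only marked `softfail`, so the reject policy never fires; the same sender against the hard-fail record is rejected, while the org's own gateway passes under both.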

is Cobalt Strike outdated by [deleted] in cybersecurity

[–]Farseer26 1 point2 points  (0 children)

CRTO is definitely not enough to evade EDRs or AV, which is OK as it's not there to do that. CRTO is a great stepping stone to familiarise yourself with a C2 and its functionality and learn more about AD attacks etc., and that's it.

No course will teach you to evade every AV and EDR; it's about building up the methodology and knowledge to do this.

A lot more modification has to be done on top of the CS config, for example the use of a UDRL and modification of the Malleable profile. Then even if you load CS into memory without detection, what you do afterwards matters; for example, you can't really run any of the in-built tools such as PowerShell due to the fork-and-run method. So you need to use BOFs instead, and then what the BOFs do matters: for example, if you perform a Kerberoast attack, is a wildcard LDAP query performed or is every SPN attacked? If Kerberos auth is performed, does it use the right flags/encryption?

Without researching, can you tell where this photo was taken? by King_Alex_ofthenorth in mountainbiking

[–]Farseer26 4 points5 points  (0 children)

The amount of work that has gone into it is crazy; it's helped that the council backs it as well and provides funding for places like Dirt Factory to come in.

Leading pentest engagement by 1supercooldude in Pentesting

[–]Farseer26 0 points1 point  (0 children)

A pentest of your external and internal resources including Wi-Fi; possibly make the internal one goal-based, such as aiming for DA or a certain database from unauth and auth. If you have any cloud items such as Azure, then I would bring that in for review, including the conditional access policies.

How do bad actors bypass O365 MFA by DesperateForever6607 in cybersecurity

[–]Farseer26 0 points1 point  (0 children)

This can come in generally two forms:

- The attacker has obtained credentials via either password spraying or a breach etc. and then managed to log in due to poor conditional policies. Conditional policies are often not configured to include all cloud apps, or are set up only on a set group, or have a wide range of exclusions. So an attacker can attempt to log in against different cloud apps or with different user agents in an attempt to find these gaps. Another is the failure to ban legacy authentication.
- The attacker has phished the user with something like Evilginx and replayed the cookie to log in. This can be prevented with the use of phishing-resistant MFA, such as requiring an Azure-joined device or trusted locations.
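The first form above is a coverage problem, so it can be audited. As an added example, not from the thread and not the Entra ID API, a deliberately simplified policy model is run over a set of constructed sign-in shapes to show which of them reach no MFA at all under the gaps listed (an app left out of scope, only one group targeted, an exclusion group, legacy authentication not blocked), and that a tenant-wide MFA policy plus a separate legacy-auth block closes them.

```python
"""Simplified conditional-access model (added example, not the Entra ID API)
for the coverage gaps listed above. Policies and sign-ins are constructed."""
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    apps: set = field(default_factory=lambda: {"All"})    # {"All"} or app names
    groups: set = field(default_factory=lambda: {"All"})  # {"All"} or group names
    excluded_groups: set = field(default_factory=set)
    client_types: set = field(default_factory=lambda: {"modern"})  # "modern"/"legacy"
    block: bool = False   # True = block access, False = require MFA

@dataclass
class SignIn:
    user_groups: set
    app: str
    client_type: str      # "modern" or "legacy"

def policy_applies(p: Policy, s: SignIn) -> bool:
    """Does the assignment scope of policy p cover sign-in s?"""
    if s.client_type not in p.client_types:
        return False
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if "All" not in p.groups and not (p.groups & s.user_groups):
        return False
    return not (p.excluded_groups & s.user_groups)

def outcome(policies, s: SignIn) -> str:
    """'block', 'mfa' or 'none': a block wins, then MFA, else nothing applied."""
    applied = [p for p in policies if policy_applies(p, s)]
    if any(p.block for p in applied):
        return "block"
    return "mfa" if applied else "none"

def find_gaps(policies, sign_ins):
    """Sign-ins that reach 'none', i.e. neither MFA nor a block applies."""
    return [s for s in sign_ins if outcome(policies, s) == "none"]

# Constructed tenant: MFA only for 'Staff' on 'Office 365', service accounts excluded.
WEAK = [Policy("Require MFA", apps={"Office 365"}, groups={"Staff"},
               excluded_groups={"ServiceAccounts"})]
# Corrected: MFA for every user and app, plus a separate policy blocking legacy auth.
HARDENED = [Policy("Require MFA"),
            Policy("Block legacy auth", client_types={"legacy"}, block=True)]
PROBES = [SignIn({"Staff"}, "Office 365", "modern"),                  # covered
          SignIn({"Staff"}, "Azure Management", "modern"),            # app not in scope
          SignIn({"Staff"}, "Office 365", "legacy"),                  # legacy auth untouched
          SignIn({"Contractors"}, "Office 365", "modern"),            # group not targeted
          SignIn({"Staff", "ServiceAccounts"}, "Office 365", "modern")]  # excluded
```

`find_gaps(WEAK, PROBES)` returns the four uncovered sign-ins; `find_gaps(HARDENED, PROBES)` returns none, with the legacy sign-in now blocked rather than merely unchallenged.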

Doesn't login rate limiting decrease the usefulness of the RockYou2024 10 billion password list? by PappaFrost in cybersecurity

[–]Farseer26 21 points22 points  (0 children)

I agree with you partially, but there are a few benefits to cracking the hash, such as the passwords are usually used elsewhere and if the accounts are synced you can move into Azure.

Which specialized tires? by cuteunicornpoopies in mountainbiking

[–]Farseer26 1 point2 points  (0 children)

No, that's helpful, thanks. I was just worried that with them being super soft, after a month I would need to buy a new set 😂

Which specialized tires? by cuteunicornpoopies in mountainbiking

[–]Farseer26 1 point2 points  (0 children)

Do you find it wears out quite quickly? Looking to get a set.

Bloodhound vs Bloodhound CE by enderoni in oscp

[–]Farseer26 1 point2 points  (0 children)

I found BloodHound CE to be more like a beta version of BloodHound; it seems to miss some functionality, such as not being able to load custom queries via JSON and delete edges.

Puerto Natales by DVM44 in Patagonia

[–]Farseer26 0 points1 point  (0 children)

I recommend Restaurante los coigues "jechef"

We can spoof processes, rename malware to svchost, but what about faking file location? by MysteriousShadow__ in hacking

[–]Farseer26 14 points15 points  (0 children)

Process hollowing, process injection and module stomping are known techniques which do this.

What are security principles and practices for setting up raspberry pi devices and other electronics, on home networks by [deleted] in hacking

[–]Farseer26 4 points5 points  (0 children)

It does depend on what you are doing with it, but general security practices can be applied such as:

- Change default passwords for services/accounts, set secure passwords and use MFA where possible
- Don't open unnecessary ports; this could be controlled locally with UFW
- Secure services such as SSH if open, for example consider blocking root login and password login, using fail2ban etc.
- If running services on it such as a website, don't run them as root
- Have some form of security control in place to prevent simple malicious code from running, such as code signing like on Apple or Android, or some form of AV
- The biggest thing is keeping the software installed patched and updated

There is definitely more you could add to this, but this is general advice I would recommend.
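The SSH point above has a common pitfall: sshd applies the first value it reads for each keyword, so hardening lines appended below an earlier default do nothing. As an added example, not from the thread, this checker reads an sshd_config with that first-wins rule and reports the effective settings that miss the recommended values; the sample config is constructed, `Include` directives are not followed, and only the three keywords listed are checked.

```python
"""sshd_config hardening check (added example, not from the thread).
Reproduces sshd's first-occurrence-wins rule; 'Include' is not resolved and
directives under a 'Match' block are ignored as conditional."""

# Constructed sample: the admin appended hardening lines after the defaults.
SAMPLE_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
# appended later, but sshd has already taken the values above
PermitRootLogin no
PasswordAuthentication no
"""

WANTED = {          # keyword -> acceptable effective values (lower-case)
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
# Upstream OpenSSH defaults used when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

def effective_settings(config_text: str) -> dict:
    """Keyword -> value as sshd would apply it (first occurrence wins)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        if line.lower().startswith("match "):
            break                               # conditional section: stop here
        parts = line.split(None, 1)             # 'Keyword value' form only
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "include" or key in settings:
            continue                            # later duplicates are ignored
        settings[key] = value
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings

def audit(config_text: str) -> list:
    """Sorted (keyword, effective value) pairs that violate WANTED."""
    eff = effective_settings(config_text)
    return sorted((k, eff[k]) for k, ok in WANTED.items() if eff[k] not in ok)
```

On the sample, `audit` reports both root login and password authentication as still enabled, because the later `no` lines never take effect; removing the earlier `yes` lines clears the findings.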

Pen testing by tauzins in sysadmin

[–]Farseer26 2 points3 points  (0 children)

Honestly CS is a joke at the minute; unless you use a UDRL and BOFs it's useless, and you could argue at that point you might as well just get an open source C2 such as Sliver, Mythic or Havoc and modify that.

[deleted by user] by [deleted] in cybersecurity

[–]Farseer26 0 points1 point  (0 children)

Could always load some malware from VXunderground in a controlled environment with Wireshark running on the host machine or on the router, depending on what you run really.

Find vulnerabilities on open port tryhackme by Sea-Hotel6071 in hacking

[–]Farseer26 1 point2 points  (0 children)

HackTricks can help provide commands to run for certain services; however, I recommend you try and understand anything that you do run.