Offensive Security team at Almond - Follow us also on infosec.exchange/@AlmondOffs…

Joined September 2016
A private @Burp_Suite Collaborator instance is essential for pentesting sensitive environments, but managing TLS for it can be a pain. Today we release a Certbot plugin that automates Let’s Encrypt wildcard certificate renewals for private instances. github.com/AlmondOffSec/cert…
Are one-way trusts really one way? @lowercase_drm sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets. offsec.almond.consulting/tru…
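An added inventory check to go with the post above (example code, not the tool the post releases): it lists the trusts of the current domain with their direction and protection flags, and the interdomain trust accounts with their password age, so you can see which one-way trusts exist and how old the trust secrets are. It assumes the ActiveDirectory RSAT module and read access to the trustedDomain objects; the function names are my own.

```powershell
# Added example, not part of the original post or the released tool.
# Requires the ActiveDirectory module (RSAT) and rights to read the
# trustedDomain objects in the System container.
Import-Module ActiveDirectory

function Get-TrustInventory {
    param([string]$Server)
    $params = @{ Filter = '*' }
    if ($Server) { $params.Server = $Server }
    # Direction is from the perspective of the queried domain:
    # Inbound, Outbound or BiDirectional.
    Get-ADTrust @params | ForEach-Object {
        [pscustomobject]@{
            Partner                = $_.Name
            Direction              = $_.Direction
            ForestTransitive       = $_.ForestTransitive
            TrustType              = $_.TrustType
            SIDFilteringQuarantine = $_.SIDFilteringQuarantined
            SelectiveAuth          = $_.SelectiveAuthentication
            TDO                    = $_.DistinguishedName
        }
    }
}

function Get-TrustAccountAge {
    param([string]$Server)
    # Interdomain trust accounts carry the INTERDOMAIN_TRUST_ACCOUNT (0x800)
    # bit in userAccountControl; their pwdLastSet shows when the trust
    # secret was last rotated.
    $params = @{
        LDAPFilter = '(userAccountControl:1.2.840.113556.1.4.803:=2048)'
        Properties = 'pwdLastSet', 'sAMAccountName'
    }
    if ($Server) { $params.Server = $Server }
    Get-ADObject @params | ForEach-Object {
        $last = [datetime]::FromFileTime($_.pwdLastSet)
        [pscustomobject]@{
            TrustAccount    = $_.sAMAccountName
            PasswordLastSet = $last
            AgeDays         = [int]((Get-Date) - $last).TotalDays
        }
    }
}

# One-way trusts are the ones the post is about: list them first,
# then the trust accounts whose secrets back those trusts.
Get-TrustInventory | Where-Object { $_.Direction -ne 'BiDirectional' } | Format-Table -AutoSize
Get-TrustAccountAge | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Run it from a domain-joined host on each side of the trust; a trust that shows as Outbound on one side shows as Inbound on the other, and both views are worth recording before assessing what a leaked trust secret would give an attacker.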
Team member @sigabrt9 was able to bypass Apache FOP Postscript escaping to reach the GhostScript engine. offsec.almond.consulting/byp…
Team member @myst404_ identified a privilege escalation in WAPT caused by a DLL hijacking issue, which was promptly fixed by the vendor. Patched in version 2.6.1. Changelog: wapt.fr/fr/doc/wapt-changelo…
Almond OffSec retweeted
11 Nov 2025
Publishing github.com/SAERXCIT/LibTP_Ga…! It's a generalisation of LibTPLoadLib to proxy APIs with an arbitrary number of args. Provided as a Crystal Palace shared library. API made compatible with @_RastaMouse's LibTP. Hooks are provided to show off the newest Crystal Palace features
Call stacks are widely used by the Elastic EDR to detect malicious activity. @SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected. Post: offsec.almond.consulting/eva… PoC: github.com/AlmondOffSec/LibT…
Almond OffSec retweeted
The Blog post about "Revisiting Cross Session Activation attacks" is now also public. Lateral Movement with code execution in the context of an active session? 😎 Here you go: r-tec.net/r-tec-blog-revisit…
Following @ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by @SAERXCIT last year. It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification. github.com/AlmondOffSec/DCOM…
Did you know deleting a file in Wire doesn’t remove it from servers? Team member @myst404_ took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations. offsec.almond.consulting/del…
Almond OffSec retweeted
Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post sensepost.com/blog/2025/divi…
To escape a locked-down Citrix environment, team member @saerxcit wrote a basic shellcode loader in OpenEdge ABL, a 40-year-old English-like programming language. We're sharing it on the off chance someone else might one day need it: github.com/AlmondOffSec/Open…
This issue was assigned CVE-2024-52531. While the CVE description states that the vulnerability cannot be reached from the network, it seems, in fact, possible (check the blogpost for details).
Team member @sigabrt9 describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack bug bounty program for Gnome: offsec.almond.consulting/usi…
Almond OffSec retweeted
You can now also follow us on Mastodon : infosec.exchange/@AlmondOffs…
Almond OffSec retweeted
You can now also follow us on Bluesky: bsky.app/profile/almondoffse…
Almond OffSec retweeted
📢 Hunter Alert! Here's an excellent write-up by @sigabrt9 - who recently uncovered a bug in @gnome’s #BugBounty program. Perfect to expand your knowledge about finding bugs in open-source programs 👉 offsec.almond.consulting/usi… Thank you @sigabrt9 for this valuable contribution!
New article on F5! A write-up on CVE-2024-45844, a privilege escalation vulnerability in BIG-IP by team member @myst404_ offsec.almond.consulting/pri…
If you are lucky enough to have a Windows Server Datacenter with Hyper-V, you can automatically activate @M4yFly 's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We POCed a Vagrant-style script here: github.com/AlmondOffSec/GOAD…
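An added example of the activation mechanism the post relies on (my code, not the script in the linked repository): Automatic Virtual Machine Activation (AVMA) lets a guest on an activated Windows Server Datacenter Hyper-V host activate itself through the Key-Value Pair Exchange integration service, with no KMS and no internet access. The VM names are placeholders, the function names are my own, and the AVMA product keys must be filled in from Microsoft's published AVMA key table for the guest editions you deploy; they are deliberately not reproduced here.

```powershell
# Added example, not the GOAD activation script from the post.
# Assumptions: the Hyper-V host runs an activated Windows Server Datacenter
# edition, the VM names below are placeholders for the lab VMs, and $AvmaKeys
# is filled in from Microsoft's AVMA key table (one key per guest edition).

# --- Host side: the guest needs the Data Exchange (KVP) service enabled ---
$LabVMs = @('GOAD-DC01', 'GOAD-DC02', 'GOAD-SRV02')   # placeholder names

function Enable-LabKvp {
    param([Parameter(Mandatory)][string[]]$VMName)
    foreach ($vm in $VMName) {
        Enable-VMIntegrationService -VMName $vm -Name 'Key-Value Pair Exchange'
        Get-VMIntegrationService -VMName $vm -Name 'Key-Value Pair Exchange' |
            Select-Object VMName, Name, Enabled
    }
}

# --- Guest side: install the edition-specific AVMA key, then verify ---
# Runs inside each VM, for example over PowerShell Direct from the host:
#   Invoke-Command -VMName $vm -ScriptBlock ${function:Set-AvmaActivation} -ArgumentList $key
$AvmaKeys = @{
    'Windows Server 2019 Standard'   = '<AVMA key from Microsoft docs>'
    'Windows Server 2019 Datacenter' = '<AVMA key from Microsoft docs>'
}

function Set-AvmaActivation {
    param([Parameter(Mandatory)][string]$Key)
    $slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($caption -match 'Evaluation') {
        # Evaluation media cannot take an AVMA key directly: convert the
        # edition first, which installs the key as part of the conversion.
        dism.exe /online /Set-Edition:ServerDatacenter /ProductKey:$Key /AcceptEula
        return
    }
    cscript.exe //nologo $slmgr /ipk $Key   # install the AVMA product key
    cscript.exe //nologo $slmgr /ato        # trigger activation against the host
    cscript.exe //nologo $slmgr /xpr        # print the resulting licence state
}

Enable-LabKvp -VMName $LabVMs
# Inside a guest: pick the key for the running edition and apply it.
$edition = (Get-CimInstance Win32_OperatingSystem).Caption -replace '^Microsoft ', ''
Set-AvmaActivation -Key $AvmaKeys[$edition]
```

The host-side half is what turns an ordinary rebuild into an activated one: without the Key-Value Pair Exchange service the guest never learns that it sits on a Datacenter host and falls back to the 180-day evaluation clock the post mentions.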
How does F5's Secure Vault, its "super-secure SSL-encrypted storage system", work? The answer is in this article by team member @myst404_ offsec.almond.consulting/dee…
Got root, what now? Practical post-exploitation steps on an F5 Big-IP appliance, by team members @lowercase_drm and @myst404_ offsec.almond.consulting/pos…