u/Vegetable-Ad-5808

How to find existing windows / AD CVEs

I've just completed the fluffy box, where you can read a PDF file that tells you what CVEs to use to get an initial foothold. The CVE was CVE-2025-24071, where you can create a malicious .zip and capture an NTLMv2 hash to crack when someone opens it.

I realised that if this PDF never told me what CVE to look at and use, I never would've found it / solved the box. In my current methodology, I only test for coercion CVEs (such as petit potam) via netexecs coerce_plus module, and nopac.

If you were to do the fluffy box without being told what CVE to use, how would you figure it out? Would anyone be willing to share their methodology when it comes to finding these things?

Thank you

reddit.com
u/Vegetable-Ad-5808 — 20 hours ago

Methodology to find pre-existing CVEs

Would anyone be willing to share their methodology to find pre-existing CVEs? I've noticed while doing some labs that I'm more than fine with finding custom exploits, but when I have to search for pre-existing CVEs, I often miss them.

My current methodology is:

  • First, search for the software name and version being used
  • Then search for just the software name if the first search doesn't output anything
  • I normally search with: searchsploit, CVE.org, and a regular google search

To improve on my methodology, I'm looking for the following things:

  • What tools / websites do you use to search for them
  • What search terms do you use: do you search for the name and version, just the name, or anything else

Any help would be great, thank you

reddit.com
u/Vegetable-Ad-5808 — 4 days ago
▲ 20 r/oscp

Methodology to find pre-existing CVEs

Would anyone be willing to share their methodology to find pre-existing CVEs? I've noticed while doing some labs that I'm more than fine with finding custom exploits, but when I have to search for pre-existing CVEs, I often miss them.

My current methodology is:

  • First, search for the software name and version being used
  • Then search for just the software name if the first search doesn't output anything
  • I normally search with: searchsploit, CVE.org, and a regular google search

To improve on my methodology, I'm looking for the following things:

  • What tools / websites do you use to search for them
  • What search terms do you use: do you search for the name and version, just the name, or anything else

Any help would be great, thank you

reddit.com
u/Vegetable-Ad-5808 — 4 days ago

Strategies for cross forest attacks

I'm currently on the Cross-Forest Trust Abuse section of the Active Directory Enumeration & Attacks module, and was wondering whether the following attack would work?

Once you have full control over forest1, is there an attack that get's all the user / group SIDs from forest1, forges tickets for those SIDs with the krbtgt hash, then sprays the tickets across services on forest2. This could catch things like Set-PSSessionConfiguration being used to give a cross forest user access to a computer via psremote.

Is there a reason that this wouldn't work / isn't done?

reddit.com
u/Vegetable-Ad-5808 — 12 days ago