🚨Nextcloud was vulnerable to XSS in PDF.js (CVE-2024-4367) found by Thomas Rinsma at CodeanIO.

Although Nextcloud mitigated the vulnerability in their portal by disabling eval, the viewer.html component of the vulnerable PDF.js was still exposed.

www.redteam-pentesting.de/en/advisorie...

Haix-la-Chapelle 2025 is over!

128 teams submitted at least one flag, 270 correct flags were submitted, and 589 drinks consumed.

The winners are:
🥇 Team tjcsc with 3165 points
🥈Team THEM?! with 2665 points
🥉Team IT-Security Club with 2087 points

Thanks to all participants, see you next year!

By popular demand, registrations for Haix-la-Chapelle are now open!
Register your account here:
haix-la-chapelle.eu/register

If you experience any issues, open a support ticket on our discord:
discord.gg/ASYqv7N2Rj

It's hard hosting a new CTF
#haix25

Just 10 days left until our first CTF, Haix-la-Chapelle, starts!

We have been hard at work and are excited to have you play our challenges 👀

CTF starts at 10am CET on 29th November with prizes sponsored by our lovely sponsors @redteam-pentesting.de and @binary.ninja

🔥Only 10 days left until the Haix-la-Chapelle 2025 CTF is starting on November 29!

We're sponsoring the prize money for the best writeups and are excited to see your creative solutions.

haix-la-chapelle.eu

🚨8 months after public disclosure, RHEL @almalinux.org @rockylinux.org are still vulnerable for a Ghostscript RCE with a reliable public exploit (CVE-2025-27835 and others)! It can be triggered by opening LibreOffice docs or through a server that uses ImageMagick for file conversion!

So CVE-2025-33073 (Reflective Kerberos Relay) has been added to CISA KEV. In the original writeup, SMB Signing (server-side) is listed as a mitigation for this vulnerability. HOWEVER...

blog.redteam-pentesting.de/2025/reflect...

We are happy to announce that we will be hosting our first ever CTF, Haix-la-Chapelle 2025, on the 29th of November!
It will be a Jeopardy style CTF and will start at 10 am Berlin time, lasting for 24 hours.

You can find the CTFTime event at ctftime.org/event/2951

See you there!

👀 Turns out MS-EVEN can do a lot more than NULL auth:

In addition to leaking environment variables, it is possible to coerce authentication from arbitrary logged on users* 🤯

*If you are willing to trigger Windows Defender.

We're excited to host our XSS workshop for RWTH Aachen University's SecLab, again. Today, the students will face XSS challenges as well as a hunt for IT security easter eggs to climb the leaderboard 🏆
#rwth #informatik #aachen

Based on our testing, MS seems to have fixed CVE-2025-33073 by blocking the CredUnmarshalTargetInfo/CREDENTIAL_TARGET_INFORMATIONW trick!
@tiraniddo.dev @decoder-it.bsky.social @synacktiv.com #infosecsky #infosec #pentests #redteam #cybersky #cybersecurity

bsky.app/profile/redt...

🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live:

🪞The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos:
blog.redteam-pentesting.de/2025/reflect...

🚨🚨🚨 Just a heads-up: Microsoft will release a fix for a vulnerability we discovered as part of Patch Tuesday, today. MS classified CVE-2025-33073 as "important" and we recommend patching soon.

Stay tuned for our blog post and paper about it tomorrow at 10:00 am CEST 🔥

Newer Windows clients often enforce signing ✍️ when using SMB fileshares.
To quickly deploy an SMB server with signing supported we implemented this in impacket's smbserver.​py based on a prior work by @lowercasedrm.bsky.social .

github.com/fortra/impac...

🎉 It is finally time for a new blog post!

Join us on our deep dive into Windows Authentication Coercion and its current state in 2025, including some brand-new tooling ✨
#infosecsky #infosec #pentests #redteam #cybersky #cybersecurity

blog.redteam-pentesting.de/2025/windows...