WWHF @ Mile High 2025

This talk explores new ways to exploit browser extensions for both privilege escalation and persistence. It will explore the “NativeMessaging” functionality within all popular browsers (Edge, Chrome and Firefox) across all major Operating Systems (Windows, Linux, MacOS) and how it can be exploited to run arbitrary processes. This would be useful not only to execute code when the browser is launched, or when certain sites are visited, but it also leaves another area ripe for misconfigurations that we can exploit. This means that under certain circumstances, we may be able to escalate privileges. In addition to all of that, it provides an opportunity to run code in the context of other users, if a misconfiguration is present or the user has high enough privileges on the machine. We will go over the benefits to the offensive-side of using this method, as well as adjacent techniques that have been observed In-The-Wild. Alongside this talk explaining how it was discovered, how to exploit it and why it is useful, I will also be releasing a brand new tool which can be used to detect if any vulnerable extensions are installed and then exploit them to run a process of our choice.

Detection Engineering is a time consuming and deeply technical field. In this talk, I’ll share my process on researching and creating detections. This is not always success, in fact, when researching some harder to detect techniques we sometimes end up going into rabbit holes that turn out to be a dead end.  But it’s not all doom and gloom—failure can be a phenomenal teacher. I’ll share how these experiences brought me valuable skills and provided valuable insights which make the invested time more than worth the investment.

Email (SMTP) is a topic where people either know it very well or not at all. I began my journey in the latter group, but after spending several months delving into the relevant RFCs, I gained a comprehensive understanding of how to abuse the email ecosystem. This knowledge culminated in the creation of a browser extension called MailFail. In this presentation, I will get you up to speed so that you can quickly identify and exploit email misconfigurations. Join me as we delve into the intricacies and quirks of email, uncovering both its complexities and its absurdities.

Transhumans, individuals enhanced with technological augmentations, have moved beyond science fiction into reality. Historically viewed through medical or cyborg lenses, recent advancements like Brain-Computer Interfaces (BCIs) and SMART technologies are blurring the lines between physical and biological entities. This shift is significantly impacting cybersecurity, as these augmented humans can execute sophisticated cyberattacks, such as URL redirections, phishing, smishing, and man-in-the-middle (MiTM) attacks, using embedded technologies. Traditional security measures are becoming inadequate in this new landscape, requiring a fundamental reassessment of cybersecurity strategies. The presentation will explore these emerging threats through demonstrations of implant-initiated attacks and emphasize the urgent need for advanced, layered security solutions to protect against the unique risks posed by transhumans.

The Impersonator Shell started as a combination of two popular hacker tools: Netcat and Printspoofer. The exploit is named after the Windows privilege that Printspoofer uses to get administrative access to Windows machines, the SeImpersonate privilege. This shell abuses the SeImpersonate privilege to create an administrative reverse or bind shell.  Users running server software on Windows hosts will commonly have the SEImpersonate enabled. Security engineers who can obtain RCE on said servers can also obtain an administrative shell by abusing the SEImpersonate privilege. Instead of uploading Netcat and the corresponding kernel exploit, security engineers can use the Impersonator shell. If the inbuilt exploit does not work, security engineers will be provided a non-administrative shell. The Impersonator shell can connect to a Metasploit listener and be upgraded to a meterpreter shell. The Impersonator Shell can also leverage native Windows API functions to grab a process and capture information about the token associated with the process.  People who attend this talk can expect to learn the inner mechanics of reverse shells and bind shells, Offensive Windows API use, and the basics of exploit coding in the C programming language all under the umbrella of the newly created Impersonator shell.

How many times have you heard, "Are you doing anything right now that could [verb] our [noun]?" The answer is sometimes "Yes", always "Maybe", and hopefully "No". After a recent client call, I set up a range and hammered common web servers to figure out the impact that pentesting tools have on typical client systems. I tried to answer questions like, "Does Nuclei cause performance issues for the target?", "Is testssl.sh slowing down that Linux server?" "How many Gobuster threads does it take to max out a standard WordPress server?" In this talk, I'll discuss results from tool testing that may or may not surprise you but will definitely leave you with more evidence for your next client call.