Pen Test Partners

ISC2 East of England Chapter

Building Cyber AI Confidence event on ‘Flirting with AI: Pwning Websites Through Their AI Chatbot Agents and Politely ...
Pen Test Partners

The built-in Windows security features you should be using

TL;DR Introduction  It’s more common than you might think to miss built-in defences. Windows has a lot of features that help ...
pentestpartners.com

Cybersec Europe 2026

222 Broadway 22nd Floor, Suite 2525,New York, ...
pentestpartners.com

Pwning CCTV cameras

CCTV is ubiquitous in the UK. A recent study estimates there are about 1.85m cameras across the UK – most in private premises. Most of those cameras will be connected to some kind of recording device, ...
pentestpartners.com

Hacking the Mitsubishi Outlander PHEV hybrid

The Mitsubishi Outlander plug in hybrid electric vehicle (PHEV) is a big-selling family hybrid SUV. It has an electric range of up to 30 miles or so plus petrol range of another 250ish miles. We ...
pentestpartners.com

eyeDisk. Hacking the unhackable. Again

Last year, about the time we were messing around with a virtually unheard-of hardware wallet we got a bit excited about the word “unhackable”. Long story short, I ended up supporting a selection of ...
pentestpartners.com

Living off the land, GPO style

The ability to edit Group Policy Object (GPOs) from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog post takes a deep dive into what ...
pentestpartners.com

SweetPotato – Service to SYSTEM

I’ve had a keen interest in the original RottenPotato and JuicyPotato exploits that utilize DCOM and NTLM reflection to perform privilege escalation to SYSTEM from service accounts. The applications ...
pentestpartners.com

Drilling open a smart door lock in 4 seconds

The BBC asked us to have a look at some smart locks for a TV show recently. We didn’t have much prep time, but were genuinely shocked by just how easy this one was to compromise. Usually, we spend ...
pentestpartners.com

Call centres. Outbound call verification

One way to deal with this is to call the company back on a validated number, a number not provided by the caller. The challenge here is that it’s often difficult to get back to the original person, or ...
pentestpartners.com

Pwning WordPress GraphQL

Third-party plugins are often the security Achilles heel of Content Management Systems (CMS). It seems like not a month goes by without one security researcher or another uncovers a vulnerability in a ...
pentestpartners.com

DCOM abuse and lateral movement with Cobalt Strike

When researching lateral movement techniques I came across a post from Raphael Mudge (of Cobalt Strike fame). He details scripting an Aggressor Script for Matt Nelson’s MMC20.Application Lateral ...