Manish Kishan Tanwar, Security Consultant @ MDSec, @IndiShell1046
Karan Raheja, Senior Security Engineer at ServiceNow
Manish is interested in web app sec, network Pentest, Cloud environment, Active Directory exploitation, and has a love of developing vulnerable labs and web shell in his spare time.
Manish has published exploits and papers related to SQL Injection research on Exploit-DB platform.
Speaking experience:
a) SANS Hackfest 2022
b) SteelCon (UK) 2022
c) Blackhat MEA 2023
d) VulnCon 2024, 2025
e) MCTTP 2025
Karan has been working as an Offensive Security Pentester for close to 07 years now. Most of his work is around the web application security, network pentesting, active directory and cloud security domains.
In the past, he has presented at multiple international conferences such as:
1. The Hack Summit '23
2. BlackHat MEA '23
3. VulnCon '24
talks & Q&A
Web Server by Day, C2 by Night: Weaponizing IIS for Active Directory Post-Exploitation
Description:
It started with a CrowdStrike-protected machine inside an enterprise network - over $1 billion in revenue, 20,000+ Windows hosts. We had local administrator access, an ESC1-vulnerable AD CS certificate template that was accessible to the machine account, and reachable only through the web enrollment endpoint. and an EDR that refused to let us anywhere near the machine account credentials we needed.
Somewhere in that challenging moment, A thought surfaced, What if the web server was already our C2?
In this session, we'll share how that one real-world challenge became the seed of an entire offensive playbook and inspired us to explore what an IIS web server is truly capable of inside an Active Directory environment. Out of that experimentation, we came up with a complete "Living Off the Web Server" playbook covering enumeration, exploitation, and privilege escalation tricks. The best part? No need to drop any publicly known offensive tools or any type of binaries.
