Using AFL++ on bug bounty programs: an example with Gnome libsoup
Published on Wed 30 October 2024 by @sigabrt9
A case study in using AFL++, afl-cov and basic custom harnesses to find a bug in libsoup for a public bug bounty program.
CVE-2024-45844: Privilege escalation in F5 BIG-IP
Published on Thu 17 October 2024 by myst404 (@myst404_)
This article describes the root cause of CVE-2024-45844 in F5 BIG-IP.
Deep diving into F5 Secure Vault
Published on Tue 04 June 2024 by myst404 (@myst404_)
This article describes in detail how the F5 Secure Vault works. Security weaknesses were found during this analysis.
Post-Exploiting an F5 Big-IP: root, and now what?
Published on Wed 29 May 2024 by @lowercase_drm, myst404 (@myst404_)
This article describes multiple post-exploitation techniques specific to F5 BIG-IP. It includes capabilities such as intercepting/decrypting TLS traffic or decrypting secrets in the Secure Vault. Detection methods are provided for Blue Teams.
LDAP authentication in Active Directory environments
Published on Tue 31 October 2023 by @lowercase_drm
Understanding the different LDAP authentication methods is fundamental to understanding subjects such as relay attacks and their countermeasures. This post introduces them through the lens of Python libraries.
Windows Installer arbitrary content manipulation Elevation of Privilege (CVE-2020-0911)
Published on Thu 06 July 2023 by @clavoillotte
The Windows Installer accesses the MSI files in C:\Windows\Installer while impersonating the user (and using the impersonated user's device map), and trusts these files to perform elevated/privileged operations such as registry key creation. This can be abused by an unprivileged user to obtain SYSTEM privileges.
Authenticating with certificates when PKINIT is not supported
Published on Wed 04 May 2022 by Yannick Méheut
A certificate obtained through Active Directory Certificate Services is usually used to get a TGT or recover the NT hash using PKINIT. But what can we do when it's not possible?
Bypassing LDAP Channel Binding with StartTLS
Published on Thu 28 April 2022 by @lowercase_drm
While doing research on LDAP client certificate authentication, we realized that the LDAP implementation of Active Directory supports the StartTLS mechanism, which has interesting implications on relay attacks.
LDAP relays for initial foothold in dire situations
Published on Mon 28 March 2022 by @SAERXCIT
Implementing existing attacks and techniques that normally require a domain account as black-box LDAP relays, to facilitate gaining initial access to a hardened domain.
HowTo: intercept mutually-authenticated TLS communications of a Java thick client
Published on Wed 31 March 2021 by @SAERXCIT
A quick guide on using jdb to intercept the TLS communications of a hardened Java thick client that implements client certificate authentication and certificate pinning.
(Super) Magic Hashes
Published on Mon 07 October 2019 by myst404 (@myst404_)
Magic hashes are well-known hashes used to exploit type juggling attacks in PHP. Combined with bcrypt limitations, we propose the concept of Super Magic Hashes. These hashes can detect 3 different vulnerabilities: type juggling, weak password storage and incorrect bcrypt usage. A Go PoC found some MD5, SHA1 and SHA224 super magic hashes.
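As an added illustration of the type-juggling half of the entry above (this is editor-written example code, not the article's Go PoC, and it does not model the bcrypt-related "super" extension): a hex digest of the form `0e` followed only by decimal digits is parsed by PHP's loose `==` as the float literal `0e…`, i.e. `0.0`, so any two such digests compare equal. The candidate list below is constructed for the example; the two preimages `240610708` and `QNKCDZO` are the classic MD5 magic-hash inputs.

```python
"""Added example: detecting PHP magic hashes and emulating the loose comparison.

A "magic hash" is a hex digest matching 0e<digits only>. PHP's == treats two
numeric strings numerically (this is still true in PHP 8), so every magic
hash compares equal to every other magic hash and to "0".
"""
import hashlib
import re

# "0e" followed by decimal digits only: PHP reads this as 0 * 10^N == 0.0.
MAGIC_RE = re.compile(r"0e[0-9]+")

# Float-literal subset of PHP's numeric-string grammar, enough for hex digests.
NUMERIC_RE = re.compile(r"[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")


def is_magic(hexdigest: str) -> bool:
    """True when PHP's loose == would treat this digest as the number 0."""
    return MAGIC_RE.fullmatch(hexdigest) is not None


def php_loose_equal(a: str, b: str) -> bool:
    """Emulate PHP's string == string: numeric strings compare as numbers,
    anything else compares byte for byte."""
    if NUMERIC_RE.fullmatch(a) and NUMERIC_RE.fullmatch(b):
        return float(a) == float(b)
    return a == b


def find_magic(candidates, algo="md5"):
    """Return {candidate: digest} for every candidate whose digest is magic.

    `algo` is any name accepted by hashlib.new (md5, sha1, sha224, ...)."""
    found = {}
    for cand in candidates:
        digest = hashlib.new(algo, cand.encode()).hexdigest()
        if is_magic(digest):
            found[cand] = digest
    return found


# Constructed candidate list: two well-known MD5 magic-hash preimages plus
# ordinary strings whose digests are not magic.
CANDIDATES = ["240610708", "QNKCDZO", "password", "admin", "0"]

if __name__ == "__main__":
    hits = find_magic(CANDIDATES)
    for cand, digest in hits.items():
        print(f"{cand!r} -> md5 {digest}")
    # Both digests are loosely equal, so a check such as
    # `if (md5($input) == $stored_md5)` accepts either password for the other's hash.
    digests = list(hits.values())
    print("PHP loose equal:", php_loose_equal(digests[0], digests[1]))
```

The same `find_magic` loop works for SHA1 or SHA224 by changing `algo`; a real search needs far larger candidate spaces than this constructed list, since a random MD5 digest is magic with probability roughly (1/16)^2 * (10/16)^30.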
An introduction to privileged file operation abuse on Windows
Published on Wed 20 March 2019 by @clavoillotte
This is a (somewhat long) introduction to abusing file operations performed by privileged processes on Windows for local privilege escalation (user to admin/SYSTEM), and a presentation of the available techniques, tools and procedures to exploit these types of bugs.
UAC bypass via elevated .NET applications
Published on Fri 15 September 2017 by @clavoillotte
.NET Framework can be made to load a profiling DLL or a COM component DLL via user-defined environment variables and CLSID registry entries, even when the process is elevated. This behavior can be exploited to bypass UAC in default settings on Windows 7 to 10 (including the latest RS3 builds) by making an auto-elevate .NET process (such as MMC snap-ins) load an arbitrary DLL.