All articles

Parsing the msDS-KeyCredentialLink value for ShadowCredentials attack
In-depth explanation of the msDS-KeyCredentialLink attribute used in a shadow credentials attack, and how to parse it.
Windows debugging - Analyzing a BSOD crash dump
Learn how to analyze a BSOD crash dump on Windows to understand what happens during a system crash and how to troubleshoot effectively.
Windows Services passwords stored in the LSA
Windows services often run under a specific account, but where and how are the service account passwords stored? How can they be extracted?
Python vulnerabilities: Code execution in jinja templates
We will see how to create context-free payloads for jinja2, always allowing direct access to the os module in a jinja2 template without requirements. These payloads will be particularly useful for exploiting SSTI vulnerabilities.
Analysis and repair of an IBM Model M keyboard
Complete analysis and restoration of a 1990s mechanical IBM Model M keyboard, an iconic model known for its manufacturing quality and unique buckling spring mechanism.
EC2 & RootMe - Realistic challenge Escalate Me
Writeup of the realistic challenge Escalate Me offered by the RootMe platform at the European Cyber Cup 2022 in Lille.
CVE-2022-29710 - LimeSurvey - XSS with plugin upload in uploadConfirm.php
LimeSurvey v5.3.9 and below allows attackers to include JavaScript or HTML code in the config.xml file of a plugin.
CVE-2022-30780 - Lighttpd - Denial of Service
Some versions of lighttpd mishandle HTTP requests whose URL exceeds the maximum URL length, resulting in a denial of service.
CVE-2022-26159 - Ametys CMS - Unauthenticated information disclosure
The auto-completion plugin in Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/domain/en.xml.
Useful LDAP queries for Windows Active Directory pentesting
We will see a few common queries to find useful information in LDAP during a Windows Active Directory pentest.
Writing an exploit for RemoteMouse 3.008
In this article we will analyze an exploit for RemoteMouse 3.008 allowing unauthenticated keyboard control of a remote machine.
Exploiting Adminer's file read vulnerability with LOCAL DATA
Improper Access Control in Adminer versions <= 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the server by connecting a remote MySQL database to Adminer.
Active Directory Sites and Subnets enumeration
Enumerating Active Directory sites and subnets is an important part of the enumeration phase. We will see how to extract them from Windows and Linux.
GreHack 2021 - Optimizing Server Side Template Injections payloads for jinja2
A talk on optimizing SSTI payloads in jinja2 to achieve remote code execution, presented at GreHack 2021.
Windows Security Questions stored in the LSA
Windows account security questions are a good way to recover your password. Where and how are they stored? How to extract them?
Scraping search APIs - Depth first style
We will see how to perform a depth-first search over a web application's search APIs to extract database content efficiently.
UNIX Shells dropping SUID rights in shellcodes
Newer versions of UNIX shells no longer transfer SUID rights by default. We will see how to get around this protection.
Python context free payloads in Mako templates
We will see how to create context-free payloads for Mako, always allowing direct access to the os module from the template without requirements. These payloads will be particularly useful for exploiting SSTI vulnerabilities.
IBM AS/400 - Configuration TCP/IP
In order to use the TCP/IP interfaces of the IBM AS/400, they must be configured. In this article, we will see how to enable and configure the TCP/IP service to access the local network through Ethernet.
CVE-2021-43008 - Adminer - Arbitrary file read
Adminer versions <= 4.6.2 (fixed in version 4.6.3) allow an attacker to perform arbitrary file read on the server by connecting a remote MySQL database to Adminer.
Windows Hardening - Disabling the Print Spooler
Windows Print Spooler is a service with many vulnerabilities. In this article we will see 3 methods to disable this service.
Analysis of the June 2021 data dump containing 700 million Linkedin accounts
On June 22, 2021, an aggregate of data concerning 700 million LinkedIn accounts was offered for sale on a forum. We will analyze its content in detail.
IPL types and modes for IBM AS/400
IBM mainframes such as the IBM AS/400 use an Initial Program Load (IPL) at machine startup. In this article we will see the different IPL types and modes of the AS/400.
Restoring an IBM AS/400 (9401-150)
IBM AS/400s are legendary mainframes still present in many companies. In this article I detail how I completely restored an AS/400 9401-150 server.
Windows Reverse Shells Cheatsheet
Windows Reverse Shells: 3 payloads in 1 language!
SSH Port forwarding
There are different types of port forwarding over an SSH connection. Remote, local and dynamic port forwarding: how do they work, and how do you choose between them? This is what we will see in this article!
Exploiting Windows Group Policy Preferences
Group Policy Preferences (GPP) can be very dangerous if they are used to store passwords. To quickly find these in a pentest, we made a tool with Shutdown that crawls Windows shares and extracts these passwords!
UNIX Reverse Shells Cheatsheet
UNIX Reverse Shells: 42 payloads in 17 different languages!
HeroCTF 2021 - Rooter l'infra, for fun and CTF points
This writeup describes how I became root on the server hosting the HeroCTF v3 kernel challenges, by exploiting a vulnerable challenge.
FCSC 2021 - Writeups of the introduction category
FCSC 2021 - Writeups of the introduction category (Pwn, Crypto, Forensics, Hardware, Reverse, Web)
FCSC 2021 - Intro - bofbof
This writeup covers a basic stack buffer overflow in the bofbof challenge of the France CyberSecurity Challenge (FCSC) 2021.
FCSC 2021 - Intro - Bonus Points
In this challenge you will discover and exploit an unsigned integer overflow vulnerability to set an arbitrary score in this service.
FCSC 2021 - Intro - Known Plaintext
In this challenge, you will analyze this XOR cryptosystem to decipher the flag.
FCSC 2021 - Intro - Dérèglement
This forensics challenge addresses the DOCX file format, in which a flag is hidden in plaintext.
FCSC 2021 - Intro - File format
This challenge will teach you the basics of the IQ file format, used to save radio frequency signal captures.
FCSC 2021 - Intro - guessy
In this challenge you will learn how to reverse a basic crackme with several basic validation steps.
FCSC 2021 - Intro - La PIN
This challenge focuses on a weak Python script using AES-GCM to encrypt the flag.
FCSC 2021 - Intro - Push it to the limit
This web application is vulnerable to an SQL injection in the login page. We will exploit it to bypass the authentication page and extract the administrator password.
FCSC 2021 - Intro - Random Search
This web application allows us to perform a Stored Cross Site Scripting (XSS) attack. We will use it to retrieve the administrator's cookies and get the flag.
FCSC 2021 - Intro - Rituel du Boutisme
In this forensics challenge we need to find a flag in a disk image. We will need to change the endianness to read the flag with strings.
FCSC 2021 - Intro - Rituel en Chaine
In this forensics challenge, we need to find a flag in a disk image. To do this, we'll use the powerful strings command.
FCSC 2021 - Intro - Snake
This challenge gives us access to a Python interpreter and asks us to read flag.txt. We will read the file and, for fun, open a shell afterwards.
FCSC 2021 - Intro - Waterfall
A flag was hidden in the spectrogram of this signal. We will open the IQ file and display it as a waterfall to get it!
HeroCTF 2021 - DevOps Box writeup
In this challenge, we will attack a DevOps Box in several steps. We will exploit a Jenkins server to get a user reverse shell, then escalate privileges to root using Ansible.
TTYs and where to find them
TTYs and where to find them
Python format string vulnerabilities
Python format strings can be very useful but they can be prone to vulnerabilities when misused.
Exploiting Micro Focus Enterprise Server Administration (ESA) 1.09.56 to root the host
In this article I will demonstrate how to exploit Micro Focus Enterprise Server Administration (ESA) 1.09.56 to create a root account on the host server.
Exploiting CVE-2020-14144 - GiTea Authenticated Remote Code Execution using git hooks
The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood.
DVID Writeup 06 - Bluetooth - Characteristics 2
This challenge focuses on Bluetooth Low Energy characteristics for IoT devices.
DVID Writeup 05 - Bluetooth - Characteristics
This challenge focuses on Bluetooth Low Energy characteristics for IoT devices.
DVID Writeup 04 - Bluetooth - Advertising
This challenge focuses on the advertising phase of Bluetooth Low Energy for IoT devices.
DVID Writeup 03 - Firmware - Default password
In this challenge, you will learn about the dangers of default passwords in IoT devices.
DVID Writeup 02 - Firmware - Hardcoded password
In this challenge, we will focus on an extremely common vulnerability: default hardcoded passwords.
DVID Writeup 01 - Hardware - Find the Datasheet
In this challenge, you will learn how to burn a firmware and interact with the Damn Vulnerable IoT Device (DVID).
Damn Vulnerable IoT Device (DVID) writeup series
The Damn Vulnerable IoT Device (DVID) project aims to provide a device to experiment with common attacks on the Internet of Things (IoT).
Reverse Shells 101
This article explains the necessary components to create a reverse shell.
Constructing a semi-interactive reverse shell with curl
This article details how I created a curl-based reverse shell, from scratch.
Constructing a semi-interactive reverse shell with wget
This article details how I created a wget-based reverse shell, from scratch.
CVE-2020-16148 - Telmat - Authenticated root RCE
An authenticated code injection on the Administration avancee (Advanced administration) page of Telmat AccessLog, Git@Box and Educ@Box with software version <= 6.0 (TAL_20180415) allows Remote Code Execution (RCE) as root.
CVE-2020-16147 - Telmat - Unauthenticated root RCE
An unauthenticated code injection on the login page of Telmat AccessLog, Git@Box and Educ@Box with software version <= 6.0 (TAL_20180415) allows Remote Code Execution (RCE) as root.
PagedOut Issue 2: What if - Infinite Malloc
What would happen if we tried to allocate an infinite amount of memory? This is what we will try to discover in this article!
Why Building an OS/400 Lab at Home Was Harder Than I Expected