Hi, this blog post is just a short post to address the technique part in one of my Red Team cases last year. I believe it's worth sharing, so I reproduced this in my lab environment and made this topic. This topic is also presented in RealWorld CTF Live Forum and OWASP Hong Kong 2021 Techday. It's also on YouTube now! Although it is speaking in Mandarin, the slides and subtitles are
Author: Orange TsaiThis is a cross-post blog from DEVCORE. 中文版請參閱這裡
Hi, it’s a long time since my last article. This new post is about my research this March, which talks about how I found vulnerabilities on a leading Mobile Device Management product and bypassed several limitations to achieve
unauthenticated RCE. All the vulnerabilities have been reported to the vendor and
For non-native readers, this is a writeup of my DEVCORE Conference 2019 talk. Describe a misconfiguration that exposed a magic service on port 3097 on our country's largest ISP, and how we find RCE on that to affect more than 250,000 modems :P
大家好,我是 Orange! 這次的文章,是我在 DEVCORE Conference 2019 上所分享的議題,講述如何從中華電信的一個設定疏失,到串出可以掌控數十萬、甚至數百萬台的家用數據機漏洞!
前言
身為 DEVCORE 的研究團隊,我們的工作
First of all, this is such a really interesting bug! From a small memory defect to code execution. It combines both binary and web technique so that’s why it interested me to trace into. This is just a simple analysis, you can also check the bug report and the author neex’s exploit to know the original story :D
Originally, this write-up should be published earlier, but I am now traveling and
Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_)
P.S. This is a cross-post blog from DEVCORE
Hi, this is the last part of Attacking SSL VPN series. If you haven’t read previous articles yet, here are the quick links for you:
Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs
Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as
Author: Meh Chang(@mehqq_) and Orange Tsai(@orange_8361)
This is also the cross-post blog from DEVCORE
Last month, we talked about Palo Alto Networks GlobalProtect RCE as an appetizer. Today, here comes the main dish! If you cannot go to Black Hat or DEFCON for our talk, or you are interested in more details, here is the slides for you!
Infiltrating Corporate Intranet Like NSA: Pre-auth
Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_)
P.S. This is a cross-post blog from DEVCORE
SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take
This is also a cross-post blog from DEVCORE, this post is in English, 而這裡是中文版本!
#2019-02-22-updated
#2019-05-10-updated
#2019-05-10-released-exploit code awesome-jenkins-rce-2019
#2019-07-02-updated the slides is out!
---
Hello everyone!
This is the Hacking Jenkins series part two! For those people who still have not read the part one yet, you can check following link to get some basis and
This is a cross-post blog from DEVCORE, this post is in English, 而這裡是中文版本!
# Part two is out, please check this
---
In software engineering, the Continuous Integration and Continuous Delivery is a best practice for developers to reduce routine works. In the CI/CD, the most well-known tool is Jenkins. Due to its ease of use, awesome Pipeline system and integration of Container, Jenkins is
In every year’s HITCON CTF, I will prepare at least one PHP exploit challenge which the source code is very straightforward, short and easy to review but hard to exploit! I have put all my challenges in this GitHub repo you can check, and here are some lists :P
2017 Baby^H Master PHP 2017 (0/1541 solved)
Phar protocol to deserialize malicious object
Hardcode anonymous function
Hi! This is the case study in my Black Hat USA 2018 and DEFCON 26 talk, you can also check slides here:
Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out
In past two years, I started to pay more attention on the “inconsistency” bug. What's that? It’s just like my SSRF talk in Black Hat and GitHub SSRF to RCE case last year, finding inconsistency between the URL parser
gCalc is the web challenge in Google CTF 2018 quals and only 15 teams solved during 2 days’ competition!
This challenge is a very interesting challenge that give me lots of fun. I love the challenge that challenged your exploit skill instead of giving you lots of code to find a simple vulnerability or guessing without any hint. So that I want to write a writeup to note this :P
The challenge
Author: Orange Tsai(@orange_8361) from DEVCORE
Recently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities.
This is an simple and interesting case, and seems easy to exploit in real world!
Affected
All PHP version
PHP 5 < 5.6.33
PHP 7.0 < 7.0.27
PHP 7.1 < 7.1.13
PHP 7.2 < 7.2.1
Vulnerability Details
The vulnerability is on the
Hi, it’s been a long time since my last blog post.
In the past few months, I spent lots of time preparing for the talk of Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEFCON speaker is part of my life goal ever. This is also my first English talk in such formal conferences. It's really a memorable experience :P
Thanks Review Boards for the acceptance.
This post is a simple
Before
GitHub Enterprise is the on-premises version of GitHub.com that you can deploy a whole GitHub service in your private network for businesses. You can get 45-days free trial and download the VM from enterprise.github.com.
After you deployed, you will see like bellow:
Now, I have all the GitHub environment in a VM. It's interesting, so I decided to look deeper into VM :P
把出過的 CTF Web 題都整理上 GitHub 惹,包括原始碼、解法、所用到技術、散落在外的 Write ups 等等
This is the repository of CTF Web challenges I made. It contains challs's source code, solution, write ups and some idea explanation.
Hope you will like it :)
https://github.com/orangetw/My-CTF-Web-Challenges
This is my talk about being a Bug Bounty Hunter at HITCON Community 2016
It shared some of my views on finding bugs and some case studies, such as
Facebook Remote Code Execution... more details
Uber Remote Code Execution... more details
developer.apple.com Remote Code Execution
abs.apple.com Remote Code Execution
b.login.yahoo.com Remote Code Execution... more details
eBay SQL Injection
千呼萬喚始出來XD
How I Hacked Facebook, and Found Someone's Backdoor Script (English Version)
滲透 Facebook 的思路與發現 (中文版本)
看來再找一個 Google 的 RCE 就可以把各大公司的 RCE 系列給蒐集全了XD