Sec Team Blog

Apiculture 2 write-up

29 March 2022 at 20:13
The Apiculture challenges are dedicated to API attacks. The second level basically looks like a webpage dedicated to beehives: A quick look in the Developer Tools reveals a call to the /api/v4/products/ endpoint: This endpoint indeed permits retrieving the beehives JSON. It is also impacted by an Improper Data Filtering vulnerability since it contains …

GDBug write-up

29 March 2022 at 19:21
The GDBug file is an ELF binary: It simply requires a valid serial that we should identify: The strings do not reveal anything, besides a fake flag which is not accepted: Anyway, the binary doesn’t seem to have particular protections: There only seems to be a basic anti-debug: But old versions of GDB and Radare2 …

Splunk Boss Of The SOC (BOTS) @Insomni’hack

4 April 2022 at 09:28
It was a pleasure this year to meet you at the 2022 edition of our amazing security conference Insomni’hack! In collaboration with Splunk, we came back this year with the “Splunk Boss Of The SOC” challenge. What is BOTS and its history Boss Of The SOC (BOTS) is a blue-team version of a capture-the-flag competition. …

Automatically extracting static antivirus signatures

By: plowsec
5 April 2022 at 09:42
This blog post accompanies the talk we gave at Insomni’hack 2022. The source code as well as the slides can be found at: https://github.com/scrt/avdebugger Introduction What can we do when a tool that we use during pentest engagements becomes detected by antivirus software? For a long time, the answer was: use a packer. After a …

Statically encrypt strings in a binary with Keystone, LIEF and radare2/rizin

By: plowsec
11 April 2022 at 10:09
In our journey to try and make our payload fly under the radar of antivirus software, we wondered if there was a simple way to encrypt all the strings in a binary, without breaking anything. We did not find any satisfying solution in the literature, and the project looked like a fun coding exercise so …

Engineering antivirus evasion (Part III)

By: plowsec
19 April 2022 at 10:05
Previous blog posts addressed the issue of static artefacts that can easily be caught by security software, such as strings and API imports: This one provides an additional layer of obfuscation to target another kind of detection mechanism used to monitor a program’s activity, i.e. userland hooks. As usual, source code was published at https://github.com/scrt/avcleaner …

Getting Started With SplunkUI

3 January 2023 at 13:06
When developing new Splunk apps with a customised user interface, everything but SplunkUI is deprecated. Thus, it is only a matter of time before you need to jump from that building with faith. Most Splunk users are not web developers. Developing web UI is known to be a nightmare, that’s why they chose to be …

Producing a POC for CVE-2022-42475 (Fortinet RCE)

14 March 2023 at 10:24
Late last year a new remote code execution vulnerability was discovered in Fortinet’s SSLVPN service. Given the relative lack of information surrounding it at the time, and the fact I’d have some uninterrupted research time due to a lengthy flight, I decided to attempt to produce a POC for the vulnerability. Background information I started …

Bypassing PPL in Userland (again)

17 March 2023 at 15:54
This post is a sequel to Bypassing LSA Protection in Userland and The End of PPLdump. Here, I will discuss how I was able to bypass the latest mitigation implemented by Microsoft and develop a new Userland exploit for injecting arbitrary code in a PPL with the highest signer type. The current state of PP(L)s …

Attacking Android Antivirus Applications

By: 2Dai
29 March 2023 at 12:43
Although the usefulness of security tools such as Antivirus, VPN and EDR is now indisputable in business circles, these solutions often need a lot of privileges and permissions to work properly, also making them an excellent target for an attacker. The presence of a bug in one of these types of solutions could allow a …


Insomni’hack 2023 – hex-filtrate writeup

1 April 2023 at 19:12
In this forensic challenge, a company has been compromised and their initial investigation led to a suspicious workstation. The CEO was very anxious about a potential exfiltration, and we were provided with a network dump of that workstation in the hope that we would be able to help him make some sweet dreams again. After …

Insomni’hack 2023 CTF Teaser – DoH ! writeup

By: qlu
13 April 2023 at 14:26
For this 2023 edition, I chose to focus on the DoH (DNS Over Https) protocol because it has gained popularity for attackers as a command and control (C2) communication channel for hiding DNS traffic through HTTPS rather than using the traditional DNS tunneling. In this post, I will describe in detail how to solve the …

Apache Solr 8.3.1 RCE from exposed administration interface

1 May 2023 at 07:41
Back in 2020, during an external pentest, I stumbled upon a visible Solr administration panel. With nothing else of interest, I focused on this specific application to test what was hidden underneath. The version of Apache Solr was 8.3.1 and running on Windows. Note that this pentest was performed in 2020, way before the discovery …

CVE-2022-41099 – Analysis of a BitLocker Drive Encryption Bypass

14 August 2023 at 14:12
In November 2022, an advisory was published by Microsoft about a BitLocker bypass. This vulnerability caught my attention because the fix required a manual operation by users and system administrators, even after installing all the security updates. Couple this with the fact that the procedure was not well documented initially, and you have the perfect …

A Deep Dive into TPM-based BitLocker Drive Encryption

15 September 2023 at 15:14
When I investigated CVE-2022-41099, a BitLocker Drive Encryption bypass through the Windows Recovery Environment (WinRE), the fact that the latter was able to transparently access an encrypted drive without requiring the recovery password struck me. My initial thought was that there had to be a way to reproduce this behavior and obtain the master key …

Exploiting stale ADIDNS entries

25 September 2023 at 09:46
The correct IP address is sometimes all you need to exploit a remote target. Background I realise this article will not help me with my colleagues who believe I just happen to get lucky on every assessment I’m on. Nevertheless, during a recent internal pentest, our first objective was to attempt to bypass the Network …