630 Posts In Total


Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

Humans will always flock to the simplest, cheapest distractions available and towards the social setting which offers them most comfort with least investments required and lowest entry barrier available.

How I discovered the vulnerability in Huawei’s AppGallery, the consequences and what happened.

Back in February 2022, a developer I know released an app on the AppGallery. While looking at the listing of the app, I started wondering how Huawei’s API worked. After a few minutes, I finally figured out one API that took a package name as a parameter and returned a JSON object with the details of the app. At that point I didn’t know what I would find later on, so I just tried the API with the package name of a known free app: Huawei’s AppGallery itself. Vulnerability in Huawei’s AppGallery: can download paid apps for free

The Universe dreams through our dreams.

EMBA is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the firmware extraction process, doing static analysis and dynamic analysis via emulation and finally generating a report. EMBA automatically discovers possible weak spots and vulnerabilities in firmware. Examples are insecure binaries, old and outdated software components, potentially vulnerable scripts or hard-coded passwords. EMBA is a command line tool with the option to generate an easy to use web report for further analysis.

EMBA combines multiple established analysis tools and can be started with one simple command. Afterwards it tests the firmware for possible security risks and interesting areas for further investigation. No manual installation of all helpers, once the integrated installation script has been executed, you are ready to test your firmware.

EMBA is designed to assist penetration testers and not as a standalone tool without human interaction. EMBA should provide as much information as possible about the firmware, that the tester can decide on focus areas and is responsible for verifying and interpreting the results. The security analyzer for embedded device firmware

Larascript is a script which take advantage from CVE-2018-15133 and can execute remote commands if a vulnerable Laravel app is exposed. You can send commands and get response such as get cat /etc/passwd. But you also can ask for a shell so it gives you a reverse shell.

It has some argument personalization so you can specify what type of reverse shell you get (bash or sh), what reverse shell language use to retrieve the shell (PHP, bash, mkfifo, Python…) or the Laravel RCE method (1,2,3 or 4). It also provides a good shell interaction and references to the shell treatment or Linux privilege escalation. CVE-2018-15133: Laravel RCE

In this list I decided to share most of the tools I utilize in authorized engagements, along with my personal ranking of their value based on their usage and for you to consider if they should be in your toolkit, including where to find some of them, and in some cases I will also include some other alternatives. My goal with this list is to help fellow Red Teamers with a ‘checklist’, for whenever they might be missing a tool, and use this list as a reference. Red Team - Physical Security

Reproducing is like involuntary manslaughter because from the moment of birth you’ve condemned someone new to death.

One of the most profound moral realization out there is that morality is a social construct that doesn’t tangibly exist in reality, a cultural fan-fiction on a grand scale.

frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. As of now, it supports TCP and UDP, as well as HTTP and HTTPS protocols, where requests can be forwarded to internal services by domain name.

frp also has a P2P connect mode. frp

pyCobaltHound is an Aggressor script extension for Cobalt Strike which aims to provide a deep integration between Cobalt Strike and Bloodhound.

pyCobaltHound strives to assists red team operators by:

  • Automatically querying the BloodHound database to discover escalation paths opened up by newly collected credentials.
  • Automatically marking compromised users and computers as owned.
  • Allowing operators to quickly and easily investigate the escalation potential of beacon sessions and users.

To accomplish this, pyCobaltHound uses a set of built-in queries. Operators are also able to add/remove their own queries to fine tune pyCobaltHound’s monitoring capabilities. This grants them the flexibility to adapt pyCobaltHound on the fly during engagements to account for engagement-specific targets (users, hosts etc..). pyCobaltHound

CVE-2022-21972 is a Windows VPN Use after Free (UaF) vulnerability that was discovered through reverse engineering the raspptp.sys kernel driver. The vulnerability is a race condition issue and can be reliably triggered through sending crafted input to a vulnerable server. The vulnerability can be be used to corrupt memory and could be used to gain kernel Remote Code Execution (RCE) or Local Privilege Escalation (LPE) on a target system. CVE-2022-21972: Windows Server VPN Remote Kernel Use After Free Vulnerability

Intellectual property is a meme.

The basis for this introduction will be a challenge from the hxp2020 CTF called “kernel-rop”. There’s (obviously) write-ups for this floating around the net (check references) already and as it turns out this exact challenge has been taken apart in depth by (ChrisTheCoolHut and @_lkmidas), for part two I’ll prepare a less prominent challenge or ignore those CTF challenges completely… So, this here very likely won’t include a ton of novelty compared to what’s out there already. However, that’s not the intention behind this post. It’s just a way for me to persist the things I learned during research and along the way to solving this one. Another reason for this particular CTF challenge is its simplicity while also being built around a fairly recent kernel. A perfect training environment :)! Learning Linux kernel exploitation - Part 1 - Laying the groundwork and Learning Linux kernel exploitation - Part 2 - CVE-2022-0847