2024
make prs, not war
Everyday we’re faced with a choice – some glaringly obvious, others more subtle. The choice to give, or to take, is something that I believe is deeply rooted in each of us, and choosing to give, to contribute no matter how big or small, almost always ends up bigger than ourselves. Imagined by us, and illustrated by the amazingly talented @christidutoit, I’m excited to show you “make pr’s, not war”…
Dumping LSA secrets: a story about task decorrelation
While doing an internal assessment, I was able to compromise multiple computers and servers but wasn’t able to dump the LSA secrets because of a particular EDR being installed and pretty aggressive against me. In this blog post we’ll see how this EDR was blocking me and why it is still possible to dump these secrets exploiting decorrelation attacks! As a bonus, I’ll show you a fancy way of retrieving…
From a GLPI patch bypass to RCE
GLPI is a popular software used by companies, mainly in France. GLPI is usually used for two main purposes. Firstly it allows companies to see the inventory of their different equipment (such as: computers, software, printers, etc…). Secondly it is used for its ticketing system, allowing users to create tickets about their issues. It also has different roles for each user, those who can only create tickets (low privileges user),…
Targeting an industrial protocol gateway
Inside industrial systems (also known as Operational Technology, or OT), devices communicate with each other and can be accessed over IP using familiar IT protocols (such as SSH, web services, etc.), as well as with a variety of industrial network protocols. Among them, you may have heard of Modbus, maybe S7comm, OPC-UA and a few others, but do you know all the industrial protocols you could find on industrial networks?…
Guest vs Null session on Windows
If you have been doing internal assessments on Active Directory infrastructure you may have heard the following words: “Null session”, “Guest session” and “Anonymous session”. These words describe techniques that can be used on Windows servers to connect to resources and obtain information about a computer or Active Directory objects such as users or SMB shares you have access on. Even if these techniques are well known I realised that…
From Discovery to Disclosure: ReCrystallize Server Vulnerabilities
TL&DR – While on an assessment, I found an instance of ReCrystallize Server. It had many problems, some of which had to do with insufficient hardening on the client’s side while others were new vulnerabilities I found that when chained together, achieve Remote Code Execution (RCE). These vulnerabilities were disclosed to ReCrystallize Software and MITRE. Besides the disclosed vulnerabilities, some “features” were also used for malicious purposes. The replication and…
Mail in the Middle – A tool to automate spear phishing campaigns
In the chilly month of December 2023, my colleagues Jason (@BreakerOfSigns), Szymon (@TH3_GOAT_FARM3R), and myself (@felmoltor) were on a red team. This one was tough, but we had fun. We had to be a bit more creative than I am used to and two interesting things were done that are worth sharing: Szymon and Jason physically broke into the client’s facilities. At a branch office, they left an implant using…
Deck of Cards CTF
I created a small crypto style CTF for Black Hat last year (we’re training again this year, check our courses out) and hid the starting point in an “easter egg” on a deck of cards. The deck of cards are a custom design by the SensePost training team, which were themed around hacking and were handed out during the conference. This post covers how we built it, and how to…
Serial PitM
Sometimes you need to get in the way of a hardware device and its controller, and see what it has to say for itself. If you are lucky, the two parts are communicating using a serial port, and then it’s relatively simple to do. In this post, I will explain two scenarios where I had to do this, and the approach that I took in each. As a bonus, I’ll…
Sensecon 23: from Windows drivers to an almost fully working EDR
TL;DR I wanted to better understand EDR’s so I built a dummy EDR and talk about it here. EDR (Endpoint Detection and Response) is a kind of security product that aims to detect abnormal activities being executed on a computer or a server. When looking for resources about how EDR’s work, I realised that, even if there is a lot of literature available about EDR’s, there aren’t many articles explaining…
Page 1 of 1