GLPI (Gestionnaire libre de parc informatique) is popular open-source software in France and Brazil. It is used to create a map of a network through an inventory plugin, but also to gather users’ issues through a ticket system. As I was wondering how the update mechanism worked in GLPI, I saw something really interesting in this file. It is important to note that most of the GLPI files are…
TL;DR In this blog I want to show you how useful frida-trace can be at hooking thousands of methods at a time. I also wrote some scripts for improving its output a bit. I often find that half of the problem is finding out what you don’t know. Take a mobile application for instance: Which class is responsible for the SSL pinning? Which class does the crypto? What method is…
TL;DR How to do NoSQL error-based injection In this second blog post on NoSQL injection (read the first one here), I discuss how to do error-based injection. I think this might be a novel approach – at least my Google search-fu isn’t finding anything. When trying to extract information via NoSQL injection, you typically make use of Boolean conditions to figure out a character. PortSwigger has a couple of examples…
A few years ago, I tried my hand at the now-retired CAPTCHA Forest CTF, which was part of the nullcon HackIM 2019. I wanted to solve it using computer vision and machine learning. This started me on a path of discovery and incremental improvements that finally resulted in capchan, a generic CAPTCHA-to-text tool. This post is broken into four parts: The first CTF The second CTF Neural…
TL;DR: I found a cool way to get rid of pre-conditions in NoSQL syntax injections I have been investigating NoSQL injection for a bit, trying to make it better, or at least somewhat equivalent to SQL injection. One of the things that are tricky with NoSQL injection is getting rid of pre- and post-conditions. For this post I’m focusing on MongoDB, so s/NoSQL injection/Mongo injection/g In case you forgot, most…
During the last SenseCon we had at Orange Cyberdefense in May 2024 (see https://sensepost.com/blog/sensecon/), we usually either pick from a list of ideas or pitch our own to implement in the 24 hours, working on whatever project is itching you. I proposed a few ideas. I’ll leave some of them here verbatim (I have removed the ideas that were only applicable internally), in case you want to tackle the challenges…
Abuse of Active Directory Certificate Services (AD CS) has become a staple of our internal network assessment methodology. In fact, I can’t recall an internal I’ve done in the past two or more years that didn’t feature AD CS abuse in some manner or another. We can all agree that when AD CS abuse works as intended, it is fantastic. As Tinus Green stated in his BSides talk, AD CS abuse…
During an Active Directory (AD) assessment, I found myself struggling with a collection of individual PowerShell scripts and their formatting—or rather, the lack thereof. The various PowerShell scripts included public, as well as proprietary, scripts that were used for retrieving Active Directory objects and their attributes. Faced with resource and time constraints within the team, I proposed to try to come up with a better, more efficient way to conduct…
2021 was the year I met two incredible hackers, Michael and Reino, with whom I had the opportunity to work during my first ever SenseCon. SenseCon is an internal conference that lasts 3 days, during which we meet people, share knowledge and have fun. There is also a day-long hackathon during which we work on hacking subjects we are interested in. For that hackathon, we wanted to…