Blogs

FireRTC: Call Spoofing

FireRTC is a tool that can be used to spoof any phone number, and dial out to the designated phone number.

Hidden Eye: A Modern Phishing Tool

An easy-to-use phishing tool that will allow you to quickly build and create a phishing engagement in an attempt to capture credentials.

CEH Master, An Honest Review

This post is meant to be an honest review of the CEH Master. If you're unhappy with my review, I'm sorry.

Linux Privilege Escalation: Quick and Dirty

A quick and dirty Linux Privilege Escalation cheat sheet. I have utilized all of these privilege escalation techniques at least once.

The Ultimate OSCP Preparation Guide, 2021

An organized guide to highlight some of the smartest techniques and resources for your OSCP journey. Updated with new techniques and refined on: 2/2/2021

P1: Critical - Discovering and Foiling a Threat Actor

How Jackson and I managed to land a Critical Vulnerability Bounty - and through persistence, ensure that justice was served.

CVE-2020-27388: YOURLS 1.5 - 1.7.10, Multiple Stored Cross Site Scripting (XSS) Vulnerabilities in Admin Panel

Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP Plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.

Account Takeover on the Jack Daniel's Tennessee Squire Association Platform

A Business Logic Flaw was discovered in the Jack Daniel's Tennessee Squire Association. It led to the full compromise of a user account, with many other accounts inadvertently exposed.

CVE-2020-28360: npm private-ip SSRF Bypass (IP Phone Home)

Versions of npm private-ip including and prior to 1.0.5 are vulnerable to multiple Server Side Request Forgery (SSRF) bypasses. The Regular Expressions (RegEx) implemented within the package fail to account for variations of localhost and other Private IP ranges. An attacker can obfuscate payloads, or utilize ranges outside of the block list to successfully execute SSRF bypass techniques, circumventing restrictions.

Twitter Verification 2021: Research Study

A hasty analysis of the new Twitter Verification criteria and resultant negative Application Security effects, inevitable silencing of worthy individuals, and stripping of "title"

UNEP Breached, 100K+ Employee Records Accessed

A writeup detailing the exposed employee records that Sakura Samurai managed to access during our security research through their vulnerability disclosure program.

Indian Government Breached, Massive Amount of Critical Vulnerabilities

A writeup detailing the vulnerability reporting process that took place after Sakura Samurai had breached the Indian Government.

CVE-2021-23827: Sakura Samurai discover cleartext pictures in Keybase Desktop Client; Windows, macOS, Linux

Cleartext Storage in a File or on Disk in Keybase Desktop Clients for Windows, macOS, and Linux allows an attacker who can locally read a user’s files to obtain private pictures in the Cache and uploadtemps directories. Keybase Client fails to effectively clear cached pictures, even after deletion via normal methodology within the client, or by utilizing the “Explode message/Explode now” functionality.

Indian Government Breach, Disclosure

A full-scale writeup detailing the specifics of the vulnerabilities discovered and Sakura Samurai's exploitation methodology.

Ritual Motion Gaming Gloves [Skins]: An Honest Evaluation

Ritual Motion Gaming Gloves, protecting a hacker's hands.