CEH Master, An Honest Review

This post is meant to be an honest review of the CEH Master; if you're unhappy with my review, I'm sorry.

Linux Privilege Escalation: Quick and Dirty

A quick and dirty Linux Privilege Escalation cheat sheet. I have utilized all of these privilege escalation techniques at least once.

The Ultimate OSCP Preparation Guide [DEPRECATED]

An organized guide to highlight some of the smartest techniques and resources for your OSCP journey. DEPRECATED: 12/28/2022

P1: Critical - Discovering and Foiling a Threat Actor

How Jackson and I managed to land a Critical Vulnerability Bounty - and through persistence, ensure that justice was served.

CVE-2020-27388: YOURLS 1.5 - 1.7.10, Multiple Stored Cross Site Scripting (XSS) Vulnerabilities in Admin Panel

Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP Plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.

Account Takeover on the Jack Daniel's Tennessee Squire Association Platform

A Business Logic Flaw was discovered in the Jack Daniel's Tennessee Squire Association. It led to the full compromise of a user account, with many other accounts inadvertently exposed.

CVE-2020-28360: npm private-ip SSRF Bypass (IP Phone Home)

Versions of npm private-ip including and prior to 1.0.5 are vulnerable to multiple Server Side Request Forgery (SSRF) bypasses. The regular expressions (RegEx) implemented within the package fail to account for variations of localhost and other private IP ranges. An attacker can obfuscate payloads, or utilize ranges outside of the block list, to successfully execute SSRF bypass techniques, circumventing restrictions.

UNEP Breached, 100K+ Employee Records Accessed

A writeup detailing the exposed employee records that Sakura Samurai managed to access during our security research through their vulnerability disclosure program.

Indian Government Breached, Massive Amount of Critical Vulnerabilities

A writeup detailing the vulnerability reporting process that took place after Sakura Samurai had breached the Indian Government.

CVE-2021-23827: Sakura Samurai discover cleartext pictures in Keybase Desktop Client; Windows, macOS, Linux

Cleartext Storage in a File or on Disk in Keybase Desktop Clients for Windows, macOS, and Linux allows an attacker who can locally read a user’s files to obtain private pictures in the Cache and uploadtemps directories. The Keybase Client fails to effectively clear cached pictures, even after deletion via normal methodology within the client, or by utilizing the “Explode message/Explode now” functionality.

Indian Government Breach, Disclosure

A full-scale writeup detailing the specifics of the vulnerabilities discovered and Sakura Samurai's exploitation methodology.

CVE-2021-24495: Improper Neutralization of Input During Web Page Generation on ‘id’ parameter in Wordpress Marmoset Viewer Plugin versions ≤ 1.9.3 leads to Reflected Cross Site Scripting

A reflected cross site scripting vulnerability exists on the ‘id’ parameter of the Wordpress Marmoset Viewer plugin. A threat actor can utilize a specially crafted payload and append it to the id parameter included in the Marmoset Viewer. The cross site scripting vulnerability can lead to the potential theft of cookies or credentials, giving the threat actor the ability to take over a victim’s account or steal other sensitive information.

CVE-2021-40875: Improper Access Control in Gurock TestRail versions ≤ results in sensitive file exposure

A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested and, in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

The Ultimate Guide to Crashing Your Friend's Wedding - The Knot, Business Logic Flaw

A friend shared a link to their Wedding RSVP website. After several minutes, a Business Logic Flaw was identified - resulting in the ability to accept/decline RSVP invites on behalf of another person, access notes, and view/modify any other custom fields included in the form.

Google Earth Hacking - EaaS (Espionage as a Service)

Google Earth Enterprise is deployed with default credentials. We discovered that educational, government, private enterprise and military organizations all rely on GEE for day-to-day operations.

CVE-2022-27226: CSRF to RCE in iRZ Mobile Routers through 2022-03-16

A CSRF issue on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain file system access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.

An Open Letter to the Japanese Government on Cybersecurity

Times are changing, and the Japanese Government’s Cybersecurity posture lags behind the best of NATO and other prominent countries.

The Ultimate CRTO Preparation Guide

The ultimate guide to passing the Certified Red Team Operator exam by Zero Point Security.

Spear Phishing with Zix: An Undisclosed Red Team Method for the Hungry APT

A business logic flaw in various Zix configurations allows a threat actor to perform native Spear Phishing from the context of the organization's own trust.

Stealing Data with Zix - Bypassing Data Loss Prevention Policies

A business logic flaw in various Zix configurations allows a threat actor to perform native data exfiltration from the context of the organization's own trust.

OSCP Reborn - 2023 Exam Preparation Guide

Revamped OSCP guide, tailored to be relevant for the latest revision of the OSCP which includes Active Directory exploitation.

CVE-2023-24068 && CVE-2023-24069: Abusing Signal Desktop Client for fun and for Espionage

A flaw in how files are stored in Signal Desktop ≤ 6.2.0 allows a threat actor to potentially obtain sensitive attachments sent in messages. Subsequently, a similar issue with Signal Desktop ≤ 6.2.0 exists, allowing an attacker to modify conversation attachments within the same directory. Client mechanisms fail to validate modifications of existing cached files, resulting in the ability to implement malicious code or overwrite pre-existing files and masquerade as pre-existing files. Local access is needed.