Synack – Red Vs Fed Competition 2020

Preface Obligatory statement: This blog post is in no way affiliated, sponsored, or endorsed with/by Synack, Inc. All graphics are being displayed under fair use for the purposes of this article. Over the last few months Synack has been running a user engagement based competition called Red vs Fed. As can be deduced [...]

By |2020-06-26T17:10:43+00:00June 25th, 2020|BUG BOUNTY, EXPLOITS, PENTESTING|0 Comments

A Year of Windows Privilege Escalation Bugs

A Year of Windows Privilege Escalation Bugs Earlier last year I came across an article by Provadys (now Almond) highlighting several bugs they had discovered based on research by James Forshaw of Google's Project Zero. The research focused on the exploitation of Windows elevation of privilege (EOP) vulnerabilities using NTFS [...]

By |2020-06-13T12:05:12+00:00March 12th, 2020|BUG BOUNTY, EXPLOITS, PENTESTING|0 Comments

PreAuth RCE on Palo Alto GlobalProtect Part II (CVE-2019-1579)

Background Before I get started I want to clearly state that I am in no way affiliated, sponsored, or endorsed with/by Palo Alto Networks. All graphics are being displayed under fair use for the purposes of this article. I recently encountered several unpatched Palo Alto firewall devices during a routine red team [...]

By |2019-09-18T02:36:51+00:00September 10th, 2019|BUG BOUNTY, EXPLOITS|0 Comments

POC or Stop The Calc Popping Videos – CVE-2017-9830 – CVE-2019-7839

POC or STOP THE CALC POPPING VIDEOS As a red teamer / penetration tester / bug bounty hunter, I get exposed to a wide range of software products while performing customer engagements. Often times we find systems running outdated or unpatched services with publicly disclosed vulnerabilities only to find a video popping [...]

By |2019-08-03T15:14:01+00:00August 3rd, 2019|EXPLOITS, PENTESTING|0 Comments

AMD Gaming Evolved (Raptr – Remote File Execution

Background For anyone running an AMD GPU from a few years back, you've probably come across a piece of software installed on your computer from Raptr, Inc. If you don't remember installing it, it's because for several years it was installed silently along-side your AMD drivers. The software was marketed to the gaming [...]

By |2018-10-07T23:38:07+00:00April 15th, 2018|EXPLOITS|0 Comments

DEFCON CTF 2017 – Divided Writeup

DIVIDED A little over a month ago, LegitBS held the qualifier for this year's DEF CON CTF. As the competition was nearing a close, the organizers released an atypical pwnable challenge, a Windows binary. There are only a handful of CTFs that tend to release Windows exploitation challenges and there is minimal [...]

By |2017-06-18T04:21:26+00:00June 18th, 2017|CTF, EXPLOITS|0 Comments

A Less Dirty Cow

BACKGROUND I recently came across several RHEL 6.x systems during a penetration test our team was performing for a customer. We had gained user level access on these machines and began enumerating privilege escalation possibilities. Given the somewhat recent discovery of the Dirty Cow vulnerability and what appears to be a manual patching [...]

By |2017-01-29T23:46:20+00:00January 28th, 2017|EXPLOITS, PENTESTING|1 Comment

Time To Patch: RCE on Meinberg NTP Time Server

During a recent vulnerability assessment for a customer, I ran across an interesting web server while enumerating network enabled devices.  Navigating to the web server presented the management interface for a Meinberg NTP Time Server. This particular hardware appliance was used to provide an accurate time source for time-sensitive applications and hardware components while [...]

By |2016-10-12T16:53:58+00:00July 17th, 2016|EXPLOITS|0 Comments

Fun with Remote Controllers – Dameware Mini Remote Control (CVE-2016-2345)

While performing security assessments, we often come across software that allows administrators to remotely manage systems on their network. There are dozens of different packages available, with varying benefits and drawbacks. With this convenience comes the obvious security implications that come from allowing remote access to a system. [...]

By |2016-10-12T16:53:59+00:00April 3rd, 2016|EXPLOITS|3 Comments

MEDCIN Engine Exploitation – Part 2 (CVE-2015-2898-2901, CVE-2015-6006)

Before I dive deep into a technical write-up, I first wanted to give a quick summary of what this post is going to cover for those that may want to skip around. This article is in reference to the disclosure posted here. I'm going to start by reviewing past work [...]

By |2016-10-12T16:53:59+00:00January 6th, 2016|EXPLOITS|0 Comments