Articles

Drupal .htaccess

On a recent engagement I encountered a drupal site which allowed for some interesting file uploads. The first file upload form had a whitelist of allowed extensions which I was not able to bypass. The second accepted archive formats including tar, zip, and bz2. It would extract the archive and

Read More »

“Fun” With sqlmap

In my time as a pen tester sqlmap has been an extremely valuable tool. Miroslav Stampar deserves a big salute for creating and maintaining sqlmap. THANK YOU!! So in this post I’m going to talk about a few situations where sqlmap was not working out of the box for one

Read More »

Programatically Modifying .NET Assemblies

Continuing with my WCF vulnerability research I was recently taking a look at “Microsoft.Exchange.Directory.TopologyService.exe” which is part of Exchange server and exposes a WCF endpoint over a NetTcpBinding. Client code can usually be found in the install path of a service and is generally a lot easier to use vs.

Read More »

Abusing WCF Endpoints for Fun and Profit

TL;DR A previous version of Check Point’s ZoneAlarm antivirus and firewall product exposes a WCF interface which could be abused by low privilege users to trigger the execution of an update binary as SYSTEM. The issue has been disclosed by Check Point here. The exploitable WCF method takes the full

Read More »

#1 on Alibaba Bug Bounty

About a yer ago my friend/coworker and I started a monthly hacker meet up called The Dark Corner (https://www.meetup.com/The-Dark-Corner). At the meet up I met a bug hunter named Mike (https://twitter.com/taksec). A few months ago he helped renew my interest in bug bounties which had waned after all my submissions

Read More »

My Connect Back VPN Tunnel Setup for Penetration Testing

Have you ever wanted to be on the same network segment as a remote computer that you aren’t on the same segment as :p?? Well you can be, with the magic of connect back VPN tunneling! Without any further ado, here’s my how-to guide. Server Config 1. Install OpenVPN Access

Read More »

BSidesSF 2018 CTF – goribble.c

Last month was BSidesSF 2018. This was my first BSides and I’ll say I thought the con was really well done. The location was cool, the vendor area had plenty of free goodies, and the CTF was a lot of fun. There were quite a few people from Dark Corner

Read More »

Natas Level 27

All the sql code in this level is there to throw us off.  If you pull off a SQL injection on this level let me know, because AFAIK it is not possible.  The trick to beating this level is in the comments at the top of the page. They’re telling

Read More »

Natas Level 26

Today we’ll be exploiting the unserialize() function in PHP.  The major lesson here is to NEVER unserialize() user input, and I’ll show you why. PHP.net describes the serialize() function as follows: “Generates a storable representation of a value.  This is useful for storing or passing PHP values around without losing

Read More »