Connecting to a private Windows EC2 instance without exposing RDP to the internet
Let’s say you have a (Windows or Linux) EC2 instance in a private subnet and want to access it interactively. There are several ways to do this.
Security
Deciphering the FileMaker Server keystore
A description of how FileMaker Server stores secrets and how to approach deciphering an unknown keystore.
Beware of wilcards paths in sudo commands
Say you want to allow a non-root user on Linux to execute a couple of scripts as root or another user with more privileges. A common way of doing this is to ...
Python tarfile directory traversal
Currently, there’s a lot of hype around the behavior of Python’s tarfile module for extracting archives. In short: tarfile will not sanitize filenames in arc...
nginx alias misconfiguration allowing path traversal
I recently came across an nginx server that had a vulnerable alias configuration which allowed anyone to read files outside the intended directory. In the fo...
Bypassing regular expression checks with a line feed
Regular expressions are often used to check if a user input should be allowed for a specific action or lead to an error as it might be malicious.
Info leaks via buffered output on HTTP redirects
Writing data to the output buffer before deciding that the response to the current HTTP request should actually be a redirect (for example when an unauthenti...
CVE-2021-44147: XML External Entity Vulnerability in Claris FileMaker
Description of a XXE vulnerability in the Claris FileMaker Platform
CRTP Certification Review
A couple of days ago I took the exam for the CRTP certification by Pentester Academy. In this review I want to give a quick overview of the course contents, ...
Hack the Box Write-up #10: Buff
Write-up of “Buff” from Hack The Box
Hack the Box Write-up #9: Tabby
Write-up of “Tabby” from Hack The Box
Hack the Box Write-up #8: Fuse
Write-up of “Fuse” from Hack The Box
Disabling NX in Linux via Kernel Parameter (using GRUB)
To boot Linux without Data Execution Prevention, so that the OS doesn’t mark certain memory regions as non-executable, we…
Exploiting Python pickles
How unpickling untrusted data can lead to remote code execution.
Hack the Box Write-up #7: Bart
Write-up of “Bart” from Hack The Box
Hack the Box Write-up #6: Kotarak
Write-up of “Kotarak” from Hack The Box
Hack the Box Write-up #5: TartarSauce
Write-up of “TartarSauce” from Hack The Box
Hack the Box Write-up #4: Cronos
Write-up of “Cronos” from Hack The Box
Hack the Box Write-up #3: Netmon
Write-up of “Netmon” from Hack The Box
Running commands in a specific user context in PowerShell
Using the Invoke-Command Cmlet, you can execute a script block in the security context of a different user.
Hack the Box Write-up #2: Networked
Write-up of “Networked” from Hack The Box
Hack the Box Write-up #1: Jerry
Write-up of “Jerry” from Hack The Box
Reading sniffed SSL/TLS traffic from curl with Wireshark
If you want to debug/inspect/analyze SSL/TLS traffic made by curl, you can easily do so by setting the environment variable SSLKEYLOGFILE to a file path of y...
Pivoting: Setting up a port proxy with netsh on Windows
Pivot by setting up a portproxy between your machine and a machine in another network using “netsh interface portproxy add v4tov4 listenport= connectport= co...
Tunneling network traffic over DNS with Iodine and a SSH SOCKS proxy
Setting up a DNS tunnel and SOCKS proxy to send/receive data via restricted networks.
Hidden in plain sight: Alternate Data Streams
Have you ever wondered how a file in a file listing is shown with size 0 bytes but can still contain data? Or maybe wondered where all that meta data is stor...