Common programmer thought pattern: there are only three numbers: 0, 1, and n.
Starred Articles
In this post, I'll dive into the forgotten mechanics of ASCII's transport control characters, how they shaped early computing, and how they're now being abused in real-world vulnerabilities affecting modern applications.
MCP: May Cause Pwnage
05/04/2025 I penetration tested the model context protocol (MCP) and had some fun breaking it. We ended up hacking a range of things, from cloud infrastructure to crypto.
We delve into security threats related to the Model Context Protocol (MCP), which allows AI agents to interact with external tools dynamically, and see how MCP servers can control AI client behavior through prompt injection, leading to potential exploits.
Rather than examining only the current state of an entity, such as a user’s level of privilege, Longitudinal Data Analysis (LDA) employs a variety of methods to combine past state with current state to identify anomalous activity or configurations. In this blog, we will focus on how LDA can be leveraged to detect anomalous privilege changes.
New Articles
Heavy USB Forensics
05/05/2025 In this blog post, we will delve into USB forensics, covering approximately 95% of the essential knowledge and techniques that a digital forensics examiner would require when investigating USB-related cases.
Application layer encryption can be useful. In such cases, the browser's built-in Web Crypto API provides several efficient encryption and secure random number generation features to JavaScript code.
Building a timeline during forensic investigations is super important - it helps you see what happened and when. In this post, I'll walk you through two simple but powerful ways to create timelines: using fls + mactime, and using Plaso / Log2Timeline (psteal, log2timeline, psort).
In this blog, we'll explore how the Windows utility Netsh.exe processes command-line arguments in a way that can lead to unexpected behavior - specifically, how users can execute firewall commands without fully typing out parameters. This Netsh behavior can be abused to evade traditional Netsh process command-line monitoring.
In this article, we explain how Edge's autofill system works, the forensic value of its stored data, and the potential for exploitation by cybercriminals.
In-depth technical analysis of Pentagon Stealer, an evolving malware with Python & Golang variants that targets crypto wallets.
The Ultimate Guide to 403 Forbidden Bypass
05/02/2025 In this article we'll break down how 403 errors work, why they occur and share real-world techniques to bypass them, helping you access restricted resources during your bug hunting process.
In this article, I'll break down how to set up and use different types of C2 redirectors. I'll show you the nuts and bolts of the C2 communication chain and give you practical examples you can actually use.
This technical analysis provides a comprehensive view of DragonForce ransomware's capabilities through both behavioral observations and in-depth technical analysis of a publicly available sample.
How I made $64k from deleted files
05/03/2025 I built an automation that cloned and scanned tens of thousands of public GitHub repos for leaked secrets. For each repository I restored deleted files, found dangling blobs and unpacked .pack files to search in them for exposed API keys, tokens, and credentials.
Timestomping is a technique attackers use to manipulate file timestamps in order to hide their activities. Basically, they change the "last modified", "last accessed", or even "created" dates of files. In this article, we'll see how timestomping works on Linux systems and what you can do to uncover such activity.
Email input fields are a critical attack surface in web applications. Attackers often target these fields to exploit vulnerabilities ranging from XSS and SSRF to header injection and business logic flaws. This article provides a detailed methodology for testing email input fields including both foundational and advanced techniques with practical payloads for each scenario.
We explain how we were able to gain remote code execution by porting a Chromium 62 exploit to the particular version of a renderer used by an HTML to PDF converter.
Windows is and always will be a Potatoland
05/07/2025 This blog post will dive into the world of some of the recently published potato techniques that can lead to more serious risks than "just" local Privilege Escalation.
What is PLeak, and what are the risks associated with it? We explored this algorithmic technique and how it can be used to jailbreak LLMs, which could be leveraged by threat actors to manipulate systems and steal sensitive data.
Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption
05/07/2025 We go into the details of the Bring Your Own Installer technique, which can be used by threat actors to bypass EDR protection on a host through timed termination of the agent update process when inadequately configured.
We uncovered a vulnerability in macOS (CVE-2025-31191) that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. With the ability to run code unrestricted on the affected device, attackers could perform further malicious actions like elevating privileges, exfiltrating data, and deploying additional payloads.
ShimCache and AmCache Forensic Analysis
05/02/2025 ShimCache and AmCache have lots to offer investigators. These artifacts collect metadata on PE files of interest (executed, viewed by user, etc.) and installed applications. As a result, the locations where Windows stores this metadata became key forensic artifacts.
We investigate a campaign leveraging an enhanced version of the More_eggs backdoor. We'll provide a technical analysis of the campaign, indicators of compromise (IOCs), tips for remediation, and activity detection rules to counter this threat.
DLL injection fundamental - Part1
05/01/2025 In this first part, we will briefly explain what DLL injections are, how they work, and we will simulate a simple DLL injection with mavinject, a legitimate tool from Microsoft Application Virtualization (App-V), to inject a DLL into a running process (Notepad) using PowerShell.
SysOwned, Your Friendly Support Ticket
05/07/2025 We discovered multiple pre-authenticated XML External Entity (XXE) injection vulnerabilities (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777 and CVE-2025-2778) in SysAid On-Premise, that allow attackers to extract sensitive files, interact with internal services, and potentially escalate privileges.
Fuzzing is an essential technique in finding vulnerabilities in software by providing invalid, unexpected data inputs to the targeted application. In this blog post, we will demonstrate how to fuzz a function from a Raspberry Pi Pico-W FreeRTOS firmware using AFL++ Unicorn mode.
Smarter Detections - Part 2: Creating SIGMA Exclusion Rules in CoPilot for Velociraptor Alerts
04/30/2025 Velociraptor's implementation of SIGMA rules lacks support for field-level exclusions - a crucial feature when it comes to reducing false positives and alert fatigue. In this post, we will see how to close that gap.
Throughout this guide, we'll cover the most common - and most dangerous - JWT implementation flaws, how they are exploited, and how to detect or defend against them. We will learn how to exploit and defend against real-world JWT vulnerabilities like algorithm confusion, weak secrets, and kid injection.
Pwning the Ladybird browser
05/01/2025 I found a use-after-free (UAF) bug leading to an arbitrary read/write in Ladybird, a relatively new browser engine. This vulnerability provides us with complete control over the renderer and allows us to mess with internal values, craft a fake vtable to gain control flow after a stack pivot, and overwrite stack return pointers to construct a ROP chain.
Unexpected behavior in Snowflake's Cortex AI
05/06/2025 In this post, we'll examine how Snowflake’s CORTEX Search Service, a cutting-edge AI-driven search and retrieval tool, could end up exposing sensitive data within your Snowflake user base, even in a secure environment with tightly configured access and masking policies.
We detail CVE-2024-11477, a heap buffer overflow in the ZStandard (ZSTD) implementation of 7-Zip. The vulnerability is an out-of-bounds read, which, when controlled, leads to an uncontrolled heap buffer overflow.
An out-of-bounds write vulnerability has been reported in macOS (CVE-2024-44236). A remote attacker could exploit this vulnerability by enticing a victim to open a crafted file. A successful attack may result in code execution on the victim's machine in the context of the running process.
Leaking oAuth Token via Referrer Leakage
05/06/2025 We discuss a security vulnerability that allows attackers to steal OAuth tokens via referrer policy overrides in Google Chrome. The attack scenario involves manipulating an OAuth authentication flow, redirecting users to a location with limited HTML injection capabilities, and leveraging Chrome's handling of the Link header to override the referrer policy.
We're going to dive into a super important topic when it comes to Linux forensics - evidence collection. We'll cover the classic tools like dd, dcfldd, and dc3dd, and also talk about modern memory acquisition methods and a very cool script called UAC.
We provide a technical overview of the SocGholish-to-RansomHub intrusion chains, including loader and C2 activity, alongside credential harvesting via WebDAV and SCF abuse.
We investigate CVE-2025-31324, an unrestricted file upload vulnerability in SAP NetWeaver that adversaries can exploit to upload web shells and other unauthorized files to execute on the server.
In this post, we're going to be analyzing and reproducing two vulnerabilities that can be chained to execute remote command injection on SonicWall devices. First, CVE-2024-38475, a pre-authentication arbitrary file read in Apache HTTP, and its SonicWall twist. Second, CVE-2023-44221, a post-authentication remote command injection.
Still Recent
Getting Started with AI Hacking: Part 1
04/02/2025 This blog post introduces the concept of AI hacking by discussing common attacks for various machine learning systems. The purpose is to help understand that machine learning is not perfect and some of the ways that threat actors might exploit those imperfections.
Kerberos Relay
04/21/2025 We discuss Kerberos relay attacks, a method to gain unauthorized access within Active Directory environments. We review the theory behind the attack as well as its limitations. Additionally, we explore some practical scenarios including DNS poisoning, coerced authentication, and multicast poisoning.
This article details my journey in creating a PoC for CVE-2025-32433. From a simple tweet, I used AI support to diff the patched and vulnerable version, write a first PoC code and fix it.
Tracing malloc calls with PCode
04/21/2025 This post focuses on interacting with PCode from a Ghidra script. In this example, I will explain how to implement a script for flagging suspicious malloc calls based on the use of arithmetic to calculate an allocation size. This coding pattern can commonly lead to a heap buffer overflow.
In this post, we'll explore Velociraptor, an endpoint monitoring and digital forensic tool that has native Sigma support. You'll learn how to integrate Sigma seamlessly, schedule automated scans, exclude noisy detections, and push alerts to Copilot (or any other incident management platform).
We will not only detail how the TROX Stealer installation process works technically, but also reveal the development patterns that demonstrate how this malware was packaged for large-scale deployment. Additionally, we'll examine the distribution mechanisms, including how the attackers leverage urgent messaging to deliver their payload.
A blog post that illustrates how an outbound trust combined with a misconfiguration in an AD CS template can become a critical escalation path, allowing us to perform cross-domain pivoting.
Oldies but Goodies
In this article, we will go over how to identify IDOR vulnerabilities (insecure direct object reference) and how you can exploit them. We will also be covering some advanced cases as well.
We discovered a vulnerability in the ollama client that can be triggered when a malicious API server responds to a request with gzip bomb HTTP response. This vulnerability can lead to an Out-Of-Memory (OOM) attack, causing the ollama server to crash.
This blog post gives a brief introduction to LLMs and some of their vulnerabilities. We go from start to finish with setting up Microsoft’s PyRIT and using it to attack a Crucible challenge. The purpose is to get you up and running without too much hassle of digging through code or searching the web for how to put the pieces together.
We provide a full attack flow that abuses Delegated Managed Service Accounts (dMSAs), to get persistence on a compromised Windows server.
Unearthed Arcana
An Introduction into Sleep Obfuscation
04/24/2023 Sleep obfuscation is a really cool technique that has been around for a bit now. The goal of this post is to break down this technique, specifically, the Ekko sleep obfuscation implementation by C5pider, and modify it to bypass the tool Hunt Sleeping Beacons.