Last time I described a few XSS bugs for the latest Nagios (5.6.9). During the research and code review I found a possibility for RCE. Below you will find the details from the journey. Here we go...
Tuesday, 31 December 2019
Monday, 30 December 2019
Multiple XSS bugs in Nagios 5.6.9
This time I decided to check the latest version of Nagios (5.6.9). Below you'll find a few details from a few hours of testing. Here we go...
Saturday, 28 December 2019
Testing SSRF in LiquiFireOS
During one bug bounty I found that the target webapp is presenting some 'interesting errors' in responses. ;) As this is always a nice and cool 'hint' to see during pentests/CTFs I decided to dig a little bit more. Below you will find the details for SSRF found in LiquiFireOS. Here we go...
Friday, 27 December 2019
Testing Android apps - mini lab
Last time when we talked about Android apps on the blog we tried to play "Assassin's Creed". Today I decided to build a small lab to prepare it for future projects. Below you'll find a few notes about it. Here we go...
Friday, 29 November 2019
From 0 to 0day - quick fuzzing lesson
Most of the time the question(s) you're asking me via the blog or Twitter is: "how to prepare a fuzzing lab" or "how to perform an analysis of the crash we found". I decided to spend the last few days preparing a small example for you to give you the answer(s) to both of the questions. Below you will find the details. Here we go...
Thursday, 28 November 2019
XSS in Oracle EPMS
I was asked to help during the webapp pentest of Oracle EMPS. I decided to share one found XSS bug with you. Below you will find the details. Here we go...
Tuesday, 19 November 2019
Reading spam for a breakfast
Today I woke up at 5:00 AM and I decided that this is a great moment to read some SPAM. ;) Coffee is ready so here we go...
Saturday, 16 November 2019
Quick memory review - extracting secrets from Hikvision iVMS-4200
Last time I tried to use Sysinternals to check a few things in Windows 10. This time I tried to get some more details (read: passwords;)) to use it during lateral movement (if needed). Below you will find the details of this scenario. Here we go...
Saturday, 9 November 2019
Sysinternals Suite - quick review for Windows 10
Sometimes during the project at the Client's office you can see that the environment there is mostly well hardened (so for example we cannot install new soft, we cannot open new ports or add users and we cannot connect our laptop to the network, etc.). In that scenario I decided to check some tools from Sysinternals Suite. Below you'll find a few notes. Here we go...
Thursday, 7 November 2019
Crashing EximiousSoft Logo Designer
Last time I tried to crash HoneyView and Better JPEG. This time I decided to check Logo Designer 3.82. Below you will find the details. Here we go...
Tuesday, 5 November 2019
Fool-AV-riend - Windows 10
A few days ago I was reading one of the tutorials related to 'pentesting AD'. They are all pretty cool. You can learn a lot from the content presented by the authors. But my question is...
Crashing HoneyView 5.31
During the last week I was looking for some new soft to fuzz. This time I tried HoneyView (v. 5.31). Below you will find the details. Here we go...
Crashing Better JPEG
Last week I tried to fuzz a few 'new' programs I found somewhere online. Below you will find the details about one image viewer called Better JPEG (v.3.0.3.0). Here we go...
Saturday, 26 October 2019
Responding to Windows 10
I decided to prepare a small Windows-based VM to check a few cases related to 'workstation security'. Below you will find the details about Windows 10 I used against Kali Linux. Here we go...
Tuesday, 22 October 2019
Random bytes in VLC 3.0.8
Last time we had some fun with previous versions of VLC. This time I decided to run VLC 3.0.8 on Windows 7 (32bit) and prepare a fuzzer to help. Below you will find some results. Here we go...
Monday, 14 October 2019
PicoCTF 2014 - both overflow challenges
In this post I decided to describe a quick way to exploit both overflow challenges from PicoCTF 2014. Below you will find the details. Here we go...
PicoCTF 2014 - execute
This time I tried to execute (a challenge from PicoCTF 2014). Below you will find quick details. Here we go...
PicoCTF 2014 - format
Last time I tried best shell from PicoCTF 2014. Today I tried to solve the format challenge. Below you will find the details. Here we go...
Protostar CTF - format2
In the meantime I decided to try the next format challenge from Protostar CTF - format2. Below you will find the details. Here we go...
Wednesday, 9 October 2019
PicoCTF 2014 - best shell
Last time I tried to solve a few challenges from Pico CTF 2013. This time I decided to check a few cases from the next edition - 2014. Below we will try to solve "best shell". Here we go...
Sunday, 6 October 2019
Testing DVNA
I was looking for example vulnerable webapps based on NodeJS and that's how I found Damn Vulnerable NodeJS Application. I decided to check it. Below you will find the details. Here we go...
Wednesday, 25 September 2019
Crashing WebAccess/HMI Designer 2.1.9.31
During the last week one of the cases was to run a fuzzer with some new software to find some new bugs. This time I decided to check WebAccess/HMI Designer (version 2.1.9.31). Below you will find the details...
Friday, 13 September 2019
Crashing FortiGate VM 6.2.1 - httpd
After (some about) 6-8 months today I finally found a moment to go back to the idea I discussed with a friend ('Ścisła Dieta Homarowa' aka. 'Tylko homary Team' ;)) and "check those VM image(s) for (few) popular 'network appliances'". That's how I tried to play with my good old friend - Fortinet. :) Here we go...
Monday, 9 September 2019
Crashing DCISoft - 1.21
Last time I tried to run a quick fuzz against DCISoft. This time I'll try to achieve similar results for the latest version - 1.21. Here we go...
Crashing Omegon Fluid Technology 2
This time I decided to check the software called "Omegon Fluid Technology". Below you will find a few quick results...
Sunday, 1 September 2019
PicoCTF 2013 - rop3
This time I tried to solve the rop3 challenge from PicoCTF 2013. Below you will find the details...
Saturday, 24 August 2019
ECTF 2014 - the-beginner challenge
After a while I decided to check a challenge from ETF 2014 called the-beginner. Below you will find the details. Here we go...
Wednesday, 21 August 2019
ret2libc1 challenge
This time we will check the ret2libc1 challenge. "Practice, practice, practice..." Here we go...
ret2shellcode challenge
I like this kind of challenge so I decided to do another one - ret2shellcode. Here we go...
stackoverflow-intro challenge
This time I decided to check one simple challenge found somewhere between other challenges found on GitHub. We will check stackoverflow-intro (pretty similar to a few cases from Protostar CTF). Here we go...
Tuesday, 20 August 2019
blind_fmt_stack challenge
Below we'll check another challenge from CTF games I found somewhere on GitHub. This time we will try to solve the blind_fmt_stack challenge. Here we go...
PicoCTF 2013 - rop2
This time I decided to check the next challenge from Pico CTF (2013) called rop2. Below you will find the details...
Bulldog2 CTF
This time I decided to check Bulldog:2 CTF from VulnHub prepared by Nick Frichette. Below you will find the details. Here we go...
PicoCTF 2013 - rop1
The next level from PicoCTF 2013 I tried was related to ROP exploitation. Let's see the details...
Monday, 19 August 2019
PicoCTF 2013 - overflow5
This time I tried overflow5 from Pico CTF 2013. Below you will find the details...
Creating evil module for Wordpress
Last time when I created 'evil module' we talked about web based on Drupal. Today we will try to achieve similar results for Wordpress. Here we go...
PicoCTF 2013 - overflow3
Let's move directly to part3 of the "overflow's challenges" from Pico 2013 - overflow3. Here we go...
PicoCTF 2013 - overflow2
Last time we tried to exploit overflow1. Today we will check the next challenge - overflow2. Here we go...
PicoCTF 2013 - overflow1
First overflow1 challenge from PicoCTF 2013. Old but (still) good for practice. ;) Let's do it...
Escalate_Linux:1 CTF
This time I decided to check one of the latest VMs available at VulnHub called Escalate_Linux:1 (by Manish Gupta). Let's go...
Wednesday, 7 August 2019
Protostar CTF - format0
Today we will start the format string part of the Protostar CTF. Below is the very first part - format0. Here we go...
Protostar CTF - stack7
Today we will try to solve the last part of the Protostar CTF related to stack overflows - stack7. Here we go...
Wednesday, 31 July 2019
Tuesday, 23 July 2019
Protostar CTF - Stack5
Today we will try to solve the next part of the Protostar CTF - stack5. Below you will find the details. Here we go...
Sunday, 21 July 2019
Protostar CTF - Stack4
Now [0, 1, 2, 3] we are finally here :) and we want to solve the Stack4 challenge.
Let's do it! Now...
Saturday, 20 July 2019
Protostar CTF - Stack2
I think it is a good time to start stack2 challenge from Protostar CTF. Below you will find the details. Here we go...
Protostar CTF - Stack1
Just like last time we will start directly from the new challenge - this time we will check stack1. Here we go...
Friday, 19 July 2019
Protostar CTF - Stack0
I decided to check one old CTF called Protostar (again;)). This time we will try to solve some 'stack challenges'. Let's start from the beginning...
Thursday, 18 July 2019
XSS in Zurmo CRM
XSS in TestLink 1.9.19
Last time we talked about automating Burp scans to find a few more low-hanging fruits during bug hunting. Today we will try to achieve similar results - this time for the latest TestLink (1.9.19 available at Bitnami). Here we go...
XSS in DokuWiki
Wednesday, 19 June 2019
Basic protocol fuzzing
Below you will find a few notes related to basic protocol fuzzing. Here we go...
Monday, 17 June 2019
Unquoted path for CA Deploy Agents
Sunday, 9 June 2019
Few more quick tests
Friday, 31 May 2019
Lazy Enlil
Saturday, 18 May 2019
Reading Kibana
In the meantime I decided to check one of the webapps we can find during internal infrastructure pentests - Kibana. Below you will find the details.
Thursday, 9 May 2019
Crashing DeviceNet Builder
Below you will find a few details from just another fuzzing session - this time I tried DeviceNet Builder (2.04) from DeltaElectronics. Here we go...
Unquoted path in ActiveFax Server 6.70
Found last week during some 'Windows 7 exercises'... A few details you'll find below...
Unquoted path in Softros LAN Messenger
Found last week during some 'Windows 10 exercises'... A few details you'll find below...
Crashing Edraw Max
Below you will find a few details from just another fuzzing session - this time I tried Edraw Max (7.9.3). Here we go...
Friday, 29 March 2019
Born2Root 2 CTF
Thursday, 28 March 2019
FourAndSix:2 CTF
Last time when I tried a CTF from the series prepared by Fred Wemeijer it was "4n6 - part 1". This time we will check the 2nd VM - FourAndSix:2. Here we go...
FourAndSix:1 CTF
This time I tried the 1st VM from the series called FourAndSix by Fred Wemeijer. Below you will find the details...
Monday, 25 March 2019
Stack Overflows for Beginners - CTF - part 1
When I was searching for some 'new VM' at VulnHub I saw that there is a "Stack Overflows for Beginners: 1" CTF. I decided to try it...
RootThis CTF
The next CTF I tried was RootThis CTF from VulnHub prepared by Fred Wemeijer. Below you will find a few details from the journey...
Creating evil module for Drupal
Saturday, 23 March 2019
LazySysAdmin CTF
This time I tried to solve a CTF called LazySysAdmin prepared by @TogieMcdogie. You can find it here thanks to VulnHub. Here we go...
Thursday, 21 March 2019
Crashing XnView 2.48
Tuesday, 19 March 2019
DLL Injection - part 2
Last time when DLL injection was mentioned on the blog was related to exploiting 7zip by replacing DLL files. This time we will try something else...
Wednesday, 13 March 2019
DC-1:1 CTF
Tuesday, 12 March 2019
Temple Of Doom1 CTF
This time I tried "Temple Of Doom CTF" from Vulnhub. Below you will find a few details...
Sunday, 10 March 2019
MinU:1 CTF
This time I tried MinU:1 CTF from VulnHub resources, prepared by 8bitsec. Below you will find the details...
Friday, 8 March 2019
Fowsniff CTF
Thursday, 7 March 2019
Sunday, 3 March 2019
SolidState CTF
This time I decided to check SolidState CTF prepared by ch33z_plz. Below you will find the details...
Sunday, 24 February 2019
Saturday, 23 February 2019
Reading ActiveMQ
Last time (I tried to scan some ports and) I followed the Rabbit. This time we will try to be the last in the line... to get some info from ActiveMQ server. Here we go...
Sunday, 17 February 2019
Go! RabbitMQ, go!
After a while I decided to check a few other machines available on Bitnami (and/or TurnKeyLinux). This time - just like before - I used Ubuntu 18 server to re-create the environment and install 'application' from scratch. Today we will try RabbitMQ.
Sleepy - CTF
I woke up again at 3 AM so it was... a good time to finish one of the CTF(s) I started a few weeks ago - this one is called Sleepy ;) . You can find the machine online thanks to VulnHub Team. Below are a few details from the journey...
Saturday, 9 February 2019
RCE in Enterprise VA MAX
Just like a few times before I was looking for some new VM appliance to check. This time I found "Enterprise VA MAX" prepared by loadbalancer.org. Below you will find a few details about the bug I found in version v8.3.4 (afaik 'latest' one). Here we go...
Thursday, 31 January 2019
RCE in ZenLoad Balancer
Last time we had the pleasure to check some RCE(s) in Artica. This time I decided to try ZenLoad Balancer. Below you will find a few details...
Tuesday, 29 January 2019
RCE in Artica
Last time somewhere online I found Kaspersky Proxy Server ISO. It was a little surprise for me when I saw that this 'appliance' is based on Artica Proxy. Below you will find a few details from the journey...
Monday, 28 January 2019
Reading TrendMicro - OfficeScan
When I was googling for some 'new software' (to check it during my simple fuzzing) I found an old installer of TrendMicro OfficeScan. It turned out that we can 'crash the agent app'... Below you will find a few more details...
Wednesday, 16 January 2019
Exploiting BlazeDVD
I wasn't very satisfied after my last case so I decided to check another software. This time I tried to exploit BlazeDVD. Below you will find a few details about it. Here we go...
Tuesday, 15 January 2019
Exploiting VUPlayer
Saturday, 12 January 2019
Crashing Zelio Soft 2
Yesterday I found the software called Zelio Soft 2. I decided to fuzz it a little bit. Below you will find a few results from the night (24h fuzzing with 1 sample). Here we go...
Wednesday, 9 January 2019
Jarbas CTF
Below you will find a few details about "Jarbas" - CTF prepared by Tiago Tavares. Thanks to VulnHub the VM is waiting for you here. Let's go...
DerpNStink CTF
Today we will try the CTF prepared by Bryan Smith called DerpNStink: 1. You can find it available here. Let's try it...
Tuesday, 8 January 2019
Monday, 7 January 2019