Publications

The reverse-engineering team presentation

13/04/2022 A lot of candidates, or simply fellow reversers, ask us how our team usually works: what kind of technologies are we looking into? What kind of projects? Do we work solo? How do we handle remote? etc. The goal of this blogpost is to share what we can about our internals, so you don't have to reverse us.

elFinder: The story of a repwning

30/03/2022 We recently identified a path traversal issue in the elFinder software. It is assigned CVE identifier CVE-2022-26960. While the vulnerability is pretty classical, the story of its discovery is not. Keep on reading for the details.

Pwn2Own Austin 2021 : Defeating the Netgear R6700v3

25/03/2022 Twice a year ZDI organizes a competition where the goal is to hack hardware and software. During November 2021, in Austin, hackers tried to exploit hardware devices such as printers, routers, phones, home automation devices, NAS and more. This blogpost describes how we successfully took over a Netgear router from the WAN interface.

Finding gadgets like it's 2022

14/03/2022 So you have found an application vulnerable to Log4Shell, but the bypass gadgets are not working, and you did not manage to use a gadget from Ysoserial? If you read our last articles on finding Java gadgets you might have found a new one with gadget inspector. But what if gadget inspector did not find a valid chain? You might stop and be desperate because, as we saw, manual gadget research is not an easy task! In this article we will present a new methodology and multiple CodeQL queries to find gadget chains in Java a...

Heap tricks never get old - Insomni'hack teaser 2022

08/02/2022 The Synacktiv team participated in the Insomni'hack teaser 2022 last week-end and placed 9th out of 280 teams. The onetestament challenge was pretty interesting and taught me a few tricks so I have decided to write a detailed solution. In this writeup, I have tried to illustrate the thought process behind solving this challenge, rather than just the usual solve.py (which you can still find at the end of the article). Expect to see some (old) heap tricks and enjoy the read!

Unransomware

31/01/2022 During a ransomware incident, CSIRT Synacktiv noticed that the bitlocker mechanism was used to encrypt company and user files. This blogpost does not intend to retrace the whole incident response process. The idea is to illustrate how we managed (or not) to recover encryption keys and save a few workstations from their terrible fate. The incident took place few months ago.

Captain Hook - How (not) to look for vulnerabilities in Java applications

19/01/2022 During my 6-months intership, I developed a tool to ease vunerability research on Java applications. I used several software and libraries, and faced a number of issues throughout the development of this tool, Captain Hook. This article describes Captain Hook's development process from the beginning along with its challenges.

Dissecting NTLM EPA with love & building a MitM proxy

14/01/2022 Why you never managed to connect to this fre*king NTLM EPA protected website and how to finally reach it.

Yet another BEC investigation on M365

22/11/2021 Several materials already describe this type of attack, this document is an operational feedback from the CSIRT Synacktiv on several BEC incidents based on Microsoft 365 service. This is the part one of this publication.

How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus

04/11/2021 During a penetration test we encountered the ManageEngine ADSelfService Plus (ADSS) solution. ADSS offers multiple functionalities such as managing password policies for administrators or self password reset/account unlock for Active Directory users. We decided to dig into this solution. However, our research barely started that a wild exploitation on this solution was announced. In this article we will explore the details of several vulnerabilities that allow an unauthenticated attacker to execute arbitrary code on the ...