Publications

Magento for Security Audit

06/09/2023 Magento, also known as Adobe Commerce since it was bought by Adobe in 2018, is a popular CMS for e-commerce web applications, powering 2.3% of them as of 2021 (according to Statista). This article provides an overview of its inner workings from a security point of view as well as some key points to keep in mind when auditing Magento-based applications.

Web Architect - An Introduction

06/09/2023 This article is the first of a series detailing various security aspects of the most common technologies one can encounter on the web, starting with CMSs. As of today, most of the Content Management Systems (CMS) market shares are detained by PHP based solutions (WordPress accounting for most of it, admittedly). Thus, they are really common to find during web pentest engagements. This article and the following ones will tell you everything you need to know to get started when facing one of them, by studying two of the most common ones...

GPOddity: exploiting Active Directory GPOs through NTLM relaying, and more!

04/09/2023 During the pentest of an Active Directory environment, we recently came across a situation in which we were able to relay the authentication data of a user having write permissions on a sensitive Group Policy Object (GPO). Due to the peculiarities of GPOs’ implementation in Active Directory, existing tools do not allow their exploitation in NTLM relaying contexts. We however devised a new versatile exploitation vector that can be implemented through relaying, as well as a tool automating the attack, GPOddity, available on Synacktiv’s...

Windows secrets extraction: a summary

20/04/2023 Post-exploitation in Windows environments often implies secrets collection. The collected secrets can be reused for lateral or vertical movement, making them high value assets. Most people already know the LSASS process, but other secrets such as LSA secrets and DPAPI ones could also allow privilege escalation or access to sensitive resources. This article will describe the different types of secrets that can be found within a Windows machine, and public tools that can be used to retrieve them.

PHP filter chains: file read from error-based oracle

21/03/2023 The possibilities allowed by filter chains will never stop amazing us. Last time we saw that using them in a PHP file inclusion function would lead to remote code execution. Since then, another way to abuse them was published at the end of the DownUnderCTF 2022! Let's see how PHP filters can also be used to read local files when their content is not printed, thanks to an error-based oracle.

CI/CD secrets extraction, tips and tricks

01/03/2023 This article aims at describing how to exfiltrate secrets that are supposed to be securely stored inside CI/CD systems. For that purpose, the examples of Azure DevOps and GitHub Actions will be detailed, and the tool we developed to automate extraction will be presented.

A dive into Microsoft Defender for Identity

23/11/2022 We recently analyzed the detection capabilities of Microsoft Defender for Identity, a cloud-based security solution which is the successor of Microsoft Advanced Threat Analytics and part of Microsoft Defender 365. This article will present its architecture, analyze its detection logic and abilities and present some bypasses, as well as general Red Team advices to stay under the Blue Team’s radar.

PHP filters chain: What is it and how to use it

18/10/2022 Searching for new gadget chains to exploit deserialization vulnerabilities can be tedious. In this article we will explain how to combine a recently discovered technique called PHP filters [LOKNOP-GIST], to transform file inclusion primitives in PHP applications to remote code execution. To support our explanations we will rely on a Laravel file inclusion gadget chains that was discovered during this research.

Persistent PHP payloads in PNGs: How to inject PHP code in an image – and keep it there !

10/10/2022 During the assessment of a PHP application, we recently came across a file upload vulnerability allowing the interpretation of PHP code inserted into valid PNG files. However, the image processing performed by the application forced us to dig deeper into the different techniques available to inject PHP payloads into this particular file format - and to make it persist through image transformations. These investigations allowed us to successfully exploit the vulnerability, and are summarized in this article.

Traces of Windows remote command execution

13/09/2022 A real ninja leaves no traces. However, in the Windows context, a lot of information are disseminated when performing actions and can be leveraged by DFIR analysts. Focusing on remote command execution techniques used by attackers and red-teamers, this article aims to get a collection of artifacts that can collected by analysts.