17/12/2020Typo3 is an open source CMS we have recently encountered during one of our missions. We successfully exploited a configuration leak on this CMS to gain remote code execution on this application. This article describes the different steps to go from unauthenticated user to unsafe object deserialization and gain code execution.
26/11/2020You probably already have encountered a fanatical WAF during an engagement that turned you crazy preventing your almighty SQL injection from being exploited properly. This will never happen again thanks to a novel advanced technique based on artificial intelligence and block chain analysis. Read this article to know how. Disclaimer: this is click-bait.
26/08/2020Have you ever compromised a Cisco ISE with CVE-2017-5638? But what could you do next? This is a good network access but it can actually give you more. After a little digging, we found that guests passwords were stored in plaintext or encrypted (configuration dependent). This article explains how to extract the encrypted passwords, the encryption key and why it matters.
07/05/2020In this second article, we will focus on the vEdge components which are basically routers (physical or virtual). A patch was recently published for a vulnerability we found: Cisco IOS XE SD-WAN Software Command Injection Vulnerability (CVE-2019-16011)
23/04/2020We wrote a new tool that automatically loots all sensitive information from misconfigured Symfony applications. This post describes the type of data it can loot and how. If you just want to use it, check our Github repo! So let's get started and see what we can grab from the web profiler.
20/04/2020Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It is more and more used by customers in order to connect their on-premises Active Directory with online services such as Office365, SharePoint, Teams, etc. The aim of this article is to briefly present Azure AD and to explore the different attacking paths this new cloud environment offers to pentesters and red teamers.
30/03/2020Liferay is one of the most known CMS written in Java that we encounter sometimes during assessment. Last week, we stumbled on the blog post from Code White Security entitled "Liferay Portal JSON Web Service RCE Vulnerabilities" describing an interesting issue. Unfortunately, there is no PoC associated with it, but as we love RCEs at Synacktiv, this is a good opportunity to learn something.
25/03/2020In late 2019, a customer asked Synacktiv to perform a security assessment in a few days of their SD-WAN project based on the Cisco SD-WAN solution. During this engagement, we actually found a few interesting vulnerabilities in different components. For this first article, we will focus on the vManage component which was recently patched to address the following vulnerabilities: CVE-2019-16012: vManage Cypher Injection CVE-2019-16010: vManage Stored XSS
28/01/2020Azure DevOps is becoming more and more used by customers as Microsoft pushes them to replace their on-premises VSTS Server with the cloud version, Azure DevOps. So what can we do if we compromise a build agent? Or even a basic developer account? This article aims at explaining how this whole build jobs works and what it can be (ab)used for.
12/12/2019During a recent engagement, we came across an old outdated instance of the Kibana software. It was affected by two severe public vulnerabilities (CVE-2018-17246 and CVE-2019-7609). However, in the context, none of them was readily exploitable. In this article, we describe how we managed to takeover the software all the same, with a new exploitation technique. Don't expect any 0-dayz dropping in the following, only a new way to exploit two already known issues.