Publications

WHFB and Entra ID : Say Hello to your new cache flow

05/06/2024
Pentest
During security assessments, the cache can be a goldmine on Microsoft environments. Red teamers are familiar with MSCache or DCC2 hashes, which could be a fast track to a privileged account. However, when using WHFB and a cloud-only Entra ID environment, these hashes no longer exist. This blogpost aims at analyzing the cache components of Entra ID-joined devices with WHFB configured and provides a toolkit to use them.

Inside the iOS bug that made deleted photos reappear

23/05/2024
Reverse-engineering
Last week, Apple released iOS 17.5. Since then multiple people reported seeing photos on their phone they had previously deleted. The bug was fixed in 17.5.1. In this blogpost we will dive into how the bug appeared and how it was fixed by Apple.

Hijacking GitHub runners to compromise the organization

22/05/2024
In a recent engagement we managed to compromise a GitHub app allowed to register self-hosted runners at the organization level. Turns out, it is possible to register a GitHub runner with the ubuntu-latest tag, granting access to jobs originally designated for GitHub-provisioned runners. Using this method, an attacker could compromise any workflow of the organization and steal CI/CD secrets or push malicious code on the different repositories.

Understanding and evading Microsoft Defender for Identity PKINIT detection

06/05/2024
Pentest
A few months following our blogpost on Microsoft Defender for Identity, new alerts related to Active Directory Certificate Services were added. This article will focus on suspicious certificate usage alerts: the detection mechanism will be explained as well as how to avoid raising any alert. In addition, a PowerShell script will be released to perform Kerberos authentication via PKINIT with the Windows API, from a non domain-joined machine.

iOS: a journey in the USB networking stack

30/04/2024
Système
In this article, we give a small journey inside the implementation of networking interfaces exposed by iOS when connected via USB. These are used for sharing a computer's connection with iPhone (tethering), sharing an iPhone's connection with a computer (reverse tethering) and since the latest versions of iOS, USB networking even carries RemoteXPC packets which seems to be the future common ground for all Apple based cross-device communications.

👻 Souls without bodies, phantom types shenanigans 👻

26/04/2024
Outils
In this article, we will present strange data types that only exist in the realm of types, called phantom types. We will also briefly introduce GADTs, and how to emulate some of their safety guarantees in languages where they are not available. This simple technique can go a long way towards making APIs safer and more expressive.

So I became a node: exploiting bootstrap tokens in Azure Kubernetes Service

23/04/2024
Pentest
During one of our assessments, we managed to retrieve a Kubernetes bootstrap token from an AKS pod. It was a good opportunity to get a closer look at these tokens, how they work and how to exploit them. In this first blog post, we will describe the inner working of bootstrap tokens, the node authorization mode, signers and certificate controllers. Then we will show how to exploit a pod sharing the host network namespace in an AKS environment to leak such a token. The information provided in this blog post is based on Kubernetes v1.28 ...

OUned.py: exploiting hidden Organizational Units ACL attack vectors in Active Directory

19/04/2024
Pentest
Exploitation of Organizational Units (OUs) ACLs received comparatively little attention when it comes to the security analysis of domain objects permissions in Active Directory environments. Yet, their successful exploitation could lead to the compromise of all OU child objects, and thus to high-impact privilege escalation scenarios. Building upon the work of Petros Koutroumpis, this article will present how an attack based on the manipulation of the gPLink attribute of Organizational Units could be exploitable through several common ...

Quantum readiness: Introduction to Modern Cryptography

18/04/2024
Cryptographie
This article is the first of a series of articles regarding Post-Quantum Cryptography in 2024. It builds upon Synacktiv's 2021 article, "Is it post quantum time yet?", by presenting the evolutions that happened since then in the PQC world as well as various constructions that will be reused in the next articles. These articles will especially focus on giving the reader a good understanding of the attack surface one should consider when designing and implementing a PQC algorithm. This article considers that the concepts presented in o...

Entra ID Banned Password Lists: password spraying optimizations and defenses

17/04/2024
Pentest
Banned Password Lists is a feature of the Password Protection component of Entra ID providing additional security for password-based authentication by enforcing both a global and a custom list of banned words for user passwords. This article aims at analyzing its implementation with the objectives to improve password spraying attacks for red team operators while providing better defenses for blue teams.