Thu 20/04/2023 - 13:12 Post-exploitation in Windows environments often implies secrets collection. The collected secrets can be reused for lateral or vertical movement, making them high-value assets. Most people already know about the LSASS process, but other secrets such as LSA secrets and DPAPI ones could also allow privilege escalation or access to sensitive resources. This article describes the different types of secrets that can be found on a Windows machine, and the public tools that can be used to retrieve them.
Mon 17/04/2023 - 16:08 During hardware assessments, it is common to come across devices implementing U-Boot. This article aims to describe what it is, why it could be interesting from an offensive perspective, and the attack surface associated with this popular bootloader.
Tue 21/03/2023 - 11:38 The possibilities allowed by filter chains will never stop amazing us. Last time we saw that using them in a PHP file inclusion function would lead to remote code execution. Since then, another way to abuse them was published at the end of the DownUnderCTF 2022! Let's see how PHP filters can also be used to read local files when their content is not printed, thanks to an error-based oracle.
Fri 03/03/2023 - 08:44 When a hardware keylogger is found on a computer, you can assume the user account and its secrets are compromised. In this article, we present how to access the data stored on both a basic keylogger and a more advanced model with Wi-Fi access.
Wed 01/03/2023 - 09:20 This article describes how to exfiltrate secrets that are supposed to be securely stored inside CI/CD systems. For that purpose, the examples of Azure DevOps and GitHub Actions are detailed, and the tool we developed to automate extraction is presented.
Mon 13/02/2023 - 02:03 In November 2021, our team took part in the ZDI Pwn2Own Austin 2021 competition with multiple entries. One of them successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required messing with the remote TCP stack, so we wrote our own. This blog post provides some technical details about it.
Fri 20/01/2023 - 16:34 Using the recent io_uring Linux kernel API to build a fast and modular network scanner in the Rust language.
Fri 06/01/2023 - 13:23 Discussions about Windows authentication mechanisms over HTTP and the evolution of our MitM proxy.
Wed 04/01/2023 - 09:26 Bhyve is a hypervisor for FreeBSD. This blog post describes how a limited OOB write vulnerability in an adapter emulator can be turned into code execution, allowing an escape from the guest machine.
Tue 06/12/2022 - 16:40 Pwn2Own is a competition where hackers try to execute arbitrary code on selected devices. This blog post describes two vulnerabilities found in the Netgear RAX30 router, and explains how both were patched the day before the event.