Publications

Captain Hook - How (not) to look for vulnerabilities in Java applications

19/01/2022 During my 6-months intership, I developed a tool to ease vunerability research on Java applications. I used several software and libraries, and faced a number of issues throughout the development of this tool, Captain Hook. This article describes Captain Hook's development process from the beginning along with its challenges.

Dissecting NTLM EPA with love & building a MitM proxy

14/01/2022 Why you never managed to connect to this fre*king NTLM EPA protected website and how to finally reach it.

Yet another BEC investigation on M365

22/11/2021 Several materials already describe this type of attack, this document is an operational feedback from the CSIRT Synacktiv on several BEC incidents based on Microsoft 365 service. This is the part one of this publication.

How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus

04/11/2021 During a penetration test we encountered the ManageEngine ADSelfService Plus (ADSS) solution. ADSS offers multiple functionalities such as managing password policies for administrators or self password reset/account unlock for Active Directory users. We decided to dig into this solution. However, our research barely started that a wild exploitation on this solution was announced. In this article we will explore the details of several vulnerabilities that allow an unauthenticated attacker to execute arbitrary code on the ...

Finding gadgets like it's 2015: part 2

28/10/2021 We found a new Java gadget chain in the Mojarra library, one of the most used implementation of the JSF specification. It uses a known entry point to start the chain and ends with arbitrary code execution through Java's Expression Language. It was tested on version 2.3 and 3.0 of the Eclipse implementation of the JSF specification.

Car hijacking swapping a single bit

26/10/2021 Used to interact with various ECU (Electronic Control Unit) in a car, the UDS (Unified Diagnostic Services) service is widely deployed by car constructors. This generic high level protocol is used to extract ECUs state, configure them or even update their firmware. When the implementation lacks cryptography support inside an ECU, the security level can decrease dramatically. This short blog post presents an hardware attack leveraging all diagnostic functions to an unauthorized tester.

Finding gadgets like it's 2015: part 1

18/10/2021 We found a new Java gadget chain in the Mojarra library, one of the most used implementation of the JSF specification. It uses a known entry point to start the chain and ends with arbitrary code execution through Java's Expression Language. It was tested on versions 2.3 and 3.0 of the Eclipse implementation of the JSF specification.

Is it post quantum time yet?

28/09/2021 Quantum computing. Among all the fashionable IT buzzwords, this one comes prominently. Quantum computing, or the idea people get of it, feeds a lot of fantasy. This trend is supported by the news that sometimes relay hazy information about a topic they do not fully grasp. Getting a precise view of the state of quantum computing and its implications on security is not easy if you are not familiar with the topic. In this article, we will try to answer this seemingly simple question: is it post quantum time yet?

Cracking Radmin Server 3 passwords

17/09/2021 Reverse-engineering a hashing mechanism and optimizing password cracking

macOS XPC Exploitation - Sandbox Share case study

08/09/2021 Usually we don't do blog posts about CTF challenges but we recently stumbled across a challenge that was a good opportunity to talk about several macOS/iOS internals, security mechanisms and exploit methods...