Contact us: info@akimbocore.com

A Quick Malware Teardown

Published: 06 August 2021

A follower sent me a suspicious looking file recently to get my opinion on its behavior and to see if I could pull out a little detail on how it’s working. “Suspicious looking” because at the time, it was getting a zero score on VirusTotal but it appeared to be doing something just a little dodgy in the background. I wanted to post some notes around my quick tear down of the malware show that since so much malware is poorly written and obfuscated you can often do a large amount of analysis of a file’s behaviour in a short period of time.


Continue Reading

HTTP Header Injection

Published: 06 August 2021

HTTP Header Injection vulnerabilities occur when user input is insecurely included within server responses headers. Specifically they are based around the idea that an attacker can cause the server to generate a response which includes carriage-return and line-feed characters (or %0D and %0A respectively in their URI encoded forms) within the server response header the attacker may be able to add crafted headers themselves. Header Injection can allow for attacks such as response splitting, session fixation, cross-site scripting, and malicious redirection.


Continue Reading

PrivEsc: DLL Hijacking

Published: 06 August 2021

I posted earlier about Privilege Escalation through Unquoted Service Paths and how it’s now rare to be able to exploit this in the real world due to the protected nature of the C:\Program Files and C:\Windows directories. It’s still possible to exploit this vulnerability, but only when the service executable is installed outside of these protect directories which in my experience is rare. Writing that post though got me thinking about another method of privilege escalation which I think is a little more common to see – DLL Hijacking.


Continue Reading

Windows Desktop Breakout

Published: 06 August 2021

Many organisations “lock-down” their desktop environments to reduce the impact that malicious staff members and compromised accounts can have on the overall domain security. Many desktop restrictions can slow down an attacker but it’s often possible to “break-out” of the restricted environment. Both assessing and securing these desktop environments can be tricky, so I’ll run you through how I assess them here, highlight some of the tricks and the methodology that I use with the intention that both breakers and defenders can get a better look at their options.


Continue Reading

Linux PrivEsc: Abusing SUID

Published: 06 August 2021

Recently during a CTF I found a few users were unfamiliar with abusing setuid on executable on Linux systems for the purposes of privilege escalation. If an executable file on Linux has the “suid” bit set when a user executes a file it will execute with the owners permission level and not the executors permission level. Meaning if you find a file with this bit set, which is owned by a user with a higher privilege level than yourself you may be able to steal their permissions set.


Continue Reading

Web Application Defence: Filtering User Input

Published: 06 August 2021

Effectively filtering user input is one of the best ways to prevent an awful lot of web application vulnerabilities. There are several ways to approach this, each with their own pros and cons so I’ll run through them here an then you can think of the best way to combine them for your context. It’s important to remember though, that filters are context specific, there is not one filter that will work for a whole application and that’s what can make writing an effective filter tricky.


Continue Reading

Custom Rules for John the Ripper

Published: 06 August 2021

Whilst Hashcat is often provable faster than John the Ripper, John is still my favourite. I find it simple to use, fast and the jumbo community patch (which I recommend highly) comes packed with hash types making it a versatile tool.

One of the features of these tools, which is often unknown or at least under appreciated is the ability to create custom “rules” for teaching the tool how to dynamically generate potential passwords. Since Microsoft implemented “Password Complexity” and this was enforced around the globe, user have made the jump from a password of: password, to the [sarcasm] much more secure [/sarcasm]: Password1.


Continue Reading

An Introduction to Hardware Hacking

Published: 06 August 2021

I’m currently writing up a series on hardware hacking fundamentals, and before I get into the specifics – I thought it sensible to add a piece on why hardware security is important and to lay out the major themes of what I’ll be discussing.

Firstly, with physical devices, the attackers have more options when it comes to attacking the devices and it should be noted that breaking a specific device might not be the final aim. As an attacker over the internet, I only have exposed network services to “play” with, but if I’m testing a physical device the attack surface can be much wider. With options including network services, radio frequency input/output, on-chip debugging, exposed serial ports, memory extraction, etc, etc.


Continue Reading

Calculating the Details of Awkward Subnets

Published: 06 August 2021

I posted recently about calculating subnets and CIDR notation quickly, but I didn’t mention in that post host to quickly get the Network ID, first host and Broadcast address for a subnet given an awkward address. This is another easy trick that covers that!


Continue Reading

Calculating Subnets and CIDR Quickly

Published: 06 August 2021

A friend of mine mentioned recently that he has to work out subnet masks in his head for an exam and commented in reality he’d just use a subnet calculator. Whilst this is probably true, there’s a quick trick that might help if you’re calculating subnets under duress. This isn’t a full write up and offers no real explanation of why it works, it’s just pointing out a trick you may have missed which might come in handy one day!


Continue Reading

British Airways Breach (2018)

Published: 06 August 2021

I wanted to talk a little bit about the British Airways breach; I won’t be focusing on the intention to fine from the ICO. I’ll just be talking a little about vulnerabilities, how they can be addressed, and the issues mitigations may bright. I’ll also be talking about a security incident that hit the ICO and how it was potentially very similar to what happened to British Airways.


Continue Reading

Equifax Breach (2017)

Published: 06 August 2021

In 2017 Equifax were breached, the breach was discovered on July 29[5] and an announcement was published on Sept 7.[5] It wasn’t the largest breach of all time, and not even of 2017, but it was big and the data was sensitive. Over the two weeks following the announcement, Equifax stock fell from 142.72 to 92.98 (34.58%)

In regards to large breaches, in the same year Yahoo “upgraded” their previous August 2013 breach to note that it now believed to have affected all 3 billion accounts held on their systems. This figure was up from the original reported 1 billion affected accounts.[1][2][3] Yahoo noted that the stolen user information may have included names, email addresses, telephone numbers, dates of birth, MD5 hashes of passwords and in some cases encrypted or unencrypted security questions and answers.[3]


Continue Reading

IDOR: Insecure Direct Object Reference

Published: 06 August 2021

In my experience Insecure Direct Object Reference is one of the least well known vulnerabilities out there, but it’s a very simply issue to explain. It’s a vulnerability that generally leads to loss of confidential data but can result in the less of modification of data too.


Continue Reading

CSRF: Cross-site Request Forgery

Published: 06 August 2021

Often abbreviated to CSRF and often pronounced as “Sea-Surf” is an attack against a Web Application that abuses an application’s trust in the user. An attacker’s aim is to cause a function to execute on the application using the user’s authentication credentials simply by causing the user’s browser to request that function in the normal way, but from a malicious site.

For example, a user navigates to a malicious site and this site in turn sends a request to the vulnerable function on the vulnerable web site. This is where “Cross-site” comes from, it is a malicious site sending a request to the vulnerable site.


Continue Reading

HTTP Security Headers: Strict-Transport-Security

Published: 06 August 2021

HTTP Strict Transport Security (HSTS) enforces the use of HTTPS in the web browser, ensuring that no information is sent to the domain (and optionally subdomains too), even if the user attempts to navigate to a HTTP page. This additionally mitigates the risk of cookies without the "secure" flag set, by enforcing all traffic is HTTPS only.


Continue Reading