Contact us: info@akimbocore.com

Published: 06 August 2021

Linux PrivEsc: Abusing SUID

Recently during a CTF I found a few users were unfamiliar with abusing setuid on executable on Linux systems for the purposes of privilege escalation. If an executable file on Linux has the “suid” bit set when a user executes a file it will execute with the owners permission level and not the executors permission level. Meaning if you find a file with this bit set, which is owned by a user with a higher privilege level than yourself you may be able to steal their permissions set.


Continue Reading

Published: 06 August 2021

Web Application Defence: Filtering User Input

Effectively filtering user input is one of the best ways to prevent an awful lot of web application vulnerabilities. There are several ways to approach this, each with their own pros and cons so I’ll run through them here an then you can think of the best way to combine them for your context. It’s important to remember though, that filters are context specific, there is not one filter that will work for a whole application and that’s what can make writing an effective filter tricky.


Continue Reading

Published: 06 August 2021

Custom Rules for John the Ripper

Whilst Hashcat is often provable faster than John the Ripper, John is still my favourite. I find it simple to use, fast and the jumbo community patch (which I recommend highly) comes packed with hash types making it a versatile tool.

One of the features of these tools, which is often unknown or at least under appreciated is the ability to create custom “rules” for teaching the tool how to dynamically generate potential passwords. Since Microsoft implemented “Password Complexity” and this was enforced around the globe, user have made the jump from a password of: password, to the [sarcasm] much more secure [/sarcasm]: Password1.


Continue Reading

Published: 06 August 2021

An Introduction to Hardware Hacking

I’m currently writing up a series on hardware hacking fundamentals, and before I get into the specifics – I thought it sensible to add a piece on why hardware security is important and to lay out the major themes of what I’ll be discussing.

Firstly, with physical devices, the attackers have more options when it comes to attacking the devices and it should be noted that breaking a specific device might not be the final aim. As an attacker over the internet, I only have exposed network services to “play” with, but if I’m testing a physical device the attack surface can be much wider. With options including network services, radio frequency input/output, on-chip debugging, exposed serial ports, memory extraction, etc, etc.


Continue Reading

Published: 06 August 2021

Calculating the Details of Awkward Subnets

I posted recently about calculating subnets and CIDR notation quickly, but I didn’t mention in that post host to quickly get the Network ID, first host and Broadcast address for a subnet given an awkward address. This is another easy trick that covers that!


Continue Reading

Published: 06 August 2021

Calculating Subnets and CIDR Quickly

A friend of mine mentioned recently that he has to work out subnet masks in his head for an exam and commented in reality he’d just use a subnet calculator. Whilst this is probably true, there’s a quick trick that might help if you’re calculating subnets under duress. This isn’t a full write up and offers no real explanation of why it works, it’s just pointing out a trick you may have missed which might come in handy one day!


Continue Reading

Published: 06 August 2021

British Airways Breach (2018)

I wanted to talk a little bit about the British Airways breach; I won’t be focusing on the intention to fine from the ICO. I’ll just be talking a little about vulnerabilities, how they can be addressed, and the issues mitigations may bright. I’ll also be talking about a security incident that hit the ICO and how it was potentially very similar to what happened to British Airways.


Continue Reading

Published: 06 August 2021

Equifax Breach (2017)

In 2017 Equifax were breached, the breach was discovered on July 29[5] and an announcement was published on Sept 7.[5] It wasn’t the largest breach of all time, and not even of 2017, but it was big and the data was sensitive. Over the two weeks following the announcement, Equifax stock fell from 142.72 to 92.98 (34.58%)

In regards to large breaches, in the same year Yahoo “upgraded” their previous August 2013 breach to note that it now believed to have affected all 3 billion accounts held on their systems. This figure was up from the original reported 1 billion affected accounts.[1][2][3] Yahoo noted that the stolen user information may have included names, email addresses, telephone numbers, dates of birth, MD5 hashes of passwords and in some cases encrypted or unencrypted security questions and answers.[3]


Continue Reading

Published: 06 August 2021

IDOR: Insecure Direct Object Reference

In my experience Insecure Direct Object Reference is one of the least well known vulnerabilities out there, but it’s a very simply issue to explain. It’s a vulnerability that generally leads to loss of confidential data but can result in the less of modification of data too.


Continue Reading

Published: 06 August 2021

CSRF: Cross-site Request Forgery

Often abbreviated to CSRF and often pronounced as “Sea-Surf” is an attack against a Web Application that abuses an application’s trust in the user. An attacker’s aim is to cause a function to execute on the application using the user’s authentication credentials simply by causing the user’s browser to request that function in the normal way, but from a malicious site.

For example, a user navigates to a malicious site and this site in turn sends a request to the vulnerable function on the vulnerable web site. This is where “Cross-site” comes from, it is a malicious site sending a request to the vulnerable site.


Continue Reading

Published: 06 August 2021

HSTS: HTTP Strict Transport Security

HSTS is a web security mechanism to prevent downgrade attacks, it’s a mechanism that allows a web server to instruct web browsers to only communicate with the server over SSL, so that all subsequent traffic is encrypted, even if a user attempts to visit an insecure link (the browser will ‘correct’ the user and request the secure site instead).

HSTS works by the server sending a header to the web browser, the header is:


Continue Reading

Published: 06 August 2021

Path Traversal Cheat Sheet: Windows

Got a path/directory traversal or file disclosure vulnerability on a Windows-server and need to know some interesting files to hunt for? I’ve got you covered Know any more good files to look for? Let me know!

The list included below contains absolute file paths, remember if you have a traversal attack you can prefix these with encoding traversal strings, like these:


Continue Reading

Published: 06 August 2021

Path Traversal Cheat Sheet: Linux

Got a path/directory traversal or file disclosure vulnerability on a Linux-server and need to know some interesting files to hunt for? I’ve got you covered Know any more good files to look for? Let me know!

The list included below contains absolute file paths, remember if you have a traversal attack you can prefix these with encoding traversal strings, like these:


Continue Reading

Published: 06 August 2021

Introduction to Radio Hacking

In my introduction to hardware hacking, I mention that radio systems may be part of the attack surface for a hardware device penetration test. So I thought I’d give a gentle introduction to hacking with an SDR here!

Firstly, what’s an SDR? It stands for software-defined radio, and refers to a category of devices which allow you to interface with radio. There are a lot of SDR devices on the market to choose from when you first get started – a RTL-SDR can be picked up for £15 and devices from Ettus Research go well into the thousands of pounds.


Continue Reading

Published: 06 August 2021

An Introduction to Logic Analyzers

Logic Analyzers are inexpensive devices that allow you to just take a look at what a small number of pins on a chip are up to. They can be hooked into software like PulseView to read pin output and decode it into something more useful. Many decoders are available, but in this introduction we’ll have a quick look at PulseView and reading (decoding) UART data.

I’ve previously written about UART and how to find them with a JTAGulator, but here’s a different approach.


Continue Reading