Published: 06 August 2021    Last Updated: 03 July 2023

JTAG is short for Joint Test Action Group and generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset.

It can be useful to hardware hackers in various ways, such as extracting device IDs, extracting firmware, overwriting memory.

Published: 06 August 2021    Last Updated: 03 July 2023

I previously mentioned dumping memory contents using SPI, with a BusPirate. Sometimes that’s not feasible – such as if the flash memory module is a little inaccessible and you’re not feeling like deconstructing the board just yet.

An alternative is to pull memory over JTAG. I talked about accessing JTAG and interacting with a chip using OpenOCD previously, however this time around I’d like to go a step further.

Published: 06 August 2021    Last Updated: 03 July 2023

Same-Origin Policy (SOP) is a critical part of the security implemented within a web browser. It’s the part of your browser’s security system that prevents malicious pages from reading confidential information from other sites. So thepiratebay.com can’t read data from barclays.com because it’s blocked by SOP.

The way that it works simply, is that pages of different origins can send requests to other domains, but not process their responses. Certain items aren’t covered by SOP, such as images and scripts – this is because these are considered assets to be used within an application and not considered to affect the security of that application.

Published: 06 August 2021    Last Updated: 05 July 2023

One method for escalating permission from Local/Domain User to Local Administrator, is "Unquoted Service paths". In my experience finding unquoted service paths is a common occurrence, however actually being able to exploit them is not. In this article we'll explore how to find these issues and how to quickly determine if they're exploitable or not.

Published: 06 August 2021    Last Updated: 03 July 2023

I’ve written a few articles recently about methods of escalating privileges on Windows machines, such as through DLL Hijacking and Unquoted Service Paths, so here I’m continuing the series with Privilege Escalation through Insecure Service configurations. This one’s pretty simple issue really, generally speaking it’s simply a matter of altering the service so that it runs the executable and parameters you want it to, instead the default configuration allowing you to supply a command and privilege level for the execution. So you can simply run the add user command as local system and create your own local administrator account!

Published: 05 August 2021    Last Updated: 03 July 2023

A cheat sheet of common Microsoft SQL payloads.

Published: 05 August 2021    Last Updated: 03 July 2023

A cheat sheet of common MySQL/MariaDB payloads.

Published: 11 December 2015    Last Updated: 05 July 2023

Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials).

GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy.

Published: 26 June 2016    Last Updated: 03 July 2023

LulzSec were an international hacking crew and today marks 5 years since the end of their most well-known campaign: the “50 Days of Lulz”.

They were a hacking crew spread across the planet taking down websites for the lulz. The members were Sabu, Pwnsauce, Tflow, Topiary, Kayla, Avunit, Viral, and a few others who were involved to lesser degrees. The members of LulzSec. Five years ago they set sail on an uneasy and brutal ocean: the Internet. Their mission? To laugh at the security of major organisations around the world. They exposed corporations, governments, often the general population itself, and quite possibly everything in between, just because they could.

Published: 30 October 2016    Last Updated: 03 July 2023

So it’s 10:30pm on a Sunday and the wonderful Jake Davis has asked me to give my thoughts on the ludicrous movie that is “Hackers” (1995). It’s been years since I watched it, so I broke out the popcorn…

“Hackers” is a movie that I hold fondly in my heart for disregarding all realism and jumping straight in to Hollywood style hacking scenes; It shows hacking more like black magic and spell-casting than the realistic 14 hours staring at green text on a black background scenes I see in my day job as an ethical Hacker.

Published: 10 June 2021    Last Updated: 09 November 2022

Password rotation has previously been included within best practice guides as a method of minimising the risk of compromised passwords being valid at the time a threat actor attempts to use them. Recent research has indicated that the enforcing password rotation is linked to increased risk of weak passwords, due to users selecting passwords based on patterns - such as Password1, Password2, Password3, or patterns such as Summer2021, Autumn2021, Winter2021.

Published: 07 June 2021    Last Updated: 05 July 2023

Path Traversal, also known as Directory Traversal, is a vulnerability where a user can alter a path used by an application. For file retrieval functionality this can allow an attacker to access files that are not intentionally disclosed. For file upload functionality this can allow for website defacement, code execution and stored cross-site scripting attacks.

Published: 07 June 2021    Last Updated: 03 July 2023

We've previously posted about manually finding and exploiting SQL injection vulnerabilities. However one of the reasons SQL Injection is such a high risk vulnerability overall if due to the fact that exploitation can often be entirely automated. One tool for exploiting this vulnerability is sqlmap. From the point of view of security testers, SQL Injection can be time consuming to exploit, especially with slow extraction methods such as Time-based blind. However by automating exploitation can allow security testers to demonstrate the issue risk whilst freeing up time to check other areas of the assessment scope.

Published: 07 June 2021    Last Updated: 03 July 2023

We've previously written about many different techniques for Finding and Exploiting SQL Injection vulnerabilities. However, there are often restrictions and interim technologies such as Web Application Firewalls that can prevent certain payloads from being used. In some instances filters can be bypassed through common encoding mechanisms, however often these will be ineffective and other methods much be used.

Published: 07 June 2021    Last Updated: 05 July 2023

Command Injection vulnerabilities occur where user supplied input is insecurely included within an operating system command, allowing a threat actor to execute additional commands or alter the syntax of the executed command. This vulnerability typically allows for confidential data theft and may allow a threat actor to target internal network connections for further attacks.