Using a JTAGulator
Published: 06 August 2021 Last Updated: 03 July 2023
JTAG is short for Joint Test Action Group and generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset.
It can be useful to hardware hackers in various ways, such as extracting device IDs, extracting firmware, overwriting memory.
Continue Reading
Extracting Flash Memory using JTAG
Published: 06 August 2021 Last Updated: 03 July 2023
I previously mentioned dumping memory contents using SPI, with a BusPirate. Sometimes that’s not feasible – such as if the flash memory module is a little inaccessible and you’re not feeling like deconstructing the board just yet.
An alternative is to pull memory over JTAG. I talked about accessing JTAG and interacting with a chip using OpenOCD previously, however this time around I’d like to go a step further.
Continue Reading
Same-origin Policy
Published: 06 August 2021 Last Updated: 03 July 2023
Same-Origin Policy (SOP) is a critical part of the security implemented within a web browser. It’s the part of your browser’s security system that prevents malicious pages from reading confidential information from other sites. So thepiratebay.com can’t read data from barclays.com because it’s blocked by SOP.
The way that it works simply, is that pages of different origins can send requests to other domains, but not process their responses. Certain items aren’t covered by SOP, such as images and scripts – this is because these are considered assets to be used within an application and not considered to affect the security of that application.
Continue Reading
PrivEsc: Unquoted Service Path
Published: 06 August 2021 Last Updated: 05 July 2023
One method for escalating permission from Local/Domain User to Local Administrator, is "Unquoted Service paths". In my experience finding unquoted service paths is a common occurrence, however actually being able to exploit them is not. In this article we'll explore how to find these issues and how to quickly determine if they're exploitable or not.
Continue Reading
PrivEsc: Insecure Service Permissions
Published: 06 August 2021 Last Updated: 03 July 2023
I’ve written a few articles recently about methods of escalating privileges on Windows machines, such as through DLL Hijacking and Unquoted Service Paths, so here I’m continuing the series with Privilege Escalation through Insecure Service configurations. This one’s pretty simple issue really, generally speaking it’s simply a matter of altering the service so that it runs the executable and parameters you want it to, instead the default configuration allowing you to supply a command and privilege level for the execution. So you can simply run the add user command as local system and create your own local administrator account!
Continue Reading
MSSQL Injection Cheat Sheet
Published: 05 August 2021 Last Updated: 03 July 2023
A cheat sheet of common Microsoft SQL payloads.
Continue Reading
MySQL Injection Cheat Sheet
Published: 05 August 2021 Last Updated: 03 July 2023
A cheat sheet of common MySQL/MariaDB payloads.
Continue Reading
PrivEsc: Group Policy Preference Passwords
Published: 11 December 2015 Last Updated: 05 July 2023
Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials).
GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy.
Continue Reading
LulzSec: 5 Years On
Published: 26 June 2016 Last Updated: 03 July 2023
LulzSec were an international hacking crew and today marks 5 years since the end of their most well-known campaign: the “50 Days of Lulz”.
They were a hacking crew spread across the planet taking down websites for the lulz. The members were Sabu, Pwnsauce, Tflow, Topiary, Kayla, Avunit, Viral, and a few others who were involved to lesser degrees. The members of LulzSec. Five years ago they set sail on an uneasy and brutal ocean: the Internet. Their mission? To laugh at the security of major organisations around the world. They exposed corporations, governments, often the general population itself, and quite possibly everything in between, just because they could.
Continue Reading
Hackers on Hackers
Published: 30 October 2016 Last Updated: 03 July 2023
So it’s 10:30pm on a Sunday and the wonderful Jake Davis has asked me to give my thoughts on the ludicrous movie that is “Hackers” (1995). It’s been years since I watched it, so I broke out the popcorn…
“Hackers” is a movie that I hold fondly in my heart for disregarding all realism and jumping straight in to Hollywood style hacking scenes; It shows hacking more like black magic and spell-casting than the realistic 14 hours staring at green text on a black background scenes I see in my day job as an ethical Hacker.
Continue Reading
Strong Passwords: The Problem with Rotation
Published: 10 June 2021 Last Updated: 09 November 2022
Password rotation has previously been included within best practice guides as a method of minimising the risk of compromised passwords being valid at the time a threat actor attempts to use them. Recent research has indicated that the enforcing password rotation is linked to increased risk of weak passwords, due to users selecting passwords based on patterns - such as Password1, Password2, Password3, or patterns such as Summer2021, Autumn2021, Winter2021.
Continue Reading
Exploiting Path Traversal
Published: 07 June 2021 Last Updated: 05 July 2023
Path Traversal, also known as Directory Traversal, is a vulnerability where a user can alter a path used by an application. For file retrieval functionality this can allow an attacker to access files that are not intentionally disclosed. For file upload functionality this can allow for website defacement, code execution and stored cross-site scripting attacks.
Continue Reading
Exploiting SQL Injection with Sqlmap
Published: 07 June 2021 Last Updated: 03 July 2023
We've previously posted about manually finding and exploiting SQL injection vulnerabilities. However one of the reasons SQL Injection is such a high risk vulnerability overall if due to the fact that exploitation can often be entirely automated. One tool for exploiting this vulnerability is sqlmap. From the point of view of security testers, SQL Injection can be time consuming to exploit, especially with slow extraction methods such as Time-based blind. However by automating exploitation can allow security testers to demonstrate the issue risk whilst freeing up time to check other areas of the assessment scope.
Continue Reading
SQL Injection: Filter Evasion with Sqlmap
Published: 07 June 2021 Last Updated: 03 July 2023
We've previously written about many different techniques for Finding and Exploiting SQL Injection vulnerabilities. However, there are often restrictions and interim technologies such as Web Application Firewalls that can prevent certain payloads from being used. In some instances filters can be bypassed through common encoding mechanisms, however often these will be ineffective and other methods much be used.
Continue Reading
Finding Command Injection
Published: 07 June 2021 Last Updated: 05 July 2023
Command Injection vulnerabilities occur where user supplied input is insecurely included within an operating system command, allowing a threat actor to execute additional commands or alter the syntax of the executed command. This vulnerability typically allows for confidential data theft and may allow a threat actor to target internal network connections for further attacks.
Continue Reading