PrivEsc: Unquoted Service Path
Published: 06 August 2021 Last Updated: 03 November 2022
One method for escalating permission from Local/Domain User to Local Administrator, is "Unquoted Service paths". In my experience finding unquoted service paths is a common occurrence, however actually being able to exploit them is not. In this article we'll explore how to find these issues and how to quickly determine if they're exploitable or not.
Continue Reading
PrivEsc: Insecure Service Permissions
Published: 06 August 2021 Last Updated: 03 November 2022
I’ve written a few articles recently about methods of escalating privileges on Windows machines, such as through DLL Hijacking and Unquoted Service Paths, so here I’m continuing the series with Privilege Escalation through Insecure Service configurations. This one’s pretty simple issue really, generally speaking it’s simply a matter of altering the service so that it runs the executable and parameters you want it to, instead the default configuration allowing you to supply a command and privilege level for the execution. So you can simply run the add user command as local system and create your own local administrator account!
Continue Reading
MSSQL Injection Cheat Sheet
Published: 05 August 2021 Last Updated: 03 November 2022
A cheat sheet of common Microsoft SQL payloads.
Continue Reading
MySQL Injection Cheat Sheet
Published: 05 August 2021 Last Updated: 03 November 2022
A cheat sheet of common MySQL/MariaDB payloads.
Continue Reading
PrivEsc: Group Policy Preference Passwords
Published: 11 December 2015 Last Updated: 03 November 2022
Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials).
GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy.
Continue Reading
LulzSec: 5 Years On
Published: 26 June 2016 Last Updated: 03 November 2022
LulzSec were an international hacking crew and today marks 5 years since the end of their most well-known campaign: the “50 Days of Lulz”.
They were a hacking crew spread across the planet taking down websites for the lulz. The members were Sabu, Pwnsauce, Tflow, Topiary, Kayla, Avunit, Viral, and a few others who were involved to lesser degrees. The members of LulzSec. Five years ago they set sail on an uneasy and brutal ocean: the Internet. Their mission? To laugh at the security of major organisations around the world. They exposed corporations, governments, often the general population itself, and quite possibly everything in between, just because they could.
Continue Reading
Hackers on Hackers
Published: 30 October 2016 Last Updated: 03 November 2022
So it’s 10:30pm on a Sunday and the wonderful Jake Davis has asked me to give my thoughts on the ludicrous movie that is “Hackers” (1995). It’s been years since I watched it, so I broke out the popcorn…
“Hackers” is a movie that I hold fondly in my heart for disregarding all realism and jumping straight in to Hollywood style hacking scenes; It shows hacking more like black magic and spell-casting than the realistic 14 hours staring at green text on a black background scenes I see in my day job as an ethical Hacker.
Continue Reading
Strong Passwords: The Problem with Rotation
Published: 10 June 2021 Last Updated: 09 November 2022
Password rotation has previously been included within best practice guides as a method of minimising the risk of compromised passwords being valid at the time a threat actor attempts to use them. Recent research has indicated that the enforcing password rotation is linked to increased risk of weak passwords, due to users selecting passwords based on patterns - such as Password1, Password2, Password3, or patterns such as Summer2021, Autumn2021, Winter2021.
Continue Reading
Exploiting Path Traversal
Published: 07 June 2021 Last Updated: 03 November 2022
Path Traversal, also known as Directory Traversal, is a vulnerability where a user can alter a path used by an application. For file retrieval functionality this can allow an attacker to access files that are not intentionally disclosed. For file upload functionality this can allow for website defacement, code execution and stored cross-site scripting attacks.
Continue Reading
Exploiting SQL Injection with Sqlmap
Published: 07 June 2021 Last Updated: 03 November 2022
We've previously posted about manually finding and exploiting SQL injection vulnerabilities. However one of the reasons SQL Injection is such a high risk vulnerability overall if due to the fact that exploitation can often be entirely automated. One tool for exploiting this vulnerability is sqlmap. From the point of view of security testers, SQL Injection can be time consuming to exploit, especially with slow extraction methods such as Time-based blind. However by automating exploitation can allow security testers to demonstrate the issue risk whilst freeing up time to check other areas of the assessment scope.
Continue Reading
SQL Injection: Filter Evasion with Sqlmap
Published: 07 June 2021 Last Updated: 03 November 2022
We've previously written about many different techniques for Finding and Exploiting SQL Injection vulnerabilities. However, there are often restrictions and interim technologies such as Web Application Firewalls that can prevent certain payloads from being used. In some instances filters can be bypassed through common encoding mechanisms, however often these will be ineffective and other methods much be used.
Continue Reading
Finding Command Injection
Published: 07 June 2021 Last Updated: 03 November 2022
Command Injection vulnerabilities occur where user supplied input is insecurely included within an operating system command, allowing an attacker to execute additional commands or alter the syntax of the executed command. This vulnerability typically allows for confidential data theft and may allow a threat actor to target internal network connections for further attacks.
Continue Reading
Strong Passwords: The Problem with Complexity
Published: 07 June 2021 Last Updated: 04 November 2022
Weak passwords are those which are predictable and can be easily guessed. To ensure that users do not select weak passwords organisations may look to enforce password complexity. Complexity refers to the requirement to use a mixed character set. For example, on Active Directory accounts complexity requires three of the four: uppercase, lowercase, numbers, and symbols. However it is still possible to select weak passwords with complexity enabled, such as Welcome!, Summer2020, or Password123456.
Continue Reading
Implementing Sub-resource Integrity
Published: 31 May 2021 Last Updated: 03 November 2022
Hosting web application content such as dynamic scripts and stylesheets on third parties such as Content Delivery Networks (CDNs) can allow for significant improvements to site performance and can reduce bandwidth costs. However, scripts included within a web application will execute within the user's browser with the same privileges as the currently logged in user. Therefore if a script is included from an external domain, that domain is trusted with the confidentiality and integrity of data stored within the application.
Continue Reading
Implementing Certification Authority Authorization (CAA)
Published: 14 April 2021 Last Updated: 03 November 2022
Certification Authority Authorization (CAA) is a used to specify which Certificate Authorities may issue certificates for the domain. Whilst lack of CAA does not constitute a vulnerability itself, it may be used to harden the transport layer security of an application by reducing the risk of certificates being mis-issued. Additionally, it can be used to notify the application owner when a mis-issue is detected and prevented through CAA.
Continue Reading