Contact us: info@akimbocore.com

PrivEsc: Insecure Service Permissions

Published: 06 August 2021    Last Updated: 03 November 2022

I’ve written a few articles recently about methods of escalating privileges on Windows machines, such as through DLL Hijacking and Unquoted Service Paths, so here I’m continuing the series with Privilege Escalation through Insecure Service configurations. This one’s pretty simple issue really, generally speaking it’s simply a matter of altering the service so that it runs the executable and parameters you want it to, instead the default configuration allowing you to supply a command and privilege level for the execution. So you can simply run the add user command as local system and create your own local administrator account!


Continue Reading

MSSQL Injection Cheat Sheet

Published: 05 August 2021    Last Updated: 03 November 2022

A cheat sheet of common Microsoft SQL payloads.


Continue Reading

MySQL Injection Cheat Sheet

Published: 05 August 2021    Last Updated: 03 November 2022

A cheat sheet of common MySQL/MariaDB payloads.


Continue Reading

PrivEsc: Group Policy Preference Passwords

Published: 11 December 2015    Last Updated: 03 November 2022

Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials).

GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy.


Continue Reading

LulzSec: 5 Years On

Published: 26 June 2016    Last Updated: 03 November 2022

LulzSec were an international hacking crew and today marks 5 years since the end of their most well-known campaign: the “50 Days of Lulz”.

They were a hacking crew spread across the planet taking down websites for the lulz. The members were Sabu, Pwnsauce, Tflow, Topiary, Kayla, Avunit, Viral, and a few others who were involved to lesser degrees. The members of LulzSec. Five years ago they set sail on an uneasy and brutal ocean: the Internet. Their mission? To laugh at the security of major organisations around the world. They exposed corporations, governments, often the general population itself, and quite possibly everything in between, just because they could.


Continue Reading

Hackers on Hackers

Published: 30 October 2016    Last Updated: 03 November 2022

So it’s 10:30pm on a Sunday and the wonderful Jake Davis has asked me to give my thoughts on the ludicrous movie that is “Hackers” (1995). It’s been years since I watched it, so I broke out the popcorn…

“Hackers” is a movie that I hold fondly in my heart for disregarding all realism and jumping straight in to Hollywood style hacking scenes; It shows hacking more like black magic and spell-casting than the realistic 14 hours staring at green text on a black background scenes I see in my day job as an ethical Hacker.


Continue Reading

Strong Passwords: The Problem with Rotation

Published: 10 June 2021    Last Updated: 09 November 2022

Password rotation has previously been included within best practice guides as a method of minimising the risk of compromised passwords being valid at the time a threat actor attempts to use them. Recent research has indicated that the enforcing password rotation is linked to increased risk of weak passwords, due to users selecting passwords based on patterns - such as Password1, Password2, Password3, or patterns such as Summer2021, Autumn2021, Winter2021.


Continue Reading

Exploiting Path Traversal

Published: 07 June 2021    Last Updated: 03 November 2022

Path Traversal, also known as Directory Traversal, is a vulnerability where a user can alter a path used by an application. For file retrieval functionality this can allow an attacker to access files that are not intentionally disclosed. For file upload functionality this can allow for website defacement, code execution and stored cross-site scripting attacks.


Continue Reading

Exploiting SQL Injection with Sqlmap

Published: 07 June 2021    Last Updated: 03 November 2022

We've previously posted about manually finding and exploiting SQL injection vulnerabilities. However one of the reasons SQL Injection is such a high risk vulnerability overall if due to the fact that exploitation can often be entirely automated. One tool for exploiting this vulnerability is sqlmap. From the point of view of security testers, SQL Injection can be time consuming to exploit, especially with slow extraction methods such as Time-based blind. However by automating exploitation can allow security testers to demonstrate the issue risk whilst freeing up time to check other areas of the assessment scope.


Continue Reading

SQL Injection: Filter Evasion with Sqlmap

Published: 07 June 2021    Last Updated: 03 November 2022

We've previously written about many different techniques for Finding and Exploiting SQL Injection vulnerabilities. However, there are often restrictions and interim technologies such as Web Application Firewalls that can prevent certain payloads from being used. In some instances filters can be bypassed through common encoding mechanisms, however often these will be ineffective and other methods much be used.


Continue Reading

Finding Command Injection

Published: 07 June 2021    Last Updated: 03 November 2022

Command Injection vulnerabilities occur where user supplied input is insecurely included within an operating system command, allowing an attacker to execute additional commands or alter the syntax of the executed command. This vulnerability typically allows for confidential data theft and may allow a threat actor to target internal network connections for further attacks.


Continue Reading

Strong Passwords: The Problem with Complexity

Published: 07 June 2021    Last Updated: 04 November 2022

Weak passwords are those which are predictable and can be easily guessed. To ensure that users do not select weak passwords organisations may look to enforce password complexity. Complexity refers to the requirement to use a mixed character set. For example, on Active Directory accounts complexity requires three of the four: uppercase, lowercase, numbers, and symbols. However it is still possible to select weak passwords with complexity enabled, such as Welcome!, Summer2020, or Password123456.


Continue Reading

Implementing Sub-resource Integrity

Published: 31 May 2021    Last Updated: 03 November 2022

Hosting web application content such as dynamic scripts and stylesheets on third parties such as Content Delivery Networks (CDNs) can allow for significant improvements to site performance and can reduce bandwidth costs. However, scripts included within a web application will execute within the user's browser with the same privileges as the currently logged in user. Therefore if a script is included from an external domain, that domain is trusted with the confidentiality and integrity of data stored within the application.


Continue Reading

Implementing Certification Authority Authorization (CAA)

Published: 14 April 2021    Last Updated: 03 November 2022

Certification Authority Authorization (CAA) is a used to specify which Certificate Authorities may issue certificates for the domain. Whilst lack of CAA does not constitute a vulnerability itself, it may be used to harden the transport layer security of an application by reducing the risk of certificates being mis-issued. Additionally, it can be used to notify the application owner when a mis-issue is detected and prevented through CAA.


Continue Reading

Controlled Chaos

Published: 10 March 2021    Last Updated: 03 November 2022

Major outages in major public cloud providers such as Azure and AWS are rare, but they do happen. Today OVH had a major incident: “OVH datacenter burns down knocking major sites offline” and they’re not the only ones to experience these issues, for example Amazon had a major outage in November and Microsoft had one in September.

This prompted me to write up an article on Akimbo’s recent work building resilience into our platform, so today I’m going to talk a little bit about a couple of the features of AWS that allow for significant resilience and I’m going to do that by running you through my recent experiments on our platform which can be roughly summarised as “Turning things off to see what breaks.”


Continue Reading