Blog

Certified Azure Red Team Professional (CARTP) by Pentester Academy – exam review

After the four-week bootcamp from Pentester Academy, including lab access and live sessions with Nikhil Mittal, I decided to take the CARTP exam and successfully passed it by compromising all resources in Azure. Prior to the bootcamp I had some experience with Azure RM, but quite limited experience with AAD. Additionally, I’ve done CRTP before, which I found extremely useful for how to approach and prepare for the exam (read more about my experience with CRTP here).

The CARTP exam took me around 4 hours, and the reporting another 3 hours. In this article I’ll talk about the lab, taking notes, exam, reporting and resources. If you want to talk about it, you can write to me on Twitter @msd0s7.


SonarQube projects source code scrapper

SonarQube is a platform used for continuous inspection of code quality and code security™

The irony of the “code security” part comes from the fact that almost 3000 SonarQube interfaces are exposed to the internet and most of them don’t require authentication, which gives everyone access to the source code of the projects analyzed for quality and security.

Additionally, some SonarQube versions come with the default admin:admin credentials.


Certified Red Team Professional (CRTP) by Pentester Academy – exam review

After three weeks in the lab, I decided to take the CRTP exam over the weekend and successfully passed it by compromising all the machines in the AD. I had very, very limited AD experience before the lab, but I do have OSCP, which I found extremely useful for how to approach and prepare for the exam.

The practical exam took me around 6-7 hours, and the reporting another 8 hours. In this article I’ll talk about the lab, taking notes, exam, reporting and resources. If you want to talk about it, you can write to me on Twitter @msd0s7. If you are interested in Azure and AzureAD, you can read more about my experience with CARTP (Certified Azure Red Team Professional), also from Pentester Academy.


Remote packet capture with tcpdump and nc

A while back I saw IppSec performing a remote packet capture using tcpdump and piping it to Wireshark for live analysis. I thought that could be useful to do on a home router and save the packets to a Raspberry Pi on the same LAN for later analysis. There are 2 reasons why I wanted to save the packets remotely:

  1. if the pcap file grows too big, the router may not have enough space to handle it and it may stop recording, reboot or even brick
  2. if the ISP pushes an update and the router is rebooted, I may lose the capture file, or even the access to the router; bonus: I can see what the update is about

The setup is straightforward but I couldn’t find an exact answer for it. I needed to be able to send and listen for these packets on multiple interfaces, with multiple capture rules, in the background, for an indefinite amount of time and without having to stop the capture to be able to analyze the results.


Trying to bypass authentication in Portainer 1.24 Web UI (notes)

Short answer: the auth bypass was not successful. A few notes on why this was not possible and what was tested.

Summary

  1. Resources
  2. What is Portainer
  3. Set up the environment
  4. Register admin account
  5. JWT implementation
  6. Authorization and authentication
  7. Directory listing
  8. Debug and recompile
  9. Bolt database
  10. Chisel service
  11. Conclusion

Remote root access to Denmark routers due to backdoor accounts of ISP

In this post I explain how a previous command injection vulnerability in one of Denmark’s ISP routers led to finding two backdoor accounts for the Web interface and SSH that can affect up to 450 routers.

Summary

  1. Previous vulnerability
  2. Root LAN access
  3. From LAN to WAN
  4. Mitigation