Jeffrey Bencteux

Serious Cryptography (book review)

Sat, 25 Apr 2026 07:58:22 +0000

A review of Serious Cryptography: A Practical Introduction to Modern Encryption (1st edition) by JP Aumasson

Missing system calls in the Linux kernel audit subsystem classes (CVE-2025-71239, CVE-2026-23241)

Sun, 08 Mar 2026 16:33:38 +0000

Introduction The Linux kernel audit subsystem is a security mechanism allowing one to detect potential threats on a Linux system. Its userland counterpart, auditd (the audit daemon), can be configured with different kind of rules. Part of these rules rely on hooking system calls in kernel land grouped by what are called classes. Some, relatively recent, system calls were missing from these classes, allowing one to bypass these type of auditd rules.

Local administrator account remote logon in Windows

Sat, 31 Jan 2026 17:14:47 +0000

Understanding windows sheningans of local accounts network logons.

Hack The Box Certified Defensive Security Analyst (HTB CDSA) review

Thu, 18 Dec 2025 19:24:41 +0000

A course and exam review of Hack The Box CDSA

Manual Configuration Manager (SCCM) credential harvesting

Sun, 05 Oct 2025 13:35:42 +0000

A corner-case of how to perform Configuration Manager credential harvesting, extracting NAA and various other secret policies.

CVE-2024-58250: The passprompt plugin in pppd in ppp before 2.5.2 mishandles privileges

Sun, 27 Apr 2025 13:14:10 +0000

The passprompt plugin in PPP project do not loose privileges permanently, leading to a potential privilege escalation under specific conditions.

Detecting insiders on GNU/Linux servers

Mon, 21 Apr 2025 09:54:11 +0000

Yet another auditd ruleset

CVE-2024-50306: Unchecked return value in Apache Traffic Server

Sun, 17 Nov 2024 15:44:08 +0000

Unchecked return value can allow Apache Traffic Server to retain privileges on startup.

Privileges relinquishing order in C

Tue, 01 Oct 2024 08:56:34 +0000

Dropping privileges is a common operation done by programs having setUID and/or setGID bits set. They do privileged operations such as binding a socket to a low port or opening files and then drop privileges to continue execution. However, user and groups have to be relinquished following a certain order otherwise these privileges could be regained later on, allowing attacker to escalate privileges. set*id() functions Linux has several system calls to relinquish privileges, either temporarily, to be able to regain it later in execution, or permanently.

CVE-2023-47480: unchecked return values of set*id() family functions in Puredata

Thu, 26 Sep 2024 07:21:30 +0000

GNU inetutils do not check return values of set*id() family functions, leading to potential privilege escalations in binaries such as ftpd or rcpd.

Linux process hollowing

Sat, 07 Sep 2024 10:00:18 +0000

Process injection, hollowing and stealth on Linux operating system

Windows explorer restrictions bypasses - filesystem access

Mon, 08 Apr 2024 15:23:20 +0000

Explaining and bypassing some Windows explorer restrictions.

CVE-2023-40303: unchecked return values of set*id() family functions in GNU inetutils

Mon, 14 Aug 2023 12:13:36 +0000

GNU inetutils do not check return values of set*id() family functions, leading to potential privilege escalations in binaries such as ftpd or rcpd.

On checking set*id() return values

Wed, 26 Jul 2023 08:06:11 +0000

If set*id() syscalls' return values are not checked, it can cause security issues such as privilege escalation.

CVE-2023-38336: Command injection in netkit-rcp

Tue, 18 Jul 2023 09:53:13 +0000

Netkit-rcp is vulnerable to a command injection in filenames used as copy arguments.

CVE-2023-36631: Circumventing Windows Firewall controls with... Malwarebytes' Windows Firewall Control

Wed, 21 Jun 2023 09:28:09 +0000

Malwarebytes' software for firewall management let unprivileged users perform administrative firewall actions without access controls allowing for local network rules bypass.

OSINT from images' metadata hosted on websites

Thu, 13 Apr 2023 07:14:27 +0000

TL;DR; Images hosted by websites contains numerous metadata fields depending on their filetype (JPG, PNG…). These fields include interesting information for reconnaissance purposes such as: names, telephone numbers, email addresses or URLs. Often, website editors do not strip the images hosted on their websites, making leaks of information possible. Introduction Imagine you are part of a red team and your task is to penetrate inside a company’s perimeter. First, you want to gather intelligence.

DMARC Identifier Alignment: relax, don't do it, when you want to go to it

Wed, 25 Jan 2023 10:14:27 +0000

From subdomain takeover to phishing mails TL;DR; if you have a subdomain takeover for a given domain, and default DMARC alignment settings, you can create emails that passes SPF and DMARC for phishing purposes. DKIM, however, cannot be passed for the domain but a trick is possible to make emails look more trustworthy. This post and more are now part of a book I wrote on email security: Introduction I like Mozilla’s definition of a subdomain takeover:

Microsoft Azure security technologies certification and beyond (book review)

Wed, 11 Jan 2023 08:31:00 +0000

Book by David Okeyode

Nmap - detecting the network mapper

Tue, 03 Jan 2023 09:38:20 +0000

Detecting network scans When we speak about detection, you can often hear “let’s detect attackers' scans”. I believe that sentence is thrown in order to detect intruders on early stages of an attack. However there are a few issues with this mindset as blindly detecting all types of scans made on a security perimeter will drive the SOC crazy with the amount of false positive and legit alerts generated. It will not improve the level of detection you have either because you will not be able to treat all the alerts and may miss the ones revealing the presence of intruders.

Divin'n'phishin with executable filetypes on Windows

Wed, 26 Oct 2022 14:08:57 +0000

In order to find phishing payloads, one needs to understand how executable filetypes on Windows are handled, finding which ones can be delivered to mail clients, thus users, without being caught by mail defences in between and without requesting multiple validation steps from that user for execution once clicked on. Other filetypes are also relevant for phishing even if they are not executable per-se, they are also mentionned in this article.

Evading command-line detection with doskey

Sat, 22 Oct 2022 09:23:03 +0000

the doskey command can be used to evade some command-line detection rules by hidding the executable name behind an alias.

Zero-point Security's Red Team Ops II (CRTL) review

Wed, 19 Oct 2022 08:13:16 +0000

Context The recent release of the Red Team OPS II course by Zero-point Security caught my attention on Twitter in August. Since the Red Team Ops I course was, in my opinion, very good content, I decided to buy the RTO II bundle and give it a go. Course The course description and syllabus can be found on Zero-point Security website. Zero-point Security makes it clear this is a deeper dive into red teaming and I can only agree.

ELearnSecurity Certified Threat Hunting Professional (eCTHPv2) review

Sun, 10 Jul 2022 07:57:19 +0000

Context Since I took the eLearnSecurity Certified Incident Responder (eCIR) a good while ago and that according to eLearn, the Certified Threat Hunting Professional (eCTHPv2) is the next stepping stone, I decided to give it a go. The person that made the course’s material also being one of my former colleagues, Slavi Parpulev, and the fact we joked internally about me getting certified by him gave me one more good reason to study for it.

Penetration testing Azure for ethical hackers (book review)

Sun, 05 Jun 2022 09:18:17 +0000

Book by David Okeyode & Karl Fosaaen

Multiple vulnerabilities in cifs-utils

Thu, 12 May 2022 07:45:35 +0000

I recently found two bugs in cifs-utils, the userland tools of SMB implementation in Linux, which led to the release of version 6.15. The full article can be read at https://improsec.com/tech-blog/multiple-vulnerabilities-in-cifs-utils. Useful links: Responsible disclosure CVE assigned: CVE-2022-27239, CVE-2022-29869 cifs-utils version 6.15 advisory

Zero-point Security's Red Team Ops (CRTO) review

Sun, 01 May 2022 10:18:49 +0000

Context I recently took Zero-point Security’s Red Team Ops) course and associated exam (CRTO). It is also known as Daniel Duggan’s a.k.a Rastamouse course, even if since then Zero-point security has released other courses on offensive programming. It is so far the best learning experience I had on an online certification and I wanted to share a bit of what to expect from the course as well as what you can gain from it.

Multiple vulnerabilities in Synametrics' Synaman

Tue, 05 Apr 2022 12:00:00 +0000

While doing a CTF box, I escalated privileges using an unintended path that led to the below discoveries. Synametrics definition of Synaman: “SynaMan - A Remote File Manager - Share large files with colleagues without compromising on security.” // mark this sentence CVEs registered CVE-2022-26250: LPE via weak service permissions CVE-2022-26251: RCE and privilege escalation by using the default web UI administrative features. Affected versions and platforms Synaman 5.

ElearnSecurity Web application Penetration Tester eXtreme (eWPTXv2) review

Sat, 26 Feb 2022 17:52:20 +0000

Context After a few months away from ElearnSecurity certifications, mostly due to OSCP preparation, I decided to take the second web course and certification they offer: Web Application Penetration Tester eXtreme (eWPTXv2). It was the logical sequel to the ElearnSecurity web application pentester certification (eWPT) I took a while ago and the course outline seemed promising. I passed the certification recently and wanted to give some insight on both the course and the exam.

Multiple vulnerabilities in SonicWall SMA 100

Wed, 05 Jan 2022 19:29:17 +0000

I recently found two vulnerabilities in SonicWall’s Mobile Access (SMA) web interface. You can read the full disclosure here. Useful links: Responsible disclosure CVE assigned: CVE-2021-20049, CVE-2021-20050 SonicWall’s advisories: SNWLID-2021-0030, SNWLID-2021-0031

PHP's open_basedir is not a security feature

Sun, 19 Dec 2021 16:17:50 +0000

What is PHP’s open_basedir? open_basedir is a directive of the php.ini file that takes paths as values. Quoting PHP’s manual: open_basedir string Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off. When a script tries to access the filesystem, for example using include, or fopen(), the location of the file is checked.

ElearnSecurity Certified Incident Responder (eCIR) review

Sun, 08 Aug 2021 17:30:38 +0000

Context After a real good experience with ElearnSecurity content, I decided to enroll for the eLearnSecurity Certified Incident Responder (eCIR) certification course. To be honest, I previously had experience with incident response and the following lines are to be taken with this in mind, especially if you never have done some before. Course As usual for ElearnSecurity, the course material consist in both slide presentations, videos and practical labs. My overall impression on the course is that it is good, but not complete.

ElearnSecurity Web application Penetration Tester (eWPT) review

Sun, 20 Jun 2021 14:08:14 +0000

Context I passed eLearnSecurity eJPT’s certification a couple of months ago and decided to take some more certifications from this company, in accordance with that, my employer paid me a yearly subscription to their learning plateform INE. Cost is $750 a year, plus $400 for most (any?) certification exams. But there is a reduction on the first one you take with the yearly subscription so I ended up paying only 200 dollars for this one.

Elearnsecurity Junior Penetration Tester (eJPT) review

Wed, 31 Mar 2021 08:00:04 +0000

Context A few months ago, I decided to change job to focus more on pentesting and offensive activities while I never done it before. I thus decided to obtain at least one certification in that domain to put on my CV. After going through the jungle of certification’s business and organisations I found eLearnSecurity eJPT to fit my requirements which were: practical knowledge course and exam, recognized on the market and cheap.

Bypassing Chrome's URL restrictions

Sun, 07 Mar 2021 19:36:32 +0000

Context Studying about Content Security Policy (CSP) features, I came across a nice bypass of Chrome’s URL restrictions that the browser implements to prevent leak of HTML data. However, Chrome dropped the feature on which with the bypass rely on in its 89 version released stable a few days ago so it is no longer possible to trigger. The idea of Chrome developpers was to prevent exfiltration of HTML content done after triggering injections vulnerabilities through restrictions on what characters can be present in an URL.

Finding an infosec job in Italy

Sun, 14 Feb 2021 10:27:41 +0000

Italy is not known for information security and finding a job in this area, or any other really, in this country is not as easy as it seems. It as now been a year I am in Milan and I would like to share what would have been useful for me before I arrived. The following is a mix of facts and opinions, so do not take it too straightforward and adapt it to your particular case.

MacOS forensic I

Sun, 22 Nov 2020 11:11:01 +0000

Forensic, MacOS & Volatility I recently came to investigate on a MacOS memory dump and raw disk. In this serie of posts there are some commands, guidelines and tricks I could not find while doing it with volatility on the memory dump. Next, I will probably dump someone’s mac (as I do not possess one) to see if I can get my hands on a more recent version of the OS.

Courses

Sun, 08 Nov 2020 09:34:27 +0000

Disclaimer All of this material is my intellectual property but you can reuse it for your own purposes as long as you quote me and/or link to this website. I believe knowledge is to be shared so feel free to do so. I try to update the PDFs as often as I can. If you notice a typo or an error, feel free to reach me: jeff at bencteux dot fr.

Me

Sun, 08 Nov 2020 09:34:27 +0000

Rubrique-à-brac The name of this blog is a wink to Gotlib, a great comics writer and illustrator. whoami /id: Jeffrey Bencteux /alias: highlander/h1ghl4nd3r - “There can be only one” - good movie /interests: programming, network engineering, information security, CTF, general science /certifications: OffSec Experienced Penetration Tester (OSEP) Offensive Security Certified Professional (OSCP) Zero-Point Security Certified Red Team Lead (CRTL) Zero-Point Security Certified Red Team Operator (CRTO) HackTheBox Certified Defense Security Analyst (HTB CDSA) (HTBCERT-2E45A1A824) ELearnSecurity Certified Professional Penetration Tester (eCPPTv2) ELearnSecurity Certified Threat Hunting Professional (eCTHP) ElearnSecurity Certified Incident Responder (eCIR) ElearnSecurity Web Application Penetration Tester eXtreme (eWPTXv2) ElearnSecurity Web Application Penetration Tester (eWPT) ElearnSecurity Junior Penetration Tester (eJPT) AZ-500: Azure Security Engineer AZ-900: Microsoft Azure Fundamentals /vulnerabilities