Multiple vulnerabilities in Synametrics' Synaman Apr 05, 2022 While doing a CTF box, I escalated privileges using an unintended path that led to the below discoveries. Synametrics' definition of SynaMan: “SynaMan - A Remote File Manager - Share large files with colleagues without compromising on security.” CVEs registered CVE-2022-26250: LPE via weak service permissions CVE-2022-26251: RCE and privilege escalation by using the default web UI administrative features. Affected versions and platforms Synaman 5. ...
ElearnSecurity Web application Penetration Tester eXtreme (eWPTXv2) review Feb 26, 2022 Context After a few months away from ElearnSecurity certifications, mostly due to OSCP preparation, I decided to take the second web course and certification they offer: Web Application Penetration Tester eXtreme (eWPTXv2). It was the logical sequel to the ElearnSecurity web application pentester certification (eWPT) I took a while ago and the course outline seemed promising. I passed the certification recently and wanted to give some insight on both the course and the exam. ...
Multiple vulnerabilities in SonicWall SMA 100 Jan 05, 2022 I recently found two vulnerabilities in SonicWall’s Mobile Access (SMA) web interface. You can read the full disclosure here. Useful links: Responsible disclosure CVE assigned: CVE-2021-20049, CVE-2021-20050 SonicWall’s advisories: SNWLID-2021-0030, SNWLID-2021-0031
PHP's open_basedir is not a security feature Dec 19, 2021 What is PHP’s open_basedir? open_basedir is a directive of the php.ini file that takes paths as values. Quoting PHP’s manual: open_basedir string Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off. When a script tries to access the filesystem, for example using include, or fopen(), the location of the file is checked. ...
ElearnSecurity Certified Incident Responder (eCIR) review Aug 08, 2021 Context After a really good experience with ElearnSecurity content, I decided to enroll for the eLearnSecurity Certified Incident Responder (eCIR) certification course. To be honest, I previously had experience with incident response and the following lines are to be taken with this in mind, especially if you have never done any before. Course As usual for ElearnSecurity, the course material consists of slide presentations, videos and practical labs. My overall impression of the course is that it is good, but not complete. ...
ElearnSecurity Web application Penetration Tester (eWPT) review Jun 20, 2021 Context I passed eLearnSecurity's eJPT certification a couple of months ago and decided to take some more certifications from this company; to that end, my employer paid for a yearly subscription to their learning platform INE. Cost is $750 a year, plus $400 for most (any?) certification exams. But there is a reduction on the first one you take with the yearly subscription, so I ended up paying only 200 dollars for this one. ...
Elearnsecurity Junior Penetration Tester (eJPT) review Mar 31, 2021 Context A few months ago, I decided to change job to focus more on pentesting and offensive activities, although I had never done it before. I thus decided to obtain at least one certification in that domain to put on my CV. After going through the jungle of the certification business and its organisations, I found eLearnSecurity's eJPT to fit my requirements, which were: practical knowledge course and exam, recognized on the market and cheap. ...
Bypassing Chrome's URL restrictions Mar 07, 2021 Context Studying Content Security Policy (CSP) features, I came across a nice bypass of the URL restrictions that Chrome implements to prevent leaks of HTML data. However, Chrome dropped the feature on which the bypass relied in version 89, released stable a few days ago, so it is no longer possible to trigger. The idea of Chrome developers was to prevent exfiltration of HTML content after triggering injection vulnerabilities, through restrictions on what characters can be present in a URL. ...
Finding an infosec job in Italy Feb 14, 2021 Italy is not known for information security, and finding a job in this area, or any other really, in this country is not as easy as it seems. It has now been a year since I moved to Milan and I would like to share what would have been useful for me before I arrived. The following is a mix of facts and opinions, so do not take it at face value and adapt it to your particular case. ...
MacOS forensic I Nov 22, 2020 Forensic, MacOS & Volatility I recently came to investigate a MacOS memory dump and raw disk. In this series of posts there are some commands, guidelines and tricks I could not find while working on the memory dump with Volatility. Next, I will probably dump someone's Mac (as I do not possess one) to see if I can get my hands on a more recent version of the OS. ...