PHDays 2014 finals
Having qualified online for the finals, a few SCRT engineers travelled to Moscow to compete with the “w3stormz” team in the final of the PHDays ethical hacking contest.
Author: Alain Mowat
NeDi Remote Code Execution
During a recent intrusion test, we discovered that NeDi was used in our target infrastructure. Since this application’s source code is freely available on the developer’s website (www.nedi.ch), I thought I’d have a look and see whether it would be possible to take control of a server through it.
Remote Command Execution in HP TippingPoint Security Management System
During a recent security audit, SCRT discovered a TippingPoint SMS server that exposed a famously exploitable JBoss invoker to unauthenticated users. Through this invoker it is possible to deploy new applications on the server, which then run with the permissions of the JBoss application server (root, in this case). The server can then be compromised entirely by uploading new files into the SMS application’s folder and accessing them through a web browser. This can be done with the help of a very practical tool called jimmix, which makes it possible to invoke commands on a JBoss server from the command line.
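As an added example (this is not SCRT’s code and not part of the original post), the check I would run first against a suspected TippingPoint SMS, or any other JBoss-based appliance, is a probe of the stock JBoss invoker and console paths to see which of them answer without a credential challenge. It assumes the appliance ships a stock JBoss AS 4.x/5.x layout (the post names no path), and the target URL in the usage line is a placeholder; the classification logic is kept separate from the network code so it can be exercised offline on constructed responses.

```python
"""Probe a JBoss-based host for invoker/console endpoints reachable without
authentication (added example; not the tool or the exact check used in the post)."""
import ssl
import sys
import urllib.error
import urllib.request
from typing import Dict, List

# Stock JBoss AS 4.x/5.x paths that, when reachable with no credentials, let a
# remote user talk to the MBean server and hence deploy applications.
# Assumption: the appliance uses a stock JBoss layout; the post names no path.
INVOKER_PATHS: List[str] = [
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
    "/jmx-console/",
    "/web-console/",
]

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # stream header of Java serialization


def classify(path: str, status: int, content_type: str, body: bytes) -> str:
    """Turn one HTTP probe result into a verdict.

    'exposed'   - answered with no credential challenge and looks like a live
                  invoker (serialized Java object) or console (HTML page):
                  the condition described in the post.
    'protected' - the server asked for credentials (401) or refused (403).
    'absent'    - the servlet/console is not deployed (404).
    'unknown'   - anything else; look at it by hand.
    """
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if status == 200:
        ct = content_type.lower()
        if ct.startswith("application/x-java-serialized-object") or body.startswith(JAVA_SERIAL_MAGIC):
            return "exposed"
        if path.rstrip("/").endswith(("jmx-console", "web-console")) and b"<html" in body[:2048].lower():
            return "exposed"
    return "unknown"


def probe(base_url: str, timeout: float = 5.0, verify_tls: bool = False) -> Dict[str, str]:
    """GET each invoker path on base_url and classify the responses (live network).

    Appliances usually present self-signed certificates, so TLS verification is
    off by default; pass verify_tls=True when the certificate is trusted.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    results: Dict[str, str] = {}
    for path in INVOKER_PATHS:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, headers={"User-Agent": "jboss-invoker-check"}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                status, ctype, body = resp.status, resp.headers.get("Content-Type", ""), resp.read(4096)
        except urllib.error.HTTPError as e:
            # 401/403/404/500 arrive here; the body is still worth classifying.
            status, ctype, body = e.code, e.headers.get("Content-Type", ""), e.read(4096)
        except (urllib.error.URLError, OSError) as e:
            results[path] = "error: %s" % e
            continue
        results[path] = classify(path, status, ctype, body)
    return results


if __name__ == "__main__":
    # Placeholder target; replace with the appliance under test.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://sms.example.internal"
    for p, verdict in probe(target).items():
        print(f"{verdict:10s} {p}")
```

An unauthenticated GET on the invoker servlets returning a serialized Java object (Content-Type application/x-java-serialized-object, body starting with the 0xACED stream header) is the signature of the condition the post describes; a 401 on every path means the invoker is at least behind HTTP authentication, which should then be checked for default credentials separately.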
Insomni’hack Programme
The Insomni’hack conference programme is now available on the event’s website: http://insomnihack.ch/conferences/
Insomni’hack 2014
The first speakers have been announced, as has this year’s list of workshops. Registration is now open for Insomni’hack 2014!
Insomnihack 2013 – Central Directory
And here I was thinking everybody knew about SQL injection and that this challenge wouldn’t last an hour. And yet only one team managed to complete it before the end of the contest. o_O
Insomnihack 2013 – Facebookalypse
This challenge was definitely one of the harder web missions. It was based on a redefined (custom) session handler mechanism that was initially discovered in a relatively well-known firewall brand, and it is also very similar to the example in PHP’s own documentation: http://php.net/manual/en/function.session-set-save-handler.php
Insomni’hack contest wrap-up
After 8 hours of intense hacking, pycured ended up on top in this year’s Insomni’hack contest, in front of [TechnoPandas] and Int3pids.
Insomni’hack 2013
Insomni’hack 2013 will take place on 21 and 22 March 2013 at Palexpo in Geneva.
New this year: workshops running all day on Thursday 21 March, ahead of the conferences, which take place on the 22nd, and the contest, which starts on the 22nd at 6 pm.
SCRT at the Geneva Beach Rugby
Last weekend, SCRT took part for the second time in the corporate tournament of the “Geneva Beach Rugby” at the Fêtes de Genève.