Apache Solr 8.3.1 RCE from exposed administration interface

Back in 2020, during an external pentest, I stumbled upon a visible Solr administration panel. With nothing else of interest, I focused on this specific application to test what was hidden underneath.
Continue reading Apache Solr 8.3.1 RCE from exposed administration interface

Insomni’hack 2023 CTF Teaser – DoH ! writeup
For this 2023 edition, I chose to focus on the DoH (DNS over HTTPS) protocol because it has gained popularity with attackers as a command and control (C2) communication channel for hiding DNS traffic inside HTTPS rather than using traditional DNS tunneling. In this post, I will describe in detail how to solve the challenge.
Continue reading Insomni’hack 2023 CTF Teaser – DoH ! writeup

Insomni’hack 2023 – hex-filtrate writeup
In this forensic challenge, a company has been compromised and their initial investigation led to a suspicious workstation. The CEO was very anxious about a potential exfiltration, and we were provided with a network dump of that workstation in the hope that we would be able to help him make some sweet dreams again.
Continue reading Insomni’hack 2023 – hex-filtrate writeup

Attacking Android Antivirus Applications
Although the usefulness of security tools such as antivirus, VPN and EDR is now indisputable in business circles, these solutions often need a lot of privileges and permissions to work properly, which also makes them an excellent target for an attacker. A bug in one of these solutions could allow malware to elevate its privileges and cause more damage to the organization.
Continue reading Attacking Android Antivirus Applications

Bypassing PPL in Userland (again)
This post is a sequel to Bypassing LSA Protection in Userland and The End of PPLdump. Here, I will discuss how I was able to bypass the latest mitigation implemented by Microsoft and develop a new Userland exploit for injecting arbitrary code in a PPL with the highest signer type.
Continue reading Bypassing PPL in Userland (again)

Producing a POC for CVE-2022-42475 (Fortinet RCE)
Late last year a new remote code execution vulnerability was discovered in Fortinet’s SSLVPN service. Given the relative lack of information surrounding it at the time, and the fact I’d have some uninterrupted research time due to a lengthy flight, I decided to attempt to produce a POC for the vulnerability.
Continue reading Producing a POC for CVE-2022-42475 (Fortinet RCE)

Getting Started With SplunkUI
When developing new Splunk apps with a customised user interface, everything but SplunkUI is deprecated. Thus, it is only a matter of time before you need to jump from that building with faith.
Continue reading Getting Started With SplunkUI

Engineering antivirus evasion (Part III)
Previous blog posts addressed the issue of static artefacts that can easily be caught by security software, such as strings and API imports:
- https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/
- https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/
This one provides an additional layer of obfuscation to target another kind of detection mechanism used to monitor a program’s activity, i.e. userland hooks.
Continue reading Engineering antivirus evasion (Part III)

Statically encrypt strings in a binary with Keystone, LIEF and radare2/rizin
In our journey to try and make our payload fly under the radar of antivirus software, we wondered if there was a simple way to encrypt all the strings in a binary, without breaking anything. We did not find any satisfying solution in the literature, and the project looked like a fun coding exercise so we decided it was worth a shot.
Continue reading Statically encrypt strings in a binary with Keystone, LIEF and radare2/rizin

Automatically extracting static antivirus signatures
This blog post accompanies the talk we gave at Insomni’hack 2022. The source code as well as the slides can be found at:
https://github.com/scrt/avdebugger
Continue reading Automatically extracting static antivirus signatures