Secure77

Techblog and Security

RE: DC-932L Hacking a Webcam Part 1 – Getting a Shell

Introduction and Story I remember, more then a year ago I watched this fantastic video from stacksmashing about reverse engineering and rebuilding a custom firmware for a webcam. I was absolutely stunned that this is possibile and thought about to try this some time on a device I have at home. As usual, time passes

NTLM Attack in Metabase CVE-2022-24853

Metabase GeoJSON API Endpoint Back in September 2021, Metabase released a security announcement regarding its GeoJSON API endpoint: GeoJSON URL validation can expose server files and environment variables to unauthorized users We’ve discovered a potential security issue with the custom GeoJSON map (admin->settings->maps->custom maps->add a map) support and potential local file inclusion (including environment variables).

gMSA Passwords

Doing one of the recent HTB Boxes i came across the tool https://nettools.net and learned how you can retrieve gMSA passwords with it: https://nettools.net/howto-retrieving-gmsa-password-details/ Additional to the howto from NetTools you can change the encoding for the desired attribute to only retrieve the current password this will print you only the current password as hex

PHP Voting System – Unauthenticated Remote Code Execution

Today i just found another exploit in the PHP Voting System. The file /admin/candidates_add.php is vulnerable against unauthenticated file upload which can use for RCE. Exploit DB entry: https://www.exploit-db.com/exploits/49846 Vulnerable file candidates_add.php You just need to send a POST with multipart/form-data so you can upload any file you wish. There is no cookie or file

PHP Voting System – Admin Authentication Bypass (SQLI)

Today i found a new exploit in the PHP Voting System. Exploit-DB entry: https://www.exploit-db.com/exploits/49843 The /admin/login.php is vulnerable against SQL injections and so you can bypass the admin authentication. login.php As you can see the first check if($query->num_rows < 1)against the username is only checking the number of rows. With the following statement you always

openSSH commands unter Windows absichern

Seit Windows Server 2019 kann der openSSH Server über die Features oder per Powershell einfach nach installiert werden. Siehe Windows Server 2019 openSSH. Aber auch für Windows Server 2016 und älter besteht die Möglichkeit openSSH als Server Variante einfach zum laufen zu bekommen: Windows Server 2016 openSSH. In dem Beitrag geht es um das Einschränken