Techblog and Security
The journey of recovering my lost arm. Background Back in the bad weather season, I was looking for a single player game that I could enjoy alongside my usual daily routine. I noticed the release of Oblivion remastered Edition and considered buying it, but the reviews shortly after release weren’t particularly promising, so I decided
Continue Reading „Tainted Grail – FoA – Unlock The Hidden Secrets“
The Software Smart Time Plus < 8.6 contains several vulnerabilities: which can be chained to achieve unauthenticated remote code execution as SYSTEM on the Windows host. Background and Research During a pentest I stumbled across the following web service on port 443: Smart Time Plus is a time tracking tool developed and published by the
Continue Reading „Smart Time Plus RCE – CVE-2024-53543“
With my researches, described on my other post Hunting for LPEs in Gaming Software. I was curious about GOG services which run as Local System. I installed GOG on a „fresh“ Windows 11 and Windows 10 system and focused again to the Service „GalaxCommunication“. As we can see the Service is still running with SYSTEM
Continue Reading „GOG Galaxy – CVE-2022-31262“
Recently I started to dive deeper into the topic „LPE on Windows“, obviously one of the first things you will learn is to look what runs as system and does it load anything were you have write access to. The Theory I started my learning with some very educating sources about DLL Ghosting and Sideloading.
Continue Reading „Hunting for LPEs in Gaming Software“
In my last post I described how to extract the firmware, this was quite easy. But to rebuild a firmware is something different. This is a three part long story I need to be honest here, just remembering back to this process is painful, I will just describe some problems about the whole process that
Continue Reading „RE: DC-932L Reversing a Webcam Part 3 – Building the Firmware „
In my last post I described how to get a shell on the device, but my final goal was to extract the firmware, manipulate some data in it and rebuild it so that I have a custom firmware for this device. This is a three part long story There are some good resources about this
Continue Reading „RE: DC-932L Reversing a Webcam Part 2 – Extracting the Firmware“
Introduction and Story I remember, more then a year ago I watched this fantastic video from stacksmashing about reverse engineering and rebuilding a custom firmware for a webcam. I was absolutely stunned that this is possibile and thought about to try this some time on a device I have at home. As usual, time passes
Continue Reading „RE: DC-932L Reversing a Webcam Part 1 – Getting a Shell“
Metabase GeoJSON API Endpoint Back in September 2021, Metabase released a security announcement regarding its GeoJSON API endpoint: GeoJSON URL validation can expose server files and environment variables to unauthorized users We’ve discovered a potential security issue with the custom GeoJSON map (admin->settings->maps->custom maps->add a map) support and potential local file inclusion (including environment variables).
Continue Reading „NTLM Attack in Metabase CVE-2022-24853“
Doing one of the recent HTB Boxes i came across the tool https://nettools.net and learned how you can retrieve gMSA passwords with it: https://nettools.net/howto-retrieving-gmsa-password-details/ Additional to the howto from NetTools you can change the encoding for the desired attribute to only retrieve the current password this will print you only the current password as hex
Continue Reading „gMSA Passwords“
Today i just found another exploit in the PHP Voting System. The file /admin/candidates_add.php is vulnerable against unauthenticated file upload which can use for RCE. Exploit DB entry: https://www.exploit-db.com/exploits/49846 Vulnerable file candidates_add.php You just need to send a POST with multipart/form-data so you can upload any file you wish. There is no cookie or file
Continue Reading „PHP Voting System – Unauthenticated Remote Code Execution“