Finding and utilising leaked code signing certificates

Posted on by Tijme Gommers.

Using services such as GitHub or VirusTotal, it is possible to find leaked code signing certificates (typically PKCS#12 bundles containing both the certificate and its private key). For some of them the password can be cracked, after which the certificate can be used to sign malicious code. In this blog post I explain this process, including the responsible disclosure measures taken.
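
The cracking step described above, as an added example that is not part of the original post: a wordlist attack against a leaked PKCS#12 bundle, followed by a check of whether the certificate inside carries the Code Signing extended key usage. The bundle, its weak password and the wordlist are constructed fixtures; the only assumption is that the openssl CLI (1.1.1 or newer) is installed.

```sh
# Added example (not from the original post): crack the password of a leaked
# .pfx/.p12 with a wordlist and check whether it is a code-signing certificate.
# Fixture data (key, cert, password, wordlist) is constructed below; only the
# openssl CLI is assumed to be present.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Fixture: a self-signed certificate with the codeSigning EKU, exported with the
# weak password "password123" to stand in for a bundle found in a public repo.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Code Signing" -addext "extendedKeyUsage=codeSigning" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
  -out "$WORK/leaked.pfx" -passout pass:password123
printf '%s\n' hunter2 Password1 summer2020 password123 letmein > "$WORK/words.txt"

# try_password FILE PASSWORD: exit 0 when PASSWORD verifies the bundle's MAC and
# decrypts its contents; -noout discards the parsed key and certificates.
try_password() {
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" </dev/null >/dev/null 2>&1
}

# crack_pfx FILE WORDLIST: print the first password that opens FILE, exit 1 if none.
crack_pfx() {
  while IFS= read -r candidate; do
    if try_password "$1" "$candidate"; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done < "$2"
  return 1
}

# is_code_signing FILE PASSWORD: exit 0 when the leaf certificate lists the
# Code Signing extended key usage, which Authenticode requires for a valid
# signature. A leaked cert without it is still a credential leak, just a less
# directly useful one for signing malware.
is_code_signing() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'Code Signing'
}

if pw=$(crack_pfx "$WORK/leaked.pfx" "$WORK/words.txt"); then
  echo "recovered password: $pw"
  if is_code_signing "$WORK/leaked.pfx" "$pw"; then
    echo "certificate carries the Code Signing EKU: report it to the owner and issuing CA"
  fi
else
  echo "no password in wordlist opened the bundle"
fi
```

For a real engagement the wordlist would be something like rockyou or a tool such as pfx2john plus hashcat; the openssl loop above is deliberately simple so the verification and EKU check are visible. Whichever tool is used, the outcome should be disclosure to the certificate owner and the issuing CA so the certificate is revoked, not a signing operation.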

A foundation for kernel exploitation via Cobalt Strike

Posted on by Tijme Gommers.

Dell's DBUtil kernel driver (dbutil_2_3.sys) is vulnerable to arbitrary kernel memory read and write (CVE-2021-21551). This blog describes how to use that primitive from a Cobalt Strike (CS) Beacon Object File (BOF) to perform kernel exploitation. As an example, we escalate privileges to NT AUTHORITY\SYSTEM.

Harvesting credentials via HTTP Request Smuggling

Posted on by Tijme Gommers.

By abusing an HTTP Request Smuggling vulnerability in Outlook Web Access (OWA) for Exchange, it is possible to capture the credentials of unsuspecting Active Directory users as they authenticate to OWA.

A web application crawler for bug bounty hunting

Posted on by Tijme Gommers.

Not Your Average Web Crawler (NYAWC) is a Python package that crawls web applications for requests rather than URLs, so that forms, parameters and methods are captured, not just links. With NYAWC you can execute your payload against all in-scope requests of a web application.

Stealing passwords from McDonald's users

Posted on by Tijme Gommers.

By chaining an insecure cryptographic storage vulnerability with a reflected server-side cross-site scripting (XSS) vulnerability, it is possible to steal and decrypt the password of a McDonald's user.

Adding a placeholder to a UITextView in Swift

Posted on by Tijme Gommers.

UIKit does not support placeholders in UITextView natively, so here is a clean way to implement one in Swift. You can do it yourself in under a minute.