SolarPuttyDecrypt

During a recent Red Team engagement, I was able to become domain admin on the client’s network; I decided to investigate further into the “sys admin” workstations and management network in order to recover more information about the network topology and assets, dumping more password and gaining access to firewalls/switches and servers’ VLANs. Enumerating the sysadmin’s workstations, I discovered a windows tool used to connect via SSH. Solar-PuTTY Solar-PuTTY is a solarwinds version (with improved GUI and couple more functionalities) of the...


Posted By

Windows Kernel Debugging & Exploitation Part1 – Setting up the lab

Recently I was thrilled with the opportunity to build a PoC for ms-14-066 vulnerability aka “winshock” (CVE-2014-6321). While that will be material for another blog post, in order to debug the vulnerability, I had to set up a lab with windows kernel mode debugging enabled. So, without any further ado, here my setup and the steps used in order to enable Windows Kernel Debug. Setup Host system: Windows 10 with VMware Workstation 15.1.0 (build-13591040) Guest systems: Windows 7 x86 ultimate sp1 (debugger) ...


Posted By

State of Industrial Control Systems (ICS) in Italy

Industrial Control System, what are they? TL;DR: In a nutshell, Industrial control systems (ICS) are “computers” (PLC) that control the world around you. They're responsible for managing the air conditioning in your office, the turbines at a power plant, the lighting at the theatre or the robots at a factory Industrial Control System (ICS) is a general term used to describe several types of control systems and associated instrumentation used for industrial process control. Such systems can range from a few modular...


Posted By

Announcing ECG’s Closed Beta

After a lot of effort and a long month of alpha testing, today I’m proud to announce the launch of ECG’s closed beta. What is ECG? (tl;dr) ECG is a TCL static source code analysis tool. It is the first commercial solution able to detect real and complex security vulnerabilities in TCL/ADP source-code. Want to know more about ECG? Visit ECG's main website! What is TCL? TCL is a high-level, general-purpose, interpreted, dynamic programming language. It was designed with the goal of being very...


Posted By

Rubyzip insecure ZIP handling & Metasploit RCE (CVE-2019-5624)

This is a re-posting of the original article "On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)" that I have wrote on Doyensec During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entrypoint to triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path...


Posted By