Just a blog to preserve some thoughts about Red Teaming :)

Index of /

:: That loyal MySQL is a rogue one: a tale of a (partially) failed idea :: 2020-07-12 01:03:37 +0000 ::
Hooking mysqld to steal net-NTLM hashes from developers.

:: GetEnvironmentVariable as an alternative to WriteProcessMemory in process injections :: 2020-05-28 11:22:33 +0000 ::
Brief description of how to use GetEnvironmentVariable as an alternative to WriteProcessMemory

:: From memory corruption to disable_functions bypass: understanding PHP exploits :: 2020-02-09 01:13:37 +0000 ::
Overview of PHP internals related to disable_functions and how common exploits work

:: Tunneling traffic through MySQL service (or your mysqld is my new SOCKS5) :: 2019-12-06 13:48:08 +0000 ::
Description of how to pivot through the MySQL service. Turning MySQL into a SOCKS5 proxy that can be used by proxychains.

:: Isolating the logic of an encrypted protocol with LIEF and kaitai :: 2019-11-01 12:00:00 +0000 ::
Article describing how we used LIEF to isolate target functions and kaitai to describe the protocol.

:: CSS Injection Primitives :: 2019-10-16 01:00:00 +0000 ::
Collection of CSS / HTML primitives. Tricks to use as an alternative to JavaScript (exfiltration, timing, etc.)

:: Remote Code Execution in Aruba Mobility Controller (ArubaOS) - CVE-2018-7081 :: 2019-09-04 01:00:00 +0000 ::
Walkthrough of discovering CVE-2018-7081 (memory corruption). Proof of Concept inside :)

:: Stealthier communications & Port Knocking via Windows Filtering Platform (WFP) :: 2019-06-05 13:30:07 +0000 ::
Example of how WFP can be used to communicate with an infected machine

:: Rethinking the inotify API as an offensive helper :: 2019-04-01 11:00:00 +0000 ::
Examples of how the inotify API can be useful for the Red Team

:: Searching systematically for PHP disable_functions bypasses :: 2018-12-09 13:00:00 +0000 ::
Some ideas about how to extract hidden parameters in PHP functions and how to find potential bypasses

:: Building simple DNS endpoints for exfiltration or C&C :: 2018-11-09 15:00:00 +0000 ::
Brief tutorial on how to use the pipe backend in PowerDNS for exfiltration

:: Writeup Navaja Negra 2018 CTF :: 2018-10-11 12:00:00 +0000 ::
Solutions to the challenges made by me in Navaja Negra CTF (Web, Pwn, Rev. & Misc.)

:: Vulnerability in Swoole PHP extension [CVE-2018-15503] :: 2018-08-14 13:11:37 +0000 ::
Description of how the vulnerability was found and a few indications about its exploitability

:: Improving PHP extensions as a persistence method :: 2018-07-28 12:00:10 +0000 ::
Article about how to build backdoors for the Zend Engine.

:: Hacking a game to learn FRIDA basics (Pwn Adventure 3) :: 2018-07-05 13:00:37 +0000 ::
Learn the basic usage of Frida with this tutorial. Build your own cheat with Frida.

:: Exfiltrating credentials via PAM backdoors & DNS requests :: 2018-06-27 13:37:00 +0000 ::
Description of how to backdoor PAM and exfiltrate credentials via DNS requests. Capture credentials FTW!

:: Beyond pty.spawn - use pseudoterminals in your reverse shells (DNScat2 example) :: 2018-05-08 12:00:00 +0000 ::
Quick article about how to improve well-known tools used in pentests. Forkpty() FTW!!

:: Defeating WordPress Security Plugins (Revisited) :: 2018-03-09 12:00:00 +0000 ::
Article about how to subvert the file integrity checks made by the most popular WordPress plugins

:: Parasiting web server process with webshells in permissive environments :: 2018-02-24 12:00:00 +0000 ::
Example of how to abuse permissive environments to infect processes with custom code using ptrace

:: JavaScript AntiDebugging Tricks :: 2018-02-08 12:00:00 +0000 ::
List of antidebugging techniques applied to JavaScript (focused on browsers)

:: Writeup (CTF) - ImpelDown CodeGate PreQuals 2018 (MISC) :: 2018-02-03 10:00:00 +0000 ::
Solution to an easy Python jail challenge

:: Loading "fileless" Shared Objects (memfd_create + dlopen) :: 2018-02-02 12:00:00 +0000 ::
An example of how to drop modules on a target using the syscall memfd_create