Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2025-59287 — WSUS Remote Code Execution - 1769

hawktrace - Posted 4 Months Ago
  • Windows Server Update Services (WSUS) is a Microsoft tool that allows IT admins to manage updates for Windows systems.
  • The upgrade process contains a cookie that is encrypted using AES-128-CBC. Once decrypted, the cookie's contents are passed to BinaryFormatter.Deserialize(). This is a known sink that can be used to get RCE.
  • The API endpoint POST /ClientWebService/Client.asmx is the vulnerable endpoint. The cookie is encrypted but I don't understand how they are able to encrypt the data and then have that be decrypted and used for the deserialization attack. The PoC just has hardcoded data so maybe the key is hardcoded in the application. According to this article, this can be used to get RCE with SYSTEM privileges. Pretty dangerous bug!
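
A hardened counterpart to the cookie flow described above, as an added example (not code from the linked article, from WSUS, or from Microsoft's fix): the cookie is authenticated with an HMAC before it is decrypted, then parsed into one closed type with System.Text.Json instead of BinaryFormatter. `CookieData`, `SafeCookie`, the token layout and the randomly generated keys are assumptions made for illustration; it targets .NET 6 or later.

```csharp
#nullable enable
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text.Json;

// Demo with constructed keys: a valid token parses, a tampered one is rejected.
byte[] encKey = RandomNumberGenerator.GetBytes(16), macKey = RandomNumberGenerator.GetBytes(32);
byte[] token = SafeCookie.Protect(new CookieData("client-1", DateTime.UtcNow.AddHours(1)), encKey, macKey);
Console.WriteLine(SafeCookie.TryUnprotect(token, encKey, macKey, out _));
token[20] ^= 1; // flip one ciphertext bit
Console.WriteLine(SafeCookie.TryUnprotect(token, encKey, macKey, out _));

// Hypothetical cookie payload: one closed, data-only type.
public sealed record CookieData(string ClientId, DateTime Expires);

public static class SafeCookie
{
    const int IvLen = 16, TagLen = 32;

    // Token layout (assumed): IV || AES-128-CBC ciphertext || HMAC-SHA256(IV || ciphertext)
    public static byte[] Protect(CookieData data, byte[] encKey, byte[] macKey)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;
        aes.GenerateIV();
        byte[] ct = aes.EncryptCbc(JsonSerializer.SerializeToUtf8Bytes(data), aes.IV);
        byte[] body = aes.IV.Concat(ct).ToArray();
        return body.Concat(HMACSHA256.HashData(macKey, body)).ToArray();
    }

    public static bool TryUnprotect(byte[] token, byte[] encKey, byte[] macKey, out CookieData? data)
    {
        data = null;
        if (token.Length < IvLen + 16 + TagLen) return false;
        ReadOnlySpan<byte> body = token.AsSpan(0, token.Length - TagLen);
        ReadOnlySpan<byte> tag = token.AsSpan(token.Length - TagLen);
        // Authenticate before decrypting or parsing: attacker-built bytes stop here.
        if (!CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(macKey, body), tag)) return false;
        using var aes = Aes.Create();
        aes.Key = encKey;
        try
        {
            // Fixed target type; no type names are read from the payload.
            data = JsonSerializer.Deserialize<CookieData>(aes.DecryptCbc(body[IvLen..], body[..IvLen]));
            return data is not null;
        }
        catch (Exception e) when (e is CryptographicException or JsonException) { return false; }
    }
}
```

Encryption alone gives confidentiality, not integrity; the HMAC check and the fixed target type are what keep untrusted bytes away from a type-resolving deserializer.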