Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Current State of the Microsoft DDE Attacks - 14

Dominic    Reference →Posted 6 Years Ago
  • Something like 80% of hacks start from some sort of phishing attack.
  • Sending malicious Excel/Word files was a major avenue for this for years!
  • DDE (Dynamic Data Exchange) essentially allowed remote code execution on the machine once the document was opened.
  • In security class, as a junior in college, I created a demonstration of this using a Word file that would download my GitHub repo from the internet and then attempt to find the string "11". Once this string was found, it would replace it with "pwned". Essentially, it was a keylogger waiting for a particular string. I was trying to mimic the Bitcoin address-switching malware.
  • Although Microsoft has locked this down for a couple of years now, people occasionally find bypasses that make it exploitable again.

Unauthenticated LAN Remote Code Execution in AsusWRT - 13

Pedro Ribeiro    Reference →Posted 6 Years Ago
  • Interesting because the request is made BEFORE authentication has happened: the router makes a request to itself, which bypasses authentication.
  • This essentially bypasses authentication on POST requests entirely. From there, there are several configuration settings that can be set (including the admin password).
  • Once you have the administrative password, it is trivial to enable SSH access for yourself and run arbitrary commands. I personally would not call this an RCE bug; I would call it a privilege escalation bug that can lead to RCE.

Electron URI Handler RCE - 12

Tomas Lažauninkas    Reference →Posted 6 Years Ago
  • Used a URI feature that broke everything.
  • A double quote broke out of the command-line parameter, allowing additional switches to be passed to the program.

Satori Botnet Conquering Routers - 11

Satori    Reference →Posted 6 Years Ago
  • This is basic command injection, as can be seen from the `reboot` query that was sent.
  • Why is compromising these publicly facing routers so easy? It just feels like a terrible thing that people can go on Shodan, look for vulnerable routers, and use a known exploit to take them over...

Tinder Privacy Issue - 10

?    Reference →Posted 6 Years Ago
  • Just a press release about some interesting information that is viewable on Tinder.
  • This essentially gave anyone the ability to watch, in real time, as someone rated people... Kind of a sad fate :(

Hacking a System with an Open Port - 9

Hack-Hour    Reference →Posted 6 Years Ago
  • Just because a port is open does not mean that it is vulnerable!
  • But where services are running, there are potential vulns. So, this is a guide to the exploitation of common services on different ports.

Exploit for the Apache Struts Vuln (Equifax) - 8

Chris Davis    Reference →Posted 6 Years Ago
  • At its core, this is a Java deserialization issue. Deserialization is really hard! If something you control is being serialized or deserialized, it is likely a good path to go down.
  • This is the same bug that initially got the hackers into Equifax... Update your stuff, people!

RCE in Google Pixel - 7

Android Security    Reference →Posted 6 Years Ago
  • Man, these people sure worked hard for this exploit! An RCE bug and a sandbox escape to get onto the Google Pixel...
  • Three features used together triggered an odd OOB race condition.
  • The sandbox escape is from a use-after-unmap? Whatever that means! Likely a use-after-free of some kind.
  • Eventually, after the sandbox escape, a ROP (return-oriented programming) technique is used. In the wild, creating a REAL chain of gadgets can be difficult, but it is possible!

CubeCart 6.1.12 - Admin Authentication Bypass - 5

RIPS Tech    Reference →Posted 6 Years Ago
  • The first vulnerability is a blind SQL injection within the password reset functionality. By sending an array of passwords instead of a single password, the input gets past the sanitization.
  • Additionally, a custom SQL parser can have REALLY bad endings. By abusing the fuzzy search feature, any password can be reset!
  • RIPS Tech has lots of amazing articles; just an FYI.

Remote Code Execution on the Smiths Medical Medfusion 4000 - 4

Scott Gayou    Reference →Posted 6 Years Ago
  • This guy spent 400 hours of his time reversing and exploiting this device! That is dedication!
  • This is an amazing article about the ENTIRE process of hacking something, from the initial threat modeling through to remote code execution.
  • It also has a good hardware debugging process for getting the firmware off the device.