dotfiles - A Treasure Trove

What are dotfiles? Dotfiles, for the context of this blog, are a collection of files, often starting with dots (as the name implies) where users (developers, system admins, etc) store their personalised configurations for a variety of software. These dotfiles are often pushed to a git repository and contain configuration files for software such as Vim, VSCode, Zsh, .aliases, git, and so on. A common use case for dotfiles is when users join new companies and get issued a work laptop....

May 26, 2024 · 3 min

Tracking via GitHub Keys

Have you ever been in a situation where you are managing a large number of users and one of them has committed sensitive information to a repository on GitHub? The issue is exaggerated even more when the username is ambiguous, the .patch file does not have any helpful information and generally, no solid details are present to find out who made the commit. Depending on how your organisation works, you may be able to use ....

April 22, 2023 · 2 min

Credential Harvesting via Postman

Postman is an API platform for developers to design, build and test their APIs. The platform allows users to work in teams and organizations, giving users the option to share their workspace over the Internet. One of the features includes the ability to organize requests (GET, POST, PATCH, etc) on different ‘pages’, with the option to define request parameters, headers, authorization, body and tests. The issue at hand comes into play when request parameters are directly populated with values such as passwords, API tokens and secrets, combined with a workspace which has been shared publicly....

August 28, 2022 · 2 min

urlscan.io Dorking

urlscan.io is a free and paid tool that is used to scan and analyse URLs. The tool is often used by Security Analysts and employees working in a SOC. It is also available as an integration add-on in several popular security toolings such as Splunk SOAR and Cortex XSOAR. This post will be focusing on the Search functionality in urlscan.io and how it can be abused to extract sensitive content due to tooling misconfigurations or accidental information leakage....

April 15, 2022 · 4 min

Blue Team Level 1 Review

Blue Team Level 1 is a certification offered by Security Blue Team. The certification is aimed at entry to junior level roles and consists of six primary domains. At the time of writing the cost for the certification was roughly NZ$800, which included access to training material for 4 months and 100 hours of access to a lab environment. The training went over Security Fundamentals, Phishing Analysis, Threat Intelligence, Digital Forensics, Security Information and Event Management, and Incident Response....

January 25, 2022 · 2 min

CVE-2021-40848 Mahara | CSV Injection

Mahara is an electronic portfolio system that is used as an eLearning tool by education institutions around the globe. The software contains the ability to export records from the system into a CSV file. This blog will cover how that functionality can be abused (when inputs are not escaped correctly), to conduct local command execution (aka CSV injection). For this demonstration, two accounts will be used. The first account will be the malicious actor where CSV injection payloads are saved into editable inputs....

November 3, 2021 · 3 min

eLearnSecurity eJPT Review

eLearnSecurity Junior Penetration Tester (eJPT) is a certification offered by eLearnSecurity. The training for this certification is provided by the parent company called INE (Inter Network Experts). In order to train for eJPT, INE offers a Penetration Testing Student (PTS) pathway, free of charge, under the recently launched starter pass. The training itself consists of 38 hours worth of content, including slides, videos, practical labs and three practice black boxes. Coming from HackTheBox background, I had familiarity with most of the tools and concepts offered....

July 11, 2021 · 1 min

Organisation Registration Bypass – Matrix Synapse

Matrix is an open standard and protocol for real-time communication. One of the Matrix package is a reference homeserver, known as Synapse. This means that Synapse is essentially a server that organisations and communities can run, to host and access their own Matrix server. This also means that those organisations are able to control who can sign up and access that particular server. To register on a server, the portal asks for details such as name, password, and email....

April 5, 2021 · 2 min

Unvalidated Redirect HTML Viewer – Element Messenger

Element (formerly Riot and Vector) is an open source instant messaging application implemented over the Matrix protocol. Matrix is known for supporting end-to-end encryption and the application itself is available for various platforms, including Desktop, Mobile and Web. This post will only be addressing the mobile version, which contained the vulnerability at the time this was written. Firstly, the Android application in question is available at this link, with the code base for the application hosted here....

October 28, 2020 · 3 min

CVE-2020-26163 BigBlueButton | Host Header Injection

Back in April, one of the systems I was testing was a video conferencing application, known as BigBlueButton, an open source challenger to Zoom. The BigBlueButton installation comes with a user friendly interface, known as Greenlight, which ties in nicely with the BigBlueButton server. While most of the corporate installations would be using LDAP authentication, at times, installation will be based on standard username and password login mechanism, which is handled by Greenlight....

May 25, 2020 · 3 min