maxpowell - Network

Yo, it seems Scylla made its comeback!

hyperiongray.net/hg

2.4.2024 12:01
https://infosec.exchange/@MaxPow...

So after two weeks fighting against the Juice Shop project I come back to pentest a bit the new website our company is creating and ya boi found an XSS. <3

17.8.2023 07:14
https://infosec.exchange/@MaxPow...

Auditd needs a set of rules to be defined in order to generate alerts. The default configuration is garbage, you cannot install it, enable it and leave it running. You must apply a configuration that works for you.

In order to deal with this we can apply a quick set of rules developed by our friend Florian. :)

github.com/Neo23x0/auditd

1.8.2023 08:06
https://infosec.exchange/@MaxPow...

So first of all, what the hell is auditd?

tl;dr - It's just another logging software that gives you a lot of info about what is happening in your host.

Someone wants to add a new user to the machine? This is going to be logged.

The www-data user has executed the 'whoami' command? This is going to be logged.

1.8.2023 08:02
https://infosec.exchange/@MaxPow...
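As an added illustration of the two events mentioned above (an account being created, www-data running a command) and of the "you must apply a configuration" point from the rules post, here is a minimal rule set plus the commands to load and verify it. This is example code written for this page, not the author's configuration and not the Neo23x0 ruleset he links. It assumes a Debian/Ubuntu layout (rules under /etc/audit/rules.d, augenrules available) and www-data having uid 33; the key names are arbitrary labels.

```shell
#!/bin/sh
# Added example (not from the original posts): a minimal auditd rule set that
# logs account changes and every command executed as www-data, plus how to
# load it and check that it is active.
# Assumptions: Debian/Ubuntu layout (/etc/audit/rules.d, augenrules) and
# www-data = uid 33. Adjust both for your distribution.

WWW_DATA_UID=33   # assumption: Debian/Ubuntu default uid for www-data

# Print the rule set. Kept in a function so it can be reviewed or diffed
# before anything is written under /etc/audit/rules.d/.
custom_audit_rules() {
  cat <<EOF
## Added example rules, not the Neo23x0 set. Key names are arbitrary labels.
# Account changes: any write or attribute change to the identity files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
# Execution of the account management tools themselves
-w /usr/sbin/useradd -p x -k user_add
-w /usr/sbin/usermod -p x -k user_add
-w /usr/sbin/adduser -p x -k user_add
# Every execve() performed as www-data (a web shell running 'whoami', say).
# Both ABIs are needed, otherwise a 32-bit binary slips past the rule.
-a always,exit -F arch=b64 -S execve -F uid=$WWW_DATA_UID -k www_data_exec
-a always,exit -F arch=b32 -S execve -F uid=$WWW_DATA_UID -k www_data_exec
EOF
}

# Write the rules next to the distribution's own files and load them.
# augenrules merges every /etc/audit/rules.d/*.rules file into
# /etc/audit/audit.rules and hands the result to auditctl. Needs root.
install_audit_rules() {
  custom_audit_rules > /etc/audit/rules.d/50-custom.rules
  augenrules --load
  auditctl -l | grep -q www_data_exec   # confirm the rule is really loaded
}

# After loading, provoke both events and search by key (as root):
#   useradd -M tmpaudit && ausearch -k identity --start recent
#   sudo -u www-data whoami && ausearch -k www_data_exec -i --start recent
```

The execve rule is deliberately keyed on the uid rather than on a command name, so it also catches the attacker's second, third and hundredth command, not just `whoami`; the price is volume on a busy PHP host, which is why a key (`-k`) is attached to every rule: it is what `ausearch -k` and your SIEM filters will pivot on.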

Okay, now it's time to play with auditd and to ask myself why the hell I've waited so long to install it.

For the record, I successfully installed sysmon on every Windows endpoint, however, our linux servers are quite critical, so I was busy deploying a dedicated syslog config. <3

1.8.2023 07:56
https://infosec.exchange/@MaxPow...

Fun fact, after almost a month and right before taking the app to prod, I notice that there are no password requirements for user creation. As a result, you can create any user with a one character password.

God dammit, I didn't check that. :/

26.7.2023 06:34
https://infosec.exchange/@MaxPow...

I've tried everything I know, but it seems we only managed to get those three vulns.

I would say that our hardening guide was good enough and I should be happy about it, but as a hackerino I want to break more things. :/

Anyways, it was fun!

29.6.2023 12:38
https://infosec.exchange/@MaxPow...

Dang it, it is possible to create users in the store with 1 character passwords.

It seems someone forgot to mention password minimum requirements hehe (totally not me 👀​)

29.6.2023 10:03
https://infosec.exchange/@MaxPow...

Well, well, well, this website is supposed to be an online store, so let's mess with the products, the cart, the payment process, etc.

First thing I tend to try in these situations is sending garbage like "I would like to buy -1 books of this ID". Suddenly WordPress shows me an HTTP 500 critical error hahahaha.

Is this a vuln? I don't know, I wouldn't say so. Basically it's a bad practice because they are not checking parameters and boundaries of their products.

I will probably just include this as additional information along with many visual bugs I've seen.

Anyways, I just love breaking things <3

29.6.2023 09:22
https://infosec.exchange/@MaxPow...

Another day, another slay.

I prefer using ZAP instead of Burp because open source goes brrRrRrRr, so after a quick manual review it seems that a Javascript library they are using is outdated and is vulnerable to XSS.

We have a WAF that blocks this kind of request, but there are no XSS protection headers configured on the web server, so this is another vuln for me. Medium level vuln in my opinion if we put everything together.

29.6.2023 07:22
https://infosec.exchange/@MaxPow...

OH, it seems that the forgot password form only shows the "We have sent you an email" message if the account exists.

Well, now I would include this as a low level vuln and comment about the /author endpoint.

We got our first one bois!

28.6.2023 16:17
https://infosec.exchange/@MaxPow...

In my opinion, I would not even include this in the report because that's the way WordPress works.

Maybe I would just add it as a note, but not as a vuln.

Of course you could try with something like the company name or so, but that doesn't tell you anything.

28.6.2023 15:26
https://infosec.exchange/@MaxPow...

I know the username of one of the team members, so if I send a GET request to example.com/author/<username>, I get a 200 OK.

So, this could be seen as an information disclosure vuln, but:

1. I would need to bruteforce every possible combination to get the username and that would cause A LOT of noise and probably result in a block by the firewall.

2. You still don't have any password, so you can't do much.

Tip: try to look for any request for the /author/ endpoint in your logs ;)

28.6.2023 15:24
https://infosec.exchange/@MaxPow...
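The tip in the post above (look for /author/ requests in your logs), together with the forgot-password behaviour noted a few posts earlier, can be turned into a concrete log check. What follows is an added example written for this page, not code from the original posts: it reads combined-format access log lines on stdin and counts, per client IP, the distinct /author/<username> slugs requested and the POSTs to wp-login.php?action=lostpassword. The field positions (IP in field 1, path in field 7), the threshold of 3 and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original posts): spot WordPress user
# enumeration in an access log, both the /author/<username> probes and
# repeated "forgot password" submissions. Input is combined log format on
# stdin; assumption: field 1 is the client IP, field 7 the request path.

# Print "IP<TAB>number of distinct author slugs probed" for every client
# that requested /author/<name>. Many distinct slugs from one IP is
# enumeration; one or two is usually a visitor following a byline link.
author_probes_per_ip() {
  awk '$6 == "\"GET" && $7 ~ /^\/author\/[^\/?]+/ {
         sub(/^\/author\//, "", $7); sub(/[\/?].*$/, "", $7)
         seen[$1 "\t" $7] = 1
       }
       END {
         for (k in seen) { split(k, p, "\t"); n[p[1]]++ }
         for (ip in n) print ip "\t" n[ip]
       }' | sort
}

# Same idea for the password reset form: count POSTs per IP to
# wp-login.php?action=lostpassword. The form answers differently for
# existing and non-existing accounts, so a burst of them is an oracle probe.
lostpassword_posts_per_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php\?action=lostpassword/ { n[$1]++ }
       END { for (ip in n) print ip "\t" n[ip] }' | sort
}

# Keep only lines whose count is at or above the threshold given as $1.
flag_above() {
  awk -v t="$1" -F '\t' '$2 + 0 >= t + 0'
}

# Constructed sample log (not real traffic): 203.0.113.9 walks through
# guessed usernames, 198.51.100.4 is a regular visitor.
SAMPLE_LOG='203.0.113.9 - - [28/Jun/2023:15:24:01 +0000] "GET /author/admin HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.9 - - [28/Jun/2023:15:24:02 +0000] "GET /author/maxpowell/ HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.9 - - [28/Jun/2023:15:24:03 +0000] "GET /author/editor?paged=2 HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.9 - - [28/Jun/2023:15:24:04 +0000] "GET /author/webmaster HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.4 - - [28/Jun/2023:15:30:10 +0000] "GET /author/maxpowell/ HTTP/1.1" 200 5123 "https://example.com/" "Mozilla/5.0"
203.0.113.9 - - [28/Jun/2023:16:17:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [28/Jun/2023:16:17:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [28/Jun/2023:16:17:03 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2048 "-" "curl/8.0"'

# Usage on a real log, e.g.:
#   author_probes_per_ip < /var/log/nginx/access.log | flag_above 3
printf '%s\n' "$SAMPLE_LOG" | author_probes_per_ip | flag_above 3
printf '%s\n' "$SAMPLE_LOG" | lostpassword_posts_per_ip | flag_above 3
```

Note that the check counts distinct slugs per IP rather than raw hits, because a legitimate reader hitting one author page several times is not enumeration. Also keep in mind that the WAF mentioned in the XSS post may already have swallowed most of such a burst, so the blocked-request log of the WAF is worth the same query.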

Ok, in this case where we got absolutely nothing to deal with, it is common to start looking for the login page. It is usually at /wp-login.php

By default wordpress leaks usernames in the login error messages, but in this case we changed that to just display a generic text.

Let's look for something else.

28.6.2023 15:18
https://infosec.exchange/@MaxPow...

And here we go! :D

I'm not an expert in WordPress, but the first thing I like to do is run WPScan in order to give me some quick insights about any misconfiguration, outdated plugins and so on. Remember to get an API key on their website to get the vulnerabilities.

In this case the application is not in production, so I can run any aggressive method I want.

As I expected, everything is fine and I can't get any info because I added authentication and disabled all unwanted methods.

28.6.2023 14:58
https://infosec.exchange/@MaxPow...

I will be the one carrying out the internal pentest and I will compare all the results with an external pentest from a third party.

I know they will find more things than me, but we will find out. :blobcatcookienom:

28.6.2023 07:58
https://infosec.exchange/@MaxPow...

Sheesh, I've been out for a while. I will try to stay more active in here.

First thing I will do is...pentest a wordpress installation!

After developing our wordpress hardening guide, I will pentest an internal wordpress of the company. Wish me luck!

28.6.2023 07:53
https://infosec.exchange/@MaxPow...

WHAT! So, after a month I check my question and someone replied with the same problem I have.

This person was so brave to debug the problem and discovered that Microsoft takes the certificate with the highest thumbprint () as the authentication certificate.

I will try to test this on my servers, but if this is true, I will just hate Microsoft more than ever.

11.4.2023 15:00
https://infosec.exchange/@MaxPow...

I'm writing a detailed Wordpress hardening guide for my company and it's the first time I'm working with WP.

I've been following the official WP security guide but even with it there are a lot of other options that must be implemented in order to achieve a good security level.

23.3.2023 11:16
https://infosec.exchange/@MaxPow...

I just found out that one of our Dell systems does not allow the use of the character 'ñ' in a password because it is detected as a non-printable character.

Bruh...

21.3.2023 15:23
https://infosec.exchange/@MaxPow...