cybersec.md

Cybersecurity Content

• Go back to Home page (awesome list)
• See also Exploitation specific content

Summary

• 2023
• 2022
• 2021
• 2020
• 2019
• 2018
• 2017
• 2016
• Other

2023

• "A Deep Dive into Penetration Testing of macOS Applications (Part 1)"
• "A look at CVE-2023-29360, a beautiful logical LPE vuln"
• "A Journey Into Hacking Google Search Appliance"
• "A new method for container escape using file-based DirtyCred"
• "A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition"
• "A Potholing Tour in a SoC"
• "A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM"
• "A Red-Teamer diaries"
• "A story about tampering EDRs"
• "Abusing undocumented features to spoof PE section headers"
• "All cops are broadcasting: TETRA under scrutiny"
• "Analyzing an Old Netatalk dsi_writeinit Buffer Overflow Vulnerability in NETGEAR Route"
• "Analysis on legit tools abused in human operated ransomware"
• "Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway":
  • Part 1
  • Part 2
• "Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991"
• "ARM64 Reversing And Exploitation" (8ksec)
  • Part 1
  • Part 2
  • Part 3
  • Part 4
  • Part 5
  • Part 6
  • Part 7
• "Audio with embedded Linux training"
• "Automating C2 Infrastructure with Terraform, Nebula, Caddy and Cobalt Strike"
• "Back to the Future with Platform Security"
• "Bash Privileged-Mode Vulnerabilities in Parallel Desktop and CDPATH Handling in MacOS"
• "Bee-yond Capacity: Unauthenticated RCE in Extreme Networks/Aerohive Wireless APs - CVE-2023-35803"
• "Behind the Shield: Unmasking Scudos's Defenses"
• "Breaking Fortinet Firmware Encryption"
• "Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability"
• "Breaking Secure Boot on the Silicon Labs Gecko platform"
• "Bypassing PPL in Userland (again)"
• "chonked"
  • "minidlna 1.3.2 http chunk parsing heap overflow (cve-2023-33476) root cause analysis"
  • "exploiting cve-2023-33476 for remote code execution"
• "CAN Injection: keyless car theft"
• "Coffee: A COFF loader made in Rust"
• "CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver"
• "CVE-2023-26258 – Remote Code Execution in ArcServe UDP Backup"
• "CVE-2023-36844 And Friends: RCE In Juniper Devices"
• "CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent"
• "Debugger Ghidra Class"
• "Debugging D-Link: Emulating firmware and hacking hardware"
• "Deep Lateral Movement in OT Networks: When is a Perimeter not a Perimeter?"
• "Defining the cobalt strike reflective loader"
• "Detecting BPFDoor Backdoor Variants Abusing BPF Filters"
• "Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel"
• "Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”"
• "Diving Into Smart Contract Decompilation"
• "Diving into Starlink's User Terminal Firmware"
• "Drone Security and Fault Injection Attacks"
• "Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device"
• "Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489)"
• "Escaping the Google kCTF Container with a Data-Only Exploit"
• "Exploitation of Openfire CVE-2023-32315"
• "Exploiting a Flaw in Bitmap Handling in Windows User-Mode Printer Drivers"
• "Exploiting null-dereferences in the Linux kernel"
• "EPF: Evil Packet Filter"
• "Escaping from Bhyve"
• "ESP32-C3 Wireless Adventure A Comprehensive Guide to IoT"
• "Examining OpenSSH Sandboxing and Privilege Separation – Attack Surface Analysis"
• "Executing Arbitrary Code & Executables in Read-Only FileSystems"
• "Exploit Engineering – Attacking the Linux Kernel"
• "Exploiting MikroTik RouterOS Hardware with CVE-2023-30799"
• "Exploiting a Remote Heap Overflow with a Custom TCP Stack"
• "Exploring Android Heap Allocations in Jemalloc 'New'"
• "Fantastic Rootkits: And Where To Find Them":
  • Part 1
  • Part 2
  • Part 3
• "Finding and exploiting process killer drivers with LOL for 3000$"
• "Finding bugs in C code with Multi-Level IR and VAST"
• "Finding Gadgets for CPU Side-Channels with Static Analysis Tools"
• "For Science! - Using an Unimpressive Bug in EDK II to Do Some Fun Exploitation"
• "FortiNAC - Just a few more RCEs"
• "Fortinet Series 3 — CVE-2022–42475 SSLVPN exploit strategy"
• "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues"
• "From C, with inline assembly, to shellcode"
• "Fuzzing Farm":
  • "Fuzzing GEGL with fuzzuf"
  • "Evaluating Performance of Fuzzer"
  • "Patch Analysis and PoC Development"
  • "Hunting and Exploiting 0-day [CVE-2022-24834]"
• "Ghidra" (Craig Young):
  • "A Guide to Reversing Shared Objects with Ghidra"
  • "Reversing a Simple CrackMe with Ghidra Decompiler"
  • "Vulnerability Hunting with Ghidra"
  • "Patching a Bug from a Ghidra Listing"
  • "Vulnerability Analysis with Ghidra Scripting"
• "Hacking Amazon's eero 6 (part 1)"
• "Hacking Brightway scooters: A case study"
• "Hardware Hacking to Bypass BIOS Passwords"
• "How a simple K-TypeConfusion took me 3 months long to create a exploit? [HEVD] - Windows 11 (build 22621)"
• "How NATs Work":
  • Part 1
  • Part 2
  • Part 3
  • Part 4
• "How I Hacked my Car":
  • Part 1
  • Part 2
  • Part 3
  • Part 4
  • Part 5
  • Part 6
• "How To Secure A Linux Server"
• "Icicle: A Re-designed Emulator for Grey-Box Firmware Fuzzing"
• "In-depth analysis on Valorant’s Guarded Regions"
• "Intel BIOS Advisory – Memory Corruption in HID Drivers "
• "Intercepting Allocations with the Global Allocator"
• "Introduction to SELinux"
• "JTAG 'Hacking' the Original Xbox in 2023"
• "Kernel Exploit Factory"
• "Learn Makefiles With the tastiest examples"
• "Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)"
• linux-re-101
• "Linux Kernel Teaching"
• "Linux Malware: Defense Evasion Techniques"
• "Linux Red Team":
  • "Exploitation Techniques"
  • "Privilege Escalation Techniques"
  • "Persistence Techniques"
• "Linux rootkits explained – Part 1: Dynamic linker hijacking"
• "Linux Shellcode 101: From Hell to Shell"
• "Local Privilege Escalation on the DJI RM500 Smart Controller"
• "Lord Of The Ring0":
  • Part 1
  • Part 2
  • Part 3
  • Part 4
  • Part 5
• "Low-Level Software Security for Compiler Developers"
• "LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863"
• "Malware Reverse Engineering for Beginners":
  • Part 1
  • Part 2
• "Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects"
• "mast1c0re"
  • "Introduction – Exploiting the PS4 and PS5 through a game save"
  • "Part 1 – Modifying PS2 game save files"
  • "Part 2 – Arbitrary PS2 code execution"
  • "Part 3 – Escaping the emulator"
• "Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts"
• "Meterpreter vs Modern EDR(s)"
• "mTLS: When certificate authentication is done wrong"
• "MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis"
• "NVMe: New Vulnerabilities Made Easy"
• "Obscure Windows File Types"
• "Old Bug, Shallow Bug: Exploiting Ubuntu at Pwn2own Vancouver 2023"
• "OPC UA Deep Dive Series":
  • Part 1
  • Part 2
  • Part 3
  • Part 4
  • Part 5
• "OpenSSH Pre-Auth Double Free CVE-2023-25136 – Writeup and Proof-of-Concept"
• "P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm"
• "P4wnP1-LTE"
• "Patches, Collisions, and Root Shells: A Pwn2Own Adventure"
• "Patch Tuesday -> exploit Wednesday: Pwning windows ancillary function driver for WinSock (afd.sys) in 24 hours"
• "Persistence Techniques That Persist"
• "Practical Introduction to BLE GATT Reverse Engineering: Hacking the Domyos EL500"
• "prctl anon_vma_name: An Amusing Linux Kernel Heap Spray"
• "Producing a POC for CVE-2022-42475 (Fortinet RCE)"
• "PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer"
• "PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers with CVE-2023-24749"
• "Pwning Pixel 6 with a leftover patch"
• "Pwning the tp-link ax1800 wifi 6 Router: Uncovered and Exploited a Memory Corruption Vulnerability"
• "Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel"
• "Red vs. Blue: Kerberos Ticket Times, Checksums, and You!"
• "Retreading The AMLogic A113X TrustZone Exploit Process"
• "DualShock4 Reverse Engineering":
  • Part 1
  • Part 3
  • Part 3
• "Revisiting CVE-2017-11176"
• "Rust Binary Analysis, Feature by Feature"
• "Rust to Assembly: Understanding the Inner Workings of Rust"
• "SHA-1 gets SHAttered"
• "Shambles: The Next-Generation IoT Reverse Engineering Tool to Discover 0-Day Vulnerabilities"
• "Shell in the Ghost: Ghostscript CVE-2023-28879 writeup"
• "Shifting boundaries: Exploiting an Integer Overflow in Apple Safari"
• "Smashing the state machine: the true potential of web race conditions"
• "SRE deep dive into Linux Page Cache"
• "Stepping Insyde System Management Mode"
• "THC's favourite Tips, Tricks & Hacks (Cheat Sheet)"
• "The art of Fuzzing: Introduction"
• "The art of fuzzing: Windows Binaries"
• "The art of fuzzing-A Step-by-Step Guide to Coverage-Guided Fuzzing with LibFuzzer"
• "The Blitz Tutorial Lab on Fuzzing with AFL++"
• "The Dragon Who Sold His camaro: Analyzing Custom Router Implant"
• "The Linux Kernel Module Programming Guide"
• "The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders"
• "The Silent Spy Among Us: Smart Intercom Attacks"
• "The Untold Story of the BlackLotus UEFI Bootkit"
• "Sshimpanzee"
• "Xortigate, or CVE-2023-27997 - The Rumoured RCE That Was"
• "Your not so "Home Office" - SOHO Hacking at Pwn2Own"
• "Unauthenticated RCE on a RIGOL oscilloscope"
• "UNCONTAINED: Uncovering Container Confusion in the Linux Kernel"
• "Uncovering HinataBot: A Deep Dive into a Go-Based Threat"
• "Under The Hood - Disassembling of IKEA-Sonos Symfonisk Speaker Lamp"
• "Understanding a Payload’s Life Featuring Meterpreter & Other Guests "
• "Understanding the Heap - a beautiful mess"
• "Windows Installer arbitrary content manipulation Elevation of Privilege (CVE-2020-0911)"
• "Windows Installer EOP (CVE-2023-21800)"
• "Writing your own RDI /sRDI loader using C and ASM"
• "Zenbleed"
• "Zero Effort Private Key Compromise: Abusing SSH-Agent For Lateral Movement"

2022

• "A journey into IoT":
  • "Chip identification, BUSSide, and I2C"
  • "Discover components and ports"
  • "Firmware dump and analysis"
• "Attacking Titan M with Only One Byte"
• "Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu"
• "Bypassing software update package encryption ":
  • "Extracting the Lexmark MC3224i printer firmware"
  • "Exploiting the Lexmark MC3224i printer"
• "Bypassing vtable Check in glibc File Structures"
• "Blind Exploits to Rule Watchguard Firewalls"
• "BPFDoor - An Evasive Linux Backdoor Technical Analysis"
• "CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF"
• "DirtyCred Remastered: how to turn an UAF into Privilege Escalation"
• "Dumping the Amlogic A113X Bootrom"
• "Dynamic analysis of firmware components in IoT devices"
• "Embedded Systems Security and TrustZone"
• "Exploiting CSN.1 Bugs in MediaTek Basebands"
• "exploiting CVE-2019-2215"
• "Firmware key extraction by gaining EL3"
• "Fortigate - Authentication Bypass Lead to Full Device Takeover"
• "How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables"
• "Hunting for Persistence in Linux"
  • Part 1
  • Part 2
  • Part 3
  • Part 4
  • Part 5
• "Hacking Some More Secure USB Flash Drives":
  • Part 1
  • Part 2
• "Linux Hardening Guide"
• "Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg"
• "Linux Kernel Exploit (CVE-2022–32250) with mqueue"
• "Manipulating AES Traffic using a Chain of Proxies and Hardcoded Keys"
• "Missing Manuals - io_uring worker pool"
• "Netgear Orbi":
  • "orbi hunting 0x0: introduction, uart access, recon"
  • "orbi hunting 0x1: crashes in soap-api"
  • "nday exploit: netgear orbi unauthenticated command injection (cve-2020-27861)"
• "nday exploit: libinput format string bug, canary leak exploit (cve-2022-1215)"
• "Overview of GLIBC heap exploitation techniques"
• "pipe_buffer arbitrary read write"
• "Pixel 6 Bootloader"
  • "Booting up"
  • "Emulation, ROP"
  • "Exploitation"
• "Port knocking from the scratch"
• "Pulling MikroTik into the Limelight"
• "Researching Xiaomi’s Tee to Get to Chinese Money"
• "Reversing embedded device bootloader (U-Boot)":
  • Part 1
  • Part 2
• "Reverse engineering integrity checks in Black Ops 3"
• "Reverse engineering thermal printers"
• "Tetsuji: Remote Code Execution on a GameBoy Colour 22 Years Later"
• "The Dirty Pipe Vulnerability"
• "The Old, The New and The Bypass - One-click/Open-redirect to own Samsung S22 at Pwn2Own 2022"
• "The toddler’s introduction to Heap exploitation":
  • "Part 1"
  • "Part 2"
  • "Overflows"
  • "Use After Free & Double free"
  • "FastBin Dup to Stack"
  • "FastBin Dup Consolidate"
  • "Unsafe Unlink"
  • "House of Spirit"
  • "House of Lore"
• "Trying To Exploit A Windows Kernel Arbitrary Read Vulnerability"
• "Turning Google smart speakers into wiretaps for $100k"
• "Vulnerabilities and Hardware Teardown of GL.iNET GL-MT300N-V2 Router"
• "Vulnerabilities in Tenda's W15Ev2 AC1200 Router"
• "Write a Linux firewall from scratch based on Netfilter"

2021

• "A dive into the PE file format":
  • "Introduction"
  • "DOS Header, DOS Stub and Rich Header"
  • "NT Headers"
  • "Data Directories, Section Headers and Sections"
  • "Imports (Import Direcory Table, ILT, IAT)"
  • "PE Base Relocations"
  • "Writing a PE Parser"
• "Breaking 64 bit aslr on Linux x86-64"
• "Complete Guide to Stack Buffer Overflow (OSCP Preparation)"
• "CVE-2021–20226 a reference counting bug which leads to local privilege escalation in io_uring."
• "Digging into Linux namespaces":
  • Part 1
  • Part 2
• "Fire of Salvation Writeup: Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel"
• "Learning Linux Kernel Exploitation":
  • Part 1
  • Part 2
  • Part 3
• "Linux Kernel Exploitation":
  • "Debugging the Kernel with QEMU"
  • "Smashing Stack Overflows in the Kernel"
  • "Controlling RIP and Escalating privileges via Stack Overflow"
• "New Old Bugs in the Linux Kernel"
• "Recovering a Full PEM Private key when Half of it is Redacted"
• "Reverse Engineering Bare-Metal Firmware":
  • Part 1
  • Part 2
  • Part 3
• "Reverse Engineering Yaesu FT-70D Firmware Encryption"
• "The Oddest Place You Will Ever Find PAC"
• "Wall Of Perdition: Utilizing msg_msg Objects For Arbitrary Read And Arbitrary Write In The Linux Kernel"

2020

• "BGET Explained Binary Heap Exploitation on OP-TEE":
  • Part 1
  • Part 2
• "Exception(al) Failure - Breaking the STM32F1 Read-Out Protection"
• "Hardware Hacking 101: Identifying and Dumping eMMC Flash"
• "House of Muney - Leakless Heap Exploitation Technique"
• "My Methods To Achieve Persistence In Linux Systems"
• "nRF52 Debug Resurrection":
  • Part 1
  • Part 2
• "NTLM Relay"
• "SSHD Injection and Password Harvesting"

2019

• "Executable and Linkable Format 101":
  • "Sections and Segments"
  • "Symbols"
  • "Relocations"
  • "Dynamic Linking"
• "Hacking microcontroller firmware through a USB"
• "Hardening Secure Boot on Embedded Devices for Hostile Environments"
• "Pew Pew Pew: Designing Secure Boot Securely"
• "Pwn the ESP32 Secure Boot"
• "Reverse-engineering Broadcom wireless chipsets"
• "Virtualization Internals":
  • Part 1
  • Part 2
  • Part 3
  • Part 4

2018

• "CVE-2017-11176: A step-by-step Linux Kernel exploitation":
  • Part 1
  • Part 2
  • Part 3
  • Part 4
• "eMMC Data Recovery from Damaged Smartphone"
• "My journey towards Reverse Engineering a Smart Band — Bluetooth-LE RE"

2017

• "HiSilicon DVR hack"
• "How I Reverse Engineered and Exploited a Smart Massager"
• "Linux ptrace introduction AKA injecting into sshd for fun"

2016

• "Bypassing Secure Boot using Fault Injection"
• "munmap madness"
• "Implementation of Signal Handling"
• "Practical Reverse Engineering"
  • "Digging Through the Firmware"
  • "Scouting the Firmware"
  • "Following the Data"
  • "Dumping the Flash"
  • "Digging Through the Firmware"
• "Understanding and Hardening Linux Containers"

Other

• "A Noobs Guide to ARM Exploitation"
• "Advanced binary fuzzing using AFL++-QEMU and libprotobuf: a practical case of grammar-aware in-memory persistent fuzzing"
• "Advanced Compilers: The Self-Guided Online Course"
• "ARM TrustZone: pivoting to the secure world"
• "Introduction to encryption for embedded Linux"
  • "Introduction to encryption for embedded Linux developers"
  • "A hands-on approach to symmetric-key encryption"
  • "Asymmetric-Key Encryption and Digital Signatures in Practice"
• "Debugger Ghidra Class"
• "Laser-Based Audio Injection on Voice-Controllable Systems"
• "Linux Kernel map"
• "Linux Insides"
• "Linux Syscalls Reference"
• "mjsxj09cm Recovering Firmware And Backdooring"
• "Satellite Hacking Demystified(RTC0007)"
• TEE Reversing
• "THC's favourite Tips, Tricks & Hacks (Cheat Sheet)"
• USB-WiFi
• "VSS: Beginners Guide to Building a Hardware Hacking Lab"