Pivoting through Tomcat

On a recent pen-test engagement we had come across a Tomcat server with default creds. Trying to old tried and true methods with Metasploit did not work to get a shell on the box , which was running proprietary IBM_AIX. The exploit would be successful but no connect-back. Because of the limited time instead of trying to test for egress (and later finding out theres no payloads for metasploit), we tried another method of uploading a JSP .war file to the box that once deployed, enabled us to browse and run commands. Continue reading

How not to roll out a website

I’m posting this now because the hosting company has seem to finally fix the issues, I tried emailing and tweeting to them but got no response from any of the parties.

A few weeks ago there was some buzz on Rage Against the Machine’s site: Rage Against the Machine, Public Enemy & Cypress Hill member were forming a supergroup called Prophets of Rage. On the day of announcement they posted a mysterious webpage with just a countdown clock, http://prophetsofrage.com . Continue reading

SSH Tunneling RDP Using Putty

Recently I was trying RDP from a Windows10 laptop through SSH on a Debian web-server to an internal Windows7 box that was on a different VLAN. I had only a Windows10 laptop with Putty to do it. So Basically Win10laptop>debianwebserver>win7through a secure ssh session and get to the internal Win7 without port forwarding on the router.

I had access to SSH account on the Debian web-server, so I was able to use this as a pivot point to get into the internal network. Luckily even though the Debian web-server and Win7 box were on different VLANs, the VLANs were able to talk to each other. The Debian web-server was on , it could still ping Win7 on

Just in case your head is spinning trying to read this, below is a diagram how I achieved this using Putty. Im posting it here so next time I need to do this I dont need to try to figure it out again.


Windows 10 RS1 14316

The build brings new changes targeting previously exploited dll-hijacking and uac bypass method vulnerabilities.

cliconfg.exe – can no longer be used as target for autoelevation as MS changed it manifest to autoelevate=false.

mmc.exe – event viewer console fixed, dll hijacking no longer works.

fake IIS inetmgr.exe launch from inetsrv appinfo hardcoded directory fixed too – Windows will not allow you to run & autoelevate anything except legit InetMgr.exe from system32inetsrv directory.

Bypasses alot of the methods used by UACme that is posted in my ::Wiki::

OpenSSH xauth command injection

Affected configurations: All versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled.

Vulnerability: Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).
Injection of xauth commands grants the ability to read arbitrary files under the authenticated user’s privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth(1), which was not written with a hostile user in mind, as an attack surface.

Mitigation / Workaround:
disable x11-forwarding: sshd_config set X11Forwarding no
disable x11-forwarding for specific user with forced-commands: no-x11-forwarding in authorized_keys

::More Info::

This also affects DropBear, from their Changelog:
“Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions”

Mitigation / Workaround:
disable x11-forwarding: re-compile without x11 support: remove #define ENABLE_X11FWD in options.h

::More Info::

Bypass Biometrics with Inkjet Printer


Researchers, Kai Cao and Anil Jain, from the Department of Computer Science and Engineering at Michigan State University have loaded up an inkjet printer with cartridges designed for printing electronic circuits, and used the output to fool smartphone fingerprint sensors on a Samsung Galaxy S6 and a Huawei Honor 7. They just needed a reversed scan of the victim’s fingerprint, and an inkjet printer loaded up with ink and paper from printed electronics specialist AGIC. Read more of their paper ::HERE::