Josh Hawking

Bypassing Threatlocker With Powershell

June 2023 – We discuss how we bypassed one of the most heavily used ‘zero trust’ application whitelisting platforms. Their homepage ironically states that they block execution of anything not explicitly whitelisted, ‘including ransomware’, but, as we will show, that wasn’t entirely accurate…

Hidden in Plain Sight

May 2023 – In this edition, we highlight how a decommissioned application was not fully removed as expected, allowing us to abuse legacy functionality to compromise an enormous amount of client and PII data.

SyncFusion: CVE-2023-26563/4/5

We discovered multiple high-severity CVEs in Syncfusion’s software and discuss the advantages and disadvantages of utilising third-party solutions in your software.

This blog goes into detail about the issues themselves and the corresponding risks that they pose to businesses.

Single Sign On Security

SAML Shenanigans

March 2023 – With single sign-on becoming more common during our assessments, we cover one of the vulnerabilities we discovered during an engagement that let us forge SAML responses to escalate privileges in a web application.

Subdomain Takeovers

Subdomain takeovers occur when an attacker is able to abuse dangling DNS aliases for cloud services to host their own content on an organisation’s subdomain. This content could consist of phishing pages, malware or anything else intended to compromise sensitive data.

Developers Hate This One Simple (Image) Magick Trick

ImageMagick is one of those really powerful libraries that always gets mentioned in relation to anything to do with image processing. Sure enough, it’s a case of running “apt install” and then installing the relevant binding for whatever programming language is being used. And away you go: you now have support for dozens of image formats and the ability to resize, convert between them, add text, and so on. This is exactly what one of our clients had implemented in their web application, which we assessed in late January.

RCE – Really Crap Encryption

In December 2022, we completed a web application security assessment for a client who wanted assurance that their newly developed application was ready for production. The application allowed users to upload documents, rename files and create directories – basically acting as a web-based file explorer. As penetration testers, file upload functionality always raises alarm bells in our heads, as it’s deceptively difficult to implement securely.

Accessing the Keys to The Kingdom

In October 2022, we completed an internal security assessment for a large tech organisation with clients in the legal industry, focused around the handling of sensitive documents for other companies. The scope was focused on their “user network”, which hosted the Active Directory domain to which all of their workstations and laptops were connected. Our scenario assumed access to their office – while this may seem like a fairly extreme position to start with, on our first day, when we arrived at their office, we were able to walk in and someone helpfully held the door open for us without asking who we were…

Compromising 5,000 Servers CTF-Style

In September 2022, we completed an internal security assessment for a large client in the tech industry. The scope was enormous – about 20,000 hosts split across eight different countries. Of these 20,000 hosts, approximately 50 were Windows machines in a single domain. Our scenario assumed a stolen laptop belonging to the lowest-privileged user. This user had a standard account in AD with no access to the Linux infrastructure.

From Previewing Files to Cracking Hashes

In August 2022, we completed a web application penetration test for a relatively new client. The scope was a pre-existing web application that allowed users to manage their calendars, plan events, upload documents and manage their accounts.

The application had been tested by a previous penetration testing supplier and received a clean bill of health, but that all changed once we had our hands on it…