In this blog, I’ll be discussing an Open-Redirect vulnerability that I found out a few days ago in Instagram’s Android Application.

First we’ll look at what an Open-Redirect vulnerability is and what threats/risks it poses, and then I’ll dive into the details of the actual issue itself.

What is URL Redirection?

URL Redirection, or URL Forwarding or just Redirection, is a feature of applications to direct users to different pages or subdomains of the same or sometimes an external application. URL Redirections help in easy navigation of the app and its resources.

Open Redirection

When an application redirects a user to a fixed URL, or safely…

Git is a Version Control System used to track and monitor modifications made in files/folders during application development. Git works by helping developers easily ‘commit’ changes to a source code during development or testing and that then gets ‘pushed’ onto the live application. This provides developers with an advantage of ease of development.

A .git repository in our case are folders having source code files and configurations of a project. It contains version history of a project as well as all the changes made to a project over a certain period of time. …

In this blog, we’ll be looking at the USB Rubber Ducky or the BadUSB. We’ll start by an introduction to BadUSBs, what makes USBs “Bad” and then we’ll look at creating our own BadUSB.

What is a USB Rubber Ducky (or BadUSB)?

USB Rubber Ducky (famously seen in the Mr. Robot TV series) is not a traditional USB drive. In fact, a USB Rubber Ducky (or BadUSB, in general) is a keystrokes injector, which acts as an HID (Human Interface Device) when plugged into a computer, and mimics one. Originally developed by HAK5, it is a handy little tool for hackers and pentesters allowing them to get a…

In this blog, we’ll discuss how service paths can be abused to escalate privileges in Windows systems. As usual, we’ll look at the theoretical aspects of this abuse, and then we’ll have a practical walkthrough of the abuse.

In the MITRE ATT&CK Framework, Privilege Escalation is listed as an Enterprise Tactic bearing the ID TA0004. Abusing Unquoted Service Paths is a sub-technique of the Hijacking Execution Flow technique (T1547) bearing the technique ID T1547.009.

Quoted and Unquoted Service Paths:

When a service is installed/created and its executable path contains spaces, then it is a concern of secure coding to enclose the path in quotes, but…

In this blog, we will have an in-depth look at BloodHound. We will start by discussing what BloodHound is, how to install and configure it, and finally what can a potential attacker achieve with BloodHound.

What is BloodHound?

BloodHound is a JavaScript based web application that is compiled with Electron and uses Neo4j as the backend database. BloodHound uses graphs to map out the Active Directory environment, and then helps in identifying various attack paths to move laterally within the domain or to escalate privileges.

In this blog, we will be discussing the basics of exploit development by exploiting a stack overflow vulnerability in a simple application. We will look at a simple memory structure, program execution in memory, causes of buffer overflow and then finally, as always, a practical demonstration of the attack.

What is Buffer Overflow?

Buffer overflow is simply overflowing the buffer space that a program or application has been allocated in the memory.

Stack Memory Structure

The memory stack is a part in the memory assigned to an application or program for its execution. It is responsible for holding the local data, parametric values and return addresses during…

In this blog, we will be focusing on abusing the Replication of Directory Services feature of an Active Directory environment. As always, we will first discuss the Directory Services Replication feature of Active Directory and then we will walkthrough both the theoretical and practical aspects of the abuse.

DCSync Attack is listed as an Enterprise Credential Dumping technique on the MITRE ATT&CK Framework, bearing the ID 1003.006.

What is AD Replication?

In most of the cases, organizations need multiple Domain Controllers to manage AD Objects in the environment. To keep these multiple Domain Controllers in sync with each other Microsoft introduced the Directory Replication…

This attack targets the Kerberos Authentication Protocol in an Active Directory environment, and attempts to retrieve the service accounts’ passwords or tickets that can then be cracked offline to reveal cleartext credentials. Kerberoasting has been listed in the MITRE ATT&CK framework as an Enterprise Attack Vector, bearing the ID T1208. In a nutshell, Kerberoasting has the following three steps:

  1. Identify Active Directory accounts with Service Principal Names (SPNs) set.
  2. Request service tickets for the service accounts using SPN values.
  3. Use mimikatz or some other credential dumping tool to get the service tickets.
  4. Crack the service tickets for clear text credentials.

This attack demonstrates how an attacker can abuse some AD misconfigurations and rights of the DNS Admins group in a Windows environment and can successfully own the Domain Admins, Enterprise Admins or the Domain Controller depending upon where the DNS service is actually configured and running from.

By default, Domain Controllers are also DNS Servers meaning, that a user who is a part of the DNS Admins group can successfully abuse his rights and get code execution on the Domain Controller.

Anatomy of the attack:

Successful exploitation of the attack requires a compromised user, part of the DNS Admins group, to load an arbitrary…

With the exponential rise in cyber-attacks, and the attackers using defense evading tools and frameworks; it has become important to know the tricks and techniques of the cyber offenders and the arsenal that attackers may use to exfiltrate data from, or penetrate into, a compromised system.

We’ll be looking into one such tools and creating an attack scenario where the attacker will compromise a Windows 10 system and then exfiltrate sensitive data using Mimikatz. Below is the lab setup:

  • Attacking System: Kali Linux
  • Target System: Windows 10
  • AV: disabled

First let’s have a brief introduction of Mimikatz.

What is Mimikatz?

If you’re into…

Shahrukh Iqbal Mirza

A passionate hacker/pentester/red-teamer, part-time CTF player and ocassional bug bounty hunter. Advocate for “Hacking Is NOT A Crime.”

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store