Collaborate Disseminate
Researchers are warning of flaws in two WordPress plugins – Slick Popup and WP Database Backup – including one that remains unpatched. Continue reading WordPress Plugin Has Unpatched Privilege Escalation Flaw, Warn Researchers
How can I can use one of these SUID files for gaining root access without messing with the box.
This was from LinEnum.sh:
-rws–x–x 1 root root 259272 Jun 1 2014 /old/usr/libexec/ssh-keysign
-rwsr-sr-x 1 daemon daemon 47… Continue reading Privilege Escalation (SUID Files) [on hold]
An anonymous hacker with an online alias “SandboxEscaper” today released proof-of-concept (PoC) exploit code for a new zero-day vulnerability affecting Windows 10 operating system—that’s his/her 5th publicly disclosed Windows zero-day exploit [1, 2, 3]… Continue reading PoC Exploit For Unpatched Windows 10 Zero-Day Flaw Published Online
Intel has issued fixes for a slew of vulnerabilities, separate from the side-channel bugs disclosed last week. Continue reading Intel Fixes Critical, High-Severity Flaws Across Several Products
I had corrupted my sudo setup. With no possibility to login as root (locked root account, broken sudo), a search made it clear: use pkexec. It worked. So far, so good.
But that turns out to be a big security hole: a user tha… Continue reading sudo restrictions circumvention with pkexec: root shell
Suppose I have a low privileged UI running under a local user account and a high privileged service running under a SYSTEM account. What are the best practices to implement interaction between them? For example, how do I secu… Continue reading Secure interaction between UI and privileged service
During a penetration test, if a users NTLM hash or a valid Kerberos TGT is compromised, what attacks are possible if the user is not an administrator on any (in scope) workstations? For instance, it is possible to access (non… Continue reading What is possible with a non-administrative users Ticket Granting Ticket and/or NTLM hash?
Last night, I read a PDF detailing a privilege escalation attack a researcher had performed on a Django admin site. I’m curious- was the unfortunate application susceptible to this attack due to a misconfiguration, or rather … Continue reading Django admin site privilege escalation
I have a leaked thread handle that grants me THREAD_ALL_ACCESS over a thread of a process running as SYSTEM. My process is running unprivileged and has no special privileges. This means I do not have and cannot set SeAssignPr… Continue reading Privilege Escalation using a leaked thread handle without SeAssignPrimaryTokenPrivilege or SeImpersonatePrivilege
I want to know which windows versions are vulnerable to named pipe impersonation attack. And, are the techniques used in that attack for each version the same?
Continue reading Named pipe impersonation affected windows versions