Security Researcher - Founder of Malicious Group Research - Synack Red Team Operator - DoD researcher of the year 2022 - Top 10 web attacks in 2023 - CRTO
I am extremely flattered to even have my work reach the desk of some of the hackers I look up to, but to be nominated, and then win the 8th position in the Top 10 web hacking techniques of 2023... I don't even know what to say. I'm shocked. ❤️
#0day
#research
#bugbounty
#informationsecurity
How I *AM* able to abuse Akamai to abuse F5, to abuse all of their customers. This is a bug chain that doesn't require a bug on the target domain to exploit them. But what do I know, I am a freelance nobody.
Here is part two of my request smuggling paper(s), in which I focus on a completely different gadget, with a completely different vector, for critical impact without requiring the target to have a bug to work... AGAIN😈
#0day
#research
#infosec
#bugbounty
So, please explain how the exact same bug chain is a P2 on one program (which I understand), and a P4 on another?
HTTP Smuggle + Internet Wide Poison + Host Injection = full domain take over on all endpoints.
Interesting... it seems 90% of the InFoSeC cOmMuNiTy doesn't produce any unique research themselves. Why do I feel like the other 10% are producing the research and tools for the other 90% to abuse for profit?
Infosec == marketing, not hacking
In my upcoming blog post, I will demonstrate how to implement your own RDI/sRDI in C. I will show you step by step how to transform the code to be fully position-independent code (PIC).
I am going to post my paper again, because a few people couldn't find it due to the site links (fixing soon). Also, I am working on a tool that uses multiple providers instead of one to set up covert channels for C2 infrastructure across providers.
New 0day research paper coming s00n... current title is "HTTP is dead, long live HTTP" 😈 I am going to show you the most severe smuggle chain I have found in my research - (that I will talk about publicly that is), and this should open the flood gates to more research.🐞🪲🐛 🔫
I have earned enough from bug hunting in the first 6 months this year to focus my time and energy back to more C/C++/Python development and RE/Debugging work. I will still be bug hunting, but I will be covering more ground doing the stuff I want to do, and not for a job per se.😈
@bg_anders
@anarchynpeace
@KanekoaTheGreat
His only job is to protect one man, not to save citizens watching when a terrorist attacks. Citizens of EVERY country will be treated SECOND (if at all) when a terrorist tries to assassinate a world leader. To pretend to be special enough to be "saved too" is naïve at best.
Soon, I will release more 0day smuggling chains dealing with different gadgets. F5 is currently working to fix this bug, but they are not the only ones vulnerable. 😈 As soon as F5 is patched, it will be released publicly.
#research
#bugbounty
#0day
#infosec
Global Result:
The goal in bug bounty is to always assume the target has a vulnerability. Until you have exhausted every single method you can think of, and every wordlist you have... THEN move to the next program. Too many people run a scan, don't see low-hanging fruit, then move on.
STOP THAT
For anyone wanting to test the GOADv2 vSphere setup, I am uploading it now under an ALPHA TESTING period to work out all the smaller bugs that may arise.
The build from Windows works.
The build from Linux is being finalized today.
SUBJECT TO CHANGES:
Interesting... I recommend someone take a look at smuggling to cookie injection, especially on VPN devices... Citrix? 🫣
If I can make the server set a cookie value for me on the VPN... maybe I can... (be back later) 😈
@NinjaParanoid
They can literally change out Cobalt Strike for BRc4 in my paper, which should add a few more layers of obfuscation from direct detection methods.
I fucking HATE the fact the InFoSeC world is fucking pay to play. If you don't pay out of pocket for certs, you don't fucking exist... and if you DO save up and pay (when you live paycheck to fucking paycheck) there is ZERO guarantee ANYTHING will come of it, just a loss of money.
By playing with SysInternals and a debugger, I can bypass Kernel level anti-cheat that costs 30k per license, and currently has over 60+ games on Steam... I did this because I was bored and wanted to see unreleased stuff in a game. This should have been A LOT HARDER TO DO FFS!!😡
#infosec
QUESTION: Is it illegal to offer a paid EaaS (Evasion As A Service) service? Where the "client" pays to have their shellcode packaged into our custom loaders/evaders to bypass a specific AV/EDR stack?
I think this weekend I am going to start turning my PoC paper/demonstration () into a full blown tool. I will need to set up a few new providers for testing, but I think by adding 4 or 5 providers, it should be a great asset for quick setup and obfuscation.
Malicious Group will be responsible for training the next generation of red team operators, malware developers, web application hackers, hacktivists, etc...
We use the latest SANS/Offsec/etc.. material and classes, as well as expanding on each topic.
How much does it cost? $0
2024 will be a good year, I can feel it. The goal is to continue the grind to take Malicious Group to the next level and to build a top-tier research group. I want to get some TA interviews, I want more 0day research, and we do it OUR way.
Our TG channel will allow 50 more soon.
This research inspires me to push harder into kernel development and reverse engineering. I just want to be a good hacker all around, with receipts to prove it...
This type of research is my next stepping stone.
Remember when Debbie Wasserman Schultz silenced Bernie Sanders, got caught due to her corruption, had to leave the DNC because of it, and is now trying to silence ANOTHER Democrat... HER OWN PARTY FFS.
What a transparent and corrupt bitch.
Where was that one kid who said my research "burned" the bugs so other hunters couldn't abuse them for money?
0day means 0day. I said in both papers that F5 wasn't the only vulnerable backend.
I released my first of two papers on Oct 26; the following was from Nov 11th...
Thanks to @bsdbandit for the reminder 🙏, I am going to play a few games (maybe helldivers2?) then spin up the GraphQL Vulnerable by design instance on a VM. I need to cover the following with notes to study. 🐞🪲🐛
Our private TG group (Offensive R&D) has grown via word of mouth through private invites for years now to the point we had to limit members to 200. Due to great member feedback, I will increase the limit to 250 and let in another 50 people soon.
We go hard as fuck 24/7/365.😈😜
@All_Source_News
@DominioPblico3
Growing up, the elders would have slapped me over the head for taking pictures of myself, for acting like a fucking diva and creating evidence for the sake of vanity, especially while doing dirt. What the fuck is wrong with people nowadays. Internet made people sick, like a virus.
GOADv2 vSphere done. I will package it up over the weekend and upload it to github for everyone who wants to automate the GOADv2 setup on vSphere. I am going back now to verify that the EDR on Ubuntu gets set up correctly, but other than that it is done.
Studied a lot today. Finished up the API and GraphQL labs on PortSwigger, and about to finish reading the Hacking APIs book by Corey J. Ball. I even pulled a few GraphQL endpoints from BBP programs to poke at a bit.
Tomorrow is a new day.
My drug dealing colleagues make over 100k a year, and work about 4 hours a day. While I am here, working hard everyday, 10+ hours, 7 days a week, and I make a fucking fraction of that... this shit is getting on my nerves something fierce.
Updated paper title to "Writing your own RDI/sRDI loader using C and ASM", but don't worry... the Assembly (MASM in this case) is very simple and easy to follow, and I will have notes about what everything does, and how to swap to NASM if needed.
About 50% done.
I think the next blog post in the queue will be about how to write your own tools to fill gaps in bug bounty hunting. I will show how I was able to snag a few 4 and 5 figure bounties by writing a tool from scratch in python, and every single step I took during the process. 🐛🐞🔫
By tonight, we should be setting up a network lab with 84 cores and 1152GB of RAM. When done, it should be 4 total servers running vSphere 8, purely for Malware Analysis, Malware Development, EDR/AV/SIEM practice/exposure, Red Team labs, and whatever else we can think of. 😈💀🤣
Haha, my OSINT homies just showed me how they can use DMV, Real Estate and IRS records to track someone's life from their license plate. It is amazing how far OSINT has come since the days of paying insiders to run queries for you. 🤣 Now everyone's data is for sale.
@vxunderground
@AlvieriD
*IF* this wasn't a mistake...
1) Someone from LB had a bad experience IRL and this is get back?
2) Maybe the people who own the bar also own other companies/partners?
3) Maybe they are testing new tools?
Either way, I am prolly wrong, but it doesn't look good for their brand.
I made a lot of updates and optimizations. This version now downloads the ISOs and stores them on the datastore automatically. pfSense only uses 1 private network (DHCP) to save vmnic/portgroup space. Tailscale is automatically enabled with key on setup...
@FightHaven
Haha, when I was in high school, the school bully was shot after fucking with the quiet nerdy kid too many times... little did the bully know, the quiet kid's cousins were vetted/verified hitters from a local crip set about 45 mins away.
Bully ended up getting shot at McDonalds.
#Bugbountytips
When you are crawling a target, and see a "node_modules" directory, make sure to verify each one of those modules being used has a public namespace associated with it. If not, you may be able to set up a dependency confusion bug and show MASSIVE impact...
Thank you to everyone who voted for my research paper on abusing Akamai and F5 to compromise top Government, Financial and Corporate targets without those target networks containing a vulnerability themselves. ❤️❤️
Paper:
I am finding a lot of cache poisoning bugs, but it is all about narrowing down the ones that have more impact than a poison-cache to open-redirect, (which I guess could be a poison-cache to DoS as well)... do people report those? 🤔
I 100% support Malware-As-A-Service, and I think EVERYONE WITH SKILLS should be in this game at the moment. If you got money and good job already, then fuck off, this isn't for you... this is for those hackers who can PROVE their skills to bypass and evade on demand.
Get Paid!
These guys do a great job covering bug bounty related material... including my own stuff. 🤣 Keep up the work boys, most of us aspire to be on your level. Kudos and great work on the podcast! ❤️
Coming in at number 8 is "From Akamai to F5 to NTLM... with love." by @deadvolvo!
Abusing Akamai with request smuggling, to abuse F5 with cache poisoning, to abuse traffic routes, to steal NTLM credentials.
Get the low down here:
I am thinking the next paper/post will be about how to bypass a handful of different AV solutions with C and ASM, and will be co-authored with some mates from the Malicious Group TG channel... Once we figure things out I will get more specific.
If my job hunt doesn't work out, I am going to open a small business doing IT stuff for local businesses. Anything from cable pulling to security audits. Starting to put together a site and offerings now. You "professional hackers" are just too cool for me. 🤣
I just achieved a PoC for a complete takeover of an entire banking/financial network's edge servers. The entire public facing (10 countries with subdomains including www) endpoints can be hijacked via smuggle/caching.
Company has an RDP 😒 Waiting on reply (3 days now?) 🤣
I now have about 15 to 20 tools written in C with 100% Native API usage, with both syscall and spoofed syscall options. Next will be to simply compile them into objs and test with a COFF loader.
UAC bypasses, Token impers, HWID enum, etc, going into a custom kit purely for keks😜
So... if I write a bug report, and it is accepted, that is *MY* report. How can a program come back, and literally redact the entire report?! This report showed multiple issues, and techniques I wanted to look back on, but the program left and redacted EVERYTHING?!
@FightHaven
So, on your wedding day, a rando crashes your wedding, fucks the maid of honor, and YOU AND YOUR MATES ALL CATCH CHARGES FOR GIVING HIM AN UNFAIR BEATDOWN?! Wow, congratulations... while you are in jail, he is prolly banging your girl now too.
I feel *VERY* honored to be named the 2022 researcher of the year, and I will continue to assist the DoD (and their partners) in their cyber security mission. Thanks again! 🙏
Done with my day job... now to write up some AD network automation. I will be using Terraform to build vSphere vSwitches and Port-Groups, as well as pfSense and its configuration, then Windows servers, then the Ansible install method from GOAD.
Will share when done.
#research
#analysis
I recommend you guys keep an eye on my homie caster. He is constantly getting better and better at network analysis and I will soon use him for a few projects for Malicious Group coming up.
New paper almost done. It is currently at about 15 minute read but should be around 20 when done. It will be a quasi-continuation of my previous paper on 0day request smuggling, but can be read alone without requiring previous context.
Should be done today or tomorrow morning.😈
Due to my "lack of work experience" I may have to look at intern positions just to add something on my resume. Being a hobbyist hacker doesn't apply, and my hacking achievements over the last few years apparently mean nothing if I don't have WeB hAcKeR certs to go with them. 🤨
@anthonyjdella
@Microsoft
Bruh... your "gf" may have to leave the US, and your first idea is to pander for her online instead of asking her to marry you?! YOU THINK THIS WILL END WELL?!
Twitter has become a home for the worst conspiracy theories I have ever seen. This is now reddit levels of stupidity. It is amazing in 2024, how people have become dumber with the internet, not smarter. A select few will take advantage, but ALL the others seem lost as fuck.
I just want to join a small group of hackers who get paid selling their services, without doing blackhat shit. Is that so hard - or too much to ask for? Instead, I bug hunt because that is the only thing that quenches the thirst for hacking into shit at the moment.
Today, I will be testing CS 4.9.x against some lab machines. One without AV enabled (benchmark), and then 1 machine with defender, 1 machine with MDE and 1 machine with Elastic. I have the latest arsenal-kit, and a handful of tools to convert to BoFs.
This is for "Practice"😈🤣
Anyone interested in offensive security, malware development or bug hunting... I posted a new telegram invite link on my "about" page... we are currently working on C/C++ AV evasion, but anything offensive goes. No flaming, no shit talk... just education.
As much as I love security research, I also sorta like automation projects. I have taught myself Terraform, Packer, Vagrant, Ansible, etc... purely because it is fun to automate more complex network infrastructure.
Wondering if automation with a security background is in demand?
Yay, wrote my first UAC bypass today :) It isn't a 0day or anything, just a lesser known bypass abusing COM objects. I love getting in the middle of everything and saying... "What happens if I change this?", or "What happens if I use this flag combination?"🤣
Fuck I get bored hacking sometimes. Almost all the other people I hack with are full-time security engineers or red team operators during the day, so they are not available like I am.
I hack as a hobby since I made mistakes as a young adult.
It is what it is.
Idle hands... 😈
By playing with some UAC bypass variations dealing with COM Objects, I think I found a neat way to get a copy of ntdll.dll for unhooking without process suspension and without opening a handle for reading from the implant binary.
Testing now to make sure.
Being written now, and will be released tomorrow more than likely, if not, this weekend. I have a lot of examples to cover, and a lot of attack chains:
As a security researcher, I am in a weird space, where I want access to the EDR and C2 frameworks to learn how each works so I can build experience with said technology. As an outsider, all my experience comes from ripped or licensed versions a colleague lets me borrow.
#bugbountytips
When you find a bug vulnerable to multiple variations (i.e. XSS), only report the most basic first, wait for the report to be triaged and resolved, then *ALWAYS* go back and re-try the other variations to see if you can bypass the fix. Turn 1 bug into 2+ reports.🐞
@DOJCrimDiv
@3xp0rtblog
Both non-RU hacker forums and Crypto Mixer markets have a vacuum at the moment, especially after the collapse of BF. This would be the perfect time (I will say it again) to set up a massive honey-pot campaign.
But then again, what do I know? Just saying.
Once I get this lab build 100% working, I am going to make a video (series?) on building this lab from scratch for vSphere. I think there is a lot of interest for those trying to build their own labs, so I think it will benefit others for sure. 🐞🔫
I have officially started working on my offensive automation course and I have some interesting stuff planned. Not sure how long it will take or how I am going to put it out, but it is being created.
Verified, found something interesting with an Akamai product... have 10 reports waiting to be resolved (already reproduced and triaged), then I will write about it.
This isn't some kind of XSS/SQL/etc... bypass either.
🐞🐛🔫😈
I love @intigriti and their staff. I can't speak for anyone else obviously, but my experience with them has been great. I don't always find bugs on their platform, but I do make time to hunt on their invites, purely because of the mutual respect, and replies like this...
@vxunderground
I mean honestly... the US citizens have had their information leaked probably 2 to 3 times over already... is it *REALLY* worth money at this point?
Every day I become a better hacker.
Every day I find new ways to compromise world governments, critical infrastructure and fortune-500 companies.
I work for no one, and no one speaks for me but me, and what's even better... I am not alone. 😈
Sometimes you need to...
Wow, so apparently 4 different programs paid out today after a month+ of waiting. 💰 The best way to bug hunt in my opinion is keep pushing, never wait for reports to resolve and you will be pleasantly surprised when they are, like I was this morning. 😁
This week I will be spending the majority of the time in the PortSwigger labs. The more I focus on my own research, the further I get behind on other attack vectors, so I need more practice.
Today I am mentally defeated and don't feel real good. I feel like I have wasted so much time learning to hack, but I feel like it was all for nothing. I can't sit on a computer and hack when I should be stocking shelves or waiting tables to earn money. Bug hunting is too time consuming.