This blog is about something I found recently regarding Cisco Unified Call Manager (CUCM).  While playing around with SeeYouCM Thief, which is designed to download parse configuration files from Cisco phone systems, I noticed something interesting within…

Recently I came upon an attack path in BloodHound that looked like this: I had control of a computer object (an Exchange server) that effectively had WriteDacl over the domain. I had a few constraints as well: All systems were configured with EDR I only had…

TL;DR for Hackers & Researchers: this is a more conceptual talk for web developers. All are in Mandarin but you can check the slides here if interested. 好久沒有打部落格了，紀錄一下這次我在 WebConf 2023 上的演講，大概就是把

This is a cross-post blog from DEVCORE. You can check the series on: A New Attack Surface on MS Exchange Part 1 - ProxyLogon! A New Attack Surface on MS Exchange Part 2 - ProxyOracle! A New Attack S

Hi, this is my fifth time speaking at Black Hat USA and DEFCON. You can get the slide copy and video there: Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (slides) Let’s Dan

P.S. This is a cross-post blog from Zero Day Initiative (ZDI) This is a guest post DEVCORE collaborated with Zero Day Initiative (ZDI) and published at their blog, which describes the exploit chain w

Hi, this is the part 2 of the New MS Exchange Attack Surface. Because this article refers to several architecture introductions and attack surface concepts in the previous article, you could find the

The series of A New Attack Surface on MS Exchange: A New Attack Surface on MS Exchange Part 1 - ProxyLogon! A New Attack Surface on MS Exchange Part 2 - ProxyOracle! A New Attack Surface on MS Excha

Physical access controls are designed to prevent unauthorized access to secure areas directly. Examples of physical access controls…

I will update this post regularly, I am starting with a few of my most commonly used snippets.

TL;DR

Firstly I want to say that I highly recommend https://pwnable.kr/play.php to learn exploit development, the site is full of nice and easy…

Hi everyone, it’s been some time since I last posted but I was just playing IO WARGAME and decided to write some up some solutions in the…

As you should know by now, this blog has moved but incase you have missed it, check back to the site daily: https://labs.p64cyber.com

https://labs.p64cyber.com/hunting-for-vulnerabilities-in-android-apps-with-burp-and-apk-tools/

Today I am sharing more than one post, the new site, P64. Over time P64 will become the number one online offensive security resource, it…

“Day 80: Becoming a Version Detection Ninja with GIT” is published by Diddy Doodat.

A bug alowed executable file uploads from patients into the EHR system. A double click on the wrong file could execute malicious code.

Two IDOR bugs leak private data on healthcare providers; their e-mail, phone and address.

The bugs lead to potential access to data of 130k healthcare providers; including their own cyber risk insurance policy documents.

Compromising logins of Ahold Delhaize USA employees for >3.5 years (or even 18 years?). Escalating a XSS bug to Perl SSTI RCE. Full…