LOTP
Living Off the Pipeline
The idea of the LOTP project is to inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features ("foot guns"), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection.
#cli #injection #config #input #env #var #js #sh #py #groovy #kotlin #go @reconcore
Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks
#report #methods #apt #edr @reconcore
Responder:
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
#netsec #protocol @reconcore
GitHub: lgandx/Responder
TaskHound
TaskHound hunts for Windows scheduled tasks that run with privileged accounts and stored credentials. It enumerates tasks over SMB, parses XMLs, and identifies high-value attack opportunities through BloodHound integration.
For backstory/lore and detailed explanations: see the associated Blog Posts - Part 1 and Part 2.
#windows #ad #bloodhound #schedtasks @reconcore
CVE-2025-12674: KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload
The KiotViet Sync plugin for WordPress (versions up to and including 1.8.5) is vulnerable to arbitrary file uploads, due to missing file type validation in the create_media() function.
This vulnerability allows unauthenticated attackers to upload arbitrary files to the server, which may lead to remote code execution.
#cve #wordpress #rce @reconcore
GitHub: Nxploited/CVE-2025-12674
CVE-2025-68615 - new vulnerability in snmptrapd may lead to RCE
#vulnerability #rce #bufferoverflow @reconcore
GitHub advisory: Net-SNMP snmptrapd vulnerability
Impact: A specially crafted packet to a net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.
Patches: Users of Net-SNMP's snmptrapd should upgrade immediat...
CVE-2025-68456 Unauthenticated Craft CMS users can trigger a database backup
#vulnerability #cve #db @reconcore
GitHub Advisory Database: CVE-2025-68456
PCredz
This tool extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. from a pcap file or from a live interface.
#netsec #protocol @reconcore
GitHub: lgandx/PCredz
Risks of OOB Access via IP KVM Devices
Recently, cheap IP KVMs have become popular. But their deployment needs to be secured...
#mitm #kvm @reconcore
SANS Internet Storm Center (SANS ISC), author: Johannes Ullrich
cheatengine-mcp-bridge
Connect Cursor, Copilot & Claude directly to Cheat Engine via MCP. Automate reverse engineering, pointer scanning, and memory analysis using natural language.
#engine #code #llm #python #debugging #automation #mcp #re #pentest #memory #analysis #ctf #tools @reconcore
Ashwesker-CVE-2026-21440: CVE-2026-21440 is a critical path traversal vulnerability affecting the AdonisJS framework, specifically its multipart file upload handling.
#vulnerability #cve @reconcore
Top 10 web hacking techniques of 2025:
Nominations - last updated 2026-01-06
→ Eclipse on Next.js: Conditioned exploitation of an intended race-condition
→ Next.js, cache, and chains: the stale elixir
→ Unexpected security footguns in Go's parsers
→ Under the Beamer
→ Opossum Attack
→ The Fragile Lock: Novel Bypasses For SAML Authentication
→ Funky chunks: abusing ambiguous chunk line terminators for request smuggling
→ Funky chunks - addendum: a few more dirty tricks
→ Cross-Site WebSocket Hijacking Exploitation in 2025
→ SVG Filters - Clickjacking 2.0
→ Nonce CSP bypass using Disk Cache
→ Novel SSRF Technique Involving HTTP Redirect Loops
→ SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
→ Forcing Quirks Mode with PHP Warnings + CSS Exfiltration without Network Requests
→ ORM Leaking More Than You Joined For
#technique #websec @reconcore
PortSwigger Research: Top 10 web hacking techniques of 2025: call for nominations
Update: nominations are now closed, and voting is live!
WerDump
A Beacon Object File (BOF) for Havoc/CS to Bypass PPL and Dump Lsass
By default this BOF writes WerFaultSecure.exe to the temp directory of the user's context with a random filename and saves the dump in the same directory as a .dll. This is a POC BOF; it could be extended and modified the way you like, with many improvements such as remote dumping. All temporary files get cleaned up after the dump.
#poc #bof #c2 #lsass @reconcore
CVE-2026-21858 + CVE-2025-68613 n8n Full Chain
n8n Ni8mare - Unauthenticated Arbitrary File Read to RCE Chain (CVSS 10.0)
www.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858
FOFA: app="n8n"
HUNTER: product.name="N8n"
ZoomEye: app="n8n"
#security #exploit #poc #rce #vulnerability #injection #sandbox #bypass #n8n @reconcore
Livewire Component Property Hydration Remote Code Execution (CVE-2025-54068)
Livewire is a full-stack framework for Laravel that makes building dynamic interfaces simple, without leaving the comfort of Laravel.
A critical remote code execution vulnerability (CVE-2025-54068) exists in Livewire versions before 3.6.4. The vulnerability is caused by improper control of code generation during component property update hydration. When a Livewire component processes user input from the snapshot, the framework fails to properly sanitize object types, allowing attackers to inject malicious payloads that get executed on the server. If an attacker knows the APP_KEY of the Laravel application, the exploitation becomes even more straightforward.
#vulnerability #cve #rce #exploit @reconcore
CVE-2025-52691 SmarterMail Pre-Auth RCE
Blog post: Do Smart People Ever Say They’re Smart? (SmarterTools SmarterMail Pre-Auth RCE CVE-2025-52691)
#vulnerability #research #cve #rce @reconcore
Intercept: How MITM attacks work in Ethernet, IPv4 & IPv6
A deep technical dive into how MITM attacks actually work in Ethernet, IPv4, and IPv6 networks, from ARP and DHCP to IPv6 RA, DNS, and FHRP spoofing.
#blog #netsec #technique #protocol #mitm @reconcore