With the prior knowledge in mind, I came up with a simple idea. It's common to see multiple Exchange Servers in corporate networks for high availability and site resilience. Can we relay the NTLM authentication among Exchange Servers?
We have also proved this attack works naturally on Microsoft Exchange Server. By leveraging the Exchange Active Monitoring service, which is enabled by default, we can enter the HealthMailbox's mailbox without passwords!
ProxyShell: The exploit chain we demonstrated at Pwn2Own 2021 to take over Exchange and earn a $200,000 bounty
ProxyOracle! The attack on Exchange Server to recover any user's password in plaintext
ProxyLogon! The most severe and impactful vulnerability in Exchange Server history.
Hi! Long time no see. This is my research from the beginning of this year, telling the story of how I found vulnerabilities in a well-known Mobile Device Management product and bypassed layer after layer of protection to achieve remote code execution! After the vulnerabilities were reported, the vendor released a patch in June and urgently notified their customers. 15 days after the patch was released, we found that Facebook had not updated in time, so we used the vulnerability to obtain server access and reported it to Facebook!
This post is about my research this March, which talks about how I found vulnerabilities in a leading Mobile Device Management product and bypassed several limitations to achieve unauthenticated RCE. All the vulnerabilities have been reported to the vendor and were fixed in June. After that, we kept monitoring large corporations to track the overall fixing progress and found that Facebook didn't keep up with the patch for more than 2 weeks, so we dropped a shell on Facebook and reported it to their Bug Bounty program!
7 vulnerabilities in Pulse Secure SSL VPN: CVE-2019-11510, CVE-2019-11542, CVE-2019-11539, CVE-2019-11538, CVE-2019-11508, CVE-2019-11540, CVE-2019-11507
We would like to talk about the vulnerability that we accidentally discovered in Palo Alto SSL VPN during our Red Team assessment services.
...until Jenkins fixed the dynamic routing vulnerability I had reported in the Security Advisory released on 2018-12-05! To start writing this technical article (the Hacking Jenkins series), I went back over my notes from the original code review and thought of a different way to exploit one of the gadgets, which is how this story came about! This is also one of the more interesting vulnerabilities I have written about recently, and I highly recommend reading it carefully!
After Jenkins released the [Security Advisory](https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595) and fixed the dynamic routing vulnerability on 2018-12-05, I started to organize my notes in order to write this Hacking Jenkins series. While reviewing the notes, I found another way to exploit a gadget that I had failed to exploit before! Therefore, part two is the story of that! This is also one of my favorite exploits and is really worth reading :)
This article mainly shares a simple Security Review of Jenkins that I did in the middle of last year, during which I found five CVEs: CVE-2018-1999002 (Arbitrary file read vulnerability), CVE-2018-1000600 (CSRF and missing permission checks in GitHub Plugin), CVE-2018-1999046 (Unauthorized users could access agent logs), CVE-2018-1000861 (Code execution through crafted URLs), CVE-2019-pending (Sandbox Bypass in Script Security and Pipeline Plugins)
This article is mainly about a brief security review of Jenkins last year. During this review, we found 5 vulnerabilities including: CVE-2018-1999002 (Arbitrary file read vulnerability), CVE-2018-1000600 (CSRF and missing permission checks in GitHub Plugin), CVE-2018-1999046 (Unauthorized users could access agent logs), CVE-2018-1000861 (Code execution through crafted URLs), CVE-2019-pending (Sandbox Bypass in Script Security and Pipeline Plugins)
According to a scan of public data, a total of 1217 live FTA hosts were found worldwide, mainly located in the United States, followed by Canada, Australia, the United Kingdom and Singapore. Judging from the domain names and SSL certificates of the live hosts, FTA customers span government, education and enterprise, including several well-known brands.
According to a public data reconnaissance, there are currently 1,217 FTA servers online around the world, most of which are located in the US, followed by Canada, Australia, the UK, and Singapore. Judging from the domain names and SSL certificates of these servers, FTA is widely used by governmental bodies, educational institutions and enterprises, including several well-known brands.
Looking at Bug Bounty from a penetration testing perspective: from how to locate the target to finding a remote code execution vulnerability on Facebook, and discovering the traces of other hackers along the way...
Bug Bounty Hunting from a Pentest View, and How to Find Remote Code Execution and Someone's Backdoor on a Facebook Server...