Our Blog
A journey implementing Channel Binding on MSSQLClient.py
Reading time:
~31 min
Posted
by aurelien.chalot@orangecyberdefense.com
on
25 July 2025
A few weeks ago my friend Zblurx pushed a PR to Impacket in which he implemented the Channel Binding Token...
No Egress, No Shell, No Problem
Reading time:
~5 min
Posted
by adriaan.bosch@orangecyberdefense.com
on
26 June 2025
Context, context, context; Alright, imagine this – you’re on an engagement, find a few vulnerabilities, run a few exploits and...
Depscanner: Find orphaned packages before the bad guys do
Reading time:
~16 min
Posted
by Felipe Molina
on
03 June 2025
Context I recently shared with my colleagues the quickest method to getting banned from pypi.org, but, believe or not, that...
Investigating an in-the-wild campaign using RCE in CraftCMS
Reading time:
~35 min
Posted
by Nicolas Bourras
on
18 April 2025
Introduction In mid-February, Orange Cyberdefense’s CSIRT was tasked with investigating a server that had been hosting a now-unavailable website. The...
Intercepting HTTPS Communication in Flutter: Going Full Hardcore Mode with Frida
Reading time:
~27 min
Posted
by Jacques Coertze
on
16 April 2025
tl;dr In this blog post, I will share insights I learned while researching the Flutter framework and the reFlutter tool....
Is TLS more secure? The WinRMS case.
Reading time:
~10 min
Posted
by aurelien.chalot@orangecyberdefense.com
on
14 April 2025
0/ TL;DR WinRM is protected against NTLMRelay as communications are encrypted. However WinRMS (the one communicating over HTTPS) is not...
Browser Cache Smuggling: the return of the dropper
Reading time:
~8 min
Posted
by aurelien.chalot@orangecyberdefense.com
on
24 March 2025
A year and a half ago I wrote a blog post describing how browsers’ cache system can be abused to...
Leakymetry: Circumventing GLPI Authentication
Reading time:
~12 min
Posted
by guilhem.rioux@orangecyberdefense.com
on
21 March 2025
Intro GLPI (Gestionnaire libre de parc informatique) is a popular open-source software in France and Brazil. It is used to...
Using & improving frida-trace
Reading time:
~17 min
Posted
by Reino Mostert
on
19 March 2025
TL;DR In this blog I want to show you how useful frida-trace can be at hooking thousands of methods at...
NoSQL error-based injection
Reading time:
~6 min
Posted
by Reino Mostert
on
15 March 2025
TL;DR How to do NoSQL error-based injection In this second blog post (read the first one here), on NoSQL injection,...
Capchan – Solving CAPTCHA with Image Classification
Reading time:
~35 min
Posted
by adriaan.bosch@orangecyberdefense.com
on
13 March 2025
A few years ago, I tried my hand at the, now retired, CAPTCHA Forest CTF, which was part of the...
Getting rid of pre- and post-conditions in NoSQL injections
Reading time:
~10 min
Posted
by Reino Mostert
on
11 March 2025
TL;DR: I found a cool way to get rid of pre-conditions in NOSQL syntax injections I have been investigating NoSQL...
goLAPS
Reading time:
~3 min
Posted
by Felipe Molina
on
10 March 2025
Context During the last SenseCon we had at OrangeCyberdefense in May 2024 (see https://sensepost.com/blog/sensecon/), we usually either pick-up from a...
Diving Into AD CS: Exploring Some Common Error Messages
Reading time:
~26 min
Posted
by Jacques Coertze
on
07 March 2025
Abuse of Active Directory Certificate Services (AD CS) has become a staple of our internal network assessment methodology. In fact,...
InvokeADCheck – A PowerShell Module for Assessing Active Directory
Reading time:
~5 min
Posted
by niels.hofland@orangecyberdefense.com
on
06 March 2025
Introduction During an Active Directory (AD) assessment, I found myself struggling with a collection of individual PowerShell scripts and their...
PsExec’ing the right way and why zero trust is mandatory
Reading time:
~20 min
Posted
by aurelien.chalot@orangecyberdefense.com
on
10 February 2025
2021 was the year I met two incredible hackers, Michael and Reino with whom I had the opportunity to work...