Reading time: ~15 min. Posted by Javier Jimenez on 22 December 2017
Intro Hello again and welcome to the third of our series. On today’s blog post we are going to see...
Reading time: ~24 min. Posted by Leon Jacobs on 13 December 2017
In this post I want to talk a little about the BSides Cape Town 17 RFCat challenge and how I...
Reading time: ~4 min. Posted by Leon Jacobs on 27 November 2017
On a recent assessment I had an incredibly large IP space that was in scope. Almost an entire /8 to...
Reading time: ~5 min. Posted by frans on 16 October 2017
This post assumes a passing familiarity with what a Distinguishing Attack on a cryptographic hash is, as well as the...
Reading time: ~12 min. Posted by etienne on 11 October 2017
Ruler has become a go to tool for us on external engagements, easily turning compromised mailbox credentials into shells. This...
Reading time: ~5 min. Posted by saif on 09 October 2017
Authors: Etienne Stalmans, Saif El-Sherei What if we told you that there is a way to get command execution on...
Reading time: ~3 min. Posted by Rogan Dawes on 06 October 2017
Sometimes on an engagement, you’d like to construct a believable certificate chain, that you have the matching private keys for....
Reading time: ~7 min. Posted by etienne on 02 October 2017
We’ve spent a lot of time creating Ruler and turning it into, what we think, is a useful attack tool....
Reading time: ~21 min. Posted by Javier Jimenez on 20 September 2017
Intro Hello again! It’s been a while since the last blog post. This is due to not having as much...
Reading time: ~17 min. Posted by stuart on 02 August 2017
So I get a phone call from Daniel on a Wednesday night, Stu, can you bring your hardware stuff with...
Reading time: ~21 min. Posted by saif on 29 July 2017
Exploiting MS17-017 EoP Using Color Palettes This post is an accompaniment to the Defcon 25 talk given by Saif. One...
Reading time: ~9 min. Posted by Javier Jimenez on 28 July 2017
Intro After analysing the implementation of ptmalloc2, which is a must read if you don’t know anything about the Linux userland...
Reading time: ~2 min. Posted by Admin on 28 July 2017
SensePost has been hacking for 17 years and the time has come for a branding change. The change in logo...
Reading time: ~4 min. Posted by Leon Jacobs on 11 July 2017
introduction In this post, I want to introduce you to a toolkit that I have been working on, called objection....
Reading time: ~2 min. Posted by Dominic White on 26 June 2017
July is our favourite time of year, when thousands descend into Las Vegas for Blackhat/Defcon, or more commonly referred to...
Reading time: ~10 min. Posted by Javier Jimenez on 20 June 2017
Intro Recently, I reported CVE-2017-7668 (Apache Server buffer-over-read). This is a cross-post from my personal blog where I explain how...
Reading time: ~11 min. Posted by Javier Jimenez on 19 June 2017
Intro Hi there (again)! This series is coming to an end, as the next and feasible step is the widely...
Reading time: ~2 min. Posted by keiran on 14 June 2017
Sophisticated attacks aim to hide from endpoint solutions Advanced hacking. Expert approaches We are inundated by advanced this, expert that,...
Reading time: ~1 min. Posted by daniel on 25 May 2017
SensePost and BlackHat are proud to announce a new scholarship initiative for a woman in the information security field. The...
Reading time: ~7 min. Posted by Leon Jacobs on 12 May 2017
Introduction Towards the end of last year, I found myself playing around with some basic amplitude modulation (AM)/On-off keying (OOK)...
Reading time: ~25 min. Posted by Javier Jimenez on 05 May 2017
-1 – Pre-Intro When looking at heap exploit tutorials most of the time I found myself lacking knowledge on the...
Reading time: ~16 min. Posted by etienne on 28 April 2017
Using MS Exchange and Outlook to get a foothold in an organisation, or to maintain persistence, has been a go...
Reading time: ~10 min. Posted by saif on 06 April 2017
Whilst on a Red Team assessment back in 2015, we were faced with a tough Data Leak Protection (DLP) and...
Reading time: ~7 min. Posted by etienne on 22 March 2017
Getting access to an internal network is always great, keeping this access can be a whole other challenge. At times we...
Reading time: ~6 min. Posted by Rogan Dawes on 10 March 2017
Categories: Abuse, Backdoor, Build-it, Conferences, Empire, Exploit, Hardware, Internals, Linux, Metasploit, Programming, Real-world, Research, Shells, Tunnelling
(If you’re new to this project, read the intro first) For the past few months, I’ve been working on porting...
Reading time: ~5 min. Posted by etienne on 17 January 2017
Ruler at Troopers17 We are taking Ruler and the abuse of Exchange on a road trip to Germany in March....
Reading time: ~39 min. Posted by saif on 03 January 2017
Starting from the beginning with no experience whatsoever in kernel land let alone exploiting it, I was always intrigued and...