Intro
GLPI (Gestionnaire libre de parc informatique) is popular open-source software in France and Brazil. It is used to map a network through an inventory plugin, but also to gather users’ issues through a ticket system.
Starting research
As I was wondering how the update mechanism worked in GLPI, I saw something really interesting in this file.
It is important to note that most of the GLPI files are not accessible without authentication. Because of this, the attack surface of this software is reduced. However, the update.php script is accessible by an unauthenticated user, and this file contains juicy information. I started looking at it, and I immediately saw that this script, under certain parameters, disclosed telemetry information.
TL;DR: In this blog I want to show you how useful frida-trace can be at hooking thousands of methods at a time. I also wrote some scripts for improving its output a bit.
I often find that half of the problem is finding out what you don’t know. Take a mobile application for instance:
Which class is responsible for the SSL pinning? Which class does the crypto? What method is used to retrieve data from the local storage? Once you have enough information, life becomes a lot easier. Unfortunately, finding this information can be difficult – especially when the mobile application you’ve been given is obfuscated beyond recognition, and the client refuses to provide you with the original version or the source code.
TL;DR: How to do NoSQL error-based injection
In this second blog post on NoSQL injection (read the first one here), I discuss how to do error-based injection. I think this might be a novel approach – at least my Google search-fu isn’t finding anything.
When trying to extract information via NoSQL injection, you typically make use of Boolean conditions to figure out a character. Portswigger has a couple of examples here.
In one of Portswigger’s examples, they consider the case where you can look up another user’s profile via a website that’s vulnerable to NoSQL $where injection. To get the first char of the admin user’s password, we then use the payload admin' && this.password[0] == 'a' || 'a'=='b
A few years ago, I tried my hand at the, now retired, CAPTCHA Forest CTF, which was part of the nullcon HackIM 2019. I wanted to solve it using computer vision and machine learning. This started me on a path of discovery and incremental improvements that finally resulted in capchan, a generic CAPTCHA to text tool.
This post is broken into four parts:
The first CTF
The second CTF
Neural Network Fundamentals
Creating capchan
ATTEMPT_ZERO
Starting the CTF – I connected to the netcat instance, but after staring at hexadecimal, I immediately closed it and moved on to try another CTF.
TL;DR: I found a cool way to get rid of pre-conditions in NOSQL syntax injections
I have been investigating NoSQL injection for a bit, trying to make it better, or at least somewhat equivalent to SQL injection. One of the things that are tricky with NoSQL injection is getting rid of pre- and post-conditions.
For this post I’m focusing on MongoDB, so s/NoSQL injection/Mongo injection/g
Background
In case you forgot, most MongoDB queries will look something like this in the background:
Context
During the last SenseCon we had at OrangeCyberdefense in May 2024 (see https://sensepost.com/blog/sensecon/), we either picked from a list of ideas or pitched our own, to implement in the 24 hours available, working on whatever project is itching you.
I proposed a few ideas. I’ll leave some of them here verbatim (I have removed the ideas that were only applicable internally), in case you want to tackle the challenges yourself or they inspire you to do something else:
Abuse of Active Directory Certificate Services (AD CS) has become a staple of our internal network assessment methodology. In fact, I can’t recall an internal I’ve done in the past two or more years that didn’t feature ADCS abuse in some manner or another.
We can all agree that when AD CS abuse works as intended, it is fantastic. As Tinus Green stated in his BSides talk, AD CS abuse is the teleport scroll to the top of the mountain. It allows us to rapidly gain high-privileged access to the domain and, from there, to target more lucrative objectives.
Introduction
During an Active Directory (AD) assessment, I found myself struggling with a collection of individual PowerShell scripts and their formatting—or rather, the lack thereof. The various PowerShell scripts included public, as well as proprietary, scripts that were used for retrieving Active Directory objects and their attributes. Faced with resource and time constraints within the team, I proposed to try to come up with a better, more efficient way to conduct some of the checks that we do during an AD assessment. Inspired in part by the excellent work of Sean Metcalf, the author of Invoke-TrimarcADChecks, my colleague Justin (Justin–P) and I (N1ck3nd) set out to develop what would ultimately become the InvokeADCheck PowerShell module.
2021 was the year I met two incredible hackers, Michael and Reino, with whom I had the opportunity to work during my first ever SenseCon.
SenseCon is an internal conference that lasts 3 days, during which we meet people, share knowledge and have fun. There is also a day-long hackathon during which we work on hacking subjects we are interested in.
For that hackathon, we wanted to dig into PsExec.exe in order to see if it is possible to communicate with it via a Python script and thus no longer depend on a Windows system. Spoiler alert: we were able to! But for various reasons, the project died in a private repo.
Every day we’re faced with a choice – some glaringly obvious, others more subtle. The choice to give, or to take, is something that I believe is deeply rooted in each of us, and choosing to give, to contribute no matter how big or small, almost always ends up bigger than ourselves.
Imagined by us, and illustrated by the amazingly talented @christidutoit, I’m excited to show you “make pr’s, not war” – our 2024 SensePost artwork.