From RPC To RCE: VMWare Log Insight CVE-2022-31704

Preparations Recently I noticed that horizon3 team's blog on VMWare Log Insight's IOCs and technical analysis and decided to take a look at this bug myself. I registered for a trial version of Log Insight on VMWare's website and downloaded OVA images for both 8.10.2 (patched version) and 8.10.0 (vunlerable version) versions. After basic setup … Continue reading From RPC To RCE: VMWare Log Insight CVE-2022-31704

Browser Exploitation: A Case Study Of CVE-2020-6507

Motivation I've been wanting to learn about V8 Pwn for quite a while for essentially no reason, but didn't have the opportunity to do so. Recently I happened to have some spare time to do free research, so I turned my attention to browser exploitation. I'd recommend readers to watch LiveOverflow's browser exploitation series before … Continue reading Browser Exploitation: A Case Study Of CVE-2020-6507

My Steps of Reproducing ProxyShell

本文由斗象TCC史辛泽荣誉出品,偷图偷代码还不给署名的我劝你好自为之。 Preface A few days ago, Orange dropped another two Microsoft Exchange attack chains on his BlackHat presentation. The two new attacks are ProxyOrcale, which focuses on the Padding Orcale Attack, and ProxyShell, which exploits a Path Confusion vulnerability to achieve arbitrary file write and eventually code execution. This blog assumes readers have read Orange's … Continue reading My Steps of Reproducing ProxyShell

A research on generating CodeQL database for close-sourced applications

Motivation I adore CodeQL a lot despite the fact that I have only been working with it for less than 3 months. It's so powerful at analyzing applications and it can save a tremendous amount time doing code review. However, nothing is perfect. There are a few downsides of CodeQL. First, it only works when … Continue reading A research on generating CodeQL database for close-sourced applications

BambooFox CTF 2021 Writeup

Man, I suck. For the first time, I've decided to actually include the challenge files. Hope the organizers don't DMCA me. Calc.exe Online (Web) http://chall.ctf.bamboofox.tw:13377 author: splitline Solution They gave us the source code, yay. http://chall.ctf.bamboofox.tw:13377/?source <?php error_reporting(0); isset($_GET['source']) && die(highlight_file(__FILE__)); function is_safe($query) { $query = strtolower($query); preg_match_all("/([a-z_]+)/", $query, $words); $words = $words[0]; $good = … Continue reading BambooFox CTF 2021 Writeup