Preparations Recently I noticed that horizon3 team's blog on VMWare Log Insight's IOCs and technical analysis and decided to take a look at this bug myself. I registered for a trial version of Log Insight on VMWare's website and downloaded OVA images for both 8.10.2 (patched version) and 8.10.0 (vunlerable version) versions. After basic setup … Continue reading From RPC To RCE: VMWare Log Insight CVE-2022-31704

Motivation I've been wanting to learn about V8 Pwn for quite a while for essentially no reason, but didn't have the opportunity to do so. Recently I happened to have some spare time to do free research, so I turned my attention to browser exploitation. I'd recommend readers to watch LiveOverflow's browser exploitation series before … Continue reading Browser Exploitation: A Case Study Of CVE-2020-6507

To be fair, the attack chain is pretty straight forward. I kinda hope all the other vulnerabilities are easy to analyze like this one… log4j By looking at log4j's official documents, it's not hard to get an idea on how it basically works. To build a test environment, start a new Java project, and add … Continue reading Log4j Analysis: More JNDI Injection

本文由斗象TCC史辛泽荣誉出品，偷图偷代码还不给署名的我劝你好自为之。 Preface A few days ago, Orange dropped another two Microsoft Exchange attack chains on his BlackHat presentation. The two new attacks are ProxyOrcale, which focuses on the Padding Orcale Attack, and ProxyShell, which exploits a Path Confusion vulnerability to achieve arbitrary file write and eventually code execution. This blog assumes readers have read Orange's … Continue reading My Steps of Reproducing ProxyShell

Motivation I adore CodeQL a lot despite the fact that I have only been working with it for less than 3 months. It's so powerful at analyzing applications and it can save a tremendous amount time doing code review. However, nothing is perfect. There are a few downsides of CodeQL. First, it only works when … Continue reading A research on generating CodeQL database for close-sourced applications

Preface I finally got my shit together and decided to sit down and learn Java deserialization. So, I decided it'd be the best way to learn by analyzing the PoCs online, and ysoserial just happens to be one. I will probably analyze all the CommonCollections gadgets first, then move onto the rests. This is how … Continue reading Taking a peek at Ysosreial CommonCollection1 Gadget

Intro The exploitation of this RCE consists of two parts, one being the lack of authentication validation to h5-vsan endpoint, and another being the unsafe reflection usage in Java which then caused a JNDI injection. I was not smart enough to come up with the JDNI attack chain, but certainly learned a lot while attempting … Continue reading Learning JNDI Injection From CVE-2021-21985

About this post Maybe it's just a coincidence, but I have been noticing a lot of SQLite Injections lately. From last year's Pico Mini Competition, to the recent concluded Pico 2021 and Angstrom CTF, they all have some degrees of SQLite filter bypassing problems in the event. I want to take the chance and talk … Continue reading Some SQLite Injection

Introduction As part of my job, I was asked to analyze the recent disclosed CVE-2021-22986. By the time I wrote this, I saw some other analysis online which differs from mine, so I thought it'd be interesting to share my point of view. Also note that I am a noob, so there is a chance … Continue reading CVE-2021-22986 F5 REST Unauthenticated RCE Analysis

Man, I suck. For the first time, I've decided to actually include the challenge files. Hope the organizers don't DMCA me. Calc.exe Online (Web) http://chall.ctf.bamboofox.tw:13377 author: splitline Solution They gave us the source code, yay. http://chall.ctf.bamboofox.tw:13377/?source <?php error_reporting(0); isset($_GET['source']) && die(highlight_file(__FILE__)); function is_safe($query) { $query = strtolower($query); preg_match_all("/([a-z_]+)/", $query, $words); $words = $words[0]; $good = … Continue reading BambooFox CTF 2021 Writeup