Thursday, June 8, 2023

Important Note: All of the findings listed here were previously reported to the manufacturer of the software. As part of the responsible disclosure policy, we waited for a response from the manufacturer (confirming the vulnerability, issuing a patch, or accepting that they won't fix the finding) before sharing this post. Introduction: During a Penetration Test performed for a Security Company, I was able to identify certain findings that could affect the...

Monday, January 8, 2018

Recently on Security StackExchange, I saw a lot of people asking how to use THC Hydra properly for Password Cracking, so in this post I'm going to explain how to install the command line utility, and also how to install the graphical user interface (GUI) for it. Then you can find step by step instructions on how to use this tool properly against an http-form-post that simulates a Login form for a corporate website. Hope you...

Monday, December 4, 2017

A few days ago, we received an invitation to the BlitzCTF001, a very short and fast cybersecurity CTF. The challenges contained in this CTF cover: Crypto (Encoding), SQLi, Broken Access Control, Session Manipulation and Steganography. In our opinion, the challenges are interesting and entertaining, especially for learning about web application security, so we decided to share the solutions (just in case you get stuck on some level), hope...

Friday, January 3, 2014

A password (commonly known as passwd in Linux) is an unspaced sequence of characters used to determine that a computer user requesting access to a computer system is really that particular user. Typically, users of a multiuser or securely protected single-user system claim a unique name (called a user ID) that can be generally known. In order to verify that someone entering that user ID really is that person, a second identification,...

Sunday, November 3, 2013

In this post I am going to talk about a new tool: "Adobe Malware Classifier". This is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and easily determine if a binary file contains malware, so they can develop malware detection signatures faster, reducing the time in which users' systems are vulnerabl...

Thursday, October 3, 2013

Nowadays a common problem for many companies is the Distributed Denial of Service Attack (DDoS), so this post explains what a DDoS is and a possible solution for it. Distributed Denial of Service (DDoS): In computing, this attack is an attempt to make a machine (usually a web server) or a network resource unavailable to its intended users. The reasons for this attack may vary, but it generally consists of efforts to temporarily or indefinitely...

Tuesday, September 3, 2013

Figure 1: New Search Engine in Development

Scenario: A malicious code had access to a small enterprise of web developers, who are working on building a new search engine that will be competing in the market. Figure 1 shows a screenshot of the new project. To verify the functionalities of this new search engine, we are going to make some tests. First, we will enter the word "trololo" to see the results. The server response to the request...

Saturday, August 3, 2013

In this post I am going to explain how to solve a "Crackme" challenge that I found on the Internet. In this example you can see a Login form, but we don't know the Username or the Password, so what do you think could be a possible solution, or the first step to solve it?...