Askar

I finalized a few updates for DNSStager, including Linux and macOS payloads that can be used to stage your payload over DNS. You will be able to fetch and run your payload over DNS on Linux and Mac boxes using several new payloads and custom execution techniques, with the ability to modify your loader within DNSStager itself. A new release of DNSStager is coming soon! https://t.co/V9ZB08vaLz

I had the chance to dig into a popular Linux-based DHCP server which I wanted to look at for a while now. I spent some time tracing through the application source code, focusing on the management interface and how it handles authentication, parsing, object creation and brushing up on some DHCP protocol internals along the way. And after mapping out the flow, I found that a chain of misconfigurations can lead to unauthenticated remote command execution as root on the network level. No memory corruption or logic bugs in the code itself, just some misconfigurations and features (ab)use that together create a clean path from a regular TCP connection to arbitrary root command execution. A good reminder that sometimes you don't need a 0day to pwn a service, sometimes a deep dive at the code will help you, and it's much easier nowadays with LLMs for sure. Will share a detailed blog post walking through the full chain soon. #offsec #cybersecurity

Simple modifications to the techniques your agent uses during code review, combined with full access to the deployed environment, or giving it the ability to deploy it directly, can significantly improve the vulnerability discovery process. In a recent code review, the agent discovered a full unauthenticated RCE chain by combining an authentication bypass with SSTI under non-default login configurations. Providing the agent with the right tooling and building automated pipelines to retrieve product documentation, recent bug reports, and non-default configurations will expand your attack surface when hunting for critical vulnerabilities. I will share a detailed guide on my setup and how this bug was discovered once the vendor releases a fix. #offsec #redteam #pentest

Last night, as part of my weekend research time, I was reviewing a codebase of a previously audited open-source project. As part of the process, I used a small agent I built before to help identify entry points, perform source/sink mapping, and assist with other analysis tasks. And after some tweaking, it ended up finding a 0-day RCE that allows low-privileged client accounts to execute arbitrary commands on the server. The vulnerability only works under non-default configurations, which limits its real-world impact, but it was still interesting to observe how the agent conducted the review. My goal was to evaluate the effectiveness of vulnerability research under different configurations and instructions. And from what I observed on multiple cases, AI doesn’t magically find bugs for you. Without proper context, tooling, and a well-defined methodology, you won't find much interesting stuff. #offsec #cybersecurity

Vulnerability research with LLMs is certainly much easier nowadays from what I have observed. However, that doesn’t mean you will find critical 0-days simply by pointing an agent at the codebase of a target application. That could work for small and simple applications, but not for applications with previously audited codebases. As a researcher, you still need a solid methodology and clear objectives. You must define how the review should be performed and what the agent should be looking for. The more knowledge you have about the codebase, the better instructions you can provide, which will definitely lead to more accurate analysis and more critical findings, or at least reveal attack paths worth investigating. LLMs don’t replace researchers. They help the ones who already know what they are doing. #offsec #cybersecurity #redteam

I got some time this evening to play with an idea that has been on my mind for a while to utilize GitHub Firehose (https://t.co/tQmK3iELTH) to monitor public code pushes in real time searching for unsafe functions for a specific language, generic keywords or secrets pushed publicly to Github. Using Github FireHose is straightforward, and you can use it for targeted monitoring as part of offensive operations by filtering commits from a specific committer email or domain to map packages that may contain secrets or unsafe functions to start your code analysis from. Or you can use it for generic bug hunting where public commits are scanned for exposed secrets, suspicious keywords, or unsafe functions. I know there are already commercial platforms that do this, but as an independent researcher it’s still a nice way to quickly spot some low-hanging fruit and expand on it to apply your own logic. Another interesting integration could be feeding the filtered code snippets into your favorite LLM and having it perform more customized audits tailored to your specific needs. I’ll share the code and some documentation for this once I have it finalized! #cybersecurity #offsec

I disconnected a bit over the weekend and conducted a code review against a Robotic Process Automation (RPA) software and found an interesting RCE 0-day chain in their latest version. The chain combined Broken Access Control (BAC) with a file upload flaw. For me, these kinds of chains are becoming harder to find nowadays, but they are still present in modern software. It was a fun one to dig into, and I hope I can share more details about it. Meanwhile, I’m planning to write more content about my humble static code analysis work on https://t.co/11XlMhnHSz , where I’ve already published some of my previous findings. #offsec #cybersecurity