Exploiting CVE-2018-1038 - Total Meltdown

This week I had some free time to look into CVE-2018-1038 aka Total Meltdown. The aim was to create a quick exploit which could be used to elevate privileges during an assessment. I ended up delving into Windows memory management more than I had before.…

Read more »

Understanding and Evading Get-InjectedThread

One of the many areas of this field that I really enjoy is the "cat and mouse" game played between RedTeam and BlueTeam, each forcing the other to up their game. Often we see some awesome tools being released to help defenders detect malware or shellcode execution, and knowing just how these defensive capabilities function is important when performing a successful pentest or RedTeam engagement. Recently I came across the awesome post "Defenders Think in Graphs Too!", which can be found over on the SpectreOps blog here. This post is the start of a series looking at "dat…

Read more »

Exploring Cobalt Strike's ExternalC2 framework

Posted on

As many testers will know, achieving C2 communication can sometimes be a pain. Whether because of egress firewall rules or process restrictions, the simple days of reverse shells and reverse HTTP C2 channels are quickly coming to an end. OK, maybe I exaggerated that a bit, but it's certainly becoming harder. So, I wanted to look at some alternate routes to achieve C2 communication and with this, I came across Cobalt Strike‚Äôs ExternalC2 framework. ExternalC2 ExternalC2 is a specification/framework introduced by Cobalt Strike, which allows hackers to extend the default HTTP(S)/DNS/SMB C2 communi…

Read more »

Moving jobs and exploiting flash (CVE-2018-4878)

Recently I joined the MDSec team after seeing many of the cool things that they had contributed to the community, and to hopefully pick up some of their awesome skills. Shortly after joining I was pointed to a small research project, CVE-2018-4878, a Flash vulnerability classified as a "Use-After-Free". This vulnerability was being exploited in the wild, however due to the way in which the malware was encrypted, it was not possible to recover a live sample of the exploit. Basing research on some redacted screenshots and snippets disclosed on Twitter, I was able to create a working de…

Read more »