• From Zero to Hero Part 1: Bypassing Intel DCM’s Authentication by Spoofing Kerberos and LDAP Responses (CVE-2022-33942)

  • Smuggling an (Un)exploitable XSS

  • CVE-2020-16171: Exploiting Acronis Cyber Backup for Fun and Emails

  • Bug Bounty Platforms vs. GDPR: A Case Study


  • H1-212 CTF: Breaking the Teapot!

    With the h1-212 CTF, HackerOne offered a really cool chance to win a visit to New York City to hack on some exclusive targets in a top secret location. To be honest, I’m not a CTF guy at all, but this incentive caught my attention. The only thing one had to do in order to […]

  • CVE-2017-14955: Win a Race Against Check_mk to Dump All Your Login Data

    The authors of check_mk have fixed a quite interesting vulnerability, which I have recently reported to them, called CVE-2017-14955 (sorry no fancy name here) affecting the oldstable version 1.2.8p25 and below of both check_mk and check_mk Enterprise. It’s basically about a Race Condition vulnerability affecting the login functionality, which in the end leads to the disclosure […]

  • CVE-2017-14956: AlienVault USM Leaks Sensitive Compliance Information via CSRF

    I usually try to avoid blogging about Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities, just because they are basically everywhere – except if they can be used to achieve something cool 😉 In this specific case I have found a particularly interesting CSRF vulnerability, which allows attackers to extract very sensitive compliance information… from a costly […]

  • Upgrade from LFI to RCE via PHP Sessions

    I recently came across an interesting Local File Inclusion vulnerability in a private bug bounty program which I was able to upgrade to a Remote Code Execution. The interesting fact about this and what makes it different is that the underlying operating system was pretty hardened and almost all usual ways to upgrade your LFI […]

  • OK Google, Give Me All Your Internal DNS Information!

    In late January, I found and reported a Server-Side Request Forgery (SSRF) vulnerability on toolbox.googleapps.com to Google’s VRP, which could be used to discover and query internal Google DNS servers to extract all kinds of corporate information like used internal IP addresses across the company as well as A and NS records exposing all kinds of hosts like […]

  • RCESEC-2016-012: Mattermost <= 3.5.1 Error Page Cross-Site Scripting / Content Injection

    I’m quite busy with bug bounties lately, but sometimes I still discover stuff, which might also be interesting for the rest of you ;-). So here’s a quick writeup about a quite interesting vulnerability in the open source Slack-alternative Mattermost, which I found in December last year and coordinated with the Mattermost team. You can also read about the full advisory […]

  • HamburgSides 2016: Magic Superpowers!

    The year 2016 comes to an end quickly and so it was time for another Sides conference. This year’s HamburgSides, formerly known as BSidesHH, was held in the Bucerius Law School in Hamburg next to the 33C3. I’ve been supporting this event since the very first BSidesHH in 2014, so I had to attend this year […]

  • 44CON London 2016: When Hackers Meet a Corgi!

    Have you ever been to 44CON in London? In case you haven’t, you need to go there in 2017! To be honest it was my first time attending, but it took just one 44CON for me to become excited, and not only because of the Corgi crew member – but also because of all the workshops, talks and people […]

  • SLAE Course and Exam Review

    As you may have noticed, I have posted a couple of articles about my SecurityTube Linux Assembly Expert exam during the last months. Now that I have successfully completed the course, I just want to share my thoughts about it for those of you who think about taking the course but are unsure if it’s the right one. What is […]
