Java RMI for pentesters part two — reconnaissance & attack against non

In the current part we will talk about actual automated reconnaissance as well as attacks against them. The article will make use of RMI interface / server which was presented and thoroughly explained in the first part. Its source code can also be found on GitHub, here.

Java RMI for pentesters: structure, recon and communication (non-JMX Registries).

Java RMI server is a virtual entity exposed over the network that allows other remote parties (clients) to execute methods on a system (technically a JVM running on that system) on which it is running. It’s nothing exceptional in the programming world — where similar concepts like Remote Procedure Call (RPC) are widely used.

Ethical Hacking (Part 1): OWASP Top 10 and DVWA

If you intend to delve into the world of ethical hacking and particularly web application penetration “pen” testing a good starting point is understanding what OWASP is and more particularly the OWASP Top 10.

TryHackMe. Hacking a Vulnversity Machine.

A write-up for myself:) If you're interested in learning ethical hacking/ pentesting, check my TryHackMe Vulnversity walkthough.

Exploiting fine-grained AWS IAM permissions for total cloud compromise

This is a real case study of how to enumerate and use IAM permissions to your advantage. I strongly suggest you read my previous article on how IAM permissions work. It’s long, but necessary to understand most of the things we did here.

Exploiting AWS IAM permissions for total cloud compromise: a real world example

In part 1 we compromised an account with multiple permissions, but no Administrator access. We found a potential role that would allow us to escalate privileges, following one of the methods in Rhinosecuritylab’s post. Briefly explained, we’ll try to create an instance and attach to it a privileged role at creation time.

AWS IAM explained for Red and Blue teams

When I started getting into AWS pentesting, one of the hardest things to fully understand was IAM. AWS documentation is usually great, but can be extensive, and IAM has a lot of similar terms. You have users, roles, groups, managed policies, inline policies, instance roles, etc… This article will try to shine some light on the subject, as well as some ways to enumerate this information with different tools.

Recipe for a successful phishing campaign (part 2/2)

In part 1 we saw general considerations you should keep in mind in order to start setting up your infrastructure, as well as technical steps to setup your domain with SPF and DKIM records. In this part we’ll get to a score of 10/10 and I’ll show you how to manage big campaigns, as well as 10 tips at the end to improve your reception percentage. We’ll also talk about SMTP relays and when you should use them.

Recipe for a successful phishing campaign

Having participated in multiple phishing campaigns over the years, both in offensive as well as defensive teams, I’ve learned from trial and error a lot of these things to pay attention to. This article will try to summarize them.

HTB ‘Cache’ [writeup]

Cache required a combination of enumeration and instincts rather then using extensive range of scanning tools. Exploiting this vulnerability in the web-based application’s (openEMR) login portal exposed the application’s user credentials. Using this, the account was accessed.

Grindr's Bug Bounty Pledge Doesn't Translate to Security

At [email protected], Luta Security CEO Katie Moussouris stressed that bug bounty programs aren't a 'silver bullet' for security teams.

HTB Admirer [Writeup]

For this machine, using gobuster command exposed the credentials to access the open FTP port which led to finding out about the vulnerable MySQL database that allows foreign server to import arbitrary data exposing credentials.


Writeup-Vulnhub-Kioptrix. The exploitation of a vulnerable FreeBSD OS machine, rooting it by escalating privileges. The Target machine being used in Kioptrix 2014 available on Vulnhub.

Combining Hadoop and MCollective for total network compromise

This is the story of how only two insecure configurations allowed us to take down an entire cloud hosted company. It was a gray box pentest for a relatively big client, in which we were tasked with assessing the security of about 5 development endpoints, accessible only using a client certificate.

How a badly configured DB allowed us to own an entire cloud of over 25K hosts

On part 1 we briefly explained how we got administrator privileges to almost all BMC devices hosting a native Openstack cloud. In this part we’ll show how we used these to achieve complete compromise.

How To Hack: Jerry From HackTheBox

Welcome to my third article. Today we will be looking at Jerry from HackTheBox. This is a realistic and very easy box. The article will again be similar to my first and second article, because I will provide some more information on the Box and why it is vulnerable.

How a badly configured DB allowed us to own an entire cloud of over 25K hosts

In this write up we’ll see how we were able to combine direct sqlmap connection to a database with BMC/IPMI exploitation to compromise a big cloud-hosted client.

HackTheBox: Popcorn

My goal is to document my journey on achieving the OSCP Certification. This Medium blog is not the place where you can find a quick writeup for a box.

How To Hack: Bastion From HackTheBox

Welcome to my second article here on Medium. Today we will be looking at Bastion from HackTheBox. This is a rather realistic box in my opinion and it made a lot of fun. This article will be similiar to my first article, because I will provide some more information on the Box and why it is vulnerable.

Stealing your data using XSS

Turned on machine, started active + passive discovery of domains and all in-scope assets of . Used many tools like Sublist3r, Amass, findomain, subfinder, etc.