
//
A cybersecurty hobbyist showed how to use vm2 JavaScript sandbox vulnerabilities to get into a Linux server, find a hash, and root access in a HackTheBox Codify challenge. Web cache issues, which can leak info, need careful monitoring; techniques like underscores in headers and fuzzing help prevent these attacks. The OSTE-Web-Log-Analyzer is a tool in Python for analyzing web logs to spot web attacks. C2 Cloud makes pentesting simpler with its web interface for handling backdoor sessions. To get Wi-Fi passwords from Windows after a breach, you need admin rights or the user’s context, and it’s suggested to not use WPA2 PSK for private networks.The Xen hypervisor got updated to fix handling of page table entries for superpages. Mahmoud Attia explains how to automate finding XSS vulnerabilities and avoid WAF detection using certain tools. A blog post explained how to create a backdoored Amazon Machine Image (AMI). Another post shows an exploit for BioTime software, allowing directory walking and code execution. A step-by-step method was given to analyze and get a malicious file from a site. MayflyHack has new cybersecurity resources like setting up a SCCM lab, network architecture, image creation, infrastructure deployment, and config management. The site itself provides tutorials for developing cyber security environments. Red Team Attack Lab uses real systems and vulnerabilities for offensive cybersecurity without cloud service costs. OpenGFW firewall is open-source, inspired by China’s firewall. Using Validin, 36 phishing domains linked to Latrodectus were found. Global Socket helps to securely communicate through firewalls using encrypted traffic. Japan EQ Locator helps visualize earthquake data, available on GitHub.QuickStego hides text in images, while QuickCrypto does the same with encryption. A Local Privilege Escalation (LPE) vulnerability in macOS filesystems was discovered and patched. Samuel Groß discussed finding vulnerabilities in image format parsers that impact Apple’s messenger apps. DroneXtract is softwre for analyzing DJI drone data. Articles explore Windows Containers creation and windows APIs. Web cache attacks can lead to site takeovers, but James Kettle suggests defenses like not caching error pages. FreeTube is a YouTube app for private viewing, and SearXNG is a private metasearch engine that doesn’t track users.
[more...]