Pentest Chronicles

If you’re interested in the world of cybersecurity, its technical challenges, and what is difficult right now, you’re in the right place. This section covers IT security more broadly, with the latest information, tips, and advice.

Latest insight

Other articles

Desktop app security 101

Adam Borczyk

At Securitum, we also perform security audits of desktop applications – everything ranging from a simple interface to complex systems with custom network protocols. Some of these apps are simply a wrapper around a database connection. This means that we can log in directly to the DB server and issue SQL commands there, all within the permissions granted to our role. This approach is called 2-tier architecture (client <-> DB) and is not recommended for security reasons, unless you can implement business logic and permission validation entirely at the database level, through grants, functions, procedures and such.

CVE-2025-8890 Authenticated RCE in SDMC NE6037 router

Grzegorz Bronka

When testing connectivity of the SDMC NE6037 router, inputting a quote character into the "ping" utility revealed an error indicating a Remote Code Execution (RCE) vulnerability. It is quite common to find RCE vulnerabilities in routers’ connectivity tools (such as ping or traceroute): the user-supplied parameters are passed without sanitization as a parameter to a shell command. This was confirmed to be the root cause in this instance.

Extremely quick AD takeover during Insider Threat audit

Jakub Żoczek

Insider Threat is a type of security test in which an auditor acts as a malicious employee and attempts to attack the organization from the inside. In this way, internal threats can be detected that the company might face if an employee's workstation access is compromised, as well as the potential risk when the employee themselves has malicious intentions. The client provides a workstation configured identically to other employee workstations, as well as additional credentials that allow connection to email systems, the Intranet, or VPN. In other words, an artificial employee is created whose goal is to detect vulnerabilities, exfiltrate sensitive data, or, if possible, take control of the network or key servers.

How "simple" math can crash your app. Support for exponential number format leads to Denial of Service.

Kamil Szczurowski

During one of the audits, I noticed that an application accepted numbers in exponential format (for example 5e10); however, all the fields were strongly typed – I couldn’t set any of the fields to a number higher than the Integer maximum value. Nevertheless, I kept that fact in mind and continued to check other numerical fields with vast numbers that would exceed the integer limit. After some time, I finally found a field that did accept a number larger than an integer, float or double, which meant that the variable type was BigInteger. Finding such a variable type together with the possibility of using exponential number format created a new attack vector: if the application allows any arithmetic operation on the value, there is a chance to conduct a Denial of Service (DoS) attack.

Breaking the TUI: From Client Quirks to Dual Local Privilege Escalation on AIX

Wiktor Szymanik

In a recent security assessment, I stumbled upon an interesting setup that, at first glance, looked like just another terminal emulator driving a TUI application. Further investigation led to an exploit that chained multiple steps and fully compromised the tested host. Before we dive into the chain itself, I'll briefly explain a few terms and concepts, as important context for the rest of the article.

Even the best can be beaten: bypassing EDRs with custom malware

Dominik Antończak

During one of the audits, I received an interesting task. The goal was to gain access to the systems responsible for backups and then perform a ransomware simulation. During the audit, access was gained to only one of these systems, because most of these machines were outside of the Active Directory (AD). Logging in, even with Domain Administrator (DA) privileges, was restricted, but having DA access allowed me to obtain the local admin password using LAPS, which gave me access to the HYPER-V-B machine. From there, I was able to log into HYPER-V-E (the target machine). Access to the rest (4 others) was not achieved.