Skip to main content

Pentest Chronicles

If you’re interested in the world of cybersecurity, the related technical issues, and what’s challenging right now, you’re in the right place! This part talks about IT security more broadly and has the latest information, tips, and advice.
Illustration of Pentest Chronicles

Latest insight

Illustration of One-Time-Pwn: Unauthenticated account takeover via One-Time Password

One-Time-Pwn: Unauthenticated account takeover via One-Time Password

Maksym Hensitskyi

Security features are meant to strengthen authentication, but sometimes they do the opposite. Due to a logic flaw, the mechanism intended to enhance security instead functions as a backdoor. As a result, an attacker could compromise any registered account in the application simply by knowing its email address. The web application implemented several security measures to protect its OTP-based authentication flow. Each OTP was a uniformly random 6‑digit code, and users were limited to three OTP verification attempts per code. After the third incorrect attempt, a new OTP had to be requested. Additionally, new OTP requests were throttled, enforcing a one‑minute cooldown before another code could be issued. In theory, this combination of rate limiting and cooldown logic was meant to prevent brute‑force attacks.

READ article

Other articles

Illustration of Wipe and Rise: How Deleting Folder on Windows Enables LPE

Wipe and Rise: How Deleting Folder on Windows Enables LPE

Mateusz Lewczak

Time-of-check-to-time-of-use (TOCTOU) race conditions have plagued Windows software for decades, yet they still surface in modern code. During a recent audit of TestedAPP we uncovered a textbook example: the application's background service first checks whether a cache directory exists and, milliseconds later, deletes it without re-validating the path. Because every non-privileged user can create files and folders inside the application tree, an attacker can win the race, swap the legitimate directory for an NTFS mount point, and redirect the deletion to any location on the system drive.

READ article
Illustration of IAM – Privilege Escalation in Azure Cloud

IAM – Privilege Escalation in Azure Cloud

Adam Borczyk

In my recent analysis of Identity and Access Management (IAM) controls within Azure Cloud environments, I identified a significant risk related to improper role assignments. Specifically, the use of broad built-in roles, such as Owner and Contributor, without granular permission management can lead to unrestricted access. Although the tested environment contained a limited number of accounts, this misconfiguration represents a substantial security risk that can compromise cloud infrastructure and sensitive data.

READ article
Illustration of Inter-process Communication Vulnerability – Unrestricted Write Permissions in VPN Service

Inter-process Communication Vulnerability – Unrestricted Write Permissions in VPN Service

Mateusz Lewczak

Inter-Process Communication (IPC) is simply the set of mechanisms that let two or more processes on the same machine exchange data or signals. Across Windows, Linux and macOS you'll find pipes or FIFOs, shared memory regions, message queues and—crucially for many modern services—sockets (named pipes on Windows, UNIX Domain Sockets on Unix-like systems, and Mach ports/XPC on macOS). These primitives differ in performance and complexity, but they all serve the same goal: enable a less-privileged component (for example, a user-facing GUI) to invoke functionality in a more-privileged daemon (like a VPN manager).

READ article
Illustration of TunnelVision – Selective Denial-of-Service Vulnerability

TunnelVision – Selective Denial-of-Service Vulnerability

Mateusz Lewczak

During a recent security audit, I identified that the tested VPN was vulnerable to a known implementation flaw referred to as TunnelVision (CVE-2024-3661). This vulnerability affects how routing tables are managed by certain VPN services, particularly in the way they interact with DHCP protocols. The discovered flaw allows an attacker to reroute selected traffic outside of the intended VPN tunnel. This bypass can potentially expose user data or, specifically under Windows, cause a selective denial-of-service (DoS) scenario. This article describes in detail how the vulnerability can be triggered, demonstrates a practical proof-of-concept, and provides mitigation recommendations.

READ article
Illustration of Privilege Escalation through Docker group membership and… sudo backdoor?

Privilege Escalation through Docker group membership and… sudo backdoor?

Dominik Antończak

During a security audit, a high-risk vulnerability was discovered in an environment where a user named "securitum_insider_user" held membership in the docker group. This membership, combined with specific misconfigurations in the operating system, allowed for privilege escalation to root-level access. Once root privileges were obtained, I deployed a custom script that captured sudo passwords from unsuspecting users on the same host. Although no sensitive information was ultimately retrieved beyond those credentials, this demonstrates how even seemingly small permission oversights can compromise an entire system.

READ article
Illustration of Two-Step Exploit: From Initial Request to Complete Admin Takeover

Two-Step Exploit: From Initial Request to Complete Admin Takeover

Mateusz Lewczak

During a penetration test of a desktop application's backend interface, a critical flaw was identified that allows unauthenticated users to execute SQL queries by sending specially crafted requests. Although the backend was intended to restrict unauthenticated queries to simple SELECT statements on a specific configuration table, the actual implementation failed to properly validate the structure and scope of those queries. As a result, it is possible to use SQL injection techniques, specifically the UNION operator to extract sensitive data from unrelated tables in the database.

READ article
Illustration of Remote Configuration Disclosure and Code Execution in a Legacy TYPO3 Instance

Remote Configuration Disclosure and Code Execution in a Legacy TYPO3 Instance

Dariusz Tytko

During an external penetration test I identified a critical vulnerability that grants unauthenticated users full visibility of the application side configuration and a direct path to server side code execution. The target site operates on TYPO3 CMS version 6.2.31, a release line that addresses some patches, including the security bulletin referenced as typo3 psa 2020 001. Because the instance still exposes the auxiliary validateHash controller, any visitor can request a Hash based Message Authentication Code for an arbitrary value. TYPO3 relies on that to protect form metadata sent from client to server, once an attacker can mint valid HMACs, every integrity barrier collapses. The following sections reproduce the proof of concept chronology performed during the audit.

READ article
A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?

Happy to get a call or email
and help!

Contact Us