
Pentest Chronicles

If you’re interested in the world of cybersecurity, the related technical issues, and what’s challenging right now, you’re in the right place! This part talks about IT security more broadly and has the latest information, tips, and advice.

Latest insight

Other articles


Inter-process Communication Vulnerability – Unrestricted Write Permissions in VPN Service

Mateusz Lewczak

Inter-Process Communication (IPC) is simply the set of mechanisms that let two or more processes on the same machine exchange data or signals. Across Windows, Linux and macOS you'll find pipes or FIFOs, shared memory regions, message queues and—crucially for many modern services—sockets (named pipes on Windows, UNIX Domain Sockets on Unix-like systems, and Mach ports/XPC on macOS). These primitives differ in performance and complexity, but they all serve the same goal: enable a less-privileged component (for example, a user-facing GUI) to invoke functionality in a more-privileged daemon (like a VPN manager).


TunnelVision – Selective Denial-of-Service Vulnerability

Mateusz Lewczak

During a recent security audit, I identified that the tested VPN was vulnerable to a known implementation flaw referred to as TunnelVision (CVE-2024-3661). This vulnerability affects how routing tables are managed by certain VPN services, particularly in the way they interact with DHCP protocols. The discovered flaw allows an attacker to reroute selected traffic outside of the intended VPN tunnel. This bypass can potentially expose user data or, specifically under Windows, cause a selective denial-of-service (DoS) scenario. This article describes in detail how the vulnerability can be triggered, demonstrates a practical proof-of-concept, and provides mitigation recommendations.


Privilege Escalation through Docker group membership and… sudo backdoor?

Dominik Antończak

During a security audit, a high-risk vulnerability was discovered in an environment where a user named "securitum_insider_user" held membership in the docker group. This membership, combined with specific misconfigurations in the operating system, allowed for privilege escalation to root-level access. Once root privileges were obtained, I deployed a custom script that captured sudo passwords from unsuspecting users on the same host. Although no sensitive information was ultimately retrieved beyond those credentials, this demonstrates how even seemingly small permission oversights can compromise an entire system.


Two-Step Exploit: From Initial Request to Complete Admin Takeover

Mateusz Lewczak

During a penetration test of a desktop application's backend interface, a critical flaw was identified that allows unauthenticated users to execute SQL queries by sending specially crafted requests. Although the backend was intended to restrict unauthenticated queries to simple SELECT statements on a specific configuration table, the actual implementation failed to properly validate the structure and scope of those queries. As a result, it is possible to use SQL injection techniques, specifically the UNION operator, to extract sensitive data from unrelated tables in the database.


Remote Configuration Disclosure and Code Execution in a Legacy TYPO3 Instance

Dariusz Tytko

During an external penetration test I identified a critical vulnerability that grants unauthenticated users full visibility of the application-side configuration and a direct path to server-side code execution. The target site operates on TYPO3 CMS version 6.2.31, a release line that addresses some patches, including the security bulletin referenced as TYPO3-PSA-2020-001. Because the instance still exposes the auxiliary validateHash controller, any visitor can request a Hash-based Message Authentication Code (HMAC) for an arbitrary value. TYPO3 relies on that to protect form metadata sent from client to server; once an attacker can mint valid HMACs, every integrity barrier collapses. The following sections reproduce the proof-of-concept chronology performed during the audit.


Overriding Data Loss Prevention Controls via Misconfigurations and Endpoint Security Bypass

Dominik Antończak

Data Loss Prevention (DLP) solutions are often implemented in corporate environments to prevent unauthorized exfiltration of intellectual property, code, and other sensitive materials. These systems typically rely on a combination of monitoring, filtering, and dynamic rule enforcement to detect any suspicious attempt to copy critical files to unapproved external devices or cloud-based services.


Unrestricted File Upload Leading to Arbitrary Code Execution and NTLM Hash Disclosure

Dominik Antończak

During a security audit, I found a critical vulnerability in the file upload mechanism of an application designed to receive user-submitted requests. This vulnerability enables attackers to upload and subsequently execute malicious files on the server with administrative privileges. Furthermore, it allows a maliciously crafted PDF file to steal the NTLM hash of the user who opens it, potentially enabling lateral movement and privilege escalation within the infrastructure. This write-up provides technical details, a proof of concept (PoC), and recommended remediation strategies.
