My Scorecard

These are some of my major security accomplishments. Some are documented on this blog, others may be elsewhere.

Zero-Day Discoveries

Here’s a selection of my favorite discoveries that I was able to write about publicly:

• Ubuntu Linux privilege escalation via snapd (dirty_sock):
  • Technical writeup
  • Exploit source code
  • Media coverage: The Register
• Ollama drive-by attack
  • Technical writeup
  • Exploit source code
  • Media coverage: The Register
• Three Privilege Escalation Bugs in Google Cloud Platform’s OS Login
  • Technical writeup
  • Media coverage: Google VRP prize winners announcement
• Firefox for Android - LAN-based intent triggering
  • Technical writeup
  • Media coverage: ZDnet
• Linux Privilege Escalation via LXD & Hijacked UNIX Socket Credentials
  • Technical writeup
  • Exploit source code
• LAN-Based Blind SSRF Attack Primitive for Windows Systems (switcheroo)
  • Technical writeup
  • Exploit source code
• Stealing Bitcoin with Cross-Site Request Forgery (Ride the Lightning + Umbrel)
• Out-of-Band XXE in Plex Media Server
• Serv-U FTP: Privilege Escalation to Remote Code Execution

And a few more CVEs that I didn’t get around to blogging about:

• CVE-2018-7669: LFI in Sitecore
• CVE-2018-13415: XXE in SSDP Parsing of Plex Media Server
• CVE-2018-13416: XXE in SSDP Parsing of Universal Media Server
• CVE-2018-13417: XXE in SSDP Parsing of Vuze Bittorrent Client

Offensive Security Tactics

• GitLab blog:
  • GCP post exploitation tactics and techniques
  • Stealth operations: The evolution of GitLab’s Red Team
  • How we run Red Team operations remotely
  • Why are developers so vulnerable to drive-by attacks? - also includes a zero-day drive-by RCE disclosure for GitLab GDK
  • How GitLab measures Red Team impact: The adoption rate metric

Open Source Software

• cloud_enum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
• linkedin2username: OSINT Tool: Generate username lists for companies on LinkedIn.
• passphrase-wordlist: Passphrase wordlist and hashcat rules for offline cracking of long, complex passwords.
• uptux: Linux privilege escalation checks (systemd, dbus, socket fun, etc)
• RTAP: Red Team Assessment Platform - reporting, visualizations, and analytics for cybersecurity red teams
• evil-ssdp: Spoof SSDP replies and create fake UPnP devices to phish for credentials and NetNTLM challenge/response.

Talks / Recordings / Etc.

• BSides: Google Cloud Post Exploitation Tactics and Techniques
• ProjectDiscovery HardlyStrictlySecurity: Beyond Code: Leveraging open source strategies for red teaming