These are some of my major security accomplishments. Some are documented on this blog, others may be elsewhere.
Zero-Day Discoveries
I have a much longer list of CVEs assigned, but these are some of my favorites.
- Ubuntu Linux privilege escalation via snapd (dirty_sock)
- Ollama drive-by attack
- Three Privilege Escalation Bugs in Google Cloud Platform’s OS Login
- Firefox for Android - LAN-based intent triggering
- Linux Privilege Escalation via LXD & Hijacked UNIX Socket Credentials
- LAN-Based Blind SSRF Attack Primitive for Windows Systems (switcheroo)
- Stealing Bitcoin with Cross-Site Request Forgery (Ride the Lightning + Umbrel)
- Out-of-Band XXE in Plex Media Server
- Serv-U FTP: Privilege Escalation to Remote Code Execution
Offensive Security Tactics
- GitLab blog:
  - GCP post exploitation tactics and techniques
  - Stealth operations: The evolution of GitLab’s Red Team
  - How we run Red Team operations remotely
  - Why are developers so vulnerable to drive-by attacks? (also includes a zero-day drive-by RCE disclosure for GitLab GDK)
  - How GitLab measures Red Team impact: The adoption rate metric
Open Source Software
- cloud_enum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
- linkedin2username: OSINT Tool: Generate username lists for companies on LinkedIn.
- passphrase-wordlist: Passphrase wordlist and hashcat rules for offline cracking of long, complex passwords.
- uptux: Linux privilege escalation checks (systemd, dbus, socket fun, etc.)
- RTAP: Red Team Assessment Platform - reporting, visualizations, and analytics for cybersecurity red teams
- evil-ssdp: Spoof SSDP replies and create fake UPnP devices to phish for credentials and NetNTLM challenge/response.
Talks / Recordings / Etc.
- BSides: Google Cloud Post Exploitation Tactics and Techniques
- ProjectDiscovery HardlyStrictlySecurity: Beyond Code: Leveraging open source strategies for red teaming