
Showing posts from March, 2026

Dark Web Leaks: Exploit Production Company

I have to tell you about the latest "copy-paste" disaster in cybercrime history. This is pure gold. Microsoft recently took down a massive cyber-fraud ring called "RedVDS." These guys were basically running an "all-inclusive" rental shop for cybercriminals. You just drop some crypto, and they hand you an unrestricted Windows virtual server like, "Here you go, buddy, go scam whoever you want." They used these servers to hijack corporate emails (BEC) and run massive phishing campaigns. We’re talking about $40 million stolen in the U.S. alone! But here’s the kicker: how did this massive network get busted? (Pay attention here.) The guy who built the system set up an automated virtualization infrastructure (QEMU) to spin up thousands of servers instantly. Everything looked super professional up to that point. But then, peak laziness kicked in. Think of it like this: you build a high-tech printing press to make thousands of fake passports, but you...

Stop the Scammers. Detection of Homoglyph Attack Attempt using KQL (Kusto Query Language)!

Phishing attempts are getting sneakier, often leveraging homoglyph attacks or unusual characters to trick employees. I put together a simple but effective query to scan for new users created with "weird" characters in the email domain, which indicates a potential spoofed or malicious account creation attempt. KQL Breakdown: This query scans 7 days of CloudAppEvents for the `Create user.` action, then checks the new user's email domain for any non-ASCII characters (characters outside the standard English keyboard set: U+0000 to U+007F). This is a great starting point for spotting internationalized domain name (IDN) abuse or other sophisticated L3 attacks.

CloudAppEvents
| where TimeGenerated > ago(7d)
| where ActionType == "Create user."
| extend Email = tostring(parse_json(RawEventData).EmailAddress)
| extend Domain = tostring(split(Email,"@")[1])
| where Domain matches regex @"[^\u0000-\u007F]"
| project Ti...

Just add the name of the museum into Surveillance Camera System

So, did you know that the password for the security surveillance system in the Louvre museum was LOUVRE? To guess and try stuff, you don’t need to be a hacker with a thick belt. You just need to be a human, think for a second, then give it a try. SOURCE: https://www.dailymail.co.uk/sciencetech/article-15261387/Louvre-password-video-surveillance-heist.html

Entering Password Protected Windows Computer without the Password

If you have a Windows laptop and you don’t know the password for some reason (!) (maybe it’s not yours?) and want to log in without entering the password, here’s a simple way to hack it without being too technical. You just need to bypass the password protection. I didn’t try this method on other Windows versions, you can give it a try, but for Windows 10 and Windows 11 it works perfectly fine. (You need an empty physical pen drive to bypass.)
Step 1: Download the Hiren's BootCD ISO file: https://www.hirensbootcd.org/
Step 2: Mount the ISO file to your USB (you will lose all of the data on it). You can use Rufus to do this. I will skip this step.
Step 3: Start the Windows computer whose password you want to bypass and open the BIOS menu. Depending on the manufacturer, the BIOS menu can be opened with the F12, ESC or Delete key during system boot.
Step 4: Select the USB from the BIOS menu to boot.
Step 5: It will open a live OS, similar to a Windows environment, but it’s not… We will use ...

VIP Ticket to Ruin your Life | Golden Ticket Attack

Have you ever heard of a ticket so powerful it gives you access to an entire Active Directory environment? That’s exactly what a Golden Ticket does. An attacker can create a Ticket Granting Ticket (TGT) using the KRBTGT account hash. This allows an attacker to impersonate any user, access any resource, and remain undetected for as long as they want. Golden Ticket attacks are difficult to detect and devastating when successful. The core vulnerability that enables a Golden Ticket attack lies in the design of Kerberos authentication in Active Directory, specifically how Ticket Granting Tickets (TGTs) are trusted and validated. The Root Cause: The entire Kerberos trust model in AD depends on the secrecy of the KRBTGT account’s password hash. What Does That Mean? The KRBTGT account is a special built-in account in Active Directory. It is used by the Key Distribution Center (KDC) to sign and encrypt TGTs. A...

BAD JWT

Have you ever seen a JWT token that reveals way more than it should? In offensive security, we always inspect JWTs for:
Weak or guessable signing keys (e.g., "secret")
Use of the none algorithm
Missing or improperly enforced exp claims
Sensitive data in the payload (passwords, tokens)
JWTs are NOT encrypted by default. Don’t store secrets inside them before encrypting sensitive data. You may not believe it, but this is extremely common in JWT tokens, especially by junior developers, because they think tokens are safe and unreadable, so they just put all relevant info inside, because this is an “EASY WAY” of coding... Password inside JWT?! Never store passwords (even hashed) in a JWT payload. JWTs are just base64-encoded, not encrypted! We can break hashed passwords too. We can also break some encryption algorithms like MD5, so you should choose a good algorithm for encryption. Credit Card Info in Payload? Huge PCI-DSS violation and security risk. This data could be exposed in logs, browser...

Beyond the Pentest: Why We Do What We Do

“We had a two-week pentest. They gave us a 40-page report. We fixed the high-severity issues. Are we secure now?” This is a line I’ve heard far too many times from CISOs and security leads, and I always give them the same answer: No, you’re not secure. Not even close. I’m a penetration tester, but not the kind you’re used to. Let me explain. The Old Red vs Blue Paradigm Is Dead: We’re no longer living in a world where attackers show up, hit your network hard for a few days, and disappear. Real adversaries stay there and observe you for months. Even for years. They don’t follow rules of engagement. They evolve. They study you. And they compromise you slowly. The traditional red team-blue team separation, and the "2-week pentest, fix top 5 CVEs" checklist approach? It’s outdated. It gives a false sense of security. We don’t play by those rules at Gl1tch | Risk. Offensive Security as a Service – A Different Approach: In our practice, we go beyond traditional penetration testing...

Phoenix's Terminal Log v0.0.1

This month I did lots of bounties alone… Had some very nice findings, and one of them was RCE (Remote Code Execution) using a Samba vuln (CVE-2021-44142). I always try to teach my girlfriend the hacking world; she doesn’t like coding stuff, but last week she learned the logic behind SQL and template injections. She is not in IT, and knowing this may not be useful for anything at all, but this is what you get if you have a nerd boyfriend. Can’t quit energy drinks, I know it’s not healthy but I keep drinking them. My favorite one is Red Bull, I think that’s the best one. They sell a big 24-pack box at Costco and I grab one box whenever I go to Costco. But I also like Blue&Yellow Amper or Volt (Mexican energy drink brands). A cheap and fast alternative to Red Bull. We say 3B (Tres Bae) when something is dead cheap in Mexico. So it’s a 3B alternative. Recently I have been focusing strongly on improving some things in my business, I also hired 3 new pentesters from Europe who can work with me,...

Bypassing Corporate Firewalls with Chisel for RDP Access

Scenario Overview: A corporate network restricts inbound connections but allows outbound traffic (e.g., HTTP, HTTPS). We need to access an internal RDP (3389) server behind the firewall from an external attacker-controlled machine. Constraints: The firewall blocks inbound RDP, SSH, and VPN. Only outbound HTTP/HTTPS is allowed. Direct reverse shells are detected. Sneaking in without getting caught, when it’s not allowed: Chisel (TCP/HTTP Tunneling). Chisel creates an encrypted tunnel over allowed protocols (HTTP/WebSockets), bypassing firewall restrictions.
Step-by-Step Exploitation
1. Set up the Chisel Server (Attacker Machine): On the attacker machine (public IP: 10.10.10.10), start the Chisel server in reverse mode (to allow victim-initiated connections). It listens on port 8080 (HTTP-friendly to evade detection). --reverse ensures ports are opened on the server (attacker) rather than the client (victim).
2. Victim Machine (Internal Network) Connects Back: On the...

Data Poisoning: A Technical Deep Dive into AI's Most Insidious Threat

Artificial Intelligence and Machine Learning (AI/ML) models are rapidly becoming the bedrock of modern business operations. I have had the opportunity to do security assignments involving AI features at different companies, and I have also done a lot of research and investigation, and had the chance to tinker with computers and ML models, to find more and more ways to hack these models. The whole AI thing is actually simply relying on DATA. The way it works with data relies heavily on mathematical concepts: prediction, probability, discrete math, calculus, etc. But we don’t need any of these. What we want is DATA. Before hacking anything, you should first learn how it works. AI models' reliance on DATA for their core functionality makes them vulnerable to a subtle and devastating attack vector: data poisoning. There are other attack vectors as well, but I want to focus on the DATA POISONING technique in this text, since it’s one of the biggest attack vectors and it’s also the most difficult to secure compl...

Is a bad lock on a door better than no lock at all?

Bad controls can increase the attack surface significantly, compared to not having controls at all. While a minimal physical barrier might offer a sliver of deterrence, poorly implemented security controls can significantly increase the attack surface compared to having no controls at all. This is because flawed controls can introduce new vulnerabilities and provide a false sense of security, making systems more susceptible to exploitation. Poorly implemented authentication might introduce bypass vulnerabilities, effectively opening up access points that wouldn't exist without it. A flawed encryption mechanism could provide a false sense of data protection while actually being easily broken, making sensitive information more readily available to attackers than if it were unencrypted but its vulnerability was known. I've seen companies that implemented an encryption mechanism, believing they had addressed security. The critical oversight was that their chosen encryption method was ...