Today, I’ll be cracking open the AC1200 Dual Band Wi-fi Router vM32A3_V1410_240222 and attempting to get a UART shell! Let’s dive right into it. Opening the Router My first step was to identify the mechanisms keeping the router sealed. I found some screws hidden beneath plastic feet on the bottom of the router. I began by removing them as seen in the photo below. After I removed them, I still struggled to get the device open. I thought I might need to rip out the antennas to do it and I d...| Ally Petitt
Introduction On November 19th, 2024, Qualys publicly disclosed five local privilege escalation vulnerabilities discovered in the needrestart utility that comes installed by default on Ubuntu Server installations. They disclose the technical details here; however, I will be attempting to rediscover CVE-2024-48990 prior to reading the technical details, based purely on the information from the CVE description and references. Then, I will create my own exploit that gives me a reverse shel...
Introduction Last week, I came across a piece of firmware that I was particularly curious about. As with typical analysis on such an image, I extracted the squashfs root using binwalk and found the web service, httpd, that I was targeting. A smile spread across my face as I typed a command into the terminal to run httpd in QEMU user mode, but after pressing the "Enter" key, I saw it:
$ sudo chroot . ./qemu-armeb-static /usr/sbin/httpd -n
cannot open /dev/nvram
Cannot open /dev/nvram. This...
Introduction Hello everyone and welcome to the first exclusive post on my new personal website! I am very excited to be here and I hope that you are as well. The picture above is a bit dramatic, but communicates the message that I have decided to move forward. Those who have been following me will know that I first began my technical blog on Medium, which was an approachable outlet for sharing my knowledge as I first entered the field. I will graduate from high school this month, which marks ...
Author: Ally Petitt Introduction Christmas break is notoriously refreshing for high schoolers like myself; however, unlike most high school students, I got to spend mine doing the most fascinating work in the world: security research. I had previously used Savannah, a GNU bug tracker, to submit a bug report, so when I noticed that the underlying technology, Savane, was open source, I knew I had to put it on my list of research projects. To my surprise, I was able to discover 3 CVEs within the...
Introduction Whitebox penetration testing can be intimidating. Complex web applications may contain hundreds of thousands of lines of code and deciphering the connection between the various web components and their numerous implementations is challenging. A powerful, yet simple technique to approach the code review of such an application is to break it into manageable pieces. In this ...
Introduction Linux users often take pride in their ability to compile their own code. In spite of this, a subtle yet critical attack vector has existed for over 20 years with high potential impact when exploited. Cleverly disguised within the configure.ac file, this attack vector allows malicious actors to execute code on your system before the compilation process even begins. While the absence of known exploits may lull users into a false sense of secu...
Introduction Discovering a CVE was always an idea that enticed me, but I had no idea how to achieve it. Encountering the authentication bypass that I will explain in this article was both unexpected and deeply inspiring. In my preparation for the OSWE, I decided to practice identifying the exam vulnerabilities in real, open-source applications, which would both give me practice for ...
Introduction This article is a walkthrough that demonstrates the solution to a particular situation that computer owners may encounter when updating their system. For readers who do not fit into the scenario listed below, this is also a great article for familiarizing yourself with the practical application of the logical volume manager (LVM). Otherwise, feel free to modify your approach as works best with your scenario. Scenario: You have a hard drive with all your files on it that uses physical...
Introduction Firmware is a critical component of electronic devices. It is the program installed on embedded systems that defines their functionality. Firmware is responsible for initializing the hardware components as the computer boots up, enabling the device to function properly. Attacks against firmware have been of increasing interest to hackers because firmware is comparatively easy to exploit in a world of increasingly secure application- and network-layer security practices. Firmware...
objdump is a command line tool that can be used to gain insight into an executable binary. In this article, the tool will be used to dump all of the headers of the ELF binary heapedit with the command below. Then, we will analyze and explain each section of the output from top to bottom. objdump -x ./heapedit Executable and Linkable Format (ELF) files are a common file format for object files, executable binaries, core dumps, and shared libraries. The format provides a standardized way of sto...
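The fields at the top of objdump -x output (architecture, file type, start address, program and section header counts) all come from the fixed 64-byte ELF64 file header. The parser below, an added example that is not part of the original article, decodes that header the way objdump does. The sample header it ships with is constructed inline to look like a small x86-64 position-independent binary; it is not a real file, and running the script with a path argument parses a real binary instead.

```python
"""Parse the 64-byte ELF64 file header, the first thing objdump -x reports.

Added example, not code from the original article. The sample header below is
constructed inline to resemble a small x86-64 PIE; it is not a real binary.
"""
import struct
import sys

EI_NIDENT = 16
HEADER_FMT = "HHIQQQIHHHHHH"  # e_type .. e_shstrndx: 48 bytes after e_ident
HEADER_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
                 "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
                 "e_shentsize", "e_shnum", "e_shstrndx")
E_TYPE = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {0x03: "EM_386", 0x28: "EM_ARM", 0x3E: "EM_X86_64", 0xB7: "EM_AARCH64"}

# Constructed sample: ELFCLASS64, little-endian, ET_DYN, entry 0x1060,
# 13 program headers at offset 64, 31 section headers at 0x3a38, shstrndx 30.
SAMPLE_ELF64_HEADER = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    + struct.pack("<" + HEADER_FMT, 3, 0x3E, 1, 0x1060, 64, 0x3A38, 0,
                  64, 56, 13, 64, 31, 30)
)


def parse_elf64_header(data: bytes) -> dict:
    """Decode the ELF64 header; raise ValueError for anything that is not one."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file (bad magic or too short)")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 2:
        raise ValueError("ELFCLASS32 not handled by this parser")
    if ei_data not in (1, 2):
        raise ValueError("unknown EI_DATA value %d" % ei_data)
    endian = "<" if ei_data == 1 else ">"
    hdr = dict(zip(HEADER_FIELDS,
                   struct.unpack(endian + HEADER_FMT, data[EI_NIDENT:64])))
    hdr["endian"] = "little" if ei_data == 1 else "big"
    hdr["ei_osabi"] = data[7]
    hdr["type_name"] = E_TYPE.get(hdr["e_type"], hex(hdr["e_type"]))
    hdr["machine_name"] = E_MACHINE.get(hdr["e_machine"], hex(hdr["e_machine"]))
    # Size fields a malformed or hand-crafted header would get wrong.
    if (hdr["e_ehsize"] != 64 or hdr["e_phentsize"] not in (0, 56)
            or hdr["e_shentsize"] not in (0, 64)):
        raise ValueError("header size fields inconsistent with ELF64")
    return hdr


def describe(hdr: dict) -> list:
    """Render the header roughly as objdump -x prints it."""
    return [
        "architecture: %s (%s-endian), file type: %s"
        % (hdr["machine_name"], hdr["endian"], hdr["type_name"]),
        "start address 0x%016x" % hdr["e_entry"],
        "program headers: %d entries at offset 0x%x" % (hdr["e_phnum"], hdr["e_phoff"]),
        "section headers: %d entries at offset 0x%x (shstrtab index %d)"
        % (hdr["e_shnum"], hdr["e_shoff"], hdr["e_shstrndx"]),
    ]


if __name__ == "__main__":
    # Pass a real binary path (e.g. ./heapedit) to parse its header instead of the sample.
    raw = open(sys.argv[1], "rb").read(64) if len(sys.argv) > 1 else SAMPLE_ELF64_HEADER
    for line in describe(parse_elf64_header(raw)):
        print(line)
```

The program and section header tables that make up the rest of the objdump -x listing are found through e_phoff/e_phnum and e_shoff/e_shnum from this structure, so a parser that trusts those offsets without bounds-checking them against the file size is the first thing a fuzzed ELF will break.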
Introduction This article will explain the tools and techniques used by web application penetration testers and security researchers to successfully bypass web application firewall (WAF) protections. WAFs are a cybersecurity solution that filters and blocks malicious web traffic. Common vendors include Cloudflare, AWS, Citrix, Akamai, Radware, Microsoft Azure, and Barracuda. Depending on the combination of mechanisms used by the firewall, the bypassing methods may differ. For instance, WAFs may u...
Computer Forensics for File Recovery Introduction When a file is "deleted", its contents aren't typically erased from the storage device it was stored on. More often than not, the blocks that stored the file are marked as unallocated and the filesystem's pointers to them are removed. The implication is that the file still exists on the disk until it is overwritten. There are many methods of recovering ...
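The point about unallocated blocks is what makes file carving work: the filesystem has forgotten the file, but its bytes are still in place, so a recovery tool can ignore the filesystem entirely and look for known header and footer signatures in the raw device. The carver below is an added example, not code from the original article. Its "disk image" is a constructed byte string standing in for a dd dump of unallocated space, containing two orphaned files and one whose tail has already been reused, which is the failure mode the "until it is overwritten" caveat describes.

```python
"""Header/footer carving: recover deleted files straight from raw blocks.

Added example, not code from the original article. The "disk image" is a
constructed byte string standing in for a dd dump of unallocated space: two
orphaned files whose directory entries are gone, plus one whose tail has
already been overwritten. No filesystem metadata is consulted at all.
"""
import os

# (header magic, footer marker); the footer is kept as part of the file.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

BLOCK = 512
# Constructed payloads: minimal stand-ins, not valid image data.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"A" * 40 + b"IEND\xaeB`\x82"
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"J" * 77 + b"\xff\xd9"
DISK_IMAGE = (
    b"\x00" * BLOCK                        # block 0: zeroed, never used
    + FAKE_PNG.ljust(BLOCK, b"\x00")       # block 1: deleted PNG, still intact
    + b"\xff" * BLOCK                      # block 2: filler (0xff alone never forms a JPEG SOI)
    + FAKE_JPG.ljust(BLOCK, b"\x00")       # block 3: deleted JPEG, still intact
    + FAKE_PNG[:20].ljust(BLOCK, b"\x00")  # block 4: deleted PNG whose tail was overwritten
)


def carve(image: bytes, signatures=SIGNATURES, max_size=16 * 1024 * 1024) -> list:
    """Return [(kind, offset, data_or_None), ...] sorted by offset.

    data is None when a header has no footer within max_size: the file is
    truncated because its later blocks were reused by something else.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append((kind, pos, None))
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


def recover(image: bytes, outdir: str) -> list:
    """Write every complete carve to outdir as <offset>.<kind>; return the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for kind, offset, data in carve(image):
        if data is None:
            continue  # nothing trustworthy to write for a truncated file
        path = os.path.join(outdir, "%08x.%s" % (offset, kind))
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for kind, offset, data in carve(DISK_IMAGE):
        state = "%d bytes" % len(data) if data is not None else "truncated, footer missing"
        print("%-4s at 0x%06x: %s" % (kind, offset, state))
```

Carving by signature recovers file bodies but not names, timestamps or paths, which is why it is the fallback after metadata-based recovery (undeleting inodes or MFT records) rather than the first choice; it also cannot reassemble a fragmented file whose blocks are not contiguous, so the footer it finds may belong to a different file.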
Introduction Hey everyone, this is a pretty quick article on LUKS drive encryption on Linux with the cryptsetup library. By following the steps outlined here, you will be able to encrypt a drive, decrypt it, and mount it. This was done in a Kali Linux VM and commands may vary for other distributions. Disclaimer: This is not an area that I have much experience in so if details are inaccurate, I apologize in advance. Creating a new partition I'm using a virtual machine with 2 virtual hard dis...
Introduction Snort is an open source Intrusion Prevention System (IPS) that detects malicious network traffic by comparing network packets against a set of rules, often written by the Snort team and the community. Snort can be used as a packet sniffer, packet logger, and intrusion prevention system. In this article, I'll go over some of the first steps of installing, configuring, and running Snort so that new users have a place to branch off from. Quick Install You can install this on Ubuntu easily wit...
Introduction This article will begin with a high-level overview of the Ubuntu boot process and will continue to dig deeper into the role of SecureBoot in it when enabled. Some of the concepts I will be covering include shim, EFI variables, and MOKs. The information presented here was aggregated from the sources listed at the bottom of this article. Commands and example output will also be included to help present the topic in a more comprehensive way. Understanding the boot proc...
Data Loss Prevention What is Data Loss Prevention? Data Loss Prevention (DLP) is a strategy for preventing data exfiltration and destruction. Examples of such data include financial information, customer data, trade secrets, and other confidential information that could harm a company or its customers if exposed. Common causes of data loss include: Human error: accidental deletion of sensitive files, misconfiguring security settings, or being the victim of a social engineering attack. Insider thre...
Hi guys, I made a mistake. In my frustration trying to debug my C program, I inadvertently deleted all the files within my /usr/include folder. I didn't realize at the time that this was a very important folder! As explained here, it holds the C library's header files along with the kernel's userspace API headers! Rookie mistake, but luckily for us, there are ways to fix it. If your /usr/include folder is also looking emptier than the shelves during COVID, I come bearing the solution. Getting Kernel Headers You'll want...
Why Create a Cloud Server? As many security-conscious people are aware, saving something in the cloud really means saving it on somebody else's computer. When using cloud services, you don't own the data that you upload, nor do you own the program that you're using. Additionally, it is within the cloud service provider's rights to delete your data or remove your access to it if they have technical issues, go bankrupt, or you miss a bill. Not all of them will do that, but there is ...
DNS Cache Poisoning on Home Lab Walkthrough Overview In this article, I will be walking you through a common method of implementing DNS cache poisoning on a network. I'll illustrate my process with screenshots, commands, and explanations. You are welcome to follow along and gain hands-on experience with DNS spoofing to further reinforce the knowledge that you already have. Intended Audience This is intended for a ...
Wait, you can do that? The answer is a resounding "yes". And I'm not the only one who got my OSCP at the age of 16. Meet Mihai, Vanshal, Grant, and this person from Reddit. Admittedly, the number of us is few and far between when compared to the typical demographic of OSCP test-takers. To add to this, I'm a woman and I haven't seen any other women my age do this. Still, people have done it and it is possible. I present to you, the beautiful: https://www.credential.net/7370f6c4-31c5-498...
If you're anything like me, you discovered Impacket, either through a course, Ippsec, or your own research, and you look at the scripts. Your grin turns into horror as you realize the sheer number of scripts that end with "exec". They all give you remote access, but when do you use which one!? Don't worry, I have your back. Let's break them down. PsExec PsExec works by writ...
If your VPN log looks something like this: I'm here to help. During my time working through the PEN-200 labs, I've faced the constant struggle of losing connection to the host every few seconds to minutes. I tried to troubleshoot this "Inactivity Timeout" error with an Offsec employee for 3 hours to no avail. Finally, I figured out the solution and I am here to share it with those of you who have the same struggle. Cause of This Error In a successful OpenVPN connection, the VPN serve...
The PEN-200 is the prerequisite course for the OSCP exam. As such, writeups for its labs are incredibly difficult to find. As someone who has relied heavily on the accessibility of HTB walkthroughs, I'd never been in an environment where I wasn't one Google search away from figuring out the next step in solving a box. Needless to say, 0xdf couldn't help me much with the PEN-200 labs. The PEN-200 labs were a struggle not because I was incompetent, but because I didn't have enough ...
An 18-year-old hacker gained admin access to Uber on September 15, 2022. These are the steps that the hacker took: The hacker obtained an Uber employee's phone number. He directed the employee to a phishing site that looked like an Uber login page. The employee logged in and the hacker gained his credentials. The hacker tried to get around the MFA by doing a Multi-Factor Authentication Fatigue attack. This attack consists of spamming MFA requests to the employee until he gets annoyed enough...
Introduction This article contains information that I have gathered as I've done research on incident response. This aims to be actionable for red teamers to know what to look out for and for blue teamers to aid in the creation of an effective incident response plan. Key Roles The CISO ensures cyberattacks are promptly investigated, coordinates incident response efforts during a cyberattack, investigates which data may have been stolen, and contains and secures compromised systems to pr...
Foreword To avoid detection, it is best to use tools that are native to the victim's computer. FTP with Windows Host While you have a shell on the Windows machine, start an FTP server on your host machine. Follow these steps if you don't already have an FTP server installed:
sudo apt-get install vsftpd
sudo service vsftpd start
service vsftpd status  # status should be active
To check that your server is working, type ftp localhost. If you see the message "Connected to localhost", your FTP se...
How Does Antivirus Software Actually Work? Antivirus software acts as a defense against trojans, viruses, ransomware, spyware, adware, and much more. There are 3 main ways that it detects malware: signature-based detection, heuristic-based detection, and anomaly-based detection. Signature-Based Detection The scanner will search for specific strings in a program and check for them in a database of known viruses. The strings are often the payload of the malicious code. If the signatures match, th...
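Signature-based detection is simple enough to show end to end. The scanner below is an added example, not the original article's code: it compiles a small "virus database" of hex patterns (with "??" as a one-byte wildcard, the convention ClamAV and YARA use) into byte regexes and reports every match with its offset. The signature names, the patterns and the three scanned samples are all constructed for illustration and correspond to no real malware family; the third sample shows why a byte-exact signature stops matching as soon as the payload is trivially encoded.

```python
"""Signature-based detection: match byte patterns from a 'virus database'.

Added example, not the original article's code. The signature names, the
hex patterns and the scanned samples are all constructed for illustration
and correspond to no real malware family.
"""
import re

# Hex signatures; "??" is a one-byte wildcard, as in ClamAV/YARA hex strings.
SIGNATURE_DB = {
    "Example.Dropper.A": "4d5a 9000 ?? ?? 50 41 59 4c 4f 41 44",      # "MZ\x90\x00" ?? ?? "PAYLOAD"
    "Example.Macro.B":   "41 75 74 6f 4f 70 65 6e ?? 53 68 65 6c 6c",  # "AutoOpen" ?? "Shell"
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Translate a wildcarded hex signature into a bytes regex."""
    tokens = hex_pattern.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("odd-length hex signature: %r" % hex_pattern)
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: wildcard must match 0x0a too


COMPILED_DB = {name: compile_signature(pat) for name, pat in SIGNATURE_DB.items()}


def scan(data: bytes, db=COMPILED_DB) -> list:
    """Return [(signature_name, offset), ...] for every signature found in data."""
    hits = [(name, m.start()) for name, pattern in db.items()
            for m in pattern.finditer(data)]
    return sorted(hits, key=lambda hit: hit[1])


# Constructed samples (not real files).
CLEAN_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00 hello world " + b"\x00" * 32
INFECTED_SAMPLE = (b"MZ\x90\x00\x03\x00PAYLOAD" + b"\x00" * 16
                   + b"AutoOpen\nShell " + b"\x90" * 8)
# The same dropper with its marker string XOR-encoded by one byte: the exact
# signature no longer matches, which is why signature-only scanners are
# trivially evaded and vendors layer heuristic and behavioural checks on top.
EVASIVE_SAMPLE = b"MZ\x90\x00\x03\x00" + bytes(b ^ 0x20 for b in b"PAYLOAD") + b"\x00" * 16

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE),
                          ("evasive", EVASIVE_SAMPLE)):
        print(label, scan(sample) or "no signature matched")
```

Real engines apply the same idea at scale (millions of patterns, hash lookups for whole files, and unpacking or emulation before matching), but the limitation visible in the evasive sample is structural: a signature describes one exact byte sequence, so any change to those bytes defeats it, which is what drives the heuristic and anomaly-based layers described next.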
When first learning Kerberos, it can feel like you're being chased by the three-headed dog. Not to fear, however, because today I'll be giving a high-level overview of Kerberos authentication. Kerberos was designed to provide secure authentication to services over a potentially insecure network. It is used by many organizations to implement single sign-on (SSO). Kerberos Terminology In order to understand the step-by-step explanation, it is important to have a basic understanding of t...
Introduction Hey everyone! This is a write-up of how I was able to pwn the Mustacchio machine. I hope you enjoy! Notes: This was done on a Kali Linux machine so the commands might be slightly different if you are on Windows Enumeration To begin, I scanned for open ports using RustScan. RustScan, for those who have never heard of it, is a very fast port scanner that hands the open ports it finds to Nmap for service detection. You can use Nmap on its own if you prefer. My results were as follows:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-...
Author's note: This article was initially published on Synack's README. They have great content and I recommend that you browse their articles if you are interested in cybersecurity. Editor's note: This post from Ally Petitt describes her journey towards earning the vaunted OSCP at 16 and being an active part of the Synack Red Team at 17. Check out Ally's blog for more of her write-ups on vulnerabilities she's discovered, hacking techniques and more.