Cybersecurity information flow

A clean information-flow push tool, leaning toward the bits and pieces of the security community, surfacing quality content for security researchers every day.


Recent updates
Time            Node
2024-05-06 12:13 freebuf
In most cases, attackers exploit trust relationships: by compromising a third-party external vendor or contractor, they execute commands in connected virtual machines or hybrid environments.
2024-05-06 11:53 Github watch
2024-05-06 11:53 Github watch
NextTrace, an open source visual route tracking CLI tool
2024-05-06 11:53 Github watch
An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDA…
2024-05-06 11:53 freebuf
In 2023, 35% of all organizations observed by Bitsight dealt with a KEV, and the vast majority of those had more than one KEV.
2024-05-06 11:53 freebuf
2024-05-06 11:53 Xianzhi Community
2024-05-06 11:33 Xianzhi Community
2024-05-06 11:33 Xianzhi Community
2024-05-06 11:13 Github watch
AttacKG: Constructing Knowledge-enhanced Attack Graphs from Cyber Threat Intelligence Reports
2024-05-06 11:13 Xianzhi Community
2024-05-06 11:13 Xianzhi Community
2024-05-06 10:53 Xianzhi Community
2024-05-06 10:13 Butian Community
Analysis of the Yonyou NC runStateServlet injection vulnerability
2024-05-06 10:13 freebuf
Many problems came up during actual reproduction; the key is to exploit the difference in how the front-end and back-end servers handle the packets.
2024-05-06 09:53 Github watch
Burp helper for manual fastjson detection
2024-05-06 09:53 Xianzhi Community
2024-05-06 09:53 Xianzhi Community
2024-05-06 09:53 Xianzhi Community
2024-05-06 09:53 Xianzhi Community
2024-05-06 09:33 Xianzhi Community
2024-05-06 09:23 starlabs
Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub’s bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.
2024-05-06 09:22 SkullSecurity
This is a write-up for turing-complete, turing-incomplete, and turing-incomplete64 from the BSides San Francisco 2024 CTF!
turing-complete is a 101-level reversing challenge, and turing-incomplete is a much more difficult exploitation challenge with a very similar structure. turing-incomplete64 is a 64-bit version of turing-incomplete, which isn’t necessarily harder, but is different.
Let’s look at the levels!
turing-complete
My ideas doc said “Turing Machine?” from a long time ago. I don’t really remember what I was thinking, but what I decided was to make a simple reversing challenge with a finite tape and 4 operations - go left, go right, read, and write. All commands and responses are binary (1s and 0s), which is hinted at by the instructions being a series of binary bits.
The actual main loop, in C, is quite simple:
uint8_t tape[128];
// ...write the flag to the tape...
for(;;) {
  uint8_t a = r();
  if(a == 2) break;
  uint8_t b = r();
  if(b == 2) break;
  if(a == 0 && b == 0) {
    ptr++;
  } else if(a == 0 && b == 1
2024-05-06 09:21 SkullSecurity
Slay the Spider is a Minesweeper-like game where the user and computer try to uncover a spider. The challenge name and trappings are based on Slay the Spire, which is one of my favourite games.
When you start the game, there are several different enemy AI options:
1: The Angry One - Plays at Random
2: Cheater Mc Cheaterly - Knows the best places to play
3: Smartypants - Uses magical super AI for the best chance of winning
4: Captain Fastidious - Is sure that playing left to right is best
Those are loosely based on the classes from Slay the Spire.
The third - Smartypants - is the key. It chooses the target square based on a silly algorithm:
case AI_SMART:
  // Picks the average of the human move and the last computer move
  move.row = (human_move.row + last_computer_move.row) / 2;
  move.col = (human_move.col + last_computer_move.col) / 2;
The problem is that the human_move.row and human_move.col are set even when the move is invalid:
static move_t do_human_turn(game_t *game) {
  move_t move;
  printf("It's your (human) 
2024-05-06 09:20 SkullSecurity
This is a write-up for Safer Streets. I apparently wrote this in more “note to self” style, not blog style, so enjoy!
First, browse the application. You should be able to create an error:
$ curl 'http://localhost:8080/display?name=test'
Error in script /app/server.rb: No such file or directory @ rb_sysopen - /app/data/test
Note that it has an image/jpeg content-type, so it might confuse the browser.
That issue grants access to two primitives:
a) Read any file via path traversal
b) The full path to the server
For example:
$ curl -s 'http://localhost:8080/display?name=../server.rb' | head -n20
require 'json'
require 'sinatra'
require 'pp'
require 'singlogger'
require 'open3'

::SingLogger.set_level_from_string(level: ENV['log_level'] || 'debug')
LOGGER = ::SingLogger.instance()

# Ideally, we set all these in the Dockerfile
set :bind, ENV['HOST'] || '0.0.0.0'
set :port, ENV['PORT'] || '8080'
SAFER_STREETS_PATH = ENV['SAFER_STREETS'] || '/app/safer-streets'
SCRIPT = File.expand_path(__FILE__)

LOGGER.info("Checking for
2024-05-06 09:19 SkullSecurity
No Tools is a fairly simple terminal challenge, something for new players to chew on.
I suspect there are several different ways to solve it, but the basic idea is to read a file using only built-in functions from sh.
I personally solved it with the read built-in:
$ read FLAG < /home/ctf/flag.txt && echo $FLAG
CTF{where-are-my-tools}
Another solution that my co-organizer developed used exec:
$ exec < /home/ctf/flag.txt
$ /bin/sh: 2: CTF{where-are-my-tools}: not found
2024-05-06 09:19 SkullSecurity
The premise of the three challenges cant-give-in, cant-give-in-secure, and cant-give-in-securer are to learn how to exploit and debug compiled code that’s loaded as a CGI module. You might think that’s unlikely, but a surprising number of enterprise applications (usually hardware stuff - firewalls, network “security” appliances, stuff like that) is powered by CGI scripts. You never know!
This challenge was inspired by one of my co-workers at GreyNoise asking how to debug a CGI script. I thought it’d be cool to make a multi-challenge series in case others didn’t know!
This write-up is intended to be fairly detailed, to help new players understand their first stack overflow!
Part 1: cant-give-in
The vulnerability
First, let’s look at the vuln! All three challenges have pretty similar vulnerabilities, but here’s what the first looks like:
char *strlength = getenv("CONTENT_LENGTH");
if(!strlength) {
  printf("ERROR: Please send data!");
  exit(0);
}
int length = atoi(strlength);
read(fileno(stdin), data, length);
if(
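The snippet above trusts CONTENT_LENGTH: atoi() happily returns a negative or oversized number, and read() then takes that as the byte count for a fixed buffer. The following is an added example (not code from the SkullSecurity post or the challenge) showing the validation a CGI handler needs before that read: a strict parser for the header and a bounded, short-read-aware reader. The buffer size DATA_MAX and the function names are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed buffer size for this example; the challenge's real size is not shown. */
#define DATA_MAX 1024

/* Parse CONTENT_LENGTH strictly: digits only (no sign, no leading space,
 * no trailing junk), no overflow, and at most `max`.
 * Returns the length, or -1 on any rejection. */
long parse_content_length(const char *s, long max) {
    if (s == NULL || *s == '\0') return -1;
    /* strtol would accept leading whitespace and a '+'/'-' sign; atoi would
     * turn "-1" into a huge size_t at the read() call, so reject them here. */
    if (*s < '0' || *s > '9') return -1;
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE) return -1;   /* did not fit in a long */
    if (*end != '\0') return -1;      /* "12abc", "12 " */
    if (v < 0 || v > max) return -1;  /* larger than the buffer can hold */
    return v;
}

/* Read up to `want` bytes from fd into buf (caller guarantees buf has room).
 * read() may return short counts, so loop; stop at EOF.
 * Returns bytes actually read (may be fewer than `want`), or -1 on error. */
ssize_t read_exact(int fd, unsigned char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0) break;            /* client closed before sending the promised length */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Hardened version of the handler: validate the header against the buffer,
 * then read at most that many bytes and NUL-terminate. The caller must use
 * the returned count, not the header value, as the body length.
 * Returns bytes read, or -1 if the header is missing or invalid. */
ssize_t handle_post_body(int fd, const char *content_length,
                         unsigned char *data, size_t data_size) {
    long len = parse_content_length(content_length, (long)data_size - 1);
    if (len < 0) return -1;
    ssize_t n = read_exact(fd, data, (size_t)len);
    if (n < 0) return -1;
    data[n] = '\0';
    return n;
}

int main(void) {
    unsigned char data[DATA_MAX];
    ssize_t n = handle_post_body(STDIN_FILENO, getenv("CONTENT_LENGTH"),
                                 data, sizeof data);
    printf("Content-Type: text/plain\r\n\r\n");
    if (n < 0) {
        printf("ERROR: missing or invalid CONTENT_LENGTH\n");
        return 0;
    }
    printf("read %zd bytes\n", n);
    return 0;
}
```

Run it as a CGI (or with `CONTENT_LENGTH=5 ./a.out < body`) and compare "-1", "99999999999", "12abc", and a value larger than DATA_MAX against the original snippet: each one is refused before read() is ever called.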
2024-05-06 09:14 Blog on STAR Labs
2024-05-06 09:13 Butian Community
Using yakit's hot-reload magic methods to implement CAPTCHA recognition in the webfuzzer feature.
2024-05-06 09:13 Github watch
PPPwn - PlayStation 4 PPPoE RCE