CVSS 8.8 (HIGH), no privileges required, automatable and, according to the CISA ADP, Technical Impact: total. CVE-2026-42608 in Grav CMS is a path traversal via the FormFlash component, where a single POST parameter, __form-flash-id, turns any page that has a form into an entry point. An unauthenticated attacker...
Environment requirements for a wireless pentest
Before you go on site, you need a kit for three protocols: Wi-Fi (802.11), Bluetooth Low Energy (BLE) and ZigBee (802.15.4).
Hardware:
• Wi-Fi adapter with monitor mode and packet injection support - Alfa AWUS036ACH (2.4/5 GHz) or...
Key terms: what you need to understand before the first command
Before dissecting specific attacks on network protocols in a pentest, let's deal with the concepts. Without them, the commands that follow turn into a jumble of letters.
Community string in the SNMP protocol - essentially a password for...
Web challenge methodology in CTF
Before you get into specific vulnerabilities, you need a system. Without one, you will spend an hour brute-forcing directories when the answer is sitting in an HTML comment. Here is my order of operations for any web challenge:
The first 60 seconds - open the site in...
How an AiTM attack works at the level of an HTTP session
Before you get into the tools, you need to understand what happens at the protocol level. AiTM is not a cloned page or a screenshot of the login form. It is a full reverse proxy that sits between the victim and the real service and terminates the TLS connection on both...
An allowlist of five commands, the function validateCommandInjection() and the check validateArgsForLocalFileAccess() - three layers of protection between user input and a subprocess in Flowise. A payload built on npx -c walked through all three. Next on the timeline - AVideo with two eval() sinks on the client...
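The failure mode behind that teaser is generic: allowlisting a binary that is itself a launcher. The following is an added example, not Flowise code; the three checks are hypothetical stand-ins of the shape the paragraph describes (binary allowlist, metacharacter check, local-file check), and the allowlist contents, regexes and function names are assumptions. It shows how `npx -c <string>` passes every layer while handing the string to a shell, and a hardened variant that allowlists command shapes instead of binaries.

```javascript
// Added example (not Flowise code): a hypothetical three-layer command validator
// and the launcher-flag bypass that gets past all three. Names, allowlist contents
// and regexes are assumptions made for illustration.
const ALLOWED_BINARIES = new Set(['node', 'npm', 'npx', 'git', 'ls']); // assumed allowlist

// Stand-in for an "injection" check: block shell chaining / subshell characters.
const SHELL_META = /[;&|`$<>\n\\]/;

function checkBinaryAllowlisted(line) {
  const [bin] = line.trim().split(/\s+/);
  return ALLOWED_BINARIES.has(bin)
    ? { ok: true }
    : { ok: false, reason: `binary "${bin}" not allowlisted` };
}

function checkNoShellMeta(line) {
  return SHELL_META.test(line)
    ? { ok: false, reason: 'shell metacharacter in command line' }
    : { ok: true };
}

// Stand-in for a local-file-access check: reject absolute or traversing paths.
function checkArgsNoLocalFile(line) {
  const args = line.trim().split(/\s+/).slice(1);
  const bad = args.find((a) => a.startsWith('/') || a.includes('..'));
  return bad ? { ok: false, reason: `path-like argument ${bad}` } : { ok: true };
}

// The naive pipeline: all three layers look at the outer command line only.
// "npx -c whoami" passes: npx is allowlisted, there are no metacharacters and no
// path-like arguments, yet npx -c runs its argument in a shell with any binary on
// PATH, so the binary allowlist no longer constrains what actually executes.
function naiveValidate(line) {
  for (const check of [checkBinaryAllowlisted, checkNoShellMeta, checkArgsNoLocalFile]) {
    const r = check(line);
    if (!r.ok) return r;
  }
  return { ok: true };
}

// Hardened version: allowlist command shapes, never bare binaries. Launchers and
// interpreters (npx, node, npm exec, sh) are absent from the table, every entry
// pins its subcommand, and flags are refused so no argument can turn into code.
// A Map is used instead of a plain object so keys like "__proto__" cannot resolve
// to something truthy through the prototype chain.
const ALLOWED_SHAPES = new Map([
  ['git', { subcommands: new Set(['status', 'log', 'diff']), bare: false }],
  ['ls', { subcommands: new Set(), bare: true }],
]);

function shapeValidate(line) {
  const [bin, sub, ...rest] = line.trim().split(/\s+/);
  const shape = ALLOWED_SHAPES.get(bin);
  if (!shape) return { ok: false, reason: `binary "${bin}" has no allowed shape` };
  if (sub === undefined) {
    return shape.bare ? { ok: true, argv: [bin] } : { ok: false, reason: 'subcommand required' };
  }
  if (sub.startsWith('-') || !shape.subcommands.has(sub)) {
    return { ok: false, reason: `subcommand "${sub}" not allowed` };
  }
  if (rest.some((a) => a.startsWith('-') || a.startsWith('/') || a.includes('..'))) {
    return { ok: false, reason: 'flags and path-like arguments not allowed' };
  }
  // Return an argv array: the caller must use execFile(bin, args), never a shell string.
  return { ok: true, argv: [bin, sub, ...rest] };
}
```

The design point is that the validated object has to be the argv the subprocess actually receives, built from a table of permitted shapes and passed to `execFile` without a shell; any layer that only inspects a free-form command line can be walked around by a launcher flag the layer does not know about.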
Fuzzing's place in the attack chain
Fuzzing is a reconnaissance and resource-development tool in MITRE ATT&CK terms. Vulnerability Scanning (T1595.002, Reconnaissance) - automated search for weaknesses in publicly available applications. A bug found by the fuzzer turns into an exploit - Exploits...
T1078.004 Cloud Accounts - its place in the kill chain and why the SOC misses it
T1078.004 (Cloud Accounts) in MITRE ATT&CK spans four tactics at once: Initial Access, Persistence, Privilege Escalation and Defense Evasion. An unusual situation - one technique covers several stages for the attacker at the same time...
Setting up the environment
Before you open the first file - hardware and isolation. A mistake at this stage costs you a compromised workstation.
Hardware requirements:
Software stack - two VMs:
• Windows (FlareVM, a Mandiant project, actively maintained on GitHub: IDA Pro...
Generative neural networks are a useful thing, until the people who want to scam you get hold of them. Fraudsters quickly realized that an LLM (large language model) is an excellent tool for plausible, personalized phishing, careful forgery of emails for a specific company, and bypassing...
Chronology: from CVE-2026-21510 to the zero-click vector CVE-2026-32202
To dissect CVE-2026-32202, you have to unwind the chain from January 2026 - that is when APT28 began using a pair of vulnerabilities together in its campaign against Ukraine and EU countries.
January 2026. According...
38 minutes from the first SNMP query to the domain admin password. An internal pentest of a logistics company - Nmap showed port 161/udp with the default community string, and SNMP happily handed over hostnames, interfaces and running services. Two SMB shares with anonymous access, a file...
In January 2024, the hacktivist group CARR (Cyber Army of Russia Reborn), which Mandiant in April 2024 linked to APT44/Sandworm, broke into the water control systems in Muleshoe, Texas - less than 40 miles from Cannon Air Force Base, where the command of the US Air Force Special...
On our second-to-last project for a fintech, we were given read-only IAM keys "for auditing". Four hours later - full access to the production bucket with personal data. The chain: iam:PassRole on the forgotten ti-role, a Lambda function with an execution role, reading Secrets Manager, and from there credentials for...
On a pentest of a fintech company, I found an S3 bucket with DB backups in three minutes - aws s3 ls s3://company-prod-backups --no-sign-request. Inside were SQL dumps with PII for hundreds of thousands of customers, API keys to the payment gateway and .env files with credentials for an RDS instance. The...
Prototype pollution rarely looks like a loud vulnerability. Usually it all starts with a piece of code that nobody considers dangerous: an object-merge function, parsing of parameters into a settings structure, a generic deep-copy helper, an empty config object that then goes...
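Concretely, the "harmless" merge helper is the whole story. The block below is an added example, not code from the original post: a recursive deep merge of the kind described, the constructed JSON input that makes it write to Object.prototype, and a hardened merge beside it. The payloads and config keys are constructed for illustration.

```javascript
// Added example, not code from the original post: a deep-merge helper of the
// kind the paragraph describes, the pollution it enables, and a hardened version.

// Vulnerable: recursive merge that trusts every key of attacker-controlled input.
// JSON.parse('{"__proto__": {...}}') yields an OWN property named "__proto__", so
// the loop reads target.__proto__ (that is, Object.prototype) and writes into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: only own keys are walked, the three prototype-reaching names are
// skipped, and a nested target is created fresh unless it already exists as an
// own object on the target (so an inherited object is never descended into).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (typeof existing !== 'object' || existing === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body merged into a settings object.
const POLLUTION_PAYLOAD = '{"__proto__": {"isAdmin": true}, "ui": {"theme": "dark"}}';
// Second route to the same place: obj.constructor.prototype === Object.prototype.
const CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"isAdmin": true}}}';

// Runs the vulnerable merge and reports whether an unrelated object gained "isAdmin".
function demoPollution() {
  const before = ({}).isAdmin;                  // undefined on a clean runtime
  unsafeMerge({ ui: { theme: 'light' } }, JSON.parse(POLLUTION_PAYLOAD));
  const after = ({}).isAdmin;                   // true: every object now looks like an admin
  delete Object.prototype.isAdmin;              // undo so the rest of the file is unaffected
  return { before, after };
}

// Runs the hardened merge against both payloads: no pollution, legitimate keys merged.
function demoHardened() {
  const cfg = safeMerge({ ui: { theme: 'light', fontSize: 12 } }, JSON.parse(POLLUTION_PAYLOAD));
  safeMerge({}, JSON.parse(CONSTRUCTOR_PAYLOAD));
  return {
    polluted: ({}).isAdmin === true,
    theme: cfg.ui.theme,
    fontSize: cfg.ui.fontSize,
    protoKeyCopied: Object.prototype.hasOwnProperty.call(cfg, '__proto__'),
  };
}
```

Two details matter in the hardened version: `Object.keys` plus the forbidden-name set stops both the `__proto__` and the `constructor.prototype` route, and the own-property check before recursing means the merge never descends into an object the target merely inherits. An additional defence at the application level is to build config and settings objects with `Object.create(null)` so they have no prototype to reach at all.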
The beginning of 2026 threw up two CVEs worth dissecting on a lab stand. CVE-2026-39337 - pre-auth RCE via PHP injection in ChurchCRM, CVSS 10.0 out of 10.0. No login, no password, no user interaction - just send an HTTP request and get a shell. CVE-2026-27681 - SQL...
Here I will break down all three types of XSS in web applications, not by retelling the OWASP wiki (there is no point rewriting it for the hundredth time), but through analysis of specific HTTP requests, server responses and DOM behavior. I will show how the search for XSS vulnerabilities on a...
Anatomy of CVE-2026-0300: out-of-bounds write in the User-ID Authentication Portal
CVE-2026-0300 - a buffer overflow of type CWE-787 (Out-of-bounds Write) in the User-ID Service Authentication Portal (Captive Portal) of the PAN-OS operating system. According to NVD, the vulnerability allows an unauthenticated...
Three weeks ago, on an internal pentest of a bank's infrastructure, we got Domain Admin in 47 minutes. The chain is banal to the extreme: Responder in the user VLAN, the NTLMv2 hash of a service account via LLMNR poisoning (T1557.001), hashcat, lateral movement via CrackMapExec with a password shared across the...