@darkpills cybersecurity blog

Sharing knowledge and experiments on cyber security topics.

Hunting for gadget chains in Symfony 1 (CVE-2024-28859 - CVE-2024-28861)

During a recent engagement, I came accross a Symfony 1 application which contained several deserialization from untrusted user inputs. However, there was no public gadget chains available for Symfony 1, only for Symfony 2 and onwards. So I decided to look for gadgets for the version of the audited application. I finally expanded the work to all versions of Symfony 1 as a challenge, from 1. Read more →

BreizhCTF 2024 - Mobile OwnApp and Web Popup Creator Write-ups

BreizhCTF is the largest physical CTF in France and gathered 600 participants the 17th may 2024. This post is the write-up of 3 excellent challenges written by Worty: 2 mobile challs on “OwnApp” and 1 web on Popup Creator. I’d like to thank all BreizhCTF team for the great work they are doing each year so that this event is a success: BDI, Kaluche, Saax, Icodia, and all the challs creators from ESNA! Read more →

Breaking Java Random PRNG: UYBHYS 2022 challenge Writeup

A little challenge was introduced on twitter to win a ticket to Unlock Your Brain 2022 conference. This article is a write-up of the solution and explores the implementation of Java Random PRNG. Disclaimer: I am not a cryptographic expert, just a security enthousiast. The conference The conference Unlock Your Brain Harden Your System aka “Unlock” or #UYBHYS is organized since 2015 by the Cantine numérique Brest and DIATEAM in Brest (France). Read more →

Wordpress Tatsu builder preauth RCE (CVE-2021-25094)

An unrestricted file upload in Wordpress Tatsubuilder plugin version <= 3.3.11 enables an unauthenticated attacker to perform a remote code execution (RCE) on the server host due to multiple weaknesses in font import feature and put 100,000 websites at risk. The add_custom_font action can be used by anonymous users to upload a rogue zip file which is uncompressed under the public wordpress upload directory. Read more →

PHP unserialize write-up with Admin RCE in All in one SEO pack (CVE-2021-24307)

This article provides a detailed walkthrough and tips on how to exploit PHP unserialize vulnerability. It is based on a real world case: Wordpress plugin All in one SEO pack <= 4.1.0.1. It enables authenticated users with “aioseo_tools_settings” privilege (most of the time admin) to execute arbitrary code on the underlying host. Read more →

Vincent MICHEL (@darkpills)

I work as a pentester in a cyber security company. This blog aims at sharing my thoughts and experiments on different topics if it can help otheres: web and internal penetration tests, vulnerability research, write-ups, exploit development, security best practices, tooling, and so on... I previously worked as a senior software developer and switched to this wonderfull land of security :)