Research & Tutorials | OffSec

Blog

Research & Tutorials

OffSec experts share cutting-edge vulnerability research, tool reviews, tutorials, virtual lab and content walkthroughs.
MACOS LOCAL PRIVILEGE ESCALATION VIA CFPREFSD
Research & Tutorials

May 6, 2021

6 min read

CVE-2021-1815 – macOS local privilege escalation via Preferences

Apple fixed three vulnerabilities in macOS 11.3’s Preferences. Here we present our writeup about how we identified one of the issues, and how we exploited it.

Read more
Intel CET In Action

Research & Tutorials

Intel CET In Action

In this article, we’ll examine how effective CET is at mitigating real-world exploits that make use of ROP or stack based buffer overflow vulnerabilities.

Apr 29, 2021

9 min read
MS-teams-privilege-escalation

Research & Tutorials

Microsoft Teams for macOS Local Privilege Escalation

Security researchers at Offensive Security discovered a vulnerability in the XPC service of Microsoft Teams. Here’s how it works and how to secure it.

Nov 17, 2020

13 min read
TJNULL’S GUIDE TO BUILDING A HOME LAB

Research & Tutorials

How to Build a Cybersecurity Homelab

Build your own home lab with this extensive guide from TJnull. He covers the why and how, offers points of consideration, and shares his top resources.

Sep 23, 2020

19 min read
AMFI Syscall

Research & Tutorials

AMFI syscall

Csaba Fitzl covers the `dyld` restriction decision process in macOS and a previously undiscussed or undocumented AMFI (AppleMobileFileIntegrity) system call.

Jun 9, 2020

10 min read
DEBUGGING MACOS KERNEL

Research & Tutorials

macOS Kernel Debugging with SIP

As security researchers, we often find ourselves needing to look deep into various kernels to fully understand our target and accomplish our goals. Doing so on the Windows platform is no mystery, as there have been countless well-written posts about kernel debugging setups. For macOS, however, the situation is slightly different. There are many great

May 12, 2020

9 min read
analyzing-a-creative-attack-chain

Research & Tutorials

Analyzing a Creative Attack Chain Used to Compromise a Web Application

In this piece, we’ll analyze a creative scenario where a malicious actor can use an attack chain to exploit a web application via Simple Network Management Protocol (SNMP) > Cross-site scripting (XSS) > Remote Code Execution (RCE).

Sep 3, 2019

5 min read
Yahoo XSS 0-Day

Research & Tutorials

Yahoo DOM XSS 0day – Not fixed yet!

After discussing the recent Yahoo DOM XSS 0day with Shahin from Abysssec.com, it was discovered that Yahoo’s fix set in place on 6:20 PM EST, Jan 7th, 2013 is not effective as one would hope.

Jan 8, 2013

2 min read
Onity Door Unlocker Round Two

Research & Tutorials

Onity Door Unlocker, Round Two.

On one of our engagements, we figured an Onity Hotel door unlocker would be useful to us. Inspired by the “James Bond” type setup we saw on the Spiderlabs blog post, we thought we’de try to build a small, simple and “TSA friendly” version of the Onity key unlocker.

Oct 23, 2012

2 min read
Stand-Alone EM4x RFID Harvester

Research & Tutorials

Stand-Alone EM4x RFID Harvester

Continuing off from our last RFID Cloning with Proxmark3 post, we wanted to build a small, portable, stand-alone EM4x RFID tag stealer. We needed an easy way of storing multiple tag IDs whilst “rubbing elbows” with company personnel. The proxmark3 seemed liked an overkill and not particularly fast at reading em4x tags so we figured we’d try hooking up our RoboticsConnection RFID reader to a Teensy and see if we could make them play nicely together.

Sep 27, 2012

2 min read
Cloning RFID Tags with Proxmark 3

Research & Tutorials

RFID Cloning with Proxmark 3

Our Proxmark 3 (and antennae) finally arrived, and we thought we’d take it for a spin. It’s a great little device for physical pentests, allowing us to capture, replay and clone certain RFID tags.

Sep 24, 2012

5 min read
FreePBX Exploit Phone Home

Research & Tutorials

FreePBX Exploit Phone Home

During a routine scan of new vulnerability reports for the Exploit Database, we came across a single post in full disclosure by Martin Tschirsich, about a Remote Code Execution vulnerability in FreePBX. This vulnerability sounded intriguing, and as usual, required verification in the EDB. At first glance, the vulnerability didn’t jump out at us, especially as we are not familiar with the inner workings of asterisk. After a couple of emails back and forth with Martin, the path to code execution became clearer:

Mar 23, 2012

3 min read
The Art of Human Hacking

Research & Tutorials

The Art of Human Hacking

It’s hard to believe that the social-engineer.org project began 14 months ago. This project started from a simple idea ­ to build the world’s first framework for social engineers. In these 14 months, this project has grown into the leading resource for all real social engineering education. The CTF that we held at Defcon 18 proved beyond doubt that this resource was greatly required.

Dec 19, 2010

2 min read

Showing 27 - 39 of 41 entries