During a DFIR (Digital Forensics and Incident Response) Case, we encountered an ESXi Hypervisor that was encrypted by the Ransomware LockBit 2.0. Suspicious SSH logons on the Hypervisor originated from an End-of-Life VPN Appliance (SonicWall SRA 4600). It turns out, this was the initial entry point for the Ransomware attack. Follow us into the forensics […]
Compass Security Blog
Offensive Defense
ArcGIS [1] is a family of software providing geographic information system services. While testing a customer’s ArcGIS architecture we came across a SAML login flow. In this blogpost we show how we found and exploited an AES-CBC padding oracle in this flow.
A write-up of the OWASP Toronto January talk which mainly focused on the correlation and integration of results generated by automated tools in application security such as SAST, DAST and SCA. Alexandre Larocque concludes whether old-fashioned PDF reports are still worth it.
Black box analysis of a not so smart card in ID-1 form factor that is in use for the billing of washing machines and tumble driers.
As every year, some Compass Security Analysts travelled to Geneva and attended the Insomni’hack conference and it’s enjoyable CTF.
For this task, we had SSH access to the server guess.insomni.hack and the task was to read the flag in the /home/flag directory. We were able to get the flag without even solving the challenge :)
Similar to the previous challenge we were provided with an Excel spreadsheet (vba02-bitminer_4052500b4f2120d3d3ae458b339ec1f16e89e870.xls) that again contained macro code that would be executed when opening the document.
In this challenge we were provided with an Excel spreadsheet (vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls). Analyzing the document using olevba (https://github.com/decalage2/oletools/wiki/olevba) quickly revealed that it contains obfuscated VBA macro code that is executed when the document is opened. Challenge Description Our Solution
The vbaby challenge was a simple ASP web application that accepted a single page parameter. We initially thought that it could be a local file inclusion vulnerability and therefore tried a path traversal attack:
This challenge was about LDAP injection.
© 2023 Compass Security Blog