Erik Wynter

@wyntererik

Making computers go boop instead of beep. Metasploit Contributor. Once-upon-a-time political scientist. No gods, no masters, no borders. 🏴 He/Him/They/Them

38 Followers, 93 Following, 27 Posts. Joined 03.07.2023

Latest posts by Erik Wynter @wyntererik

Screenshot of TIOBE index ranking for Fortran, reading:
This Month: 10
This Month Last Year: 12
Change: ^
Programming Language: Fortran
Ratings: 1.79%
Change: +0.72%

Brb, need to update my resume. Changing "wrote Fortran exploit for the lulz" to "crafted totally serious exploit in the 10th most popular programming language in the world". Sauce: www.tiobe.com/tiobe-index/

19.12.2024 21:21 👍 3 🔁 1 💬 0 📌 0
Metasploit Weekly Wrap-Up 11/22/2024 | Rapid7 Blog

Roses are red, the sky is blue —
This week's #Metasploit wrap-up has Windows secrets dump improvements (and a JetBrains TeamCity login scanner, too!)

We're bad at poetry but good at shells. Check out the latest. www.rapid7.com/blog/post/20...

22.11.2024 21:01 👍 11 🔁 7 💬 0 📌 0
Screenshot of upcoming disclosure from ZDI with the below text:

ZDI CAN: ZDI-CAN-22675
VENDOR(S): SonicWALL
SEVERITY:	CVSS: 7.1
REPORTED: 2024-03-27 (0 days ago)
DEADLINE: 2024-07-25
	
Discovered by: Erik Wynter

So I did a thing...

27.03.2024 20:27 👍 3 🔁 1 💬 0 📌 0

I think I speak for everyone when I say that the world will be a better place if the Teams outage is never fixed.

26.01.2024 18:48 👍 1 🔁 0 💬 0 📌 0

Purging Teams from my phone has been by far the best mental health decision I've made in years. 10/10 would delete again.

19.01.2024 23:18 👍 1 🔁 0 💬 0 📌 0

- Have you tried this pentesting tool?
- Ah that's interes- It has a swastika in the logo
- You're so funny. It's pretty innovative bec-
- It has a swastika in the logo
- It's really cool how-
- It has a swastika in the logo
- Seriously though, I use-
- Swastika. In. Logo.

19.01.2024 21:40 👍 1 🔁 0 💬 0 📌 0
A cropped screenshot showing the CVE-2023-22515-Scan repo by user ErikWynter (me) with 69 stars.

Nice

08.01.2024 20:07 👍 2 🔁 0 💬 0 📌 0
GreyNoise Labs - Panic!! At the YAML An overview of SnakeYAML deserialization vulnerabilities (CVE-2022-1471) - how it works, why it works, and what it affects

Before the break, I started looking at CVE-2022-1471 in Confluence et al, which led me to learn about SnakeYAML deserialization. It was quite the ride, full of open source drama and related vulns. I wrote it all up in this blog post!

#vuln #vulnerability #poc #java #deserialization #snakeyaml #yaml

03.01.2024 20:49 👍 4 🔁 3 💬 0 📌 0

Pretty annoyed that it took me around 25 years to realize it's fine to pursue math just because you like it, even if you're nothing like the Good Will Hunting guy.

30.12.2023 23:01 👍 1 🔁 0 💬 0 📌 0

I'd really appreciate it if one of you could give me a heads up the next time I have an important school assignment due in my dreams.

28.12.2023 19:43 👍 1 🔁 0 💬 0 📌 0

Congrats to LinkedIn for killing MyNetwork notifications by including this 'Catch up' nonsense.

21.12.2023 17:02 👍 0 🔁 0 💬 0 📌 0

A colleague just mentioned that he was doing a pentest for an adult website. This gave me so many ideas for stupid jokes with a pun on "penetration" testing that I had to sit down for a minute.

21.12.2023 16:58 👍 2 🔁 0 💬 0 📌 0
Screenshot of a LinkedIn notification: "You're one of a few experts invited to add to this collaborative article: What are the most effective ways to overcome impostor syndrome in programming?"

Oh geez, they must think I'm far more experienced and knowledgeable than I actually am...

20.12.2023 20:03 👍 2 🔁 0 💬 0 📌 0
Privesc to RCE in “enterprise-grade” OpenNMS An analysis of CVE-2023-0872, CVE-2023-40315 & more

Hi all! Earlier this year I found several vulnerabilities in OpenNMS, including a pretty funny privesc to RCE chain. I just published a writeup here: medium.com/@erik.wynter...
I also wrote a Metasploit module, the PR is open here: github.com/rapid7/metas...

13.12.2023 17:07 👍 0 🔁 0 💬 0 📌 0

Say what you will about LinkedIn, it is by far the best place to receive updates on infosec news from 3+ months ago.

08.12.2023 23:25 👍 2 🔁 0 💬 0 📌 0
~ $ curl -v http://user:pass@scanme.nmap.org 2>&1 | head -n 20
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 45.33.32.156:80...
* Connected to scanme.nmap.org (45.33.32.156) port 80
* Server auth using Basic with user 'user'
> GET / HTTP/1.1
> Host: scanme.nmap.org
> Authorization: Basic dXNlcjpwYXNz
> User-Agent: curl/8.3.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 07 Nov 2023 20:49:12 GMT
< Server: Apache/2.4.7 (Ubuntu)
< Accept-Ranges: bytes
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<
{ [1043 bytes data]
~ $

Embarrassed I didn't know this, but TIL that most browsers used to let you perform HTTP basic authentication by specifying the creds in the URL, eg: "http://username:password@example.com". cURL still supports this:

07.11.2023 21:01 👍 1 🔁 0 💬 0 📌 0

Haha yeah that's a challenge I think about regularly, of helping my kids understand and appreciate the crucial difference between things you kind of aren't supposed to do (an essential part of hacking) and things you simply shouldn't do (because they are unethical or simply too dangerous).

05.11.2023 00:02 👍 1 🔁 0 💬 0 📌 0

I played UNO junior today for the first time with our eldest and I have never been this happy to get absolutely destroyed. 10-1 with zero cheating. Yes, it was THAT brutal.

04.11.2023 19:58 👍 1 🔁 0 💬 1 📌 0

The real tragedy of the commons is people using game theory concepts incorrectly.

31.10.2023 18:01 👍 2 🔁 0 💬 0 📌 0

If you want a hit offsec post, just write "PoC for CVE-SomeMajorVuln" followed by a random cURL request. No one's going to notice in time to stop the inevitable stream of retweets.

11.10.2023 21:02 👍 1 🔁 0 💬 0 📌 0
Image of an indigenous woman flipping the bird and smiling. The caption reads: Fuck Christopher Columbus.

Happy Indigenous Peoples’ Day

09.10.2023 15:29 👍 1725 🔁 597 💬 5 📌 4

Hi all, I just published a Python scanner for CVE-2023-22515, the critical vulnerability in Atlassian #Confluence Server and Data Center that is actively being exploited in the wild. The scanner does NOT include an exploitation component. Get it here: github.com/ErikWynter/C...

06.10.2023 21:39 👍 1 🔁 3 💬 0 📌 0

Amazing. The only thing missing is like $500,000 to sponsor op-eds arguing that remote work is bad for people...

02.10.2023 07:35 👍 6 🔁 1 💬 1 📌 0

Salaries: $100
Laptops: $200
Electricity: $180
Marketing: $210
Office space: $5,000,000
Career development: $50

someone who is good at the economy please help me budget this. my company is dying.

02.10.2023 06:04 👍 125 🔁 26 💬 7 📌 1

god forbid a man have hobbies

01.10.2023 16:50 👍 136 🔁 26 💬 3 📌 0
Saturn Devouring His Son

This meal just cost me $78 at the Newark airport. This is why Americans think the economy is terrible.

21.09.2023 14:47 👍 2165 🔁 345 💬 46 📌 19
Left Exit 12 Off Ramp meme. Left Exit 12 text: Doing legit vuln research so I can have a career. Off ramp text: Writing Fortran exploits for the lulz. Car label: me

Why am I like this

19.09.2023 22:53 👍 3 🔁 1 💬 0 📌 0

Hey all, what would be the best platform/app for learning Python on Android? I know Android is far from ideal but it's the most feasible option for my SO rn. So far they've been using the Sololearn app, but the free version is very limiting due to the "hearts" system.

17.09.2023 21:30 👍 0 🔁 0 💬 0 📌 0