i5nipe
199 posts

@i5nipe
Cyber Security Enthusiast | OSCP+ | eMAPT | eCPPTv2

Joined December 2020
407 Following, 568 Followers

i5nipe retweeted
Tur.js @Tur24Tur

Finally, with @hw16, we managed to bypass the @Cloudflare mTLS protection after around 5 days of work. I'd like to share a few golden tips for bug bounty hunters who might face something similar in the future. But first, here's a quick summary:

The target was a banking app with multiple security layers:
• Heavy Frida detection mechanisms
• Strong root detection
• Google SafetyNet/Play Integrity checks
• Runtime hooking detection
• APK tampering protection (crashed immediately if repackaged/modified)

At first, @fridadotre was detected and crashed the app on my device but strangely worked on another device even though both had the same Android version, root method, Frida server version, and architecture. After investigation, we discovered the app had anti-hooking detection that triggered when using aggressive Frida hooks on sensitive KeyStore operations.

The Solution: We wrote a minimal Frida script that:
1. Passively monitored certificate operations without modifying behavior
2. Intercepted KeyManagerFactory.init() - the exact moment when mTLS certificates are loaded
3. Extracted the X.509 client certificate and RSA private key (4096-bit)
4. Encoded them using Android's Base64 encoder
5. Formatted as PEM files ready for use

Found the mTLS certificate with a unique UUID-based alias in the Android KeyStore. The certificate was being dynamically loaded during the SSL handshake initialization.

Extracted Files:
• client_cert.pem → Client certificate (valid for 2 years)
• client_key.pem → RSA private key (PKCS#8 format)

We then created a PKCS#12 bundle using OpenSSL to combine the certificate and key into a single file, which could be imported into various tools and browsers for testing or @Burp_Suite.

Key Takeaway: When facing anti-tampering mechanisms, be surgical: hook only what you need, when you need it. Aggressive hooking triggers detection; passive monitoring flies under the radar.

This was an awesome challenge and my first time encountering such strong SSL pinning defenses. Attached are some images from the mobile API and the Frida output of the certificates. #bugbountytips #frida #Magisk #mtls

Quoting Tur.js @Tur24Tur:
> Did @Cloudflare just defeat @Burp_Suite and @CaidoIO? Cloudflare protection is becoming very common. This is the third app I've seen using it. Changing the user agent doesn't help, and the Burp TLS-fingerprint bypass plugin didn't work. The app blocks any request when it detects traffic interception. My target mobile app might be using a dynamic certificate based on my friend's analysis. Back in Nov 2024, I tested a web app with Burp, but it blocked all traffic. Switching to Caido worked, maybe its signatures weren't detected at the time. Can anyone share insights? Thanks #BugBounty

i5nipe retweeted
SpecterOps @SpecterOps
AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬 @JimSycurity went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs. Read more ⤵️ ghst.ly/3Lpmjzv

i5nipe retweeted
Mobile Hacker @androidmalware2
Android TikTok RCE: From WebView XSS to native lib overwrite via Zip Slip led to full RCE:
1. Universal XSS
2. JavaScript bridge → open internal deep-link
3. Launch protected activity
4. Split APK
5. Zip Slip → overwrite native lib
6. App restart → RCE
medium.com/@dphoeniixx/practical-android-pentesting-a-case-study-on-tiktok-rce-4a82e79cc7c6

i5nipe retweeted
Mobile Hacker @androidmalware2
0-click vulnerability affected Android in Dolby's DDPlus decoder - CVE-2025-54957. Malformed audio could lead to memory corruption and crashes. Android decodes audio locally, making this exploitable without user interaction, just by receiving a crafted RCS voice message. By @natashenka

i5nipe retweeted
Mobile Hacker @androidmalware2
New Pixnapping Attack: allows any Android app without permissions to leak info displayed by other apps, exploiting Android APIs and a hardware side channel (CVE-2025-48561). Pixnapping is not fixed and probably affects all Androids. PoC: Not available yet. Steal 2FA codes 👇

i5nipe retweeted
0xdf @0xdf_
TombWatcher from @hackthebox_eu is an assume-breach Windows AD box. BloodHound shows a path abusing targeted Kerberoasting, GMSA, password change, and shadow creds. Then there's AD Recycle Bin and ESC15. 0xdf.gitlab.io/2025/10/11/htb…

i5nipe retweeted
Alex Neff @al3x_n3ff
A new NetExec module: certipy-find 🔥 As ADCS is still configured insecurely in many environments, I decided to integrate the certipy find command into NetExec. Now you can quickly find and enumerate vulnerable templates before bringing out the big guns.

i5nipe retweeted
Karsten Hahn @struppigel
This blog post about impostor certificates by @SquiblydooBlog is a gem and very relevant right now. Or: how threat actors impersonate companies to obtain Authenticode certificates for signing their malware. And why revocation is important. squiblydoo.blog/2024/05/13/imp…

i5nipe retweeted
A L I @Ali_4fg
I wrote an article about this RCE I discovered via LaTeX injection, a pretty rare case, to be honest. Hope you find it helpful! Here is the blog post, take a look and enjoy :) blog.koalasec.co/from-latex-inj… #BugBounty #bugbountytip #RCE #infosec

Quoting A L I @Ali_4fg:
> My RCE report just closed as internal duplicate :( Without any excerpt from the duplicated report. But let's see how communication works 😭 P.S. I wrote an article and soon I will publish it.

i5nipe retweeted
hashcat @hashcat
hashcat v7.1.0 released! This update includes important bug fixes, new features, and support for new hash-modes, including KeePass with Argon2. Read the full write-up here: hashcat.net/forum/thread-1…

i5nipe retweeted
Sean Metcalf @PyroTek3
I am back to posting to ADSecurity.org in my free time (which I have again). I plan on adding new content relating to Active Directory & Azure AD (now Entra ID). First up is "Entra & Azure Managed Access Revisited". This article expands on one I wrote years ago about how to jump from Azure AD/Entra ID to Azure. This new article covers managing Elevated Access as well as logging. adsecurity.org/?p=4455 Enjoy!

i5nipe retweeted
SpecterOps @SpecterOps
The AD CS security landscape keeps evolving, and so does our tooling. 🛠️ @bytewreck drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI