Everything you care about in one place

Follow feeds: blogs, news, RSS and more. An effortless way to read and digest content of your choice.

Get Feeder

carnal0wnage.attackresearch.com

Carnal0wnage & Attack Research Blog

Get the latest updates from Carnal0wnage & Attack Research Blog directly as they happen.

Follow now 170 followers

Latest posts

Last updated over 4 years ago

WeirdAAL update - get EC2 snapshots

over 4 years ago

I watched a good DEF CON video on abusing public AWS Snapshotshttps://www.youtube.com/watch?v=-LGR63yCTtsI...

The Duality of Attackers - Or Why Bad Guys are a Good Thing™

over 4 years ago

The Duality of Attackers - Or Why Bad Guys are a Good...

What is your GCP infra worth...about ~$700 [Bugbounty]

almost 5 years ago

BugBounty story #bugbountytipsA fixed but they didn't pay the bugbounty story...Timeline:reported 21...

Devoops: Nomad with raw_exec enabled

about 5 years ago

"Nomad is a flexible container orchestration tool that enables an organization to...

Minecraft Mod, Follow up, and Java Reflection

over 5 years ago

After yesterday's post, I received a ton of interesting and creative responses...

Minecraft Mod, Mother's Day, and A Hacker Dad

over 5 years ago

Over the weekend my wife was feeling under the weather. This meant...

Jenkins - CVE-2018-1000600 PoC

almost 6 years ago

second exploit from the blog posthttps://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.htmlChained with CVE-2018-1000600 to a Pre-auth Fully-responded...

Jenkins - messing with exploits pt3 - CVE-2019-1003000

almost 6 years ago

References:https://www.exploit-db.com/exploits/46453http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.htmlThis post covers the Orange Tsai Jenkins pre-auth exploitVuln versions: Jenkins &lt...

Jenkins - Identify IP Addresses of nodes

almost 6 years ago

While doing some research I found several posts on stackoverflow asking how...

Jenkins - decrypting credentials.xml

almost 6 years ago

If you find yourself on a Jenkins box with script console access...

Jenkins - SECURITY-180/CVE-2015-1814 PoC

almost 6 years ago

Forced API token changeSECURITY-180/CVE-2015-1814https://jenkins.io/security/advisory/2015-03-23/#security-180cve-2015-1814-forced-api-token-changeAffected VersionsAll Jenkins releases <= 1.605All LTS releases <=...

Jenkins - SECURITY-200 / CVE-2015-5323 PoC

almost 6 years ago

API tokens of other users available to adminsSECURITY-200 / CVE-2015-5323API tokens of...