Syringe ready to inject bad stuff. Credit: https://pixabay.com/es/photos/jeringa-healthcare-aguja-medicina-417786/

Tainted love

It's all about sanitization

In several past articles, we have briefly touched on the concept of taint analysis. In this article, we would like to fill in the gaps that may have been raised by these careless...



Toasting Marshmallow. Photo by hcmorr on Unsplash: https://unsplash.com/photos/qlHRuDvaxL8

Roasting Kerberos

Attacking a DC using kerberoast

Kerberos is a protocol developed by MIT to authenticate network services. It is built on secret-key cryptography and relies on a trusted third-party server (named Authentication Server). This...



handshake

A Conflict of Interest?

You probably don’t see it.

Years ago, we faced something odd in a project: a customer was putting pressure on us while performing a One-Shot Hacking. The manager who hired us demanded preliminary results and made comments...



New York City Skyline

Querier Writeup

How to solve HTB Querier

In my opinion, Querier is a great box. We can learn a bit about pentesting Windows, a widely used operating system. The challenge begins with a public SMB where we will pass our first level. Next...



Parsing code. Photo by Markus Spiske on Unsplash: https://unsplash.com/photos/hvSr_CVecVI

Parse and Conquer

Why Asserts uses Parser combinators

As you might have noticed, at Fluid Attacks we like parser combinators, functional programming, and, of course, Python. In the parser article, I showed you the essentials of Pyparsing and we also...



Yellow police line tape on Unsplash: https://unsplash.com/photos/jM6Y2nhsAtk

Do not read this post

What if this post were a malicious link?

Why the f*ck did you click on this post? Seriously, why? Chances are, you were attracted to the title, paradoxically, suggesting not to do something. But, here you are. We are glad you did not...



greek statue with small angels.

Asymmetric DoS, slow HTTP attack

The story of David and Goliath

Have you ever heard the story of David and Goliath? David, a young boy, goes out to confront a giant, named Goliath. David is the underdog in this fight and is expected to lose. But, everyone...



Hand holding a pirate toy

Bounty Writeup

How to resolve HTB Bounty

Scanning Phase

First, we check the IP of the Bounty machine and try a ping to see if we have access.

host$ ping -c2 10.10.10.93

Then, we scan the ports with nmap. In this case, we’re going to...



man standing in front of blue and red lights

LibSSH new Vulnerability

New vulnerability on libssh CVE-2018-10933

The new vulnerability in LibSSH, tracked as CVE-2018-10933, resides in the server code and can enable a client to bypass the authentication process and create channels without permission. This...



Developers programming in an office

DevOops Writeup

How to resolve HTB DevOops

Scanning Phase

First, we check the IP of the DevOops machine and try a ping to see if we have access. Then, we scan the ports with nmap. In this case, we’re going to use basic nmap. port scanning...




The Treacherous POODLE

How the SSL fallback works

Each week, a gas vendor receives gas, which he stores in pipes and discreetly refills them with water. Each day he sells this gas to his clients, unbeknown to an "auditor" in black robes - aka Poodle...




Release the BEAST!

Understanding the BEAST

The Browser Exploit Attack on SSL/TLS (B.E.A.S.T) - bet you thought it was a rampage hack that launched nukes - is a practical attack demonstrated by Thai Duong and Juliano Rizzo at ekoparty in...



