@strawp profile picture
@strawp@infosec.exchange @strawp
Joined April 2008
  • Tweets 13,431
  • Following 384
  • Followers 804
576 Photos and videos
Pinned Tweet
@strawp@infosec.exchange@strawp
15 Nov 2022
If you miss Twitter back in pre-2010 days when it was just full of geeks sharing cool stuff, then get on Mastodon. infosec.exchange/@strawp is where I'll be now 👋
1
Replying to @sampilgrim
@sampilgrim this guy who rides a penny farthing says he wouldn't know how to pop a wheelie on it. cotswoldjournal.co.uk/news/1… I figured if anyone could manual one, you could. Make it happen! 😁

Meet the 'penny-farthing man' of Shipston

If you’ve been to Shipston in the past few months, there’s a good chance you’ve encountered Mark Connor.

cotswoldjournal.co.uk
1
YES! You found one! I pretty much laughed all the way through that😂
103
I did a thing
LRQA Cyber Labs
@LRQA_Cyber_Labs
14 Dec 2022
Popular document storage solution, ONLYOFFICE, affected by multiple vulnerabilities. Our latest post by @strawp shows how to exploit this for unauthenticated remote code execution. labs.nettitude.com/blog/expl…
3
7
@strawp@infosec.exchange retweeted
LRQA Cyber Labs
@LRQA_Cyber_Labs
14 Dec 2022
Popular document storage solution, ONLYOFFICE, affected by multiple vulnerabilities. Our latest post by @strawp shows how to exploit this for unauthenticated remote code execution. labs.nettitude.com/blog/expl…

CVE-2021-43444 to 43449: Exploiting ONLYOFFICE Web Sockets for Unauthenticated Remote Code Execution

About 18 months ago, I was conducting a pentest of a document management platform. It was designed with the goal of providing a secure document storage and sharing solution for some high impact use...

lrqa.com
10
17
Oh Jesus 🤦‍♂️
Senior PowerPoint Engineer
@ryxcommar
4 Nov 2022
congrats to every Twitter employee who commits their entire venv/ for avoiding the layoffs. Elon needs allstars like you who can push 200k lines of code in a single merge.
I used to do this as a software developer, but now I actually am a hacker I take it more seriously and have playlists and shit
Fesshole🧻
@fesshole
26 Oct 2022
I work from home as software developer. When I'm bored I turn of the lights and play techno music to pretend I'm in a hacker movie.
1
1
Oh yay, haven't had a fun OpenSSL vuln since heartbleed 🍿
This tweet is unavailable
A masterclass of OSINT. It's wild that: 1. RU military communicate by normal phone calls (I guess TEAMS would be a no-no 😁) 2. In RU you can just buy call records on the black market bellingcat.com/news/uk-and-e…
1
2
@strawp@infosec.exchange retweeted
Saajan Bhujel ❄@saajanbhujel
16 Oct 2022
Hey everyone👋, Read my blog about "How I Got $10,000 From GitHub For Bypassing Filtration oF HTML tags". @GitHubSecurity #bugbountytips #bugbounty #GitHub #cybersecurity saajanbhujel.medium.com/how-…

How I Got $10,000 From GitHub For Bypassing Filtration oF HTML tags

Hey everyone👋, I hope you’re having an A week🚀! In today’s blog, I am going to tell you that, “How I Got $10,000 From GitHuB”.

infosecwriteups.com
38
208
865
This sort of methodology is very useful. Find something that talks HTTP, find the API endpoints, exploit
Corben Leo
@hacker_
29 Sep 2022
I hacked a gaming company this year. Here's how I did it:
1
How are there any Exchange servers left standing at this point?
strandjs - strandjs@bsky.social
@strandjs
30 Sep 2022
Please stop running on prem exchange.....
@strawp@infosec.exchange retweeted
Rob Fuller@mubix
21 Sep 2022
Yup… every single time…
Oddvar Moe
@Oddvarmoe
19 Sep 2022
Always
2
5
66
A year ago I would not have bothered attempting to get into an account with MFA, but last week I used this same technique and got 8 accounts in an org over 2 days on a remote SE test. MFA is snake oil. grahamcluley.com/ubers-hacke…

Uber’s hacker *irritated* his way into its network, stole internal documents

Uber has suffered a security breach which allowed a hacker to break into its network, and access the company’s internal documents and systems. How did they do it? By bombarding an employee with a…

grahamcluley.com
@strawp@infosec.exchange retweeted
🥝🏳️‍🌈 Benjamin Delpy
@gentilkiwi
15 Sep 2022
Always fabulous to see editors low the Windows Security level When Citrix SSO is enabled... passwords are stored in *user processes* (in addition to system ones) Ho yeah, *even if you have Credential Guard* Yeah, that's what Citrix is calling "SSO" > Will be in #mimikatz 3 🥝
17
290
775
I don't rate the new lock screen clock in iOS 16 🤨
1
So weird out of all the fancy places in London this ceremony happens outside what is now just a fancy shopping mall
Oh nice! This was a feature of Burp that I hadn't noticed was added portswigger.net/research/bro…
@strawp@infosec.exchange retweeted
LRQA Cyber Labs
@LRQA_Cyber_Labs
31 Aug 2022
Learn four of the most effective network relaying attacks against Windows domains. Defenders - learn how to mitigate against them! By Paul Finger. labs.nettitude.com/blog/netw…

Network Relaying Abuse in a Windows Domain

Network relaying abuse in the context of a legacy Windows authentication protocol is by no means a novel vector for privilege escalation in a domain context.

lrqa.com
2
44
98
When were the terms of service for Truth Social written?
@strawp@infosec.exchange retweeted
Rob Fuller@mubix
21 Aug 2022
This is something you should watch. These two individuals know more about scanning than a very large majority of Infosec combined. I would sit in DEFCON lines to see this talk.
runZero, Inc.@runZeroInc
17 Aug 2022
Thurs Aug 25th, join us for "The Evolution of Network Scanning" w/ @nmap founder Gordon "Fyodor" Lyon and runZero & Metasploit founder @hdmoore , live on Youtube! Register for a calendar invite & to receive the session recording: eventbrite.com/e/the-evoluti…
3
72
238
Load more