💥 leonjza
@leonjza.bsky.social
410 followers 140 following 77 posts
[ 'cto @sensepost.com', '@orangecyberdef', 'caffeine fueled', '(╯°□°)╯︵ ┻━┻', 'security guy', 'metalhead', 'i saw your password', 'KOOBo+KXleKAv+KXlSnjgaM=' ]
Pinned
leonjza.bsky.social
Slides for our talk "TTP Emulation in(2024)" that I did with Wrath_ZA@x at 0xcon_jhb@x are now available here!

In this talk we covered a purple teaming approach that leverages custom payload development to maximise red & blue collaboration. Check it out!

github.com/leonjza/publ...
Reposted by 💥 leonjza
pagedout.bsky.social
pagedout.institute ← we've just released Paged Out! zine Issue #7
pagedout.institute/download/Pag... ← direct link
lulu.com/search?page=... ← prints for zine collectors
pagedout.institute/download/Pag... ← issue wallpaper
Enjoy!

Please please please share to spread the news - thank you!
leonjza.bsky.social
Romhack was absolute 🔥! The conference, the community, the vibe - all of it was just something else. Special mention to merlos1977@x and the CybersaiyanIT@x team for making the speaking experience excellent too. 🙃
leonjza.bsky.social
Soon™

Private invites at Romhack next week, public release a while later.
A snippet of the pipetap source code repo's README file mentioning its features.
Reposted by 💥 leonjza
b0rk.jvns.ca
added a cheat sheet to the official Git website

(with a lot of help from other folks who work on the website)

git-scm.com/cheat-sheet
Git Cheat Sheet
leonjza.bsky.social
That's okay. On the plus side, you’ll get a more polished version later. 🙃
leonjza.bsky.social
If you're at RomHack at the end of the month, come tell me your @github.com username and I'll give you early access to the @sensepost.com tool repo for PipeTap at the con! 🙃

Below is a demo of the proxy in action.

www.youtube.com/watch?v=or8Y...
PipeTap WIP Demo
YouTube video by Leon Jacobs
leonjza.bsky.social
So far PipeTap can:

- Proxy reads/writes (even some async ones).
- Be a client, incl. the ability to have the *actual* connection in a remote process for those targets that do client pid validation.
- Proxy TCP <-> Named pipe for arbitrary Python clients.
- And more to come!
leonjza.bsky.social
Ofc, I'm aware alternatives exist (and that really, using just a Frida hook you can get far), but I wanted something more versatile.
leonjza.bsky.social
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, it's been super useful in reversing its fairly complex protocol. :)
The proxy view for PipeTap, a Windows Named Pipe Analysis Tool
Reposted by 💥 leonjza
samhenri.gold
Did you know your MacBook has a sensor that knows the exact angle of the screen hinge?

It’s not exposed as a public API, but I figured out a way to read it and make it sound like an old wooden door.
leonjza.bsky.social
Using @radareorg.bsky.social to dynamically get the virtual address of a @golang.org embed.FS structure to extract some sus embeds with go-embed-extractor¹ in this "dodgy-go-bin" 🔥

¹ github.com/BreakOnCrash...
Extracting embedded files using gee and radare2.
Reposted by 💥 leonjza
phrack.org
Phrack turns 40.
The digital drop is live.
Download it. Archive it. Pass it on.
💾 www.phrack.org
#phrackat40 #phrack72
Phrack 40th Anniversary ansi art by Harvest
leonjza.bsky.social
Hah! Made it to a @badsectorlabs.com LWiS release with my collection of bloatware exploits released @defcon.bsky.social earlier this month!

Check out the PoCs for CVE-2025-3462, CVE-2025-3463, CVE-2025-27812, CVE-2025-27813, CVE-2025-5491 and CVE-2025-27811 here: github.com/sensepost/bl...
GitHub - sensepost/bloatware-pwn: LPE / RCE Exploits for various vulnerable "Bloatware" products
leonjza.bsky.social
Always dig the @defcon.bsky.social artwork around the convention center.
leonjza.bsky.social
👋 Vegas! 🔥👀
Reposted by 💥 leonjza
sensepost.com
Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...
A screenshot of two windows. The top is a view of the Microsoft SQL management GUI showing that “Extended Protection” is enabled for NTLM authentication. The bottom is a terminal showing an invocation of Impacket’s mssqlclient.py successfully connecting using channel binding.
leonjza.bsky.social
Had a fairly complex exploit for an LPE, when @ipmegladon.bsky.social showed me a way to make it a one-liner last night. Gosh I love working with the people @sensepost.com.
Reposted by 💥 leonjza
naehrdine.bsky.social
The Apple Watch has a closed down ecosystem, only compatible with the iPhone. Nils reverse engineered its interfaces to open it up for Android! ✨ WatchWitch ✨ allows using your Apple Watch ⌚ on Android devices, interpreting your health data, answering messages on the Watch & more. (1/2)
The WatchWitch app in context, showing the Apple Watch and the paired iPhone as well as the Android phone running the app.
leonjza.bsky.social
This was fun to see coming to life given the situation Adriaan found himself in! And in no time, he made a plan 🙃
sensepost.com
Adriaan was struggling to get an interactive shell on the *nix application server he had popped, so he wrote a turn-based mini binary to give you a semi-interactive shell in restrictive environments. Writeup & code are at

👇
sensepost.com/blog/2025/no...
A screenshot of the tool in action firing up an ssh session to another host.
./shellnot --daemon &
./shellnot --session 1 --input "ssh root@2.domain.com"
./shellnot --session 1 --output
ssh root@2.domain.com

root@2.domain.com's password:
./shellnot --session 1 --input "toor"
./shellnot --session 1 --output

Last login: Sat May 24 16:45:40 2025 from 10.0.0.2
[root@localhost ~]$ ? 
./shellnot --session 1 --input "id"
./shellnot --session 1 --output
id
uid=1001(root) gid=1001(root) groups=1001(root),970(docker),998(wheel)
leonjza.bsky.social
Exciting, and good luck with the prep work!
Reposted by 💥 leonjza
specterops.io
Introducing the BloodHound Query Library! 📚

@martinsohn.dk & @joeydreijer.bsky.social explore the new collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem. ghst.ly/4jTgRQQ
The BloodHound Query Library is a community-driven collection of BloodHound Cypher available at https://queries.specterops.io