Skip to content
View johnjhacking's full-sized avatar

Block or report johnjhacking

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Please don't include any personal information such as legal names or email addresses. Maximum 100 characters, markdown supported. This note will be visible to only you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
johnjhacking/README.md

Hack the Galaxy.

Welcome to my portfolio. My name is John Jackson, also known to many as "Mr. Hacking".
I am the founder of now defunct hacking group Sakura Samurai.

I may not research with a group, however, I'm still continously honing my skills and performing security research. This portfolio will be for organizing all of my work/accomplishments. Keep in mind that I cannot possibly link all of the news articles related to my research, otherwise this portfolio will be too long. In addition, I may link to blog posts from my old website - but my website is outdated and only running for the sake of archive and backlinks; Github will be my primary operating portfolio now.

I'm also the author of Corporate Cybersecurity: Identifying Risks and The Bug Bounty Program. Click on the image to see my book!

Wikipedia

My portfolio consists of the following sections:
• Certifications: All of the certifications I have achieved, in order of most to least recent.
• Awards: Any relevant Information Security awards.
• Created Tools by Popularity: A list of all of the tools I have created that aren't part of guide or a tool specific to a CVE proof of concept.
• Guides: Writeups pertaining to education, such as certifications.
• My Identified Common Vulnerabilities & Exposures (CVES): My assigned CVE identifiers with a quick summary on each, neatly linked with corresponding writeups or proof of concepts.
• Archive: All of the blog posts that I have written, including ones not associated with CVEs.

Certifications

‣ Certified Red Team Professional
‣ Offensive Security Certified Professional
‣ Certified Network Defense Architect
‣ Certified Ethical Hacker | Master
‣ Certified Network Defender
‣ Certified Penetration Testing Engineer
‣ Security+
‣ A+
‣ ITIL Foundation
‣ Metasploit Pro Certified Specialist
‣ AppSpider Enterprise Certified Specialist
‣ Pro Labs: Dante
‣ Pro Labs: Zephyr

Awards

‣ Certificate of Appreciation, Information Warfare: Centre For Strategic Communication and Information Security, Ukraine
‣ Medal for Service and Valor, 3rd Degree: Joint Forces of the Armed Forces of Ukraine

Created Tools by Popularity

Tool Name Usage Stars Forks Link

BadgerDAPS

Brute Ratel LDAP filtering and sorting tool. Easily take BR log output and pull hostnames for ease of use with other red team tooling. Supports OU filtering and removes disabled hosts.

Stars Stars

Github

ez-iRZ

Exploit for CVE-2022-27226, CSRF to RCE in iRZ Mobile Routers

Stars Stars

Github

Signal DLL Hijacking

DLL Malware for Signal Desktop. Utilizes missing dbghelp.dll

Stars Stars

Github

RokuRogue

A script for brute forcing Roku TVs and installing applications remotely.

Stars Stars

Github

Jorogumo

Red Team Stored XSS SVG phishing-companion tool with the ability to serve a malicious login page, or clone an html page and implement custom javascript. It then generates a relevant SVG.

Stars Stars

Github

Guides

Guide Name Description Link

Buffer Overflow Guide

This Bufferflow Guide includes instructions and the scripts necessary for Buffer Overflow Exploitation. This guide is a supplement for TheCyberMentor's walkthrough. Includes companion scripts. It's pretty old as it was used for the original OSCP which has since been reworked.

Github

The Ultimate CRTO Preparation Guide

The ultimate guide to passing the Certified Red Team Operator exam by Zero Point Security.

Link

OSCP Reborn - 2023 Exam Preparation Guide

Revamped OSCP guide, tailored to be relevant for the latest revision of the OSCP which includes Active Directory exploitation.

Link

My Identified Common Vulnerabilities & Exposures (CVES)

Name Severity Description Associated Risk Additional Comments Proof of Concept
CVE-2024-38143: Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability

4.2 MEDIUM

An unauthenticated attacker could exploit the vulnerability by interacting with a malicious wireless network from the lock screen of a device.

Successful exploitation results in possible escalation to NT AUTHORITY\SYSTEM

Primary attack method requires physical access to the device. As a secondary option, an attacker could pair this with social engineering, but it would still require an in-person presence. Attack vector would be a threat actor who steals a laptop, but is locked out of the computer and wants to access the data/doesn't want to completely reformat or swap drives.

N/A
CVE-2023-47800: Natus NeuroWorks and SleepWorks Use of Hard-coded Credentials

9.8 CRITICAL

Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services.

Remote code execution via MSSQL paired with CrackMapExec. Data theft, tampering, or destruction. Negatively affecting medical patients' results.

More likely to be exploited by a threat actor on the internal network, have used this on multiple medical client networks so it's relevant for pivoting.

Writeup
CVE-2023-24068: Signal Desktop Attachment Modification

7.8 HIGH

Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files, resulting in an attacker's ability to insert malicious code into pre-existing attachments or replace them completely. A threat actor can forward the existing attachment in the corresponding conversation to external groups, and the name and size of the file will not change, allowing the malware to masquerade as another file.

Native spear fishing. If a backdoored attachment gets forwarded to a group chat, everyone can end up compromised.

Unlikely to be abused by your everday threat actor. This is of particular interest to federal and intelligence agencies, both domestic to the US and foreign.

Writeup
CVE-2023-24069: Signal Desktop Attachment Recovery After Deletion

3.3 LOW

Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker can still recover the file if it was previously replied to in a conversation./p>

Recovery of deleted attachments, rendering deletion pointless.

Unlikely to be abused by your everday threat actor. This is of particular interest to federal agencies or within eDiscovery and legal hold processes.

Writeup
CVE-2022-27226: CSRF to RCE in iRZ Mobile Routers through 2022-03-16

8.8 HIGH

A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.

Remote code execution via compromised credentials or chained credential theft.

Likely to be abused if access to this router is obtained. Exploitation is trivial.

Writeup
CVE-2021-45919: Studio 42 elFinder through 2.1.31 Stored XSS

5.4 MEDIUM

Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.

Credential theft via phishing, but possible escalation to RCE via phishing if the correct conditions are achieved.

Unlikely to lead in an enterprise compromise, possible account theft.

Writeup
CVE-2021-43032: XenForo through 2.2.7 Stored XSS

4.8 MEDIUM

In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.

Credential theft via phishing

Possible account theft.

Writeup
CVE-2021-23827: Keybase Exposure of Sensitive Information to an Unauthorized Actor

5.5 MEDIUM

Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, allows an attacker to obtain potentially sensitive media (such as private pictures) in the Cache and uploadtemps directories. It fails to effectively clear cached pictures, even after deletion via normal methodology within the client, or by utilizing the "Explode message/Explode now" functionality. Local filesystem access is needed by the attacker.

Recovery of deleted attachments, rendering deletion pointless.

Unlikely to be abused by your everday threat actor. This is of particular interest to federal agencies or within eDiscovery and legal hold processes.

Writeup
CVE-2021-40875: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulting in sensitive information exposure

7.5 HIGH

Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths.

The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

Possible discovery during web application hacking.

Writeup
CVE-2021-24495: Wordpress Marmoset Viewer Plugin Reflected XSS

6.1 MEDIUM

A reflected cross site scripting vulnerability exists on the ‘id’ parameter of the Wordpress Marmoset Viewer plugin. A threat actor can utilize a specially crafted payload and append it to the id parameter included in the Marmoset Viewer. The cross site scripting vulnerability can lead to the potential theft of cookies or credentials, giving the threat actor the ability to take over a victim’s account or steal other sensitive information.

Credential theft via phishing

This may be chained with a post-authenticated exploit, unlikely to be used otherwise.

Writeup
CVE-2021-27653: Pega Chat Access Group Portal Improper Access Control

6.6 MEDIUM

Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.

Theft of sensitive data and credential material to perform Administrative account takeover.

There's high associated risk based on how trivial it is.

Advisory
CVE-2021-28919: npm Netmask SSRF Bypass

9.1 CRITICAL

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

Bypass for prevntive measures against a wide array of attacks including but not limited to SSRF, RFI, LFI, XSS, etc

High associated risk, very likely.

Writeup
CVE-2021-29662: Perl Data::Validate::IP Module Access Control Bypass

7.5 HIGH

The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

Bypass for preventive measures within Perl for SSRF, RFI, LFI, XSS, etc

Lower associated risk against modern code, likely against older assets.

Writeup
CVE-2020-28360: npm Private-IP SSRF Bypass

9.8 CRITICAL

Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges.

Indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.

High probability of exploitation. A modern day filter bypass technique.

Writeup
CVE-2020-27403: TCL Improper Access Control

6.5 MEDIUM

A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows an attacker on the adjacent network to arbitrarily browse and download sensitive files over an insecure web server running on port 7989 that lists all files & directories.

An unprivileged remote attacker on the adjacent network, can download most system files, leading to serious critical information disclosure

High probability of exploitation if outdated TCL TV is on the internal network.

Writeup
CVE-2020-28055: TCL Local Privilege Escalation

7.8 HIGH

A vulnerability in the TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below by TCL Technology Group Corporation allows a local unprivileged attacker, such as a malicious App, to read & write to the /data/vendor/tcl, /data/vendor/upgrade, and /var/TerminalManager directories within the TV file system.

Fake system upgrades by writing to the /data/vendor/upgrage folder.

Low liklihood, requires multiple factors to align.

Writeup
YOURLS Admin Panel Stored XSS

5.4 MEDIUM

Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.

Credential theft.

Improbable from an APT perspective, likely for targeted exploitation.

Writeup

Archive

Popular repositories Loading

  1. Buffer-Overflow-Guide Buffer-Overflow-Guide Public

    This Bufferflow Guide includes instructions and the scripts necessary for Buffer Overflow Exploitation. This guide is a supplement for TheCyberMentor's walkthrough. Please watch his walkthrough if …

    Python 542 72

  2. badgerDAPS badgerDAPS Public

    Brute Ratel LDAP filtering and sorting tool. Easily take BR log output and pull hostnames for ease of use with other red team tooling. Supports OU filtering and removes disabled hosts.

    Python 37 3

  3. RokuRogue RokuRogue Public

    A script for brute forcing Roku TVs and installing applications remotely.

    Python 10 1

  4. Signal-DLL-Hijacking Signal-DLL-Hijacking Public

    DLL Malware for Signal Desktop. Now utilizes missing dbghelp.dll since Signal patched cryptbase.

    HTML 9 3

  5. ez-iRZ ez-iRZ Public

    Forked from SakuraSamuraii/ez-iRZ

    Exploit for CVE-2022-27226

    Python 1

  6. johnjhacking johnjhacking Public

    Forked from thmsgbrt/thmsgbrt

    My awesome README.md

    Mustache 1