SECarius

Using Microsoft SSO to Achieve Full Account Takeover

Fri, 22 Aug 2025 00:00:00 +0000

Hello there!

This article is the second one of a series where I will share how the service I have released 2 months ago, https://profundis.io, helps me every day in my bug bounty journey.

This time, Profundis simply helped find the vulnerable asset.

Finding the asset

The asset was discovered after doing some sorting of my target data. The query I used was simply host:*.domain.com AND title:* AND status_code:200. This query makes sure there is a full working website running on the subdomain, and that this website has some interesting content (by using title:* which means “there should be a title detected”)

How I found an RCE seconds after its publication

Thu, 21 Aug 2025 00:00:00 +0000

Hello there!

This article is the first one of a (probable) series where I will share how the service I have released 2 months ago, https://profundis.io, helps me every day in my bug bounty journey.

This first article will cover the basics of the alerting feature that streams domains of my bugbounty targets in real-time, allowing me to stay updated on any changes within the monitored scopes. I will cover this subject with a nice bounty I got recently for an RCE discovered thanks to this alerting feature.

What is a RCE after all? Just pieces of puzzle put together - RCE with bits and pieces (CVE-2024-36415)

Wed, 12 Feb 2025 00:00:00 +0000

Hey there,

For the part two of the series on my SuiteCRM vulnerabilities, I’ll explain how I managed, with a bit of creativity, to chain a few vulnerabilities and strange features together to achieve Remote Code Execution (RCE) on the SuiteCRM application.

Reminder: You might want to read the first part of the series, where I detail what is SuiteCRM and how I found the first vulnerability in the application. You can find it here. Everything here is done on a private lab

Using XSS filters against XSS filters - Unexpected SQL Injection (CVE-2024-36412)

Mon, 10 Feb 2025 00:00:00 +0000

Introduction

Hello there,

Since this is my first article in years, I needed something cool to write about. So, I finally decided to cover the CVEs I discovered last year in the popular tool SuiteCRM.

Back in February 2024, when I was still a full-time pentester, I was assigned a one-week pentest for a client. Looking at the scope, I came across a tool I had never seen before: SuiteCRM.

Do you know - How URIs works ?

Mon, 01 Feb 2021 00:00:00 +0000

Hey there,

Let’s start from the beginning (\o/), what is a “Uniform Resource Identifier” (URI)?

This document is based on RFCs 3986, 1808, 1738, 3966, and 2718, and I’m probably forgetting some. It also relies on this official list distributed by IANA (which has regulated official URIs since 2015) for all protocols (historical, provisional, and permanent).

Did I read everything? Absolutely.

In this article, I will sometimes use regex to define possible characters. For example: “it consists of characters a-zA-Z\d” means all letters of the Latin alphabet, both lowercase and uppercase, as well as numbers from 0 to 9.

Do you know - How to use Google?

Sat, 30 Jan 2021 00:00:00 +0000

Hey there,

This article is the result of my research for creating an OSINT (Open Source Intelligence) tool as part of a second-year engineering project at ENSIBS.

To create my tool, I had to delve into Google searches, but not just using Dorks as one might think. There are also parameters to be included in the URL that can enable or disable certain features of Google search. Essentially, all of Google’s little modes (time filters, advanced modes, etc.) can be toggled on or off via certain parameters.

Do you know - How emails format works ?

Fri, 01 Jan 2021 00:00:00 +0000

Hello there,

If you’ve ventured here, it’s because you think you know everything about email addresses. But are you sure?

In this article, we’re going to talk about the syntax of email addresses, and we’ll try to define what is valid and what is not.

Let’s start with the simplest. For you, an email address is simply:

uppercase or lowercase characters with a dash or a dot @ domain name . tld? Well, no!

Writeup ECW 2020 - Web - Casino Royal

Tue, 13 Oct 2020 00:00:00 +0000

French version

Cette année j’ai de nouveau participé à l’ECW, organisé par Thalès, Airbus et Diateam.

Ce challenge était le seul (oui oui :/ ) lié réellement à la catégorie web. L’autre challenge dans la catégorie web relevait plus de la stéganographie que du web :/

Catégorie: Web Points: Pas assez (100) énoncé: Braquez le casino et récupérez le flag !

Voici un challenge web que j’ai mis +10h à résoudre, et dont j’ai eu le First blood ! \o/

Writeup ECW Finals 2018 - Audit Active Directory

Tue, 27 Nov 2018 00:00:00 +0000

French version

Challenge: Audit d’Active Directry Points: 315 pts Catégorie: Web~Forensics

Ce challenge était disponible lors de la finale de l’ECW qui s’est déroulée à Rennes Mercredi 21 novembre 2018, pour une durée de 6h.

(PS: je n’ai pas eu la présence d’esprit de prendre des captures d’écran lors de l’événement, je vais tenter d’expliquer le processus de mon mieux)

Énoncé: Des h4ck3rs ont réussi à rentrer dans notre système et à compromettre nos contrôleurs de domaine “ALPHA-DC, BETA-DC et GAMMA-DC” (il est également dit que les machines sont toutes à jour, inutile de perdre son temps a essayer de trouver un exploit).

Writeup NightHawk CTF Training Exercices - ImageMagick

Mon, 27 Aug 2018 00:00:00 +0000

French version

Ce challenge d’entrainement était disponible dans l’attente du NightHawk CTF 2018.

Catégorie: Web Points: 1000 pts

Énoncé (traduit du chinois) : “Can you find the flag in a directory? There is a flag in server https://flaskimage.herokuapp.com/""

En arrivant sur le site on tombe sur une petite interface qui nous propose d’upload une image aux formats :

png, jpg, jpeg, gif, mvg, svg

On à donc la possibilité d’upload une image mvg (Magic Vector Graphics). On sait également que le “moteur” utilisé pour traiter les images est ImageMagick.

Writeup NightHawk CTF Training Exercices - PHP Exploit

Mon, 27 Aug 2018 00:00:00 +0000

French version

Ce challenge d’entrainement était disponible dans l’attente du NightHawk CTF 2018.

Catégorie: Web

Points: 1300 pts

Énoncé (traduit du chinois) : Take the flag right, Just do it!!! https://shrimphp.herokuapp.com/

Lorsqu’on arrive sur le site, on est accueilli par le code source de la page php:

A première vue, à travers ce caractère d’entrée (qui est l’emoji de crevette), on doit Bypass le filtre de caractères, et exécuter une commande dans le eval(‘die(“‘ . substr($_, 0, 16) . ‘”);’);. La petite complexité c’est qu’on doit exécuter une commande avant que la fonction die s’exécute. Le tout doit être réalisé en moins de 16 caractères. Aïe Aïe Aïe…

writeup tjctf 2018 stupid blog

Tue, 21 Aug 2018 00:00:00 +0000

French version

Ce challenge était disponible pour le TJCTF 2018.

Catégorie: Web Points: 130 pts

Énoncé: “I created this blog site, but it doesn’t do much. I did hide a flag on here though. Maybe you can convince the admin user to give it to you?”

Cet énoncé nous donne deux indices: il faut convaincre l’utilisateur admin de nous donner le flag. Hummm… le challenge doit surement porter sur une XSS.

Who ami I?

Mon, 20 Aug 2018 00:00:00 +0000

Hey there !

If you’re reading this page, first of all, thanks :D

Who am I after all?

I’m Sicarius, I’ve been messing with web applications since 2018 and I’m trying to share some stories and experiences here. I’m a Cybersecurity Engineer graduated from the University ENSIBS in France, but to be honest, I’m more of a self-taught person. I do code things here and there ! I’m also the co-creator of https://profundis.io, a platform that helps you find hidden assets and get some bounties !