The Potsdam Cyber Games of the @Hasso_Plattner_Institute are entering the home stretch. It stays exciting!
Who is taking part?
A busy schedule for enthusiasts:
- today (25 April) at 18:00: publication of the SSTIC challenge at https://www.sstic.org/2025/challenge/
- tomorrow (26 April) from 9:00 to 18:00: FCSC "speedrun" at https://fcsc.fr (new challenges to be solved under time pressure, potentially qualifying for Team France)
How many unauthenticated file transfer servers are still exposed online in 2025?
A critical flaw in CrushFTP, tracked as CVE-2025-2825, is being actively exploited in the wild. The vulnerability affects versions 10.0.0 through 10.8.3 and version 11.0.0, and it allows remote attackers to bypass authentication entirely using specially crafted HTTP or HTTPS requests. Public proof-of-concept code is already circulating, lowering the barrier for exploitation.
Shadowserver, a nonprofit security watchdog, reported that over 1,500 vulnerable instances remain online as of March 30, 2025. Just two days earlier, around 1,800 instances were detected, with more than half located in the U.S. These numbers suggest that many organizations haven't taken mitigation steps despite clear warnings.
The CrushFTP team has urged users to either patch immediately or, if an update isn't feasible, isolate installations using a DMZ configuration. This can reduce the attack surface but is not a long-term fix.
This type of vulnerability is particularly concerning because unauthenticated access to managed file transfer software often leads to sensitive data exposure or ransomware deployment. Groups like Cl0p have historically targeted platforms like MOVEit, Accellion FTA, and GoAnywhere MFT using similar flaws. In January, Cl0p claimed responsibility for exploiting Cleo file transfer software to breach dozens of companies.
CrushFTP's CVE-2025-2825 carries a CVSS score of 9.8. That reflects the ease of exploitation and the potential impact of compromise. For systems handling regulated or confidential data, the urgency is not optional—patching is essential.
#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity
— P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking
A new #CTF team is forming around the @RaumZeitLabor. If you feel like meeting others regularly in person in Mannheim to learn and pwn, drop by the space next Monday, 28.04., at 19:00 for the first regular meeting. All skill levels are welcome. Further information will probably follow afterwards on the website/mailing list/wiki/Masto
https://raumzeitlabor.de/kontakt/anfahrt/
Sometimes you spot simple things right away, sometimes not. Then sleep, fresh air and exercise help. And then a restart leads to success.
3/3
Details on why this is so, whether you really need it (no?!) and what you can do for or against it can be read at the following link:
2/3
In detail: the file was in a directory with mode 1777 (sticky bit set on the directory), and the file to be written did not belong to the one who wanted/was supposed to write, a process under a different user ID. The file was deliberately mode 666 (rw-rw-rw-), precisely so that it can be written to, standard under Unix for umpteen years.
Turns out in the end: this is Linux-only and depends on a sysctl.
1/3
Recently I couldn't append anything to someone else's file that was mode 666 (rw-rw-rw-). Linux (of course), don't have the error message to hand right now:
echo bla >> /tmp/logfile
What had happened?
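The behaviour the thread above runs into is the Linux `fs.protected_regular` sysctl: with it enabled, an `O_CREAT` open of an existing regular file inside a world-writable sticky directory (such as `/tmp`) is refused with EACCES when the file is owned by neither the opener nor the directory owner (level 2 extends this to group-writable sticky directories). The shell's `>>` opens with `O_CREAT|O_APPEND`, so it trips the check even though the mode bits say `rw-rw-rw-`. The following is an added example, not code from the thread's author: a user-space model of that decision rule with the thread's scenario embedded as constructed sample data. The names `Inode`, `sticky_create_denied` and `explain` are this example's own, and the check only models the sysctl rule, not the kernel's ordinary permission-bit test that runs alongside it.

```python
"""Model of the Linux fs.protected_regular check (added example).

Re-implements, in user space, the decision the kernel makes when a process
opens an *existing* regular file with O_CREAT inside a sticky directory.
It does not touch the real filesystem; it only predicts whether the
sticky-directory rule fires. Inode/sticky_create_denied/explain are names
chosen for this example.
"""
import errno
import os
import stat
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Inode:
    """The two stat() fields the rule looks at."""
    mode: int  # full st_mode, e.g. stat.S_IFDIR | 0o1777
    uid: int


def sticky_create_denied(protected_regular: int, directory: Inode,
                         target: Inode, fsuid: int, o_creat: bool = True) -> bool:
    """Return True if Linux would refuse the open with EACCES.

    Documented levels of fs.protected_regular:
      0 - no restriction
      1 - in world-writable sticky dirs, refuse O_CREAT opens of regular
          files owned by neither the opener nor the directory owner
      2 - as 1, and also in group-writable sticky dirs
    The file's own rw bits are checked separately by the kernel and are
    not what makes this rule fire.
    """
    if not o_creat or not stat.S_ISREG(target.mode):
        return False                      # only O_CREAT opens of regular files
    if protected_regular == 0:
        return False                      # feature disabled
    if not directory.mode & stat.S_ISVTX:
        return False                      # not a sticky directory
    if target.uid in (directory.uid, fsuid):
        return False                      # owned by dir owner or by the opener
    if directory.mode & 0o002:
        return True                       # world-writable sticky dir (e.g. /tmp)
    if directory.mode & 0o020 and protected_regular >= 2:
        return True                       # group-writable sticky dir, level 2
    return False


def explain(protected_regular: int, directory: Inode, target: Inode,
            fsuid: int, o_creat: bool = True) -> str:
    """Verdict in the shape of the error message the shell would print."""
    if sticky_create_denied(protected_regular, directory, target, fsuid, o_creat):
        return (f"denied: {os.strerror(errno.EACCES)} "
                f"(fs.protected_regular={protected_regular})")
    return "allowed by fs.protected_regular (normal mode bits still apply)"


def live_setting() -> Optional[int]:
    """Read the running kernel's value, or None where the knob does not exist."""
    try:
        with open("/proc/sys/fs/protected_regular") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


# Constructed scenario matching the thread: /tmp (root-owned, mode 1777),
# a logfile mode 666 owned by uid 1000, and a process running as uid 1001
# doing `echo bla >> /tmp/logfile` (bash opens with O_WRONLY|O_CREAT|O_APPEND).
TMP = Inode(mode=stat.S_IFDIR | 0o1777, uid=0)
LOGFILE = Inode(mode=stat.S_IFREG | 0o666, uid=1000)
WRITER_UID = 1001

if __name__ == "__main__":
    print("setting on this host:  ", live_setting())
    print("`>>` (O_CREAT):        ", explain(1, TMP, LOGFILE, WRITER_UID))
    print("open without O_CREAT:  ", explain(1, TMP, LOGFILE, WRITER_UID, o_creat=False))
    print("same file, sysctl=0:   ", explain(0, TMP, LOGFILE, WRITER_UID))
```

Two practical consequences follow from the rule as modelled: a writer that opens the existing file without `O_CREAT` (for example `os.open(path, os.O_WRONLY | os.O_APPEND)` in Python) is not subject to the check, and a shared log whose owner is the sticky directory's owner (root for `/tmp`) is never affected. The kernel default for the sysctl is 0; distributions that ship systemd's default `sysctl.d` settings enable it, which is why the same `>>` works on one box and fails on another.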
From Vibe Coding to Vibe Decoding
Using AI to decompile a binary and reverse engineer functions including S-boxes.
New Open-Source Tool Spotlight
Google's GRR (GRR Rapid Response) is an open-source framework for remote live forensics and incident response. It allows security teams to investigate systems at scale without interrupting operations. Used for data collection, analysis, and hunting. #CyberSecurity #DFIR
Project link on #GitHub
https://github.com/google/grr
DEFCON 33 CTF Write-Up Series #1: jxl4fun2 (pwn):
https://blog.cykor.kr/2025/04/DEFCON-33-Series-jxl4fun-pwn
DEFCON 33 CTF Write-Up Series #2: tinii (rev):
Good morning, does anyone have a security/dev contact at Garmin?
I'd like to talk to them about Ph0wn CTF...
Thanks.
AI tool solves cyber tasks 3,600× faster than humans.
It’s called CAI—and it’s open-source, autonomous, and already winning real CTFs.
The best part? Even non-professionals using CAI have reported confirmed bugs to major bug bounty platforms.
Could this reshape who gets to participate in cybersecurity?
Read more: https://blueheadline.com/cybersecurity/cai-ai-hacker-tool-faster/
Today, I participated in @defcon Quals #CTF with @shellphish! After missing last year's quals due to family traditions (https://defcon.social/@Zardus/112378834023606154), it was great to be back! We got 5th place and (unless our calculations are off) are heading to finals!
I've never had a chance to look at Rust, but DEFCON CTF Qualifications got me to make a few first steps. No flag, but some experience of what works and how in (remote) code execution and in finding fake flags. Looking forward to the write-ups to learn how to do privilege escalation!
apparently file permissions in Rust are hard:
-rw-r-r-r-r owner group 1337 myfile
Rainy Sunday, poking at Earth from VulnHub.
Ran dirsearch, tried nikto, got the usual noise.
Then I noticed something in the nmap scan:
earth.local and terratest.earth.local
/etc/hosts to the rescue.
Sometimes the trick isn’t brute force, it’s reading carefully.
Pentesting 101: Don’t ignore the scan output!