parzel's Avatar

parzel

@parzel.bsky.social

Hacker based in Berlin | Working at modzero.bsky.social | he/him

93 Followers  |  246 Following  |  5 Posts  |  Joined: 02.10.2023  |  1.5918

Latest posts by parzel.bsky.social on Bluesky


Preview
[MZ-25-03] INSTAR 2K+ and 4K Series

PSA update your INSTAR cameras. Our teammate Michael Imfeld identified a critical RCE (CVE-2025-8760) on 2k+ and 4K devices. Find the advisory here:
modzero.com/en/advisorie...

14.08.2025 13:28 โ€” ๐Ÿ‘ 9    ๐Ÿ” 4    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 1
When Backups Open Backdoors: Accessing Sensitive Cloud Data via

A colleague of mine found exposed credentials potentially granting access to Synology Teams backups. Check the full analysis and scan your tenants for IOCs. #cybersecurity #infosec #disclosure

modzero.com/en/blog/when...

27.06.2025 17:20 โ€” ๐Ÿ‘ 2    ๐Ÿ” 1    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0
Preview
Belegsammlung fรผr ein AfD-Verbotsverfahren Der Verfassungsschutz stuft die AfD in seinem Gutachten als gesichert rechtsextrem ein. Das reicht nicht fรผr ein Parteiverbot, sagt Innenminister Alexander Dobrindt. Darum รผbernehmen wir nun den Job u...

Innenminister Dobrindt meint: Die Einstufung der AfD als โ€žgesichert rechtsextremโ€ reicht nicht fรผr ein Parteiverbot?
Kein Problem โ€“ wir legen nach: Mit unserer Belegsammlung schaffen wir die Grundlage fรผr ein umfassendes Gutachten zum AfD-Verbotsverfahren. Mehr dazu: fragdenstaat.de/aktionen/afd...

23.05.2025 06:54 โ€” ๐Ÿ‘ 1227    ๐Ÿ” 489    ๐Ÿ’ฌ 36    ๐Ÿ“Œ 14
SensePost | Psexecโ€™ing the right way and why zero trust is mandatory Leaders in Information Security

Both defenders and red teamers will be interested in this tool drop and deep dive into psexec from Aurรฉlien.

He, Michael, and Reino built susinternals that makes use of the Microsoft signed psexec service binary on the host instead of the more easily flagged RemCom.

sensepost.com/blog/2025/ps...

11.02.2025 13:22 โ€” ๐Ÿ‘ 9    ๐Ÿ” 5    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0
ROPing our way to RCE

ROPing our way to โ€œYay, RCEโ€ - and a lesson in the importance of a good nights sleep!

Follow our Colleague Michaels journey of developing an ARM ROP chain to exploit a buffer overflow in uc-http

modzero.com/en/blog/ropi...

07.02.2025 17:10 โ€” ๐Ÿ‘ 7    ๐Ÿ” 4    ๐Ÿ’ฌ 2    ๐Ÿ“Œ 1
Preview
Verdachtsfall Rechtsextremismus: Wir verรถffentlichen das 1.000-seitige Verfassungsschutz-Gutachten zur AfD Die Alternative fรผr Deutschland steht im Verdacht, rechtsextrem und verfassungsfeindlich zu sein. Der Verfassungsschutz beobachtet die Partei und hat ein ausfรผhrliches Gutachten erstellt. Wir verรถffen...

NEU: Hier ist das geheime Verfassungsschutz-Gutachten zur AfD in voller Lรคnge. Fast 5000 Quellen hat die Behรถrde in den vergangenen Jahren ausgewertet, jetzt hat @netzpolitik.org das Gutachten verรถffentlicht.

03.02.2025 06:30 โ€” ๐Ÿ‘ 1437    ๐Ÿ” 592    ๐Ÿ’ฌ 15    ๐Ÿ“Œ 25

In Chrome:

Object.values(this)[165].bind(this)()

27.01.2025 16:41 โ€” ๐Ÿ‘ 22    ๐Ÿ” 7    ๐Ÿ’ฌ 4    ๐Ÿ“Œ 0
Post image

This is a great post on bug bounty reddit!

OP reported an IDOR, gets paid $2,000, and then realizes it never was IDOR. It's just a cached response...

24.01.2025 14:14 โ€” ๐Ÿ‘ 50    ๐Ÿ” 5    ๐Ÿ’ฌ 3    ๐Ÿ“Œ 0
Paged Out!

Issue #2 joined the 'over 100K downloads' club. All thanks to you!
Now Issue #4 is applying for a membership there, and it's not far from getting in :)

Want to help? Tell your friends about us!
pagedout.institute

14.01.2025 08:41 โ€” ๐Ÿ‘ 5    ๐Ÿ” 2    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0

I am glad you like it!

12.01.2025 11:15 โ€” ๐Ÿ‘ 0    ๐Ÿ” 0    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0

I wrote a blog post about SSTI in Thymelaf - hopefully it helps some people pentesting up-to-date Spring Boot applications :)

11.01.2025 11:47 โ€” ๐Ÿ‘ 4    ๐Ÿ” 1    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 0

(please re-post for reach - thank you!)
Learned a cool new Linux trick? Know an interesting quirk in a network protocol? Or have something else to share?

Write a 1-page article for the #6 issue of Paged Out! :)
pagedout.institute?page=cfp.php

Soft deadline is Feb 1st.

07.01.2025 07:41 โ€” ๐Ÿ‘ 30    ๐Ÿ” 33    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0
Flare-On 2024 Solutions and Commentary
YouTube video by BasteG0d69 Flare-On 2024 Solutions and Commentary

My videos for Flare-On 2024 are live! Watch me reverse engineer all the challenges from start to end. ๐ŸŽ‰๐Ÿฅณ

+ Commentary video featuring SuperFashi, where we review the chals together.

* 45 hours of content
* 400+ GB of raw footage

Merry Christmas! Link: www.youtube.com/watch?v=vwW9...

25.12.2024 23:58 โ€” ๐Ÿ‘ 49    ๐Ÿ” 11    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 1

Re-sharing to keep bluesky rolling

go.bsky.app/EhGFSVj

24.12.2024 00:13 โ€” ๐Ÿ‘ 45    ๐Ÿ” 13    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 3
A thumbnail with a blue, black, and green gradient background, with the VS Code and GitHub Copilot logos in the foreground and a graphic of the Copilot Chat window hovering below.

A thumbnail with a blue, black, and green gradient background, with the VS Code and GitHub Copilot logos in the foreground and a graphic of the Copilot Chat window hovering below.

Announcing GitHub Copilot Free!

A new free tier for GitHub Copilot, available for everyone today in VS Code.

No trial. No subscription. No credit card required.

Learn more in our blog: aka.ms/copilot-free

18.12.2024 18:28 โ€” ๐Ÿ‘ 365    ๐Ÿ” 139    ๐Ÿ’ฌ 14    ๐Ÿ“Œ 54
Remote Code Execution with Spring Properties Recently a past student came to me with a very interesting unauthenticated vulnerability in a Spring application that they were having a hard time exploiting...

I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!

Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...

26.11.2024 23:57 โ€” ๐Ÿ‘ 76    ๐Ÿ” 36    ๐Ÿ’ฌ 1    ๐Ÿ“Œ 2
Preview
Digging for XSS Gold: Unearthing Browser Quirks with Shazzer YouTube video by PortSwigger

I can highly recommend Shazzer from @garethheyes.co.uk, such a great tool for XSS research!

27.11.2024 09:11 โ€” ๐Ÿ‘ 22    ๐Ÿ” 4    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0
Post image

I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...

25.11.2024 17:31 โ€” ๐Ÿ‘ 63    ๐Ÿ” 43    ๐Ÿ’ฌ 3    ๐Ÿ“Œ 0
In-depth IT Security

Hello Bluesky ๐Ÿ‘‹

We are an IT security company. Our team consists of like-minded hackers located in Germany and Switzerland.

Our core areas of expertise are comprehensive technical security analyses, penetration tests and red teaming services.

Want to learn more about us?
Check: modzero.com/en/

21.11.2024 14:21 โ€” ๐Ÿ‘ 5    ๐Ÿ” 2    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0
The PrintNightmare is not Over Yet Following the publication of my blog post A Practical Guide to PrintNightmare in 2024, a few people brought to my attention that there was a way to bypass the Point and Print (PnP) restrictions recomm...

During a #redteam at @modzero.bsky.social we discovered a limited but neat bypass for #printnightmare. I talked to @itm4n about it and he had an indepth look. Read about it here:
itm4n.github.io/printnightma...
#itsec

17.11.2024 15:11 โ€” ๐Ÿ‘ 3    ๐Ÿ” 0    ๐Ÿ’ฌ 0    ๐Ÿ“Œ 0

@parzel is following 20 prominent accounts