OUR LATEST RESEARCH
How Circle Banned Tornado Cash Users
Tornado Cash is an open-source, decentralised cryptocurrency mixer. Using zero-knowledge proofs, this mixes identifiable funds with others, obscuring the original source of the funds. On 08 August 2022, the U.S. Office of Foreign Assets Control [...]
CVE-2021-44076: Cross-Site Scripting (XSS) in CrushFTP
During the course of our work, Nettitude have identified a stored Cross-Site Scripting (XSS) vulnerability within the CrushFTP web interface. CrushFTP is a file transfer server which supports multiple file transfer protocols, and provides a [...]
Network Relaying Abuse in a Windows Domain
Network relaying abuse in the context of a legacy Windows authentication protocol is by no means a novel vector for privilege escalation in a domain context. However, in spite of these techniques being well understood [...]
CVE-2022-30211: Windows L2TP VPN Memory Leak and Use after Free Vulnerability
Nettitude discovered a Memory Leak turned Use after Free (UaF) bug in the Microsoft implementation of the L2TP VPN protocol. The vulnerability affects most server and desktop versions of Windows, dating back to Windows Server [...]
Offensive Security: From OSCE to OSCE3
OSCE3 (Offensive Security Certified Expert 3) is a certification from Offensive Security which has replaced the (now retired) OSCE certification. This post explores a pentester's journey from being OSCE certified to becoming OSCE3 certified. Way [...]