🙋♂️Ayo, I did a thing, check out the latest episode where we chat about approaching Pwn2Own targets, some advice and answer some .NET questions🔥
ctbbodcast thanks for having me (give them a sub people, they do cool shit)
SinSinology
3,364 posts
SinSinology
@SinSinology
Pwn2Own 20{22,23,24*2,25*3,26*2}, i look for 0-Days but i find N-Days & i chase oranges 🍊
Joined June 2018
- 🔥You see, I've been trying hard to promote my training by dropping blogs, poc, teaching different countries/cons, following that idea this Sat I thought, what if, I dropped 3 exploits & 3 blogs on the same day? so after sleeping only 2 hours in the last 48h, they're ready😏🫳🎤
- it took me so much time to finish this exploit but I finally did it! my first guest-to-host virtualbox escape is finally ready, using a combination of 2 bugs I can target the latest version :) Eternal thank you to my dear friend Corentin @OnlyTheDuck for constantly encouraging me
00:00 - 🔥💀After 40 hours of constant reversing of weird looking c++ and no sleep, I Finally cooked the CVE-2024-47575 fortimanager unauthenticated RCE 🩸we’re back, and despite all the buzz about FortiManager - the saga is about to continue. Please, remove this from the Internet *even if fully patched* speak soon.
00:00 - 🚨🚨🚨PoC DROP! As part of today's triple exploit drop 🔥, here is the link to 1/3 poc, Progress Whatsup gold Pre-Auth Remote Code Execution 🩸 using the GetFileWithoutZip Primitive 🪲 to achieve a write what where and then popping a she'll 🤷♂️ github.com/sinsinology/CV…
GIF 
GIF- 🕵️♂️Here is the Exploit for the second 🤞 pre-auth Remote Code Execution 🔥 targeting progress whatsup gold which exploits a dangerous .NET WCF Service over NetTcpBinding UnAuThenTicated 🤷♂️ github.com/sinsinology/CV…
- 🚨🚨🚨 PoC DROP!!! We at watchTowr have released our latest work 🔥 on exploiting MOVEit Transfer, ability to access all your SECRET files 🩸 only by having your username, this was a .NET Target 😏, So fuckin proud of the exploit chain WE crafted 🔥🤝 🔥Progress just un-embargoed a very closely guarded auth bypass in MOVEit Transfer's SFTP mechanism - CVE-2024-5806. We were lucky enough to receive a tip-off :-) Enjoy our analysis, we had a lot of fun. labs.watchtowr.com/auth-bypass-in…
- 🔥 I've just published the details of my latest progress pre-auth Remote Code Execution this is CVE-2024-4885
- My English has never been good, I tried to translate what I had in my mind and I hope this shows how I feel Every step of this journey was a challenge—long hours, sacrifices, and moments when it felt impossible. But it was all worth it. I’m so proud and honored to have won 1st
And that’s a wrap! #Pwn2Own Automotive 2025 is complete. In total, we awarded $886,250 for 49 0-days over the three day competition. With 30.5 points and $222,250 awarded, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) is our Master of Pwn. #P2OAuto - PoV: you wakeup and go run a pwn2own exploit @thezdi
00:00
exhausted, last entry tomorrow - 🚨🚨DO NOT PANIC! I'm publishing my detailed analysis of CVE-2024-29855 which targets Veeam Recovery Orchestrator Authentication 🩸, this has a score of CVSS 9 🪲, but IMHO its not as severe, however, I like the technical details of it, so here we go 🔥
- 🔥💀 Here is the "Real" writeup and exploit for the pre-auth deserialization RCE I reported to Ivanti CVE-2024-29847 Apparently, folks at horizon3 tried to write about my bug before me but they did it wrong
- A no bull shit staright up fAcTuAl RCE, choke on thishop skip jump over to our latest blog post - analysing Fortinet's FortiJump CVE-2024-47575, FortiJump-Higher (we love this name😄) and beyond (PoC included) labs.watchtowr.com/hop-skip-forti…
