<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Saksham Anand</title>
    <link>/</link>
    <description>Recent content on Saksham Anand</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Sun, 19 Apr 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>One Click(Fix) To Rule Them All, One Click(Fix) To Find Them</title>
      <link>/blog/clickfix-google-ads-discovery/</link>
      <pubDate>Sun, 19 Apr 2026 00:00:00 +0000</pubDate>
      <guid>/blog/clickfix-google-ads-discovery/</guid>
      <description>Almost a year after my last ClickFix post, ClickFix continues to be all the rage and remains a technique of choice for initial access among many threat actors. ClickFix has since evolved from fake CAPTCHA and error prompts to lures such as impersonated documentation for products like Claude Code, Mac storage-cleaning guides, and malicious instructions posted on Medium blogs, among many others. This post looks at how a single ClickFix domain can be used to discover many others.</description>
    </item>
    <item>
      <title>A Game Of Probabilities | Discovering ClickFix Infrastructure</title>
      <link>/blog/clickfix-infrastructure-discovery/</link>
      <pubDate>Sun, 23 Mar 2025 00:00:00 +0000</pubDate>
      <guid>/blog/clickfix-infrastructure-discovery/</guid>
      <description>What is ClickFix? ClickFix is a social engineering technique that threat actors have used increasingly over the past few months. The technique relies on tricking users into running PowerShell or Terminal commands on their own computers, through the use of fake error dialog boxes. This post looks at how the domains involved in a ClickFix script can be pivoted on to discover additional infrastructure. The ClickFix script in this case was used to download the SectopRAT malware; you can read more about the malware itself on my friend Chris&amp;rsquo;s blog here.</description>
    </item>
    <item>
      <title>Trace That Sound</title>
      <link>/blog/trace-that-sound/</link>
      <pubDate>Mon, 23 Dec 2024 00:00:00 +0000</pubDate>
      <guid>/blog/trace-that-sound/</guid>
      <description>Google Meet, Microsoft Teams and Zoom are all examples of common conferencing software used across large companies, companies that are large enough to be a juicy target for threat actors located in sanctioned countries. These actors, often just tech-savvy average Joes, seek to get ahead by earning a US tech-company salary. While their intent may not inherently be malicious, the deception and fraud involved in getting the job can pose a reputational and legal risk to companies.</description>
    </item>
    <item>
      <title>Dotfiles Backup - A Treasure Trove</title>
      <link>/blog/dotfiles/</link>
      <pubDate>Sun, 26 May 2024 00:00:00 +0000</pubDate>
      <guid>/blog/dotfiles/</guid>
      <description>Dotfiles backup, in the context of this blog, is a framework/methodology/concept. It is a collection of files, often starting with a dot (as the name implies), in which users (developers, system admins, etc.) store their personalised configurations for a variety of software. These collections are often pushed to a git repository and contain configuration files for software such as Vim, VSCode, Zsh, .aliases, git, and so on.
A common use case for dotfiles is when users join a new company and get issued a work laptop.</description>
    </item>
    <item>
      <title>Tracking via GitHub Keys</title>
      <link>/blog/github-keys-tracking/</link>
      <pubDate>Sat, 22 Apr 2023 00:00:00 +0000</pubDate>
      <guid>/blog/github-keys-tracking/</guid>
      <description>Have you ever been in a situation where you are managing a large number of users and one of them has committed sensitive information to a repository on GitHub? The issue is exacerbated when the username is ambiguous, the .patch file does not contain any helpful information and, generally, no solid details are present to find out who made the commit.</description>
Depending on how your organisation works, you may be able to use .</description>
    </item>
    <item>
      <title>Credential Harvesting via Postman</title>
      <link>/blog/postman-credentials/</link>
      <pubDate>Sun, 28 Aug 2022 00:00:00 +0000</pubDate>
      <guid>/blog/postman-credentials/</guid>
      <description>Postman is an API platform for developers to design, build and test their APIs. The platform allows users to work in teams and organizations, giving users the option to share their workspace over the Internet. One of the features is the ability to organize requests (GET, POST, PATCH, etc.) on different &amp;lsquo;pages&amp;rsquo;, with the option to define request parameters, headers, authorization, body and tests. The issue arises when request parameters, headers or bodies are populated directly with live values such as passwords, API tokens and secrets, and the workspace is then shared publicly.</description>
    </item>
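The following is an added example and not code from the original post: a scanner that walks a Postman collection export (the v2.1 JSON shape, with nested folders) and flags sensitively named headers, query parameters, auth entries, collection variables and raw JSON body fields whose value is a literal rather than a {{variable}} reference. The collection and every secret in it are constructed placeholders; the key-name regex and the treatment of the apikey auth type are the author's assumptions about what is worth flagging, not a Postman-defined rule.

```python
import re

# Constructed sample in the shape of a Postman collection v2.1 export; it is
# not taken from the original post. Secret values are placeholders.
SAMPLE_COLLECTION = {
    "info": {"name": "demo-api"},
    "variable": [
        {"key": "base_url", "value": "https://api.example.test"},
        {"key": "api_key", "value": "sk_live_EXAMPLE0123456789"},
    ],
    "item": [
        {
            "name": "Login",
            "request": {
                "method": "POST",
                "url": {"raw": "{{base_url}}/login"},
                "header": [{"key": "Authorization", "value": "Bearer eyJhbGciOiJIUzI1NiJ9.EXAMPLE"}],
                "body": {"mode": "raw", "raw": '{"username": "alice", "password": "Summer2022!"}'},
            },
        },
        {
            "name": "Users",
            "item": [
                {
                    "name": "List",
                    "request": {
                        "method": "GET",
                        "url": {"raw": "{{base_url}}/users?api_key={{api_key}}",
                                "query": [{"key": "api_key", "value": "{{api_key}}"}]},
                        "header": [],
                        "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "ghp_EXAMPLEtoken"}]},
                    },
                }
            ],
        },
    ],
}

# Field names that usually carry credentials (assumption: extend for your APIs).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|authorization|cookie|session", re.I)
PLACEHOLDER = re.compile(r"^\s*\{\{[^}]+\}\}\s*$")    # a {{variable}} reference, not a literal
JSON_PAIR = re.compile(r'"([^"]+)"\s*:\s*"([^"]*)"')   # crude key/value pairs in a raw JSON body


def is_literal_secret(key, value):
    """A sensitively named field whose value is a literal rather than a {{variable}}."""
    if not isinstance(value, str) or not value.strip():
        return False
    if PLACEHOLDER.match(value):
        return False
    return SENSITIVE_KEY.search(key) is not None


def iter_requests(items, path=()):
    """Walk folders recursively, yielding (path, request) for each request."""
    for entry in items:
        name = entry.get("name", "?")
        if "item" in entry:
            yield from iter_requests(entry["item"], path + (name,))
        elif "request" in entry:
            yield path + (name,), entry["request"]


def scan_collection(collection):
    """Return (location, key, value) for every hard-coded secret found."""
    findings = []
    # Collection variables are where a {{placeholder}} gets its real value.
    for var in collection.get("variable", []):
        if is_literal_secret(var.get("key", ""), var.get("value")):
            findings.append(("variable", var["key"], var["value"]))
    for path, req in iter_requests(collection.get("item", [])):
        loc = "/".join(path)
        for h in req.get("header") or []:
            if is_literal_secret(h.get("key", ""), h.get("value")):
                findings.append((loc + " header", h["key"], h["value"]))
        url = req.get("url")
        if isinstance(url, dict):
            for q in url.get("query") or []:
                if is_literal_secret(q.get("key", ""), q.get("value")):
                    findings.append((loc + " query", q["key"], q["value"]))
        auth = req.get("auth") or {}
        auth_type = auth.get("type", "")
        for param in auth.get(auth_type) or []:
            key = param.get("key", "")
            # The apikey auth type stores its secret under the generic key "value".
            effective_key = "api_key" if auth_type == "apikey" and key == "value" else key
            if is_literal_secret(effective_key, param.get("value")):
                findings.append((loc + " auth", key, param["value"]))
        raw = (req.get("body") or {}).get("raw")
        if isinstance(raw, str):
            for key, value in JSON_PAIR.findall(raw):
                if is_literal_secret(key, value):
                    findings.append((loc + " body", key, value))
    return findings


if __name__ == "__main__":
    for location, key, value in scan_collection(SAMPLE_COLLECTION):
        print(f"{location}: {key} = {value[:12]}...")
```

Run it against `Export` output of a workspace before making that workspace public; the query parameter that references `{{api_key}}` is correctly ignored, but the variable that defines it is flagged, since Postman exports variable values alongside the requests.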
    <item>
      <title>urlscan.io Dorking</title>
      <link>/blog/urlscan-dorking/</link>
      <pubDate>Fri, 15 Apr 2022 00:00:00 +0000</pubDate>
      <guid>/blog/urlscan-dorking/</guid>
      <description>urlscan.io is a service, with free and paid tiers, used to scan and analyse URLs. It is often used by security analysts and employees working in a SOC, and is also available as an integration add-on in several popular security tools such as Splunk SOAR and Cortex XSOAR. This post focuses on the Search functionality in urlscan.io and how it can be abused to extract sensitive content that ends up in public scans, whether through tooling misconfiguration or accidental information leakage.</description>
    </item>
    <item>
      <title>Blue Team Level 1 Review</title>
      <link>/blog/btl1/</link>
      <pubDate>Tue, 25 Jan 2022 00:00:00 +0000</pubDate>
      <guid>/blog/btl1/</guid>
      <description>Blue Team Level 1 is a certification offered by Security Blue Team. The certification is aimed at entry-level to junior roles and consists of six primary domains. At the time of writing the cost of the certification was roughly NZ$800, which included access to the training material for 4 months and 100 hours of access to a lab environment.
The training covered Security Fundamentals, Phishing Analysis, Threat Intelligence, Digital Forensics, Security Information and Event Management, and Incident Response.</description>
    </item>
    <item>
      <title>CVE-2021-40848 Mahara | CSV Injection</title>
      <link>/blog/cve-2021-40848/</link>
      <pubDate>Wed, 03 Nov 2021 00:00:00 +0000</pubDate>
      <guid>/blog/cve-2021-40848/</guid>
      <description>Mahara is an electronic portfolio system used as an eLearning tool by education institutions around the globe. The software has the ability to export records from the system into a CSV file. This blog covers how that functionality can be abused, when inputs are not escaped correctly, to achieve command execution on the machine of whoever opens the exported file in a spreadsheet application (CSV, or formula, injection).
For this demonstration, two accounts will be used. The first account plays the malicious actor, saving CSV injection payloads into editable input fields.</description>
    </item>
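The following is an added example, not code from the original post or from Mahara: a minimal CSV export written both in the vulnerable form (user input written verbatim) and in the hardened form (cells that a spreadsheet would interpret as a formula are prefixed with a single quote so they import as text), plus an audit function that scans an already exported file for formula-like cells. The rows, the user names and the `=cmd|' /C calc'!A0` payload are constructed sample data.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a
# formula; a cell beginning with one of these is evaluated rather than displayed.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export. Row 1 carries a classic DDE-style payload of the
# kind an attacker would save into an editable profile field; row 2 shows a
# legitimate value (a phone number) that also begins with a trigger character.
SAMPLE_ROWS = [
    ["id", "display_name", "email"],
    [1, "=cmd|' /C calc'!A0", "mallory@example.test"],
    [2, "+1 (555) 0100", "bob@example.test"],
    [3, "Alice Smith", "alice@example.test"],
]


def is_formula_like(cell):
    """True when a spreadsheet would treat this cell as a formula.
    Leading whitespace is stripped first, since some applications ignore it."""
    return isinstance(cell, str) and cell.lstrip().startswith(FORMULA_TRIGGERS)


def neutralise_cell(cell):
    """Prefix formula-like strings with a single quote so they import as text."""
    if is_formula_like(cell):
        return "'" + cell
    return cell


def export_csv(rows, neutralise):
    """Serialise rows to CSV text. neutralise=False reproduces the vulnerable
    export that writes user input verbatim; neutralise=True is the hardened form.
    QUOTE_ALL keeps embedded commas and quotes from breaking the row layout."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(c) if neutralise else c for c in row])
    return buf.getvalue()


def parse_csv(csv_text):
    """Read CSV text back into a list of rows (used to inspect an export)."""
    return list(csv.reader(io.StringIO(csv_text)))


def find_injection_cells(csv_text):
    """Audit an exported file: return (row, col) of every formula-like cell."""
    hits = []
    for r, row in enumerate(parse_csv(csv_text)):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_ROWS, neutralise=False)
    print("formula-like cells in vulnerable export:", find_injection_cells(vulnerable))
    hardened = export_csv(SAMPLE_ROWS, neutralise=True)
    print("formula-like cells in hardened export:", find_injection_cells(hardened))
```

The audit deliberately flags the phone number as well as the payload: the quote prefix is a blunt control that changes how legitimate values display, which is the trade-off an exporter accepts in return for never handing a spreadsheet an executable cell.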
    <item>
      <title>eLearnSecurity eJPT Review</title>
      <link>/blog/elearnsecurity-ejpt/</link>
      <pubDate>Sun, 11 Jul 2021 00:00:00 +0000</pubDate>
      <guid>/blog/elearnsecurity-ejpt/</guid>
      <description>eLearnSecurity Junior Penetration Tester (eJPT) is a certification offered by eLearnSecurity. The training for this certification is provided by its parent company, INE (Internetwork Expert). To train for eJPT, INE offers the Penetration Testing Student (PTS) pathway free of charge under the recently launched starter pass.
The training itself consists of 38 hours of content, including slides, videos, practical labs and three practice black-box labs. Coming from a HackTheBox background, I had familiarity with most of the tools and concepts offered.</description>
    </item>
    <item>
      <title>Organisation Registration Bypass – Matrix Synapse</title>
      <link>/blog/matrix-synapse-regex-bypass/</link>
      <pubDate>Mon, 05 Apr 2021 00:00:00 +0000</pubDate>
      <guid>/blog/matrix-synapse-regex-bypass/</guid>
      <description>Matrix is an open standard and protocol for real-time communication. One of the Matrix packages is the reference homeserver, known as Synapse. Synapse is essentially the server that organisations and communities run to host their own Matrix instance, which also means that those organisations control who can sign up for and access that particular server.</description>
To register on a server, the portal asks for details such as name, password, and email.</description>
    </item>
    <item>
      <title>Unvalidated Redirect HTML Viewer – Element Messenger</title>
      <link>/blog/element-unvalidated-redirect-through-html-viewer/</link>
      <pubDate>Wed, 28 Oct 2020 00:00:00 +0000</pubDate>
      <guid>/blog/element-unvalidated-redirect-through-html-viewer/</guid>
      <description>Element (formerly Riot and Vector) is an open source instant messaging application built on the Matrix protocol. Matrix is known for supporting end-to-end encryption, and the application itself is available for various platforms, including Desktop, Mobile and Web. This post addresses only the mobile (Android) version, which contained the vulnerability at the time of writing.</description>
Firstly, the Android application in question is available at this link, with the code base for the application hosted here.</description>
    </item>
    <item>
      <title>CVE-2020-26163 BigBlueButton | Host Header Injection</title>
      <link>/blog/host-header-injection-bigbluebutton/</link>
      <pubDate>Mon, 25 May 2020 00:00:00 +0000</pubDate>
      <guid>/blog/host-header-injection-bigbluebutton/</guid>
      <description>Back in April, one of the systems I was testing was a video conferencing application known as BigBlueButton, an open source challenger to Zoom.
The BigBlueButton installation comes with a user-friendly front end, known as Greenlight, which ties in nicely with the BigBlueButton server. While most corporate installations use LDAP authentication, at times an installation will rely on a standard username and password login, which is handled by Greenlight.</description>
    </item>
    <item>
      <title>CVE-2020-12113 BigBlueButton | Closed Captions XSS</title>
      <link>/blog/cve-2020-12113/</link>
      <pubDate>Mon, 20 Apr 2020 00:00:00 +0000</pubDate>
      <guid>/blog/cve-2020-12113/</guid>
      <description>As part of a penetration testing project at Catalyst IT, I conducted a test on an open source video conferencing system known as BigBlueButton, an open source challenger to Zoom.
BigBlueButton contains a closed captions module that allows a user to manually type captions, which all users with captions enabled then see at the bottom of the screen. While the ability to add captions is restricted to moderator-level permissions, the issue is exacerbated by the breakout room functionality: when it is used, all users in the breakout room are granted moderator-level permissions, allowing any of them to write captions.</description>
    </item>
    <item>
      <title>Easy Phish - HackTheBox</title>
      <link>/blog/easy-phish-hackthebox/</link>
      <pubDate>Thu, 30 Jan 2020 00:00:00 +0000</pubDate>
      <guid>/blog/easy-phish-hackthebox/</guid>
      <description>Easy Phish is an Open Source Intelligence (OSINT) challenge on hackthebox.eu, in which the challenge flag is recovered from publicly available information. This walk-through provides step-by-step instructions on how that flag can be obtained.</description>
Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?
With the challenge brief above, three main points can be identified:
The scope of the target is the secure-startup.com domain and/or other related entities.</description>
    </item>
    <item>
      <title>About Me</title>
      <link>/about/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/about/</guid>
      <description>Hello, I am Saksham.</description>
    </item>
    <item>
      <title>Melbourne Coffee Ratings</title>
      <link>/coffee/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/coffee/</guid>
      <description>This scale rates my coffee experience across Melbourne cafes and coffee brewers. Ratings are based on an order of a White or Filter Coffee, the ambience, and the service. It&amp;#39;s possible for cafes to use the same beans/roaster but have a different taste and brewing process.</description>
    </item>
    <item>
      <title>PGP Key</title>
      <link>/public_key/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/public_key/</guid>
      <description>-----BEGIN PGP PUBLIC KEY BLOCK----- xsFNBFpEjPcBEADBApS0rRxIlIc/cMnndb/p7oAlb4ECshiwe/4+2OsjuvWo /yFXsabxmN9qxHcLjFgVRBW4gbr2OVb1wTaEnOLp/jNIJyKSWQ8B6CN9JHjF 7u1y/86YKEpnxwa7UFfQF0YuRfK9O+tnNeIR7VmNJHJ4g6UCe/O5/xcDyJm6 Xhr90bUkRCFKQWp4rs/mnr9LBcarQfbxdxvbk4SrniuvdVBXIvjhSkj/Qw9R gD3owG4Ufv6+LDbmVrid6O+Hc7daU//y8kE7Vj2O2LXCRNfXocaGQpG4MPqo NWQIh1I/SwzihGMorM28u0dnTWB40a76Xf9J23AEupsw2J0Kh3GWn2I1YLcb VFiGdlN9jH0kQyfkhYM5DWaHGUDNata9Kv6bErCRY7B16y67F65iS8KIKNfC zwfhz3z95V6e3sav5Hn4iWvUOkuXCnJDUWkbcaTkWrQtd2HuVGEiGrskk0MN umsAcbgiFCNX3xtoees90MT+0DNWsvtoMJWhbBdRGqM5enKqdxZju5/E17Tc o/IYdIktowyv86nrjGEbgmANh/pJgCBsRDxb1w3AbYAk1Wvv1JvNQlyakzya clh7BZpwvWVX8vw9PbtszqlAYgbNFSqu2yq0TLXH6s9NCIH6njdNFJtlEWtV TxRFTL8/ioqWjkalYuVHYu8qzS2z0ruJeaLYrwARAQABzSNTYWtzaGFtIEFu YW5kIDxtZUBzYWtzaGFtYW5hbmQuY29tPsLBdQQQAQgAKQUCWkSM+QYLCQcI AwIJEOMmDFFb76cgBBUICgIDFgIBAhkBAhsDAh4BAAA78RAAgS/W4JkynmYQ tfqPKLqGgI0GpsycYrseizRc0tVh0Hqifr+GXeglRhnuNxuJqSGlxX75K6CB AXAjZXEXUTH3pFkDV6a06pT3VPqX7ZzHJYAouyaLFUwVHtSnTEVrq84AI5Tr QRvPTlXZ7CZwQHOj4IMVGJgtpmy9nOUsEjIGrRkJfRoUVYdxmynGqLBqmymo CO3r2MSWVJQ1oxEc1q1v19woX18FdhUpGAtqcwV4K5cK3ksElL5Q4dWnMauk I19uloFodQrVG5rA+i6qR5gqj/bGGRulrZc/z8ddsjjOYdM0Zich+GdjRbag b2c9B66n1t7abI4hygeC51v43dbjQS4yKq7qGO28dy+7pEYZa2nkuX7qfZzM 2xRp72CWKAZ/rp/lFaDmH6LBRJ9dVBOkEsArXCM2u57dA6fTcGldYMOo9NhT KQ1uIqaVFpEIO8NIpYj2LDO0hQEuLAEYdq4ld3uKbDNseVZHFFSLt9Szm6Aw J495DxWbQYpQtIThSKEwkzYvXuihR23BogOxvBtOh2gOkI/gNFET0EkvectC e0FFcTS6adsad1CG+fW629+ApkXpLvgxkG1qx5dOLscaykykzH5/tYmCZc49 Y4bB6K8nXA7gbb+PWhLXtvR0q60pScnTZpejWP6AF/zVSlz/ex95gKMwHT2J 1mBqZnmuwe7OwU0EWkSM9wEQAMQmCttSc/W3Wt7V4HIkEvHt3tk4XcxGCQJr OHHzY8Q+ePmV0wltG87t6LPx1wvqMU5MSJIe14Ls839UNU+A/vNTZ01GKl/J VIMIiUoUriDQfPHxqo7wJn12tgVa3HbNV2gHEklOO5SuF3yIl0zpLLUN7bvn gmdKDqcKBfGBrWkIr+JK4OCV/jGPTbJOw0o073ug8NjqDcNyJYNQ4tKetBKI ial5PNXaktDpTD6RAAJDvA7HrDAfT26FblaUBVRMIeKDSdWVxVapSM2MDQyD FnarQ5yAEg+/nUYAtA2iSl99guIf800r7nxs4le2dfJp7yfezjmIeGvdQrvu 
p1GAAbXhkrhHVK5IvrUA8PoSdXa6IujrgeuzZcezZ+QmDsvTebBO8gCi3QfS QQCou36VtQ6/RibRz7iqZTcUM84GePnAqRXy7N2F2ADkCoi3Pvqm08JHA+I4 koy7CgmSN9PuBcFBc1x/z2WNW/EAiO/AKx/dbbX+pLqfqI6mWkRj1pe0dWfr 8iMmLbL7hiB5RAf8AXtc3KGolu1DBITTrgdZTHVpgmpiqafLaJXS4tx0juc3 t8MN22heJp6hGyx0rIMwTG/0ToEcn115U5bnCxdPjpkN074m6x3nwEzS29Yh ebO9aM99kGvhP5aLWOmtIED3aeOI4JA7zQxFzPIQFCkqVp7fABEBAAHCwV8E GAEIABMFAlpEjPoJEOMmDFFb76cgAhsMAABNuBAAiZ6xb38OvzkX2RgvZwfh 41uCwujndsm4KE8RWT/ZXH7KT6nMIBy6dIwpQjEDCKZmEeQ8WhfhQIZ7sZT9 r/kqgfckrE04YtXyteskShJjP/vSvnmvqBieukd6RmWHA5vUNdonpZHJvAIE OnhfGtuxmfniJuFVid95tLfK4YkgDQSxEuivk3WjWnSBCWzoPTb8dzFMcuxw du0xTrgeZ76rFPG5cg7idl2TE023xDP2w2GNCYW/KmUZ4fcger43B/01hEXu V6yPVFz/9i7vQ00Pzn18Lj3K33kq1lANVrQ4DiBWp7H3MmBGU5E29ButqCAT fSB15jUuntzIUCIOPD59iCruNfNmK31iv+5pwyV6oY969yDJs7xcAeJuRKTc Px6eH/8RsznXTtnmBWR68NpNH2d6cb+svztRMizZT9kJQ4xWZ8a03wPttqv7 YWzYQz5Y790Gao+IIYEVIU1QI4hx1uXtZY3tHWZ0eEUgqDnVj3eFTi7c8LjO tWYJRmnRNyi6zswKgB4fIbY1F2dJadX89GY0h6rjKWW4P7dhnP6T8tKPrvb+ 6JoZ16DpzwsnZm60JendN5zcAnCFqlDmlr68wcWX/oG3oC6eHYQ0BxwAEMWY 6Ib/MoyVM2peAMKLzylTODdy5RHCrVs0xeZSqtwQJGC/zifpEi9c9TUx/qpD rh0= =TLSc -----END PGP PUBLIC KEY BLOCK----- </description>
    </item>
  </channel>
</rss>
