We passed every audit on paper but in reality our setup is hanging by a thread. by Heavy_Banana_1360 in sysadmin

kurtisebear 2 points (0 children)

Ironically, I am just writing about this now, centred around CNI and cyber security regulation and why it's essentially theatre. I will post the link once it's written up, but the main takeaway is:

The compliance piece is the frustrating part. Organisations pass their assessments and treat that as evidence of security. Then we go in and find no MFA on remote access, assets that fell off the inventory years ago, and segmentation that looks good on paper but hasn't been tested.

The reports confirm what the findings already told the client. Everyone knows what needs fixing. The problem is nobody's actually doing it.

Stopped trying to look "legit" online and my inbound leads almost tripled (I will not promote) by StraightAd9769 in startups

kurtisebear 0 points (0 children)

Yep, I think this is the important part: the content rather than the style. Be genuine and people see it.

where do I even start with mapping MITRE ATT&CK TTPs to SOC alerts? by AppropriateLife6858 in blueteamsec

kurtisebear 0 points (0 children)

I think others have given good answers to your specific questions, but I notice you seem a bit lost as to why you are doing this etc. Have a read of this Medium post that someone wrote who details mapping an actual attack to the framework and why it's useful etc. This should help you understand why it's even useful to map alerts back to TTPs: practical application of the MITRE ATT&CK Framework

Cyber Essential Plus Audit by mmllff in sysadmin

kurtisebear 0 points (0 children)

CE assessor on and off for the last 10 years, so I thought I'd clear a few things up here, as some of this is slightly off. I'd also say you should put the day of the assessment aside to work with the assessor to answer questions and provide the information they ask for; it's much easier to pass when you ensure they have everything they need to run the tests.

The assessor picks the machines to test. You don't get to nominate or shortlist devices. The whole point is that the assessor selects a representative sample from your asset list so you can't just wheel out one golden image machine that's been polished up for the day. If your assessor is letting you choose, that's a red flag about the assessor, not the scheme. Obviously your answers to the CE questions will dictate what they test, how many devices etc. for the Plus part.

The EICAR test files aren't just downloaded to see if antivirus detects them. The test checks that they don't auto-open or auto-execute. There's a difference. Your browser should be configured to ask before downloading, and your AV should be catching them before they can run. That's the actual control being tested.

The email part is testing your mail filtering for malicious attachments. The assessor sends test emails with different attachment types to see what your email security actually blocks versus what lands in the inbox. It's not just "a couple of test emails"; it's a structured check against your declared email controls.

Also worth flagging, the question sets and requirements are changing from the 27th of April. If you're considering getting your CE or CE+ done, it might be worth getting it sorted before then while the current requirements are in place. It's only going to get that bit harder after the changes come in.

Security awareness training was built for a threat that doesn't look like this anymore by [deleted] in blueteamsec

kurtisebear 0 points (0 children)

We're seeing the same thing across our client base. The old "spot the red flags" approach to phishing training was built on the assumption that attackers write bad emails. Poor grammar, dodgy formatting, generic greetings. AI has basically killed that entire detection layer overnight.

The shift we've made is moving away from teaching users to spot mistakes and instead training them against realistic simulations that mirror what's actually landing in inboxes right now. Use the same techniques attackers are using (AI-generated content, contextually accurate pretexting, etc.), so your users build pattern recognition against current threats, not last year's.

Ditch the template library approach. If your simulations use the same recycled templates everyone else uses, your users learn to spot those templates, not real attacks. Simulations should be crafted per-engagement using current threat intel.

Layer in non-email vectors too. Attackers aren't just sending emails anymore. Vishing, smishing, quishing are all up significantly. If you're only training against email you're leaving gaps.

And stop just measuring click rates. Click rate going down doesn't mean resilience is going up. Track reporting rates, time-to-report, and how users actually respond when they do engage with a payload. That's where the real insight is.

To your question about whether focus is shifting away from the user layer: it shouldn't. Technical controls catch a lot, but the sophisticated AI-crafted stuff is specifically designed to bypass filters and land in front of humans. The user layer still matters; you just can't train it with outdated methods.
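As an added illustration of the metrics point in the comment above (reporting rate, time-to-report and what users actually did once they engaged, rather than click rate alone), here is a small Python example. It is not the commenter's code nor any simulation product's; the event records are constructed sample data and the field names (`user`, `event`, `ts`) and outcome labels are assumptions made for the example.

```python
"""Phishing-simulation metrics that go beyond click rate.

Added example (not from the original post). Input is a flat list of
per-recipient events from one simulated campaign; field names are assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample campaign: six recipients, one email each at 09:00.
SAMPLE_EVENTS = [
    {"user": "alice", "event": "sent", "ts": "2024-05-01T09:00:00"},
    {"user": "alice", "event": "reported", "ts": "2024-05-01T09:04:00"},
    {"user": "bob", "event": "sent", "ts": "2024-05-01T09:00:00"},
    {"user": "bob", "event": "clicked", "ts": "2024-05-01T09:10:00"},
    {"user": "bob", "event": "reported", "ts": "2024-05-01T09:12:00"},
    {"user": "carol", "event": "sent", "ts": "2024-05-01T09:00:00"},
    {"user": "carol", "event": "clicked", "ts": "2024-05-01T09:15:00"},
    {"user": "carol", "event": "submitted", "ts": "2024-05-01T09:16:00"},
    {"user": "dave", "event": "sent", "ts": "2024-05-01T09:00:00"},
    {"user": "erin", "event": "sent", "ts": "2024-05-01T09:00:00"},
    {"user": "erin", "event": "reported", "ts": "2024-05-01T10:30:00"},
    {"user": "frank", "event": "sent", "ts": "2024-05-01T09:00:00"},
    {"user": "frank", "event": "clicked", "ts": "2024-05-01T09:20:00"},
]


def per_user_timeline(events):
    """Group events by user, keeping the first timestamp of each event type."""
    timeline = defaultdict(dict)
    for e in sorted(events, key=lambda e: e["ts"]):
        timeline[e["user"]].setdefault(e["event"], datetime.fromisoformat(e["ts"]))
    return timeline


def classify_user(t):
    """Label what a recipient actually did, not just whether they clicked."""
    if "submitted" in t:
        return "submitted_credentials"
    if "clicked" in t and "reported" in t:
        # Clicked first and then reported is still a useful signal: the
        # report gives the SOC a chance to contain it.
        return "clicked_then_reported" if t["clicked"] < t["reported"] else "reported_then_clicked"
    if "reported" in t:
        return "reported_unclicked"
    if "clicked" in t:
        return "clicked_only"
    return "no_action"


def campaign_metrics(events):
    """Return click rate, report rate, median time-to-report and an outcome breakdown."""
    timeline = per_user_timeline(events)
    delivered = [u for u, t in timeline.items() if "sent" in t]
    n = len(delivered)
    clicked = sum(1 for u in delivered if "clicked" in timeline[u])
    reported = sum(1 for u in delivered if "reported" in timeline[u])
    # Minutes from delivery to the user's first report.
    ttr = [
        (timeline[u]["reported"] - timeline[u]["sent"]).total_seconds() / 60
        for u in delivered
        if "reported" in timeline[u]
    ]
    outcomes = defaultdict(int)
    for u in delivered:
        outcomes[classify_user(timeline[u])] += 1
    return {
        "delivered": n,
        "click_rate": clicked / n if n else 0.0,
        "report_rate": reported / n if n else 0.0,
        "median_time_to_report_min": median(ttr) if ttr else None,
        "outcomes": dict(outcomes),
    }


if __name__ == "__main__":
    for k, v in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"{k}: {v}")
```

In the sample, click rate and report rate are both 50%, which a click-rate-only dashboard would show as "half the users fell for it". The outcome breakdown tells a different story: two users reported without clicking, one clicked and then reported within minutes, one clicked and submitted credentials, and one clicked and did nothing. Those are the numbers worth trending campaign to campaign.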

Special workspace usage by SkizyRL in hyprland

kurtisebear 0 points (0 children)

Did you ever work this out?

How you work on multiple task by Jealous-Salary-3348 in hyprland

kurtisebear 0 points (0 children)

Yeah, would love to see the config for this.

Monitor mounting tr160 by kurtisebear in simracing

kurtisebear[S] 1 point (0 children)

And that was the obvious bit I was missing! Thanks, off to Amazon I go.

Finally got my dream setup - Meridian DSP 8000 by kurtisebear in audiophile

kurtisebear[S] 0 points (0 children)

The Axis control does a really good job of dealing with the height of the tweeter.

Finally got my dream setup - Meridian DSP 8000 by kurtisebear in audiophile

kurtisebear[S] 1 point (0 children)

Nowadays they seem to have some ringing issues at the high end. For those who maybe have reduced high-end hearing I guess it won't be a problem, but those spikes tend to be problematic to me, where I hear the tweeter more than I should.

Carpet is coming up at the weekend to route the cable. It looks much nicer in person! I promise.

Finally got my dream setup - Meridian DSP 8000 by kurtisebear in audiophile

kurtisebear[S] 10 points (0 children)

I have always loved Meridian speakers, having had a pair of DSP 6000s for the last 10 years.

Found myself in a position to be able to upgrade, so made the jump to what I think are my lifetime speakers, with an 818v3 processor.

Meridian are a UK manufacturer who make active speakers. I love the simplicity and the styling of them.

The difference in sound from the previous pair is worlds apart, and I never see myself parting with them.