<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Exploitation on Prepakis Georgios | Kernelstub | Security Researcher</title><link>https://blog.kernelstub.dev/tags/exploitation/</link><description>Recent content in Exploitation on Prepakis Georgios | Kernelstub | Security Researcher</description><generator>Hugo</generator><language>en-US</language><lastBuildDate>Mon, 16 Feb 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://blog.kernelstub.dev/tags/exploitation/index.xml" rel="self" type="application/rss+xml"/><item><title>A Full Infrastructure Takeover on GSIS.GR</title><link>https://blog.kernelstub.dev/posts/a-full-infrastructure-takeover-on-gsis.gr/</link><pubDate>Mon, 16 Feb 2026 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/a-full-infrastructure-takeover-on-gsis.gr/</guid><description>&lt;p&gt;&lt;strong&gt;Table of Contents&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#phase-1-massive-reconnaissance-with-skuntscan"&gt;Phase 1: Massive Reconnaissance with SkuntScan&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-2-the-exposed-configuration-that-broke-everything"&gt;Phase 2: The Exposed Configuration That Broke Everything&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-3-ftp-and-the-forgotten-server"&gt;Phase 3: FTP and the Forgotten Server&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-4-oracle-webcenter-leaks-and-ldap-access"&gt;Phase 4: Oracle webCenter Leaks and LDAP Access&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-5-hardcoded-jwt-private-key"&gt;Phase 5: Hardcoded JWT Private Key&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-6-server-status-as-a-network-mapping-tool"&gt;Phase 6: Server-Statme as a Network Mapping Tool&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-7-iis-short-names-and-aspnet-backend"&gt;Phase 7: IIS Short Names and ASP.NET Backend&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-8-domibus-424--finding-the-zero-day"&gt;Phase 8: Domibme 4.2.4 – Finding the Zero-Day&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-9-from-xxe-to-ssh-on-borisgsisgr"&gt;Phase 9: From XXE to SSH on boris.gsis.gr&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-10-axis2-admin-service--deploying-a-backdoor"&gt;Phase 10: Axis2 Admin Service – Deploying a Backdoor&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-11-privilege-escalation-to-root"&gt;Phase 11: Privilege Escalation to Root&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-12-internal-network-pivot--the-1019318024-discovery"&gt;Phase 12: Internal Network Pivot – The 10.193.18.0/24 Discovery&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-13-staging-authentix-auth-and-the-database-goldmine"&gt;Phase 13: STAGING-AUTHENTIX-AUTH and the Database Goldmine&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-14-switches-firewalls-and-control-surfaces"&gt;Phase 14: Switches, Firewalls, and Control Surfaces&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-15-15-million-citizens--what-i-found"&gt;Phase 15: 15 Million Citizens – What I Found&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="phase-1-massive-reconnaissance-with-skuntscan"&gt;Phase 1: Massive Reconnaissance with SkuntScan&lt;/h2&gt;
&lt;p&gt;Every engagement starts with comprehensive reconnaissance. SkuntScan, our in‑house tool, combines passive enumeration with intelligent fingerprinting. It scrapes certificate transparency logs, DNS records, web archives, and then correlates everything with IP space to build a complete map of the target.&lt;/p&gt;</description></item><item><title>Advanced Linux Kernel Exploitation Techniques</title><link>https://blog.kernelstub.dev/posts/advanced-linux-kernel-exploitation-techniques/</link><pubDate>Thu, 27 Mar 2025 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/advanced-linux-kernel-exploitation-techniques/</guid><description>&lt;h2 id="introduction-to-linux-kernel-exploitation"&gt;Introduction to Linux Kernel Exploitation&lt;/h2&gt;
&lt;p&gt;Kernel exploitation sits at the top of the difficulty curve in offensive security, and for good reason. Userspace bugs get you code execution as some unprivileged process, but the kernel runs at Ring 0 (or EL1, if you&amp;rsquo;re on ARM) with unrestricted access to physical memory, every process&amp;rsquo;s address space, and every privilege check on the system. Pop a bug in the kernel and you&amp;rsquo;re not just compromising an application, you&amp;rsquo;re compromising the thing that enforces the rules for every application on the box. That&amp;rsquo;s why a single kernel LPE (local privilege escalation) bug is often worth more on the exploit market than a browser RCE: it&amp;rsquo;s the last mile between &amp;ldquo;I have a foothold&amp;rdquo; and &amp;ldquo;I own the machine.&amp;rdquo;&lt;/p&gt;</description></item></channel></rss>