Julian Catrambone

Research & Tradecraft

OneLogin, Many Issues: How I Pivoted from a Trial Tenant to Compromising Customer Signing Keys

TL;DR OneLogin was found to have security vulnerabilities in its AD Connector service that exposed authentication credentials and enabled account…

Research & Tradecraft

Attacking FreeIPA — Part IV: CVE-2020–10747

I was informed on Wednesday June 17th 2020 that CVE 2020–10747 was revoked after it had been initially issued on…

Research & Tradecraft

Attacking FreeIPA — Part III: Finding A Path

This post is Part III in a series about my experiences attacking FreeIPA. In Part I of this series, we…

Research & Tradecraft

Building a FreeIPA Lab

Recently I started a series of blog posts detailing some of the lessons I learned about FreeIPA, how it works,…

Research & Tradecraft

Attacking FreeIPA — Part II Enumeration

In Part I of this series, we reviewed some of the background and underlying technologies utilized by FreeIPA. We also…

Research & Tradecraft

Attacking FreeIPA — Part I Authentication

Recently I had the opportunity to operate inside of an environment managed by FreeIPA. I wanted to take the time…