Henrik Falk July 03, 2025
Abusing Chrome Remote Desktop on Red Team Operations: A Practical Guide
In this post, we’ll be exploring a practical technique for abusing Chrome Remote Desktop (also known as Google Remote Desktop) within a Red Team operation. I sometimes find myself needing to use legitimate software to achieve my goals, due to client restrictions or other preventive measures. This post is just meant to highlight how to actually use Chrome Remote Desktop on operations.
trustedsec.com/blog/abusing-chrome-remote-desktop-on-red-team-operations-a-practical-guide
How I Chained Directory Traversal and CSV Parser Abuse for RCE in a Django App
While testing a web application as part of a bug bounty program, I uncovered a critical RCE vulnerability by chaining directory traversal with a subtle CSV parsing abuse. The exploit chain involved a combination of directory traversal and subtle abuse of how the application used the pandas CSV parser, ultimately allowing me to overwrite the wsgi.py file and execute arbitrary code server-side.
jineeshak.github.io/posts/Chaining-Directory-Traversal-and-CSV-Parser-Abuse-for-RCE-in-Django
Offensive on the Source Engine Network Protocol - Part 1: InfoLeak
This post starts a series of a few dedicated to my work on exploiting the Source Engine 1 - back in 2022-2023. At the time, CS2 was not out yet, hence, the primary target was still CS:GO. In the course of these posts, I’ll talk about the few bugs that I found and how I exploited them to get remote code execution - particularly targeting CS:GO. Especially, I’ll be focusing on the network protocol of the engine, and dwelve into its internals.
mrnbayoh.github.io/blog/source-engine/2025/06/30/offensive-on-the-source-engine-network-protocol-part-1.html
