<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Medium on Myles Nieman — Blog</title><link>https://blog.msnieman.com/difficulties/medium/</link><description>Recent content in Medium on Myles Nieman — Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Thu, 02 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://blog.msnieman.com/difficulties/medium/index.xml" rel="self" type="application/rss+xml"/><item><title>Bucket</title><link>https://blog.msnieman.com/writeups/bucket/</link><pubDate>Thu, 02 Jul 2026 00:00:00 +0000</pubDate><guid>https://blog.msnieman.com/writeups/bucket/</guid><description>A web application backed by a locally exposed S3-compatible bucket allows unauthenticated file uploads; uploading a PHP web shell through the bucket endpoint gives remote code execution on the server.</description></item><item><title>Infosek</title><link>https://blog.msnieman.com/writeups/infosek/</link><pubDate>Thu, 02 Jul 2026 00:00:00 +0000</pubDate><guid>https://blog.msnieman.com/writeups/infosek/</guid><description>Exposed WordPress credentials in a public location grant admin panel access; a webshell upload reveals database credentials for the ryder account, and a Meterpreter port-forward through MySQL leads to privilege escalation.</description></item><item><title>Logging</title><link>https://blog.msnieman.com/writeups/logging/</link><pubDate>Thu, 23 Apr 2026 00:00:00 +0000</pubDate><guid>https://blog.msnieman.com/writeups/logging/</guid><description>Readable SMB log share leaks an svc_recovery password (with a year-increment pattern), Generic Write on MSA_HEALTH$ enables shadow credential abuse for WinRM access, and a DLL-hijacking scheduled task running as jaylee.clifton combined with a rogue WSUS server (ESC17) delivers a SYSTEM shell.</description></item><item><title>Deputy</title><link>https://blog.msnieman.com/writeups/deputy/</link><pubDate>Sun, 12 Apr 2026 00:00:00 +0000</pubDate><guid>https://blog.msnieman.com/writeups/deputy/</guid><description>A exposed .git directory leaks Terraform IAM ARNs; a case-sensitivity bug in the event-role API lets those ARNs cross account boundaries, eventually reading a DynamoDB record that contains credentials — which chain through the app to a root password.</description></item><item><title>Interpreter</title><link>https://blog.msnieman.com/writeups/interpreter/</link><pubDate>Sun, 22 Feb 2026 00:00:00 +0000</pubDate><guid>https://blog.msnieman.com/writeups/interpreter/</guid><description>Mirth Connect 4.4.0 is vulnerable to CVE-2023-43208 (unauthenticated RCE); database credentials in mirth.properties lead to a PBKDF2-hashed password for the sedric user, and a root-owned Flask service using eval() on attacker-controlled f-strings enables arbitrary command execution as root.</description></item><item><title>Rainbow</title><link>https://blog.msnieman.com/writeups/rainbow/</link><pubDate>Thu, 25 Dec 2025 00:00:00 +0000</pubDate><guid>https://blog.msnieman.com/writeups/rainbow/</guid><description>Anonymous FTP access combined with a custom web service on port 8080 leads to a stack-based buffer overflow that overwrites ECX; exploiting the crash yields remote code execution on this Windows medium box.</description></item><item><title>VulnCicada</title><link>https://blog.msnieman.com/writeups/vulncicada/</link><pubDate>Tue, 16 Dec 2025 00:00:00 +0000</pubDate><guid>https://blog.msnieman.com/writeups/vulncicada/</guid><description>An exposed NFS share leaks domain usernames and a credential hidden inside an image file; the password belongs to Rosie.Powell, whose account is used to exploit ESC8 via Kerberos relay and coercion, yielding a DC certificate that produces the Administrator NTLM hash for a full domain takeover.</description></item><item><title>Printer</title><link>https://blog.msnieman.com/writeups/printer/</link><pubDate>Fri, 29 Aug 2025 00:00:00 +0000</pubDate><guid>https://blog.msnieman.com/writeups/printer/</guid><description>A printer management web app leaks LDAP credentials to a Responder listener; Invoke-Pester in a constrained WinRM environment executes an arbitrary PowerShell script via SMB share, and an unattend.xml found by WinPEAS reveals local admin credentials for a DSC account — while an optional constrained delegation path demonstrates full domain compromise via Rubeus S4U2Proxy.</description></item></channel></rss>