We are an Australian based information security company offering a wide range of services including:
- Open-source Intelligence Engagements
- Operating System Hardening Assessments
- Penetration Testing
- Phishing Simulations
- Red Team Engagements
- Security Advisory
- Security Testing
- Social Engineering
- Threat Awareness Training
- Vulnerability Scanning and Testing
Our primary goal is to provide realistic and actionable results that will help secure your organisation against cyber threats.
Feel free to browse our website, read our informational posts and guides below, or email us at email@controlc.com.au if you’d like more information, would like to schedule a meeting, or have any questions.
ZAP: Grep extract in Fuzzer to detect username enumeration via subtly different responses
Posted on April 3, 2025
| 2 minutes
| 372 words
Introduction When testing for issues such as user enumeration, the response time and size may not always be ideal indicators as the response length may be the same but the content may differ only slightly.
To ensure this is not overlooked, the “Tag Creator” message processor in the Fuzzer (for OWASP ZAP) can be used to perform a grep match for text matching a given regular expression and then extract the application’s error text to help detect even subtle differences in the application response.
[Read More]
File upload testing with Fuxploider
Posted on April 1, 2025
| 4 minutes
| 675 words
Introduction Identifying vulnerabilities in file upload functionality is often a tedious and time-consuming task, and many potential issues may be overlooked without automation. Fortunately Fuxploider (available at https://github.com/almandin/fuxploider.git) significantly streamlines this process.
Fuxploider is an open-source penetration testing tool designed to automate the detection and exploitation of flaws in file upload forms. It identifies the allowed file types and determines the most effective technique for uploading web shells or other malicious files to the target web server.
[Read More]
A not so CeWL way to build a Wordlist
Posted on February 20, 2025
| 4 minutes
| 827 words
Introduction Whilst there are many useful tools for building tailored wordlists (such as CeWL - https://github.com/digininja/CeWL and CUPP - https://github.com/Mebus/cupp) saving words while browsing a website is often overlooked and can help create the ideal wordlist for file/directory discovery and further enumeration.
This post will cover a new Firefox extension we’ve created web2words that saves all words from websites as you browse.
Warning: This extension is currently in testing (be sure to read and understand the code prior to use) so you will need to use Firefox debugging to import.
[Read More]
Chashell - Reverse Shell over DNS
Posted on February 11, 2025
| 3 minutes
| 449 words
Introduction “Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks. It comes with a multi-client control server, named chaserv.” - https://github.com/sysdream/chashell
Domain name setup Purchase a domain name of your choice (ideally something cheap and non-suspect to your target) then set up your DNS records as follows (replace 444.111.222.333 with your VPS IP):
A Record chashell 444.111.222.333 5min NS Record c chashell.
[Read More]
Visual Studio's built-in malware execution functionality (EvilSln)
Posted on October 31, 2023
| 3 minutes
| 577 words
Visual Studio contains a serious security issue that could result in a complete compromise of your machine without you even knowing!
Full credit to cjm00nw & edwardzpeng (https://github.com/cjm00n) for discovering this issue.
Exploit Scenario You’ve found a free and open-source project on GitHub related to something you’re working on that could save you weeks worth of work!
Being cautious, you browse every folder and file, reviewing the code as you go.
[Read More]
Convert plaintext to QR code on Linux
Posted on September 21, 2023
| 3 minutes
| 451 words
If you ever need to quickly share plaintext from a computer to a mobile device, generating a QR code can often prove useful and be a more secure method of information transfer in certain situations.
In this post we will Install qrencode to generate QR codes on Debian Generate sample QR codes Create a quick bash script that can be executed whenever we need to generate a QR code from input plaintext (an easy way of sharing website URLs from your computer to mobile device) Useful resources and links Linux Magazine - Generating QR Codes in Linux - https://www.
[Read More]
Linux local storage access from Citrix Workspace Windows RDP via VeraCrypt
Posted on June 7, 2023
| 2 minutes
| 349 words
Using VeraCrypt it’s possible to share files from your local Linux machine to a Windows RDP host accessible using Citrix Workspace by following the steps below.
Step 1 - Install the Citrix Workspace Linux client Install the appropriate Linux client from the official Citrix website:
https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html
Step 2 - Ensure Citrix Workspace is fully functional Connect to your Citrix server and ensure everything is functional and you’re able to RDP into your target host.
[Read More]
Monero for privacy, safety and freedom
Posted on March 6, 2023
| 3 minutes
| 536 words
Monero Means Money Monero is a fast, private and secure way to perform transactions and exchange funds online.
Useful resources and links Dr. Daniel Kim: Sound Money, Safe Mode
https://www.youtube.com/watch?v=6ckWGZdSBHA Luke Smith on Monero’s Unique Self-Propelling Nature
https://www.youtube.com/watch?v=qIMw_cI4UsA Vanessa Harris on why Society Needs True Digital Cash
https://www.youtube.com/watch?v=ewpiJTgPb4Q Cake Wallet for Monero - https://cakewallet.com/ Monero Website - https://web.getmonero.org/ Why use Monero? Safer than credit cards Fred bought a new computer from company XYZ.
[Read More]
Orbot Tor VPN on Graphene OS
Posted on February 1, 2023
| 3 minutes
| 453 words
Protect your privacy and support the Tor network Orbot is a Tor based VPN for smartphones (Android and iOS) with inbuilt features such as relaying (allowing your device to be used as a Tor relay to support the Tor network), a full-device VPN setting (which can be used with the always-on VPN functionality to ensure all traffic is routed through Tor) and an ‘Open Proxy on All Interfaces’ setting (that allows devices connected to your phone via WiFi hotspot or tethering to route through the Orbot Tor VPN on your smartphone).
[Read More]
Briar Secure Messenger
Posted on January 21, 2023
| 3 minutes
| 473 words
Peer-to-peer secure messaging “Briar is a messaging app designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate. Unlike traditional messaging apps, Briar doesn’t rely on a central server - messages are synchronized directly between the users’ devices. If the internet’s down, Briar can sync via Bluetooth or Wi-Fi, keeping the information flowing in a crisis. If the internet’s up, Briar can sync via the Tor network, protecting users and their relationships from surveillance.
[Read More]