[Hacking] WPML Multilingual CMS Authenticated Contributor+ Remote Code Execution (RCE) via Twig Server-Side Template Injection (SSTI)
tldr; Server-Side Template Injection (SSTI) is one of my favorite vulnerabilities, but rarely do I see it outside of CTF competitions… The WPML Multilingual CMS Plugin for WordPress, used by over 1 million sites, is susceptible to an Authenticated (Contributor+) Remote Code Execution (RCE) vulnerability through a Twig server-side template injection.
[Hacking] Intigriti August 2024 CTF Defcon Challenge: Safe Notes
tldr; This challenge was fun and engaging, blending CSPT with an open redirect flaw to ultimately pull off a successful XSS attack and grab the flag!
[Hacking] Splashing around in the shallow end: My adventure into Bug Bounty Hunting
tldr; Reported ~300 vulns in WordPress plugins and themes, made about ~$27k. Have made some of my write-ups public and am working on a WordPress hacking workshop as an introduction to bug bounty.
[CTF] Intigriti July 2024 CTF Challenge: Memo
This fun little challenge was to get reflected cross-site scripting (XSS) on a simple web app that is protected by a content security policy (CSP) and DOMPurify. The solution involves DOM clobbering, relative path abuse and a CSP bypass via HTML base tag injection.
[CTF] NahamCon CTF 2024: My Shop Disaster
Solution for the WooCommerce WordPress plugin challenge that PatchStack submitted to the NahamCon 2024 CTF.
[Hacking] Unauthenticated RCE in Anti-Malware Security and Brute-Force Firewall GOTMLS WordPress Plugin CVE-2024-22144
Unauthenticated Remote Code Execution (RCE) by chaining multiple vulnerabilities in the Anti-Malware Security and Brute-Force Firewall GOTMLS WordPress Plugin.
[CTF] Intigriti February CTF Challenge: Love Letter Storage
tl;dr: Solved an awesome Valentine’s Day challenge by @goatsniff from Intigriti. I gained valuable insights into using character conversions to bypass XSS protections and learned about data exfiltration through the manipulation of cookie paths.
[Hacking] CVE-2024-0685 Ninja Contact Forms Data Export SQLi
The Ninja Forms Contact Form Plugin for WordPress is susceptible to an SQL injection vulnerability when processing data export requests.
Intigriti December CTF Challenge: Smarty Pants
I decided to dust off my hacking hat and delve back into CTF challenges with the Intigriti December challenge. Here’s my write-up on the journey I had with this interesting puzzle, teaching me new tricks and reinforcing old skills.
[Hacking] CVE-2022-39841 Medusa's leaky WebSocket
A critical vulnerability in Medusa allows for information leakage, including plaintext credentials, by attaching to an unauthenticated WebSocket and waiting for a user to make a configuration change.
[CTF] dCTF - Just Take Your Time
Over the weekend I participated in dCTF by DragonSec SI along with some friends. There were some really interesting and unique challenges in this CTF.
[Hacking] CVE-2021-31607 SaltStack Minion Privilege Escalation in Snapper Module
I discovered a command injection vulnerability in SaltStack’s Salt that allows privilege escalation using malicious filenames on a minion when the master calls snapper.diff. But… I was too slow!
[Hacking] CVE-2020-28243 (2) SaltStack Minion Denial of Service via Argument Injection
Recently I disclosed a local privilege escalation, CVE-2020-28243, in SaltStack’s Salt via specially crafted process names. However, due to an incomplete fix, argument injection leading to a low impact denial of service is still possible.
[Hacking] CVE-2020-28243 SaltStack Minion Local Privilege Escalation
I discovered a command injection vulnerability in SaltStack’s Salt that allows privilege escalation via specially crafted process names on a minion when the master calls restartcheck.
[CTF] HTB CTF Write-up: Gunship
The HTB x Uni CTF 2020 - Qualifiers have just finished and I wanted to write up some of the more interesting challenges that we completed.
[CTF] HTB CTF Write-up: Cargo Delivery
Cargo Delivery was a Python command line application that uses AES CBC encryption and is vulnerable to a padding oracle attack.
[CTF] HTB CTF Write-up: Cached Web
The HTB x Uni CTF 2020 - Qualifiers have just finished and I wanted to write up some of the more interesting challenges that we completed.
[CTF] Metasploit Community CTF 2020 (Dec) Write-up: 5-of-clubs (port 8101)
Summary: The 5-of-clubs challenge was to write a Metasploit module that is uploaded and run on a computer to which you do not have direct access. The module is uploaded along with a resource file that is used to automate Metasploit; the output is logged and can be viewed following execution.
[CTF] Metasploit Community CTF 2020 (Dec) Write-up: 7-of-spades (port 8888)
Summary: The 7-of-spades challenge is a basic Python web application that lists information about Metasploit modules. It uses a pickle saved in base64 to a cookie that can be modified to get remote code execution.
[CTF] Metasploit Community CTF 2020 (Dec) Write-up: 9-of-clubs (port 1337)
This fun little challenge was solved by our binary exploitation expert: benything.
[CTF] Metasploit Community CTF 2020 (Dec) Write-up: ace-of-clubs (port 9009)
Summary: The ace-of-clubs challenge presented an SSH server on port 9009 that had an easy-to-guess login. This is followed by a privilege escalation to root in a custom binary using a file overwrite exploit.
[CTF] Metasploit Community CTF 2020 (Dec) Write-up: queen-of-hearts (port 9008 & 9010)
Summary: The queen-of-hearts challenge was on two ports: 9010, which contained a downloadable Java .jar file, and 9008, which was the service that you needed to interact with. Initially it appeared to be an insecure deserialisation exploit, and while it is likely that that was also present, the flag could be obtained using a simple logic flaw, as the application was relying on a client-side check for authentication status.
[CTF] Metasploit Community CTF 2020 (Dec)
Metasploit ran another community CTF this year, and we decided to put forward a team. The team ended up bigger than all other teams I’ve been part of before and hence the PrettyBeefy team was born.
[Software] New Metasploit Module: enum_containers
I wrote a new Metasploit module, enum_containers, that enumerates a target post-exploit, detects container platforms and lists any containers that are actively running on them.
[Metasploit] New Metasploit Module: docker_privileged_container_escape
I wrote a new Metasploit module, docker_privileged_container_escape, that escapes from a Docker container with access to the Docker sock, obtaining a root shell on the host operating system.
[Software] Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
I developed a container enumeration script. Think of it like linpeas/linenum but for containers.
[Software] Portdroid - Network Analysis Kit & Port Scanner
PortDroid is a Network Analysis Application that helps Network Administrators, Penetration Testers and Hackers with several useful networking tools.
[Software] RootBeer - Root Detection Library for Android
A tasty root checker library and sample app. We’ve scoured the internets for different methods of answering that age-old question… Has this device got root?
[Hacking] Python UUEncode Vulnerability
tl;dr Found a vuln in some old and mostly unused data format in Python, spoke to Guido van Rossum (inventor of Python), and submitted a PR with a fix. I had a look at the Python source code for and discovered a vulnerability in the UUEncode methods in Python.