Hacking WPML Multilingual CMS Authenticated Contributor+ Remote Code Execution (RCE) via Twig Server-Side Template Injection (SSTI) tldr; Server-Side Template Injection (SSTI) is one of my favorite vulnerabilities, but rarely do I see it outside of CTF competitions... The WPML Multilingual CMS Plugin for WordPress used by over 1 million sites is susceptible to an Authenticated (Contributor+) Remote Code Execution (RCE) vulnerability through a Twig server-side template
Hacking Intigriti August 2024 CTF Defcon Challenge: Safe Notes tldr; This challenge was fun and engaging, blending CSPT with an open redirect flaw to ultimately pull off a successful XSS attack and grab the flag!
Hacking Splashing around in the shallow end: My adventure into Bug Bounty Hunting tldr; Reported ~300 vulns in WordPress plugins and themes, made about $27k. Have made some of my write-ups public and am working on a WordPress hacking workshop as an introduction to bug bounty.
CTF Intigriti July 2024 CTF Challenge: Memo This fun little challenge was to get reflected cross-site scripting (XSS) on a simple web app that is protected by a content security policy (CSP) and DOMPurify. The solution involves DOM clobbering, relative path abuse and a CSP bypass via HTML base tag injection.
CTF NahamCon CTF 2024: My Shop Disaster Solution for the WooCommerce WordPress plugin challenge that PatchStack submitted to the NahamCon 2024 CTF.
Hacking Unauthenticated RCE in Anti-Malware Security and Brute-Force Firewall GOTMLS WordPress Plugin CVE-2024-22144 Unauthenticated Remote Code Execution (RCE) by chaining multiple vulnerabilities in the Anti-Malware Security and Brute-Force Firewall GOTMLS WordPress Plugin
Hacking CVE-2024-0685 Ninja Contact Forms Data Export SQLi The Ninja Forms Contact Form Plugin for WordPress is susceptible to an SQL injection vulnerability when processing data export requests.
Hacking CVE-2022-39841 Medusa's leaky WebSocket A critical vulnerability in Medusa allows for information leakage, including plaintext credentials, by attaching to an unauthenticated WebSocket and waiting for a user to make a configuration change.
Hacking CVE-2021-31607 SaltStack Minion Privilege Escalation in Snapper Module I discovered a command injection vulnerability in SaltStack's Salt that allows privilege escalation using malicious filenames on a minion when the master calls snapper.diff. But... I was too slow!
Hacking CVE-2020-28243 (2) SaltStack Minion Denial of Service via Argument Injection Recently I disclosed a local privilege escalation, CVE-2020-28243, in SaltStack's Salt via specially crafted process names. However, due to an incomplete fix, argument injection leading to a low impact denial of service is still possible.
Hacking Featured CVE-2020-28243 SaltStack Minion Local Privilege Escalation I discovered a command injection vulnerability in SaltStack's Salt that allows privilege escalation via specially crafted process names on a minion when the master calls restartcheck.
Metasploit New Metasploit Module: docker_privileged_container_escape I wrote a new metasploit module, docker_privileged_container_escape, that escapes from a docker container with access to the docker sock obtaining a root shell on the host operating system.
Software Featured Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE) I developed a container enumeration script. Think of it like linpeas/linenum but for containers.
Hacking Python UUEncode Vulnerability tl;dr Found a vuln in some old and mostly unused data format in python, spoke to Guido van Rossum (inventor of Python), and submitted a PR with a fix. I had a look at the Python source code for and discovered a vulnerability in the UUEncode methods in Python.