Hacking: WPML Multilingual CMS Authenticated Contributor+ Remote Code Execution (RCE) via Twig Server-Side Template Injection (SSTI)
tldr; Server-Side Template Injection (SSTI) is one of my favorite vulnerabilities, but rarely do I see it outside of CTF competitions… The WPML Multilingual CMS plugin for WordPress, used by over 1 million sites, is susceptible to an authenticated (Contributor+) Remote Code Execution (RCE) vulnerability through a Twig server-side template injection.

Hacking: Intigriti August 2024 CTF Defcon Challenge: Safe Notes
tldr; This challenge was fun and engaging, blending CSPT with an open redirect flaw to ultimately pull off a successful XSS attack and grab the flag!

Hacking: Splashing around in the shallow end: My adventure into Bug Bounty Hunting
tldr; Reported ~300 vulns in WordPress plugins and themes, made about $27k. Have made some of my write-ups public and am working on a WordPress hacking workshop as an introduction to bug bounty.

CTF: Intigriti July 2024 CTF Challenge: Memo
This fun little challenge was to get reflected cross-site scripting (XSS) on a simple web app that is protected by a content security policy (CSP) and DOMPurify. The solution involves DOM clobbering, relative path abuse and a CSP bypass via HTML base tag injection.

CTF: NahamCon CTF 2024: My Shop Disaster
Solution for the WooCommerce WordPress plugin challenge that PatchStack submitted to the NahamCon 2024 CTF.

Hacking: Unauthenticated RCE in Anti-Malware Security and Brute-Force Firewall GOTMLS WordPress Plugin CVE-2024-22144
Unauthenticated Remote Code Execution (RCE) by chaining multiple vulnerabilities in the Anti-Malware Security and Brute-Force Firewall GOTMLS WordPress plugin.

Hacking: CVE-2024-0685 Ninja Contact Forms Data Export SQLi
The Ninja Forms Contact Form plugin for WordPress is susceptible to an SQL injection vulnerability when processing data export requests.

Hacking: CVE-2022-39841 Medusa's leaky WebSocket
A critical vulnerability in Medusa allows for information leakage, including plaintext credentials, by attaching to an unauthenticated WebSocket and waiting for a user to make a configuration change.

Hacking: CVE-2021-31607 SaltStack Minion Privilege Escalation in Snapper Module
I discovered a command injection vulnerability in SaltStack’s Salt that allows privilege escalation using malicious filenames on a minion when the master calls snapper.diff. But… I was too slow!

Hacking: CVE-2020-28243 (2) SaltStack Minion Denial of Service via Argument Injection
Recently I disclosed a local privilege escalation, CVE-2020-28243, in SaltStack’s Salt via specially crafted process names. However, due to an incomplete fix, argument injection leading to a low-impact denial of service is still possible.

Hacking: CVE-2020-28243 SaltStack Minion Local Privilege Escalation
I discovered a command injection vulnerability in SaltStack’s Salt that allows privilege escalation via specially crafted process names on a minion when the master calls restartcheck.

Metasploit: New Metasploit Module: docker_privileged_container_escape
I wrote a new Metasploit module, docker_privileged_container_escape, that escapes from a Docker container with access to the Docker socket, obtaining a root shell on the host operating system.

Software: Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
I developed a container enumeration script. Think of it like linpeas/linenum but for containers.

Hacking: Python UUEncode Vulnerability
tl;dr Found a vuln in some old and mostly unused data format in Python, spoke to Guido van Rossum (inventor of Python), and submitted a PR with a fix. I had a look at the Python source code for and discovered a vulnerability in the UUEncode methods in Python.