No week 6, as I spent a long vacation with family.
3 hrs of hacking an SSRF to try and escalate a High to a Crit — will need to sit around for a good long while to see if they accept my escalation.
Started AWAE 30 day course, assuming this is going to eat up a lot of my time for the next month.
https://infosecwriteups.com/the-invincible-kid-7ac1ce2887c0 — Lol, love these kinds of bugs
2 hrs of hacking with nothing to show
2 hrs of hacking with nothing
2 hrs of hacking with nothing
How many times have you been testing out a new program on Hackerone just to see they use AWS WAF and then decide to move on to an easier target?
Low-hanging-fruit gatherers, like myself, can be discouraged to see a WAF protecting all the poorly coded endpoints that promise to pay off my mortgage.
When you see AWS WAF on your target, do not assume that it’s been properly configured! …
Couple hours of hunting for auth bugs
2 hrs of poking before bed and found a cool oracle bug to access secret data
Submitted as a crit, but waiting for triage to agree
1 hr of hunting for nothing
6 hrs of hunting for a single little auth bug
Triage disagreed vehemently with my oracle bug :(
Spent the morning reading all kinds of entropy documents to try and learn more about it.
Then the company reopened, so it's just going to be one of ‘those’ tickets
3 hrs hunting…
I’ve been a Web Sec Engineer for a year now and I’d like to start sharing some of the scripts and tools I’ve made for myself to help others in a similar position.
The first being a simple AWS Route 53 Monitor
The script is based off the steps put together by Cloud Conformity:
We have several AWS environments to monitor and thousands of Route53 entries so this came as a necessity to maintain the environment and to, as Cloud Conformity states:
>Ensure that any dangling DNS records are deleted from your Amazon Route 53 public hosted zones in…
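To make the "dangling DNS record" check concrete, here is an added example (not the author's monitor script and not Cloud Conformity's code) that walks a list of Route 53 record sets and flags CNAME and alias records whose targets no longer resolve. The record dictionaries follow the shape boto3's `route53.list_resource_record_sets()` returns under `ResourceRecordSets`, but the records below are constructed sample data, and the resolver is injected so the check runs offline; swapping in `resolves_via_dns` and a real zone listing is an assumption left to the reader.

```python
"""Flag Route 53 CNAME/alias records whose targets no longer resolve."""
import socket
from typing import Callable, Iterable, List, Tuple

# Constructed sample records in the boto3 ResourceRecordSets shape.
# Only Name, Type, ResourceRecords and AliasTarget are consulted here.
SAMPLE_RECORDS = [
    {"Name": "www.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "live-target.example.net."}]},
    {"Name": "old-app.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "retired-bucket.example.net."}]},
    {"Name": "api.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "gone-lb.example.net.",
                     "HostedZoneId": "ZPLACEHOLDER"}},   # placeholder id
    {"Name": "example.com.", "Type": "A",
     "ResourceRecords": [{"Value": "203.0.113.10"}]},     # plain A: no target
]


def targets_of(record: dict) -> List[str]:
    """Return the hostnames a record delegates to (empty for plain A/TXT/etc.)."""
    if "AliasTarget" in record:
        return [record["AliasTarget"]["DNSName"]]
    if record["Type"] == "CNAME":
        return [rr["Value"] for rr in record.get("ResourceRecords", [])]
    return []


def resolves_via_dns(name: str) -> bool:
    """Live resolver: True if the target still has any address record."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records: Iterable[dict],
                  resolves: Callable[[str], bool] = resolves_via_dns
                  ) -> List[Tuple[str, str, str]]:
    """Return (record name, type, target) for every target that fails to resolve."""
    dangling = []
    for record in records:
        for target in targets_of(record):
            if not resolves(target):
                dangling.append((record["Name"], record["Type"], target))
    return dangling


# Offline stand-in for DNS so the demo is deterministic (constructed).
KNOWN_LIVE = {"live-target.example.net."}


def fake_resolver(name: str) -> bool:
    return name in KNOWN_LIVE


if __name__ == "__main__":
    # In production the records would come from
    # boto3.client("route53").list_resource_record_sets(HostedZoneId=...)
    for name, rtype, target in find_dangling(SAMPLE_RECORDS, fake_resolver):
        print(f"DANGLING {rtype:5} {name} -> {target}")
```

A target that fails to resolve is a candidate for cleanup, not proof of a takeover path; conversely, a target that does resolve can still be an unclaimed resource, so this check is a first pass that should be reviewed alongside the provider's own resource inventory.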
In cryptography there is only one method that has been mathematically proven to be 100% secure. This method is the one time pad (OTP).
A one time pad is a key that is the same length as the plaintext message that it is trying to encrypt.
Remember XORs? I’ll be using the ^ to denote the XOR symbol, since it is the same as C++’s.
Here is a quick demonstration.
message1 in ASCII:
message1 in hex:
That is 24 hex characters.
So for our key we will use this guy
Courtesy of random.org
message1 ^ key…
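The XOR walkthrough above, carried through in code as an added example (not the author's own demo values): a 12-byte message (24 hex characters, matching the length stated above) is XORed with a key of the same length, and XORing the ciphertext with the same key recovers the message. The message and key bytes are constructed here rather than taken from random.org; `os.urandom` stands in for a fresh key source. The last function shows why the pad is one-time: XORing two ciphertexts made with the same key cancels the key and leaves the XOR of the two plaintexts.

```python
"""One-time pad via XOR: encrypt, decrypt, and the key-reuse failure mode."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; both inputs must be the same length."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must match the message length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    return xor_bytes(message, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # XOR is its own inverse: (m ^ k) ^ k == m
    return xor_bytes(ciphertext, key)


def new_key(length: int) -> bytes:
    """Fresh random pad of exactly `length` bytes (never to be reused)."""
    return os.urandom(length)


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer learns when one key encrypts two messages: m1 ^ m2."""
    return xor_bytes(c1, c2)


# Constructed sample values: 12 bytes each, i.e. 24 hex characters.
MESSAGE1 = b"Hello World!"
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4")

if __name__ == "__main__":
    ct = otp_encrypt(MESSAGE1, KEY)
    print("message1 in hex:  ", MESSAGE1.hex())
    print("key in hex:       ", KEY.hex())
    print("message1 ^ key:   ", ct.hex())
    print("decrypted:        ", otp_decrypt(ct, KEY))
    # Reusing KEY for a second message leaks m1 ^ m2 to anyone holding both ciphertexts.
    ct2 = otp_encrypt(b"Second text!", KEY)
    print("c1 ^ c2 == m1 ^ m2:", key_reuse_leak(ct, ct2) == xor_bytes(MESSAGE1, b"Second text!"))
```

The length check in `xor_bytes` is the whole security argument in one line: a key shorter than the message is no longer a one-time pad, and a key used twice is no longer one-time.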
App has some Docx to PDF actions, looking into XXE attacks here.
I’ve never performed an MS Office XXE, so it's a shot in the dark, but looking forward to the chance to learn.
4 hrs hacking for some business logic errors
3 hrs of hacking
4 hrs hacking for some auth issues and csrf
Weekly Wrap up
Again this week, really whiffed it on the reading. There was a lot going on at work, so I didn’t get to hack as much as I’d like, but some bounties…
Source code with annotations
File named wp-class.php
Is stored as such:
Stored as a long encoded string, to help hide the contents.
This file is for maintaining access after a backdoor is found, containing a command interface for Windows and Unix, some GUI tools, and some self-preservation functionality.
The backdoor functionality is only available if you have a cookie with the correct password set.
$authpass = "7b24afc8bc80e548d66c4e7ff72171c5";
That password is an MD5 hash of the word 'toor' which is root backwards. …
Nikto is a non-stealthy web vulnerability scanner, so don’t think the NSA doesn’t know you are using it. This tool makes it easy to get some quick results, so I especially recommend it to beginners.
The real charm of nikto is that most positive results come with the layman’s description and a link. (Read the contents of these links to become better at life.)
You can initiate your first scan with this command
nikto -h <IP or Host name>
Let's see what we get!
The first line is a fingerprint of the server’s operating system. Sometimes you get very specific…
3 hrs of hunting, leading to IDOR and Auth bug
Found a new target to play with, big app with many features and settings to mess with. The program is very slow on paying, > 1 month, but the bounties are decent, so I’m hoping it will pay dividends in the long run.
4 hrs for Business Logic Errors
The site referencing a dead domain that I purchased was closed as a dupe for someone who reported it as a “potential takeover”
Pretty bummed out about it, but that’s the game.
4 hrs for Business…
Reformed Baptist Son Of A Shepard