Bergee's Stories on Bug Hunting

hacking, cyber security and programming


“Hacking” the hotel room TV

2023-09-14

Hello everyone! It’s been a while since my last post. Holiday time :). And this will be some hacking experience from that time. I was staying in a hotel in sunny Portugal and after a long day of tripping, I decided to watch another episode of the “The Dropout” series. So I connected my Amazon…

Broken links hijacking and CDN takeover

Published 2023-02-28, updated 2023-03-01

Hello again! This time I want to tell you about the broken links hijacking technique, which I decided to give a chance after reading some blog posts about it. The whole process consists of grabbing all the external links from the site and checking if they point to either non-existent (NXDOMAIN) or to some domain…

How I found multiple critical bugs in Red Bull

Published 2022-12-26, updated 2023-07-26

Auth misconfiguration. One afternoon I decided to try my luck on the Red Bull VDP program. I gathered the subdomains and looked at interesting ones in the browser. I opened one of them, let’s call it subdomain.redbull.com, and I saw some web interface, which looks like this: I tried Local login and some default credentials…

Chaining multiple vulnerabilities for credential stealing

Published 2022-10-25, updated 2023-07-13

Once upon a time in a far, far hackalaxy…. there was a login form built with Angular. This story is about how I managed to steal credentials using Angular template injection, post-based XSS, and CSRF protection bypass. I can’t disclose the real target, so I’ll call our target redacted.com. Angular template injection. I visited https://subdomain.redacted.com and…

Blind account takeover

2022-09-25

In this story, I’m gonna tell you how I was able to take over an account due to a lack of server-side email verification. To register an account, the user had to enter an email and then got the activation link. This functionality was available on the main site. I entered the email, got the…

Turning cookie based XSS into account takeover

Published 2022-09-06, updated 2022-09-07

The cookie-based XSS. One evening I started hunting on the Terrahost Bug Bounty program. I was testing the terrahost.no main domain. There was a functionality where I could choose the service, then register an account and place an order. So I did that. I chose Virtual Hosting and put in all the data – username, address,…

Blind os command injection

Published 2022-08-21, updated 2022-09-07

Hi dear readers. This story is about how to find a command injection which leads to RCE, and get a “Thank you” in return :). I was hunting on one target I found via a Google dork. There was a functionality that was checking SPF records of the given domain. To clarify, a Sender Policy Framework (SPF) record is…

Five-minute hunting for hidden XSS

Published 2022-08-15, updated 2022-09-07

One night I was about to go to sleep; however, I set the goal of finding a bug within a max of 15 minutes. I did some Google dorking like this: site:*.target.com ext:php I found a site with an admin panel on it. I tried to log in with some common credential combinations such as admin/admin,…

URL filter bypass, RFI and XSS

Published 2022-08-14, updated 2022-09-07

In this story, I tell you how I was able to bypass the URL filtering rule to inject my own files into the server and eventually obtain stored XSS. As I can’t reveal the target, let’s call it redacted.com. Using waybackurls on the target I found the following URL: http://emp.redacted.com/embed.html?playlist=https://playlists.redacted.com/sport/0/football/34232917A/playlist.sxml The playlist parameter was the…

The forgotten API and XSS filter bypass

Published 2022-08-14, updated 2022-09-07

On one site I found the forum section. There was an option to join some groups and then create posts in the group. I created an account, joined some open group, and then created a post with the payload: <img src=x onerror=alert(1)> Nothing happened; the user input was properly sanitized. I tried URL encoding, double…

© 2023 Bergee's Stories on Bug Hunting