Bergee's Stories on Bug Hunting

hacking, cyber security and programming

Author: bergee

Two crits, one zip

Posted on 2025-12-23, updated 2025-12-30 by bergee

Ho, ho, ho, Merry Christmas everyone 🙂 Xmas is coming, and I am bringing the write-up on the RCE I found in Zip upload functionality. I tested a company that sells domains and hosting. One of the hosting types is simple static hosting, which allows uploading zip files, and this zip file is automatically extracted in…

Why do you need the VPS for bug bounty

Posted on 2025-11-25 by bergee

When I started doing bug bounty, I was using my home computer for everything: recon, host scanning, domain bruteforcing, port scanning, subdomain enumeration, screenshotting websites. All was good until the first problems arose. While scanning, some pages blocked me, so my girlfriend and I couldn’t use the website. There were also problems with VOD…

WAF bypass and credential theft with XSS and Google Analytics

Posted on 2025-10-31, updated 2025-11-04 by bergee

Hello. In this post, I will tell you how I was able to escalate the bug from HTML injection to stealing credentials via Google Analytics… well, almost 😉 I was testing the website and inserted “><u>aaa</u> into the main search bar without big expectations. I was really surprised when I saw aaa. Next step was…

How two dollars and one zip file let me read the server files

Posted on 2025-09-12, updated 2025-11-04 by bergee

Hi there. There was an app which allowed me to buy domains and offered different types of hosting. First I was testing the free features of the app and found a really cool XSS bug, but that is a different story :). Then I decided to invest some money and bought the domain, let’s call it…

Subdomain takeover – easy $150 for five minutes of work

Posted on 2025-08-07 by bergee

Hello. The title might have been clickbait but it is not. I started from recon and discovered as many subdomains as possible of the target.com company. Then I used the dnsx tool to check all NXDOMAINS which have CNAME records. Among them I found the subdomain pointing to cloudapp.azure.com domain, which looked like this: dev.target.com 600…

How I hacked XXXX for fun and !profit

Posted on 2025-02-09 by bergee

I am a little bit late but Happy New Year 🙂 In the beginning of the year I decided to hack one company, let’s call it XXX as I can’t give the real name. The company is running a VDP program and offers only letters of appreciation. So I wanted to get one. I started my…

Accessing admin panel with fuzzing, digging and guessing

Posted on 2024-10-16 by bergee

Hello folks. This time I want to tell you the story of how I gained access to some admin functionalities and leaked some sensitive info using FUFF, Burp, my eyes, and brain :). Fuzzing: Let’s call the target “redacted.com”. I started fuzzing the target with FUFF and found an /admin endpoint https://redacted.com/app/admin which displayed: “Sorry you’re…

From AngularJS CSTI to credentials theft

Posted on 2024-07-03, updated 2024-07-04 by bergee

Hello again. This time I will tell you about the easy way of credentials theft. I was doing some recon on some sites. I stumbled upon a site with a login form. I checked Wappalyzer and saw the site is using Angular 1.1.3. I immediately put the {{7*7}} payload in the login form and pressed the…

The story of exposed service, SSRF, CSP bypass and credentials stealing via XSS

Posted on 2024-03-20, updated 2024-03-22 by bergee

Hello there. Another day, another bug 🙂 I started looking at the portal at redacted.com. The portal was written in PHP so I started fuzzing it a bit with fuff. Due to rate limiting this took some time. I found the endpoint called /resize. When I entered it I saw just: [img] Must set src-attribute….

“Hacking” the hotel room TV

Posted on 2023-09-14 by bergee

Hello everyone. It’s been a while since my last post. Holiday time :). And it will be some hacking experience from that time. I was living in a hotel in sunny Portugal and after a long day of tripping, I decided to watch another episode of the “The Dropout” series. So I connected my Amazon…

Hackers' playground


https://www.tryhackme.com
https://www.pentesterlab.com
https://www.hackthebox.com
https://portswigger.net/web-security/all-labs