CVE-2020-28707 – XSS in Stockdio Historical Chart plugin for WordPress before version 2.8.1
This is a short explanation of a postMessage()-based XSS that I found in the Stockdio Historical Chart WordPress plugin, which can be found here. The plugin has over 1,000 active installs and a quick Google search reveals a multitude of vulnerable websites. The...
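The bug class named in the title, a postMessage() listener that trusts any sender and writes the message into the DOM, next to a hardened listener, as an added illustration. This is not the plugin's code and not the finding of the post; the handler names, the `sink` stand-in for a DOM element and the sample messages are all assumed here.

```javascript
// Added illustration of a postMessage()-based DOM XSS and its fix.
// NOT the Stockdio plugin's code: the handler names, the sink stand-in
// and the sample messages are assumptions for this example.

// Minimal stand-in for a DOM element so the example runs outside a browser.
function makeSink() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern: no origin check, payload written as HTML.
function vulnerableHandler(event, sink) {
  sink.innerHTML = event.data; // attacker-controlled markup reaches the DOM
  return true;
}

// Hardened pattern: pin the expected origin, require a structured message
// with an allow-listed value, and write it as text rather than markup.
function hardenedHandler(event, sink, allowedOrigin) {
  if (event.origin !== allowedOrigin) return false;            // reject other origins
  if (typeof event.data !== "object" || event.data === null) return false;
  if (typeof event.data.symbol !== "string") return false;       // expected shape only
  if (!/^[A-Z.]{1,10}$/.test(event.data.symbol)) return false;   // allow-list the value
  sink.textContent = event.data.symbol;                          // text sink, no HTML parsing
  return true;
}

// Constructed messages standing in for MessageEvent objects (assumed origins).
const hostileMessage = {
  origin: "https://attacker.example",
  data: '<img src=x onerror="alert(document.domain)">',
};
const legitimateMessage = {
  origin: "https://app.example",
  data: { symbol: "MSFT" },
};

// Runs both handlers against both messages and returns what reached each sink.
function demo() {
  const v = makeSink();
  vulnerableHandler(hostileMessage, v);

  const h = makeSink();
  const hostileAccepted = hardenedHandler(hostileMessage, h, "https://app.example");

  const h2 = makeSink();
  const legitAccepted = hardenedHandler(legitimateMessage, h2, "https://app.example");

  return {
    vulnerableHtml: v.innerHTML,   // contains the onerror payload
    hostileAccepted,               // false: wrong origin, string instead of object
    legitAccepted,                 // true
    legitText: h2.textContent,     // "MSFT"
  };
}
```

In a page the hardened version is registered as `window.addEventListener("message", e => hardenedHandler(e, element, "https://app.example"))`; the origin check is the part most often missing, and it is what lets any site that can open or frame the target page deliver the message.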
Practical GraphQL attack vectors
On a recent engagement we found an instance of GraphQL on a server, and I noticed that there are not many articles describing the different ways to attack GraphQL instances, even though they are used by a lot of big names in the industry, including Facebook, GitHub,...
DCTF2019 – Secret
This is the second PWN challenge of the DefCamp CTF 2019 qualification round. It involved bypassing ASLR, DEP and a stack canary using a format string vulnerability and a buffer overflow. We are supplied a binary and an IP and port. We start...
HTB – Help Writeup
HackTheBox | Difficulty rating: 20 | Linux | 19 Jan 2018
This box was fairly straightforward. The user part has to do with an unauthenticated file upload found when submitting a ticket on the web application. The tricky part is making a Python script found on searchsploit to...
PlaidCTF – Everland
I really enjoyed this challenge during Plaid CTF, even though we didn't end up getting the flag because of a minor mistake, as I will explain below. I spent a few precious hours on this challenge and did everything (well, mostly) right the first time, and all indications...
HTB – Frolic Writeup
HackTheBox | Difficulty rating: 20 | Linux | 13 Oct 2018
Even though the user part was very CTF-like, having to decode multiple esoteric languages and being directed this way and that through the application filesystem, the privesc ended up being a really nice and straight...
HTB – Carrier Writeup
HackTheBox | Difficulty rating: 30 | Linux | 22 Sep 2018
This was just an amazing box and probably my favorite one so far. For the user part we had to log in to a web application by finding a directory listing with some clues on what the box is about and an error list page that...
Getting Remote Code Execution on a PostgreSQL version later than 8.2
On a recent pentest I found myself able to read the web configuration file, which contained the database username and password for a PostgreSQL 9.4 service. That is good, but now I needed a reverse shell connection so that I could have access to...
HTB – Zipper Writeup
HackTheBox | Difficulty rating: 40 | Linux | 20 Oct 2018
This was a pretty cool box, even if I had a bit of a problem when trying to get a stable reverse shell, which made me leave the box alone for a few months until coming back to it and cursing myself for not trying something...