Recent Posts

Remote Code Execution via Unsafe YAML Deserialization with Token Bypass - DOJO 43

The challenge code performs unsafe YAML deserialization (yaml.load with yaml.Loader) on user-controlled input without validation or sandboxing, allowing remote code execution (RCE) via crafted payloads. A token-based access control compares a guest token with a generated root token, but the check is bypassable (e.g., the root token is generated predictably using the current time as seed), so an attacker can pass the authentication check and reach the deserialization block. From there, arbitrary command execution is possible via the !!python/object/apply:os.system YAML tag or similar techniques.

Instagram - DoS via Unbounded Parameter

Denial of Service vulnerability in Instagram causing a specific message thread to become unusable. Out of scope for Meta’s bug bounty program due to available self-mitigation (e.g., deleting the thread).

Validation - Hack The Box

Validation is another box HTB made for the UHC competition. It is a qualifier box, meant to be easy and help select the top ten to compete later this month. Once it was done on UHC, HTB made it available. In this box, I’ll exploit a second-order SQL injection, write a script to automate the enumeration, and identify that the SQL user has FILE permissions. I’ll use that to write a webshell and get execution. For root, it’s simple password reuse from the database. In Beyond Root, I’ll look at how this box started and ended in a container.