CORS - PortSwigger
All Cross-origin resource sharing (CORS) labs of PortSwigger.
All DOM-Based Vulnerabilities labs of PortSwigger.
The challenge code performs unsafe YAML deserialization (yaml.load with yaml.Loader) on user-controlled input without validation or sandboxing, allowing remote code execution (RCE) via crafted payloads. A token-based access control compares a guest token with a generated root token, but the check is flawed: because token generation is predictable (seeded with the current time), an attacker can bypass or control these tokens and reach the deserialization block. From there, arbitrary command execution is possible via the !!python/object/apply:os.system YAML tag or similar techniques.
All Cross-site request forgery labs of PortSwigger.
All Cross-site Scripting labs of PortSwigger with an additional cheat sheet.
Denial of Service vulnerability in Instagram causing a specific message thread to become unusable. Out of scope for Meta’s bug bounty program due to available self-mitigation (e.g., deleting the thread).
Validation is another box HTB made for the UHC competition. It is a qualifier box, meant to be easy and help select the top ten to compete later this month. Once it was done on UHC, HTB makes it available. In this box, I’ll exploit a second-order SQL injection, write a script to automate the enumeration, and identify that the SQL user has FILE permissions. I’ll use that to write a webshell and get execution. For root, it’s simple password reuse from the database. In Beyond Root, I’ll look at how this box started and ended in a container.
All SQL Injection labs of PortSwigger with an additional cheat sheet.
Active is an easy-to-medium difficulty machine, which features two very prevalent techniques to gain privileges within an Active Directory environment.
Forest is an easy Windows machine that showcases a Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC allows anonymous LDAP binds, which are used to enumerate domain objects. The password for a service account with Kerberos pre-authentication disabled can be cracked to gain a foothold. The service account is found to be a member of the Account Operators group, which can be used to add users to privileged Exchange groups. The Exchange group membership is leveraged to gain DCSync privileges on the domain and dump the NTLM hashes, compromising the system.