Getting Admin Access to an Uber Network Operations System

Hello, fellow humans. This post explains the steps I took to get admin access to a server owned by Uber running the Aruba Airwave software for network management, along with some python scripting tips to easily automate the discovery of such issues based by doing some basic analysis of HTTP responses. To summarize, the main […]

Traversing the Path to RCE

This post will detail the steps I took to find a path traversal vulnerability, and how I paired the vulnerability with the logic of the application to achieve Remote Code Execution through a shell upload. I found this while testing a mobile application that has a feature allowing users to upload and encrypt documents to […]

Gaining Filesystem Access via Blind OOB XXE

Today, I’d like to share my methodology behind how I found a blind, out of band xml external entities attack in a private bug bounty program. I have redacted the necessary information to hide the program’s identity. As with the beginning of any hunter’s quest, thorough recon is necessary to identify as many in-scope assets […]

Yahoo! RCE via Spring Engine SSTI

This is write up in which I’ll explain a vulnerability I recently found, and reported through Yahoo’s bug bounty program. When testing the security of web applications, doing reconnaissance is an important part of finding potentially vulnerable web assets, as you can discover subdomains, directories, and other assets, that could increase the surface of attack. […]

Using SSRF to extract AWS metadata in Google Acquisition

A few months ago when I was first learning about ssrf vulnerabilities, I came across a few blogs and hackerone reports explaining different scenarios in which ssrf vulnerabilities can be leveraged to escalate the impact. I was able to apply this knowledge when looking through Google’s acquisition “Apigee”. This vulnerability was found on a test […]

First Blog POST

Why does this blog exist?