Eerily quiet

Hunting with the Synack Red Team has been eerily quiet. Very few "net new" targets, and anything new is exceedingly well tested by the legends/early access groups who get a 12+ hour head start, so it's either discounted vulns, or no vulns at all. Over…

Tales from the hunt: .env files

.env files are interesting as they can often contain information that should be kept away from the public. In some cases they can contain valid credentials for external-facing services that can be accessed by a hacker, as was the case in this finding. After doing some subdomain enumeration on one…

CVE-2024-25600 - WordPress - Bricks Theme - Unauthenticated RCE

I had totally missed this nasty bug when it came out earlier this year, and only became aware very recently after seeing this tweet on X. CVE-2024-25600 is an easy-to-exploit unauthenticated RCE that still affects installations of WordPress that have the Bricks Theme/Add-on installed with a version…

Tales from the hunt: Adminer in the wild

In an earlier post I walked through a cool SSRF vulnerability related to the ES plugin affecting later versions of Adminer. In much older versions it used to be possible to perform port scans using the standard MySQL plugin - and best of all it required no extra effort, everything…

CVE-2021-28940 - MagpieRSS - XSS, SSRF, and RCE

This bug is an oldie, but one that is still about if you know where to look. It holds a special place in my heart as it was the first RCE I'd found on Synack; the fact it got rejected for being a duplicate doesn't matter!…

CVE-2024-23897 - Jenkins - Arbitrary File Read

Earlier this year CVE-2024-23897 was disclosed, but I think I may have missed it during the new year and changing jobs. It was only when doing some hunting on Synack and doing some high-level scanning that I found out about it, and when I had found it and tried…