Eerily quiet
Hunting with the Synack Red Team has been eerily quiet. Very few "net new" targets, and anything new is exceedingly well tested by the legends/early access groups who get a 12+ hour head start, so it's either discounted vulns, or no vulns at all. Over…
Tales from the hunt: .env files
.env files are interesting as they can often contain information that should be kept away from the public. In some cases they can contain valid credentials for external facing services that can be accessed by a hacker, as was the case in this finding. After doing some subdomain enumeration on one…
CVE-2024-25600 - WordPress - Bricks Theme - Unauthenticated RCE
I had totally missed this nasty bug when it came out earlier this year, and only became aware very recently after seeing this tweet on X. CVE-2024-25600 is an easy to exploit unauthenticated RCE that still affects installations of WordPress that have the Bricks Theme/Add-on installed with a version…
CVE-2023-42793 - TeamCity - Authentication bypass leads to remote command execution
CVE-2023-42793 was a big hitting CVE found in JetBrains TeamCity versions below 2023.05.4. It caused mild panic for many businesses as it is a particularly nasty vulnerability that requires minimal effort to exploit. The vulnerability is an authentication bypass that leads to remote command execution. It'…
Tales from the hunt: Adminer in the wild
In an earlier post I walked through a cool SSRF vulnerability related to the ES plugin affecting later versions of Adminer. In much older versions it used to be possible to perform port scans using the standard MySQL plugin - and best of all it required no extra effort, everything…
CVE-2021-28940 - MagpieRSS - XSS, SSRF, and RCE
This bug is an oldie, but one that is still about if you know where to look. It holds a special place in my heart as it was the first RCE I'd found on Synack; the fact it got rejected for being a duplicate doesn't matter!…
CVE-2024-23897 - Jenkins - Arbitrary File Read
Earlier this year CVE-2024-23897 was disclosed, but I think I may have missed it during the new year and changing jobs. It was only when doing some hunting on Synack and doing some high-level scanning that I found out about it, and when I had found it and tried…