In January, I set my self the task of taking the CREST CRT examination. I am glad to say I passed the exam (woohoo). I would say this was a greater challenge than OSCP, or at least versus how I remember the OSCP. Back when I took took the OSCP…
As 2024 is now over, I am glad that I managed to beat my targets set for earnings by a significant amount after all bugs were triaged and paid. Synack Red Team has no year wrapped to share, but... $ target achieved and then some. No more $ targets as it'…
The below CVEs affect Automatic Systems Maintenance - SlimLane - 29565_d74ecce0c1081d50546db573a499941b10799fb7. CVE-2024-48822 - Privilege escalation in Automatic Systems Maintenance at FtpConfig.php It is possible to force browse to FtpConfig.php. This allows an attacker to to both get and set the FTP configuration details, as well as use…
DATAGERRY v2.2 lacks access control in the REST API for the following endpoints: - /rest/users/<id>/settings/ (GET, POST) - /rest/users/<id>/settings/<setting> (DELETE, PUT) This allows an attacker to read settings, create settings, delete settings, and update settings of…
During the test of a large scope target, I came across an endpoint I could get to unauthenticated with a POST request that was found after reading the JS on the site. The endpoint gave information on a specific area of the business that was aimed for the businesses employees.…
A path traversal vulnerability in the CryWolf (False Alarm Management) application allows unauthenticated attackers to read files outside of the working web directory leading to the disclosure of sensitive information. By sending a traversal payload to the endpoint GeneralDocs.aspx in the rpt parameter, it is then possible to access…
This year I ended up in the top 50 (31st I think), maintained Envoy (mentor) & Hero status. I was also included in the Circle of Trust which is a nice touch. I also came top of the UK leaderboard! It was a pretty productive year in a very difficult…
.env files are interesting as they can often contain information should be kept away from the public. In some cases they can contain valid credentials for external facing services that can be accessed by a hacker, as was the case in this finding. After doing some subdomain enumeration on one…