Tales from the hunt: The Chatbot

During the test of a large scope target, I came across an endpoint I could get to unauthenticated with a POST request that was found after reading the JS on the site. The endpoint gave information on a specific area of the business that was aimed at the business's employees…

CVE-2024-45241 - Path Traversal in CentralSquare's CryWolf

A path traversal vulnerability in the CryWolf (False Alarm Management) application allows unauthenticated attackers to read files outside of the working web directory leading to the disclosure of sensitive information. By sending a traversal payload to the endpoint GeneralDocs.aspx in the rpt parameter, it is then possible to access…

End of the Synack Recognition Year (23/24)

This year I ended up in the top 50 (31st I think), maintained Envoy (mentor) & Hero status. I was also included in the Circle of Trust which is a nice touch. I also came top of the UK leaderboard! It was a pretty productive year in a very difficult…

Tales from the hunt: .env files

.env files are interesting as they can often contain information that should be kept away from the public. In some cases they can contain valid credentials for external facing services that can be accessed by a hacker, as was the case in this finding. After doing some subdomain enumeration on one…

CVE-2024-25600 - WordPress - Bricks Theme - Unauthenticated RCE

I had totally missed this nasty bug when it came out earlier this year, and only became aware very recently after seeing this tweet on X. CVE-2024-25600 is an easy-to-exploit unauthenticated RCE that still affects installations of WordPress that have the Bricks Theme/Add-on installed with a version…

Tales from the hunt: Adminer in the wild

In an earlier post I walked through a cool SSRF vulnerability related to the ES plugin affecting later versions of Adminer. In much older versions it used to be possible to perform port scans using the standard MySQL plugin - and best of all it required no extra effort, everything…