h1-ctf: [h1-2006 2020] Writeup h12006 CTF
^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Impact...
h1-ctf: [h1-2006 2020] CTF Walkthrough
h1-2006-ctf Writeup June 2020 https://hackerone.com/h1-ctf/ The Competition Begins! The tweet announces the CTF challenge. Looks like we will need to find a way to process some payments. F863442 Initial Exploring Reading up on the extended description at https://hackerone.com/h1-ctf/ reveals that...
h1-ctf: [H1-2006] CTF Writeup
H1-2006 CTF Writeup I am fairly new to CTFs - this is just my second CTF after H1-415 CTF, at which I didn't get far at all. I think the most valuable thing I can do for anyone who comes across this writeup, is to describe exactly what I was thinking at each step along the way, including all my...
h1-ctf: [h1-2006 2020] Write up for H1-2006 CTF
I huffed and puffed my way up a flight of stairs into a dimly lit, dusty room, looking for Sherlock. As I made my way through scattered books, I exclaimed, "Sherlock, wake up! It's that time of the year. h1-ctf, a chance to get an invitation to hackerone's live hacking event." "zer0ttl, of course! Yo...
Nintendo: [3DS][SSL] Use of uninitialized class member leads to RCE in eShop movie player
Affected Systems - Platform : New Nintendo 3DS - Region: ALL - System version: 11.13 latest at the time of writing Description The eShop video player does not initialize pointers to some decoder objects when creating a video player object. With a specific audio codec this induces the use of...
Nextcloud: Contacts menu (not app) fails to restrict (to local groups) for contacts from federated servers
In two Nextclouds A and B, in settings/admin/sharing, these settings are enabled: Restrict users to only share with users in their groups Restrict username autocompletion to users within the same groups Add server automatically once a federated share was created successfully Some user on A now...
Ruby on Rails: Rack parses encoded cookie names allowing an attacker to send malicious `__Host-` and `__Secure-` prefixed cookies
The rack cookie parser parses the cookie string using unescape. This allows a malicious attacker to set a second cookie with the name being percent encoded. Typically it would be expected that we cannot trust cookies and in most cases that's true. However in a couple of cases certain expectations...
h1-ctf: [h1-2006 CTF] Multiple vulnerabilities leading to account takeover and two-factor authentication bypass allow sending pending bounty payments
Hi, First things first, the flag of the CTF challenge. F863095 Write-Up I've published my write-up at https://kapytein.nl/texts/2020-06-10-h1-2006-ctf-writeup-2cf34abd3ed/, in order to avoid a lengthy report 😅. TL;DR 1 2FA bypass as we control both values on the comparison. 2 SSRF to...
GSA Bounty: Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint
Summary: Due to improper route handling, multiple malicious actions are possible. An attacker is able to call Class/Function/Param1/Param2 directly from the source code. This may lead to calling functions that should not be accessible from the GUI. Any Class from...
h1-ctf: [h1-2006 2020] Chained vulnerabilities lead to account takeover
Summary Mårten Mickos lost his account for BountyPay, the new service HackerOne is using to pay bug bounties. In this report I explain how I accessed a customer's account using a log file and bypassed its 2FA validation. I then leverage an open redirect bug to gain access to an internal server an...
h1-ctf: [H1-2006 2020] How I solved my first H1 CTF
Introduction: Hello! My name is @cr33pbp0y and I'm going to tell you how I resolved my first HackerOne CTF. Prelude One day, I was reading some tweets about some new vulnerabilities and new hunter acquisitions when the Great H tweeted: F861267 I thought: "WoW, a new virtual event!! It could be...
Mail.ru: Grafana SSRF in grafana.instamart.ru
non-blind SSRF in grafana.instamart.ru...
h1-ctf: [H1-2006 2020] Multiple vulnerabilities allow leaking sensitive information
Summary: --------------------- Hello team! This report is detailed write-up for chain of vulnerabilities that ended up with leaking sensitive information - a flag. CTF itself was really fun and I've enjoyed it. Hope you find my report valid and useful. Steps To Reproduce: ---------------------...
h1-ctf: [H1-2006 2020] Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or using a custom API attack tool
H1-2006 CTF Writeup F859938 Summary: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of...
h1-ctf: [H1-2006 2020] Exploiting multiple vulnerabilities to get hacker's payment ensured
Last week, Hackerone's CEO Marten lost his credentials for BountyPay. A tweet from hackerone's official twitter account asked for help from ethical hackers and bounty hunters to help the CEO recover his credentials and ensure May's payments. As an active bug hunter on Hackerone, I decided to take...
Nintendo: [3DS][SSL] Improper certificate validation allows an attacker to perform MitM attacks
Affected Systems - Platform: New Nintendo 3DS - Region: ALL - System version: = 11.13 Description The SSL system module does not properly validate the x509 certificates when establishing an SSL/TLS connection. Actually, the SSL system module does not check the signatures when validating a...
Open-Xchange: XSS on opening malicious OpenOffice presentation document
Title Opening a malicious OpenOffice presentation document may lead to cross site scripting XSS attacks Description When generating HTML content for drawings present in an odp file, a div is generated by Drawing.java. The attribute target of this div is directly constructed from the field target...
Open-Xchange: XSS on opening malicious OpenOffice presentation document
Title Opening a malicious OpenOffice presentation document may lead to cross site scripting XSS attacks Description When generating HTML content for master slides present in an odp file, a div is generated by Container.java. The attribute data-container-id of this div is directly constructed from...
Open-Xchange: XSS on opening a malicious OpenOffice text document
Title Opening a malicious OpenOffice text document may lead to cross site scripting XSS attacks Description When generating HTML content for a comment present in a text file, a placeholder div is generated by CommentPlaceHolder.java. The attribute data-container-id of this div is directly construct...
BlockDev Sp. Z o.o: Email HTML injection
Email HTML injection...
Nextcloud: XSS through image upload of contacts using svg file
This is a bypass of report 808287 Upload the attached file for the image of a contact, right click "Open image in new tab" and you will see the xss. Impact The person viewing the image of a contact can be victim of XSS...
GitHub Security Lab: CodeQL query to detect Server-Side Template Injections (JavaScript)
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CodeQL query for unsafe TLS versions
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: CodeQL query for MVEL injections
This bug was reported directly to GitHub Security Lab...
h1-ctf: [H1-2006 2020] From multiple vulnerabilities to complete ATO on any customer account and staff admin
First of all, thanks for the awesome CTF. I enjoyed it very much : Summary The CTF was about helping HackerOne's beloved CEO, @martenmickos, to approve May bug bounty payments after he has lost his login details for BountyPay. It all started with this tweet: F860982 And as you all know, I had to...
Mail.ru: Subdomain takeover on tilda.geekbrains.ru and fl-change.geekbrains.ru
A few unused subdomains of geekbrains.ru were delegated to tilda.cc and were not claimed...
h1-ctf: @shakedko H1-2006 CTF writeup
TL;DR Flag is: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$. Thank you for this awesome challenge! Introduction I have participated in this CTF as I wanted to see how far I'd be able to get considering the fact that I'm doing bug bounty for a relatively short time. Coming from the software...
h1-ctf: [H1-2006 2020] CTF write-up
Summary: Hello HackerOne team! I finally managed to solve this long but really nice CTF! Here is the flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$. You can access my writeup at https://diego95root.github.io/posts/H1-2006-CTF/. It's password protected, the password is the flag. Thank you so...
GitLab: An attacker can run pipeline jobs as arbitrary user
Summary An attacker can run arbitrary pipeline jobs as a victim user. This means the attacker can access the user private repositories, member only repositories, registry, etc... by using the victim CIJOBTOKEN token. This is only my recent research and I wanted to report it as soon as possible. I...
Shopify: xss on polaris.shopify.com/demo using postMessage
Description It's possible to run arbitrary js code using https://polaris.shopify.com/demo + postMessage. The following code is from this file, formatted using prettier. The Demo component at line 381 uses addEventListener to listen for message events; line 401: js componentDidMount...
Open-Xchange: Null dereference in mcht_relational_validate ext-relational-common.c:136
To reproduce, run test suite on following input : require "vnd.dovecot.testsuite"; require "relational"; require "comparator-i;ascii-numeric"; require "body"; / / testset "message" text: From: Whomever To: Someone Date: Sat, 10 Oct 2009 00:30:04 +0200 Subject: whatever . ; / RFC5173, Section 5.2:...
Mail.ru: Subdomain Takeover at blog.instamart.ru
It was possible to claim unused instamart.ru subdomain delegated to external cloud service...
Razer: [api.easy2pay.co] SQL Injection in cashcard via card_no parameter ⭐️Bypassing IP whitelist⭐️
The tester discovered a Razer Thailand server suffered from a SQL injection vulnerability due to input sanitization failure. Razer thanks the tester for his diligence and clear report...
Razer: [api.easy2pay.co] SQL Injection at fortumo via TransID parameter [Bypassing Signature Validation🔥]
The tester discovered the api.easy2pay.co suffered from a SQL injection vulnerability, affecting Razer Gold Thailand. Razer thanks the tester for his report and diligence...
Node.js third-party modules: Arbitrary code execution via untrusted schemas in is-my-json-valid
I would like to report an arbitrary code execution vulnerability in is-my-json-valid. It allows executing arbitrary code if an attacker-controlled schema is passed to is-my-json-valid. The module Readme doesn't say anything about the risks of untrusted schemas, so I by default assume that this i...
h1-ctf: [H1-2006 2020] Includes 1 free content discovery
Summary Got it! Thanks guys for going through the trouble to make these. Best regards @nahamsec @adamtlangley @B3nac for hosting and @hackingfish @zonkism and @clos for peer support to make it. Writeup to follow, but let's have the flag first! F859962 Impact Participating in CTFs can cause...
h1-ctf: [H1-2006 2020] In-depth resolution of the h1-2006 CTF
H1-2006 Write-up bountypay.h1ctf.com First of all, huge thanks to the creators for this CTF, it was really fun and got me to improve a lot! It was my first h1 ctf, and it for sure won't be my last! For this report, I'll try to define for each step: an abstract of what was the bug, the real life...
h1-ctf: [H1-2006 2020] Writeup
^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ Prologue The CTF was announced in a Hacker0x01 tweet. The goal is to make payments from Marten Mickos' account on BountyPayHQ. The announcement tweet was followed shortly by a retweet of BountypayHQ, an account made for the event. BountypayHQ has one...
h1-ctf: [h1-2006 CTF] Payments for May have been processed!
Hi : First off thanks for a great CTF! It had its ups and downs mainly due to my mistakes but here is the final flag: ^FLAG^736c635d8842751b8aafa556154eb9f3$FLAG$ My write up can be found at https://devcraft.io/bountypay-h1-2006-ctf.html unpublished detailing the process, tools, and mistakes I ma...
h1-ctf: h1-ctf writeup , finally paid the payments by chaining multiple bugs
Summary: The ultimate aim is to pay the payments of hackerone using bounty pay with no user privileges at the start. The given scope is: .bountypay.h1ctf.com Enumerated subdomains are: 1. www.bountypay.h1ctf.com 2. app.bountypay.h1ctf.com 3. staff.bountypay.h1ctf.com 4. api.bountypay.h1ctf.com 5...
U.S. Dept Of Defense: Sensitive information about a ██████
Summary: https://████████/ is a U.S. Government USG Information System IS that is provided for USG-authorized use only. Due to some reason a document which contains the information about a special ███ for the ████ █████ which possibly is ███████ or █████. The pdf file is located at...
Internet Bug Bounty: IP-in-IP protocol routes arbitrary traffic by default - CVE-2020-10136
Many machines (150K-180K) on the internet accept and route IP over IP by default. IP-in-IP encapsulation is a tunneling protocol specified in RFC 2003 that allows IP packets to be encapsulated inside other IP packets. This is very similar to IPSEC VPNs in tunnel mode, except in the case of...
Mail.ru: Blind SSRF in horizon-heat
Blind SSRF to internal services via Horizon external YAML template resource definition in Mail.ru cloud computing service...
Mail.ru: Users information leak at sbermarket.ru
The sbermarket.ru application could disclose personal information from another request due to invalid caching settings...
h1-ctf: [H1-2006 2020] CTF Writeup
Summary: The CTF's objective could be found in the following Twitter post: F858468 As outlined on https://hackerone.com/h1-ctf, all subdomains of bountypay.h1ctf.com are in scope. Doing subdomain enumeration revealed the following subdomains: api.bountypay.h1ctf.com app.bountypay.h1ctf.com...
Mail.ru: Web cache information leakage at sbermarket.ru
Due to invalid caching settings, an attacker could obtain profile related data from the web cache by forcing the victim to request the vulnerable endpoint...
h1-ctf: [H1-2006 2020] CTF Writeup
Summary: Multiple Vulnerabilities leading to full account takeover and access to restricted functions 1. Information Disclosure 2. Login 2FA Bypass 3. SSRF 4. Hardcoded validation 5. Sensitive information disclosure 6. Privilege Escalation 7. Payments 2FA Bypass through SSRF Steps To Reproduce: 0...
Zivver: Cross-Site Scripting through XSSJacking/PasteJacking Technique
The documentation website you found is a static website and the only way to inject the payload is by pasting it in the search box. There is no way to compose a url that you can send to someone else that would then also trigger the attack. Even with a successful attack, there is no user data on th...
8x8: 2FA Disable With Wrong Password - Response Tampering.
The application contained a business logic flaw that resulted in missing validation when removing 2FA on the authenticated account...
Mail.ru: Blindly Replace User's Session with Attacker's Session
Login CSRF via OAuth code in lootdog.io...