Writeup

Disclaimer This blog post is shared for educational and academic purposes only. All issues described here were responsibly reported to the affected company and have since been verified. The intention of this write-up is to raise awareness, improve security practices, and share lessons learned with the community. Since I was back in Korea and looking for my next role, I decided to spend this month fully focused on bug bounties again. It’s always a mix of frustration and small breakthroughs. One of the simple but surprisingly interesting bugs I uncovered was this cross-domain redirect flaw in a bank’s merchant administration flow. ...

Disclaimer This blog post is shared for educational and academic purposes only. All issues described here were responsibly reported to the affected company and have since been fixed and verified. Permission to publish was granted by the company. The intention of this write-up is to raise awareness, improve security practices, and share lessons learned with the community. Act I — The Setup It all started on a lazy evening in April. I wasn’t trying to hack anything major, just poking around a movie ticketing site which I’m client of with DevTools open. As I added a ticket to my cart, something odd caught my eye: a POST request carrying a mysterious parameter named encInfo. ...

I participated as a member of team CibersecUNI. This time i managed to solve all 6/6 challenges in the web category. Whispers of the Moonbeam Observando las funciones, nos dan una pista que se puede inyectar comandos con ;. Usando el comando gossip, puedo listar los archivos, se visualiza el archivo flag.txt, y con un simple ; puedo concatenar el comando cat para leer la flag. gossip; cat flag.txt Obtenemos la flag. 🎉 HTB{Sh4d0w_3x3cut10n_1n_Th3_M00nb34m_T4v3rn_78cb9b70be3bf077e608865b967b5ab1} ...

Templated Dificulty: easy Description: Can you exploit this simple mistake? Solution First we visit the site and see that uses jinja2, this template is susceptible to SSTI attacks. We see that the directory searched is rendered in the page with 25, so its vulnerable to SSTI. We use the payload that will allow us to RCE on the server to read the file flag.txt, we extract it from PayloadsAllTheThings. ...