Basic recon to RCE III

For the 3rd and I think last episode of the series, we’re going to continue with the same target as episode 2, which I recommend you read first to get a bit more context: Basic recon to RCE II

The Story

So, after this first RCE discovered on the application, I wanted to continue to dig, especially because this debug mode displays a POST method on the endpoint /convertdoctopdf.

October 18, 2022
DNS Tools Comparison

The Story

[EDIT 26/04/22] - I added a note on my personal conclusion about Amass with a note from a conversation with Caffix about why Amass is slower than the others.

Hi everyone, I recently came across this tweet, which immediately intrigued me because I also observed that I was losing valid domains with PureDNS. I had done some tests (not very thorough) 8 months ago on different tools and I had concluded at that time that PureDNS was the best solution.

April 26, 2022
Basic recon to RCE II

I originally wanted to name this article “The RCE that everyone missed”, but since it was too “clickbait”, this is the title you see now. Why “The RCE that everyone missed”? That’s what we’ll see here. This article won’t be very long and since there are no technical details, I’d rather focus on why I stumbled upon this RCE.

The story

It’s been many months now that I’m not very active in bugbounty. I haven’t given up, but in fact I devote my free time to the development of my own recon framework.

March 22, 2022
My bounty infrastructure

My bounty infrastructure with Docker

[31/12/2020]: Updated the post for Rengine to v0.5 and a clearer / cleaner configuration of Traefik as well as the removal of Portainer.

After some problems with Rengine for certificate management and a new service that I want to use, I switched to a full Docker infrastructure on my server. Apart from the use of a few containers, it’s my first experience with Docker, but after some difficulties I find it rather practical and modular.

May 21, 2021
Basic recon to RCE

Recently on a BugBounty program I came across my first RCE, discovered and exploited rather quickly on a solution with a vulnerability that I don’t master at all: Java Deserialization

Recon

Currently improving my recognition tool AutoRecon, originally intended to help me with subdomain enumeration, I also want to perform some recognition tasks that are quite annoying when you have to do them many times. The scope in question is like *.

May 2, 2021
SSRF Through PDF Generation

This week on a BugBounty program which I had left aside I found my first SSRF; here is my writeup.

Recon

The scope is restricted to the website and its API. Rather basic, it allows you to register as a simple user and has only a few features. The program has been open for several months already, so I approached the site thinking I probably wouldn’t find much. However, from the first hours I already had several P2 (IDOR).

May 1, 2021
My first OOB XXE exploitation

Recently on a BugBounty program I came across my first XXE, blind what’s more. As I found this case interesting, I wanted to share it here.

Recon

The recognition phase is quite basic: the scope is composed of a single URL with 2 distinct backends (administrators and users). For each of these backends the users’ view is limited according to the rights they have.

https://domain.tld/admin => URL for admin backend
https://domain.

April 30, 2021
Binary search in Golang on large files

Description

For a recent need, I want to look back at the implementation of binary search in Go on a large file.

Definition: Binary search is a search algorithm for finding the position of an element in a sorted array. The principle is as follows: compare the element with the value of the cell in the middle of the array; if the values are equal, the task is completed, otherwise we start again in the relevant half of the array.

April 29, 2021