XXE to AWS metadata disclosure

I recently found a critical vulnerability on a private program on HackerOne that allowed me to get their Amazon Web Services root keys. Because of this, the vulnerability was rated as a 10.0 critical, the highest possible. After having been unable to hack for several months due to a family emergency, I finally got home

XXE to AWS metadata disclosure Read More »

Subdomain Takeovers: Heroku

Heroku subdomain takeovers are possible for herokuapp.com CNAMEs, and can be identified by the ‘No such app’ page: And a CNAME in dig that points to .herokuapp.com: This is an indication that the company has a dangling CNAME record pointing to an unclaimed Heroku app which we might be able to take over. To manually

Subdomain Takeovers: Heroku Read More »

How to find your first bug

I often get asked ‘how do I find my first bug’ on the Hacker101 Discord channel. This article is an answer to that question. At this point I assume you’ve been studying the basics of ethical hacking. If you have no background in IT I would recommend reading “The Web Application Hacker’s Handbook”; though those

How to find your first bug Read More »

H1-2006 CTF Write-up

HackerOne recently held a CTF with the objective to hack a fictitious bounty payout application. While my write-up of this CTF is now public and can be seen here, this is a different kind of write-up where I will be more open and go into the areas where I had a lot of trouble. I’m

H1-2006 CTF Write-up Read More »

HackTheBox Traverxec

Traverxec is rated as an easy box on HackTheBox. User As with all HackTheBox machines I started with an nmap scan which identified port 80 was open and running nostromo 1.9.6, a simple HTTP server also called nhttpd. While searching for some information on nostromo, pretty much the first search result was about a known

HackTheBox Traverxec Read More »

Nahamsec CTF write-up

Nahamsec recently created a CTF when he reached 30k Twitter followers. The only information he gave was here, so there wasn’t really much to go on. This is my write-up; I decided to send my write-up like a bug report. This style of course does not tell the time wasted looking in all the wrong

Nahamsec CTF write-up Read More »

HackTheBox Bitlab

Bitlab is rated as a medium box on HackTheBox. User As is usual with HackTheBox, I started with an nmap scan and discovered ports 22 and 80 open. Going to the web server on port 80 and looking around, I found an interesting link under ‘help’ that wouldn’t open. Turned out the link was this

HackTheBox Bitlab Read More »

HackTheBox Heist

Heist is an easy Windows box on HackTheBox, however since I have very little experience with Windows, I found it rather difficult. User The usual nmap scan reveals the following ports are open: Port 80 presents a login page and a forgotten password link (/issues.php), which actually goes to a forum post with an attached

HackTheBox Heist Read More »