XXE to AWS metadata disclosure

I recently found a critical vulnerability on a private program on HackerOne that allowed me to get their Amazon Web Services root keys. Because of this, the vulnerability was rated as a 10.0 critical, the highest possible. After having been unable to hack for several months due to a family emergency, I finally got home

XXE to AWS metadata disclosure Read More »

Subdomain Takeovers: Heroku

Heroku subdomain takeovers are possible for CNAMEs, and can be identified by the ‘No such app’ page: And a CNAME in dig that points to This is an indication that the company has a dangling CNAME record pointing to an unclaimed Heroku app which we might be able to take over. To manually

Subdomain Takeovers: Heroku Read More »

How to find your first bug

I often get asked ‘how do I find my first bug’ on the Hacker101 Discord channel. This article is an answer to that question. At this point I assume you’ve been studying the basics of ethical hacking. If you have no background in IT I would recommend reading “The Web Application Hacker’s Handbook”; though those

How to find your first bug Read More »

H1-2006 CTF Write-up

HackerOne recently held a CTF with the objective to hack a fictitious bounty payout application. While my write-up of this CTF is now public and can be seen here, this is a different kind of write-up where I will be more open and go into the areas where I had a lot of trouble. I’m

H1-2006 CTF Write-up Read More »

HackTheBox Traverxec

Traverxec is rated as an easy box on HackTheBox. User As with all HackTheBox machines I started with an nmap scan which identified port 80 was open and running nostromo 1.9.6, a simple HTTP server also called nhttpd. While searching for some information on nostromo, pretty much the first search result was about a known

HackTheBox Traverxec Read More »

HackTheBox Bitlab

Bitlab is rated as a medium box on HackTheBox. User As is usual with HackTheBox, I started with an nmap scan and discovered ports 22 and 80 open. Going to the web server on port 80 and looking around, I found an interesting link under ‘help’ that wouldn’t open. Turned out the link was this

HackTheBox Bitlab Read More »

HackTheBox Heist

Heist is an easy Windows box on HackTheBox, however since I have very little experience with Windows, I found it rather difficult. User The usual nmap scan reveals the following ports are open: Port 80 presents a login page and a forgotten password link (/issues.php), which actually goes to a forum post with an attached

HackTheBox Heist Read More »

HackTheBox Networked

‘Networked’ is rated as an easy machine on HackTheBox User The usual nmap scan revealed the following open ports: Running gobuster on port 80 revealed a few endpoints, the most interesting one being /backup which had a tarred backup file which included all the PHP files the server was running on port 80. Running those

HackTheBox Networked Read More »

HackTheBox Haystack

‘Haystack’ is rated as an easy machine on HackTheBox. USER Running nmap on the machine showed that only a few ports were open, with http running on both port 80 and 9200. Visiting port 80 revealed a very simple page with an image and nothing else. Gobuster didn’t reveal any other endpoints on this port,

HackTheBox Haystack Read More »