TryHackMe IDE

A short write-up of the TryHackMe IDE room

XXE to AWS metadata disclosure

I recently found a critical vulnerability on a private program on HackerOne that allowed me to get their Amazon Web Services root keys. Because of this, the vulnerability was rated as a 10.0 critical, the highest possible. After having been unable to hack for several months due to a family emergency, I finally got home …

XXE to AWS metadata disclosure Read More »

Subdomain Takeovers: Heroku

Heroku subdomain takeovers are possible for CNAMEs, and can be identified by the ‘No such app’ page: And a CNAME in dig that points to This is an indication that the company has a dangling CNAME record pointing to an unclaimed Heroku app which we might be able to take over. To manually …

Subdomain Takeovers: Heroku Read More »

H1-2006 CTF Write-up

HackerOne recently held a CTF with the objective to hack a fictitious bounty payout application. While my write-up of this CTF is now public and can be seen here, this is a different kind of write-up where I will be more open and go into the areas where I had a lot of trouble. I’m …

H1-2006 CTF Write-up Read More »

OWASP Juice Shop Cracking

Today I’m going to write how to get the answers to the security answers for the lost password functionality in OWASP Juice Shop. While there’s no achievement for this, it is a very good exercise that teaches both SQL injection, code diving and cracking. In order to reset a user’s password, 2 things are required: …

OWASP Juice Shop Cracking Read More »

OWASP Juice Shop SQLi

The OWASP Juice Shop is a vulnerable web application to train web application hacking on, much like OWASP WebGoat which I’ve already covered on this blog. Without spoiling too much, the login form is vulnerable to SQL injection, and it is possible to dump the database from here. I’ll cover the detection of the vulnerability …

OWASP Juice Shop SQLi Read More »


The WebGoat XXE (XML External Entity) section has 3 exercises. The first 2 are pretty easy, the last one quite difficult. So without further ado, let’s get to it! Exercise 3 In this exercise you are asked to list the contents of the root file system directly in a comment using XXE. For this, you …

OWASP WebGoat XXE Read More »

OWASP WebGoat SQL advanced lesson 5

Last week I wrote about the OWASP WebGoat XSS lessons. Today I’d like to write a few pointers on how to solve the SQL injection (advanced) lesson 5. The goal is simple: you are presented with a login box and given a username; log in as that user. The usual username’ OR ‘1’=’1 — unfortunately doesn’t …

OWASP WebGoat SQL advanced lesson 5 Read More »

OWASP WebGoat XSS lessons

I recently installed WebGoat, a deliberately vulnerable web app with built-in lessons. While some of the lessons are very easy, they quickly rise to a much higher difficulty. Even though the app does explain the basic concepts, the explanations are nowhere good enough to solve the exercises provided. In this post I’ll focus on the Cross-Site …

OWASP WebGoat XSS lessons Read More »