Bug Bounty Challenge (final): Day 9–29/04/2024

If you haven’t already, I recommend you read one of the blog posts I came across today during research, “Click here to read it”. I think this report sums up my view toward programs, it doesn’t matter how big and secure they seem, hack and confirm it’s “unhackable” on your own, do not be intimidated, and because of this, I’ve decided that in “Stage 2” of the challenge, the perfect program for my collaboration is HackerOne! It’s challenging, intimidating, and yet, exciting. That “Hacking Hackers” badge doesn’t look bad :D

Do you remember the report I sent, the 1 out 9 vulnerabilities I found, yeah, I got an update, It is not a duplicate!! And now we wait for the team to give their final ruling.

Another blog post I’d like to recommend to you is “Web Cache Deception Attack”.

I began hunting for “CVE-2024–4040” on the CrushFTP endpoints I’ve recently come across. Fortunately for the program, these endpoints were secure. I then decided to carry out this vulnerability detection on a massive scale, I wrote a small script that scans my data gathers possible endpoints for the scan, and then carries out the scan. This took a while, from the coding to the script’s execution, but in the end, I got my results — every endpoint was “secure” against the SSTI which surprised me, It was multiple programs and domains, not even a single one was vulnerable. As you can see below, instead of returning the hostname injection’s result, it returns “hostname”, like a sanitized XSS payload.

I kept poking at one of the servers and while I was in the process of doing all of that, the server was taken offline, lol. If you’d like to learn more about this vulnerability, “click here”.

As I was left with 40–30 or so minutes, I decided to check out one of the programs I got invited to, I intended to take a look and see if I’d find anything interesting, and what I found was an exposed Redis instance(interesting), wrote the report, and submitted it.