Monsta FTP is a web-based FTP client that lets users manage and transfer files on remote servers through the web browser. A vulnerability had already been found in it, making it an N-day, and they decided to review it. One of the known issues was an arbitrary file upload that leads to RCE. An SSRF and RCE weren't initially fixed, although reported in the CVE database. After going through lots and lots of versions, they found some input validation functions that were trying to prevent path traversal. Hurray, they found the patch!
The SSRF vulnerability that was reported still worked... so, was the RCE bug patched? Maybe the developers didn't understand what/where to patch. They were curious if the patch was sufficient. After looking at a large switch statement, they realized that DownloadFile didn't have any checks on it for directory traversal. By spinning up a malicious SFTP server that exploited the directory traversal, they were able to write a file anywhere on the server.
They don't mention an authentication bypass... but they claim this leads to an unauthenticated RCE on Monsta FTP. For me, there are two takeaways. First, not all patches are sufficient. Second, there are often other variants of a vulnerability lurking if you go looking for them. Overall, a good blog post on finding security issues once issues are already known.
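The DownloadFile gap is what happens when a path check lives inside individual switch branches. The sketch below is an added example, not Monsta FTP's code or the researchers': it contrasts that pattern with a dispatcher that confines every declared path parameter before any handler runs and rejects actions with no declared policy. The action names, the `localPath` parameter and the idea that the local destination arrives as a request parameter are assumptions made for illustration.

```python
import os

class UnsafePath(Exception):
    """A path parameter resolves outside the allowed base directory."""

def confine(base_dir, candidate):
    """Resolve candidate under base_dir; raise UnsafePath if it escapes."""
    base = os.path.realpath(base_dir)
    # join() discards base when candidate is absolute, so that case fails below too.
    target = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath(candidate)
    return target

# Hypothetical action and parameter names, not Monsta FTP's real ones.
# Each action declares which of its parameters name a local file.
PATH_PARAMS = {
    "uploadFile": ["localPath"],
    "downloadFile": ["localPath"],
    "listDirectory": [],
}

def per_branch_dispatch(action, params, base_dir):
    """The pattern the post describes: validation lives inside each branch."""
    if action == "uploadFile":
        return confine(base_dir, params["localPath"])
    if action == "downloadFile":
        # Branch missed by the patch: the path is used as supplied.
        return os.path.join(base_dir, params["localPath"])
    raise KeyError(action)

def central_dispatch(action, params, base_dir, handlers):
    """Validate declared path parameters before any handler runs; fail closed."""
    if action not in PATH_PARAMS:
        raise KeyError(f"no path policy declared for {action!r}")
    safe = dict(params)
    for key in PATH_PARAMS[action]:
        safe[key] = confine(base_dir, params[key])
    return handlers[action](safe)

if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()  # constructed sample inputs below
    handlers = {"downloadFile": lambda p: p["localPath"]}
    print(central_dispatch("downloadFile", {"localPath": "in/a.txt"}, base, handlers))
    try:
        central_dispatch("downloadFile", {"localPath": "../../x"}, base, handlers)
    except UnsafePath as exc:
        print("rejected:", exc)
```

With the central version, a new action added to the switch without a `PATH_PARAMS` entry is refused outright rather than running unvalidated.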