Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

SD-PWN Part 4 — VMware VeloCloud

Ariel Tempelhof, posted 5 years ago
  • The VMware VeloCloud password reset had an unusual implementation: the reset token was derived from the user's current password rather than from a random source. Password reset tokens must be unpredictable, so anyone who can reproduce the derivation input can forge a token.
  • On its own that looks unexploitable: if you already know a user's password, you have no need for the reset flow. But the system shipped with a disabled backdoor user that had a hard-coded password, which is exactly the input needed to compute that account's reset link.
  • Following the reset link for the disabled account (computed from the known password) re-enabled the user. And, the best part, the password was already known, so the result was a working, enabled login.
  • That authentication bypass was the main issue. However, other flaws in the system, such as SQL injection, file inclusion and directory traversal, eventually led to full compromise.
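To make the failure mode concrete, here is an added example (my own illustration, not code from the article or from VMware) that models both halves of the bug: a reset token derived from the current password, which an attacker who knows a hard-coded password can reproduce offline, and a redeem step that re-enables a disabled account as a side effect. The hardened version beside it issues a random, single-use, expiring token, stores only its hash, and refuses to issue resets for disabled accounts. The user table, account names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time


def make_users() -> dict:
    # Constructed sample user table (not VeloCloud's data): "support" is a
    # disabled built-in account that still carries a hard-coded password.
    return {
        "support": {"password": "SuperSecret1", "enabled": False},
        "alice": {"password": "hunter2", "enabled": True},
    }


# --- flawed design: reset token derived from the current password -----------

def weak_reset_token(users: dict, username: str) -> str:
    """Deterministic token: SHA-256 over username and current password.
    Anyone who knows the password can reproduce it without touching the server."""
    pw = users[username]["password"]
    return hashlib.sha256(f"{username}:{pw}".encode()).hexdigest()


def weak_redeem(users: dict, username: str, token: str, new_password: str) -> bool:
    """Flawed flow: checks only the token, then re-enables the account."""
    if username not in users:
        return False
    if not hmac.compare_digest(token, weak_reset_token(users, username)):
        return False
    users[username]["password"] = new_password
    users[username]["enabled"] = True  # disabled backdoor account comes back to life
    return True


def forge_weak_token(username: str, known_password: str) -> str:
    """Attacker side: recompute the token from the hard-coded password."""
    return hashlib.sha256(f"{username}:{known_password}".encode()).hexdigest()


# --- hardened design: random, single-use, expiring, enabled users only ------

class ResetTokenStore:
    TTL_SECONDS = 15 * 60

    def __init__(self, users: dict, now=time.time):
        self.users = users
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # username -> (sha256(token), expiry timestamp)

    def issue(self, username: str):
        user = self.users.get(username)
        if user is None or not user["enabled"]:
            return None        # never issue a reset for a disabled account
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (digest, self._now() + self.TTL_SECONDS)
        return token           # only the hash is kept server side

    def redeem(self, username: str, token: str, new_password: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            del self._pending[username]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self._pending[username]                  # single use
        self.users[username]["password"] = new_password
        return True                                  # enabled flag is untouched
```

The two properties that matter for the VeloCloud case are independent: even a perfectly random token would still have been dangerous if redeeming it re-enabled a disabled account, and a token tied to the current password is forgeable whenever that password is known from any source, here a hard-coded credential.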