Concrete is a Content Management platform similar to WordPress.
User groups can have hierarchical structures and inherit permissions from each other. On the main endpoint, simply dragging a lower-privileged user into the admin group did nothing. However, the authors found another API that performed the same group add but WITHOUT the permission check.
The authors found a piece of functionality that allowed downloading a remote file; this is a clear SSRF bug waiting to happen. To make exploitation harder, the developers blocked the AWS metadata endpoints and certain file extensions. How do we bypass this?
The extension denylist can be bypassed with a PHP trick. Some PHP engines discard the extra trailing path segment of a URL (/info.php/test.html) and execute info.php, while the denylist only sees the final extension, .html. Using this, a one-shot GET exploit or a file disclosure is still possible.
They REALLY wanted the metadata though, so they used the classic DNS rebinding technique, which turns the IP denylist check into a time-of-check vs. time-of-use (TOCTOU) problem: the name resolves to an allowed address when it is checked and to the metadata address when the request is actually made.
Rebinder is a service for easily testing and using DNS rebinding in the wild.
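As an added example (not code from the talk or from Concrete), the snippet below models the TOCTOU in Python: a constructed resolver stands in for a rebinding DNS server, the vulnerable fetcher re-resolves the hostname after the check, and the hardened fetcher pins the address it validated. The resolver, the hostnames and the IPs are all constructed for illustration.

```python
import ipaddress
from typing import Callable, List

# Constructed denylist: loopback, RFC1918, link-local (where cloud metadata lives) and IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_blocked(ip: str) -> bool:
    """True if the literal IP falls inside any denylisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


class RebindingResolver:
    """Constructed stand-in for a DNS rebinding service (not a real lookup):
    the first answer is a harmless public IP, every later answer is the metadata IP."""
    def __init__(self, first: str, then: str):
        self.first, self.then, self.calls = first, then, 0

    def resolve(self, host: str) -> List[str]:
        self.calls += 1
        return [self.first if self.calls == 1 else self.then]


def fetch_vulnerable(host: str, resolve: Callable[[str], List[str]]) -> str:
    """TOCTOU pattern: validate whatever the name resolves to now, then hand the
    *hostname* to the HTTP client, which resolves it a second time. Returns the IP
    the client would actually connect to."""
    if any(is_blocked(ip) for ip in resolve(host)):
        raise PermissionError("blocked address")
    return resolve(host)[0]  # second lookup: the rebinding server now answers differently


def fetch_pinned(host: str, resolve: Callable[[str], List[str]]) -> str:
    """Hardened pattern: resolve once, reject if any answer is blocked, and connect to
    that exact IP (sending 'Host: <host>' as a header) so no second lookup can occur."""
    answers = resolve(host)
    if not answers or any(is_blocked(ip) for ip in answers):
        raise PermissionError("blocked address")
    return answers[0]  # pinned address; a real client would open the socket to this IP
```

Redirects need the same treatment: each hop's target must be resolved, validated and pinned again, or the check is bypassed one step later.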
The final vulnerability was link poisoning on the password reset link. When multiple hosts are served, the Host header is commonly used to generate the password reset link, but an attacker can manipulate it. By sending a reset request with an attacker-controlled Host header, the victim receives a link pointing at the attacker's host; when the user clicks it, the attacker gets the reset token.
My biggest takeaway is how easy DNS rebinding is with other tools! In the future, I may try this attack when SSRF IP denylists are in use. I have also seen hidden APIs not get updated properly with security functions.