YoKo Kho

Category: Bug Report

Collection of Bug Hunting Activity

From Recon via Censys and DNSdumpster, to Getting P1 by Login Using Weak Password – “password”

A simple story when Allah allowed me to get P1 by combining several issues, one of which was related to “weak credentials”. In the name of...

March 14, 2022

Bug Report / Web Apps / Write-Up

Optimizing Hunting Results in VDP for use in Bug Bounty Programs - From Sensitive Information Disclosure to Accessing Hidden APIs which can be used to Retrieve Customer Data

A story when Allah willed me to tried to optimize my findings in the Points-Only program to be able to get 6 paid P1 issues in...

November 15, 2020

Bug Report / Web Apps / Write-Up

From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration

A story about how I Finally could use an AD account that unenrolled to MFA, by using an EWS Misconfiguration to Access Email Inbox and (Having...

June 19, 2020

Intercept Server Responses Feature on Burpsuite

Bug Report / Web Apps / Write-Up

From 3,99 to 1,650 USD (Part I) – Simple Vertical Privilege Escalation by Changing HTTP Response

A story about how I got several simple bugs (1 P2, 1 P3, and 2 P4s) on a target (that just allow Specific Country Code to...

June 6, 2020

Bug Report / Web Apps / Write-Up

From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World

How I Finally could Got into an Internal Network (and could accessing all of their internal assets) at One of the Biggest ICT company in the...

February 19, 2020

Bug Report / Desktop Apps / Write-Up

5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!)

CVE-2019–18653 & CVE-2019–18654: The story when Reflected XSS was triggered from the SSID Name (It also affected AVG AntiVirus because basically the product codes were mostly...

October 29, 2019

Bug Report / Mobile Apps / Write-Up

CVE-2019–18624 – Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO)

The story of when you download a file that looks “legitimate”, but changes when you run the file. In the name of Allah, the Most Gracious,...

October 26, 2019

Bug Report / Web Apps / Write-Up

Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)

In the name of Allah, the Most Gracious, the Most Merciful. – Part I from (hopefully) IV Parts – Update I: Added a “Reference” Section. Update...

September 14, 2019

Bug Report / Desktop Apps / Random Things

Adobe Photoshop CC 2019 v. 20.0.0 (for OS X) Expired Subscription Bypass – Bypass Trial Expired

In the name of Allah, the Most Gracious, the Most Merciful. Description: The expired subscription pop-up could be bypassed by opening the .pdf document at the...

January 2, 2019

Bug Report / Web Apps / Write-Up

IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release in simple:[English Version] IDOR...

April 17, 2018

Latest Tweets

Retweet on Twitter YoKo Kho Retweeted

Hacking Articles @hackinarticles·

May 16, 2022

MITRE ATT&CK Mind Maps

Credit https://www.jaiminton.com/mitreatt&ck#

#infosec #cybersecurity #cybersecuritytips #pentesting #oscp #redteam #informationsecurity #cissp #CyberSec #networking #networksecurity #CheatSheet #infosecurity #bugbountytips

Twitter 1526106003413995520

Retweet on Twitter YoKo Kho Retweeted

Hacking Articles @hackinarticles·

May 15, 2022

Active Directory Privilege Escalation Hardening

#infosec #cybersecurity #cybersecuritytips #pentesting #oscp #redteam #informationsecurity #cissp #CyberSec #networking #networksecurity #CheatSheet #infosecurity #bugbountytips

Twitter 1525924256168542208

Retweet on Twitter YoKo Kho Retweeted

Rakesh Jain @devops_tech·

May 15, 2022

A picture to understand Linux File Permissions. 👇

Twitter 1525708053487570944

Retweet on Twitter YoKo Kho Retweeted

Cybergibbons @cybergibbons·

May 15, 2022

A friend's father had his PC taken over by scammers.... just doing a bit of forensics on it to work out what happened.

First sign is a download of amazon_security.exe which is actually Supremo Remote Desktop. https://www.supremocontrol.com/

Twitter 1525799615962185729

Retweet on Twitter YoKo Kho Retweeted

GodFather Orwa @GodfatherOrwa·

May 14, 2022

Check Now , Read , And Start Sending Some Reports

[Its Not Common Vulnerability And Exposure (CVE) It Is New Vulnerability]
Thanks Also For @XHackerx007

https://orwaatyat.medium.com/my-new-discovery-in-oracle-e-business-login-panel-that-allowed-to-access-for-all-employees-ed0ec4cad7ac

#BugBounty #bugbountytips #bugbountytip
#infosec https://twitter.com/GodfatherOrwa/status/1519358088918278145

Twitter 1525499153345830916

Category: Bug Report

From Recon via Censys and DNSdumpster, to Getting P1 by Login Using Weak Password – “password”

Optimizing Hunting Results in VDP for use in Bug Bounty Programs - From Sensitive Information Disclosure to Accessing Hidden APIs which can be used to Retrieve Customer Data

From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration

From 3,99 to 1,650 USD (Part I) – Simple Vertical Privilege Escalation by Changing HTTP Response

From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World

5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!)

CVE-2019–18624 – Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO)

Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)

Adobe Photoshop CC 2019 v. 20.0.0 (for OS X) Expired Subscription Bypass – Bypass Trial Expired

IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks

Search

Recent Posts

Categories

Latest Tweets