A story about how I finally could use an AD account that was unenrolled from MFA, by using an EWS Misconfiguration to Access Email Inbox and (Having...
- Optimizing Hunting Results in VDP for use in Bug Bounty Programs - From Sensitive Information Disclosure to Accessing Hidden APIs which can be used to Retrieve Customer Data
- From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration
- From 3,99 to 1,650 USD (Part I) – Simple Vertical Privilege Escalation by Changing HTTP Response
- From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World
- If Allah wills it, I will be back soon!
- 5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!)
- CVE-2019-18624 - Illegal Rendering at Download Feature in Several Apps (including Opera Mini) that Leads to Extension Manipulation (with RTLO)
Blog: Sign over Your Hashes - Stealing NetNTLM Hashes via Outlook Signatures - https://research.nccgroup.com/2021/01/15/sign-over-your-hashes-stealing-netntlm-hashes-via-outlook-signatures/ by @johnnyspandex, @Jstorr and @buffaloverflow
@rootxharsh and I found and exploited a 0day RCE in Apple's Travel Portal and were rewarded with $50K. Here's the write-up for that:
Since it's 2021 I'd like to go ahead and disclose some bugs I wasn't able to talk about in 2020. These were issues that either got NDA'd or had long remediation timelines.
The following are quick summaries and proofs of concept for some of the simpler bugs:
@nnwakelam @Rhynorater @thedawgyg @marcioalm Struts, JBoss, UDDIExplorer (WebLogic), Redis, Memcache: https://blog.safebuff.com/2016/07/03/SSRF-Tips/
Cool way to password spray O365 now that their detection mechanisms are improving:
1) Set up 10 or so free-tier AWS machines with an SSH key pair
2) Use https://github.com/blacklanternsecurity/TREVORspray
3) Profit - pic below for syntax
Full credit goes to @thor_sec for teaching me this