Posts

This blog provides an in-depth analysis of the exploitation process for an unauthenticated XXE vulnerability in Ivanti Endpoint Manager, identified as CVE-2024-37397.

This blog post contains a thorough analysis of Server Side Template Injection vulnerability in a commercial Managed File Transfer product named CrushFTP.

EggHunting, if simply put, is a technique in exploit development which is used to search for a specific keyword in an application memory space to further aid in the exploit if there is a length restriction.

Writeup for HackTheBox’s Only4You machine. only4you.htb seemed like a static site with the contact functionality where we had some input fields, directory busting did not reveal anything interestin:

Writeup for HackTheBox’s Mailroom machine. Starting off with the nmap scan, we can see that port 80 and 22 is open:

Writeup for HackTheBox Busqueda Machine Starting off with the nmap scan, we see that it has HTTP and SSH, as expected.

Writeup for HackTheBox’s Inject machine. We have an upload functionality in the web app and it accepts PNG files, although there are some bypasses but they didn’t lead anywhere.