TryHackme LFI Writeup

How to find and exploit LFI Welcome back cool amazing hackers in this blog I’m gonna show you an interesting topic Local File Inclusion Tryhackme walkthrough. Without wasting time let’s get into the topic. After deploying the target machine I saw the target webpage. I got one endpoint ?file= from that, I came to...

How I hacked into one of India’s biggest online book stores(RCE and more)

Oswaal Books(oswaalbooks.com) This article is going to be about how I found my 1st RCE on one of India’s biggest e-commerce sites(+ a few more bugs). Oswaal Books is a very popular company among high schoolers in India and the ones studying for competitive exams like JEE, NEET etc. They make...

PECB Certified Lead Ethical Hacker: Take Your Career to the Next Level

Cybercrime is increasing exponentially and presents devastating risks for most organizations. According to Cybercrime Magazine, global cybercrime damage is predicted to hit $10.5 trillion annually as of 2025. One of the more recent and increasingly popular forms of tackling such issues by identifying is ethical hacking. This method identifies potential...

New Android Malware Targeting Brazil’s Itaú Unibanco Bank Customers

Researchers have discovered a new Android banking malware that targets Brazil’s Itaú Unibanco with the help of lookalike Google Play Store pages to carry out fraudulent financial transactions on victim devices without their knowledge. “This application has a similar icon and name that could trick users into thinking it is...

Garrett Walk-Through Metal Detectors Can Be Hacked Remotely

A number of security flaws have been uncovered in a networking component in Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, tamper with metal detector configurations, and even execute arbitrary code on the devices. "An attacker could manipulate this module to remotely monitor statistics on the...

‘Spider-Man: No Way Home’ Pirated Downloads Contain Crypto-Mining Malware

Peter Parker might not be a mastermind cryptocurrency criminal, but the name Spiderman is quickly becoming more associated with the mining landscape. ReasonLabs, a leading provider of cybersecurity prevention and detection software, recently discovered a new form of malware hacking into customer computers in the guise of the latest Spiderman movie. ...

How Intrusion Prevention Systems (IPS) Work in Firewall

Intrusion prevention and the firewall are part of Network Threat Protection. Network Threat Protection and Memory Exploit Mitigation are part of Network and Host Exploit Mitigation. Intrusion prevention automatically detects and blocks network attacks. On Windows computers, intrusion prevention also detects and blocks browser attacks on supported browsers. Intrusion prevention...

Backdoor: HackTheBox Walkthrough

Welcome back! Today we are going to solve another machine from HacktheBox. The box is listed as an easy box. Just add backdoor.htb in…

Expert Details macOS Bug That Could Let Malware Bypass Gatekeeper Security

Apple recently fixed a security vulnerability in the macOS operating system that could be potentially exploited by a threat actor to "trivially and reliably" bypass a "myriad of foundational macOS security mechanisms" and run arbitrary code. Security researcher Patrick Wardle detailed the discovery in a series of tweets on Thursday. Tracked as...

New Ransomware Variants Flourish Amid Law Enforcement Actions

Ransomware groups continue to evolve their tactics and techniques to deploy file-encrypting malware on compromised systems, notwithstanding law enforcement's disruptive actions against the cybercrime gangs to prevent them from victimizing additional companies. "Be it due to law enforcement, infighting amongst groups or people abandoning variants altogether, the RaaS [ransomware-as-a-service]

New BLISTER Malware Using Code Signing Certificates to Evade Detection

Cybersecurity researchers have disclosed details of an evasive malware campaign that makes use of valid code signing certificates to sneak past security defenses and stay under the radar with the goal of deploying Cobalt Strike and BitRAT payloads on compromised systems. The binary, a loader, has been dubbed "Blister" by...

SQL Injection JR. Pentester -TryHackMe Part 2

Hi folks, welcome back to part 2 of SQL injection in JR. Pentester path. In this part, we are going to about Blind SQLi — Authentication Bypass, Blind SQLi — Boolean Based, Blind SQLi-Time Based, Out Of Scope Band SQLi, and remediation. So let's get started with Blind SQLi — Authentication Bypass. The most crucial method...

Identity Management Vulnerability Taxonomy v1.5

I really like the OWASP list of vulnerabilities because it mostly stays in an uniform level of abstraction. Some issues are fairly…

CISA, FBI and NSA Publish Joint Advisory and Scanner for Log4j Vulnerabilities

Cybersecurity agencies from Australia, Canada, New Zealand, the U.S., and the U.K. on Wednesday released a joint advisory in response to widespread exploitation of multiple vulnerabilities in Apache's Log4j software library by nefarious adversaries. "These vulnerabilities, especially Log4Shell, are severe," the intelligence agencies said in the new guidance. "Sophisticated cyber threat actors

IoT SAFE — An Innovative Way to Secure IoT

By the end of 2021, there will be 12 billion connected IoT devices, and by 2025, that number will rise to 27 billion. All these devices will be connected to the internet and will send useful data that will make industries, medicine, and cars more intelligent and more efficient. However,...

4-Year-Old Bug in Azure App Service Exposed Hundreds of Source Code Repositories

A security flaw has been unearthed in Microsoft's Azure App Service that resulted in the exposure of source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years since September 2017. The vulnerability, codenamed "NotLegit," was reported to the tech giant by Wiz...

Researchers Disclose Unpatched Vulnerabilities in Microsoft Teams Software

Microsoft said it won't be fixing or is pushing patches to a later date for three of the four security flaws uncovered in its Teams business communication platform earlier this March. The disclosure comes from Berlin-based cybersecurity firm Positive Security, which found that the implementation of the link preview feature was susceptible...

How “assertions” can get you Hacked !!

How “assertions” can get you Hacked !! A deep dive into the assert() function and ways to exploit it! Hello Fellow Hackers and developers, It’s been a while since I posted any blog here. Today I will be discussing Coding+Hacking, especially about a feature present in almost every High-Level Language known as...

How I found the Authentication Bypass bug and Earn $$$$

Hi all, I am @shadow_CLAY from VietNam. Today I am going to write about a rather interesting bug that I found. This is also my favorite bug bounty program on @Hackerone ? Summary: This is an application that specializes in online news, media and entertainment. There are two options when logging...

How I Found My First XSS Bug and Earn $$$

Hi everyone, I am @shadow_CLAY from VietNam. Today I am going to talk about the process I found my first XSS bug at @Bugcrowd. Summary: The story happens when I receive a private invitation for a program (Assuming: redacted.com). This program is affiliated with Atlassian and for testing on this...

China suspends deal with Alibaba for not sharing Log4j 0-day first with the government

China's internet regulator, the Ministry of Industry and Information Technology (MIIT), has suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months for failing to promptly report a critical security vulnerability affecting the broadly used Log4j logging library. The development was reported...

Account takeover by tampering the Signup verification token.

Account takeover by tampering the Signup verification token. Hello People, I am Faeeq Jalali from Belgaum, Karnataka. Just thought of sharing a strange bug which I had found recently. So let's get started. As I am not allowed to disclose the company name let's consider it as “xyz.com”. So first I...

New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw

A short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware. "The attachments represent an escalation of the attacker's abuse of...

Active Directory Bugs Could Let hackers Take Over Windows Domain Controllers

Microsoft is urging customers to patch two security vulnerabilities in Active Directory domain controllers that it addressed in November following the availability of a proof-of-concept (PoC) tool on December 12. The two vulnerabilities — tracked as CVE-2021-42278 and CVE-2021-42287 — have a severity rating of 7.5 out of a maximum of 10 and concern a privilege...

Tackling CVE-2021–41277 Using a Vulnerability Database

In this article, I’ll talk about a security vulnerability (CVE-2021–41277), which has been popular in the InfoSec committee recently. I’ll also talk about a popular security vulnerability database, the WhiteSource Vulnerability Database. So let’s get started! Last month, a post on Twitter caught my attention. It...

Log4j Vulnerability Explanation In Details

Everything you need to know about log4j vulnerability as a hacker! Introduction Hey everyone, My name is Surendra and in this blog, we will describe log4j vulnerability. So without wasting time let’s learn about log4j vulnerability. Table of content - 1. What is Log4j? 2. What is Log4j vulnerability? 3. How to exploit...

Bypassing OTP Verification for Changing PIN in Registered Mobile Banking Account.

Assalamu’alaikum (Peace be upon you) Okay, this is my second post, reading the title is very interesting right? I started with the mechanism of this application. My mobile number was registered in this mobile banking application and I was set up my PIN for login. My user profile config was encrypted in...

Tropic Trooper Cyber Espionage Hackers Targeting Transportation Sector

Transportation industry and government agencies related to the sector are the victims of an ongoing campaign since July 2020 by a sophisticated and well-equipped cyberespionage group in what appears to be yet another uptick in malicious activities that are "just the tip of the iceberg." "The group tried to access...

Top 7 common Cybersecurity Myths — Busted

Even with the growing awareness about cybersecurity, many myths about it are prevalent. These misconceptions can be a barrier to effective security.  The first step to ensure the security of your business is to separate the false information, myths, and rumors from the truth. Here, we're busting some common cybersecurity...

Secret Backdoors Found in German-made Auerswald VoIP System

Multiple backdoors have been discovered during a penetration test in the firmware of a widely used voice over Internet Protocol (VoIP) appliance from Auerswald, a German telecommunications hardware manufacturer, that could be abused to gain full administrative access to the devices. "Two backdoor passwords were found in the firmware of...

Inclusion TryHackme

Hi, amazing hackers I today came another interesting topic which is local file inclusion. Local File Inclusion is part of OWASP's top 10 vulnerabilities. LFI flaws allow an attacker to read (and occasionally execute) files on the victim machine. This can be extremely dangerous because the hacker may gain access...

Hacking Microservices For Fun and Bounty

Understand How Microservices Work and Ways to hack it. Microservices are catching a lot of heat these days, they are on the verge of going mainstream, according to a recent survey from Nginx, 36 percent of enterprises surveyed are currently using microservices, with another 26 percent in the research phase. But...

Meta Sues Hackers Behind Facebook, WhatsApp and Instagram Phishing Attacks

Facebook's parent company Meta Platforms on Monday said it has filed a federal lawsuit in the U.S. state of California against bad actors who operated more than 39,000 phishing websites that impersonated its digital properties to mislead unsuspecting users into divulging their login credentials. The social engineering scheme involved the...

Hacked Google-Meet…??!

15th June 2021 Let’s bounce back a few months 🙂 Hello, infosec community ✋ Today I’m here to reveal an occurrence in my life which happened in June 2021. If you’re a complete beginner, leet, or off folk in infosec, whatever, it doesn’t matter. This write-up is for every individual who has a vigorous...

Log4J vulnerability in detail

It’s a sad day for the Java community If You are looking for an easy explanation of this vulnerability in Hindi then I recommend first watching this video and then reading this blog for better understanding. video link — https://www.youtube.com/watch?v=0Dz6pZtMrAk CVE-2021–44228 is a very hot number string today. Search it everywhere, it...

BluePrint Walkthrough[❌Metasploit ❌]

Solving A Windows Machine On TryHackMe without Metasploit. Blueprint Machine Description BluePrint is an easy-level Windows Machine on TryhackMe. The machine is a Windows 7 machine that hosts a web server on port 8080. That web server is running an outdated version of OsCommerce. This outdated Version has an arbitrary...

New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G

Researchers have disclosed security vulnerabilities in handover, a fundamental mechanism that undergirds modern cellular networks, which could be exploited by adversaries to launch denial-of-service (DoS) and man-in-the-middle (MitM) attacks using low-cost equipment. The "vulnerabilities in the handover procedure are not limited to one handover case only but they impact all...

How to see if cybersecurity of your organization is in check for the New Year

The last several years have seen an ever-increasing number of cyber-attacks, and while the frequency of such attacks has increased, so too has the resulting damage. One needs only to look at CISA's list of significant cyber incidents to appreciate the magnitude of the problem. In May of 2021, for example, a...

An Interesting Account Takeover!

An Interesting Account Takeover!! IDOR and weak encryption led to a Full account takeover. Hello, my fellow hackers. I am Mayank Pandey, a Bug Hunter, and an Aspiring Red Teamer. This is my first ever write-up for any Bug so if I make any mistake then ignore it. Now coming straight...

Experts Discover Backdoor Deployed on the U.S. Federal Agency’s Network

A U.S. federal government commission associated with international rights has been targeted by a backdoor that reportedly compromised its internal network in what the researchers described as a "classic APT-type operation."  "This attack could have given total visibility of the network and complete control of a system and thus could...

Tryhackme pickle rick walkthrough

Written by Mukilan B This walkthrough is about the CTF challenge we have to find the flag by exploiting the target. So let's dive into the Tryhackme challenge. After I started the machine I saw a webpage it looks Then I further dig into a website I got a username through the...

RazorBlack-Walkthrough [THM]

Learn How to attack Windows Active Directory through a CTF Description RazorBlack is a Medium Level Room on TryHackMe. It has a rather very interesting Description “These guys call themselves hackers. Can you show them who's the boss ?? ” The goal of this Challenge is to make you familiar with Active Directory...

Information Gathering in Penetration Testing

Hello guys, Ayush this side today in this article we are gonna learn about some information gathering techniques about any target. First of all , What’s Information Gathering ? Information gathering is the first phase of penetration testing in which we collect publicly available information or internal information about target while performing active...

Subdomain Enumeration TryHackme Writeup

The Art of finding subdomains Welcome back great hackers once again I came up with fabulous content which is based on finding valid subdomains which will be useful on web application security or bug hunting. This is one of the recon methodologies for hunting bugs in the large scope of the...

Facts to clear about Log4J for “Bug Bounty Hunters”

Hello everyone, In my 1st Blog, I’ve mentioned that I’ll post a blog about my each and every finding. I also got DMs that asked for Details/methods of my recent P1 findings. As I am in the final year of my undergrad and I am doing full-time bug bounty hunting,...

Over 500,000 Android Users Downloaded a New Joker Malware App from Play Store

A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users' contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge. The latest Joker malware was found in a...