Corben Leo
I hack stuff (legally) | Co-founder @boringmattress
Mar 3, 2024 12 tweets 2 min read
You can find easy critical vulnerabilities.

It just takes finding unique attack surfaces.

Here's an example of how you can, using a story of how I hacked a car company:

1/ I went to Shodan (or easy searching with )

Searched for my target with the filter:

> ssl.cert.subject.cn:*.example[.]com

I found a server with a certificate for:

*.apps.███.com

If I see wildcards, I think that the server is an ingress endpoint
Aug 24, 2023 13 tweets 3 min read
I've made $500k+ from SSRF vulnerabilities.

Here are my tricks:

1. Try other URL schemes:

• file:// (file read)
• netdoc:// (file read)
• dict://
• gopher://
• jar://
• ldap://
• and more!

You might be able to get file read.

Or send multi-line requests to gain additional impact

(Ex: gopher + redis = likely RCE)
Aug 21, 2023 12 tweets 4 min read
I hacked a car company.

Here's how I gained access to hundreds of their codebases.

1. This company ran a bug bounty program.

I came across a web server that responded with:

> 404 Not Found: Requested route ('example.apps.███.com')
Jan 27, 2023 15 tweets 5 min read
I hacked the military.

A system containing the information of military personnel.

Yet, the hack was done legally.

Here's how I did it and how it was done legally:

1. I came across an Army server running ASP .NET

The application was a Learning Management System (LMS).

If you’ve been in school in the past 10-15 years, you’ve likely used one: Moodle, Canvas, D2L, Blackboard, etc.

This LMS allowed anonymous registration.

So I registered!
Jan 25, 2023 15 tweets 4 min read
I hacked a car company last year.

I found a way to steal every customer's

• Name
• Email address
• Phone number
• Address

Here's how I did it:

1. I started with reconnaissance:

- Subdomain enumeration to find the company's subdomains.
- HTTP server probing to see what's online

$ subfinder -d example[dot]com | httpx -o target.httpx

I came across a webserver running IIS:

hxxps://installersupport.██████.com/
Jan 2, 2023 8 tweets 2 min read
I hacked a large company (70k+ employees) through social engineering. Legally of course.

• I set up the infrastructure
• Scraped names & emails with LinkedIn
• Sent 200 phishing emails.

I had access to their AWS console within 2 minutes.

And much more:

1/ I used Evilginx2 to bypass MFA (Okta & Duo)

From Okta, I could access Outlook, SharePoint, GitHub, & many more services on behalf of the 50+ employees that fell for the phish.

I was blown away by how easy it was to pull off this "hack" that could've impacted 60M+ people.
Dec 31, 2022 12 tweets 3 min read
My favorite hacking stories of 2022:

1/ Hacking a Trans-Atlantic cable.

Nov 25, 2022 8 tweets 2 min read
I hacked a phone company earlier last year.

I found a stupidly simple way to view the call logs of 50M customers.

Here's how I did it:

1/ I've been in this bug bounty program for quite some time.

I previously bought a phone plan so I could login and test functionality as an authenticated user.

In the dashboard, there was a tab to view your call logs.
Sep 29, 2022 16 tweets 4 min read
I hacked a gaming company this year.

Here's how I did it:

1/ The scope of this program was *.███.com

With a wildcard, basic recon is:

Subdomain Enumeration + HTTP server probing:

$ subfinder -d example[dot]com | httpx -o example.httpx
Sep 16, 2022 7 tweets 2 min read
Uber was hacked.

The hacker social engineered an employee -> logged into the VPN and scanned their intranet. 👇

Apparently there was an internal network share that contained powershell scripts...

"One of the powershell scripts contained the username and password for a admin user in Thycotic (PAM) Using this i was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite"
May 23, 2022 10 tweets 3 min read
Information is key.

What sort of information could be in an Airforce Database?

Who would get hurt by that data?

Who would it benefit?

5 years ago, 17-year-old me easily gained access to an Air Force database.

Legally, through hackerone.com/deptofdefense

Here's how I did it:

1/ Back then, I practiced in the DoD's Vulnerability Disclosure Program (VDP).

This time, I was looking at the Airforce subdomains.

I decided to look for sites running PHP.

To do this, I used Google.

So, if you use Google, you should know about
May 4, 2022 13 tweets 3 min read
The simplest observations can lead to finding huge vulnerabilities.

Here's how @Shlibness & I gained access to data of 25,233 employees:

1/ @Shlibness messaged me.

He had something for me to look at:

https://digitalcontrol.███/workday/workday_profiles_lookup

I'd never seen this endpoint.

But looked juicy!

Workday allows employees to check-in & out of work, get paid, etc.

I requested it &
May 3, 2022 4 tweets 2 min read
How you can learn to hack web3 (and protect millions of dollars):

1/ Become a dev (to break you must understand):

• Read "Mastering Ethereum" (It's on GitHub)
• Learn Solidity:
  • CryptoZombies
  • solidity-by-example[.]org
  • Solidity Docs
• Learn how to use HardHat
• Familiarize yourself with widely used contracts (EIP 20)
Apr 29, 2022 13 tweets 3 min read
It's easy to find attack surfaces that others haven't.

You just need to think creatively.

"But Corben, I don't know how!"

That's what I'm here for.

I'll share some simple methodology that works.

(so you can find vulnerabilities...and make money)

A story:

1/ I went to Shodan.

Searched for my target with the SSL certificate name filter:

> ssl.cert.subject.cn:*.example[.]com

I came across a server that had a certificate for:

"*.apps.███.com"

Interesting.

When I see wildcards, I immediately think that the server
Apr 27, 2022 14 tweets 3 min read
Authorization.

Easy to understand. Critical if implemented incorrectly.

Want to see an example? (dumb question Corben, yes, why not)

Last month, I found an auth bypass that led to a full account takeover.

Here's how I found it:

1/ I came across a subdomain.

I used cURL to check it out:

$ curl https://redacted.███.com

> HTTP/1.1 200 OK
> X-Powered-By: Express
> Content-Type: text/html; charset=UTF-8
>
>--- snip ----
> <app-root></app-root>
> --- snip ----

Nice, AngularJS! Might be interesting. So
Apr 23, 2022 6 tweets 2 min read
Are you into web hacking?

If so, you must have technology-specific wordlists

If not, you're missing obvious vulnerabilities.

Don't believe me?

Let's look at an information disclosure in an ASP[.]NET Core site:

1/ First, let's talk background:

How does ASP[.]NET get its configuration settings? (Like database connections)

In the documentation:

By default, it's "configured to read from `appsettings.json`, environment variables" and more.

It gives an example that shows
Apr 15, 2022 12 tweets 3 min read
Who's your phone provider?

Well, there's a good chance that I've hacked them!

Last year, I breached a major telecom company (many times...)

This time, I stole the data of every employee.

(well, I didn't steal all of it, but I could've)...

Here's how I did it:

1/ I hacked on this company often.

Through their bug bounty program.

I performed recon to see what new assets were up.

I went to Shodan.

Searched by SSL certificate names:

> ssl.cert.subject.cn:*.example[.]com

Scrolled.

Ooooh!

A new host that I hadn't seen before:
Apr 12, 2022 10 tweets 2 min read
302 Military FTP servers.

Imagine you had access to 302 military FTP servers.

What data could possibly be on them?

Who would get hurt by that data?

Who would it benefit?

5 years ago,

A 17-year-old gained access to 300 military FTP servers.

Here's how I did it:

1/ Back then, I practiced in the DoD's Vulnerability Disclosure Program (VDP).

So, I was interested in U.S. Army websites.

More specifically, sites that allowed me to register an account.

Why?

Because sites that have logins typically have lots of other functionality.
Apr 8, 2022 12 tweets 4 min read
In 2010, WikiLeaks released a classified document.

A list of infrastructure critical to U.S. national security.

The government listed a Trans-Atlantic cable.

3 years ago,

19-year-old me gained ADMIN access to that cable (and another; shared codebase).

🧵 Here's how I found it

1/ It began with a bug bounty program.

Of a telecommunications company (that I can't name publicly).

As some of you may know, I love recon.

I had already done subdomain enumeration.

The next step was to scan their IP ranges.

So,
Apr 4, 2022 8 tweets 2 min read
Have you found any ironic vulnerabilities?

I do. One comes to mind that I've never shared:

Access to a company's vulnerability reports.

All of them...Ever...

It will make you facepalm.

Here's how I managed it:

1/ I was invited to a "new" program.

It was a vulnerability disclosure program.

This meant no rewards.

However, their policy indicated they "might reward $ for criticals"

I was bored and intrigued enough.

Maybe some easy criticals?
Mar 30, 2022 11 tweets 3 min read
Hacking CAN be easy.

But, often it's not.

Let's develop your technical skills, they obviously matter.

A roadmap:

1/

- Learn Bash scripting & the command line

- Learn HTML & JavaScript (Codecademy / W3Schools)

- Learn Python (or Golang, Java, C#, or whatever).

- Learn some basic SQL.