🧵NEW THREAD🧵
Here is how I was able to takeover the whole company's AWS infrastructure under 10 min after a new asset launch at @Hacker0x01 private program 1. I was invited in the morning to a private program at H1 and the program updated the scope in the evening, So I decided to take a look to see if there is something to hack

🧵NEW Thread🧵

Here is how I found the easiest SQLi and possible RCE in less than 30 min of recon and dorking

1. I was invited to a private program at @Hacker0x01 and the first thing I usually do is to look at the scope and see if it is a wildcard domain or just a small scope. 2. Found that the program accepts all vulnerabilities related to their assets and of course third party assets are OOS

Here is how I chained two bugs to exploit a UUID based IDOR and gained access to admin panel.

🧵THREAD🧵
1. How I knew that the target uses the same panel for both (normal users and admins)?! This is because of two things, the first one is through subdomain enumeration The second one is from the JS files.
After enumerating the subdomains, no admin panel was found for the main app.
But when reading the main JS file of the target, there was some keywords like is_admin or administration or anything related to the super users privileges.

Here is short writeup on how I found some hardcoded credentials inside of an exe file and got paid 2000$ even the asset was OUT OF SCOPE!

📌THREAD📌

1. I got invited to a private program with new assets
2. The asset was a web application for an Electron desktop app 3. I tried to find the executable for the In scope app just to understand what the app will looks like when installed in the machine