How I got intrigued to hack Crypto Ground when I failed to enter into college competition


Date — 12/25/2018

So it all started yesterday: I saw I had been added to a group after I filled out a form. It was a college competition over cryptos. Everybody loves cryptos, right?

It all happened at night while I was watching Mr. Robot, Season 2, when a message arrived that I had been added to a group. My head was banging in full swing after watching Ep 3. So I took a little nap and then tried to enter the competition at 2 AM. Good excuse? Okay, I am sometimes excessively lethargic.

By the way, Season 2 and 3 are…


Patience is indeed* a virtue — bug bounty


I found a race condition flaw which caused the browser to preserve the address bar while loading the content from the spoofed page. Address bar spoofing allows for attacks where a malicious page can spoof the identity of another site.

Summary

During my testing, it was observed that the browser allowed JavaScript to update the address bar while the page was still loading. When data was requested from a non-existent port, the address was preserved; the race condition over the resource requested from that non-existent port, combined with the delay induced by the setInterval function, managed to trigger address bar…


Hacking Medium #1: Exported Android Activity Fiasco

Medium Hacking Stories by Piyush Raj ~ Rex (0x48piraj)

As we all know, exposing activities can lead to various attack scenarios. If you don’t know what an Android activity is, listen to Google explaining it briefly —

“The Activity class is a crucial component of any Android app, and the way activities are launched and put together is a fundamental part of the platform’s application model” — developer.android.com

If that was a bit complicated:

Everything that you see in an Android app is, in a sense, done via an activity. For example, say you tap the Facebook app icon on your phone; it will show a window with…


Catching a low-hanging juicy fruit through Options Bleed


Date reported — 02–07–2019

# Vulnerable Software — Apache
# CVE: CVE-2017-9798 / USN-3425-1 “OptionsBleed”
# Type — P1:Sensitive Data Exposure + P5:Fingerprinting/Banner Grabbing
# Domain Affected — *.unesco.org
# Tested — https://en.unesco.org (193.242.192.49)

Summary

Optionsbleed is a use-after-free bug in Apache HTTP Server that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests. Here it led to a direct leak of sensitive data through a misconfigured server-status module, mod_status, which the Apache web server exposes for displaying metrics.

Reproducibility

Due to its nature, the bug doesn’t appear deterministically. It only seemed to appear on busy…


…and the idiocy that followed


Date reported — 2019–08–29

Summary

Firefox Lite 1.9.2 for Android and earlier suffers from address bar spoofing, allowing attackers to potentially trick a victim into visiting a malicious domain while a legitimate domain name is displayed. Firefox Lite is installed on more than 10M devices.

Impact

URL address bar spoofing is the worst kind of phishing attack possible because, for a non-technical user, the address bar is the only way to identify the site being visited. The URL address bar is the only way to trust a website, and if this indicator is hijacked, the whole security of any normal user is compromised.

Explanation

Res-block Attack

This attack can be used to detect whether the victim is using incognito mode in what was the latest version of Chrome (77.0.3865.90) at the time I discovered it, exactly a year ago in Sept 2019, by abusing web_accessible_resources. The research can be found at 0x48piraj/PwnHouse.

Anatomy of res-block attack

Sometimes developers share packaged resources of their Chrome extension (for example images, HTML, CSS, or JavaScript) and make them available to web pages. They do this using web_accessible_resources.

As per Chrome’s documentation,

An array of strings specifying the paths of packaged resources that are expected to be usable in the context of a web page. These…


Another Classic From “Hacking Colleges For Fun” Series


Back Story

COVID-19. College closed. Everything Quarantined. How to take tests? Voila. Online. Okay, but how? Tadaa.

We were sent an email regarding a new platform which was indigenously built just for us, the students, for carrying out the quizzes. Soon enough, I was bombarded with requests to do something about that. I was busy at the time, so I showed no interest and shooed everyone away. But soon enough, professors started to rub it in our faces by forcing us to do programming assignments OFFLINE. Yes, writing code on paper, taking photos, using editing skills to create a PDF out of it…


Hacking user-base of 1,214,000+ including Sony, Dell, Cisco, DHL, Yale, University of Phoenix

Original timeline: August 2018 — September 2020

I remember last year (2018) getting all frustrated by those idiotic subjects which didn’t make any sense for what I was interested in, and thus I loved making final year projects, completing company recruitment challenges and solving quizzes of seniors. If interested, you can visit my personal blog where I publish those mushy blogs; one of them is “Relating Every Subject To Computer Science In My Freshmen Year”. I named my blog Tinkernel — Tinkering the kernel. Dope, right?

Let’s continue, shall we?

Anyways, soon, I got to know our university uses a…


Write-up of all the TJCTF-2018 challenges

I deleted all my repositories of walk-throughs of CTF challenges and am now blogging them away.

Repository no longer available.

TJCTF 2018

TJCTF is a Capture the Flag (CTF) competition hosted by TJHSST’s Computer Security Club. It is an online, jeopardy-style competition targeted at high schoolers interested in Computer Science and Cybersecurity.

Problem List

Table of Contents

  • Blank (5 points)
  • Trippy (5 points)
  • Weird Logo (5 points)
  • Discord! (5 points)
  • Cookie Monster (10 points)
  • Central Savings Account (10 points)
  • Vinegar (15 points)
  • Interference (15 points)
  • Math Whiz (20 points)
  • Nothing but Everything (20 points)
  • Caesar’s Complication (20 points)
  • Huuuuuge (25 points)
  • Learn My Flag (30 points)
  • Request Me (30 points)
  • Validator…

Using Jiraffe security tool to find low-hanging fruits


Introduction

Months ago I discovered a flaw hackers can use to access Samsung’s and LG Electronics’ internal bug tracking and project management instances running on Jira. The flaw takes only a couple of commands to potentially access intranets, cause XSS, and do anything else that SSRF can cause, including something such as:

https://public.example.com/proxy?url=admin-panel.example.com

Piyush Raj ~ Rex

Google Code-In C. Winner. GsOCer ‘19. Independent Security Researcher. Have hacked Medium, Mozilla, Opera & many more. Personal Website: https://0x48piraj.com
