For those who are only interested in the final payload here you go (I won’t judge). For the ones interested in why it works, please bear with me.

Snippet 1: final payload

First of all, I would like to point out that this article and the bypass described here are heavily based on Michał Bentkowski's (@SecurityMB) research. The original article and the previous bypass that made it possible for me to find this new vector are available here. The article also contains all of the required foundations the reader may need to properly understand how and why the bypass described here…


I took some of my Christmas break time to solve as many challenges as I could in HackerOne's CTF. Among the remaining challenges I still had to solve, there were a couple named Model E1337 — Rolling Code Lock and Model E1337 v2 — Hardened Rolling Code Lock. Both challenges had Math listed as a required skill, so I decided to put my brain to the test and give them a try.

SPOILER ALERT

This write-up contains valid, working ways of solving the aforementioned challenges. If you are only looking for tips and would like to…


On November 4th BugPoc published a new challenge on their official Twitter account. The challenge objective was simple: using Google Chrome, find an XSS vulnerability and pop up a message box by calling alert(origin).

First steps

Navigating to the challenge page hosted at https://wacky.buggywebsite.com/, the challenger was presented with a "simple" single-input page. By entering text in the provided textarea element and clicking the Make Whacky! button, the application returned a funny-looking version of the same entered text.

Figure 1: Challenge page basic usage

By using the Sources tab of Google Chrome's developer tools, one could verify that the page loaded a JavaScript file named…


In my last post, I described how it is (was?) possible to use the OpenVAS Download an EXE package for Microsoft Windows feature to extract usernames and passwords stored as credentials in the open-source vulnerability scanner. What I did not mention last time is that this same feature can also be used as a privilege escalation vector if the stars are properly aligned.

Imagine you are an OpenVAS administrator and you want to use the aforementioned feature to deploy a credential that will be used to scan your Windows servers. Regardless of the solution you choose to deploy the package…


A couple of weeks ago I helped a friend with a penetration test for a company that used the OpenVAS vulnerability scanner (https://www.openvas.org/). OpenVAS, like most vulnerability scanners, uses pre-configured credentials in order to perform its scans. Getting your hands on one of these credentials during a pentest usually means gaining a wide range of access to the environment. Most of the time system administrators will use a small set of accounts with administrative privileges for vulnerability scanning, as configuring many different credentials for different assets is not efficient.

We got access to the tool's web interface by finding…


During times of pandemic one needs to find interesting things to keep one's mind sharp. Because of that, I decided to conduct a security assessment of my home wifi router. After a week of work I found some stored XSS (CVEs pending) in the router's web UI, but that was not the interesting part. During the tests, I noticed the router's SSH service was enabled and that it was running an old version of the Dropbear SSH daemon. However, trying to open any kind of SSH channel other than "forwarded-tcpip" and "direct-tcpip" failed, which meant that no type of…

Daniel Santos

Security researcher and penetration tester
