
RCE in Hubspot with EL injection in HubL

This is the story of how I was able to get remote code execution on Hubspot's servers by exploiting a vulnerability in the HubL expression language, which is used for creating templates and custom modules within the Hubspot CRM. I had absolutely no experience with this kind of vulnerability before, and it turned out to be a very interesting learning opportunity. In this post, I go through the process I followed while researching and how little pieces were connected together to achieve a much bigger goal.

Getting started

While working on the Hubspot bug bounty program, I came across a functionality which looked very interesting. Users can create custom designs for emails or blogs from the design manager and can use the HubL expression language in their templates. Because HubL is a markup language, I began with the payload {{7*7}} and got a nice '49' back, which means the server was treating anything within two curly brackets as HubL code.

Bear in mind, at this point I didn…
Recent posts

Command Injection Without Spaces

I came across a nice little command injection vulnerability while doing a bug bounty recently. The only catch was that I couldn't use any spaces in the commands. Let me go into the details...

Note: I can't post any details about the application as it was a private bounty program.

It all began with a page providing an input box for doing an 'nslookup' of a domain or IP entered by the user.
A page like this always excites a bug bounty hunter, as the application has to pass the user's input to an underlying system command to perform the nslookup and present the output of that command in the browser. If the developer has made any mistake in validating and sanitizing the input, they inadvertently open the door to attackers misusing this feature to execute arbitrary commands on the server.

So, when I saw the input box, I started to explore and try to force the application into executing arbitrary commands.
I began with the simple input google.com

My next automatic try was to input google.com &am…

Curious case of Yammer XSS

Microsoft recently (finally!!) launched their bug bounty program for some of their online services, and Yammer is part of its scope. Noticing this, I jumped in to find bugs in Yammer because it looked to be the easier of the targets. This post is about a strange stored XSS I found in Yammer apps which would have allowed non-admin users to steal cookies from admin users and also do other nasty stuff.

To begin with, Yammer is a private social network that helps employees collaborate across departments, locations and business apps. 

Once logged in to Yammer, any user can create and publish apps to the organization's Apps directory. This process does not require any authorization or approval. Apps are published to the app directory some time after they are created.

Apps can be created from https://www.yammer.com/client_applications.
When registering the app, Yammer takes in a Redirect URI value, which is "the URL to redirect the user's browser to after the user has linked the application to…

Facebook, Only Me... really??

In my quest for finding bugs on the internet in my free time, I stumbled upon some information disclosure / privacy settings violation issues on Facebook and reported them promptly (after 2 months of discovery :P). Facebook took them seriously and responded promptly (again 1~2 months after the report) and fixed one of them. This entry describes how anyone could find out the information which you have entered in your profile but kept hidden (Privacy settings == Only Me) just by becoming your friend.

This is going to be the lamest / non-technical bug you are ever going to see. So brace yourself.

First, the victim has to set the information which he doesn't want to disclose with the privacy setting "Only Me".

Second, the attacker adds the victim as a friend. Remember, for this "attack" to work, the victim has to be the only friend in the attacker's friends list. Either the attacker creates a new profile and adds the victim as a friend or unfriends all the friends but the …

Installing VMWare Player / Workstation on Kali Linux

This guide is for installing VMware Player or Workstation on Kali Linux. Although this is a simple task, I faced an issue with the kernel headers when launching VMware Player, hence this blog post.

I did these steps with VMware Player, but the same steps can be followed for Workstation.

1. First of all, download VMware Player from https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/5_0

2. Make the downloaded file executable by navigating to the directory where you downloaded the bundle and executing:

    chmod +x VMware-Player-5.0.1-894247.x86_64.bundle

3. Open a terminal and install the packages needed by VMware Player:

    apt-get install build-essential linux-headers-`uname -r`

This will install the kernel headers for your current Linux kernel version.

4. After the packages are installed, start the VMware Player installer:

    ./VMware-Player-5.0.1-894247.x86_64.bundle

This is pretty much it.

5. Launch VMware Player by navigating to it from the main menu.

At this stage, I got an error say…

Passively Monitoring Network Traffic On Wireless Networks

Many times, during penetration tests, we have to monitor the data flowing inside the network. Achieving this on an Ethernet network is simple, as we can just connect a network cable and become part of the target network. But that leaves a trace, and someone on the network can find out that the traffic is being monitored. On wireless networks, we have the advantage of being able to monitor the network traffic passively: the packets are freely flowing over the air and we just need to be able to see them.

To be able to monitor network traffic, we must put our wireless adapter in monitor mode:

    airmon-ng start wlan0

This will start monitor mode on a virtual interface such as “mon0”.

To start dumping data from the target network, we need to know the following things:

- BSSID – the MAC address of the Access Point
- The channel on which the Access Point is working

To find out these things, we can run airodump on all the channels. This will list all available wireless networks with various pieces of information for each…

Collection of CTF writeups

Last month, I took part in nullcon's CTF competition. It was great, it was fun, and it was my first CTF. I had practiced a little and was thinking "let's do this and win!!" But when I started playing, it became very clear that the practice you do in-house is far different from what is needed in CTFs. I had no experience of playing a CTF whatsoever, and that hurt. After the CTF ended, I started reading writeups of previous CTFs organised at conferences around the world. It is really enlightening to read how creative you have to be at times to figure out how to solve a level. That is why I have collected writeups from various CTF-winning teams. Who knows what trick might give you a WINning moment in the next CTF. I present here a few writeups from my collection. Do let me know through the comments if I have missed a good one. Hope you enjoy and learn from them!

Nullcon 2012 HackIM challenge
Plaid Parliament of Pwning << Writeups by team 'ppp' from various…