Jomar Website
I am Joshua Martinelle, a hacker at heart, and as a Research Engineer at Tenable I bring my passion for cybersecurity to my work every day. With a background in bug bounty, I have a unique perspective on how to identify and remediate potential threats to systems. I am self-taught and constantly seeking out new opportunities to grow and develop my skills.
Jomar Website
6M ago
Bruteforce vs Permutation
Introduction
In this article, we'll compare which is more interesting: bruteforce or permutation generation. But also whether it's always worth it. For the analysis, it doesn't matter which domain is used; we'll call it domain.tld. I chose this scope because it's a program I'm fairly familiar with, so it was easier for me to compare the results obtained. Before getting to the heart of the matter, I'd like to point out that for each step requiring DNS resolution, I used a different VPS for each tool in order to be on the soundest possible footing for each test.
Jomar Website
8M ago
Description
For a recent need, I wish to share some feedback on the implementation of binary search in Go on a large file.
Definition: Binary search is a search algorithm for finding the position of an element in a sorted array. The principle is as follows: compare the element with the value of the cell in the middle of the array; if the values are equal, the task is completed, otherwise we start again in the relevant half of the array.
Jomar Website
8M ago
This week, on a BugBounty program which I had left aside, I found my first SSRF; here is my writeup.
Recon
The scope is restricted to the website and its API. Rather basic, it allows you to register as a simple user and has only a few features. The program had been open for several months already, so I approached the site thinking I probably wouldn't find much. However, from the first hours I already had several P2 (IDOR
Jomar Website
8M ago
Recently, on a BugBounty program, I came across my first XXE, a blind one what's more. As I found this case interesting, I wanted to share it here.
Recon
The reconnaissance phase is quite basic: the scope is composed of a single URL with 2 distinct backends (administrators and users). For each of these backends, the users' view is limited according to the rights they have.
https://domain.tld/admin => URL for admin backend
https://domain
Jomar Website
8M ago
Recently, on a BugBounty program, I came across my first RCE, discovered and exploited rather quickly on a solution with a vulnerability that I don't master at all: Java Deserialization.
Recon
Currently improving my reconnaissance tool AutoRecon, originally intended to help me with subdomain enumeration, I also want to perform some reconnaissance tasks that are quite annoying when you have to do them many times. The scope in question is like
Posts
8M ago
My bounty infrastructure with Docker
[31/12/2020]: Updated the post for Rengine v0.5 and a clearer / cleaner configuration of Traefik, as well as the removal of Portainer.
After some problems with Rengine for certificate management, and a new service that I want to use, I switched to a full Docker infrastructure on my server. Apart from the use of a few containers, it's my first experience with Docker, but after some difficulties I find it rather practical and modular.
Posts
8M ago
I originally wanted to name this article "The RCE that everyone missed", but since it was too "clickbait", this is the title you see now. Why "The RCE that everyone missed"? That's what we'll see here. This article won't be very long, and since there are no technical details, I'd rather focus on why I stumbled upon this RCE.
The story
It's been many months now that I haven't been very active in bug bounty. I haven't given up, but in fact I devote my free time to the development of my own recon framework.
Posts
8M ago
The Story
[EDIT 26/04/22] - I added a note on my personal conclusion about Amass, with a note from a conversation with Caffix about why Amass is slower than the others.
Hi everyone, I recently came across this tweet, which immediately intrigued me because I had also observed that I was losing valid domains with PureDNS. I had done some tests (not very thorough) 8 months ago on different tools, and I had concluded at that time that PureDNS was the best solution.
Jomar Website
8M ago
For the 3rd and, I think, last episode of the series, we're going to continue with the same target as in episode 2, which I recommend you go and read first to get a bit more context: Basic recon to RCE II
The Story
So, after this first RCE discovered on the application, I wanted to continue to dig, especially because this debug mode displays a POST method on the endpoint /convertdoctopdf