-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
63e8817
commit 9e3679e
Showing
7 changed files
with
6 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,2 @@ | ||
| <!doctype html><html lang=en-us><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Categories · tedmdelacruz</title> | ||
| <link rel=stylesheet href=/css/style.css><link rel=stylesheet href=/css/fonts.css><link rel=stylesheet href=/styles.css><link rel=icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/images/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/images/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/images/apple-touch-icon.png><link href=/categories/index.xml rel=alternate type=application/rss+xml title=tedmdelacruz><script src=/js/darkmode.js></script></head><body><nav class=nav><div class=nav-container><a href=/><h1 class=nav-title>tedmdelacruz</h1></a><ul></ul></div></nav><div id=darkModeToggle onclick=toggleDarkMode()>◐</div><main><h1>Categories</h1><div class=catalogue><ul></ul></div><div class=pagination><span>1</span></div></main><footer><span>© <time datetime="2024-03-13 13:14:27.569272542 +0000 UTC m=+0.040712266">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> | ||
| <link rel=stylesheet href=/css/style.css><link rel=stylesheet href=/css/fonts.css><link rel=stylesheet href=/styles.css><link rel=icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/images/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/images/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/images/apple-touch-icon.png><link href=/categories/index.xml rel=alternate type=application/rss+xml title=tedmdelacruz><script src=/js/darkmode.js></script></head><body><nav class=nav><div class=nav-container><a href=/><h1 class=nav-title>tedmdelacruz</h1></a><ul></ul></div></nav><div id=darkModeToggle onclick=toggleDarkMode()>◐</div><main><h1>Categories</h1><div class=catalogue><ul></ul></div><div class=pagination><span>1</span></div></main><footer><span>© <time datetime="2024-03-13 13:17:30.776416148 +0000 UTC m=+0.040177820">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,3 @@ | ||
| <!doctype html><html lang=en-us><head><meta name=generator content="Hugo 0.123.8"><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=description content><title>tedmdelacruz</title> | ||
| <link rel=stylesheet href=/css/style.css><link rel=stylesheet href=/css/fonts.css><link rel=stylesheet href=/styles.css><link rel=icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/images/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/images/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/images/apple-touch-icon.png><link href=/index.xml rel=alternate type=application/rss+xml title=tedmdelacruz><script src=/js/darkmode.js></script></head><body><nav class=nav><div class=nav-container><a href=/><h1 class=nav-title>tedmdelacruz</h1></a><ul></ul></div></nav><div id=darkModeToggle onclick=toggleDarkMode()>◐</div><main><div class=catalogue><a href=https://tedmdelacruz.github.io/posts/strapi-rce-writeup/ class=catalogue-item><div><time datetime="2024-02-10 21:43:57 +0800 +0800" class=catalogue-time>February 10, 2024</time><h2 class=catalogue-title>Remote code execution in a billion-dollar publicly traded company</h2><div class=catalogue-line></div><p>There are 4 things that need to happen in order to find CVE-2023-22621 in the wild: | ||
| You need to find a website that is powered by Strapi. The super admin for this website, somehow, has not been claimed yet. The version of Strapi should be at least 4.5.5 and below. No other hacker had somehow seen any of the three aforementioned scenarios first. The stars have aligned in my favor, and with this CVE, I managed to fully take over one of the websites of a billion-dollar company listed on the New York Stock Exchange.</p></div></a><a href=https://tedmdelacruz.github.io/posts/hello-world/ class=catalogue-item><div><time datetime="2022-05-12 13:06:39 +0800 +0800" class=catalogue-time>May 12, 2022</time><h2 class=catalogue-title>Hello World</h2><div class=catalogue-line></div><p>This is a new space for me to write about tech. Thanks to GitHub Pages and Hugo I’m able set to this up without spending a single dollar.</p></div></a></div><div class=pagination><span>1</span></div></main><footer><span>© <time datetime="2024-03-13 13:14:27.576402827 +0000 UTC m=+0.047842562">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> | ||
| You need to find a website that is powered by Strapi. The super admin for this website, somehow, has not been claimed yet. The version of Strapi should be at least 4.5.5 and below. No other hacker had somehow seen any of the three aforementioned scenarios first. The stars have aligned in my favor, and with this CVE, I managed to fully take over one of the websites of a billion-dollar company listed on the New York Stock Exchange.</p></div></a><a href=https://tedmdelacruz.github.io/posts/hello-world/ class=catalogue-item><div><time datetime="2022-05-12 13:06:39 +0800 +0800" class=catalogue-time>May 12, 2022</time><h2 class=catalogue-title>Hello World</h2><div class=catalogue-line></div><p>This is a new space for me to write about tech. Thanks to GitHub Pages and Hugo I’m able set to this up without spending a single dollar.</p></div></a></div><div class=pagination><span>1</span></div></main><footer><span>© <time datetime="2024-03-13 13:17:30.780730718 +0000 UTC m=+0.044492390">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| <!doctype html><html lang=en-us><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Hello World · tedmdelacruz</title> | ||
| <link rel=stylesheet href=/css/style.css><link rel=stylesheet href=/css/fonts.css><link rel=stylesheet href=/styles.css><link rel=icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/images/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/images/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/images/apple-touch-icon.png><link href rel=alternate type=application/rss+xml title=tedmdelacruz><script src=/js/darkmode.js></script></head><body><nav class=nav><div class=nav-container><a href=/><h2 class=nav-title>tedmdelacruz</h2></a><ul></ul></div></nav><div id=darkModeToggle onclick=toggleDarkMode()>◐</div><main><div class=post><div class=post-info><span>Written by</span> | ||
| ted<br><span>on </span><time datetime="2022-05-12 13:06:39 +0800 +0800">May 12, 2022</time></div><h1 class=post-title>Hello World</h1><div class=post-line></div><p>This is a new space for me to write about tech. Thanks to <a href=https://pages.github.com/>GitHub Pages</a> and <a href=https://gohugo.io/>Hugo</a> I’m able set to this up without spending a single dollar.</p><p>I’m working on so lots stuff – hunting security vulnerabilities (and hopefully get paid for it) on <a href=https://www.hackerone.com/>Hackerone</a> and <a href=https://www.bugcrowd.com/>Bugcrowd</a>, learning Go for my tooling, honing my shell scripting skillz, and modding my mechanical keyboards.</p><p>I’ll write about these soon!</p></div><div class=pagination><a href=/posts/strapi-rce-writeup/ class="right arrow">→</a> | ||
| <a href=# class=top>Top</a></div></main><footer><span>© <time datetime="2024-03-13 13:14:27.570733696 +0000 UTC m=+0.042173430">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> | ||
| <a href=# class=top>Top</a></div></main><footer><span>© <time datetime="2024-03-13 13:17:30.776627546 +0000 UTC m=+0.040389219">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,3 @@ | ||
| <!doctype html><html lang=en-us><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Posts · tedmdelacruz</title> | ||
| <link rel=stylesheet href=/css/style.css><link rel=stylesheet href=/css/fonts.css><link rel=stylesheet href=/styles.css><link rel=icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/images/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/images/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/images/apple-touch-icon.png><link href=/posts/index.xml rel=alternate type=application/rss+xml title=tedmdelacruz><script src=/js/darkmode.js></script></head><body><nav class=nav><div class=nav-container><a href=/><h1 class=nav-title>tedmdelacruz</h1></a><ul></ul></div></nav><div id=darkModeToggle onclick=toggleDarkMode()>◐</div><main><div class=catalogue><a href=https://tedmdelacruz.github.io/posts/strapi-rce-writeup/ class=catalogue-item><div><time datetime="2024-02-10 21:43:57 +0800 +0800" class=catalogue-time>February 10, 2024</time><h2 class=catalogue-title>Remote code execution in a billion-dollar publicly traded company</h2><div class=catalogue-line></div><p>There are 4 things that need to happen in order to find CVE-2023-22621 in the wild: | ||
| You need to find a website that is powered by Strapi. The super admin for this website, somehow, has not been claimed yet. The version of Strapi should be at least 4.5.5 and below. No other hacker had somehow seen any of the three aforementioned scenarios first. The stars have aligned in my favor, and with this CVE, I managed to fully take over one of the websites of a billion-dollar company listed on the New York Stock Exchange.</p></div></a><a href=https://tedmdelacruz.github.io/posts/hello-world/ class=catalogue-item><div><time datetime="2022-05-12 13:06:39 +0800 +0800" class=catalogue-time>May 12, 2022</time><h2 class=catalogue-title>Hello World</h2><div class=catalogue-line></div><p>This is a new space for me to write about tech. Thanks to GitHub Pages and Hugo I’m able set to this up without spending a single dollar.</p></div></a></div><div class=pagination><span>1</span></div></main><footer><span>© <time datetime="2024-03-13 13:14:27.576414548 +0000 UTC m=+0.047854282">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> | ||
| You need to find a website that is powered by Strapi. The super admin for this website, somehow, has not been claimed yet. The version of Strapi should be at least 4.5.5 and below. No other hacker had somehow seen any of the three aforementioned scenarios first. The stars have aligned in my favor, and with this CVE, I managed to fully take over one of the websites of a billion-dollar company listed on the New York Stock Exchange.</p></div></a><a href=https://tedmdelacruz.github.io/posts/hello-world/ class=catalogue-item><div><time datetime="2022-05-12 13:06:39 +0800 +0800" class=catalogue-time>May 12, 2022</time><h2 class=catalogue-title>Hello World</h2><div class=catalogue-line></div><p>This is a new space for me to write about tech. Thanks to GitHub Pages and Hugo I’m able set to this up without spending a single dollar.</p></div></a></div><div class=pagination><span>1</span></div></main><footer><span>© <time datetime="2024-03-13 13:17:30.780718357 +0000 UTC m=+0.044480029">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,4 +12,4 @@ | |
| </span></span></code></pre></div><p>In order to prove the RCE, I left an inconspicuous text file in the server at <code>/root/tedminfosec.txt</code>:</p><div class=highlight><pre tabindex=0 style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-sh data-lang=sh><span style=display:flex><span>root@<span style=color:#f92672>[</span>redacted<span style=color:#f92672>]</span>:/home/<span style=color:#f92672>[</span>redacted<span style=color:#f92672>]</span>/project/strapi# cat /root/tedminfosec.txt | ||
| </span></span><span style=display:flex><span>hello from [email protected] | ||
| </span></span></code></pre></div><h1 id=impact>Impact</h1><p>Without disclosing too much about the compromised server, it contains highly sensitive keys and secrets that could have allowed a malicious actor to pivot to other, more sensitive assets in the company’s internal network.</p><p>The malicious actor could have done more than just defacing a website or use it to launch phishing campaigns.</p><p>Since privilege escalation at this point would break the <em>rules of engagement</em>, I decided to stop testing from there.</p><h1 id=responsible-disclosure>Responsible disclosure</h1><p>Once that’s done, I took my time to write a detailed vulnerability report and submitted it to the bug bounty program. It was triaged as <strong>Critical</strong>:</p><p><img src=/strapi-rce-triage.jpg alt="Strapi RCE triage"></p><p>Now that’s how I compromised a server of a company worth more than a billion dollars.</p></div><div class=pagination><a href=/posts/hello-world/ class="left arrow">←</a> | ||
| <a href=# class=top>Top</a></div></main><footer><span>© <time datetime="2024-03-13 13:14:27.576169697 +0000 UTC m=+0.047609421">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> | ||
| <a href=# class=top>Top</a></div></main><footer><span>© <time datetime="2024-03-13 13:17:30.7804098 +0000 UTC m=+0.044171472">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> | ||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,2 @@ | ||
| <!doctype html><html lang=en-us><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Tags · tedmdelacruz</title> | ||
| <link rel=stylesheet href=/css/style.css><link rel=stylesheet href=/css/fonts.css><link rel=stylesheet href=/styles.css><link rel=icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/images/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/images/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/images/apple-touch-icon.png><link href=/tags/index.xml rel=alternate type=application/rss+xml title=tedmdelacruz><script src=/js/darkmode.js></script></head><body><nav class=nav><div class=nav-container><a href=/><h1 class=nav-title>tedmdelacruz</h1></a><ul></ul></div></nav><div id=darkModeToggle onclick=toggleDarkMode()>◐</div><main><h1>Tags</h1><div class=catalogue><ul></ul></div><div class=pagination><span>1</span></div></main><footer><span>© <time datetime="2024-03-13 13:14:27.57324935 +0000 UTC m=+0.044689084">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> | ||
| <link rel=stylesheet href=/css/style.css><link rel=stylesheet href=/css/fonts.css><link rel=stylesheet href=/styles.css><link rel=icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/images/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/images/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/images/apple-touch-icon.png><link href=/tags/index.xml rel=alternate type=application/rss+xml title=tedmdelacruz><script src=/js/darkmode.js></script></head><body><nav class=nav><div class=nav-container><a href=/><h1 class=nav-title>tedmdelacruz</h1></a><ul></ul></div></nav><div id=darkModeToggle onclick=toggleDarkMode()>◐</div><main><h1>Tags</h1><div class=catalogue><ul></ul></div><div class=pagination><span>1</span></div></main><footer><span>© <time datetime="2024-03-13 13:17:30.778496615 +0000 UTC m=+0.042258287">2024</time> . Made with <a href=https://gohugo.io>Hugo</a> using the <a href=https://github.com/EmielH/tale-hugo/>Tale</a> theme.</span></footer></body></html> |