Nithissh

Hacker • AppSec Enthusiast • Bugbounty

Featured

• Account takeover through login with OTP - Mars Bugbounty Program

  Published:Dec 13, 2023 |  at 12:00 AM

  How I was able to do an ATO on Mars Bugbounty Program through Login with OTP functionality

• SSTI leads to RCE - US dept of Defence

  Updated:Nov 25, 2022 |  at 12:00 AM

  Uncovers a critical Server-side Template Injection (SSTI) vulnerability (CVE-2022-22954) in VMware Workspace One and Identity Manager used by the US Department of Defense. Attackers can exploit this flaw to execute remote code. The article details the vulnerability's discovery, a proof of concept shared on Twitter, and the exploitation of US Department of Defense servers. The payload, including a base64-encoded command, triggers unauthorized code execution, highlighting the need for swift mitigation and responsible disclosure practices.

• Journey from an Unidentified Port to an OS Command Injection on TCL

  Published:Jul 15, 2019 |  at 12:00 AM

  Discovers an OS Command Injection vulnerability during the TCL bug bounty program on an unusual port—3000. Utilizing subdomain enumeration tools like amass and subfinder, he identifies a server misinterpreted as API documentation. Registering as a user, Nithissh explores the dashboard and exploits a screenplay functionality to execute JavaScript code, revealing system information.

Recent Posts

• Gandalf Lakera AI - Grandma, Grandson, and Prompt Injection Unveiled!

  Published:May 4, 2024 |  at 12:00 AM

  Gandalf - Lakera AI Prompt Injection Lab - Unveiling Passwords Through Roleplay! Learn prompt engineering and vulnerability with prompt injection techniques. Solve levels using roleplay scenarios to reveal passwords, advancing through challenges to uncover secrets and passwords.

• Reveal Hidden Files in Google Cloud Storage - Pwnedlabs walkthrough

  Published:Apr 23, 2024 |  at 12:00 AM

  This is exact replica of s3 bucket misconfiguration but in this scenario it happens in google cloud storage and you will learn gsutils, gcloud cli and alot more sometimes it feels like ctf may be

• Code Injection Vulnerability on Private BBP

  Published:Apr 11, 2024 |  at 12:00 AM

  From Finding a Foothold through a github and all the way goes to code injection vulnerability

• SSRF to Pwned - Pwnedlabs walkthrough

  Published:Feb 28, 2024 |  at 12:00 AM

  In this Blog, we will go enumeration process and also understand how we exploited this simple SSRF vulnerability