Posts with the tag notes:
In late September I reported an unauthenticated SSRF I’d found on Office.net to MSRC, only to receive a response that said I had included no reproduction steps, and therefore the report was invalid and would be closed.
Obviously, the report had reproduction steps. So I replied, directing them to the report (which included reproduction steps), and was met with the same response. The report was closed, and I was pretty miffed.
Had a few questions lately at work about recon: what it looks like, how people do “discovery”, and what that entails. There are some awesome posts like this one and this one which have great resources, so I usually send these over to people along with various tips and tricks. Through the years though, some of my favorite resources haven’t stood the test of time and 404 or time out. So, I’ll now add to the information vacuum.
CVE-2023-34360 - Stored XSS in Custom UserIcons
Whenever I get really bored I just turn back to my little Asus routers and say “buggo create-o” and invariably I find some sort of issue. Today I’m writing about some stored XSS I came across, receiving CVE-2023-34360
I stumbled across some functionality recently that I didn’t realize was functionality: after clicking around a bit I clicked one of the little device icons and was surprised to find a file upload form:
ARM… wait no, an arm!
For the last 15 years I’ve identified myself as a climber, a boulderer at heart. I’ve spent a significant amount of my life pebble wrestling, with a good bit of sport climbing mixed in. Things changed this past September when I hit a not-so-rad jump on my mountain bike and got a grade 5 AC separation. Oops. This could be considered a catastrophic injury for a person such as myself to face.
vsftpd Fuzzing
Placeholder for some vsftpd fuzzing notes
This post is just a collection of my notes and experiences reversing, compiling and emulating Asus proprietary and Asuswrt-Merlin software, on an Ubuntu 20.04 box. It’s a bit of a pain, really; I thought it would be pretty easy, but everything’s been an issue, which is also what makes it sorta fun.
Worked primarily with https://github.com/RMerl/asuswrt-merlin.ng for the RT-AX88U router, but some binaries are just closed-source :/
Below are my old blog posts for the SLAE32 ‘certification’.
Task 1: ASM TCP Bind Shell
Requirements:
- Binds to a port
- Executes a shell on incoming connection
- Port should be ’easily’ configurable
I wrote a C bind shell based on other posts in order to better understand the requirements. In actuality, I wrote multiple as I found better ways of writing the same code, as one does. My final C file is below:
Walkthrough
Walkthrough of a CTF hosted by DC207 back in April 2020. It was a blast and I won!
Fun Fun Fun Fun
#1 If only it were that easy
Solve the puzzle for the solution:
yetz{lhfxpaxkxhoxkmaxvbiaxk}
It’s a Caesar cipher! ROT[ate]7!
flag{somewhereoverthecipher}
#2 Horse Meatballs
Attached is the clue. Decode the message; the flag is the name of the source of the content:
notavirus.wav
Hmm, well, since it’s not a virus I downloaded the file and opened it.