Web Application

From Discovery to Disclosure: ReCrystallize Server Vulnerabilities

TL;DR – While on an assessment, I found an instance of ReCrystallize Server. It had many problems, some of which had to do with insufficient hardening on the client’s side, while others were new vulnerabilities I found that, when chained together, achieve Remote Code Execution (RCE). These vulnerabilities were disclosed to ReCrystallize Software and MITRE. Besides the disclosed vulnerabilities, some “features” were also used for malicious purposes. The replication and validation of the findings were done in my own test environment.

Being Stubborn Pays Off pt. 1 – CVE-2018-19204

Intro

During an internal assessment, I came across monitoring software that had default credentials configured. This monitoring software allowed for the creation of sensors, but none of them would allow for code execution or anything else that could compromise an underlying system. Turns out, it was a vulnerable version based on a publicly known CVE, but there was no public exploit code. Join me in this quest to build an exploit!