Lessons Learned from Pwning my University
Aaron Thomas

Bloomcon 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)

I found a shell injection vulnerability in an obscure page on my University's website. The shell only had read access, so I was mostly limited to getting confidential data. I found a textfile of bad words that you aren't allowed to use in names of some things. After poking my head around for a little I reported the bug. Because it was the ethical thing to do, not because all of my connections were over the school's wifi logged in as me from my MAC address.

I noticed some fliers on bulletin boards around campus that contained QR codes. Many of these bulletin boards people walk by frequently, but sometimes there's nobody around to see if someone is stealing a flyer and then putting one up with a different QR code. This is a really easy to execute social engineering attack: users will trust a QR code on a flier that looks 'legit', and it can be difficult to detect. Some uses include rickrolling people, taking them to the wrong website, taking them to a redirect page that executes malicious javascript in the browser and then redirecting, etc.


Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast