Learnings From My First Cybersecurity Job
ReadME!
Before you continue to read this blog, there are a few things I want you to understand: the thoughts and ideas presented in this blog are solely based on my experience and, more importantly, the kind of people I interacted with within the firm. It does not represent any particular employer, but rather experiences that any newcomer faces, ...
Hacking Razorpay Phishing Scammer
A skill to kill, a skill to save.
Background Story
I was recently on a trip when I got a message from Madhav Shah on LinkedIn about one of his friends getting scammed for 30k from a phishing website. At that time I could not look into it, since I had no access to my machine. In the meanwhile, Madhav went ahead and did some really good recon on ...
10x Hacking With Be10x
Three months ago, I made a post on LinkedIn on how I got unauthorised access to an account on the Skill Nation website maintained by Jatin Shah. If you don’t know him, he’s one of the guys whose ads run on your YouTube videos, where he talks about integrating AI with Microsoft Office and saving your ass from the AI revolution.
How it began?
Fast Forw...
PHP Type Juggling - Explained
Type juggling is one of the features of PHP that automatically detects the datatype of a given value. This blog discusses the hows and whys of type juggling and how hackers can abuse this feature to juggle past the admin login.
Introduction
In PHP, when defining variables, we don’t have to specify the data type; PHP itself decides the datatype...
ShellShock - Diving Deep Into The Shock
If you think getting a shell by adding some random characters to the User-Agent header is magic, it’s time for you to understand the trick.
Introduction
Shellshock, also known as the Bash bug, is a vulnerability in the bash shell that exists due to how bash processes environment variables when they are passed to a child process. When we refer ...
Hacking Into Your Medical History
The screenshots in this blog have been intentionally edited to protect the identity of the company and keep it confidential.
Backstory
A few days ago, I got a call from one of my relatives who got to know about my work. They were very fascinated by it and wanted to get an assessment done for their hospital. We discussed multiple types of assess...
Hacking The Salon Next Door
The target company has been informed multiple times about the vulnerability through various mediums, to which they have promptly replied with nothing. The only thing that’s left is to visit the physical office, but ehh, I am too lazy for that. But let’s not ruin a good story, right? Here’s how I hacked the salon next door.
The Haircut
After a ...
Taking Down Chinese Hackers
This is an ongoing effort to shut down people, evil people. I won’t really call it a typical investigation, but a simple effort to hack someone evil.
Backstory
Yesterday I received a forwarded SMS from one of my friends. The SMS asked the receiver to verify their WhatsApp account in 24 hours, and if the user fails to do so, their account would ...