Home
Cancel

centered image

Who Am I?

Hello There ^_^ .
In few words. I’m Meshal AlMansour AlYami, A passionate RedTeam Operator who’s trying to improve his skills day by another. For me Cybersecurity isn’t just about a job or even an engagement to be done. It’s passion , happiness, enthusiasm, mentality and much more. Sometimes I wish my day was longer than 24hrs just to stay in front of my computer and do CyberSecurity stuff (Because simply this is the thing that I like). I believe that (The sky isn’t the limit for me. NOTHING IS). Scroll down to figure out some of my achievements that I’ve done within about 3 years of experience.

WORK EXPERIENCE:

  • VAPT Consultant @ Cyberani since - (Oct, 2023)
    • Building new services such as Source Code Review and Red Teaming services.
    • Implementing penetration testing and vulnerability assessment automation tools and processes.
    • Conducting web applications, network penetration tests for Cyberani Clients.
    • Performing vulnerability assessments for Cyberani Clients.
    • Organizing Cyberani CTF competitions for events such as LEAP
  • Penetration Tester @ Ministry of Communications and Information Technology of Saudi Arabia (Feb, 2022 - Oct, 2023)
    • Conducting web applications, network and mobile applications penetration tests
    • Research, evaluate, document and discuss findings with responsible teams including but not limited to [ITsec, System, PMO, infrastructure and network teams]
    • Following up and re-test(validate) any submitted reports in order to make sure that the countermeasures have been done properly.
    • Completing Essential Cybersecurity Controls (ECC) PT requirments
    • Simulating the adversary most recent attacks/techniques
    • Research, evaluate, document and discuss findings with responsible teams including but not limited to [ITsec, System, PMO, infrastructure and network teams]
    • Source Code Review
    • Review and provide a feedback for some GRC requests from a PT/VA perspective.
    • Keeping up to date with recent vulnerabilities and validate/report them to the responsible teams.
    • PT Training for MCIT cybersecurity department trainees
  • Penetration Tester @ Synack since (Synak RedTeam Member) - (Part Time)
    • Conducting web applications white/black box tests

COURSES & CERTIFICATIONS:

  • Offensive Security Web Expert (OSWE)
    Offensive Security
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
    SANS Institute
  • Exploit Researcher and Advanced Penetration Tester (GXPN CTF Coin - 1st place)
    SANS Institute
  • Web Application Penetration Testing eXtreme (eWPTXv2)
    eLearnSecurity
  • Offensive Security Certified Professional (OSCP)
    Offensive Security
  • Web Application Penetration Testing (eWPT)
    eLearnSecurity
  • TOEFL iBT Test
    ETS TOEFL (Score: 71)

CVEs

  • CVE-2023-4059:
    The function wppb_create_form_pages that’s being hooked to the admin_init action is accessible to un-authenticated end-users due to the lack of proper authorization checks which allow threat actors to create/publish [Register/Edit Profile/Log in]
    CVE-2023-4059
  • CVE-2021-3138:
    Discourse 2.7.0 - Rate limit Bypass which leads to 2FA Bypass
    CVE-2021-3138
  • CVE-2021-31760:
    Webmin 1.973 - Exploiting a Cross-site request forgery (CSRF) attack to get a Remote Command Execution (RCE) through the Webmin's running process feature
    CVE-2021-31760
  • CVE-2021-31761:
    Webmin 1.973 - Exploiting a Reflected Cross-Site Scripting (XSS) attack to get a Remote Command Execution (RCE) through the Webmin's running process feature
    CVE-2021-31761
  • CVE-2021-31762:
    Webmin 1.973 - Exploiting a Cross-site request forgery (CSRF) attack to create a privileged user through the Webmin's add users feature then getting a reverse shell through the Webmin's running process feature
    CVE-2021-31762

Acknowledgments

  • King Fahd University of Petroleum and Minerals:
    KFUPM

Researches/Articles

  • CVE-2024-25600 PoC:
    0 click Pre-auth RCE in Bricks theme for WordPress [used by +25,000 websites]
    CVE-2024-25600 PoC
  • CVE-2023-3124 PoC:
    0 click auth-RCE in Elemntor-Pro Plugin for WordPress [used by millions of websites]
    CVE-2021-3138 PoC
  • The story behind CVE-2023-4059:
    The function wppb_create_form_pages that’s being hooked to the admin_init action is accessible to un-authenticated end-users due to the lack of proper authorization checks which allow threat actors to create/publish [Register/Edit Profile/Log in].
    The story behind CVE-2023-4059
  • Dependency Confusion:
    In this Article I illustrated how we could done a supply chain attack through what's called Dependency Confusion attack [Dependencies, Package Manageers, Private/Public registries, DNS Exfiltration]
    Dependency Confusion
  • Debugging JS Based Web Apps Locally:
    In this Article I introduced how debugging could be done using VSCode by debugging a basic NodeJS based app to illustriate different featers of VSCode
    Debugging JS Based Web Apps Locally
  • Auth Stored XSS Affects ALL Drupal Core Versions:
    In this Article I demonestrated my latest finding in Drupal [Authenticated Stored XSS Affects All Drupal Core Versions] then [1-Triggering the vulnerability (Basic POC), 2-Uploading SVG File Using Python, 3-XSS to Bypaass the Anti-CSRF Token Using XMLHttpRequest (XHR), 4-Escalating Our Privilage to Administrator Using XMLHttpRequest (XHR)]
    Auth Stored XSS Affects ALL Drupal Core Versions
  • JSON Web Key Sets Spoofing (JWKS Spoofing):
    In this Article I described [ What's JWK & JWKS?, jku Header, JWKS Spoofing Attack (Blackbox Approach), Challenge (Whitebox Approach).
    JSON Web Key Sets Spoofing (JWKS Spoofing)
  • Detailed Static/Dynamic analysis for(CVE-2022-21661):
    In this Article my team and I approached the discovering/exploiting for the SQLi in the core of Wordpress (CVE-2022-21661) Statically/Dynamically using VS Code. We also wrote a custome plugin to do the 2nd part
    Detailed Static/Dynamic analysis for(CVE-2022-21661)
  • Infiltrating CS Beacon throughout different mediums [SMTP Server’s Banner, HTTP Response Header and DNS TxT Record]:
    In this Article my team and I took a step towards an Infiltration technique that would make it a bit more complex to be detected.
    Infiltrating CS Beacon throughout different mediums
  • Out Of Band technique - DNS Exfiltration:
    In this Article I illustrated [ Blind Command Injection ( White Box ), Blind Command Injection ( Black Box ), Out Of Band technique, DNS Exfiltration, Burb Collaborator, AWS ( EC2 , inbound rules ) +Godaddy, Tcpdump, Responder.py and Bind9 DNS Server ]
    Out Of Band technique - DNS Exfiltration
  • The journey from (.apk) to Account TakeOver:
    In this Article I stated my jouney that endup with getting full acount TakeOver in android's app [ SSL Pinning Bypass > Network Traffic Analysis > Basic Dynamic Analysis(Genymotion, adb, Frida, Objection) > Basic Static Analysis( Jadx-GUI ) > Weak Encryption Algorithm > Password Generator(Crunch + Cusom Java script) > Account TakeOver ]
    The journey from (.apk) to Account TakeOver
  • Referrer Header Bypass > CSRF > Running Process endpoint > RCE > 0days > 3 CVEs > Webmin HOF:
    In this Article we illustrated how did we approach our findings in Webmin
    Webmin's Write-up
  • Recon > Code Review > 0day > CVE-2021–3138 > Apple HOF:
    In this Article I illustrated how did I approach my finding in Apple
    Apple's Write-up
  • Broken Links Hijacking ( BLH ):
    In this topic I talked about chaining Sub domain TakeOver with External File Hijacking ( BLH attack ) to get XSS
    Broken Links Hijacking
  • DNS A record’s Subdomain TakeOver:
    I saw alot of misconceptions about Sub-domains TakeOver and it's only about CNAME dns record so in this topic I did a POC in DNS A record’s Subdomain TakeOver
    DNS A record’s Subdomain TakeOver
  • How one researcher got 37500 RS from Facebook:
    I described here how one researcher was acknowledged by Facebook for finding SSRF
    SSRF in Facebook
  • Local Route Poisoning:
    Jmes Kittle introduced one type of host header injections which's Local Route Poisoning so What's Local Route Poisoning ? and how we can use it to bypass security checks such as Forbidden
    Local Route Poisoning

PERSONAL PROJECTS:

  • Sub Search v1.0
    A tool that automates the process of Getting all levels of subdomains that have A dns record by brute-forcing forward DNS lookup (recursively)
  • Sub_Analyser v1.0
    A tool that automates the process of testing web applications against Sub-Domain TakeOver vulnerabilities based on the CNAME DNS record
  • Shell Escaper v1.0
    A tool that automates the process of extracting the Shell Escape Sequences for Binaries with Setuid bit and Sudo out of GTFOBins with three different ways both locally and remotely
  • Redirecter v1.0
    A tool that automates the process of testing web applications against Open Redirection vulnerabilities
  • JS Scrapper v1.0
    A tool that automates the process of extracting JS files out of each URL provided within the provided urls list
  • SQLi_Checker v1.1
    A tool to automate the process of testing web applications against different SQLi types > Get method > based on (known) payloads list with more features than SQLi_Checker v1.0 such as (Testing By IP , dork or collected urls ) & 4 Types of Blind SQLi
  • SQLi_Checker v1.0
    A tool to automate the process of testing web applications against different SQLi types > Get method > based on (known) payloads list

Competitions:

  • First place ( 1st ) in Saudi Aramco CyberSecurity Chair 2021 with my team ( Potato )
    Saudi Aramco CyberSecurity Chair CTF was to all cybersecurity students and recent graduates in SaudiArabia where 170 teams have participated from 41 different universities with a total of 807 compititors
  • First place ( 1st ) in CyberTalents Saudi Arabia National CTF in Finals with my team ( PeakyBlinders ) - 2021
    Got qualified for the Arab and Africa Regional CTF ( among more than 25 countries)
  • First place ( 1st ) in Watad CTF 2021 ( PeakyBlinders )
    Watad's CTF was to all cybersecurity engineers & pentesters in SaudiArabia where 42 teams have participated with a total of 100+ compititors
  • First place ( 1st ) in CyberTalents Saudi Arabia National CTF Qualification round 2020
    Individually
  • First place ( 1st ) in Cyber Hub universities CTF 2020 with my team ( BloodHunters )
    Among ( more than 35 universities , 2000 students and 480 teams )
  • First place ( 1st ) in Cyber Hub universities CTF 2021 with my team ( BloodHunters )
    2nd version
  • First place ( 1st ) in CyberTalents Saudi Arabia National CTF in Finals with my team (k$a)
    Got qualified for the Arab and Africa Regional CTF ( among more than 20 countries )

POCs & Automation

Accounts


Images

eWPTXv2
Apples's HOF
CVE-2021-3138
CVE-2021-31760
CVE-2021-31761
CVE-2021-31762
Webmin HOF.png
General_Electric HOF
Ministry of National Guard
KFUPM
Shell
Shell
eWPT
Python
Principles of Project Management
CyberHub2020-BloodHunters team
CyberHub2021-BloodHunters team
Watad's CTF
CyberTalents's CTF 2021
Saudi Aramco Chair's CTF 2021
CyberTalents(1st)-individually
CyberTalents(1st)-k$a team
Sub_Search
JS_Scrapper_Output
Shell_Escaper-Output
Sub_Analyser_Output
SQLi_Checker1.1_Output
SQLi_Checker1.0_Output
My Twitter account
My GitHub Page
My Exploit-db Page
My YouTube Channel