  • Traceback Hack The Box
    HTB Writeups

    Traceback Writeup – Hack The Box

    Initial Foothold: As usual, the first thing to do when starting on a new box is to run a scan and see what we have to work with. As you can see from the image above, we have two ports open: port 22 and port 80. Let's take a look at what port 80 has to offer. Looks like a webpage without any links. My next step was to check the source code of the page. From this we can take away that there is a backdoor left open and that the hacker name is Xh4H. So Google, here I come. Google led me to a Twitter post which led me…

  • Blunder Hack The Box
    HTB Writeups

    Blunder Writeup – Hack The Box

    Initial Foothold: Hello everyone. Today we are going to work on Blunder. As always, the first step is recon! Time to see what ports we have open on that box. In the picture below you can see the nmap command I used. Well, we have only one open port, and that is port 80. This scan also shows us the server version and some headers. Usually when I am on a box with port 80 open I like to visit the page and see what it contains. OK … that is what we have. A page with articles. By clicking on the links we just go to more detail…

  • HTB Writeups, Internet Security

    Protection ByPass and Brute Force attack – Bludit v. 3.9.2

    So this post will describe how to bypass the protection in Bludit CMS v. 3.9.2, that is, if you have a username. After managing to find the password I will discuss which Metasploit module can help you get a reverse shell. So, let's begin. If we check the documentation that Bludit provides we can see how they are preventing brute force attacks. Here is a screenshot and the link if you want to read through the whole documentation. https://docs.bludit.com/en/security/brute-force-protection After some googling I found a script that I just edited. I will post the script here and the link to the original article. https://rastating.github.io/bludit-brute-force-mitigation-bypass/ What you will need to…

  • Internet Security

    Reverse Shell vs Bind Shell

    Reverse Shell Hello guys and girls. This post will just explain the difference between these two types of shell. In a later post I will provide a demo that you can follow along with. This shell is initiated from the target host to the attacker's machine. The attacker's machine should be in a listening state to be able to pick up the shell connection. Why use a reverse shell and not a bind shell? Well, reverse shells solve several issues that can be encountered. With reverse shells there is no need for a listener on the target machine. This type of shell can use commonly used and open ports like 80 or 443 –…

  • VirSecCon2020

    Catalias – #Virseccon2020

    This was a fun challenge, just because I didn't pay attention in the beginning. To start, log in with the provided credentials. After logging in, of course I used “ls” to see what I have in the current directory. Oh … the flag is here. That looks too easy, but let's use “cat” to see what the content of the file is. Shit…. nothing is happening. How can I view the file? Now … when doing CTFs usually there is a clue in the name of the challenge. This one is called Catalias – “cat”, “alias”. Let's list the aliases to see what we are working with. As you can see from…

  • VirSecCon2020

    Hidden – #Virseccon2020

    This was an interesting small challenge. We have been given the password to ssh into the machine. After we do, of course we would like to run the “ls” or “ls -al” commands to see what we have in the current directory. Oh wow, a directory with the name secret. Let's cd into that folder. Oops, we can't! This command tells us something important. We are working in “restricted bash”. Please see the image below. Now it is a matter of knowing how to escape that. A simple Google search can give you the result. As always I will post a link at the end of the article.…

  • VirSecCon2020

    PHPJuggler – #Virseccon2020

    For this challenge, the initial start is pretty obvious, or at least I think so. The first thing we see when we load the webpage is the image that you see above, which contains two pieces of code. That's our first clue. The second clue is the name of the challenge. So let the research start. I will not go into detail and will just show you the solution; however, I will post links at the end of this post so you can read for yourself and understand what it is and how it works. When I do web challenges I like to examine the page. As I mentioned above we…

  • VirSecCon2020

    Magician – #Virseccon2020

    Wow, let's do some magic! For this challenge we are presented with an input field, a submit button and some kind of comparison in the button. I will go through my thought process instead of going directly to the solution, because I think some of the things I did can be used in enumeration in the future. First I took a look at what 0e953532678923638053842468642408 is. I used the Hash Analyzer provided by https://www.tunnelsup.com/hash-analyzer/ The result was that this hash is an MD5 or MD4. Because we see the ‘ == ‘, that means that some comparison will be done. After playing with the input I discovered that there is a function…

  • VirSecCon2020

    HotAccess – #Virseccon2020

    We are greeted with a page talking about modules. The recon part was clicking the two provided links and checking what changes. Then I noticed this. My first thought was: can I get somewhere else in the dir? Yes I can. I used the Repeater in Burp again to explore this. Can we view the password file in /etc? Yes we can! That means I can traverse directories from the URL, and that is awesome! After some trial and error I found the correct file to be checking (.htaccess). Oh, look what we have here in the response! Let's put that directory in the URL and see what happens.…

  • VirSecCon2020

    Countdown – #Virseccon2020

    By the name of the challenge we can guess that the solution will involve some kind of time. We don't have much to go on in the beginning. We have a webpage with a button on it. When we click the button we are sent to another page that says the thing has exploded. How did I approach this? Use Burp Suite to intercept the GET request. If we examine this screen we can see that the name of the cookie is pretty specific (“detonate_time”), and as I mentioned in the beginning, in my head the solution had something to do with timing. If we click on the…