My entire list of writeups from beginner level CTFs to HackTheBox machines
Flag count: 61
HackTheBox 04 December 2020
Windows boxes seem to be more intimidating than Linux boxes to me, and this one is no different. This machine however is quite straightforward, which makes the process supposedly straightforward. There are a lot of failed attempts I didn’t write here, but if we look at the big picture, it’s quite similar to Linux: exploit a public facing service to get a foothold, do some lateral movement (this box doesn’t have that), and escalate privileges by exploiting a service only available locally. It’s CVE all the way just like in other easy rated Linux boxes; this box teaches you more on how to get things working when we’re attacking on a Windows environment.
HackTheBox 01 December 2020
This is a pretty interesting box, some say it’s super CTF-like, some say it’s super realistic; the point is that this machine is quite different. The big difference is that there are scripts that act as humans. In the foothold stage you have to learn the basics of phishing emails in a technical way. The user is also quite fun as you have to make your own python package and get code execution upon installation of your malicious package. Root is pretty disappointing not gonna lie, but foothold and user are already jam packed so it’s alright.
HackTheBox 12 November 2020
Tabby starts off with what looks like a simple default page of a service, but then you have to learn a bit about the administration of this service. User can be pretty tricky, you need to get curious yet still stick with the fundamentals. Root is also really new: start off with a simple red flag from your enumeration script of choice, and then google away.
HackTheBox 18 October 2020
Blunder is quite an interesting box because it’s got a bit of “mindgames” in it, maybe it was just for me as this was one of my first boxes on htb. In the foothold stage, there was a step where you had to either guess, or just know what to look for since it’s a bit of a trend on easy boxes. For the user part it’s the usual scrounging for database passwords. There are screenshots involved here too; they were hinting at 2 different exploits, one of them being the way to root, and the other I’m guessing is a rabbit hole.
HackTheBox 11 October 2020
Cache is a nice practice on enumerating and chaining multiple exploits together, it’s one of those boxes where getting a foothold is the toughest part so you really have to enumerate properly. User is quite common, it’s a bad habit of password recycling. For exploiting root, I learned how to talk to a service called memcached, which feels like you’re talking to a web API but in a much simpler way, and then you basically enumerate the data this service has, and then you’ll get another user’s password which then you can use to gtfo.
HackTheBox 28 September 2020
Admirer starts off looking like an easy box, some say it is, some say it’s supposed to be medium, I just say it forces you to properly fuzz webapps. Then it also ends with a privesc vector that isn’t just a straight up CVE, one that forces you to properly read manuals and think of flaws in certain configurations.
HackTheBox 19 September 2020
My first Windows box. Getting foothold was about enumerating an NFS mount containing a backup of the webapp being run and looking for more than just config files. User was found from enumerating software version, finding a CVE, then running it. Root is about finding CVEs again, but not directly into code execution, rather we just get credentials, and then we stuff those credentials. I learned a ton of new things during the privesc part as there was a lot of difference from Linux machines.
Compfest 12 August 2020
First off is to google about graphql and learn the basics about it, and after that, we can try to give it a simple “introspection query”, which acts like a...
Compfest 10 August 2020
Let’s decode the jwt to see what’s in it, I used jwt.io. Now we have some targets payload to tamper, we obviously want is_admin set to true, username we can...
HackToday 09 August 2020
We tried to give random stuff to both pages, preview.php and submit.php. preview.php just previews the message, as expected; submit.php gives us a hint that an admin will view the...
HackToday 09 August 2020
After doing it a couple more times, it turns out that the answer is always the same depending on the capital letter. Like in the example, letter N will always...
HackToday 09 August 2020
From the source we know: we have a time limit of 10 secs; our winning chance for every bet is about 56%; we get 1k money upfront for free; we...
HackTheBox 31 March 2020
Protected post, you may read this post if you have the flag. Sorry about that
Unity (UNY) 15 March 2020
Looking at the source doesn’t tell us anything. So I googled “static webpage ctf wu”, after reading through it a bit I read this line: checked all the requests So...
Unity (UNY) 15 March 2020
I accessed the file in the hint immediately, and found some filters. Don’t know what that’s about so let’s get back to main page and click something (Warning: weeb )....
Unity (UNY) 13 March 2020
We have to get through the 4 filters: if(strlen($p) > 15) (14 chars max); if(preg_match('/\s/', $p)) (no whitespaces); if(preg_match('/[\'"]/', $p)) (no ' and "); if(preg_match('/(sys|exec|file|pass)/i', $p)) (must not contain sys,...
overTheWire 09 March 2020
No source this time, but I think it’s another session id brute force. So let’s take a look at the request in burp. We can see that we’re always given...
overTheWire 06 March 2020
Let’s look at the “source” (btw I prettified it a bit because it was so hard to look at and was causing errors). <? $maxid = 640; // 640 should...
overTheWire 06 March 2020
Let’s see if the source code is the same as well. <? /* CREATE TABLE `users` ( `username` varchar(64) DEFAULT NULL, `password` varchar(64) DEFAULT NULL ); */ if(array_key_exists("username", $_REQUEST)) {...
overTheWire 05 March 2020
Let’s look at what’s filtered. <? $key = ""; if(array_key_exists("needle", $_REQUEST)) { $key = $_REQUEST["needle"]; } if($key != "") { if(preg_match('/[;|&`\'"]/',$key)) { print "Input contains an illegal character!"; } else...
overTheWire 04 March 2020
Let’s look at the source. <? /* CREATE TABLE `users` ( `username` varchar(64) DEFAULT NULL, `password` varchar(64) DEFAULT NULL ); */ if(array_key_exists("username", $_REQUEST)) { $link = mysql_connect('localhost', 'natas15', '<censored>'); mysql_select_db('natas15',...
overTheWire 29 February 2020
Actually I’m just gonna guess this is basic SQL injection and it actually is, so inputting " or 1# in the username immediately gives you the flag. But that’s no...
overTheWire 28 February 2020
Let’s look at the source (which is pretty similar to the previous level). <? function genRandomString() { $length = 10; $characters = "0123456789abcdefghijklmnopqrstuvwxyz"; $string = ""; for ($p = 0;...
overTheWire 28 February 2020
Let’s look at the PHP source of the page. <? function genRandomString() { $length = 10; $characters = "0123456789abcdefghijklmnopqrstuvwxyz"; $string = ""; for ($p = 0; $p < $length; $p++)...
overTheWire 28 February 2020
Let’s take a look at the source (no screenshot this time because it doesn’t fit). <? $defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff"); function xor_encrypt($in) { $key = '<censored>'; $text = $in;...
overTheWire 28 February 2020
Let’s take a look at the source. <? $key = ""; if(array_key_exists("needle", $_REQUEST)) { $key = $_REQUEST["needle"]; } if($key != "") { if(preg_match('/[;|&]/',$key)) { print "Input...
overTheWire 27 February 2020
Let’s take a look at the source code. <? $key = ""; if(array_key_exists("needle", $_REQUEST)) { $key = $_REQUEST["needle"]; } if($key != "") { passthru("grep -i $key...
overTheWire 27 February 2020
Let’s take a look at the source code. <? $encodedSecret = "3d3d516343746d4d6d6c315669563362"; function encodeSecret($secret) { return bin2hex(strrev(base64_encode($secret))); } if(array_key_exists("submit", $_POST)) { if(encodeSecret($_POST['secret']) == $encodedSecret) { print...
overTheWire 26 February 2020
Upon clicking on one of the links, we notice that we’re not moving to another file, instead we just sort of include another file into the current file. Notice in...
overTheWire 26 February 2020
If you put a random string in, it just says “Wrong secret”, so let’s look at the source. <? include "includes/secret.inc"; if(array_key_exists("submit", $_POST)) { if($secret ==...
overTheWire 25 February 2020
If you’ve coded some basic website that has a login feature, you’d know that the question “are we logged in?” is answered by our cookies, which we can edit freely....
overTheWire 25 February 2020
Let’s take a look at the page. We see a link to /index.php let’s follow it. Now the text on the webpage changes. It says we’re visiting from http://natas4.natas.labs.overthewire.org/index.php, so...
overTheWire 25 February 2020
This is more of a “theory” kind of challenge, we got a hint when we inspect the page. We have to know how google does its job of indexing webs,...
overTheWire 25 February 2020
First we inspect the page. Turns out there is something in the page, we see that there’s an image file located at <website>/files/ named pixel.png, if we take a look...
overTheWire 25 February 2020
No it’s not. If it is, then we can use the “view source” shortcut which is ctrl+u, or the “inspect” shortcut which is F12.
overTheWire 25 February 2020
We can right click, then “inspect” the page or “view source”, and the flag is in an HTML comment tag.
overTheWire 17 February 2020
Connect with ssh with the ssh command: ssh bandit0@bandit.labs.overthewire.org -p 2220. Input password bandit0, then cat the readme file.
petircysec 15 February 2020
Let’s try and “translate” this asm into a high level language, I’m going to use python. First we look at the asmathic: section and see what it does, looks like...
picoCTF 2019 14 February 2020
First let’s see if we do strings on the file. Well, not the flag, but could be something, now let’s open it up in wireshark. We look at “Statistics >...
picoCTF 2019 13 February 2020
There are 2 ways I found to solve this problem. First one, open up the image in stegsolve.jar (can be found here), scroll through some color planes and you’ll see...
picoCTF 2019 12 February 2020
First we ssh into the server and run gdb to find out where the flag() function is located in the stack: (gdb) x flag 0x80485e6 <flag>: 0x53e58955 Back to our...
picoCTF 2019 12 February 2020
The key is to not overthink it, I googled a bit and found this, now we have a shellcode written as a string. \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80 If we try and feed it...
Exploit.Education 11 February 2020
Since all we need to do is to change the modified variable, we can input 65 chars to fill up the buffer[64] variable, then we will have 1 char leftover...
Exploit.Education 10 February 2020
Remember the first technique in stack6 ? The one where you “return twice” ? Turns out that is actually ret2.text which is what is needed to solve this problem, as...
Exploit.Education 09 February 2020
We first try to trigger SIGSEGV. Let’s run the program in gdb and give it our alphabet; first let’s make the alphabet. user@protostar:~$ echo "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ" > alphabet.txt Now we feed...
Exploit.Education 08 February 2020
We will first find where the pushed eip is located (find the offset), let’s use our alphabet string again: (gdb) r Starting program: /opt/protostar/bin/stack5 AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ Program received signal SIGSEGV, Segmentation...
Exploit.Education 07 February 2020
This solution will consist of 2 parts: a failed attempt, and a successful attempt due to information gained after the failed attempt. First I went into gdb to find out where win() is...
Exploit.Education 06 February 2020
I learned how to redirect a file as “input from stdin” to a program opened in gdb and find the location of a function in the stack after watching this...
Exploit.Education 05 February 2020
I managed to solve this after watching this video (highly recommended that you watch this first) a couple times, I will be using the gdb debugging technique as demonstrated in...
Exploit.Education 04 February 2020
We already know that we can overwrite the value of modified by filling up buffer[64], so by looking at the source, it shows that we have to change the value...
Exploit.Education 03 February 2020
Since all we need to do is to change the modified variable, we can input 65 chars to fill up the buffer[64] variable, then we will have 1 char leftover...
picoCTF 2019 30 January 2020
Looking at the source, we see the buf[128] variable, this will be the variable that we overflow. So we run the program with an argv[1] bigger than 128. Here I...
picoCTF 2019 17 January 2020
We have a jpg file, given the hint, let’s try hexdump to dump the hex of the file. hexdump -v garden.jpg ... 00230540 ee ef 53 ae 86 20 31...
picoCTF 2019 17 January 2020
We have a set of numbers with a { and } among them. Seems to be the flag but in integer form. Since the hint is that the chars are...