C R E A T E & D E S T R O Y

Photobomb | Hack The Box

Our initial results, we get domain (photobomb.htb) and an open SSH port. The web server gives us this – it displays whatever URI you enter, it may be vulnerable – we’ll test while we enumerate directories and vhosts. While browsing with burp we see a few .js files we can enumerate and inside find some […]

hoax

February 6, 2023

Bash, CTF, HackTheBox, Writeup

relative path, ruby, setenv

Metatwo | Hack The Box

Port 21 is interesting, nmap thinks it’s an FTP service but we can’t get anything back from it, so will try to look at the web app. It’s quickly evident that it’s a Word Press website and WPScan reveals that it’s quite out of date. A link on the home page takes us to /events/ […]

hoax

February 6, 2023

CTF, HackTheBox, Writeup

cve, enumeration, wordpress, xxe

Ambassador | Hack The Box

Straight off the bat we get a username from the web server. We see from the website source it’s running Hugo 0.94.2, “a static HTML and CSS website generator written in Go”. There’s no immediately obvious CVE so will carry on. There’s not a lot else obvious here, so next we look at port 3000 […]

hoax

February 6, 2023

CTF, HackTheBox, Writeup

chisel, consul, enumeration, sql

UpDown | Hack The Box

A common theme, not much to go off from the first scan. We’ll poke at the web app while we do an all ports scan. We find a website checker, which does attempt to connect out – that’ll be something to dig into. Debug mode also dispalys whatever is on the page; sadly only displays […]

hoax

February 6, 2023

Uncategorized

Basic ELF Shell | PwnTools

While doing the HTB Fortress JET I am required to overflow a vulnerable binary named leak. With limited BOF experience (strictly to Immunity Debugger) I decided this is a good time to learn how to use PwnTools. Every time we run the binary, it gives us a different memory location. We see here with a […]

hoax

November 18, 2022

Python

bufferoverflow, pwntools

VulnNet: Endgame | TryHackMe

The end of the VulnNet series. Not a lot open. We’ll start gobuster and poke at the web app, we find out we need to add vulnnet.thm to /etc/hosts. Gobuster doesn’t find much initially but Ffuf finds a few subdomains, so we’ll keep digging. We discover that blog.vulnnet.thm is running Typo3 CMS. There appear to […]

hoax

November 4, 2022

CTF, TryHackMe, Writeup

openssl, sqli, Typo3

VulnNet dotjar | TryHackMe

Straight off the bat it appears the server will be vulnerable to GhostCat (Tomcat 9.0.30) so we’ll hop into Metasploit and see if there’s a module we can use. We get some creds for Tomcat manager, so let’s see if we can log in. We can’t, however using this creds we can log into the […]

hoax

October 23, 2022

CTF, TryHackMe, Writeup

ghostcat, metasploit, tomcat

Late | Hack The Box

Out of the blocks we don’t really have a lot to go off, so straight to the web app to see if we can break something. We’re given a subdomain (images.late.htb) from the landing page so we’ll have a look. If we try to bypass the filter by renaming a php.jpg we get the following […]

hoax

October 21, 2022

CTF, HackTheBox, Writeup

chattr, ocr, ssti

VulnNet: dotpy | TryHackMe

Well, there’s only one place to start… Straight in with a login, we’re allowed to create a user and log in to view the dashboard for StarAdmin. After browsing around and finding the server likes to block certain characters, we find it’s vulnerable to SSTI We discover there is a filter in place to block […]

hoax

October 8, 2022

CTF, Python, TryHackMe, Writeup

jinja2, setenv, ssti

VulnNet | TryHackMe

Initial nmap results, let’s head to the web server… In one of the Javascript files we find reference to http://broadcast.vulnnet.net so let’s add that to /etc/passwd and see what’s there. We get thwacked with a basic authentication screen and it doesn’t seem so easy to bypass. Will return to the web server and see what […]

hoax

October 5, 2022

CTF, TryHackMe, Writeup

lfi, php, tar, wildcards