-
Basic ELF Shell | PwnTools
While doing the HTB Fortress JET I am required to overflow a vulnerable binary named leak. With limited BOF experience (strictly to Immunity Debugger) I decided this is a good time to learn how to use PwnTools. Every time we run the binary, it gives us a different memory location. We see here with a […]
-
VulnNet: Endgame | TryHackMe
The end of the VulnNet series. Not a lot open. We’ll start gobuster and poke at the web app, we find out we need to add vulnnet.thm to /etc/hosts. Gobuster doesn’t find much initially but Ffuf finds a few subdomains, so we’ll keep digging. We discover that blog.vulnnet.thm is running Typo3 CMS. There appear to […]
-
Late | Hack The Box
Out of the blocks we don’t really have a lot to go off, so straight to the web app to see if we can break something. We’re given a subdomain (images.late.htb) from the landing page so we’ll have a look. If we try to bypass the filter by renaming a php.jpg we get the following […]
-
VulnNet: dotpy | TryHackMe
Well, there’s only one place to start… Straight in with a login, we’re allowed to create a user and log in to view the dashboard for StarAdmin. After browsing around and finding the server likes to block certain characters, we find it’s vulnerable to SSTI. We discover there is a filter in place to block […]
-
VulnNet | TryHackMe
Initial nmap results, let’s head to the web server… In one of the JavaScript files we find reference to http://broadcast.vulnnet.net so let’s add that to /etc/passwd and see what’s there. We get thwacked with a basic authentication screen and it doesn’t seem so easy to bypass. Will return to the web server and see what […]
-
Open Source | Hack The Box
We’ll be starting with the web server then… Immediately we’re given an option to “Download the Source Code” which appears to be a docker image, and to test the upload functionality. There’s a .git so git branch shows us dev and public. Looking through git log dev we can see the commits and when comparing […]
-
Support | Hack The Box
Initial nmap results and looks like we’ve got a domain controller. We get nothing we don’t already know from the DNS server and it’s not vulnerable to anything I know of so on to enumerate SMB. At this stage the only folder we can get into as anonymous user is support-tools which contains a handy […]
-
RedPanda | Hack The Box
First nmap results, not a lot to go at other than to investigate the web app. If we hit search without anything in we get a bit of info about potential usernames. We can also quickly discover the search bar is vulnerable to SSTI: After following the HackTricks cheat sheet and googling the resulting error […]
-
Shoppy | Hack The Box
A few ports open, we’ll start with the web server. Nothing immediately interesting but a quick directory enumeration takes us to a login page. While fuzzing for subdomains I find mattermost.shoppy.htb but I am convinced it’s a rabbit hole so will leave it for now and return to the main index. After spending quite some […]