
Hello everyone, in this post I will be sharing my writeup for the HTB Schooled machine, which was a medium Linux machine that involved two ports, SSH and HTTP. On port 80 there was an Apache server where an HTML template page was hosted. We found a domain name on that page, and after that we did some subdomain enumeration and found a moodle subdomain. After that, if we visit courses there, we’ll see an announcement telling that the teacher will look at our MoodleNet profile, so if we try to test for XSS we get a success, so we…


Hello everyone, in this post I will be sharing Offsec playground’s easy machine called Funboxrookie, which had FTP, SSH and HTTP ports open. On HTTP, an Apache web server was running which had nothing except the default page, while FTP had some password-protected zip files. One of them got cracked and gave us the SSH key, with which we can log in and get a shell. But there was a restricted bash, which we could bypass easily, and viewing the MySQL history revealed the user’s password, which we can use to get root.

NMAP

PORT   STATE SERVICE REASON         VERSION
21/tcp open…

Hello everyone, hope you are doing well. In this post I will be sharing my writeup for THM’s Fortress room, which was a medium Linux-based room. This room was a little challenging in that the foothold required some researching and thinking outside the box. There were 3 ports open on the machine: SSH, FTP, telnet and HTTP. Through FTP we can get a compiled Python 2.7 byte file that we can decompile by looking around for a script that can do that, which will present us with a Python file having username and…


Hello everyone, in this post I will be sharing my writeup for the HTB Unobtanium machine, which was a hard Linux box. After doing an nmap scan on the box, many ports can be seen; the Kubernetes API port was running on 8443, which the SSL certificate tells us. Visiting the web page gives us an option to download a Debian package which we can install, which is an Electron application for displaying messages. On unpacking the app.asar, which archives the source code, we can see how the application is working and where it’s making the request…


Hello everyone, in this post I will be sharing my writeup for the HTB Knife machine, which was an easy Linux machine but was a bit tricky to find the foothold on, as the web page didn’t have anything except for a static HTML page, so looking at the response headers revealed the PHP version, which was 8.1.0-dev …


Hello everyone, in this post I will be sharing my writeup for the HTB Love machine, which is an easy-level Windows box. It involved a web page which had an open source PHP voting system application which required admin user credentials, which we got from the subdomain we found from the SSL certificate. On that domain there was a file scanner application which was vulnerable to SSRF (Server Side Request Forgery); through that we can access what was running on the other HTTP port (port 5000), and through that we got the credentials of the admin user and logged in. After…


Hello everyone, in this post I will be sharing my walkthrough for Portswigger’s OS Command Injection, which was a really easy lab in which you have to find a point where you could chain OS commands together with parameters being passed to the shell.

OS command injection, simple case

This lab is about Operating System Command Injection, in which, if a web application is running an OS script or taking some arguments, we can try to include system commands that could compromise the server.

The description of the lab says that a command injection vulnerability exists in product…


Hello everyone, in this post I will be sharing my writeup for the HTB Notebook machine, which is a medium Linux box having 2 ports open, HTTP and SSH. On the web server we would see an application which involved having to register on the application. After signing up we can see that the application uses JWT for authentication, so after analyzing the JWT cookie we can see that it’s grabbing the kid (Key ID) from the localhost, so we can change it by generating our pair of keys and adding our IP address so it reaches on our…


Hello everyone, in this post I will be sharing my solution for the Portswigger XSS Lab 1, which is a very simple lab in which we have to trigger the reflected XSS by popping an alert dialog box.

Reflected XSS into HTML context with nothing encoded

In this lab we have to perform reflected cross-site scripting (XSS). First of all, XSS is a vulnerability in web applications that allows attackers to run JavaScript code on the application, which can lead to running any malicious script; generally they use this to steal cookies. …


Hello everyone, I hope you are doing well. In this post I will be sharing my writeup for an easy-level HTB machine called Armageddon. The machine had 2 ports open: HTTP, which was running Drupal 7 on an Apache server, and SSH. The foothold involved exploiting a vulnerability in Drupal called Drupalgeddon that allowed us to get remote code execution and get a reverse shell as a low-level user (apache). Through that we enumerated the users and found brucetherealadmin was a user. We also found MySQL creds, but the issue was we didn’t have a stabilized shell…

ARZ101

BS CS undergraduate | CTF Player
