XposedAPI – Offsec Proving Ground Writeup

XposedAPI. This is one box where I found the official walkthrough a little bit ambiguous after I finished it. The guesswork on the request method to trigger the payload is too much guesswork (maybe just for me :D). So I present my own write-up to clear things up a…

WordPress 5.7.2 Classic Editor Potential XSS Vulnerability

I was doing a write-up of XposedAPI from Offsec Proving Ground, where I pasted some source code gathered during the process, and the code contains JavaScript code. The code is kinda like this (I have to manually replace < with &gt otherwise it executes…). &ltscript> function restart(){ if(confirm(“Do you really want to restart the app?”)){…

Dev Log – Don’t Miss a Thing (DMaT)

Background. It’s getting messy now that the warehouse has been separated to another location. We used to pack all the products right at the store. So when the sales assistants need to communicate with the delivery staff. The Problem: Phone Calls and Voice Messages. So, each time a sales assistant has got some information to inform the delivery…

Pentest – Case Studies

Boxes: HackTheBox Bounty Hunter. Overview: JS code used XML as a POST parameter to retrieve data from some source. It used the .val() method to get the value of user input. No sanitization was applied, thus highly vulnerable to XXE injection. Web Vulnerable Code: function returnSecret(data) { return Promise.resolve($.ajax({ type: "POST", data: {"data":data}, url: "tracker_diRbPr00f314.php" })); }…

Pentest/CTF Take-aways (search refs to change all broken refs)

Windows Active Directory. Ports 88 (Kerberos), 389 (LDAP), 636 (LDAP), 3268 (LDAP). SYSVOL content found: if SYSVOL content is found and GPP (Group Policy Preferences) is applied, there will be a Groups.xml file that contains credentials somewhere in the Policies directory. To find it use: find . -iname "groups.xml" GPP Password Hash found: use the gpp-decrypt tool to…

HackTheBox – Armageddon

Overview: Pretty simple box. Learn about Drupal exploits, SSH brute force, and snap privilege escalation. Solution. Recon. Nmap: First, nmap the target. Got ports 22 and 80 open. Try SSH to the box. The SSH banner reveals no useful information. Website: Check out the website. I tried to use a single quote in the login form to test…

Road to Pentest – INE Lab – Black Box 3

Lab Intro You have been engaged in a Black-box Penetration Test (172.16.37.0/24 range). Your goal is to read the flag file on each machine. On some of them, you will be required to exploit a remote code execution vulnerability in order to read the flag. Some machines are exploitable instantly but some might require exploiting…

Road to Pentester – INE Lab – Black Box 2

Lab Intro You have been engaged in a Black-box Penetration Test (172.16.64.0/24 range). Your goal is to read the flag file on each machine. On some of them, you will be required to exploit a remote code execution vulnerability in order to read the flag. Some machines are exploitable instantly but some might require exploiting…

Road to Pentester – INE Lab – Black Box 1

Lab Intro You have been engaged in a Black-box Penetration Test (172.16.64.0/24 range). Your goal is to read the flag file on each machine. On some of them, you will be required to exploit a remote code execution vulnerability in order to read the flag. Some machines are exploitable instantly but some might require exploiting…