Sun, 08 Mar 2020 02:35:28 GMT
In this post, I’ll be describing how I found 5 bugs on a private HackerOne program. The website that I attacked was a new CTF hosting provider, and I had actually participated in a CTF using this provider prior to being invited to their private program. Please note that as the program is private, I can’t show the exact pages exploited, or show any of the exact code that I used to exploit them. Out of all bugs submitted, I believe that this had the highest severity.
Sun, 16 Feb 2020 15:50:19 GMT
Around 6 months ago, HMGCC released a challenge and offered a challenge coin to anyone who completed it. I started pretty late on, but managed to get it done in time. This consisted of 7 stages, ranging from reverse engineering to traffic analysis. At the time of writing, you can still have a go yourself here. Once on the dashboard, I was presented with the following: I downloaded the image, and spent a while trying every possible steganographic method of finding & extracting data on my site. This unfortunately didn’t lead anywhere.
Mon, 15 Apr 2019 20:47:42 GMT
At the end of March this year, [email protected] released a CTF in collaboration with BSides Orlando 2019. Our team ended up coming 13th, narrowly missing out on a top 10 spot. You can find the homepage for this CTF here. In this write-up, I’m only going to go over the challenges that I solved during the competition, going from what I found to be the easiest to the hardest.
I made a deal with Hulch Hogan (Hulk Hogan's brother) for a treasure map can you get the treasure for me?
In this challenge, we were given a text file with the following contents:
CMM72222+22 CQC52222+22 CH9J2222+22 9H9M2222+22 8PQ42222+22 9P4G2222+22 8Q572222+22
After a quick bit of Googling, I found that these were plus codes. However, they all pointed to different oceans/deserts with little other information: Google Maps results for each plus code.
Fri, 05 Apr 2019 01:01:17 GMT
Over the last couple of months, I have been developing an online image Steganography tool designed to combine and enhance the features of other separate tools. It’s open-source and due to the nature of Angular, it’s easy to add to.
Usage
First navigate to the site below: StegOnline. Once there, upload your image. You’ll then be redirected to the image homepage. From here, you are presented with the available options.
Sun, 20 Jan 2019 15:43:41 GMT
TL;DR: SQLi & WSL Escape | I did this box a few months ago, so the commentary on it may be a little rusty. It’s clear that it was popular, since it wasn’t voted out for so long. The main attack vectors in this were SQL Injection through the login field, and then escaping through cleartext passwords in the Windows Subsystem for Linux.
PART ONE: USER
Let’s begin with an nmap scan:
nmap -sV -sC -oN nmap.log 10.10.10.97
It seems like there are only two services running on this box: HTTP & SMB. We can also see that the webserver is running Microsoft IIS, which is definitely important to note.
Sat, 15 Dec 2018 17:44:48 GMT
As opposed to the more generic two-stage boxes, Waldo was unique in that there were three challenges to overcome, and each had completely different methods needed to do so. Whilst the third stage was a little tedious and hard to explain, I learnt about some small Linux functions that I never knew existed before.
PART ONE: USER
The usual nmap scan reveals three open ports. Seeing as the SSH protocol is fairly up-to-date (and there are very few sun-answerbook enumeration tools), we can assume that this will be a web application attack.
Sat, 27 Oct 2018 18:03:31 GMT
TL;DR: config webshell & Metasploit Privesc. | In this box, I wasted a lot of time trying to get an initial foothold, since it’s rare to have to perform so many different dirb scans in order to find anything useful. However, once I worked out what I had to do, the box was both fun and interesting. Since I don’t know much about Microsoft Server security, Windows boxes are always a challenge to complete.
Sun, 21 Oct 2018 14:24:02 GMT
I’ve always avoided learning more about SQL Injections, since they’ve always seemed like quite a daunting part of Infosec. Because of this, I finally decided to put some time into an SQLi-focused wargame in order to sharpen my skills a little. You can find the challenges at the website below: Zixem SQLi. There are only a few rules: Find the username (user()) and version (version()) of the site. Use Union statements for all.
Sat, 13 Oct 2018 20:02:13 GMT
TL;DR: XXE & Git Reverts. | While DevOops is known to be fairly easy, it was still good practice and fun to do. While I have seen both the same user and root methods in other CTFs before, they were both presented well, and overall the box was very well-structured.
PART ONE: USER
Our initial nmap scan reveals only two ports, SSH and HTTP:
nmap -sV -sC -oN nmap.log 10.10.10.91
When opening the HTTP page in Firefox, we are presented with the following: A page that is “under construction”.