Posts

Preface As an active user of generative AI in my work and personal life, I was excited to know of the launch of Gemini CLI. It meant I never had to leave the terminal to interact with AI agents. As someone who enjoys security research as a hobby, I also couldn’t pass up the chance to peek under the hood and see how the tool actually functions. Discovery While going through all the features available in Gemini CLI and checking the changelog of the latest release at that time, I came across a new feature # feat: Add Shell Command Execution to Custom Commands #4917. From the PR, the TLDR of this feature is described as follows: ...

Hey everyone, its been a while since I published anything. This time, I’ll be sharing how I bypassed Amazon WAF to get XSS on the target. If you’re into bugbounty, it will help you in creating a mindset to create payloads that can bypass WAFs. Otherwise, it will be a good read. I promise! For the unknown, a WAF (Web Application Firewall) is a firewall which is used to protect web applications from common attacks such as SQL injection, Cross-Site Scripting (XSS), etc., by filtering out malicious traffic. ...

Port Scanning TCP Add shibboleth.htb to /etc/hosts file. UDP Other ports found were in open|filtered STATE and I’m not including them here in the results. Web Server enumeration vHost scanning We will use ffufto perform vhost scanning. ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o ffuf-vhosts.out -u [http://shibboleth.htb](http://shibboleth.htb) -H -fw 18 Found vHosts: monitor monitoring zabbix All the three vhosts take us to the same page. It is a monitoring tool called Zabbix. There is an authentication bypass for the v5.0 of Zabbix but its not exploitable in the Zabbix application on the server. We are at a dead end. ...

Hey everyone, hope you all are doing good. This will be a short walkthrough for the Command Injection-2282 Lab by Pentester Academy. Lab Link: https://attackdefense.pentesteracademy.com/challengedetails?cid=2282 Intro We are given a URL to a webapp https://cwlw44ht84.execute-api.ap-southeast-1.amazonaws.com/Prod. It allows us to upload files. Upload a file by drag and drop and intercept the request with a proxy such as Burpsuite. The file upload request & response looks like the following: Request POST /Prod/api/file/file.txt HTTP/2 Host: cwlw44ht84.execute-api.ap-southeast-1.amazonaws.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://cwlw44ht84.execute-api.ap-southeast-1.amazonaws.com/Prod Content-Type: image/svg+xml Origin: https://cwlw44ht84.execute-api.ap-southeast-1.amazonaws.com Content-Length: 11 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Hello world Response HTTP/2 500 Internal Server Error Content-Type: application/json Content-Length: 83 Date: Sun, 24 Apr 2022 00:36:24 GMT X-Amzn-Requestid: d923b04a-fe3b-4ba7-a2b3-090b13b99a1a X-Amz-Apigw-Id: RD09TE5dSQ0FneA= X-Amzn-Trace-Id: Root=1-62649b88-6340e2b4699877f17f1bc9f7;Sampled=0 X-Cache: Error from cloudfront Via: 1.1 a8c89565e6a461b7f4de5fc565b8ea9c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: CCU50-C1 X-Amz-Cf-Id: FEkfsynkmb95fLyND1UnGbQbTOEGR3v-w1aV-fCsQSDMo2F9xGqhLg== { "message":"Error putting object: temporary-public-image-store:2022-04-24-file.txt" } If you look closely enough, the request contains the file name in the path /Prod/api/file/file.txt where our file name is file.txt. ...

Enumeration TCP Port Scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA) | 256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA) |_ 256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519) 80/tcp open http Apache httpd 2.4.41 |_http-title: Did not follow redirect to http://devzat.htb/ | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.41 (Ubuntu) 8000/tcp open ssh (protocol 2.0) | fingerprint-strings: | NULL: |_ SSH-2.0-Go | ssh-hostkey: |_ 3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA) 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8000-TCP:V=7.92%I=7%D=3/10%Time=622A1FFB%P=x86_64-pc-linux-gnu%r(NU SF:LL,C,"SSH-2\.0-Go\r\n"); Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel Web server enumeration From the nmap output, we can see that the port 80 is redirecting to http://devzat.htb. We will need to add the hostname devzat.htb on our /etc/hosts file to be able to visit the website. ...

Difficulty: Medium Room Description: No logs, no crime… so says the lumberjack. Hey folks, here is the writeup for the Lumberjack Turtle room from TryHackme. Enumeration Nmap PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 6a:a1:2d:13:6c:8f:3a:2d:e3:ed:84:f4:c7:bf:20:32 (RSA) | 256 1d:ac:5b:d6:7c:0c:7b:5b:d4:fe:e8:fc:a1:6a:df:7a (ECDSA) |_ 256 13:ee:51:78:41:7e:3f:54:3b:9a:24:9b:06:e2:d5:14 (ED25519) 80/tcp open nagios-nsca Nagios NSCA |_http-title: Site doesn't have a title (text/plain;charset=UTF-8). | http-methods: |_ Supported Methods: GET HEAD OPTIONS 22450/tcp filtered unknown 24740/tcp filtered unknown 25611/tcp filtered unknown 25974/tcp filtered unknown 30751/tcp filtered unknown 33989/tcp filtered unknown 36786/tcp filtered unknown 42724/tcp filtered unknown 50865/tcp filtered unknown Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Website (Port 80) Visiting any random non-existent page (/test) throws this error with 404 status code. ...

Jan 10, 2022 Source: www.wallpaperflare.com A brief intro Execution After Redirect (EAR) is an attack where an attacker ignores redirects and retrieves sensitive content intended for authenticated users. A successful EAR exploit can lead to complete compromise of the application. Consider a web application that has login functionality. Users who have an account can access content/features in this web application only by logging in. Unauthenticated users are redirected to the login page for them to first log in and get an authenticated session. This is one of the many situations where the Execute After Redirect or EAR vulnerability may creep in. An EAR vulnerability arises in an improper implementation of code where the developer assumes that the execution stops after redirect. However, that is not true, and the remaining part of the page also gets executed. ...

Hello everyone, hope you all are doing great. I’m planning to write some blogs (you can call it a series of blogs) on Buffer Overflows. I will be posting all of them one by one in the coming weeks. Since we will be smashing the stack when doing buffer overflows in the upcoming blogs, it is crucial to first have some knowledge on some of the basics. So, let us begin with some introductory topics. We will be using 32-bit 8086 architecture during these blogs unless explicitly mentioned. ...

Hello all, today we be doing Zeno from TryHackMe. It is rated Medium and the description says “Do you have the same patience as the great stoic philosopher Zeno? Try it out!” Port scanning There was some problem with nmap and because of that it wasn’t able to show all the open ports. Rushi suggested to me that I use Rustscan. Thanks Rushi :D Found few more ports. So now I redid the nmap scan on these ports: ...

Hi all, today we will take on the IDE room in TryHackMe. It is rated Easy and the room description says: “An easy box to polish your enumeration skills!” Enumeration Nmap So, in the nmap scan, we get four services: Nmap Output FTP server: Anonymous login is allowed according to the nmap scan. Login with the following creds: anonymous : anonymous. After logging in, we have to traverse to the ... directory and then download the file named -. To download that file, simply use get ./- command. ...