Bypassing Amazon WAF to Pop an alert()

Hey everyone, it's been a while since I published anything. This time, I'll be sharing how I bypassed Amazon WAF to get XSS on the target. If you're into bug bounty, it will help you build a mindset for creating payloads that can bypass WAFs. Otherwise, it will be a good read. I promise! For those who don't know, a WAF (Web Application Firewall) is a firewall used to protect web applications from common attacks such as SQL injection, Cross-Site Scripting (XSS), etc....

August 29, 2022 · 4 min

Hacking IPMI and Zabbix in HackTheBox - Shibboleth

Port Scanning TCP Add shibboleth.htb to the /etc/hosts file. UDP Other ports found were in open|filtered STATE and I'm not including them here in the results. Web Server enumeration vHost scanning We will use ffuf to perform vhost scanning. ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o ffuf-vhosts.out -u http://shibboleth.htb -H -fw 18 Found vHosts: monitor monitoring zabbix All three vhosts take us to the same page. It is a monitoring tool called Zabbix....

April 28, 2022 · 6 min

From File Upload to Command Injection to AWS Compromise

Hey everyone, hope you all are doing good. This will be a short walkthrough for the Command Injection-2282 Lab by Pentester Academy. Lab Link: https://attackdefense.pentesteracademy.com/challengedetails?cid=2282 Intro We are given a URL to a webapp, https://cwlw44ht84.execute-api.ap-southeast-1.amazonaws.com/Prod. It allows us to upload files. Upload a file by drag and drop and intercept the request with a proxy such as Burp Suite. The file upload request & response look like the following: Request POST /Prod/api/file/file....

April 24, 2022 · 3 min

HackTheBox Devzat

Enumeration

TCP Port Scan

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA)
|   256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA)
|_  256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://devzat.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
8000/tcp open  ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-Go
| ssh-hostkey:
|_  3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
1 service unrecognized despite returning data....

March 15, 2022 · 4 min

Lumberjack Turtle Writeup

Difficulty: Medium

Room Description: No logs, no crime… so says the lumberjack.

Hey folks, here is the writeup for the Lumberjack Turtle room from TryHackMe.

Enumeration

Nmap

PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6a:a1:2d:13:6c:8f:3a:2d:e3:ed:84:f4:c7:bf:20:32 (RSA)
|   256 1d:ac:5b:d6:7c:0c:7b:5b:d4:fe:e8:fc:a1:6a:df:7a (ECDSA)
|_  256 13:ee:51:78:41:7e:3f:54:3b:9a:24:9b:06:e2:d5:14 (ED25519)
80/tcp    open     nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
22450/tcp filtered unknown
24740/tcp filtered unknown
25611/tcp filtered unknown
25974/tcp filtered unknown
30751/tcp filtered unknown
33989/tcp filtered unknown
36786/tcp filtered unknown
42724/tcp filtered unknown
50865/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Website (Port 80) Visiting any random non-existent page (/test) throws this error with a 404 status code....

February 1, 2022 · 3 min

Exploiting Execute After Redirect (EAR) Vulnerability in HTB Previse

Jan 10, 2022 Source: www.wallpaperflare.com A brief intro Execution After Redirect (EAR) is an attack where an attacker ignores redirects and retrieves sensitive content intended for authenticated users. A successful EAR exploit can lead to complete compromise of the application. Consider a web application that has login functionality. Users who have an account can access content/features in this web application only by logging in. Unauthenticated users are redirected to the login page for them to first log in and get an authenticated session....

January 10, 2022 · 3 min

Stack Based Buffer Overflows Prerequisites

Hello everyone, hope you all are doing great. I'm planning to write some blogs (you can call it a series of blogs) on Buffer Overflows. I will be posting them one by one in the coming weeks. Since we will be smashing the stack when doing buffer overflows in the upcoming blogs, it is crucial to first have some knowledge of the basics. So, let us begin with some introductory topics....

December 10, 2021 · 4 min

Zeno THM Writeup: Abusing Service File Misconfigurations

Hello all, today we'll be doing Zeno from TryHackMe. It is rated Medium and the description says "Do you have the same patience as the great stoic philosopher Zeno? Try it out!" Port scanning There was some problem with nmap and because of that it wasn't able to show all the open ports. Rushi suggested to me that I use Rustscan. Thanks Rushi :D Found a few more ports. So now I redid the nmap scan on these ports:...

October 25, 2021 · 4 min

IDE TryHackMe Writeup

Hi all, today we will take on the IDE room in TryHackMe. It is rated Easy and the room description says: "An easy box to polish your enumeration skills!" Enumeration Nmap So, in the nmap scan, we get four services: Nmap Output FTP server: Anonymous login is allowed according to the nmap scan. Log in with the following creds: anonymous : anonymous. After logging in, we have to traverse to the ....

October 22, 2021 · 3 min

TryHackMe - Sweettooth Inc. (non port forward method)

Hello everyone, this one is going to be the write-up for the Sweettooth Inc. room on TryHackMe. In this room, we'll first have to enumerate a vulnerable database, where we have to craft a JWT token to log in to it, and there we get the SSH credentials to the system. Once we get a foothold on the system, we see that it's a docker container with an exposed Docker Engine API....

August 2, 2021 · 5 min