Sharing writeups of CTF challenges and Machines
Enumeration There is a web server. Add it to the hosts file and check the web page. There’s an upload page. Maybe I can do something here. I found out when I click the preview button after inputting URL, the value in bookurl becomes something like UUID. It doesn’t do any interesting things further. I … Read More “OSCP series – Editorial write-up” »
nmap Add the domain name to the hosts file. Also, port 9091 is open. It is worth checking it. Enumeration When I accessed the web page, the home page looked like the image below. There’s nothing to see on the main page. I ran dirbuster to find directories. There’s one hit. User flag And I … Read More “OSCP series – Soccer writeup” »
nmap The nmap scanning shows ports 22 and 55555 are open. I checked the web page. I found the version of request-baskets is 1.2.1 from the web page. I googled if it has any vulnerabilities, then I found SSRF vulnerability: CVE-2023-27163 Exploitation I downloaded a PoC of the vulnerability from this github page. I proxied … Read More “OSCP series – Sau writeup” »
Nmap 22, 80, and 3000 ports are open. Web pages Port 3000 is uncommon. Checked the page. The web page displays a message like json. This kind of thing is called graphql. I referred to the documentation to learn how to use it. I managed to find out the user credentials using the query below. … Read More “OSCP series – Help write-up” »
Enumeration Start with nmap scan. Check ssh and a web server are running. It failed to redirect to http://searcher.htb, so add it to /etc/hosts file. If nmap again after adding it to the /etc/hosts file, I got a different result. Here, I can see it is using Werkzeug 2.1.2 version. My first thought was to … Read More “OSCP series – Busqueda write-up” »
Enumeration nmap Nmap result is as below. Check FTP and SSH ports are open. Also, FTP allows anonymous login. Therefore, login as anonymous. Download all the files and enumerate the directories and files. We can see the users in passwd. netadmin. checked. In the config directory, we can find wireless information. There is the password! … Read More “Hack the box – Wifinetic – writeup” »
