HTB Synced

Today we return with a new of the very easy HTB boxes to try to finish them all. $ nmap -v -p- 10.129.228.37 –min-rate 5000 Rsync port is 873/tcpLet’s see which version rsync is using… $ nmap -v -p873 -sV 10.129.228.37 –min-rate 5000 Another option: $ nc -vn 10.129.228.37 873 Rsync protocol is version 31. From Linux, we can interact with rsync with the tool rsync. $ rsync –help $

reconFTW – Yet another new recon tool

According to its GitHub page, reconFTW is desdribed as: ReconFTW automates the entire process of reconnaissance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target. ReconFTW uses a lot of techniques (passive, bruteforce, permutations, certificate transparency, source code scraping, analytics, DNS records…) for subdomain enumeration which helps you to get the maximum and the most interesting subdomains so that

explainshell.com – A tool to learn what all the command-line argument means

Have you ever had any doubts about the meaning of the arguments of some command-line tools? https://explainshell.com is a tool where you write the command and it explains you in an easy way the meaning of each of the parameters. For example if you write: ssh -i keyfile -f -N -L 1234:www.google.com:80 host The output of the ths tool will be: Or maybe: cut -d ‘ ‘ -f 1 /var/log/apache2/access_logs

Katana: a new crawling and spidering tool

A new web crawler and spidering tool from ProjectDiscovery.io has been released. Install katana requires Go 1.18 to install successfully. go install github.com/projectdiscovery/katana/cmd/katana@latest Usage Input Crawling Mode According to Katana’s documentation: Standard Mode Standard crawling modality uses the standard go HTTP library under the hood to handle HTTP requests/responses. This modality is much faster as it doesn’t have the browser overhead. Still, it analyzes HTTP responses body as is, without any javascript

Fixed – [oh-my-zsh] Can’t update: not a git repository.

This week I upgraded my Macbook to the latest version and since the update, I realized that every time I opened a new terminal I had this warning issue from Oh-my-Zsh. [oh-my-zsh] Can’t update: not a git repository. If you search a bit, there are several messages explaining that this error may be due to the application folder has been messed up and the .git folder being lost. It wasn’t

Burp Suite Academy lab – Stored XSS into HTML context with nothing encoded

This lab contains a stored cross-site scripting vulnerability in the comment functionality.To solve this lab, submit a comment that calls the alert function when the blog post is viewed. Access to the lab https://0a7900e404a806d2c000170700c90074.web-security-academy.net Solution Click on View post button: https://0a7900e404a806d2c000170700c90074.web-security-academy.net/post?postId=6 At the bottom of the page, there is a comments section where you can add a message. We can try to use the comment system to place our payload. Now access again to

Burp Suite Academy lab – Reflected XSS into HTML context with nothing encoded

Today we start a new series of CTF lab solutions. In this case, we start to solve labs from the Burp Suite Academy from portswigger.net Objective: This lab contains a simple reflected cross-site scripting vulnerability in the search functionality.To solve the lab, perform a cross-site scripting attack that calls the alert function. Solution: The lab’s URL is always a random series of characters followed by the domain web-security-academy.netIn this case,

What is my external ip?

This is a small script to know what is our external ip from the terminal.

HTB Mongod

This is another of the Very easy HTB Starting Point boxes. $ nmap -sV -p- 10.129.143.75 –min-rate 5000 As we can see in the Nmap results we hava a MongoDB version 3.6.8 MongoDB is a NoSQL database.You can find more information in their documentation here: https://www.mongodb.com/docs To be able to interact with the db, we need to install the MongoDB package into our Kali Linux. it is included in the

How to fix – Warning apt-key is deprecated

Last week I tried to install Ulauncher into a Linux Mint 21 freshly installed. After installing Ulauncher using: sudo add-apt-repository ppa:agornostal/ulauncher && sudo apt update && sudo apt install ulauncher I got this error: «Warning apt-key is deprecated«. After some Googling, I found this that help me to fix it. Fixing process: $ sudo apt-key list Now, we need to remember the last 8 Hexa digits (99503176) of the corresponding