Bandit CTF – Level 13

Level 12 -> 13

bandit12@bandit:~$ ls
bandit12@bandit:~$ mkdir /tmp/pepet
bandit12@bandit:~$ cp data.txt /tmp/pepet
bandit12@bandit:~$ cd /tmp/pepet
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ file data.txt
bandit12@bandit:/tmp/pepet$ xxd -r data.txt > data_xxd_1
bandit12@bandit:/tmp/pepet$ file data_xxd_1
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ zcat data_xxd_1 > data_zcat_1
bandit12@bandit:/tmp/pepet$ file data_zcat_1
bandit12@bandit:/tmp/pepet$ bzip2 -d data_zcat_1
bandit12@bandit:/tmp/pepet$ file data_zcat_1.out
bandit12@bandit:/tmp/pepet$ zcat data_zcat_1.out > data_zcat_2
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ file data_zcat_2
bandit12@bandit:/tmp/pepet$ tar xvf data_zcat_2
bandit12@bandit:/tmp/pepet$ file data5.bin
bandit12@bandit:/tmp/pepet$ tar xvf data5.bin
bandit12@bandit:/tmp/pepet$ file data6.bin
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ bzip2 data6.bin.bz2

EVABS Challenge 8


HTB TheNotebook

$ nmap -A -p- -T4 -v

So, a user test exists. What would be the password? test??? Do we have an admin user? We can try to log in with our test user.

Test notes

After logging in, we can observe that there is an AUTH Token. We observe that it is a JWT Token. We can decode it using

Here we can observe several things: RS256

EVABS Challenge 7

$ adb shell am start -n com.revo.evabs/com.revo.evabs.ExportedActivity

EVABS{exp0rted_activities_ar3_harmful}

EVABS Challenge 6

$ adb shell
vbox86p:/data/data/com.revo.evabs/databases # ls
$ adb pull /data/data/com.revo.evabs/databases/MAINFRAME_ACCESS .
$ ls
$ file MAINFRAME_ACCESS

EVABS{sqlite_is_not_safe}

EVABS Challenge 5

$ adb shell
vbox86p:/data/data/com.revo.evabs # ls
vbox86p:/data/data/com.revo.evabs # cd shared_prefs
vbox86p:/data/data/com.revo.evabs/shared_prefs # ls
vbox86p:/data/data/com.revo.evabs/shared_prefs # cat DETAILS.xml

EVABS{shar3d_pr3fs_c0uld_be_c0mpromiz3ds}

EVABS Challenge 4


HTB BountyHunter

$ nmap -A -T4 -v

Open ports
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

As we can observe in Burp, the data is URL+base64 encoded. It's XML data, so we could try an XXE. Using Cyberchef ( on we also find :

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file_to_use"> ]>

We can use to check other files

EVABS Challenge 3

HTB Love

$ nmap -A -p- -T4

Open ports:
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
ssl-cert: Subject:
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd