Bandit CTF – Level 13

Level 12 -> 13

bandit12@bandit:~$ ls
bandit12@bandit:~$ mkdir /tmp/pepet
bandit12@bandit:~$ cp data.txt /tmp/pepet
bandit12@bandit:~$ cd /tmp/pepet
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ file data.txt
bandit12@bandit:/tmp/pepet$ xxd -r data.txt > data_xxd_1
bandit12@bandit:/tmp/pepet$ file data_xxd_1
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ zcat data_xxd_1 > data_zcat_1
bandit12@bandit:/tmp/pepet$ file data_zcat_1
bandit12@bandit:/tmp/pepet$ bzip2 -d data_zcat_1
bandit12@bandit:/tmp/pepet$ file data_zcat_1.out
bandit12@bandit:/tmp/pepet$ zcat data_zcat_1.out > data_zcat_2
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ file data_zcat_2
bandit12@bandit:/tmp/pepet$ tar xvf data_zcat_2
bandit12@bandit:/tmp/pepet$ file data5.bin
bandit12@bandit:/tmp/pepet$ tar xvf data5.bin
bandit12@bandit:/tmp/pepet$ file data6.bin
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ bzip2 data6.bin.bz2

EVABS Challenge 8

EVABS{nev3r_st0re_s3ns!tiv3_data_1n_7h3_s0urcec0de}

HTB TheNotebook

$ nmap 10.10.10.230 -A -p- -T4 -v

http://10.10.10.230/
http://10.10.10.230/register

So, a user test exists. What would be the password? test??? Do we have an admin user?

http://10.10.10.230/login

We can try to log in with our test user.

Test notes

After logging in, we can observe that there is an AUTH token. We observe that it is a JWT token. We can decode it using https://jwt.io/

Here we can observe several things: RS256

EVABS Challenge 7

$ adb shell am start -n com.revo.evabs/com.revo.evabs.ExportedActivity
EVABS{exp0rted_activities_ar3_harmful}

EVABS Challenge 6

$ adb shell
vbox86p:/data/data/com.revo.evabs/databases # ls
$ adb pull /data/data/com.revo.evabs/databases/MAINFRAME_ACCESS .
$ ls
$ file MAINFRAME_ACCESS
EVABS{sqlite_is_not_safe}

EVABS Challenge 5

$ adb shell
vbox86p:/data/data/com.revo.evabs # ls
vbox86p:/data/data/com.revo.evabs # cd shared_prefs
vbox86p:/data/data/com.revo.evabs/shared_prefs # ls
vbox86p:/data/data/com.revo.evabs/shared_prefs # cat DETAILS.xml
EVABS{shar3d_pr3fs_c0uld_be_c0mpromiz3ds}

EVABS Challenge 4

EVABS{th!s_plac3_is_n0t_as_s3cur3_as_it_l00ks}

HTB BountyHunter

$ nmap -A 10.10.11.100 -T4 -v

Open ports

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

http://10.10.11.100/
http://10.10.11.100/resources/README.txt
http://10.10.11.100/portal.php
http://10.10.11.100/log_submit.php

As we can observe in Burp, the data is URL+base64 encoded. It's XML data, so we could try an XXE. Using CyberChef (https://gchq.github.io) on https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#classic-xxe we also find:

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file_to_use"> ]>

We can use it to check other files

EVABS Challenge 3

HTB Love

$ nmap -A -p- 10.10.10.239 -T4

Open ports:

80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
    ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd