Cyber Apocalypse 2025 - 6x Web Challenges Writeup

I participated as a member of team CibersecUNI. This time I managed to solve all 6/6 challenges in the web category. Whispers of the Moonbeam Looking at the functions, we are given a hint that commands can be injected with ;. Using the gossip command, I can list the files; the flag.txt file is shown, and with a simple ; I can chain the cat command to read the flag. gossip; cat flag.txt We get the flag. 🎉 HTB{Sh4d0w_3x3cut10n_1n_Th3_M00nb34m_T4v3rn_78cb9b70be3bf077e608865b967b5ab1} ...

March 25, 2025 · 6 min · 1230 words · Jesus Lujan

Cyber Apocalypse 2024 - 4x Web Challenges Writeup

I participated as a member of team CibersecUNI. In the web category we solved 6/9 challenges as a team. In this writeup I will go through the ones that I have solved: Testimonial, Labyrinth Linguist, TimeKORP, Locktalk. Testimonial As the leader of the Revivalists you are determined to take down the KORP, you and the best of your faction's hackers have set out to deface the official KORP website to send them a message that the revolution is closing in. ...

March 14, 2024 · 9 min · 1891 words · Jesus Lujan

Cross Site Scripting (XSS)

Cross-site scripting, known as XSS, is a web vulnerability in which malicious scripts are injected into benign and trusted websites. XSS occurs when an attacker sends malicious code through a user input field in a browser so that it reaches a different end user. Mechanisms In an XSS attack the attacker injects a script into HTML code, so you'll have to know JavaScript and HTML syntax; the web uses scripts to control client-side application logic and make the website interactive, for example this script generates a Hello! pop-up on the web page: ...

May 18, 2022 · 3 min · 484 words · Jesus Lujan

Cyber Apocalypse 2023 2x Web Challenges Writeup

Kryptos Support Checking the web page of this challenge gives a form to send an issue, and an admin will review that issue. So it's interesting: maybe the admin will click on that issue and we can inject some kind of payload, like a stored XSS; this approach is similar to the Bankrobber box in HTB. So we can craft the payload to steal the cookie of the admin or the user who will review our ticket. ...

May 18, 2022 · 2 min · 381 words · Jesus Lujan

HackTheBox Jarvis

Machine IP: 10.10.10.143 Reconnaissance First we do a port scan to find out which ports are open and learn their corresponding services. Nmap As we can see, port 80 is open, which is HTTP; we'll look at it in the browser to see what it is and analyze the website. Wappalyzer Using the Wappalyzer extension to identify the technologies used on the site, we find that the site is using phpMyAdmin version 4.8. After a bit of research we find the following vulnerability, phpMyAdmin 4.8.1 - Remote Code Execution (RCE), which takes advantage of running commands through SQL parameters. ...

November 15, 2021 · 3 min · 566 words · Jesus Lujan