Challenge on s4yhii's blog https://blog.s4yhii.com/tags/challenge/ Recent content in Challenge on s4yhii's blog s4yhii's blog https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E Hugo -- 0.155.3 en-us Fri, 01 Jul 2022 12:00:00 -0400 HackTheBox Web Challenges https://blog.s4yhii.com/posts/2022-07-01-web-challenges-htb/ Fri, 01 Jul 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-07-01-web-challenges-htb/ <h1 id="templated">Templated</h1> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/challenges/ch0.jpg"></p> <ul> <li>Dificulty: easy</li> <li>Description: Can you exploit this simple mistake?</li> </ul> <h2 id="solution">Solution</h2> <p>First we visit the site and see that uses jinja2, this template is susceptible to <code>SSTI attacks</code>.</p> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/challenges/ch1.jpg"></p> <p>We see that the directory searched is rendered in the page with 25, so its vulnerable to SSTI.</p> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/challenges/ch2.jpg"></p> <p>We use the payload that will allow us to <code>RCE</code> on the server to read the file <code>flag.txt</code>, we extract it from <a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2---remote-code-execution">PayloadsAllTheThings</a>.</p> Cloud Resume Challenge https://blog.s4yhii.com/posts/2022-01-10-aws-cloud-resume-challenge/ Mon, 10 Jan 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-01-10-aws-cloud-resume-challenge/ <h1 id="cloud-resume-challenge">Cloud Resume Challenge</h1> <h2 id="setup-aws">Setup AWS</h2> <p>Create your aws account</p> <p>Setup MFA for your roor account</p> <p>Create an IAM user</p> <p>Assign permission (Principle of Least privilege)</p> <p>Setup Vault (<a href="https://github.com/99designs/aws-vault">https://github.com/99designs/aws-vault</a>)</p> <p>aws-vault add myuser ( ex: aws-vault add dev)</p> <p>aws-vault exex myuser — aws s3 ls</p> <h2 id="setup-s3">Setup S3</h2> <p>What is s3: file service useful for storing files usually for host a website</p> <p>What is AWS SAM: server less application model</p> <p>we will create an AWS Lambda (we ignore this for now)</p>