Posts

Showing posts from January, 2022

Forge - HackTheBox

Forge HTB Machine (10.10.11.111)

Recon: Let's add the machine IP to our /etc/hosts file: 10.10.11.111 forge.htb. Starting with a rustscan port scan, we find only 2 open ports, i.e. 22 and 80. Let's scan these ports with nmap: nmap -A -p22,80 -T4 10.10.11.111

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Gallery
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let's also do directory fuzzing in the background; we find upload and uploads. Upload is the feature and uploads will probably be the directory where all uploaded files go. Directory listing is not enabled. Let's also fuzz for vhosts on the server: ffuf -u http://forge.htb/ -w /<path>/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.forge.htb" -fc 302 and we find admin instantly...

Tools: Pentest tools used in industry.

1. Flask-Unsign: a tool to forge Flask session cookies. Tool GitHub link: https://github.com/Paradoxis/Flask-Unsign Author's official blog: https://blog.paradoxis.nl/defeating-flasks-session-management-65706ba9d3ce

While reading this blog, I recalled that I had seen this before while solving an HTB box but never tried it. So here it is. This tool can be used to manipulate stateless cookies: Flask's session cookies and JWTs are not encrypted but signed, which means they are easily readable and manipulable as long as the secret is somehow known. The server takes the data, hashes it with a secret and verifies the signature it received against the signature it produced by hashing. If they match, the server allows the user to perform the action, else not. flask-unsign is one such tool: it takes the cookie and tries to guess the secret that was used to sign it, using a wordlist. You can use either your own wordlist or the creator's common se...

Previse - HackTheBox

This was an easy Linux machine on HackTheBox. Let's dive into it. Name: Previse IP: 10.10.11.104

First things first, let's search for open ports using rustscan: rustscan -a 10.10.11.104 -u 5000. Only 2 ports are open: 80 & 22. Nmap scan: nmap -A -p22,80 -T4 10.10.11.104

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH is running on port 22 and the Apache web server on port 80 with PHP. Nothing seems much interesti...

Yogosha Christmas Challenge 2021

Hello security enthusiasts, this Christmas I played the “Yogosha CTF 2021” challenge, as I got a mail from their team on 28th December and quickly signed up for it. Although I couldn’t complete all the challenges, I learned new things, i.e. the Hash Length Extension Attack, the PHP file_get_contents() LFI vuln. & PHP’s weird behaviours. The whole CTF was based on a Naruto theme.

First challenge: It was an easy OSINT challenge, which was about tracking down a user on Flickr where he posted an image. The metadata of the image contained the flag and the link for the next challenge. Let’s focus on that.

Second Challenge (Uchiha or Evil): Challenge URL: http://3.141.159.106 Description: I heard something important is stored in /secret.txt. Let’s try to load the /secret.txt file on the web server. But it is not found (404). Then I asked the Yogosha admin whether this was intended. The answer was: Yes, it is a file in the root directory and we have to get access to that *. After a little enumeration we can read the /robots.txt file. U...