Search by Tag

GPN | 04 June 2024 | A Full Solves What Im Thinking Of
- ldd executes a custom interpreter set on a binary, which reads the flag
tags: ldd patchelf

GPN | 04 June 2024 | Even More Flags
- the site provides functionality to upload a link, which is visited by a bot
- use this to access the endpoint serving the flag (only servable to connections from localhost)
tags: ssrf ngrok

GPN | 04 June 2024 | Future Of Pwning 1
- write a simple program in the ForwardCom language to retrieve file contents and print them
tags: forwardcom

GPN | 04 June 2024 | GPN
tags:

GPN | 04 June 2024 | Inspect Element
- use a CVE in the Chrome debugger to read arbitrary files
tags: chome_debugger metasploit

GPN | 04 June 2024 | Never Gonna Give You Ub
- x64 ret2win with no protections (ASLR, PIE, canaries)
tags: ret2win_64bit

GPN | 04 June 2024 | Never Gonna Let You Crypto
- simple XOR cipher with a known start of the plaintext
- recover the short key and decode the message
tags: XOR

GPN | 04 June 2024 | Never Gonna Run Around And Reverse You
- reverse engineer a custom XOR cipher in C
tags: XOR

GPN | 04 June 2024 | Never Gonna Tell A Lie And Type You
- simple authentication bypass on the client side with PHP type juggling
tags: authentication php_juggling

GPN | 04 June 2024 | Refined Notes
- stealing the admin's cookies containing the flag with stored XSS
tags: XSS

GPN | 04 June 2024 | So Many Flags
- the website allows uploads of HTML files, in which we can include XSS to fetch the flag file, since the browser is launched with the option to read data from files
tags: XSS

GPN | 04 June 2024 | Todo Hard
tags:

GPN | 04 June 2024 | Todo
tags:

PatriotCTF | 22 November 2024 | Giraffe Notes
- add a specific HTTP header (X-Forwarded-For) to the request to get the flag
tags: x_forwarded_for

PatriotCTF | 22 November 2024 | Impersonate
- Flask session cookie forging based on a leaked secret key
tags: flask_session

PatriotCTF | 22 November 2024 | Not So Shrimple Is It
- 64-bit ret2win with strncat (stops at a null byte)
tags: ret2win_64bit

PatriotCTF | 22 November 2024 | Open Sesame
- use XSS in an endpoint to redirect the admin bot to a filtered endpoint with a command injection vulnerability, sending the flag to a webhook
tags: comman_injection xss endpoint_filter_bypass

PatriotCTF | 22 November 2024 | Pancakes
- write a custom Python script to repeat the same process 1000 times
tags:

PatriotCTF | 22 November 2024 | Idk Cipher
tags:

PatriotCTF | 22 November 2024 | PatriotCTF
tags:

srdnlen | 19 January 2025 | Average Http3 Enjoyer
- HTTP/3 website accessed with curl, bypassing a HAProxy ACL with the HTTP pseudo-header :path
tags: http3 http_pseudo_header haproxy
extended-tags: curl

srdnlen | 19 January 2025 | Ben10
- Flask JWT tokens with a leaked key, allowing a forged admin session cookie
tags: flask_unsign flask_session

srdnlen | 19 January 2025 | Focus Speed I Am Speed
- NoSQL injection in the /redeem endpoint and a race condition in the gift card redemption process, allowing multiple redemptions and enabling the purchase of an item containing the flag
tags: nosql_injection race_condition
extended-tags: hbs mongodb burp_parallel

KnightCTF | 21 January 2025 | Exceedingknight
- abuse the debug traceback from a user-triggered exception to read the .env file containing the flag
tags: information_disclosure
extended-tags: laravel

KnightCTF | 21 January 2025 | Knightconnect
- abuse the login-via-link endpoint to log in as a user, as the authentication is based on user-supplied inputs with no interaction with the database
tags: authorization
extended-tags: laravel

KnightCTF | 21 January 2025 | KnightCTF
tags:

srdnlen | 21 January 2025 | srdnlen
tags:

TUCTF | 27 January 2025 | Haunted Game
- extract assets from the Unity game to find images and audio files paired together
- follow the hints to construct the flag
tags: unity asset_ripper spectral_analysis

TUCTF | 27 January 2025 | Shopping Time
- IDOR vulnerability to search for items by the first 3 bytes of the hash of their name
tags: IDOR

TUCTF | 27 January 2025 | Silly Cloud
- use LFI to retrieve the Kubernetes token and certificate
- enumerate the Kubernetes cluster with kubectl to find a hidden resource containing the flag
tags: kubernetes kubectl

TUCTF | 27 January 2025 | TUCTF
tags:

Nullcon | 03 February 2025 | Bfail
- the application leaks source code, revealing part of the admin's password and its hash
- the remaining part of the password can be brute-forced
tags: bruteforce bcrypt

Nullcon | 03 February 2025 | Numberizer
- integer overflow in PHP bypasses a condition, leading to recovery of the flag
tags: php integer_overflow

Nullcon | 03 February 2025 | Paginator v2
- UNION injection to recover table names, table columns and the flag, without using commas in the query
tags: SQLi php SQLi_union

Nullcon | 03 February 2025 | Paginator
- simple OR SQL injection leads to recovery of the flag
tags: SQLi php SQLi_or

Nullcon | 03 February 2025 | Sess.io
- the page creates session cookies via mt_rand and uses parts of the flag for seeding
- recovering session cookies and running them through a PHP rand cracker recovers the flag
tags: php mt_srand mr_rand

Nullcon | 03 February 2025 | Temptation
- the app uses a vulnerable web.template where we can exploit SSTI to send the flag to our endpoint
tags: SSTI web_template

Nullcon | 03 February 2025 | Nullcon
tags:

BITSCTF | 10 February 2025 | Baby Web
- JWT algorithm confusion with a known public key to forge a session token for the administrator
tags: jwt jwt_algorithm_confusion

BITSCTF | 10 February 2025 | Get Into My Cute Small Planner
- DOMPurify bypass using Unicode overflow to inject a `` element
- bypassed CSP by leveraging the `/redirect` endpoint (and CSP not matching paths) to load AngularJS and execute JavaScript via a sandbox escape
- extracted the flag by retrieving the admin's note ID and exfiltrating its contents
tags: XSS CSP unicode_overflow
extended-tags: DOMPurify angular

BITSCTF | 10 February 2025 | BITSCTF
tags:

KashiCTF | 24 February 2025 | Corporate Life 1
- the React framework leaks a hidden API, which contains an OR SQL injection to retrieve all the users
tags: SQLi_or react

KashiCTF | 24 February 2025 | Corporate Life 2
- UNION SQLi to retrieve the hidden table name, its columns and finally its contents
tags: SQLi_union sqlite

KashiCTF | 24 February 2025 | Mmdlx
- figure out that the provided file is encrypted using a Caesar cipher and then base64 encoded multiple times
tags: caesar base64

KashiCTF | 24 February 2025 | KashiCTF
tags:

LACTF | 24 February 2025 | Cache It To Win It
- abuse the database truncating trailing whitespace to generate new cache keys for each request
tags: cache flask

LACTF | 24 February 2025 | LACTF
tags:

HackTheBox - Easy | 05 January 2025 | Alert
- exploiting XSS in a Markdown viewer tricks the admin, leading to LFI and retrieval of configuration files with credentials
- the credentials enable access, revealing an additional HTTP server on the machine
- creating a reverse shell on the HTTP server allows root login and retrieval of the final flag
tags: XSS LFI reverse_shell
extended-tags: nmap ffuf burpsuite_macro

HackTheBox - Easy | 05 January 2025 | Chemistry
- exploiting a CIF processing library CVE reveals configuration files with a username and hash
- cracking the hash grants access, leading to discovery of a hidden HTTP server on port 8080
- exploiting an outdated AioHTTP library via a CVE allows reading the root flag
tags: CIF_CVE AioHTTP_CVE reverse_shell
extended-tags: nmap whatweb

HackTheBox - Easy | 05 January 2025 | Linkvortex
- enumeration reveals a hidden subdomain with an admin password in a Git repository, allowing access via a Ghost CMS CVE
- access to the machine enables discovery of a script executable as root
- exploiting a symlink chain leads to reading the root flag
tags: Ghost_CVE git symlink

HackTheBox - Easy | 05 January 2025 | Underpass
- network enumeration and SNMP information gathering reveal an HTTP service running daloRADIUS with default credentials
- credentials extracted from daloRADIUS allow further system access
- exploiting a misconfigured mosh server grants root access
tags: SNMP mosh
extended-tags: nmap nmap_udp snmpwalk daloradius

HackTheBox - Medium | 05 January 2025 | Instant
- reverse engineering an APK reveals subdomains and API endpoints, with LFI exploited to retrieve the SSH private key
- SSH access enables further enumeration, uncovering an encrypted SolarPuTTY session backup file
- decrypting the backup using a SolarPuTTY CVE exploit reveals the root password for full system control
tags: LFI APK SolarPutty
extended-tags: nmap apktool smali authorization

HackTheBox - Medium | 29 January 2025 | Monitorsthree
- using SQLi to exfiltrate the admin password for the Cacti service running on a subdomain, which is vulnerable to a CVE that leads to access to the box
- enumeration of a config file reveals Cacti database users; cracking the hashes recovers the user password
- finding a Duplicati service running on the box, which we can use to restore a malicious crontab file leading to root access
tags: SQLi sqlmap
extended-tags: Cacti crontab nmap ffuf mysql Duplicati

HackTheBox - Medium | 30 January 2025 | Backfire
- enumerate and find that the server is running Havoc without WSS, which is vulnerable to SSRF as well as RCE
- combine the two exploits to get a reverse shell as one of the users
- find another C2 framework with a public CVE to chain authentication bypass and RCE, and access this user (pivot)
- enumerate and find sudo access to iptables; use comments with newlines to dump a public key into root's SSH authorized keys
tags: Havoc websockets iptables
extended-tags: Hard2Hat nmap

HackTheBox - Easy | 13 February 2025 | Cap
- discover a webserver running on port 80, which has an IDOR vulnerability to access a sensitive PCAP file with a password
- find that python has the cap_setuid capability, which can be used to create a root shell
tags: IDOR PCAP setuid

HackTheBox - Easy | 17 February 2025 | Titanic
- discover path traversal on the website to recover the user flag and the Gitea database
- recover the user password from the Gitea database to gain access to the box
- use a CVE for ImageMagick in a script running periodically as root to read the root flag
tags: gitea path_traversal ImageMagick
extended-tags: nmap hashcat sqlite3

Easy | 17 February 2025 | Easy
tags:

HackTheBox - Medium | 24 February 2025 | Cat
- enumerate the page to find a hidden `.git` directory where you can review the source code of the application
- find XSS to get the admin token and SQLi to get the username and password for the first user of the box
- the user is in a special group and can read logs; use this to leak the other user's password
- find that Gitea is running internally, which has another XSS vulnerability to leak the root password
tags: SQLi XSS gitea
extended-tags: log adm