HTB challenge: LoveTok (php addslashes restricted quotes bypass)

The challenge

On a recent hackthebox challenge the following code required to be exploited to get the flag:
<?php
class TimeModel
{
public function __construct($format)
{ 
$this->format = addslashes($format);

[ $d, $h, $m, $s ] = [ rand(1, 6), rand(1, 23), rand(1, 59), rand(1, 69) ];
$this->prediction = "+${d} day +${h} hour +${m} minute +${s} second";
}

public function getTime()
{
eval('$time = date("' . $this->format . '", strtotime("' . $this->prediction . '"));');
return isset($time) ? $time : 'Something went terribly wrong';
}
}
Continue reading “HTB challenge: LoveTok (php addslashes restricted quotes bypass)”

HTB: Networked walkthrough

“Networked” Info Card  
Slight hint(s): Unrestricted file upload, bypass image upload restriction, bypass mimetype restriction
Slight hint(s) (PE): shell command injection, unescaped variable command injection
Continue reading “HTB: Networked walkthrough”

Haystack – hackthebox.eu walkthrough

This is a walkthrough on the machine called Haystack on hackthebox.eu, which most users found frustrating and/or annoying. Personally I would describe it more as a kind of annoying box, and although rated as easy my personal opinion is at least the Privilege Escalation part should be falling a bit more into the intermediate category. cat >> /etc/hosts <<<“10.10.10.115 haystack.htb”
Continue reading “Haystack – hackthebox.eu walkthrough”

OSCP – the road from failing to 105

Introduction to my OSCP Journey

Although this post is mentioned to be an overall overview and resource on how to prepare for OSCP, it is kind of targeted to those who didn’t manage to pass on their first attempt. As I am one of those guys too, and that made me make the necessary adjustments in my learning process. There are tons of reviews on OSCP regarding someone getting the certification after their first exam, and I am not one of them. Yes, I failed it. And do I regret it? Hell no. I dedicated to it and learned tons of stuff since my first exam attempt, and this post will be pointed towards those who failed their OSCP exam attempts and what to stress on when preparing how to successfully achieve the requirements for the OSCP certification.
Continue reading “OSCP – the road from failing to 105”

CTF: Jarbas 1 – vulnhub CTF walkthrough

VM: Jarbas 1
Author: Tiago Tavares (vulnhub) @tiagotvrs (twitter)
Series: Jarbas
Difficulty: Beginner/Intermediate
Privilege Escalation: Beginner/Intermediate*
Target IP: 192.168.1.112

This is a walkthrough on the CTF called Jarbas uploaded to vulnhub. *I’m not sure whether this is to be classified as Intermediate or beginner but it has its own twist on the way of getting a shell due to the lack of nc on the target (probably it’s a bit more into the beginner category).
Continue reading “CTF: Jarbas 1 – vulnhub CTF walkthrough”

DNS Cache Posionning and things to remember

As I stumbled on several occasions where DNS Cache Poisoning is properly done but not working out as expected I’m writing the present short article as a reminder for anyone wondering why DNS Cache Poisoning is not working (and for my own reference as well, it’s always great to keep a jewelry box with some small details that could sink a great ship). Continue reading “DNS Cache Posionning and things to remember”

CTF: Pinky’s Palace v2 (HARD) – vulnhub CTF walkthrough

VM: Pinky’s Palace v2
Author: Pink_Panther (vulnhub) @Pink_P4nther​​ (twitter)
Series: Pinky’s Palace
Difficulty: Beginner/Intermediate
Privilege Escalation: Intermediate/Highly Advanced*
Target IP: 10.0.0.5
Target host: pinkydb

* requires reverse engineering techniques to escalate privileges
Continue reading “CTF: Pinky’s Palace v2 (HARD) – vulnhub CTF walkthrough”

CTF: Brainpan 1 CTF walkthrough – Introduction to exploit development (Part II)

Part I: Brainpan 1 CTF walkthrough – Introduction to exploit development

Phase #5: Getting a stable shell

As it can be seen from the screenshot, an unexpected event has happened – we are actually provided a windows prompt, however the overall file structure seems to be linux-like: Continue reading “CTF: Brainpan 1 CTF walkthrough – Introduction to exploit development (Part II)”