Posts

My OSCP Journey and PWK Course Review

Intro: I signed up for the course with 60 days of lab time on 27th Nov 2018, with my labs starting on 9th Dec. During these ~10 days I also got a VIP subscription to HackTheBox to pwn some retired machines, solved a dozen boot2root machines from VulnHub, read many privesc writeups and HTB walkthroughs, watched almost every ippsec video and prepared myself for the labs. Lab Days and the journey of learning: I got the study materials (PDF + videos + lab connection) early in the morning and I was really excited about it, so I just read about the network structure of the lab, watched some intro videos, and jumped straight into the lab. I was expecting the lab environment to be something like HTB, with difficulty level, OS info, etc., but nothing like that was there: only a list of IP addresses. At this point I had to go back to the PDF, watch more videos and read others' reviews to get some idea of how to get an initial foothold on the first subnet. I spent like 4 days m...

DC-2 Walkthrough

I already got root on the DC-1 machine about a month ago. It was a nice box, but I didn't have enough time to write about it, so I thought I'd do the DC-2 machine by the same author and write about it too :D. Though DC-2 is not available on VulnHub yet, you can download it from here. This machine has 5 flags in total and below is my walkthrough on how I found them :) As usual, I started the box with a quick nmap scan, which revealed port 80 only. Only port 80 open? This sounded fishy to me, so I hit the up arrow key and added the -p option to the previous command for a full TCP port scan, and now we can see that port 7744 is also open. Since this port is used for SSH and no creds were provided, I went for the HTTP service on port 80. On opening the machine's IP address directly, I got redirected to dc-2/, so I quickly added an entry to the /etc/hosts file with the machine's IP address and its corresponding hostname. On opening dc-2/ in the browser, a WordPress site was found. Welcome, what we ...

[Vulnhub] - W34kn3ss Walkthrough

So it's been a long time since I published any walkthroughs, and VulnHub started publishing new machines yesterday, so I thought why not solve and write about them. The first machine I did is this one, W34kn3ss, and below is my walkthrough for it. The target machine's IP address is 192.168.0.122, so I did a quick nmap scan on it. In the above screenshot we can see some open ports: 22, 80 and 443. Nmap's default script scan on port 443 also revealed a domain name, "weakness.jth", so I added this domain name to my /etc/hosts and checked the web service running on that domain. Nothing really interesting here except the ASCII art of a rabbit and the text "n30". Maybe n30 is a username that may be used later? So I saved it in my notes and started bruting files/dirs with dirsearch. Dirsearch revealed this interesting directory, /private, so I visited this dir in the browser and found two files: mykey.pub and notes.txt. ...

Facebook BugBounty  - Disclosing page members

For privacy reasons, the identity of page members (admins/mods/analysts) is kept secret by Facebook, and normal page visitors cannot find details about these members. But back in July 2018, when I was hunting for bugs in Facebook, I found multiple ways to disclose the members of a Facebook page. Disclosing post creators with the 'Get Messages' feature: This feature, named "Get Messages", is available on Facebook pages when uploading posts and such. Mainly e-commerce and online shopping websites use this feature with one of their products, so whenever a visitor wants to know more about that particular product, they can simply click on the "Send message" button. A post with this feature enabled looks something like the screenshot below. The bug here is that if we click on this "Send message" button, the profile ID of the creator is leaked in one of the responses coming from the host https://x-edge-chat.facebook.com which i...

[VulnHub] - Jarbas: 1 Walkthrough

~ Spoiler Alert ~ Recently I did Jarbas from VulnHub and below is my walkthrough for this machine. First, to obtain the IP address of the target machine, I used netdiscover. My Kali machine booted later than the target machine, so obviously the Jarbas machine's IP is 192.168.16.134. A quick port scan on the IP address revealed some open ports: 22 (SSH), 80 & 8080 (HTTP) and 3306 (MySQL). No SSH creds were initially provided and MySQL also didn't allow remote access, so I skipped ports 22 and 3306 and moved on to port 80. The homepage for port 80 looks something like the image below. In the machine's description, the author mentions that this machine (Jarbas) is a tribute to a Brazilian search engine of the 90s. The homepage of the machine also displays a static page copied from the Wayback Machine of the same search engine, jarbas.com.br. Since it's a static page directly copied from the Wayback Machine, there's nothing interesting, so I moved to port 80...