capture the flag, hacking, owasp

@RealTryHackMe #AdventOfCyber Series: Challenge 4 – Santa’s Running Behind

Another day, another challenge…

In this post, we’re starting a new series: the Advent of Cyber, hosted by TryHackMe. This is the third year of the Advent of Cyber, where a challenge is released every day leading up to Christmas. In total there will be 25 challenges. In these challenges, we play McSkidy, an elf trying to save Christmas.

In our fourth challenge, we’re presented with a scenario where Santa is running behind! We also learn that Santa has been naughty and did not follow the password requirements. Christmas is in jeopardy, and we need to help Santa get back on track. The first topic explored in this challenge is authentication, which is how we prove who we are to a system. The most common way to do this is with a username and password, but another technique is biometrics: something unique to a person, such as a fingerprint or a retina (eye) scan.

The next topic is fuzzing, the automated process of trying many inputs to discover information. In our case, we’re going to use fuzzing to find Santa’s password, get into the system and view his calendar. The fuzzing is done with an interception proxy, a tool that captures requests before they are sent to the server. Remember that the HTTP protocol (which we’re using) relies on requests and responses to communicate.

Can we use the topics above to make sure Santa stays on schedule and delivers the presents on time?

Well… click the video below to find out!

P.S. We also need to have a serious talk with Santa on following the password requirements in the future, so this doesn’t happen again!

If you enjoy my content, buy me a coffee. Link –> http://buymeacoffee.com/thefluffy007

capture the flag, hacking, owasp

@RealTryHackMe #AdventOfCyber Series: Challenge 3 – Christmas Blackout

Another day, another challenge…

In this post, we’re starting a new series: the Advent of Cyber, hosted by TryHackMe. This is the third year of the Advent of Cyber, where a challenge is released every day leading up to Christmas. In total there will be 25 challenges. In these challenges, we play McSkidy, an elf trying to save Christmas.

In our third challenge, we’re presented with a scenario where there’s a Christmas blackout: the email system is down and McSysAdmin has lost access to their admin panel thanks to the Grinch’s nefarious activities! In this challenge we learn about content discovery, the process of looking for unlisted or unrelated content online. This content is useful because it can include passwords, configuration files, and other material that helps us log into a website. Finally, we learn about default credentials and how they can help us gain access to a website.

Can we use the topics above to repair the email system, help McSysAdmin, and save Christmas?

Well… click the video below to find out!

If you enjoy my content, buy me a coffee. Link –> http://buymeacoffee.com/thefluffy007

capture the flag, hacking, owasp

@RealTryHackMe #AdventOfCyber Series: Challenge 2 – Elf HR Problems #websecurity #infosec

Another day, another challenge…

In this post, we’re starting a new series: the Advent of Cyber, hosted by TryHackMe. This is the third year of the Advent of Cyber, where a challenge is released every day leading up to Christmas. In total there will be 25 challenges. In these challenges, we play McSkidy, an elf trying to save Christmas.

In our second challenge, we’re presented with a scenario where there are HR problems due to the Grinch and his nefarious activities! In this challenge we learn about HTTP(S), the HyperText Transfer Protocol (Secure), which uses a client-server model of requests and responses. The challenge also delves into cookies, which can be used to store information about a user. Cookies can also be abused for authentication bypass, which means logging in as another user without their password.

Can we use the topics above to repair the HR system and continue to save Christmas?

Well… click the video below to find out!

If you enjoy my content, buy me a coffee. Link –> http://buymeacoffee.com/thefluffy007

capture the flag, hacking, owasp

@RealTryHackMe #AdventOfCyber Series: Challenge 1 – Save The Gifts #websecurity #infosec

Another day, another challenge…

In this post, we’re starting a new series: the Advent of Cyber, hosted by TryHackMe. This is the third year of the Advent of Cyber, where a challenge is released every day leading up to Christmas. In total there will be 25 challenges. In these challenges, we play McSkidy, an elf trying to save Christmas.

In our first challenge, we’re presented with a scenario where the Grinch is trying to destroy Christmas, possibly by using an IDOR (Insecure Direct Object Reference) vulnerability. An IDOR is a vulnerability where sensitive information can be accessed without proper authorization. These vulnerabilities can be found in real-world applications and are good test cases for bug bounties… *hint, hint*

Can we save Christmas by solving the first challenge and stopping the Grinch?

Well… click the video below to find out!

If you enjoy my content, buy me a coffee. Link –> http://buymeacoffee.com/thefluffy007

hacking, mobile

#MobileSecMondays Video 13 – Solving IG Learner Level 7

Another day, another challenge.

In this post, we will solve IG Learner Level 7. This level has constructed an insecure content provider. In Android-land, a content provider is a data repository; in this case, the data repository is a database. The objective of the level is to find the password for our user, John Doe.

Can we find John Doe’s password? Check out the below video to find out.

Enjoy!

If you enjoy my content, buy me a coffee. Link –> http://buymeacoffee.com/thefluffy007

hacking, mobile

#MobileSecMondays Video 11 – Solving IG Learner Level 4

Another day, another challenge.

In this video, we’re going to solve level 4 of the IG Learner app.

Topics explored: configuring a mobile device to use a manual proxy so it works with Burp. We’re using an interception proxy to capture and possibly modify traffic leaving the client (in this instance, our mobile app) on its way to the server.

Without further ado, the video is below!

Like my content? Buy me a coffee – http://buymeacoffee.com/thefluffy007

hacking, mobile

#MobileSecMondays Video 8 – So You Want To Configure Burp for Android Devices?! #bugbounties #androidhacking #infosec

Another day, another post.

You, the reader, get a three-for-one: three videos in one blog post.

The topic explored is configuring Burp for Android devices. Instead of making this one LONG video, I decided to break it into three videos.

The 1st video covers downloading the Certificate Authority (root) certificate for Burp.

The 2nd video covers adding the root certificate to our Android emulator using ADB (Android Debug Bridge) and configuring the device and Burp to intercept the traffic.

The 3rd video recaps, from the beginning, what we did to intercept traffic from an Android device.

I hope you enjoy the content. If you do, please like, subscribe, and share the post and videos!

Without further ado – THE VIDEOS!

Like my content? Buy Me a Coffee! Link here –> https://buymeacoffee.com/thefluffy007