capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Meow Machine

Another day, another challenge…

In today’s post we’re going to solve the Appointment box from HackTheBox’s Starting Point Series.

The Appointment box explores the following concepts – Linux, Networking, and Account Misconfiguration.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Sequel Machine

Another day, another challenge…

In today’s post we’re going to solve the Appointment box from HackTheBox’s Starting Point Series.

The Sequel box explores the following concepts – Linux, SQL, MariaDB, and Weak Passwords.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Fawn Machine

Another day, another challenge…

In today’s post we’re going to solve the Fawn box from HackTheBox’s Starting Point Series.

The Appointment box explores the following concepts – Linux, FTP (File Transfer Protocol), and Account Misconfiguration.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Dancing Machine

Another day, another challenge…

In today’s post we’re going to solve the Dancing box from HackTheBox’s Starting Point Series.

The Appointment box explores the following concepts – Linux, Structured Query Language (SQL), Structured Query Language Injection (SQLi), and MariaDB which is a community supported fork of the MySQL database.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Appointment Machine

Another day, another challenge…

In today’s post we’re going to solve the Appointment box from HackTheBox’s Starting Point Series.

The Appointment box explores the following concepts – Linux, Networking, and Account Misconfiguration.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, hacking, owasp

@RealTryHackMe #AdventOfCyber Series: Challenge 5 – Pesky Elf Forum

Another day, another challenge…

In this post, we’re starting a new series the Advent of Cyber series that is hosted by TryHackMe. This is the third year of the Advent of Cyber where a challenge is released everyday leading to Christmas. In total there will be 25 challenges. In these challenges, we’re McSkidy an elf trying to save Christmas.

In our fifth challenge, we’re presented with a scenario where the elves express their joy in a forum. Unfortunately for the elves, the Grinch has created an admin an account on the forum and has installed a bad plugin that changes Christmas to Buttmas *GASP*. We can’t have that for the kids and Santa!

The topic explored in this challenge was Cross-Site Scripting (XSS). We learned there are four flavors – Document Object Model (DOM), Reflected, Stored, and Blind, and why XSS is important. XSS in a nutshell is an injection attack where the input is not being validated or sanitized. Meaning the application allows ANY input from the user. This can be *hint, hint* HTML, JavaScript, etc. Of all the different flavors of XSS the most dangerous/catastrophic is Stored XSS. As the name implies it stores the payload into for instance a database. Meaning anyone that visit the website or invokes the particular database will be susceptible to that attack. We will use Stored XSS in this challenge.

Can we use the information we learned about XSS to remove the bad plugin in the forum?

Well… click the below video to find out!

If you enjoy my content, buy me a coffee. Link –> http://buymeacoffee.com/thefluffy007

capture the flag, hacking, owasp

@RealTryHackMe #AdventOfCyber Series: Challenge 4 – Santa’s Running Behind

Another day, another challenge…

In this post, we’re starting a new series the Advent of Cyber series that is hosted by TryHackMe. This is the third year of the Advent of Cyber where a challenge is released everyday leading to Christmas. In total there will be 25 challenges. In these challenges, we’re McSkidy an elf trying to save Christmas.

In our fourth challenge, we’re presented with a scenario where Santa is running behind! We also learned that Santa has been naughty and did not adhere/follow the password requirements. Christmas is in jeopardy, and we need to help Santa get back on track. In this challenge the topics explored are authentication which is used to verify who we are to a system. The most common way to do this is with a username and password, but another technique is to use biometrics which is something that is unique to a person such as their fingerprint and/or retina (eye) scan.

The next topic discussed is fuzzing which is the automated process of finding information. In our case, we’re going to use fuzzing to find Santa’s password to get into the system and view his calendar. With fuzzing, there’s a tool that’s going to be used an interception proxy which intercepts requests before they are sent to the server. Remember the HTTP protocol (which we’re using) relies on requests and responses to communicate.

Can we use the topics above to make sure Santa stays on schedule and deliver the presents on time?

Well… click the below video to find out!

P.S. We also need to have a serious talk with Santa on following the password requirements in the future, so this doesn’t happen again!

If you enjoy my content, buy me a coffee. Link –> http://buymeacoffee.com/thefluffy007

capture the flag, hacking, owasp

@RealTryHackMe #AdventOfCyber Series: Challenge 3 – Christmas Blackout

Another day, another challenge…

In this post, we’re starting a new series the Advent of Cyber series that is hosted by TryHackMe. This is the third year of the Advent of Cyber where a challenge is released everyday leading to Christmas. In total there will be 25 challenges. In these challenges, we’re McSkidy an elf trying to save Christmas.

In our third challenge, we’re presented with a scenario where there’s a Christmas blackout due to the email system and McSysAdmin losing access to their admin panel thanks to the Grinch nefarious activities! In this challenge we learn about content discovery. Content discovery is the process of looking for un-listed or un-related content online. This content is useful as it can be passwords, configuration files, etc. which can help us log into a website. Finally, we learn about default credentials and how it can help us gain access to a website.

Can we use the topics above to repair the email system and McSysAdmin to save Christmas?

Well… click the below video to find out!

If you enjoy my content, buy me a coffee. Link –> http://buymeacoffee.com/thefluffy007

capture the flag, hacking, owasp

@RealTryHackMe #AdventOfCyber Series: Challenge 2 – Elf HR Problems #websecurity #infosec

Another day, another challenge…

In this post, we’re starting a new series the Advent of Cyber series that is hosted by TryHackMe. This is the third year of the Advent of Cyber where a challenge is released everyday leading to Christmas. In total there will be 25 challenges. In these challenges, we’re McSkidy an elf trying to save Christmas.

In our second challenge, we’re presented with a scenario where there are HR problems due to the Grinch and his nefarious activities! In this challenge we learn about HTTP(S) – HyperText Transport Protocol (Secure) which uses a client-server model by sending requests and responses. The challenge also delves into cookies which can be used to store information about a user. We can use cookies to do authentication bypass which means we can log in as another user without their password.

Can we use the topics above to repair the HR system and continue to save Christmas?

Well… click the below video to find out!

If you enjoy my content, buy me a coffee. Link –> http://buymeacoffee.com/thefluffy007