@kawing-ho
kawing-ho / 6443.md
Last active June 14, 2018 04:46
Writeups / Bug report for COMP6443 Final Exam

Subdomain Discovery

Discovered subdomains:

web.cdu9xbn8bapxzssooudpig.exam.ns.agency
srv.cdu9xbn8bapxzssooudpig.exam.ns.agency
scm1.cdu9xbn8bapxzssooudpig.exam.ns.agency
site.scm.cdu9xbn8bapxzssooudpig.exam.ns.agency
scm.cdu9xbn8bapxzssooudpig.exam.ns.agency
@kawing-ho
kawing-ho / r3s0urc3s.md
Last active April 23, 2020 17:12
For quick access to slides / other links :)

Server Side Request Forgery: Local Files

Target: https://ssrfsquared.ns.agency/

Proof of Concept

  1. Intercept the requests made between the front and back end of the site during the initial load
  2. Notice that there is a request for https://ssrfsquared.ns.agency/static?r=http%3A%2F%2F127.0.0.1%3A9447%2Fstyles.css, which can also be confirmed by viewing the source of the page
  3. This becomes an entry point for an attacker to probe the internal network
  4. Some files return the same content when accessed externally or internally such as index.html or styles.css
  5. When viewing https://ssrfsquared.ns.agency/static?r=http://127.0.0.1:9447/styles.css there is a hint that something else is on the server

Local File Disclosure

Vulnerability Details

Target: https://smartcontracts.dev1-x.ns.agency/contract.php

A user is able to access local files present on the server without any access controls, enabling them to view sensitive information such as the /etc/passwd file

Proof of Concept

  1. Enter file:///etc/passwd into the search bar
  2. The /etc/passwd file is then returned; a comment at the bottom states that the flag is at /flag

Description

This problem is so easy, it can be solved in a matter of seconds. Connect to c1.easyctf.com:12482.

Thought process

So the moment I read the title and description I knew it was something like a Time-Based Blind SQL Injection.

I began experimenting with different values to see if I could find a pattern ...

  • It seems that when the character is wrong, the time taken for the reply is short
@kawing-ho
kawing-ho / natas15.md
Last active April 5, 2018 13:19
This is NOT a write-up. I did not solve the challenge by myself, but in terms of understanding the technicals required to solve it I would say that I've solved it. This gist is about highlighting my thought process and how I can improve it to avoid making the same mistake I did here ...

Overview / TL; DR

  • As said in the description, this is NOT a write-up; there are many online that get straight to the point (what is required to solve the challenge), which unfortunately this gist is not 📚
  • I didn't solve the challenge mainly because I got ahead of myself and missed a crucial detail in one of the many approaches I took; in a sense I dived too deep down a rabbit hole, which closed me off from the real answer while I was digging deeper for one that simply wasn't there
  • natas15 is a Blind SQL Injection challenge, which I did not have knowledge of before (but I do now). In fact, the only SQLi I knew of before this was the simple auth bypass method (basically ' OR 1=1; -- ), so I'm actually glad I did this challenge till the very end because I ended up learning a lot!

Wtf is a "Blind" SQL Injection?

  • It's basically an SQL Injection but under the circumstances where the results aren't returned directly to you
  • More often than not you will only get responses along the
@kawing-ho
kawing-ho / HackIT CTF 2017 - USB Ducker.md
Last active April 5, 2018 13:19
This was a 100 point Forensics challenge, I spent a total of 4-5 hours on it which was probably more than necessary but at least I got it in the end :)