My Setup

Blog Revamp! Serverless Auto-deploy with Github Action, Hugo, S3, Route53 and CloudFront

TLDR: After a few server crashes, I rebuilt the site with Hugo, recreated a CI/CD pipeline and deployed it statically on AWS. Why am I doing this… again? It has been a little more than a year since I first made the site. When I started building it, I wanted to have as much customisability as possible. I learnt a lot and had great fun doing it… but recently, it felt like I was using a chainsaw as my kitchen knife. ...

November 28, 2024 · 5 min · 1034 words
Escape

A Reflection: How my journey to work on fundamentals made me cross-path with a new EDR bypass for LSA dump

Link to an article that goes into great technical detail about the concept I stumbled across in my experiment: https://www.orangecyberdefense.com/global/blog/cybersecurity/bypassing-edr-to-dump-lsa-secrets This article is written to record the first time I found something new by myself through diving deeper, trying harder and synthesising ideas. It led me to stumble across the newest research, and that has been extremely motivating for me. For those who know me, it’s no secret that I love digging into the fundamentals and avoid black-box ideas as much as possible. As a kinesthetic learner (someone who learns best through tinkering), I thrive on understanding the underlying mechanics and processes in detail. And when it comes to cybersecurity, my curiosity often leads me down many rabbit holes. ...

November 22, 2024 · 4 min · 732 words
Escape

HTB Box - Escape (Windows) Writeup

Escape is a Windows machine. I use techniques such as an MSSQL relay attack, plain-text credential search, exploitation of misconfigured Active Directory Certificate Services and pass-the-hash to gain root on this system. Initial Foothold The standard nmap scan reveals that this is another Active Directory Domain Controller. My methodology leads me to check the SMB network shares. I quickly found a share named Public that contains a manual for the MSSQL server on the machine. ...

May 3, 2024 · 3 min · 498 words
Forest

HTB Box - Forest (Windows) Writeup

In this machine, I had to perform ASREPRoast, abuse WriteDACL privileges and finally gain root with the DCSync technique. Initial Foothold The nmap scan revealed a very standard Active Directory Domain Controller setup. Using the intuition I gained from previous machines, I started by drilling into SMB and LDAP. nmap 10.129.95.210 -sC -sV Both protocols returned some information about the AD but could not be exploited further. I extracted the user list with crackmapexec and used sed to keep only the usernames in a txt file for ease of use. ...

April 26, 2024 · 3 min · 550 words
Pandora

HTB Box - Pandora (Linux) Writeup

Welcome back to the CTF blog, where we take on Pandora, a Linux box. In this episode, we focus on leveraging a weak SNMP configuration, an unauthenticated RCE vulnerability in Pandora FMS and PATH overriding to pwn the box. Initial Foothold Our journey begins with an nmap scan to gather more insight about the Pandora box. nmap 10.129.210.204 -sV -sC -oA pandora The box surprisingly returned nothing of interest. A thorough check of the website on port 80 also suggested that there is nothing to tinker with. ...

April 19, 2024 · 4 min · 717 words
Support

HTB Box - Support (Windows) Writeup

This box was pretty rough for me. Enjoy the ride! Initial Foothold As usual, I started my recon with the usual nmap scan. The scan mistakenly stated that the host was down. Following nmap's suggestion, I added the -Pn flag, which tells nmap to skip the host-discovery stage and scan as if the target IP is online (Windows hosts commonly drop the ICMP probes nmap uses for discovery, so this false "host down" result is typical). The initial nmap scan clearly shows that the target this time is a Windows Active Directory box, judging by the services available. ...

March 22, 2024 · 4 min · 726 words
Active

HTB Box - Active (Windows) Writeup

Windows, and especially Active Directory (AD), is a big part of OSCP, and no practice will be too much practice. Initial Foothold The target is a Windows machine. I quickly did an nmap scan to understand what services are available. nmap -sC -sV <ip-address> -oA active The open port 3268 (LDAP Global Catalog) together with the LDAP service suggests that I am dealing with an AD Domain Controller. Without any clue about credentials or users, I started by attempting an anonymous (null session) SMB login using enum4linux. ...

March 15, 2024 · 2 min · 376 words
Broker

HTB Box - Broker (Linux) Writeup

Welcome to my first CTF walkthrough write-up. This is going to be a series where I do CTFs in preparation for OSCP. Initial Foothold Broker is a Linux machine. To better understand the machine, I did an nmap scan for quick reconnaissance. nmap <ip-address> -sC -sV -oA broker The scan quickly reveals that the target is an ActiveMQ instance behind an nginx server. ActiveMQ is an open-source message broker (I see what you did there, HTB) written in Java that shares data asynchronously between systems. In other words, one can think of it as a traffic system, but instead of cars, it regulates the flow of messages (data) between different applications. ...

March 8, 2024 · 3 min · 471 words
Magic Byte

The Magic Byte

TLDR: A novice learns about magic bytes for the first time, and about the importance of understanding the mechanism behind implementations. Thursday night, an image file upload vulnerability in an attack box. I had a linear plan: fuzz the file extension and use whatever got through for command injection. Reality hit me as I soon found out it was not so simple. My SVG XXE payload got through, but I could not say the same for my PHP payload. So I used XXE to peek into the file type checking mechanism. ...

October 4, 2023 · 3 min · 450 words
Obsidian

Detour for productivity: Falling in love with Obsidian

As a natural progression from learning more about markdown files, I moved on to the new hype in productivity tools, Obsidian, to check out if it is any good. Obsidian is essentially a note-taking application that links markdown files together with backlinks. With these linked markdown files stored inside a vault folder, it can provide meaningful insight into how notes are connected, similar to how the human brain works. I started with some of the concepts I picked up along the way and immediately fell in love with them. I could have stopped there and let it stay a note-taking application. But as a CS enthusiast at heart, I immediately thought about how to customise it for my workflow. ...

August 7, 2023 · 3 min · 534 words