

In attack-defense CTFs, leaving backdoors is an important part of maintaining access to a target system. Learning some backdoor techniques is therefore essential, not only for attackers but also for defenders.

Backdoors: what are they?

Well, I’m not going to go into as much detail as Wikipedia, but here’s the short version:

A backdoor is a hidden piece of code, a script, or a program placed on a system for persistence, so that you don’t have to exploit the same system twice. It simply gives you quick, repeatable access to the system.

Now that we know what a backdoor is…


After using Kali 2019.4 for almost 2 years, I finally upgraded my Kali to 2021.2. I wanted to try Parrot or build a weaponized version of Ubuntu, but because I like simplicity, I decided to use Kali again 😄 //slap.

In this post, I’d like to share my Kali Linux setup for playing HackTheBox. I guess it is applicable to TryHackMe, VulnHub or other boot2root platforms, too (I hope).

Display IP Address in Prompt

Adding the IP address to your prompt is really helpful because it lets you copy the IP faster when setting up a reverse shell. To do so, we’ll modify the .zshrc file. …
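One way to resolve the address that the prompt shows, as an added example rather than the post’s own .zshrc snippet. It reads the address of the VPN interface first and falls back to the LAN interface; the interface names tun0 and eth0 and the prompt colours are assumptions, not taken from the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): helpers that resolve the IP address
# shown in the prompt. Interface names tun0 (HTB/THM VPN) and eth0 are assumptions.

# Parse `ip -4 -o addr show dev <iface>` output from stdin and print the first
# IPv4 address without its prefix length. With -o each address is one line, e.g.
#   5: tun0    inet 10.10.14.7/23 scope global tun0\       valid_lft forever ...
# so field 3 is "inet" and field 4 is "addr/prefix".
ip_from_addr_output() {
    awk '$3 == "inet" { split($4, a, "/"); print a[1]; exit }'
}

# Query a live interface; prints nothing if it is absent, down, or has no address
# (stderr is silenced so a missing VPN interface does not spam the prompt).
iface_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | ip_from_addr_output
}

# Pick the address for the prompt from the interfaces given as arguments, in
# order of preference; print a marker and fail if none of them has an address.
prompt_ip() {
    local iface addr
    for iface in "$@"; do
        addr=$(iface_ip "$iface")
        if [ -n "$addr" ]; then
            printf '%s' "$addr"
            return 0
        fi
    done
    printf '%s' 'no-ip'
    return 1
}

# In ~/.zshrc, source this file and let the prompt re-run the function on every
# draw. PROMPT_SUBST is what makes $(...) expand inside PROMPT:
#   setopt PROMPT_SUBST
#   PROMPT='%F{red}[$(prompt_ip tun0 eth0)]%f %~ %# '
```

Because the function is re-evaluated on every prompt, the address updates as soon as the VPN comes up or changes, and the `no-ip` marker tells you at a glance that you are not connected yet.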


Recently, I’ve been building my own blog at https://fahmifj.github.io/ and it has been up for three months now. To build it, I used a static site generator called Hugo. Hugo is a great tool for creating static websites in my opinion.

In this post, I’d like to share how to create your own and I’ll also cover the deployment/hosting steps using GitHub Pages!

Goals

Our main goals:

  • Installing Hugo
  • Using Hugo theme
  • Deploying Hugo site with Github

Prerequisites

And there are some prerequisites needed to accomplish these goals:


DC-9

DC-9 from VulnHub features a website that is vulnerable to SQL injection. I’m able to dump a bunch of users’ credentials by leveraging the SQLi and gain a foothold on the system after spraying these credentials against SSH. One of the users has sudo privileges on a custom binary, which allows me to perform an arbitrary file write as root.

Actually, there is a port-knocking rule on this machine to open the SSH port, but when I first solved this machine, my full nmap scan broke that rule.

Even though I gained a foothold by skipping the…



In this post, I would like to share a quick tutorial (I guess) on how to set up a VulnHub machine on your local network.

I’ll assume that you are already familiar with software installation, know what host OS and guest OS mean, and probably some basic networking. If you don’t, just follow along 😀!

What is VulnHub?

VulnHub is a website that provides vulnerable virtual machines (VMs) for those who want to gain practical experience in penetration testing. It is similar to Hack The Box and TryHackMe, but with VulnHub you can practice locally. …


DC-6 starts off by enumerating usernames from a WordPress website. I’m able to obtain a set of credentials for the admin panel with a brute-force attack. There is a WP plugin which can be leveraged to gain a foothold on the system. A to-do note containing a user’s credentials is discovered while enumerating the home directory. For the root part, there are sudo privileges on a writable backup script and on nmap, which allow me to escalate to other users and then straight to root.

Reconnaissance

Host Discovery — arp-scan

Because 192.168.2.1 and 192.168.2.2


GoHTB

Delivery from HackTheBox is all about exploiting a logic flaw called TicketTrick, which was discovered by Inti De Ceukelaire.

The original article is linked below:

On this machine, there is a helpdesk ticketing system that gives an unauthenticated user a temporary email address on a legitimate company domain. Using that email, I’m able to register on Mattermost and gain access to the company’s private communication channel. The conversation in the channel leaks a set of SSH credentials and a password whose variant is in use on the system. There is a set of database credentials in the Mattermost configuration…


Ready is a medium difficulty Linux machine from Hack The Box that features a self-hosted GitLab instance which is vulnerable to remote code execution by chaining two CVEs, and that gives me a foothold in a container. Enumerating inside the container reveals a password that is reused by the container’s root account. The container turns out to be running in privileged mode, which can be exploited by mounting the host’s drive (the Linux filesystem) inside the container.
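The writeup says the container runs in privileged mode and that the host’s drive can be mounted from inside it. Before trying the mount, it is worth confirming what the container’s effective capability set looks like, because a stock Docker container keeps only a small set of capabilities and the mount will simply fail without CAP_SYS_ADMIN. The check below is an added example, not code from the original writeup: it decodes the CapEff mask from /proc/self/status and compares it against the capabilities a default container lacks. The capability numbers are the kernel’s (include/uapi/linux/capability.h); the device name /dev/sda1 in the comments is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): decide from inside a container
# whether its effective capability set looks like --privileged before trying to
# mount the host's disk. Capability bit numbers follow include/uapi/linux/capability.h.
CAP_SYS_MODULE=16
CAP_SYS_RAWIO=17
CAP_SYS_ADMIN=21

# Print the CapEff hex value from a /proc/<pid>/status stream on stdin.
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }'
}

# cap_has HEX BIT: succeed if capability number BIT is set in the hex mask HEX.
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Succeed if the mask holds capabilities Docker strips by default. The default
# Docker set is 00000000a80425fb; --privileged grants every bit, which shows up
# as 0000003fffffffff on older kernels (38 caps) or 000001ffffffffff on 5.9+.
looks_privileged() {
    cap_has "$1" "$CAP_SYS_ADMIN" &&
        cap_has "$1" "$CAP_SYS_MODULE" &&
        cap_has "$1" "$CAP_SYS_RAWIO"
}

# Live check on the current process; fails when the container looks restricted.
# On success the writeup's next step is to locate the host disk (fdisk -l) and
# mount it somewhere inside the container, e.g. mount /dev/sda1 /mnt
# (the device name is an assumption; read it from fdisk -l on the target).
check_self() {
    local caps
    caps=$(capeff_from_status < /proc/self/status)
    if looks_privileged "$caps"; then
        echo "CapEff=$caps: SYS_ADMIN/SYS_MODULE/SYS_RAWIO present; try: fdisk -l && mount /dev/sda1 /mnt"
    else
        echo "CapEff=$caps: restricted capability set, mounting the host disk will not work"
        return 1
    fi
}

# Usage: bash capcheck.sh --check   (runs the live check only when asked)
if [ "${1:-}" = "--check" ]; then
    check_self
fi
```

The mask is the same information `capsh --decode` would print, but decoding it with shell arithmetic works on a minimal container image where libcap tools are not installed.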

Raw notes available on my GitHub.

Reconnaissance

Nmap

An all-ports scan with nmap discovers two open ports: SSH on port 22…


Time is a medium difficulty Linux machine that features a web application which provides JSON beautifier and validator services. Testing some invalid inputs exposes an unhandled error message, indicating that the app is backed by the Jackson library. Searching for the error message on Google leads to a research blog about deserialization in Jackson. After reproducing the steps from the blog, I’m able to gain a foothold on the box. Enumerating the files reveals a timer script that is executed by the root user every 10 seconds. …


Passage is a medium difficulty Linux machine that features a news management software called CuteNews. The software is known to be vulnerable to remote code execution, allowing an attacker to gain a foothold on the system via the avatar upload feature. Looking into the source files of the software reveals a few password hashes that can be recovered with a dictionary attack. One of the recovered passwords can be used to escalate to the first user, and it turns out that this user shares the same SSH key with the second user. …

Fahmi J

Always curious to learn how things work, especially in digital world
