This box was created by egre55 and mrb3n. It takes us through exploiting a simple IDOR in a web application to escalate our privileges and access a task list, which reveals a virtual host used for development and testing. We then exploit an unserialize RCE in the PHP Laravel framework and receive a reverse shell. Finally, we enumerate the machine to find credentials and sensitive files, and use misconfigured permissions on /usr/bin/composer to escalate to root.
Feline is a super fun box created by MinatoTW and MrR3boot, two hackers I admire a lot for their work. Give them a follow on their Twitter profiles! This box takes us from exploiting a Java deserialization in a custom web application hosted on an Apache Tomcat server, to exploiting an RCE in SaltStack to gain a shell inside a Docker container, and finally to getting root on the host by exploiting an exposed docker.sock file.
This blog will teach you how content security policies work and how they prevent attacks such as XSS and clickjacking. We will also cover some scenarios with CSP misconfigurations to understand how an attacker can leverage them to their own benefit, and ways to prevent that. After reading this blog, you should have a better understanding of how CSP works, and you will be able to analyze CSP headers and detect misconfigurations in the wild.
This box was created by polarbearer. It takes us through exploiting a deserialization vulnerability in “Ruby on Rails” to achieve remote code execution as a regular user, then running commands as root by cracking a user hash disclosed in an SQL file and using Google Authenticator to get through the 2FA verification on the Linux box.
This article will cover the mechanisms of Base64 encoding. If you’re into cybersecurity or programming, then you might have come across Base64. These days it’s used in a huge number of applications for easy data transmission, encoding, etc. We see a bunch of random letters with an equals sign at the end, and the next moment we try to decode them. Ever wondered how that bunch of letters stores data?