https://noobintheshell.com/ Recent content on noobintheshell :: blog Hugo -- gohugo.io en {year}, Some Rights Reserved - Sat, 07 Jan 2023 00:00:00 +0000 daily https://noobintheshell.com/posts/kringlecon5/ Sat, 07 Jan 2023 00:00:00 +0000 Sat, 07 Jan 2023 00:00:00 +0000 https://noobintheshell.com/posts/kringlecon5/ The SANS Holiday Hack Challenge is back! And with it, the long awaited fifth edition of KringleCon! This year challenges were covering logs and PCAP analysis, CI/CD vulnerabilities, a container escape, webapp hacking (XXE, CSP bypass), an introduction to AWS CLI for cloud discovery and an introduction to smart contracts. KringleCon is as well an online security conference and you can find all the talks on KringleCon’s Youtube channel. The same Discord channel as last year was available to interact with the community. noobintheshell featured image kringlecon holidayhack ctf holidayhack https://noobintheshell.com/posts/kringlecon4/ Sat, 08 Jan 2022 00:00:00 +0000 Sat, 08 Jan 2022 00:00:00 +0000 https://noobintheshell.com/posts/kringlecon4/ The SANS Holiday Hack Challenge is back! And with it, the fourth edition of KringleCon and Jack Frost! The fourth edition of Kringlecon was a blast! This year challenges were covering webapp hacking (SQLi, SSRF, business logic issues), binary analysis, digital forensics (logs and network capture analysis), Active Directory attacks, learning Python and shellcoding, some encryption attack, analyzing an IMDS service and FPGA programming. Two challenges on Log4Shell were added as well during the challenge. noobintheshell featured image kringlecon holidayhack ctf holidayhack https://noobintheshell.com/posts/mcafee_ctf_2021/ Sat, 20 Feb 2021 00:00:00 +0000 Sat, 20 Feb 2021 00:00:00 +0000 https://noobintheshell.com/posts/mcafee_ctf_2021/ This was the first CTF organized by McAfee Advanced Threat Research Team. It was held from February 5th, 2021 to February 18th, 2021 and was initially made for their internal employees. I was able to complete all but one challenge (the crypto One Time Only!) and finished at the 9th place: scoreboard Here is my write-up… WEB 100 - A DNS query to rule them all! The web server that hosts this webpage has a flag on it. noobintheshell featured image cmd_injection apk heap shellcode squashfs ham sstv aes-cbc ctf https://noobintheshell.com/posts/kringlecon3/ Tue, 12 Jan 2021 00:00:00 +0000 Tue, 12 Jan 2021 00:00:00 +0000 https://noobintheshell.com/posts/kringlecon3/ The SANS Holiday Hack Challenge is back! And with it, the third edition of KringleCon! This year’s challenges were a good mix of defensive and offensive skills. Topics varied from webapp hacking, crypto, log analysis, binary analysis to improving JS, regex and network skills. There were as well some simulated hardware challenges. The most challenging part was the analysis and recovery of a custom blockchain’s block that was stealthily altered. noobintheshell featured image kringlecon holidayhack ctf holidayhack https://noobintheshell.com/posts/htb_book/ Sat, 11 Jul 2020 00:00:00 +0000 Sat, 11 Jul 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_book/ Book is a Medium Linux box created by MrR3boot. It was released on February 22nd, 2020 and retired on July 11th, 2020. The users rated the difficulty 6.2/10 and gave an appreciation score of 4.1/5. Book Info Card TL;DR We access a virtual library where we can download, upload and comment books. The account registration flow contains a vulnerability that allows overwriting any user’s password. We overwrite the admin’s and to access the admin panel. noobintheshell featured image arbitrary_file_read server-side_xss dynamic_pdf logrotate race_condition pentest htb_box https://noobintheshell.com/posts/htb_forwardslash/ Sat, 04 Jul 2020 00:00:00 +0000 Sat, 04 Jul 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_forwardslash/ ForwardSlash is a Hard Linux box created by InfoSecJack and chivato. It was released on April 4th, 2020 and retired on July 4th, 2020. The users rated the difficulty 6.3/10 and gave an appreciation score of 3.8/5. ForwardSlash Info Card TL;DR We access a website defaced by a hacker group. Checking for VHOSTs, we find a backup website with a login page. We can register and log in. noobintheshell featured image lfi xxe xss luks pentest htb_box https://noobintheshell.com/posts/htb_playertwo/ Sat, 27 Jun 2020 00:00:00 +0000 Sat, 27 Jun 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_playertwo/ PlayerTwo is an Insane Linux box created by MrR3boot and b14ckh34rt. It was released on December 14th, 2019 and was retired on June 27th, 2020. The users rated the difficulty 7.7/10 and gave the box an appreciation score of 4.4/5. PlayerTwo Info Card TL;DR We start by enumerating a VHOST on port 80 that gives us access to a login page. We discover as well an API endpoint totp. noobintheshell featured image triwp protobuf totp firmware_injection mqtt mosquitto heap pwn tcache_poisoning libc2.29 double_free null_byte_overflow pentest htb_box https://noobintheshell.com/posts/htb_servmon/ Sat, 20 Jun 2020 00:00:00 +0000 Sat, 20 Jun 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_servmon/ ServMon is an Easy Windows box created by dmw0ng. It was released on April 11th, 2020 and retired on June 20th, 2020. The users rated the difficulty 4.1/10 and gave an appreciation score of 2.1/5. ServMon Info Card TL;DR We access an FTP server anonymously to retrieve some information about a password file in nathan home directory. A directory traversal/arbitrary file read vulnerability on a NVMS-1000 instance allows us to read this file and get nadine password. noobintheshell featured image arbitrary_file_read nvms-1000 nsclient++ pentest htb_box https://noobintheshell.com/posts/htb_monteverde/ Sat, 13 Jun 2020 00:00:00 +0000 Sat, 13 Jun 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_monteverde/ Monteverde is a Medium Windows box created by egre55. It was released on January 11th, 2020 and retired on June 13th, 2020. The users rated the difficulty 4.8/10 and gave an appreciation score of 4.3/5. Monteverde Info Card TL;DR We can anonymously bind to an Active Directory to retrieve the list of users and service accounts. The service account SABatchJobs password is the same as the username. noobintheshell featured image ldap_anonymous_bind default_password azure_ad_connect pentest htb_box https://noobintheshell.com/posts/htb_nest/ Sat, 06 Jun 2020 00:00:00 +0000 Sat, 06 Jun 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_nest/ Nest is an Easy Windows box created by VbScrub. It was released on January 25th, 2020 and retired on June 5th, 2020. The users rated the difficulty 5.2/10 and gave an appreciation score of 4/5. Nest Info Card TL;DR We access some SMB shares anonymously and retrieve an HR email template containing a temporary user password. We have more accesses with that user and can read a bunch of XML configuration files in the IT share. noobintheshell featured image xattr ads vb.net aes-cbc pbkdf2 pentest htb_box https://noobintheshell.com/posts/htb_resolute/ Sat, 30 May 2020 00:00:00 +0000 Sat, 30 May 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_resolute/ Resolute is a Medium Windows box created by egre55. It was released on December 7th, 2019 and retired on May 30th, 2020. The users rated the difficulty of this box 4.8/10 and gave it an appreciation score of 4.7/5. Resolute Info Card TL;DR We can bind anonymously to a Windows 2016 Active Directory where we find a comment in a user object that contains the default password used when creating new users. noobintheshell featured image ldap_anonymous_bind powershell_transcript dnsplugin_dll_injection pentest htb_box https://noobintheshell.com/posts/htb_rope/ Sat, 23 May 2020 00:00:00 +0000 Sat, 23 May 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_rope/ Rope is an Insane Linux box created by R4J. It was released on August 3rd, 2019 and retired on May 23rd, 2020. The users rated the box difficulty 7.9/10 and gave it an appreciation score of 4.6/5. Rope info card TL;DR We access a dummy HTML page that contains an Arbitrary File Read vulnerability that we use to retrieve the web server binary. It happens to be a modified version of tiny-web-server. noobintheshell featured image arbitrary_file_read fmtstr selfmaps bof canary rop ret2libc kern.log pentest htb_box https://noobintheshell.com/posts/htb_patents/ Sat, 16 May 2020 00:00:00 +0000 Sat, 16 May 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_patents/ Patents is a Hard Linux box created by gbyolo. It was released on January 18th, 2020 and was retired on May 16th, 2020. The users rated the difficulty 7.8/10 and gave an overall score of 4/5 to the box. Patents Info Card TL;DR We have access to a website that manages patents. The main feature is a file upload to convert DOCX to PDF. We find a hidden release note that mentions that entity parsing is enabled in DOCX custom folders. noobintheshell featured image docx xxe lfi rce pwn bof rop ret2libc pentest htb_box https://noobintheshell.com/posts/htb_obscurity/ Sat, 09 May 2020 00:00:00 +0000 Sat, 09 May 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_obscurity/ Obscurity is a Medium Linux box created by clubby789. It was released on November 30th, 2019 and retired on May 9th, 2020. The users rated the difficulty 4.8/10 and gave an overall score of 4/5 to the box. Obscurity Info Card TL;DR We discover the Python source code of the custom web server in a hidden folder of the website it hosts. After analysis, we find out that the server is vulnerable to RCE through the URI. noobintheshell featured image custom_httpd custom_encryption custom_sshd rce pentest htb_box https://noobintheshell.com/posts/htb_openadmin/ Sat, 02 May 2020 00:00:00 +0000 Sat, 02 May 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_openadmin/ OpenAdmin is an Easy Linux box created by dmw0ng. It was released on January 4th, 2020 and retired on May 2nd, 2020. The users rated the difficulty 4.4/10 and gave an overall score of 4.5/5 to this box. OpenAdmin Info Card TL;DR We discover a website that contains a broken login page link that gives access to an OpenNetAdmin instance. The installed version has a known RCE vulnerability that we exploit to get jimmy password. noobintheshell featured image opennetadmin nano pentest htb_box https://noobintheshell.com/posts/htb_control/ Sat, 25 Apr 2020 00:00:00 +0000 Sat, 25 Apr 2020 00:00:00 +0000 https://noobintheshell.com/posts/htb_control/ Control is a Hard Windows box created by TRX. It was released on November 23rd, 2019 and was retired on April 25th, 2020. The users rated the difficulty 6.4/10 and gave an overall score of 4.5/5 to this box. Control Info Card TL;DR The admin portal of a website is not protected and is supposed to be accessed only through a proxy. This is bypassed using the X-Forwarded-For HTTP header. noobintheshell featured image x-forwarded-for sqli registry_acl pentest htb_box