Posts

Showing posts from July, 2020

Hacker 101 CTF Walkthrough: Petshop Pro

I am back with another walkthrough of one of HackerOne's CTFs, Petshop Pro. Let's look at the interface of this web page.

How I got my first private invitation to a bug bounty program?

Bug bounty platforms are rapidly gaining popularity among ethical hackers and penetration testers. They provide crowdsourced security testing to companies: hackers look for security loopholes in the companies' websites and in turn get paid for each valid submission. But as these platforms gain popularity and more and more people find security bugs in public programs, fewer vulnerabilities are left to be found there, so private invitations are a better choice. As the word "private" suggests, not everyone is allowed to hack on a private program the way they can on a public one; only selected hackers, chosen for their skill set and achievements, are invited. I got invited to one of these private programs, and since it is pretty confusing for newbies to know how they can be invited to a private program, I'll make it clear and concise for you. HackerOne is a famous and probably the number one bug bounty platfor

Important points I learned from Mr Robot CTF

I did the Mr. Robot CTF today on www.tryhackme.com, and I thought it would be better to share the lessons I learned from it rather than write a walkthrough (there are tons of walkthroughs of Mr. Robot available online). GoBuster is better than DirBuster: I ran DirBuster on the machine for quite some time, but it didn't find some pages, including robots.txt. robots.txt is an important page and it carried some useful information; GoBuster detected robots.txt, so in this case GoBuster performed better. If it's WordPress, go nowhere but WPScan: if the target is WordPress-based, then WPScan is your go-to tool for enumeration and brute-forcing. I tried different tools for brute-forcing credentials on the machine, such as Burp Intruder, Hydra and Metasploit, but they all took a lot of time, whereas the brute-forcing performed by WPScan (using XML-RPC, which I'll explain next) was fast and very efficient. XML-RPC in WordPress: WPS

Not getting a shell on the Mr. Robot CTF on TryHackMe?

Well, this was my first machine on THM and I pulled my hair out over not getting the shell when I was doing everything just right. It was the Mr. Robot CTF, and I tried literally everything to get the shell: a PHP reverse shell, a Meterpreter session, Metasploit's wp_admin module, malicious WordPress plugins, all to no avail. I turned to TryHackMe's Discord server to check what I was doing wrong, and what came out was very funny and frustrating at the same time 😅. Let's take the example of the PHP reverse shell: when you submit the PHP shell code in the 404.php page, you have to configure two things, one is your IP (LHOST) and the other is your port. I was putting my eth0/wlan0 IP address into LHOST and I was never getting anything back on netcat. Because TryHackMe uses an OpenVPN connection to reach their servers, your eth0/wlan0 IP is not your LHOST; after connecting to OpenVPN, run the ip address command and use the tun0 IP address. This is your listening host, aka LHOS