Hello there 👋

Welcome to my blog. I will post things about cybersecurity, development and Linux. For more info, check my about page and my socials:

🚀 TL;DR - Git
  [draft]

You want to know how to use Git as a chad developer?

October 17, 2021 · 2 min · 0xNinja

🪛 Build your own mechanical keyboard

A simple and quick summary on how to build a mechanical keyboard on your own from scratch.

October 2, 2021 · 2 min · 0xNinja

You want to start to `pwn`?
  [draft]

So you want to start to pwn, don't you? Well, I did too! These are my notes on the past year of binary exploitation.

September 1, 2021 · 1 min · 0xNinja

How to install Archlinux

I recently installed Archlinux once again on a laptop. Let me explain how to do so.

August 18, 2021 · 6 min · 0xNinja

📦 HTB - Previse

TL;DR Bypass PHP redirect to access restricted page, create low priv web account, get website backup. Audit code and find OS command injection + MySQL creds, get reverse shell and dump database, get password hash and crack it to SSH. Privesc via path injection. Footholds nmap gives us only ports 22 and 80. We first get this website: Nothing we can deal with here, no SQL injection :( For more info I used dirsearch to fuzz the web pages, and it found the following:...

August 11, 2021 · 3 min · 0xNinja

📦 HTB - Schooled

Cool box, not too CTF-like and real-life applicable, my first FreeBSD 😄 But root part was too quick. TL;DR XSS to steal Moodle creds of teacher, privesc as manager and then RCE. Get MySQL in config file, dump users and get password hash. Break the hash with john to ssh as user. Common pkg install exploit for root. Footholds # Nmap 7.91 scan initiated Mon Aug 2 22:40:05 2021 as: nmap -A -p- -T4 -o nmap....

August 4, 2021 · 4 min · 0xNinja

📦 HTB - BountyHunter

⚠️ Writeup written months after root, so the information is not accurate. TL;DR JS source code disclosure to forge internal requests, leak PHP source code with XXE in custom request, get DB credentials. Privesc with code injection in custom code without input validation. Recon Only HTTP and SSH, nothing special. Footholds We have here a simple web server, with custom JS script to send bounty tickets. The portal tells us to go to /log_submit....

July 29, 2021 · 1 min · 0xNinja

📦 HTB - Explore

Pretty interesting box, first time seeing Android in HTB. TL;DR Exfiltrate files on device using ES File Explorer exploit, get user credentials. Root is straightforward with ADB. Footholds With nmap we get the following: # Nmap 7.91 scan initiated Wed Jul 28 14:49:28 2021 as: nmap -A -p- -o nmap.out explore.htb Nmap scan report for explore.htb (10.10.10.247) Host is up (0.043s latency). Not shown: 65530 closed ports PORT STATE SERVICE VERSION 2222/tcp open ssh (protocol 2....

July 29, 2021 · 2 min · 0xNinja