So you want to start to pwn, don’t you? Well, I did too! Those are my notes on the past year of binary exploitation.

I recently installed once again Archlinux on a laptop. Let me explain how to do so.

TL;DR Bypass PHP redirect to access restricted page, create low priv web account, get website backup. Audit code and find OS command injection + MySQL creds, get reverse shell and dump database, get password hash and crack it to SSH. Privesc via path injection. Footholds nmap gives us only ports 22 and 80. We first get this website: Nothing we can deal with here, no SQL injection :( For more info I used dirsearch to fuzz the web pages, and it found the following:

Cool box, not too CTF-like and real-life applicable, my first FreeBSD 😄 But root part was too quick. TL;DR XSS to steal Moodle creds of teacher, privesc as manager and then RCE. Get MySQL in config file, dump users and get password hash. Break the hash with john to ssh as user. Common pkg install exploit for root. Footholds 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 # Nmap 7.

⚠️ writeup wrote months after root so informations are not accurate. TL;DR JS source code disclosure to forge internal requests, leak PHP source code with XXE in custom request, get DB credentials. Privesc with code injection in custom code without input validation. Recon Only HTTP and SSH, nothing special. Footholds We have here a simple web server, with custom SJ script to send bounty tickets. The portal tells us to go to /log_submit.

Pretty interesting box, first time seeing Android in HTB. TL;DR Exfilter files on device using ES File explorer exploit, get user credentials. Root is straightforward with ADB. Footholds With nmap we get the following: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 # Nmap 7.91 scan initiated Wed Jul 28 14:49:28 2021 as: nmap -A -p- -o nmap.out explore.htb Nmap scan report for explore.

Simple easy box, perfect to warmup before the FIC 2021 and get more confidence in 1337 h4ck1n9 TL;DR Find PCAP file on server, get SSH credentials, execute code as root with Python. Footholds I did not even use nmap here, as we had a web server serving on port tcp:80. This website looked like this: It seems to be a security dashboard for a server, we don’t have any info about that.