Newsletter 23/05/2023

Precious-image

Precious

Hack The Box. Linux. Easy machine

8 minutes to read

This machine contains a web application that uses a tool to create PDF documents which is vulnerable to command injection, which leads to Remote Code Execution (RCE). Then, we can find plaintext credentials to switch to another user. And this user has sudo permissions to run a Ruby script that is vulnerable to insecure deserialization in YAML, which can be used to execute commands as root

web-image

AbuseHumanDB

Hack The Box. Challenges. Web

6 minutes to read

Cross-Site Search. Bypass Same-Origin Policy for exfiltration

forensics-image

Automation

Hack The Box. Challenges. Forensics

4 minutes to read

HTTP and DNS traffic analysis. PowerShell. AES cipher

mobile-image

Manager

Hack The Box. Challenges. Mobile

2 minutes to read

Android dynamic analysis. HTTP traffic. IDOR

mobile-image

Pinned

Hack The Box. Challenges. Mobile

1 minute to read

Android. Certificate pinning. API Monitor

cryptography-image

I know Mag1k

Hack The Box. Challenges. Crypto

7 minutes to read

DES. Padding Oracle Attack

cryptography-image

BFD56

Hack The Box. Challenges. Crypto

5 minutes to read

CBC Bifid cipher

cryptography-image

Homomurphy's Law

Hack The Box. Challenges. Crypto

13 minutes to read

Homomorphic encryption. XOR cipher. AES cipher. Brute force

misc-image

Pickle Panic

Hack The Box. Challenges. Misc

9 minutes to read

pickle internals. Python jail