Posts

Armageddon - HTB Write-up

Hello guys! I hope you are all doing well. In this blog post, I would like to explain the methodology I used for pwning the Armageddon box. I hope this adds some educational value for someone who is just starting out with penetration testing. (I am just a wannabe penetration tester. Feel free to point out my mistakes 😜)

1.1 Methodology - Information Gathering

Let's begin by running an Nmap scan. The Nmap scan shows that a web application is running on port 80. On checking the CMS technology in use and its version, I found that the application is built on Drupal 7.

1.2 Methodology - Initial Foothold

Vulnerability Exploited: Drupal 7 CVE-2018-7600. Vulnerability Explanation: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Severity: Highly Critical. Ref: https://github.com/d...

Sparta - 100 (EASY)

After participating in Zh3r0 CTF last year (2020), I thought the CTF had some really cool challenges, so I decided to look at a few of the challenges this year too. So, let's just jump straight into the technical write-up. In this blog, I will be describing my methodology for sparta - 100, which was an easy challenge in the web category. The challenge provided the source code along with a Dockerfile for hosting the web application locally. Looking at the source files, it was clear that Express/Node.js was used at the back-end. Looking at the server code, one could see that there is a check for whether a "guest" token is passed in the cookie. If so, the value of the guest token is passed to unserialize() of the node-serialize module. That's it! We are talking about a Node.js deserialization vulnerability here. If the guest token is not part of the cookie, the application takes the username, country and city values from the request body and creates a base64-encoded JSON object. This is...