TryHackMe IDE
A short write-up of the TryHackMe IDE room
InfoSec
XXE to AWS metadata disclosure
I recently found a critical vulnerability on a private program on HackerOne that allowed me to get their Amazon Web Services root keys. Because of this, the vulnerability was rated as a 10.0 critical, the highest possible. After having been unable to hack for several months due to a family emergency, I finally got home …
Subdomain Takeovers: Heroku
Heroku subdomain takeovers are possible for herokuapp.com CNAMEs, and can be identified by the ‘No such app’ page: And a CNAME in dig that points to .herokuapp.com: This is an indication that the company has a dangling CNAME record pointing to an unclaimed Heroku app which we might be able to take over. To manually …
How to find your first bug
I often get asked ‘how do I find my first bug’ on the Hacker101 Discord channel. This article is an answer to that question. At this point I assume you’ve been studying the basics of ethical hacking. If you have no background in IT I would recommend reading “The Web Application Hacker’s Handbook”; though those …
H1-2006 CTF Write-up
HackerOne recently held a CTF with the objective to hack a fictitious bounty payout application. While my write-up of this CTF is now public and can be seen here, this is a different kind of write-up where I will be more open and go into the areas where I had a lot of trouble. I’m …
HackTheBox Traverxec
Traverxec is rated as an easy box on HackTheBox. User As with all HackTheBox machines I started with an nmap scan which identified port 80 was open and running nostromo 1.9.6, a simple HTTP server also called nhttpd. While searching for some information on nostromo, pretty much the first search result was about a known …
HackTheBox Bitlab
Bitlab is rated as a medium box on HackTheBox. User As is usual with HackTheBox, I started with an nmap scan and discovered ports 22 and 80 open. Going to the web server on port 80 and looking around, I found an interesting link under ‘help’ that wouldn’t open. Turned out the link was this …
HackTheBox Heist
Heist is an easy Windows box on HackTheBox, however since I have very little experience with Windows, I found it rather difficult. User The usual nmap scan reveals the following ports are open: Port 80 presents a login page and a forgotten password link (/issues.php), which actually goes to a forum post with an attached …
HackTheBox Networked
‘Networked’ is rated as an easy machine on HackTheBox User The usual nmap scan revealed the following open ports: Running gobuster on port 80 revealed a few endpoints, the most interesting one being /backup which had a tarred backup file which included all the PHP files the server was running on port 80. Running those …
HackTheBox Haystack
‘Haystack’ is rated as an easy machine on HackTheBox. USER Running nmap on the machine showed that only a few ports were open, with http running on both port 80 and 9200. Visiting port 80 revealed a very simple page with an image and nothing else. Gobuster didn’t reveal any other endpoints on this port, …