BSidesCBR 2017 CTF Write-Up: Derpchat May 7, 2017 Hey there, Following my series of write-ups for the BSidesCBR challs, I will discuss the DerpChat one. The instructions for this challenge were: This web-based challenge was worth 275 points. Run docker-compose up and then browse to https://web.shell.dance:4443/. After browsing to https://web.shell.dance:4443/, I arrived on a registration/login page. I registered the account test/test and finally got a page with two inputs: – One to search some messages, I suppose – And one in the middle of the page stating: “Hello, could you please send me the link I was after? ...
BSidesCBR 2017 CTF Write-Up: Needleinahaystack May 6, 2017 Hello everyone! It has been such a long time since I posted an article. Here is a quick write-up for the BSidesCBR Crypto challenge “needleinahaystack”. Before diving into the challenge, huge props to all the organizers and OJ for making those challs available to everyone with Docker containers and such (more write-ups coming soon). If you want to give it a shot, all challs are available here. The challenge we will discuss in this post (needleinahaystack) is located here. ...
Running SSLScan on 5k servers taken from Alexa's top 10k Jun 7, 2015 After analyzing the HTTP Security Headers of the top 10k Alexa websites, I decided to look at the SSL ciphers used on those websites. These results come from a scan on port 443 of all those domains. Only 4715 servers replied. The OpenSSL version installed on my server did not support SSLv2, so SSLv2 ciphers have not been detected. Here are the results:
Experiments with UPnP Jul 3, 2014 This post deals with recent observations regarding the UPnP (Universal Plug and Play) protocol and routers. In a few words, thanks to this protocol, devices and services (such as file sharing services, games, ...) can be easily connected/deployed. First, I started researching my box by hand to find relevant UPnP functionalities; I found some, but I had trouble exploiting them. A few days ago, David Middlehurst released a tool called “UPnP Pentest Toolkit”. ...
Kioptrix 3 Write-up Jun 12, 2014 It has been a long time since I wrote another write-up. This one is for Kioptrix 3, which you can find here. Host Discovery $ nmap -sP 192.168.56.1/24 and we got the IP address: 192.168.56.101. As explained, you need to add 192.168.56.101 kioptrix3.com to your /etc/hosts. Fingerprinting Then, let's find out what kind of services are running on the host machine. $ nmap 192.168.56.101 -sV -A Starting Nmap 6.46 ( http://nmap. ...
Diving into Google's XSS game Jun 2, 2014 Hi there, this post deals with the game about XSS vulnerabilities released by Google a few days ago, which you can find here. I'll enumerate some of the solutions I found on the Internet which were (in my opinion) interesting/fun. This post contains the solutions for all levels. Big spoilers. Level 1: Hello, world of XSS Well, this one was obvious: <script>alert(1);</script> Level 2: Persistence is key For this one, you had different options: ...
Bobby Write-up May 15, 2014 Hi there, Quick blog post on the VM “Bobby”, which is one of the nicest VMs I have done so far. Discovery The first step is always the same: discovering the machine on the network. To do so: $ nmap -sV 192.168.1.1/24 I managed to retrieve the IP address: 192.168.1.11. Let's start fingerprinting the different services in order to exploit it. Fingerprinting Then, I used Nmap to retrieve the running services: $ nmap -sV 192. ...
HTTP Security Headers on the top 10k Alexa websites May 13, 2014 EDIT: Added statistics for the max-age option. Hi there, This blog post deals with HTTP Security Headers on the top 10k Alexa websites. Based on this discussion on netsec, I decided to compute some statistics on the Alexa ranking. To do this study, I sent an HTTP GET request and saved the headers of the HTTP response. This was done using Python. First of all, I scanned 10000 hosts. 555 hosts didn't respond, so these statistics are based on 9445 hosts. ...
Blind HQL Injection in a REST API using the H2 DBMS May 5, 2014 This post deals with some research I just did regarding (blind) HQL injections with H2 as the database management system. First, you should read this post, which gives some really useful information regarding HQL injections in general: HQL for pentesters. During the assessment, I checked the API calls by using Burp as a proxy, and one call was: http://application/API/Users/?req=id=1 The output was a JSON response, such as: [{user: "admin", id: "1", firstName:"Admin"}] If you changed the id to the numeric value 2, and so on. ...
BSides Slides - CSRFT Apr 29, 2014 Hey, Just a quick post to give you the link to my slides for BSides London today: Here Don't hesitate to reach out if you have any feedback or any feature request. You can reach me on GitHub or Twitter. Just a few words about the conference, which was absolutely amazing. Some really great people were there, the atmosphere was good, and people were really helpful. For sure, I'll attend it next year. Cheers,