File Upload Restriction Bypass Checklist

Introduction

When enumerating web applications, we often find ourselves in front of a file upload file that allows us to potentially upload malicious files onto the application, such as a PHP or ASP shell, although these will often have certain restrictions that will only allow certain file types, extensions, file names or contents.

Through this checklist, I hope to cover most of the possible bypass methods that can be used to get past this restriction.

January 20, 2021 | by Stefano Lanaro | 2 Comments

Buffer Overflow, Guides, Stack Buffer Overflow

Stack Buffer Overflow – dostackbufferoverflowgood Guide

Introduction

I found this great material when preparing for my OSCP certification exam, I had already finished all of the exercises including the Buffer Overflow ones but I wanted to do some more practice as I wanted to be 100% ready on this subject to ensure I was getting the 25 points awarded for this machine.

January 19, 2021 | by Stefano Lanaro | Leave a comment

CTF Walkthroughs, Hack The Box

Hack The Box – SecNotes Walkthrough

Introduction

This was a very peculiar box, as it involved sending a password change link to a user from a web application in order to reset his password, uploading a PHP shell via SMB to gain remote code execution and therefore a shell, and using a password found in the underlying system’s bash history file to login as the administrator user

January 19, 2021 | by Stefano Lanaro | Leave a comment

CTF Walkthroughs, Hack The Box

Hack The Box – Jerry Walkthrough

Introduction

This was a very easy box, as it involved logging into the Tomcat Web Application Manager using default credentials, deploying a new application using a malicious .war Java reverse shell and gaining a reverse shell by navigating to it.

January 18, 2021 | by Stefano Lanaro | Leave a comment

CTF Walkthroughs, VulnHub

VulnHub – SickOS 1.2 Walkthrough

Introduction

This is a Linux box that involved exploiting the PUT http method to upload a PHP script through which a reverse shell can be obtained, and then using a known vulnerability in the chkrootkit program to escalate to root.

January 18, 2021 | by Stefano Lanaro | Leave a comment

Checklists, Resources

Windows Privilege Escalation Checklist

Introduction

Privilege escalation is a crucial step in the penetration testing lifecycle, through this checklist I intend to cover all the main vectors used in Windows privilege escalation, and some of my personal notes that I used in previous penetration tests.

January 18, 2021 | by Stefano Lanaro | Leave a comment

Reviews, Training Labs

Offensive Security Proving Grounds (Practice) Review

Introduction

I decided to subscribe to the Proving Grounds platform after failing my first OSCP exam attempt and after completing the virtual hacking labs platform, I was very intrigued by the fact that the machines in this platform were developed by Offensive Security and therefore I was sure the quality of the machines would live up to expectations.

Proving Grounds is a platform that allows you to practice your penetration testing skills in a HTB-like environment, you connect to the lab via OpenVPN and you have a control panel that allows you revert/stop/start machines and submit flags to achieve points and climb the leaderboard.

January 18, 2021 | by Stefano Lanaro | Leave a comment

CTF Walkthroughs, Hack The Box

Hack The Box – Arctic Walkthrough

Introduction

This was an easy Windows machine that involved exploiting a directory traversal vulnerability in the Adobe ColdFusion web application to obtain user hashes, cracking them with an online hash lookup tool and using a scheduled task to gain remote access. Privilege escalation was possible through a Windows Kernel Exploit.

January 18, 2021 | by Stefano Lanaro | Leave a comment

CTF Walkthroughs, TryHackMe

TryHackMe – Vulnversity Walkthrough

Introduction

This room is part of the TryHackMe’s Offensive Pentesting learning path, which is something a lot of people use when preparing for their OSCP exam. This was one of the first rooms and it involved attacking a web application exploiting a file upload functionality, bypassing file extension whitelisting, and exploiting a SUID binary to escalate privileges.

January 17, 2021 | by Stefano Lanaro | 2 Comments

CTF Walkthroughs, VulnHub

VulnHub – FristiLeaks 1.3 Walkthrough

Introduction

This was an intermediate box that involved decoding a base64-encoded password to access a file upload page, through which a PHP reverse shell can be uploaded to gain an initial access. From there, a password has to be de-ciphered using ROT13 in order to obtain root access to the machine.

January 16, 2021 | by Stefano Lanaro | Leave a comment