Walkthru
A. https://prasannakumar.in/infosec/vulnhub-ctf-usv-2017-writeup/ [JavaScript obfuscation, which is currently one of the best methods for protecting JavaScript code from reverse engineering. The "var _0xbb15=" gives us a hint: the script is obfuscated. Deobfuscating using JS Beautifier; vulnerability with the https: site; decode or reverse engineer the math manually; curl to download an HTML page using a --data (POST) request; LFI (local file inclusion); curl to read /etc/passwd due to the LFI;
wfuzz to fuzz/customize the directory structure to download; one can use wget to download the files from the door and vault folders with the '--no-directories' option so it doesn't create ten thousand directories, but wget didn't stop automatically, it kept on going, maybe doing multiple iterations (not sure); aircrack-ng; looks like a blind SQL injection and we are not getting a response from the SQL injection error or SELECT statement. In that case we know the SQL injection worked if we see output, and when no content is shown it means the condition is false, it didn't work, or it doesn't exist; possibly a firewall blocking UNION-based statements; SQL LIMIT function; SQL UNION queries]
B. http://snhconsultingltd.com/2018/01/08/pentesting-write-upusv-2017/ [binwalk, exiftool]
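As an added example (not code from the page or from either write-up), a static resolver for the "var _0xNNNN=[...]" string-array obfuscation the notes mention: it decodes the escaped array and inlines each _0xbb15[N] reference without executing the script. The obfuscated sample and the names unescapeLiteral, extractStringArray and deobfuscate are constructed here for illustration.

```javascript
// Constructed sample of the string-array obfuscation style (not from the CTF).
const OBFUSCATED_SAMPLE =
  'var _0xbb15=["\\x48\\x65\\x6C\\x6C\\x6F","\\x75\\x73\\x65\\x72","\\u0070\\u0061\\u0073\\u0073"];' +
  'function check(){ if(_0xbb15[1]==="admin"){ return _0xbb15[0]+" "+_0xbb15[2]; } return _0xbb15[1]; }';

// Decode \xHH and \uHHHH escapes in the body of one quoted literal (no surrounding quotes).
function unescapeLiteral(body) {
  return body
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Locate the "var _0x...=[...];" declaration and return {name, strings, decl}, or null.
// Assumes the array elements are escaped literals that contain no raw ']' character.
function extractStringArray(src) {
  const m = src.match(/var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]\s*;/);
  if (!m) return null;
  const strings = [];
  // Each element is a single- or double-quoted literal; "\\." keeps escaped quotes inside.
  const lit = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  let e;
  while ((e = lit.exec(m[2])) !== null) {
    strings.push(unescapeLiteral(e[1] !== undefined ? e[1] : e[2]));
  }
  return { name: m[1], strings, decl: m[0] };
}

// Inline every NAME[index] reference as a plain string literal and drop the array declaration.
// Out-of-range indexes are left untouched so nothing is silently invented.
function deobfuscate(src) {
  const arr = extractStringArray(src);
  if (!arr) return src;
  const ref = new RegExp(arr.name + '\\[(\\d+)\\]', 'g');
  const inlined = src.replace(ref, (whole, idx) => {
    const i = Number(idx);
    return i < arr.strings.length ? JSON.stringify(arr.strings[i]) : whole;
  });
  return inlined.replace(arr.decl, '').trim();
}

console.log(deobfuscate(OBFUSCATED_SAMPLE));
```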