Infosecinstitute CTF 2 - LEVEL 10

This will be solution for Level 10 Practical Web Hacking CTF #2. This level we have a browser game, the objective is to find a way to win the game wihout losing to much time. This level is very similar to level 1, in the way that nothing in the users side should be trusded, so here’s what we need to do. Tasks Find out how the game stores its scorres, and how it’s sync’d...… (Read More)

Infosecinstitute CTF 2 - LEVEL 3

This will be solution for Level 3 Practical Web Hacking CTF #2. In this level we are told to attept a privilege escalation, the objective is to register a user with an ADMIN role, and exploit a Data Validation. We are told that the information is saved in text file, from this information we can assume that the several fields are some home separated by different chars souch as $ # etc. We start by...… (Read More)

Infosecinstitute CTF 2 - LEVEL 2

This will be solution for Level 2 Practical Web Hacking CTF #2. In this level we have a simple web php calulator, the vulnerability type is A1 Injection and our objective is successfully execute code in order to get information about the server and PHP version. This is consistent with PHP eval statement, after first inspection we come to the conclusion that on the server site might be something like the flowing: <?php $operand1 =...… (Read More)

Infosecinstitute CTF 2 - LEVEL 1

This will be one of 13 posts about the aftermath of the Practical Web Hacking CTF #2. The first level is a simulation of link storage web application, with A3 Cross-Site_Scripting, this types of vulnerabilities exploit the interpreter in the browser to achieve client site code execution (Javascript). To target the Users that visit the vulnerable page, exploiting this vulnerability could allow an Attacker to accomplish the flowing: session hijacking Cross-Site Request Forgery But in...… (Read More)

Infosecinstitute CTF 2 - LEVEL 4

This will be solution for Level 4 Practical Web Hacking CTF #2. In this Level is about file inclusion vulnerabilities File include. The objective is to inject a php file, that we are told that it should be included form the root of a given domain (infosecinstitute.com), it also says that it should include the file even if it doen’t exist, as you will se from the description this types of bugs are very easy...… (Read More)

Enterprise Web Applications, Crack Once Hack Everywhere

Long time since i posted, Vulnerability hunting have kept me busy. FUN FUN :). Enterprise Web applications are old news, they are everywere. In this post i will talk about what seems to escape everyone, well not everyone… Web Applications One of the main reasons for the success of the web applications, is due to how easy they are to deploy. Fat client free workstations, allowed the illusion of simplicity, lower costs, and safety. but...… (Read More)

Slackware Minimal System

The objective of this post is to give a jump start, and establish a working base, although this is a Minimal system created to address a production systems needs, there are things that are left out, so its not production ready. Some of the security packages are not installed or not fully functional, that is a challenge i leave up to you. ;) Most of the information required to complete this task can be found...… (Read More)