Posts

HSCTF 2021 | PWN Use After Freedom TL;DR Vulnerability: use after free Exploit steps: Leak glibc address by freeing a chunk into unsorted bins Perform partial unlink (unsorted bin attack) to overwrite global_max_fast Free a 0x3940 sized chunk to overwrite __free_hook with the address of 0x3940 sized chunk Use write after free to change the fd of 0x3940 sized chunk with system Allocate a 0x3940 sized chunk so _free_hook becomes system Call free(/bin/sh) Exploit #!

addslashes sanitization bypass through the abuse of vsprintf functionality

As usual we start with a nmap scan to find open ports and services on the server. ┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Worker] └─$ sudo nmap -sC -sV -oA nmap/tcp-initial -vv 10.10.10.203 ... PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.

Academy Walkthrough Enumeration running nmap scan we find two ports (22, 80) are open and the machine also leaks a hostname as academy.htb # Nmap 7.91 scan initiated Sun Jan 10 12:56:59 2021 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.

Initial Recon Running a nmap scan on the server to look for open ports and services. ┌──(codacker㉿kali)-[~/Workspace/HTB/boxes/Time] └─$ sudo nmap -sC -sV -oA nmap/tcp-initial -vv 10.10.10.214 we find that port 22 (SSH) and port 80 (Apache) are open on the server.

Recon we start with a nmap scan to look for open ports and services on the server. # Nmap 7.91 scan initiated Wed Oct 14 21:14:03 2020 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.

We start with a nmap scan to look for open ports and services running on the server. PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.

Initial Recon We start the initial recon with a nmap scan to look for open ports are services running on them. PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.

Nmap Scan # Nmap 7.80 scan initiated Fri Oct 2 13:54:21 2020 as: nmap -sC -sV -oA nmap/tcp-initial -vv 10.10.10.192 Nmap scan report for 10.10.10.192 Host is up, received echo-reply ttl 127 (0.

Admirer Writeup we start the recon with a nmap scan to look for open ports and services running on them PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 63 vsftpd 3.