Wordpress enable-latex plugin remote file include vulnerabilities
You can use our plugin, MalCare, to set up a staging site and test updates before installing them on your live site.
If you run multiple websites, the plugin enables you to manage and update them all from a centralized dashboard. This makes updates easier, faster, and hassle-free. Vulnerabilities frequently develop in poor quality themes and plugins.
This is why we suggest using only good-quality themes and plugins. A good way to judge the quality of the software is to buy it from reputable marketplaces like Themeforest, CodeCanyon, Envato, Mojo Marketplace, etc. Reputable marketplaces have strict policies and security protocols that developers must follow.
So products available on these platforms are created with care and maintained well. For some websites such as recruitment sites, this might not be an option. However, if the file upload function is not required on your website, we strongly suggest you retire it. This will remove the possibility of a file upload vulnerability altogether. Everything uploaded on your WordPress website is stored in the Uploads folder. Even if you have knowledge of WordPress, we strongly recommend taking complete website backups before making any changes.
The slightest misstep can cause your website to break. These are the 6 file upload vulnerability prevention measures. By taking these measures, your site will be protected against file upload vulnerabilities.
That brings us to the end of preventing file upload vulnerabilities on your WordPress site. Protecting your WordPress site against file upload vulnerabilities is a step towards ensuring that your website is safe and secure from hack attacks. However, hackers have many other ways of trying to break into your site. To prevent any kind of hack attempt on your website, we recommend the following:
Always have a security plugin like MalCare installed on your site. The plugin comes with a security scanner that will scan and monitor your site daily. Its firewall will also prevent hackers from accessing your site. Update your WordPress site regularly, ensuring that you are using the latest version of the WordPress core and of all plugins and themes installed on your website.
And finally, harden your WordPress site. Site hardening measures will ensure that your site is difficult for hackers to break into. Sufia is a WordPress enthusiast and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.
The root WordPress directory: all files should be writable only by your user account, except. Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process.
If you do not want to use the built-in theme editor, all files can be writable only by your user account. Permissions may vary. If you have shell access to your server, you can change file permissions recursively with the following command: All files are set to and all directories are set to , writable only by the user and readable by everyone else, including the web server.
If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases each managed by a different user. This is best accomplished when performing the initial WordPress installation. This is a containment strategy: if an intruder successfully cracks one WordPress installation, this makes it that much harder to alter your other blogs. By revoking such privileges you are also improving the containment policies.
Note: Some plugins, themes and major WordPress updates might need to make structural changes to the database, such as adding new tables or changing the schema.
In such cases, before installing the plugin or updating the software, you will need to temporarily grant the database user the required privileges. Thus, it is NOT recommended to revoke these privileges. If you do feel the need to do this for security reasons, then please make sure that you have a solid backup plan in place first, with regular whole-database backups which you have tested are valid and can be easily restored.
A failed database upgrade can usually be solved by restoring the database back to an old version, granting the proper permissions, and then letting WordPress try the database update again. Restoring the database will return it back to that old version and the WordPress administration screens will then detect the old version and allow you to run the necessary SQL commands on it.
Most WordPress upgrades do not change the schema, but some do. Only major point upgrades 3. Minor upgrades 3. Nevertheless, keep a regular backup. This forces an attacker or bot to attack this second layer of protection instead of your actual admin files. Many WordPress attacks are carried out autonomously by malicious software bots. A second layer of protection can be added where scripts are generally not intended to be accessed by any user.
WordPress can overwrite anything between these tags. Omitting that line will allow the code to work, but offers less security. You can move the wp-config. This means for a site installed in the root of your webspace, you can store wp-config. Note: Some people assert that moving wp-config. Others disagree. Note that wp-config. Also, make sure that only you and the web server can read this file it generally means a or permission.
If you use a server with. This is often the first tool an attacker will use if able to login, since it allows code execution. WordPress has a constant to disable editing from Dashboard. Placing this line in wp-config.
This will not prevent an attacker from uploading malicious files to your site, but might stop some attacks. First of all, make sure your plugins are always updated. Also, if you are not using a specific plugin, delete it from the system.
There are many plugins and services that can act as a firewall for your website. Some of them work by modifying your. Some firewall plugins act at the WordPress level, like WordFence and Shield , and try to filter attacks as WordPress is loading, but before it is fully processed.
Besides plugins, you can also install a WAF (web application firewall) at your web server to filter content before it is processed by WordPress. A website firewall can also be added as an intermediary between the traffic from the internet and your hosting server. These services all function as reverse proxies: they accept the initial requests and reroute them to your server, stripping out all malicious requests.
They accomplish this by modifying your DNS records, via an A record or full DNS swap, allowing all traffic to pass through the new network first. This causes all traffic to be filtered by the firewall before reaching your site. A few companies offer such a service, like CloudFlare, Sucuri and Incapsula. Users rated Unattended much harder than the Medium rating it was released under. So the trick was knowing when to continue looking and identify the NGINX vulnerability to leak the source code.
From there, it was injecting into some commands being taken from the database to move to the next user. And in the final step, examining an initrd file to get the root password. Helpline was a really difficult box, and it was an even more difficult writeup. It has so many paths, and yet all were difficult in some way. It was also one that really required Windows as an attack platform to do the intended way.
I got lucky in that this was the box I had chosen to try out Commando VM. But it is still a great box. Fortune was a different kind of insane box, focused on taking advantage of things like authpf and nfs. Instead of just using the php functions to find the certificate and key needed to read the private members https page, Alamot uses Chankro to bypass the disabled execution functions and run arbitrary code anyway.
I had to try it. LaCasaDePapel was a fun easy box that required quite a few steps for a 20 point box, but none of which were too difficult. The file is not writable and owned by root, but sits in a directory my current user owns, which allows me to delete the file and then create a new one.
CTF was hard in a much more straight-forward way than some of the recent insane boxes. It had steps that were difficult to pull off, and not even that many. But it was still quite challenging. Once I do, I can run commands, and find a user password in the php pages. FriendZone was a relatively easy box, but as far as easy boxes go, it had a lot of enumeration and garbage trolls to sort through.
By far. Without question. I remember vividly working on this box with all my free time, and being the 5th to root it (7th root counting the two box authors) on the 6th day. This interface gives up some domain names for fake phishing sites on the same host, which I can use to find an admin interface which I can abuse to get file system access via log poisoning. I can however upload reGeorg and use it to tunnel a connection to WinRM, where I can use some creds I find in a config file.
And I found Darwin. The host presents the full file system over anonymous FTP, which is enough to grab the user flag. Querier was a fun medium box that involved some simple document forensics, mssql access, responder, and some very basic Windows privesc steps.
I can use that limited access to get a Net-NTLMv2 hash with responder, which provides enough database access to run commands. For privesc, running PowerUp. FluJab was a long and difficult box, with several complicated steps which require multiple pieces working together and careful enumeration. Information in the database credentials and new subdomain, where I can access an instance of Ajenti server admin panel.
That allows me to identify weak ssh keys, and to add my host to an ssh TCP Wrapper whitelist. Then I can ssh in with the weak private key. Help was an easy box with some neat challenges. As far as I can tell, most people took the unintended route which allowed for skipping the initial section. Alternatively, I can use an unauthenticated upload bypass in HelpDeskZ to upload a webshell and get a shell from there.
I loved Sizzle. It was just a really tough box that reinforced Windows concepts that I hear about from pentesters in the real world. From there I can create a certificate for the user and then authenticate over WinRM. Chaos provided a couple of interesting aspects that I had not worked with before.
After some web enumeration and password guessing, I found myself with webmail credentials, which I could use on a webmail domain or over IMAP to get access to the mailbox. In the mailbox was an encrypted message, that once broken, directed me to a secret url where I could exploit an instance of pdfTeX to get a shell.
After pulling apart an Emotet phishing doc in the previous post , I wanted to see if I could find similar docs from the same phishing campaign, and perhaps even different docs from previous phishing campaigns based on artifacts in the seed document. With access to a paid VirusTotal account, this is not difficult to do.
I decided to do some VT roulette and check out some recent phishing docs in VT. I searched for documents with only few detections, and the top item was an Emotet word doc. The Emotet group continues to tweak their strategy to avoid AV. In this doc, they use TextBox objects to hold both the base64 encoded PowerShell and the PowerShell command line itself, in a way that actually makes it hard to follow with olevba.
It actually blows my mind that it only took 7 hours for user first blood, but then an additional Lightweight was relatively easy for a medium box. The biggest trick was figuring out that you needed to capture ldap traffic on localhost to get credentials, and getting that traffic to generate.
The box actually starts off with creating an ssh account for me when I visit the webpage. From there I can capture plaintext creds from ldap to escalate to the first user.
BigHead required you to earn your 50 points. The enumeration was a ton. There was a really fun but challenging buffer overflow to get initial access. Then some pivoting across the same host using SSH and a php vulnerability. And then finding a hidden KeePass database with a keyfile in an ADS stream which gave me the root flag. The primary factor that takes this above something like a basic jmp esp is that the space I have to write to is small. I got to learn a new technique, Egg Hunter, which is a small amount of code that will look for a marker I drop into memory earlier and run the shellcode after it.
Irked was another beginner level box from HackTheBox that provided an opportunity to do some simple exploitation without too much enumeration. First blood for user fell in minutes, and root in That password gets me access as the user. Teacher was point box despite the yellow avatar.
At the start, it required enumerating a website and finding a png file that was actually a text file that revealed most of a password. I was pleasantly surprised with how much I liked it. In fact, only once on this box did I need to fire up my Kali workstation. Because the target was Windows, there were parts that were made easier (and in one case made possible!).
RedCross was a maze, with a lot to look at and multiple paths at each stage. This post is focused on getting up and running. I suspect additional posts on how it works out will follow. Vault was a really neat box in that it required pivoting from a host into various VMs to get to the vault, at least the intended way. This was another really easy box, that required some simple web enumeration to find a python panel that would run python commands and display the output.
From there, I could get a shell and the first flag. Then, more enumeration to find a python script in a hidden directory that contained the root password. With that, I can escalate to root. Curling was a solid easy box that provides a chance to practice some basic enumeration to find a password, using that password to get access to a Joomla instance, and using the access to get a shell.
It happens that I can control that file, and use it to get the root flag and a root shell. October was interesting because it paired a very straight-forward initial access with a simple buffer overflow for privesc. Frolic was more a string of challenges and puzzles than the more typical HTB experiences.
Enumeration takes me through a series of puzzles that eventually unlock the credentials to a PlaySMS web interface. With that access, I can exploit the service to get execution and a shell. Carrier was awesome, not because it was super hard, but because it provided an opportunity to do something that I hear about all the time in the media, but have never been actually tasked with doing - BGP Hijacking. One of the challenges in Ethereal was having to use a shell comprised of two OpenSSL connections over different ports.
And each time I wanted to exploit some user action, I had to set my trap in place, kill my shell, start two listeners, and wait. Things would have been a lot better if I could have just gotten a shell to connect back to me over one of the two open ports, but AppLocker made that nearly impossible. I wanted to play with it myself, and get some notes down in the form of this post.
Bastard was the 7th box on HTB, and it presented a Drupal instance with a known vulnerability at the time it was released. The privesc was very similar to other early Windows challenges, as the box is unpatched, and vulnerable to kernel exploits. Ethereal was quite difficult, and up until a few weeks ago, potentially the hardest on HTB.
Still, it was hard in a fun way. The path through the box was relatively clear, and yet, each step presented a technical challenge to figure out what was going on and how I could use it to get what I wanted. These were associated with a program called PasswordBox, which was an early password manager program.
But what if I had needed to brute force it? The program was not friendly to taking input from stdin, or from running inside python. So I downloaded the source code, installed the FreeBasic compiler, and started hacking at the source until it ran in a way that I could brute force test passwords in 5 seconds. It would have been possible to get through the initial enumeration of Ethereal with just Burp Repeater and tcpdump, or using responder to read the DNS requests.
But writing a shell is much more fun and good coding practice. Another one of the first boxes on HTB, and another simple beginner Windows target. I can upload a webshell, and use it to get execution and then a shell on the machine.
There was a box from HackTheBox. Zipper was a pretty straight-forward box, especially compared to some of the more recent 40 point boxes. The main challenge involved using the API for a product called Zabbix, used to manage and inventory computers in an environment. I had an opportunity to check out Wizard Labs recently. The box called Dummy recently retired from their system, so I can safely give it a walk-through.
Seems popular to start a service with a Windows SMB vulnerability. This was a Windows 7 box, vulnerable to MS The top of the list was legacy, a box that seems like it was one of the first released on HTB. I thought Giddy was a ton of fun. It was a relatively straightforward box, but I learned two really neat things working it, each of which inspired other posts. The box starts with some enumeration that leads to a site that gives inventory. A local privilege escalation exploit against a vulnerability in the snapd server on Ubuntu was released today by Shenanigans Labs under the name Dirty Sock.
The entire thing was about protocols that operate on any environment. There I find an SSH key that gets me a user shell. Dab had some really neat elements, with a few trolls thrown in. After cracking twelve of them, one gives me ssh access to the box. That beautiful feeling of shell on a box is such a high. But once you realize that you need to pivot through that host deeper into the network, it can take you a bit out of your comfort zone.
Reddish is one of my favorite boxes on HTB. Reddish was initially released as a medium difficulty 30 point box, and after the initial user blood took 9.
Later, it was upped again to insane SecNotes is a bit different to write about, since I built it. The goal was to make an easy Windows box that, though the HTB team decided to release it as a medium Windows box. It was the first box I ever submitted to HackTheBox, and overall, it was a great experience.
Either way, after gaining SMB credentials, it allowed the attacker to upload a webshell, and get a shell on the host. Privesc involved diving into the Linux Subsystem for Windows, finding the history file, and getting the admin creds from there. The Sans Holiday Hack is one of the events I most look forward to each year.
This conference even has a bunch of talks, some quite useful for completing the challenge, but others that are just as interesting on their own.
If I can get a Windows machine to engage my machine with one of these requests, I can perform offline cracking to attempt to retrieve their password.
In some cases, I could also do a relay attack to authenticate directly to some other server in the network. Oz was long. There was a bunch of enumeration at the front, but once you get going, it presented a relatively straight forward yet technically interesting path through two websites, a Server-Side Template Injection, using a database to access an SSH key, and then using the key to get access to the main host.
The first is another method to get around the fact the su was blocked on the host using PolicyKit with the root password. The second was to take advantage of a kernel bug that was publicly released in November, well after Mischief went live. From there, I can use those creds to log in and get more creds. The other creds work on a website hosted only on IPv6.
That site has command injection, which gives me code execution, a shell as www-data, and creds for loki. Hackvent is a great CTF, where a different challenge is presented each day, and the techniques necessary to solve each challenge vary widely.
Like Advent of Code, I only made it through the first half before a combination of increased difficulty, travel for the holidays, and Holiday Hack and, of course, winning NetWars TOC all led to my stopping Hackvent mid-way.
Still, even the first 12 challenges had some neat stuff, and were interesting enough to write up. And if you want to become a full-on jq wizard, all the better. Advent of Code is a fun CTF because it forces you to program, and to think about data structures and efficiency. It starts off easy enough, and gets really hard by the end.
After the first 20 people solve and the leaderboard is full, people start to post answers on reddit on other places, and you can see how others solved it, or help yourself when you get stuck. Active was an example of an easy box that still provided a lot of opportunity to learn. The box was centered around common vulnerabilities associated with Active Directory.
Adding it to the original post. Beyond the enumeration I show here, it will also help enumerate shares that are readable, and can even execute commands on writable shares.
Hawk was a pretty easy box, that provided the challenge to decrypt a file with openssl, then use those credentials to get admin access to a Drupal website. Credential reuse by the daniel user allows me to escalate to that user.
It starts with an instance of shenfeng tiny-web-server running on port There was so much to write about for Smasher, it seemed that the buffer overflow in tiny deserved its own post. In fact, it was rooted in just over 6 minutes! I wanted to take a minute and look under the hood of the phishing documents I generated to gain access to Reel in HTB, to understand what they are doing. Reel was an awesome box because it presents challenges rarely seen in CTF environments, phishing and Active Directory.
Most people are aware of the. But did you know that the PowerShell equivalent is enabled by default starting in PowerShell v5 on Windows 10? This means this file will become more present over time as systems upgrade. Dropzone was unique in many ways. Right off the bat, an initial nmap scan shows no TCP ports open.
Initial shell provides access as an unprivileged user on a relatively unpatched host, vulnerable to several kernel exploits, as well as a token privilege attack. First, the issue of a bash if statement, and how it evaluates on exit status.
Next, how Linux handles permissions and ownership between hosts and in and out of archives. TartarSauce was a box with lots of steps, and an interesting focus around two themes: trolling us, and the tar binary. Moving files to and from a compromised Linux machine is, in general, pretty easy. Windows, is another issue all together. This may be less realistic in an environment where you have to connect from a victim machine back to your attacker box over the public internet where SMB could be blocked , but for environments like PWK labs and HTB where you are vpned into the same LAN as your targets, it works great.
Sunday is definitely one of the easier boxes on HackTheBox. It had a lot of fun concepts, but on a crowded server, they step on each other. We start by using finger to brute-force enumerate users, though once one person logs in, the answer is given to anyone working that host.
Olympus was, for the most part, a really fun box, where we got to bounce around between different containers, and a clear path of challenges was presented to us. The creator did a great job of getting interesting challenges such as dns and wifi cracking into a HTB format.
Canape is one of my favorite boxes on HTB. There is a flask website with a pickle deserialization bug. I find that bug by taking advantage of an exposed git repo on the site. I went down several rabbit holes trying to get code execution through couchdb, succeeding with EMPD, succeeding with one config change as root for CVE, and failing with CVE Someone on an InfoSec group I participate in asked for help looking at a potentially malicious word doc.
I took a quick look, and when I sent back the command line that came out, he asked if I could share how I was able to de-obfuscate quickly. The file makes no effort at showing any real cover, and could even be a test upload from the malicious actor.
The file writes a vbs script which downloads the next stage, and then runs the script and then the resulting binary. The stage two is still up, so I got a copy, which I was able to identify as nanocore, and do some basic dynamic analysis of that as well. Poison was one of the first boxes I attempted on HTB. The discovery of a relatively obvious local file include vulnerability drives us towards a web shell via log poisoning. From there, we can find a users password out in the clear, albeit lightly obfuscated, and use that to get ssh access.
With our ssh access, we find VNC listening as root on localhost, and. Stratosphere is a super fun box, with an Apache Struts vulnerability that we can exploit to get single command execution, but not a legit full shell. However, we actually have to exploit the script, to get a root shell. I was aiming for an easy 20 pt Windows box, but it released as a medium 30 pt box.
First blood for user just fell, 1 hour and 9 minutes in. Still waiting on root. I hope people enjoy, and if you do the box, please reach out to me on the forums or direct message and let me know what you thought of it, and how you solved it. Celestial is a fairly easy box that gives us a chance to play with deserialization vulnerabilities in Node. On first finding this sample, I was excited to think that I had found something interesting, rarely detected, and definitely malicious so close to when it was potentially used in a phishing attack.
The more analysis I did, the more it became clear this was more likely a testing document, used by a security team evaluating their employees or an endpoint product. Still, it was an interesting sample to play with, and understand how it does interesting things like C2 protocol detection and Sandbox detection.
This seems to be effective, given the VT detection ratio. In fact, I came across this sample in conversation with someone who worked for one of the few products that was catching this sample.
Unfortunately, since the DNS record is no longer present. I had been on the lookout for PDFs that try to run code to play with, so this seemed like a good place to dive in. After the struggle of getting the tools installed and learning the ins and outs of using them, we can take advantage of this database to upload a webshell to the box. Then with the webshell, we can get a powershell shell access as a low-priv user. While brute forcing the domains only results in some potentially financial key words, the stage 2 domain acts as a pivot to find an original phish email in VT, which shows this was quite targeted after all.
Valentine was one of the first hosts I solved on hack the box. The box is very much on the easier side for HTB. The class is one of the newer SANS offerings, and so I suspect it will be changing and updating rapidly.
Aragog provided a chance to play with XML External Entity (XXE) vulnerabilities, as well as a chance to modify a running website to capture user credentials. Bart starts simple enough, only listening on port The privesc is relatively simple, yet I ran into an interesting issue that caused me to miss it at first. Overall, a fun box with lots to play with. Nightmare just retired, and it was an insanely difficult box. Rather than do a full walkthrough, I wanted to focus on a write-up of the second-order SQL injection necessary as a first step for this host.
I spent some time looking at this javascript sample from VT. Nibbles is one of the easier boxes on HTB. It hosts a vulnerable instance of nibbleblog. The privesc involves abusing sudo on a file that is world-writable. Falafel is one of the best put together boxes on HTB. And there are hints distributed to us along the way. Chatterbox is one of the easier rated boxes on HTB. Overall, this box was both easy and frustrating, as there was really only one exploit to get all the way to system, but yet there were many annoyances along the way.
I came across a situation on a htb box today where I needed IE to get a really slow, older, OWA page to fully function and do what I needed to do. I had a Windows vm around, but it was relatively isolated, and not able to talk directly to my kali vm. SSH tunneling turned out to be the easiest solution here, and since I get questions about SSH tunneling all the time, I figured it would be good to write up a short description.
In my analysis of an emotet sample , I came across PSDecode , and, after some back and forth with the author and a couple updates, got it working on this sample. The tool is very cool. What follows is analysis of a different emotet phishing document similar to the other one I was looking at, as well as PSDecode output for the previous sample.
This is one of my favorite boxes on HTB. We can RE that mod to get root on the system. Probably my least favorite box on HTB, largely because it involved a lot of guessing. I did enjoy looking for privesc without having a shell on the host. Bashed retired from hackthebox. These notes are from a couple months ago, and they are a bit raw, but posting here anyway.
Posts Jan 10, HTB: NodeBlog ctf htb-nodeblog hackthebox youtube python nmap feroxbuster nodejs nosql-injection payloadsallthethings xxe node-serialize deserialization json-deserialization mongo mongodump bsondump This UHC qualifier box was a neat take on some common NodeJS vulnerabilities.
Jan 1, Hackvent ctf hackvent python git gitdumper obfuscation brainfuck polyglot jsfuck de4js pil reverse-engineering pcap wireshark nmap content-length ignore-content-length cistercian-numerals code-golf type-juggling ghidra clara-io stl youtube kotlin race-condition p eliptic-curve signing crypto This year I was only able to complete 14 of the 24 days of challenges, but it was still a good time.
Dec 18, HTB: Static ctf htb-static hackthebox nmap feroxbuster vpn openvpn otp totp fixgz oathtool ntp ntpdate route xdebug dbgpClient htb-olympus tunnel socks filter cve webshell format-string htb-rope gdb aslr socat pspy path-hijack easy-rsa Static was a really great hard box. Dec 11, HTB: Writer hackthebox ctf htb-writer nmap feroxbuster sqli injection auth-bypass ffuf sqlmap burp repeater apache flask django command-injection hashcat postfix swaks apt Writer was really hard for a medium box.
Dec 4, HTB: Pikaboo ctf htb-pikaboo hackthebox nmap debian feroxbuster off-by-slash lfi log-poisoning perl-diamond-injection perl ldap ldapsearch Pikaboo required a lot of enumeration and putting together different pieces to get through each step.
Nov 27, HTB: Intelligence ctf htb-intelligence hackthebox nmap windows crackmapexec smbmap smbclient smb dns dnsenum ldapsearch exiftool feroxbuster kerbrute python password-spray bloodhound bloodhound-py dnstool responder hashcat readgmsapassword gmsa gmsadumper silver-ticket wmiexec Intelligence was a great box for Windows and Active Directory enumeration and exploitation.
Nov 22, HTB: Union ctf htb-union hackthebox nmap sqli filter waf feroxbuster burp repeater sqli-file credentials injection command-injection sudo iptables The November Ultimate Hacking Championship qualifier box is Union.
Nov 20, HTB: BountyHunter ctf htb-bountyhunter hackthebox nmap xxe feroxbuster decoder python credentials shared-password python-eval command-injection BountyHunter has a really nice simple XXE vulnerability in a webpage that provides access to files on the host.
Nov 6, HTB: PivotAPI ctf hackthebox htb-pivotapi nmap windows active-directory exiftool as-rep-roast getuserspns hashcat mssql mssqlclient bloodhound smbmap smbclient mbox mutt msgconvert reverse-engineering procmon vbs api-monitor crackmapexec mssql-shell mssqlproxy evil-winrm keepass genericall powersploit powerview tunnel dotnet dnspy forcechangepassword laps winpeas powershell-run-as cyberchef seimpersonate printspoofer htb-safe PivotAPI had so many steps.
Nov 1, Flare-On known flare-on ctf flare-on-known reverse-engineering youtube crypto ghidra python known presented a ransomware file decrypter, as well as a handful of encrypted files.
Oct 29, Flare-On myaquaticlife flare-on ctf flare-on-myaquaticlife reverse-engineering upx multimedia-builder mmunbuilder x64dbg ghidra python brute-force myaquaticlife was a Windows exe built on a really old multimedia framework, Multimedia Builder.
Oct 28, Flare-On beelogin flare-on ctf flare-on-beelogin reverse-engineering javascript jsfuck de4js python bruteforce deobfuscation beelogin starts with a simple HTML page with five input fields.
Oct 27, Flare-On flarelinuxvm flare-on ctf flare-on-flarelinuxvm reverse-engineering vm cyberchef encoding crypto ghidra ransomware youtube Flare Linux VM starts with a VM and some ransomware encrypted files.
Oct 26, HTB: Spooktrol htb-spooktrol ctf hackthebox nmap api fastapi python feroxbuster reverse-engineering wireshark ghidra burp burp-proxy upload sqlite uhc spooktrol is another UHC championship box created by IppSec.
Oct 25, Flare-On spel flare-on ctf flare-on-spel reverse-engineering ghidra unpack shellcode dll x64dbg anti-debug spel was a Russian nesting doll of binaries.
Oct 24, Flare-On antioch flare-on ctf flare-on-antioch reverse-engineering docker docker-tar python ghidra hackvent antioch was a challenge based on the old movie, Monty Python and the Holy Grail.
Oct 23, HTB: Spider hackthebox htb-spider ctf nmap flask python flask-cookie payloadsallthethings ssti jinja2 injection sqli sqlmap sqlmap-eval ssti-blind waf filter tunnel xxe Spider was all about classic attacks in unusual places.
Oct 22, Flare-On wizardcult flare-on ctf flare-on-wizardcult reverse-engineering go python youtube crypto ghidra irc inspircd c2 The last challenge in Flare-On 8 was probably not harder than the ninth one, but it might have been the one I had the most fun attacking.
Oct 22, Flare-On credchecker flare-on ctf flare-on-credchecker reverse-engineering html javascript python youtube Flare-On 8 got off to an easy start with an HTML page and a login form.
Oct 16, HTB: Dynstr hackthebox ctf htb-dynstr nmap dynamic-dns no-ip feroxbuster dnsenum command-injection injection cyberchef scriptreplay dns nsupdate authorized-keys wildcard php bash Dynstr was a super neat concept based around a dynamic DNS provider.
Oct 9, HTB: Monitors ctf htb-monitors hackthebox nmap vhost wordpress wpscan wp-with-spritz sqli injection exploitdb password-reuse lfi apache-config cacti cve python systemd crontab docker feroxbuster solr cve ysoserial docker-escape kernel-module Monitors starts off with a WordPress blog that is vulnerable to a local file include vulnerability that allows me to read files from the system.
Oct 2, HTB: Cap htb-cap hackthebox ctf nmap pcap idor feroxbuster wireshark credentials capabilities linpeas Cap provided a chance to exploit two simple yet interesting capabilities.
Sep 27, HTB: Jarmis ctf hackthebox htb-jarmis ja3 ja3s jarm tls nmap vhost ncat feroxbuster fastapi ssrf wfuzz jq metasploit msf-custom-module iptables omigod cve python flask gopher code-review htb-laser htb-travel uhc My favorite part about Jarmis was that it is centered around this really neat technology used to fingerprint and identify TLS servers.
Sep 25, HTB: Pit ctf htb-pit hackthebox centos nmap udp snmp feroxbuster snmpwalk seeddms cve exploitdb webshell upload selinux cockpit htb-sneaky Pit used SNMP in two different ways.
Sep 18, HTB: Sink htb-sink hackthebox ctf nmap gitea haproxy gunicorn request-smuggling localstack aws aws-secretsmanager aws-kms iptables htb-bucket htb-gobox git Sink was an amazing box touching on two major exploitation concepts.
Sep 14, HTB: Validation ctf htb-validation hackthebox uhc nmap cookies feroxbuster burp repeater sqli injection second-order-sqli python python-cmd sqli-file webshell password-reuse credential Validation is another box HTB made for the UHC competition.
Sep 11, HTB: Schooled ctf htb-schooled hackthebox nmap moodle feroxbuster wfuzz vhost cve cve moodle-plugin webshell password-reuse credentials hashcat pkg freebsd package Schooled starts with a string of exploits to gain more and more privilege in a Moodle instance, eventually leading to a malicious plugin upload that provides a webshell.
Sep 4, HTB: Unobtainium hackthebox ctf htb-unobtainium nmap kubernetes deb package electron nodejs lfi prototype-pollution command-injection injection asar sans-holiday-hack htb-onetwoseven source-code Unobtainium was the first box on HackTheBox to play with Kubernetes, a technology for deploying and managing containers.
Aug 30, HTB: Gobox hackthebox htb-gobox ctf uhc nmap ubuntu go ssti feroxbuster youtube python python-cmd aws awscli docker s3 webshell upload nginx-module backdoor nginxexecute HackTheBox made Gobox to be used in the Hacking Esports UHC competition on Aug 29,
Aug 28, HTB: Knife ctf hackthebox htb-knife nmap php-backdoor feroxbuster php
Aug 27, Pivoting off Phishing Domain forensics threat-intel phishing riskiq maltego youtube John Hammond's YouTube channel is full of neat stuff, from CTF solutions to real malware analysis.
Aug 21, HTB: Proper ctf htb-proper hackthebox nmap windows iis gobuster ajax sqlmap sqli keyed-hash sqli-orderby sqlmap-eval hashcat lfi rfi time-of-check-time-of-use inotifywait go ida ghidra arbitrary-write reverse-engineering arbitrary-read wertrigger pipe-monitor powershell named-pipe cve htb-hackback htb-scriptkiddie Proper was a fascinating Windows box with three fascinating stages.
Aug 14, HTB: CrossFitTwo hackthebox ctf htb-crossfittwo nmap openbsd feroxbuster burp websocket sqli injection vhosts unbound python python-cmd flask sqlmap relayd api wfuzz cors phishing socket-io javascript nodejs node-modules yubikey changelist ykgenerate Much like CrossFit, CrossFitTwo was just a monster of a box.
Aug 7, HTB: Love hackthebox ctf htb-love nmap vhosts voting-system searchsploit feroxbuster ssrf burp webshell upload winpeas alwaysinstallelevated msi htb-ethereal msfvenom Love was a solid easy-difficulty Windows box, with three stages.
Jul 24, HTB: Armageddon hackthebox htb-armageddon ctf nmap ubuntu drupal drupalgeddon2 searchsploit webshell upload hashcat mysql sudo snap snapcraft burp Armageddon was a box targeted at beginners.
Jul 17, HTB: Breadcrumbs ctf htb-breadcrumbs hackthebox nmap gobuster burp python cookies jwt upload webshell defender password-reuse tunnel stickynotes sqlite ghidra chisel sqli injection cyberchef aes crypto Breadcrumbs starts with a fair amount of web enumeration and working to get little bits of additional access.
Jul 10, HTB: Atom ctf htb-atom hackthebox nmap xampp redis reverse-engineering portable-kanban smbmap smbclient crackmapexec feroxbuster asar nodejs electron wireshark msfvenom cyberchef printnightmare invoke-nightmare cve Atom was a box that involved insecure permissions on an update server, which allowed me to write a malicious payload to that server and get execution when an Electron App tried to update from my host.