OpenKeyS
· ☕ 4 min read · ✍️ M4t35Z
Writeup for OpenKeyS, a medium OpenBSD box. Web enum --> source --> auth bypass cve --> cookie --> id_rsa --> authroot cve --> root

Sneaky Mailer
· ☕ 10 min read · ✍️ M4t35Z
Subdomain enum --> smtp --> phishing --> creds --> imap --> more creds --> ftp(upload a revshell) --> pypi privesc --> user.txt --> gtfobins --> root.txt

Buff
· ☕ 5 min read · ✍️ M4t35Z
Buff writeup, ENUMERATE EVERYTHING. At the start the box was slow as hell like the majority of Windows boxes lmao. Btw here's the process: Website enum --> cve --> Local enum --> cve --> root

Fuse
· ☕ 8 min read · ✍️ M4t35Z
Fuse writeup. http --> crawl --> cme --> passreset --> rpc --> printerpass --> winrm --> groups --> Admin

iDrive
· ☕ 4 min read · ✍️ M4t35Z
Union-Based SQL injection in a file download functionality leads to arbitrary file read

LaunchR
· ☕ 4 min read · ✍️ M4t35Z
IDOR discloses userid of other users. SSTI discloses SECRET_KEY, which was the same as the JWT secret. With this, I changed my userid to admin.

Secret Token
· ☕ 4 min read · ✍️ M4t35Z
URL parser regex whitelist bypass with \ (This challenge was based on a real bug in Google's main library which was found by a Hungarian researcher, David Schütz)

Blunder
· ☕ 6 min read · ✍️ M4t35Z
Rooting Blunder

Quick
· ☕ 16 min read · ✍️ M4t35Z
My writeup for a hard Linux box.

Traceback
· ☕ 5 min read · ✍️ M4t35Z
Traceback was a very enjoyable box. I used a little OSINT in the first part; after I got in, I used only manual enumeration techniques in order to get to the root user.