Show more

: Day 19 : release day. Worked on Precious an "easy" linux box. Pretty straightforward.

: Day 17 : Where I was going to go with the crypto challenge is not the path I took. @[email protected] gave me some advice and I managed to sort it out. Compared to other crypto challenges I've worked on, I'm happy to have gotten to a solution. I've not seen one like this before.

: Day 16 : Still banging at the crypto challenge. I've gotten a big push, by the implementation is still escaping me. I've focusing on the decimal values of the ASCII char set. Maybe tomorrow I try with hex values and see if that leads to a breakthrough.

: Day 15 : Looks like matactf.com's Thanksgiving CTF is only the five challenges. I'm hit and miss with crypto. I've managed to work out part of the plaintext. Gonna keep noodling on it.

: Day 14 : Took a crack at metactf.com's Thanksgiving CTF. It's multiple days. Today there are six challenges. I've gotten 5.

: Day 13 : Today was a little weaksauce. Researched kit to bolt onto a Raspberry Pi 3 to make a wifi hacking rig.

: Day 12 : Poked around at JuiceShop again. Worked with a group on derailed on and got user. Don’t have foothold, yet. Got some mentoring on the next step and will work on it tomorrow.

: Day 11 : More JuiceShop. Explored business logic. Managed to break the server a couple of times. Error checking and handling is hard.

: Day 10 : Watched a twitch stream of an attack on a box. Lots of malding, lol. Also poked at JuiceShop some more.

: Day 9 : Analysing main.js from juice shop. Finding endpoints on the server to explore and “endpoints” on the local app to explore. Router is a magic word. Need to do more poking and prodding to ascertain what kind of magic word “selector” is.

: Day 8: Spun up Juice Shop and started in. Used ZAP to spider. Found an auth bypass. Found a dir from robots.txt with some goodies. Recalled a hint from PWST to reap the goodies. Need to look at hacking a Keepass file. I'm sure I've seen that in a CTF or three. Need to attack the business logic in the app. Look at API enumeration. Time to kick off a directory brute-force and go to bed.

: Day 7 : Finished sections 8 and 9 of PWST. Next up, hack Juice Shop.

: Day 5 : Took a crack at new release, Forgot. Learned some stuff, so that's good. I'm still slow, but eventually got root. I think some of it was more CTF than real life, but I look forward to seeing the reviews from the old hands.

: Day4 : A good chunk of time in Release Arena. Banged on Flight, a hard Windows box. I've gotten user with some nudges from a Discord group I worked with. Still working on root. Been a while since taking a crack at a Windows box.

: Day3 : More time working on PWST, sections 4-8 through 4-13. Videos were short, so don't too excited. There a 'more practice' video left in section 4, so plan is to spend some time on that tomorrow.

: Day2 : Tuned in to @Alh4zr3d@twitter's twitch (twitch.tv/alh4zr3d). He streamed pwning the Tricky box. Watched @mttaggart's _Practical Webapp Security and Testing_ (academy.tcm-sec.com) (henceforth, PWST), sections 4-6 and 4-7. Need to spend some more time on 4-7 and the javascript trickiness.

: Day 1: Picked back up "Practical Webapp Security and Testing" by @[email protected]. Knocked out section 4-5, which is about sqli. Played around with ZAP Active Scan, tried out some different files for fuzzing and detecting sqli--fuzzdb, SecLists, and one I compiled from a couple of books. Will continue tinkering with manually enumerating the db before bed. Maybe see about getting mysql/mariadb table enum into my home-grown list.

Show more

ath0

CounterSocial is the first Social Network Platform to take a zero-tolerance stance to hostile nations, bot accounts and trolls who are weaponizing OUR social media platforms and freedoms to engage in influence operations against us. And we're here to counter it.