[BugkuCTF] - Code Review Practice
Extract variable overwrite; the source code is as follows:
https://www.php.net/manual/zh/function.extract.php The extract function imports variables from an array into the current symbol table. "Warning: Do not use extract() on untrusted data, like user input (e.g. $_GET, $_FILES)." This is because extract can overwrite variables that already exist in the current scope. So here, we can use ?shiyan=&flag= to get the flag.
strcmp string comparison
To analyze this section, we need to consider that:
The strcmp function has four different outputs: 0, >0, <0 and NULL. S ...
[HTB Walkthrough] Sauna
General Information
This is an easy Windows machine: https://www.hackthebox.eu/home/machines/profile/229 It is a CVE-based machine, relatively harder than other Windows machines.
Recon
nmap:
PORT   STATE SERVICE VERSION
53/tcp open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical ...
[HTB Walkthrough] Magic
Magic
This is an interesting box as it involves all sections of hacking: CVE, customized exploit, CTF, real life.
Recon
Nmap information shows port 80 is the only option:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
No exact OS matches for host (If you kn ...
Scantist Web Pentest Record
url: https://staging.scantist.io/login api doc: https://api-staging.scantist.io/docs (I thought that I needed to fuzz the whole API. Luckily I found the doc after the first few minutes of fuzzing through wfuzz). For the attacks, you may directly go to section 3.
1. Recon
IP lookup: Amazon CloudFront Singapore Server, IP 54.192.151.100
nmap result:
PORT   STATE SERVICE VERSION
80/tcp open  http    Amazon CloudFront httpd
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: CloudFr ...
[HTB Walkthrough] Remote
Recon
nmap
21/tcp  open ftp     Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp  open http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-title: Home - Acme Widgets
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100003  2,3        2049/ud ...
[HTB Walkthrough] - Holiday (for OSWE practice)
For some reason, I am extremely sure that nodejs will be tested in the OSWE exam (lol). In this case, I would like to practice some nodejs exploits. I noticed that the box "Holiday" contains some nodejs code injection exploits, so I just rolled up my sleeves and got started. The target machine is Holiday (10.10.10.25), which is a very hard box with a 5.0 score. I'm not expecting myself to solve this box on my own, and the goal of working on this box is to learn nodejs in the process.
[Learn CISSP the Hard Way] 2 – Personnel Security and Risk Management Concepts
Key abbr. for review: Service Level Agreement (SLA), PII,
A. Contribute to Personnel Security Policies
Job description is important. Concepts behind it: Separation of Duties; Job Responsibilities; Job Rotation (knowledge redundancy, reduces risk of fraud); Employment Candidate Screening; Employment Agreements and Policies; Employment Termination Process; Vendor, Consultant, and Contractor Controls. Service Level Agreements often cover: system uptime, maximum consecutive downtime, peak load, average loa ...
[Evennia Mud Dev 2] Attributes, Equipment and Status
(A side note: after learning about muddery's development progress in the group, I could not help admiring the group owner's patience and perseverance. After installing and testing muddery, I found that some of its features are better suited to a web game (or a mobile game) than to a traditional MUD. Most importantly, the user loses the freedom to type commands. So I still decided to develop with the Python 3 version of evennia.) Continuing from last time, I decided to first finish the basic attribute work. The basic attributes of 梦幻西游 (Fantasy Westward Journey) can be found here: https://zhidao.baidu.com/question/7455123.html?qbl=relate_question_4 so I won't repeat them here. I will record the attributes, equipment and status update work in this blog post in a running-log style.
2020/3/25 Entered the relevant variables into world.races based on the data from Baidu Zhidao. Added CmdStatusUpdate to test the attribute-related content.
2020/4/26 Added the equipment class. In this game, items should be created through prototypes. Testing the prototype command is very important.
[Learn CISSP the Hard Way] 1 - Security Governance Through Principles and Policies
Key abbr. for review: CIA, IAAA, COBIT, STRIDE, DREAD
A. Understand and apply the concept of the CIA triad
(1) Confidentiality - includes several aspects: sensitivity, discretion, criticality, concealment, secrecy, privacy, seclusion, isolation; Integrity; Availability; CIA priorities differ between organizations. (2) Concept of Identification - Authentication - Authorization - Auditing (recording the log of events) - Accounting (reviewing the log files to check for compliance and violations). (3) P ...
OSWE - Blind SQL Injection and Code Review: Continue on Hacker101
In the previous post, http://172.245.118.43/index.php/2020/03/19/oswe-blind-sql-injection-without-sqlmap/ , I discussed the possible techniques for blind SQL injection (boolean based) without the use of sqlmap through an example from hacker101. I got one of the three flags on that machine, and when I tried to continue, I discovered something more interesting, which is related to code review (so it is helpful for my OSWE exam preparation). Therefore, I decided to continue on the machine.
Initial Vulnera ...