User Flag Ater adding the target machine in /etc/hosts we conducted a NMAP scan. While accessing the IP over browser we got the following URL. After adding this URL in the /etc/hosts file we tried to access the URL. We tried to brute force the credentials manually and the following credential set worked. root:password UponContinue reading “HackTheBox – Keeper”
Author Archives: Aayush Goel
HackTheBox – Photobomb
NMAP Scanning Added address in /etc/hosts and open the web page Upon clicking the link it asks for credentials. As we do not have any credentials I got the page below. I tried to view the source code and found the photobomb.js file. After opening that file I got the credentials. Username: pH0t0 Password: b0Mb!Continue reading “HackTheBox – Photobomb”
HackTheBox – Precious
NMAP Scanning Add website to hosts file: Open the web service This website takes a web page URL and converts it into PDF. On examining the pdf, it shows that it is using pdfkit v0.8.6 version On searching we found vulnerability for mentioned version On studying the POC it looks like the URL parameter isContinue reading “HackTheBox – Precious”
Domain 2: Asset Security
Asset Types Asset Classification Asset Storage Apply appropriate controls based on classification Data is more valuable than the media Asset Security Data Classification Type of Data Data Stakeholders Data Remanence Data left over after a removal and deletion process Data Destruction Scoping Portion of standards that will be applicable for organization Tailoring Customizing standards asContinue reading “Domain 2: Asset Security”
Domain 1: Security and Risk Management
CIA Triad: IAAA: Accounting: The action owner logs are reviewed for violations Non-repudiation: The action owner cannot deny his/her actions Governance(Not us): Management(Us): Principle: There are 2 types of principles: Standards and Frameworks There are many security frameworks and standards available for security implementation and guidance for any organization. A few examples are Protection MethodsContinue reading “Domain 1: Security and Risk Management”
Common Linux Privilege Escalation
Used room: https://tryhackme.com/room/commonlinuxprivesc Privilege Escalation is a practice. It mainly depends upon configuration done in the system that acts as a weakness to escalate the privileges. These configurations can be of many types. For e.g.: So, today or tonight we will see various methods to do privilege escalation in Linux. Step 1: Enumerate the machineContinue reading “Common Linux Privilege Escalation”
Net Sec Challenge
What is the highest port number being open less than 10,000? 8080 There is an open port outside the common 1000 ports; it is above 10,000. What is it? 10021 How many TCP ports are open? 6 What is the flag hidden in the HTTP server header? THM{web_server_25352} What is the flag hidden in theContinue reading “Net Sec Challenge”
Risk Assessment and Audit Charter
Risk Assessment The whole CISA exam works around the concepts of risk assessment methodology. ISACA expects aspirants to have deep knowledge of terms in risk assessment. What is risk? A probability or threat of damage, injury, liability, loss or any other negative occurrence that is caused by external or internal vulnerabilities and that may beContinue reading “Risk Assessment and Audit Charter”
AWS Messaging and Integration Services
Simple Queue Service (SQS) SQS is a message queuing service that allows you to build loosely coupled systems. Features: Allows component-to-component communication using messages. Messages are processed in an asynchronous manner. Multiple components can add messages to the queue. Helps to improve performance and scalability. Important for the exam: Queues are processed in FIFO order.Continue reading “AWS Messaging and Integration Services”
AWS Infrastructure as Code (IaC)
IaC allows you to write a script to provision AWS resources. The benefit is that you provision resources in a reproducible manner that saves time. CloudFormation CloudFormation allows you to provision AWS resources using IaC. Features: Provides a repeatable process for provisioning resources. Works with most AWS services. Create templates for the resources you wantContinue reading “AWS Infrastructure as Code (IaC)”
