eWPTv2 Review 2023

I recently passed the eWPTv2 exam that was released in October this year. This was an enhanced version of the v1 exam, which included some old and obsolete topics, mostly not relevant in today’s scenario. In this article I will share my views on the exam, the course material, and whether you should take it or not.


Pilgrimage

Pilgrimage is an easy machine from Hack The Box which involved finding a git directory leading to an arbitrary file read vulnerability in ImageMagick. Using that, I read the database file and got the credentials of the emily user. I found a folder named binwalk in emily’s directory, and the binary version was vulnerable to RCE. One of the scripts, malwarescan.sh, was running as the root user, and the malicious PNG file generated from the binwalk exploit had to be placed under the directory mentioned in this script to get a shell as the root user.


Sau

Sau is an easy machine from Hack The Box which involved exploiting an SSRF vulnerability leading to the disclosure of another service, Maltrail. This service was vulnerable to command injection, which upon exploitation gave us a shell as the puma user. Upon further enumeration, systemctl can be run by the puma user with root permissions.


Cozyhosting

Cozyhosting is an easy machine from Hack The Box which involved injecting a session cookie redirecting to the admin page. Playing with the username field, I got an error disclosing ssh command usage in the backend. After trying various bypass methods, I sent the command without spaces and got back a shell as the app user. I found the credentials of the postgres user in a jar file and dumped the hashes from the database. I cracked them using jtr and got access to the josh user. Upon further enumeration, ssh can be run by the josh user with root permissions.
