Latest

In this post, I demonstrate how to identify a data validation vulnerability in an image upload plugin, and bypass content filters to execute malicious code and gain access to the remote system. Enumeration I run a standard nmap scan on the host to find ports 22 (SSH) and 80 (HTTP)

Patching your operating system isn’t enough. You need to patch your third-party applications too as they can contain vulnerabilities such as buffer overflows that allow a system to be exploited. Enumeration First step as always, is to see what we can discover with an nmap scan root@kali:~/htb/

Jeeves demonstrates the seriousness of securing access to applications, and the importance of practising good password hygiene. First, I take advantage of broken access controls on a Jenkins installation to obtain remote code execution (RCE) and gain a foothold on the system. Next, I locate a KeePass database and due

Bashed highlights the importance of having a separate environment for development and production. In this challenge, a developer creating a new web application uses a production web server for the development environment. I demonstrate abusing the artifacts left behind by the developer in order to compromise the system. Enumeration Starting

This challenge demonstrates that it’s not just servers that are vulnerable to attack. Firewalls and other internet facing appliances can also provide an avenue for an attacker to exploit and gain a foothold on your network. Enumeration Starting with a basic nmap scan, I uncover a web server listening

This IoT themed HackTheBox challenge shines a light on the problems associated with a rapid explosion of internet connected devices. As cheap mini-computers such as the RaspberryPi become easily accessible to consumers, it’s clear that securing these devices can be easily overlooked. This challenge was pretty simple and straightforward