mpz

I have been using Shodan extensively for bug bounty hunting lately and I found some neat tricks to expand the attack surface of the given target. There are many blogs and tutorials on "Shodan Recon" and most of them talk about the same filters - ssl, ssl.cert.subject.cn, org, ip, hostname, etc. but I have not seen anyone talk about this filter - all. So, I won't talk much about the basics of shodan and directly jump to the topic.  Shodan's regular search bar (without any filter) is not consistent and when you search for a keyword, it only looks for the "keyword" in https://www.shodan.io/host/<ip> BUT shodan's raw data (https://www.shodan.io/host/<ip>/raw) contains much more information or what I like to call it as "references" about the target. To find those references and juicy hosts, this "all" filter is very handy. I have been using this filter a lot and it has found many hosts that no other filter could find. The usage

The CTF is designed to pwn an imaginary organization Thawang Shield Security. The only information given to us is their domain - thawang.live Starting with the domain thawang.live, usual recon - directory bruteforcing, port scanning,  subdomain enumeration, etc. was done. It didn't give much information to proceed ahead so I started some OSINT on the org. Looking at the "Teams" section of the website thawang.live, we can find three users. Flag #1 Checking the Facebook profile of Ojasini Shrees, a picture was found which we downloaded, checked its strings and the first flag was obtained. bugv_ctf{MjVFRXNDNWJWeVBBRW} Flag #2 After obtaining flag #1, there's also a link to the discord server https://discord.gg/JwXD7g2f5a. The discord server has a bot that is vulnerable to simple SQL injection. Using the payload $get 1'or 1=1-- as an input for the bot, the flag is returned. bugv_ctf{M0Tlo1MkNBcWRwR1ND} Flag #3 While checking Github of Dexa Singh, a repo "for inte

I have been using this Crypto Exchange - changenow.io for at least a year now. I didn't realize they also had a bug bounty program which was mentioned in their footer section. I was quite busy with my day job so I kept the details of the program in my todo.txt so I could check it out later. One night when I was having that itch of doing some bug bounties, I checked my todo.txt and decided to hunt bugs on changenow.io. I started by enumerating subdomains and probing for standard web ports (80/443). After obtaining a handful of URLs, I tried to visit them one by one and noticed a few of them were trying to redirect to another internal domain eth-btc.com A quick whois on eth-btc.com revealed that it also belonged to changenow.io (admin email - sysadmin@changenow.io) so I enumerated the subdomains of this domain too. One of the subdomain zbx.sup.eth-btc.com was running Zabbix instance. I didn't have login credentials and common creds also didn't work but there was "Sign i

Intro I signed up for the course with 60 Days of lab time on 27th Nov 2018 to start my labs from 9th Dec. During this period of  ~10 days, I also got VIP subscription of HackTheBox  to pwn some retired machines, solved a dozen of boot2root machines from vulnhub, read many privesc writeups and HTB walkthroughs, watched almost every video of ippsec  and prepared myself for the labs. Lab Days and the journey of learning I got the study materials (PDF + videos + lab connection) early in the morning and I was really excited about it so I just read about the network structure of the lab, watched some intro videos, and directly jumped into the lab. I was expecting the lab environment to be something like HTB with difficulty level, OS info, etc. but nothing was there. Only a list of IP addresses. At this point, I had to go back to pdf, watch more videos, read others' reviews to get some knowledge of how to get an initial foothold on the first subnet. I spent like 4 days more to go

I already got root on DC-1 machine  like 1 month ago, it was a nice box but I didn't had enough time to write about it so I thought of doing DC-2 machine by same author and write about it too :D . Though DC-2 is not available on vulnhub yet but you can download it from here . This machine has 5 flags in total and below is my walkthrough on how I found them :) As usual, I started the box by doing a quick nmap scan and it revealed port 80 only. Only port 80 open? This sounded fishy to me so I hit up arrow key, added -p option to previous command for full tcp port scan and now we can see port 7744 is also open. Since this port is used for SSH and no creds were provided, I went for HTTP service on port 80. On directly opening the ip address of the machine, I got redirected to dc-2/ so I quickly added an entry to /etc/hosts file with machine's ip address and its corresponding hostname. On opening dc-2/ on browser, an wordpress site was found. Welcome, what we