web
zorses awareness - ā
Entering the challenge via a virtual desktop in the browser, I was greeted with a web page. Right-clicking and attempting to View page source resulted in getting an error message stating that āYour organization doesnāt allow you to view this siteā. Luckily you can still Inspect.
Clicking the admin login link in the top-right of the home page, then inspecting the login page shows the username and password in the HTML via comments:
financial data breach!
A financial report was revealed early on accident. Checking the previous financial reports via the siteās source code, they link to download a .pdf version with a predictable filename (essentially quarter_3_report.pdf). Changing this name to quarter_4_report.pdf reveals the leaked report.
glitchtrack
The bug tracker performs a POST request using JS to authenticate the users. Removing the password from it allows a successful request, and you can just one of the usernames of the bug creators from the siteās front page.
A network request to an API reveals the admin:
And it looks like he has something special in his secure notes:
password cracking
password cracking - 5
Luckily CrackStation had it š š¤.
ai + tools
ai tool abuse - intro
things to do to be ready for next time
- Have password cracking tools setup with examples / cheatsheets ready.
- I havenāt cracked passwords in a while, and didnāt have any password wordlists on my laptop. Nor did I have johntheripper, hashcat, keepass2john, ansible2john, etc. setup.
- Create some Go-based scripts that automate web searches for it.
- Crackstation, Google, IntelX, etcā¦ Probably worth it to look for some more sources.
- Be ready to crack:
- Keepass (both old and new vault formats)
- Ansible Vault
- Look over and get familiar with the other conversion scripts that might be utilized here.
- Passwords with salts
- Have a better work around than using Guacamole in the browser for web challenges.
- Get more used to going up against LLMs that have access to tools and different sanitizers, from both input and output sanitization.
- Dreadnode / Crucible challenges would be a good practice ground.
- Look into Jenkins, Dune, and OCaml exploitation.
This is a collection of my cybersecurity notes & projects.
I graduated from Dakota State University with a MS in Cyber Defense & BS in Cyber Operations. Since then I've worked as a Malware Analyst with the U.S. Army Cyber Command, and am now a Web Application Security Consultant.
I'm a big fan of open security standards for applications and workflow automation when it comes to security testing. The easier it is to identify and replicate, the more secure everyone's apps can be! My other writings and projects are scattered across the web, but can be found in the links page.
Contact me: