
Basic Pentesting 1 Walkthrough

WARNING: There will be spoilers to Basic Pentesting 1 VM from Vulnhub. This is your warning! If you wish to penetration test this machine, do not scroll down much further.

 The Basic Pentesting 1 VM download from Vulnhub can be found here: https://www.vulnhub.com/entry/basic-pentesting-1,216/

Here's the basic description:

This is a small boot2root VM I created for my university’s cyber security group. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. I did all of my testing for this VM on VirtualBox, so that’s the recommended platform. I have been informed that it also works with VMware, but I haven’t tested this personally.

This VM is specifically intended for newcomers to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right.

Bob 1.0.1 Walkthrough

WARNING: There will be spoilers to Bob 1.0.1 VM from Vulnhub. This is your warning! If you wish to penetration test this machine, do not scroll down much further.

 The Bob 1.0.1 VM download from Vulnhub can be found here: https://www.vulnhub.com/entry/bob-101,226/

The creator of this VM is c0rruptedb1t

Here's the basic description:

Difficulty: Beginner/Intermediate


Bob is my first CTF VM that I have ever made so be easy on me if it's not perfect.

The Milburg Highschool Server has just been attacked, the IT staff have taken down their Windows server and are now setting up a Linux server running Debian. Could there be a few weak points in the new unfinished server?


Your Goal is to get the flag in /

Hints: Remember to look for hidden info/files

BSides Vancouver: 2018 (Workshop) Walkthrough

WARNING: There will be spoilers to BSides Vancouver: 2018 (Workshop) VM from Vulnhub. This is your warning! If you wish to penetration test this machine, do not scroll down much further.

 The BSides Vancouver: 2018 (Workshop) VM download from Vulnhub can be found here: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/

The creator of this VM is abatchy

Here's the basic description:

Boot2root challenges aim to create a safe environment where you can perform real-world penetration testing on an (intentionally) vulnerable target.

This workshop will provide you with a custom-made VM where the goal is to obtain root level access on it.

This is a great chance for people who want to get into pentesting but don’t know where to start.

Pinky's Palace v1 Walkthrough

WARNING: There will be spoilers to Pinky's Palace v1 VM from Vulnhub. This is your warning! If you wish to penetration test this machine, do not scroll down much further.
General disclaimer: I am by no means an expert penetration tester nor do I have a lot of experience doing penetration testing. This walkthrough is from the perspective of an amateur who is trying to become better. The goal is for me to eventually take the OSCP. That being said, I had a bit of help from some colleagues from my company getting started but they by no means gave me the answers. I will be posting some of my hardships from a beginner perspective.

 The Pinky's Palace VM download from Vulnhub can be found here: https://www.vulnhub.com/entry/pinkys-palace-v1,225/

Wire App: Bot Service Registration

The following URL is the one required to register a new Wire App bot service: https://prod-nginz-https.wire.com/provider/services

When crafting your API call to register a new bot service, you should be using the POST method. This is not to be confused with registering a provider.

For the headers use the following key:value pair:

Content-Type: application/json

The Body of the request should be the following:

{
  "name": "Name of the bot. Should be same as the Bot Provider Name",
  "description": "Description about the bot, can be same as bot provider description",
  "summary": "Can be same as description",
  "base_url": "https://INSERT_URL_OR_IP_ADDRESS:8050",
  "public_key": "-----BEGIN PUBLIC KEY----- INSERT YOUR KEY HERE -----END PUBLIC KEY-----",
  "tags": ["insert,your,tags"]
}

Once you submit your API call, check your email for a registration verification link. 

Wire App: Bot Authentication

The following URL is the one required to authenticate as a Wire App bot provider: https://prod-nginz-https.wire.com/provider/login

When crafting your API call to authenticate as a bot provider, you should be using the POST method.

For the headers use the following key:value pair:

Content-Type: application/json

The Body of the request should be the following:

{"email": "The email you registered the provider with", "password": "The password you received after registering as a bot provider"}

I used Postman, a piece of software that makes API development easier. It can be obtained here: https://www.getpostman.com/

If you prefer to use cURL, the command would be as follows:

Wire App: Bot Provider Registration

The following URL is the one required to register a new Wire App Bot provider: https://prod-nginz-https.wire.com/provider/register

When crafting your API call to register a new bot provider, you should be using the POST method.

For the headers use the following key:value pair:

Content-Type: application/json

The Body of the request should be the following:

{
  "name": "Name of the Bot",
  "email": "Email to register the bot under",
  "url": "enter your website or just use https://",
  "description": "Description about your bot"
}

Once you submit your API call, check your email for a registration verification link. 

I used Postman, a piece of software that makes API development easier. It can be obtained here: https://www.getpostman.com/

If you prefer to use cURL, the command would be as follows:

Wire App: Bot SDK API Calls

These are the API calls I've found which are required to register a new bot for the Wire secure messaging application:

Bot API Calls

Bot/Account Provider Registration: https://prod-nginz-https.wire.com/provider/register
Bot Authentication: https://prod-nginz-https.wire.com/provider/login
Bot Service Registration: https://prod-nginz-https.wire.com/providers/services

User API Calls

User Authentication: https://prod-nginz-https.wire.com/login
List Conversations: https://prod-nginz-https.wire.com/conversations 
Add Bot to Conversation: https://prod-nginz-https.wire.com/conversations/{convoID}/bots

Brisingr: Fortnite Tracker

I wanted to add a new module into Brisingr for anyone that wanted to pull their Fortnite stats. Started off with some Google searches to see if there was anything out there for an official API or one to call. I found an API through the Tracker Network, however, it appeared to be broken based on the API call responses I received.

There had to be somewhere the Tracker Network was getting their stats from, and I went searching further.

I found in the Fortnite logs the following URLs which I have labeled as to what they appear to call and respond with data wise:

JIS-CTF Walkthrough

WARNING: There will be spoilers to obtaining the 5 keys on JIS-CTF VM from Vulnhub. This is your warning! If you wish to penetration test this machine, do not scroll down much further.
General disclaimer: I am by no means an expert penetration tester nor do I have a lot of experience doing penetration testing. This walkthrough is from the perspective of an amateur who is trying to become better. The goal is for me to eventually take the OSCP. That being said, I had a bit of help from some colleagues from my company getting started but they by no means gave me the answers. I will be posting some of my hardships from a beginner perspective.

 The JIS-CTF VM download from Vulnhub can be found here: https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/