Introduction Reconnaissance is the backbone of any successful penetration test or red team engagement. Yet, it’s often a tedious and repetitive process: run a bunch of tools, parse messy output, figure out what’s important, and decide the next steps. What if…

Search all files within the squashfs filesystem for the string ‘default_config.xml’. Inspecting libcmm.so After decompiling with Ghidra and searching for the string ‘default_config.xml,’ I cross-referenced and inspected the function calls, eventually identifying a function, dm_decryptFile, which uses a hardcoded key in…

This guide walks through the process of compiling and deploying a statically linked OpenSSH server for a MIPS-based router using `musl-cross-make`. It includes all necessary dependencies and ends with running a working SSH server on the device. 🎯 Motivation The primary…

Task: Get session token for admin, using reflective XSS. Approach: I first try to understand the blacklisted characters/tags. Try to find a working payload that bypasses the blacklist and executes a script to reflect with the cookie. Step #1: Identifying the…

Can you find a treasure? Task: In this challenge, we had to find the flag using LFI. Triage: Findings from source code review: Approach: I first attempt to bypass the character blacklisting. After successfully bypassing the WAF, I try to find…

Triage: The website allows users to upload results from a ski race, which are stored in a database and rendered for viewing. Users can report race information to publish it for admin review. Below are the key functionalities of the website:…