Golden Ticket Attacks
Active Directory (AD) is ubiquitous in enterprise networks, acting as the keystone for authentication and access. As with any system, AD isn’t immune to vulnerabilities. The Golden Ticket attack exemplifies a critical AD weakness, promising attackers unparalleled access once exploited. This article provides a granular, hands-on guide to Golden Ticket attacks for Capture The Flag […]
Pass the Ticket: An AD Attack Method
Pass-the-Ticket (PtT) is a popular method of attack in AD environments, capitalizing on Kerberos tickets to gain unauthorized access. This guide breaks down PtT for the active CTF player, offering actionable code and clear steps to execute under time pressure. PtT Basics: In Kerberos authentication, tickets, rather than passwords, grant access to resources. If an […]
DDoS Attacks: How to Take Down a Server
Distributed Denial of Service (DDoS) attacks are popular cyber-attacks that focus on taking down a system’s availability by denying resources to legitimate connections. DDoS attacks come in many forms, commonly as an attack that heavily congests a network to the point of being unusable. Furthermore, DDoS attacks crash or even destroy resources depending […]
Steganography for CTF
Using Steganography Tools in CTFs: Extracting Hidden Flags with Steghide. Capture The Flag (CTF) competitions often require participants to solve a variety of challenges, and one common type involves steganography, the art of concealing data within seemingly innocuous files, such as images. In this blog, we will explore how to use steghide, a popular steganography […]
Kerberoasting: An Offensive Playbook
Active Directory, a cornerstone of many networks, is riddled with complexities and nuances. It is these intricacies that give birth to vulnerabilities like Kerberoasting. This article aims to provide a detailed, hands-on guide to Kerberoasting for Capture The Flag (CTF) enthusiasts. Let it serve as a touchstone during your challenges. Kerberos and SPNs: Kerberos: A […]
Heartbleed for Attacking OpenSSL
Heartbleed is a bug in the OpenSSL library that allows users to access restricted memory addresses on a server. This enables unprivileged users to reach data to which they wouldn’t usually have access. This data includes confidential information such as usernames and passwords, along with a server’s private key. Preface: Let’s quickly define a few […]
HTML Injection – Platform for Phishing Users
HTML Injection is a type of attack that allows a malicious user to inject arbitrary HTML content into a site’s webpage. HTML injection is comparable to a limited XSS attack where malicious users can only enter HTML tags. When a web application does not properly handle user input, attackers can supply valid HTML code, adding […]
Exploitation Cheat Sheet
This page serves as a cheat sheet for quickly launching commands for identified vulnerabilities. Use it as a reference guide or for syntax help. SQL Injection Manual SQLi Error-Based # Generic’ OR ‘1’=’1′– ‘# ‘– -# Login Formsadmin’–admin’– – Boolean-Based Blind True: ‘ AND ‘1’=’1False: ‘ AND ‘1’=’2# ‘ AND 1=1–‘ OR 1=1–‘ OR ‘a’=’a’ […]