Showing posts from April, 2020

Security WarGame By PAC Security

So first of all I opened the link, which had a zip file. I downloaded it and then tried to open it. It was password encrypted, so I used john to decrypt it. So here we can see that the password of the zip was "password" itself. Now I opened it. It contained a "pac.apk" file, so first I ran the file command. Using file it was confirmed that it is not an apk file, so I used "cat" to print the output and I saw a text with "==", so I rushed to use base64, but it was not base64. So I googled the cipher which gives output with '==' and I found the blowfish cipher there, so I googled a decoder for the blowfish cipher and bingo, I got the result, that is:- I picked up from 'o+7...' because there is a space between them, and the site name was revealed. I opened it and found this page. So the first thing is that I used dirb on this page and I got the result as follows: URL /~adm URL /~404 And...

What this could be? | CTF Learn | Cryptography

This is the file we got after visiting the link. The only hint we know is "Special Characters". This looks like some esoteric programming language which is written using some special characters. After searching, we got to know that it is an esoteric programming language, "JSFuck". Now let's go and decrypt this using an online JSFuck decoder. After decrypting, we got the flag: "flag{5uch_j4v4_5crip7_much_w0w}"

Author: Somya Agrawal

Calculat3 M3 | CTF Learn

This walkthrough demonstrates a simple challenge based on command injection: Calculat3 M3. This is the challenge page we got after visiting the given link. I provided random input in this calculator and intercepted the request with Burp Suite. I got one parameter, "expression", taking the values. Tried for command injection with ";ls". Forwarding the above request, finally got the flag.