- UAF in chess game, overwrite
- Intended: Append ; secure; samesite=none to the cookie. Now, <script src="https://jason.2021.chall.actf.co/flags?callback=load"></script> would retrieve the flag.
- Unintended: Append .actf.co as domain to the cookie using CSRF -> Set up an XSS payload in the reaction.py challenge -> Log in to it using CSRF -> Payload in reaction.py exfiltrates document.cookie
- Kerberos Exploitation
- MS MySQL Server
- RCE by uploading web.config
- Windows IIS 7.5
- MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
- File recovery from the memory dump
- Environment variables analysis.
- RAR and Zip password cracking.
- Cracking Windows user password hash.
- Extracting Keepass Master Password from keystrokes of logged data.
- Retrieving the flag from Samba SMB workgroup guest.
- Anonymous login to FTP server.
- Retrieve SSH login username and password from Firefox History
- SQL Injection
- Linpeas Priv-Esc
- The dump has some encrypted functions
- The encrypted bytes are XORed with a 32-byte key
- Find the xor_key in the dump
- Use xor_key offset to find the offset of AES_key and iv
- AES_CBC decrypt to find flag
- Local File Inclusion