Trick or Treat on Specter Street: Phantom Pages
Hey everyone! 👋 I've been working through Trick or Treat and having a blast so far. However, I've hit a wall on Question #3 of Phantom Pages and could use some help! What I've tried: Found the library and answer to #2 Examined all the book titles Identified 3 titles that have numbers at the end Reviewed the available hints I have these books with the numbers (horror, swamp and mask) but I'm not sure how to combine or use anything to create the 9 digits authorization code. Am I missing a pattern? Should I be looking at something else? Any hints or help would be greatly appreciated! Thanks in advance!
Server-Side Request Forgery Q6 & Q7
Hi, I am looking for some help with the question "Exploit the SSRF vulnerability and read the configuration file of the previously identified service account, running on port 3000. What version number is the bot running?" I have found the bot name and tried the URL 10.102.160.173/lookup?url=http://localhost:3000/svc-debug/config However, it doesn't matter which way I try the URL; I can't seem to get it to work. Any Suggestions. I would think that the help for this would also assist with Q7.
Trick or Treat on Specter Street: Widow's Web
I am very stucked in Trick or Treat on Specter Street: Widow's Web I can't do none of the questions, but in any case I start by 4th that is the first answerable one Your first task is to simulate the loyal Crawlers. Run legitimate-crawler and inspect the output in Lab-Files to observe their behavior. To simulate the rogue Crawlers, you must discover the hidden paths on the website. Read the blog posts – they contain clues. Disallow these in Website-Files/robots.txt and run malicious-crawler. Inspect the output in Lab-Files. What is the token? I have created the robots.txt file since I understand that malicious-crawler goes expressedly there. My robots.txt contains all url's I can imagin Disallow: /secret Disallow: /treat Disallow: /hidden Disallow: /crypt Disallow: /warden Disallow: /rituals Disallow: /witch-secrets Disallow: /admin Disallow: /vault Disallow: /uncover Disallow: /post1 Disallow: /post2 Disallow: /post3 Disallow: /post4 Disallow: /contact Disallow: /drafts/rituals But the result of malicious-crawler.txt doesn't give me either a token nor a hint I have curl-ed all pages looking for words as token and nothing. I have found some key words in http://127.0.0.1:3000/witch-secrets as intercepted-incantations, decoded them and nothing. I have searched in spider-sigthings.log what hapened at 3.00 am but nothing Can someone gime me a hint?Trick or Treat on Specter Street: Ghost of the SOC
I know it's one of the challenge labs but I'm fairly sure I'm missing something extremely straight forward, it's 100 point difficulty 4.... Someone help me please! I'm banging my head against a wall with this one! If anyone can point me in the right direction of the specific persistence mechanism I think that would be a start Q8. Use the service account to delete the spirit's persistence mechanism. The methods you employ to gain access to this account are up to you.
Trick or Treat on Specter Street: Ghost of the SOC
Hi, I am being very blind here but i am struggling so a hint would be great. I am at Q3 trying to find the username the Glitch Geist executed the script under. The alert i have found in kibana relates to a powershell issue, but everything i see around that alert suggests the user.name is Administrator which is not accepted as the answer. Also tried this which i have seen S-1-5-18 and what i believe it relates to Local System. Any nudges in the right direction would be appreciated.
CVE-2021-22205 (GitLab) – Defensive
Hello, I'm going through some old labs I haven't managed to complete. This one's a bit of a beast. I can get a reverse shell, I can see I am git. however I cannot for the life of me Identify the NGINX log files. this doesn't return anything from the shell or when I am shh'd into the gitlab server find / -type f -name "gitlab_access.log" 2>/dev/null and this isn't returning anything from either the shell or ssh session iml-user@defsec:~/Desktop$ sigmac -t grep sigma.yml grep -P -i '^(?:.*(?=.*POST)(?=.*499))' any clues gratefully received ;)
