APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance [Solved]

I need help with Q6. Any hint please? The attacker launches a PowerScript useful for reconnaissance activities. What is the full file path of the executed script? I searched (EventCode=4103 OR EventCode=4104) combined with powershell.

Web App Hacking (Lab series): CVE-2022-2143 (iView2)

Hello all, I have spent way too long trying to complete the iView2 exploit. I was expecting a text box on the page for command entry, but I cannot get anything like that. I have been able to send a POST request to the NetworkServlet page using the provided exploit string, and I know that test.jsp is created because I can use the query parameter ?cmd=whoami and get the mysqldump output showing "nt authority\system". I cannot get any other query parameters to execute, even simple ls or dir commands. I found y4er's blog post and everything I see in terms of the syntax of the exploit appears to be identical to the lab. Any directions/suggestions/hints would be greatly appreciated! Thanks in advance.

J

Privilege Escalation: Linux – Demonstrate Your Skills [Solved]

Hello, I'm doing the lab "Privilege Escalation: Linux – Demonstrate Your Skills". I'm stuck on the second part regarding FILE-SRV-DEV. I've found with linPEAS a file (/usr/bin/base64) with the SUID bit set, but I don't know if I am on the right track; when I try to use it I get "permission denied". Am I on the right track by trying to use the base64 file?

Thanks in advance,
Gwenael

S3: Demonstrate Your Skills

I have completed all 10 questions except question 6.

6. Access control
Create an access point (AP) called metrolio-dev-ap attached to the metrolio-data-467e6352 bucket. This should allow developers working in the dev VPC vpc-08333ea4fc7562479 using the role arn:aws:iam::447645673093:role/metrolio-developer to list and get all objects in the bucket. Ensure you follow best practices of blocking public access.
NOTE: AWS often faces internal errors – we believe these to be race conditions – when applying policies to new access points. You may need to re-apply the policy to the AP.

I have re-applied the access point policy several times but it is still not detected. I'm not sure if it is my access point policy or the AWS Immersive Labs environment that is at fault. Any help would be greatly appreciated.

This is my access point policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::447645673093:role/metrolio-developer"
          },
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap/object/*",
            "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceVpc": "vpc-08333ea4fc7562479"
            }
          }
        }
      ]
    }

I tried to replicate similar permissions in the bucket policy, only to be denied by a restrictive permission.

NOTE: Account ID, bucket names and a few other identifiers do not match between screenshots 1-2 and screenshot 3. Screenshot 3 is from a different attempt.

Radare2 Reverse Engineering: Ep.2 – Windows Binary Part 2

I have run into a challenge with Question 3 on this lab. I can't seem to get the appropriate MD5 hash value for the .text section to correctly answer this question. I feel that I am close but slightly off on one of the mandatory calculations. Any insight or guidance on what I'm missing / doing incorrectly would be greatly appreciated. Thanks in advance.

APT29 Threat Hunting with Splunk Ep.11 Q11

What other value was set on the same key to facilitate the bypass? Searching on the key, there's only one log entry. I'm not clear on what "other value" means. I've tried all the file paths referenced in that log entry, different parts of the registry key, parts of the script that executes, even the cat.png file. What am I missing?
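For the Ep.4 Q6 post above (EventCode 4103/4104 and the path of an executed script): 4104 script-block records carry the on-disk path of the script in their Path field, which is empty for script blocks run from memory or typed at the console, and 4103 module-logging records carry it on the Script Name line of their ContextInfo text. The following Python is an added example, not from the lab or the original poster; it parses records in the Windows event XML shape and collects script paths from both event types. The three records are constructed samples, not lab data, and the user path, script name and commands in them are made up.

```python
import re
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Constructed sample records (not lab data): a 4104 script-block event for a script
# run from a file, a 4103 module-logging event for the same script, and a 4104 event
# for an interactive command, which has no Path because nothing on disk was executed.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID></System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Get-NetTCPConnection | Select-Object LocalAddress, RemoteAddress</Data>
    <Data Name="ScriptBlockId">11111111-2222-3333-4444-555555555555</Data>
    <Data Name="Path">C:\Users\example\AppData\Local\Temp\recon.ps1</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4103</EventID></System>
  <EventData>
    <Data Name="ContextInfo">        Severity = Informational
        Host Name = ConsoleHost
        Command Name = Get-NetTCPConnection
        Command Type = Cmdlet
        Script Name = C:\Users\example\AppData\Local\Temp\recon.ps1
        Command Path = </Data>
    <Data Name="Payload">CommandInvocation(Get-NetTCPConnection): "Get-NetTCPConnection"</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID></System>
  <EventData>
    <Data Name="ScriptBlockText">whoami /all</Data>
    <Data Name="Path"></Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text):
    """Return (event_id, {data name: text}) for one Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def script_path(event_id, data):
    """Path of the script file the record names, or None for in-memory / console script blocks."""
    if event_id == 4104:
        return data.get("Path") or None
    if event_id == 4103:
        # ContextInfo is a multi-line "Key = Value" text; an empty Script Name yields no match.
        m = re.search(r"Script Name = (\S.*)", data.get("ContextInfo", ""))
        return m.group(1).strip() if m else None
    return None


def executed_scripts(events):
    """Map each script path seen to the set of event IDs that reported it."""
    seen = {}
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        path = script_path(event_id, data)
        if path:
            seen.setdefault(path, set()).add(event_id)
    return seen


if __name__ == "__main__":
    for path, ids in executed_scripts(SAMPLE_EVENTS).items():
        print(f"{path}  (from events {sorted(ids)})")
```

The same distinction applies in a SIEM search: a 4104 record with a non-empty Path names a file that was executed, while a record with an empty Path is a script block that only ever existed in memory, so searching on the keyword "powershell" alone will mix both kinds.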
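For the S3 access point post above: the posted policy gates every grant on the aws:SourceVpc condition key and splits s3:ListBucket (granted on the access point ARN) from s3:GetObject (granted on the access point's object ARN). The Python below is an added example, not part of the post, the lab or any AWS library; it is a small evaluator for that exact policy document that implements only resource-policy matching (principal, action, resource, StringEquals condition, explicit Deny over Allow) so it shows which requests the access point policy alone admits. It does not model the bucket policy, the role's identity policy or SCPs, which a real request is also checked against. The role ARN, access point ARN and VPC ID are the ones from the post; the object key and the second VPC ID used in the checks are made up.

```python
import json
from fnmatch import fnmatchcase

# The access point policy exactly as posted in the S3 question above.
ACCESS_POINT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::447645673093:role/metrolio-developer"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap/object/*",
        "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap"
      ],
      "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-08333ea4fc7562479"}}
    }
  ]
}
""")

DEV_ROLE = "arn:aws:iam::447645673093:role/metrolio-developer"
AP_ARN = "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap"
DEV_VPC = "vpc-08333ea4fc7562479"


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, principal_arn, action, resource, context):
    """True if the statement's principal, action, resource and conditions all match the request."""
    principal = stmt.get("Principal", {})
    principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if not any(p == "*" or p == principal_arn for p in principals):
        return False
    # Action names are case-insensitive and may use * and ? wildcards.
    if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    # Resource ARNs are case-sensitive; * spans '/' so object/* covers nested keys.
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    # StringEquals: every listed key must be present in the request context with a listed value.
    # A missing key (a request that did not arrive through the VPC) fails the condition.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, principal_arn, action, resource, context):
    """Resource-policy decision: an explicit Deny wins, any matching Allow grants, otherwise implicit deny."""
    matching = [s for s in policy["Statement"]
                if _statement_matches(s, principal_arn, action, resource, context)]
    if any(s.get("Effect") == "Deny" for s in matching):
        return False
    return any(s.get("Effect") == "Allow" for s in matching)


if __name__ == "__main__":
    obj = AP_ARN + "/object/reports/q1.csv"  # made-up object key
    checks = {
        "developer GetObject from the dev VPC": (DEV_ROLE, "s3:GetObject", obj, {"aws:SourceVpc": DEV_VPC}),
        "developer GetObject with no aws:SourceVpc (e.g. from the internet)": (DEV_ROLE, "s3:GetObject", obj, {}),
        "developer ListBucket on the access point": (DEV_ROLE, "s3:ListBucket", AP_ARN, {"aws:SourceVpc": DEV_VPC}),
        "developer PutObject (never granted)": (DEV_ROLE, "s3:PutObject", obj, {"aws:SourceVpc": DEV_VPC}),
    }
    for label, args in checks.items():
        print(f"{label}: {'ALLOW' if is_allowed(ACCESS_POINT_POLICY, *args) else 'DENY'}")
```

A request made through an access point is evaluated against the bucket policy as well as the access point policy, so the bucket policy has to let access point requests through; AWS's documented pattern for that is to delegate to access points in the bucket policy with the s3:DataAccessPointAccount (or s3:DataAccessPointArn) condition key rather than repeating the object grants there.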
CVE-2020-11651 (SaltStack RCE) – Defensive [Solved]

Using the PCAP file located on the Desktop, what are the last five characters of the root_key that was sent to the attacker? I am stuck with question number 5. Any hint? I tried tcp.payload matches "_send_pub" and just tcp.port == 4506.

Threat Hunting: Investigating a Fake PoC Q9

I am having issues trying to solve this last question. After running some obfuscated PowerShell commands, the program outputs either a success or a failure message. What command is executed that sets the value of the "text" variable within the "main" function? Any tip? Thanks