Inês Martins

Another post about erasing files/directories from git history

~ brew install git-filter-repo ~ git filter-repo --invert-paths --path 'path-to-file-or-directory' ~ git remote remove origin ~ git remote add origin git@github.com:<path-to-repository>.git ~ git push origin --force 'refs/heads/*'Note that I'm using brew to install git-filter-repo, you may need to look for alternative installation methods, depending on your OS.

Exfiltrating data from Android applications via WebView Takeover (Open Redirect)

In this article, I go through the scenarios in which I've been able to exfiltrate data from real Android applications, after detecting a WebView takeover (aka "Open Redirect") vulnerability.

DataStore is the new SharedPreferences, old vulns still apply

Neither DataStore nor SharedPreferences should be used to persist sensitive data ... but as we know, Insecure Data Storage is one of the most common vulnerabilities found in mobile applications.

wordpress

HTB Write-up | Paper

A quick initial scan discloses web services running on ports 80 and 443, as well as an SSH server running on port 22: ~ nmap 10.10.11.143 -F -Pn PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open httpsA closer look at these ports

oracle apex

Creating a very spammable endpoint with Oracle APEX Restful Services

I'm helping an organisation that has a very simple (and very static) corporate website. They were interested in adding a contact form, and wanted the data to be sent to their APEX-managed database. Building an entire back-end service for this purpose seemed like too much work, so I decided to

How to import mySQL data into Oracle APEX (the hard way)

Oracle Application Express (APEX) is a low-code development platform that enables you to build scalable, secure enterprise apps, with world-class features, that can be deployed anywhere.Recently I was asked to import a mySQL database into APEX. Although support for mySQL databases is on the roadmap, it seems like for

HTB Write-up | Previse

Retired machine can be found here. ScanningAs always, we start by mapping the previse.htb hostname to the given IP: ~ sudo nano /etc/hosts 10.10.11.104 previse.htbThe nmap scan is pretty boring, it seems there's a web server running on port 80 and an SSH server on

HTB Write-up | BountyHunter

Retired machine can be found here. ScanningLike with most HTB machines, a quick scan only disclosed SSH running on port 22 and a web server running on port 80: ~ nmap 10.10.11.100 PORT STATE SERVICE 22/tcp open ssh 80/tcp open http ~ nmap 10.10.11.100

android

HTB Write-up | Explore

Retired machine can be found here. esketitLet's start with some basic scanning: ~ nmap -A 10.10.10.247 PORT STATE SERVICE VERSION 2222/tcp open ssh (protocol 2.0) | fingerprint-strings: | NULL: |_ SSH-2.0-SSH Server - Banana Studio | ssh-hostkey: |_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:

Exploiting Deep Links in Android - Part 5 (Testing)

EnumerationEnumeration should always start with the App Manifest, which can be extracted from any .apk with a tool such as apktool, e.g.: ~ apktool d com.twitter.android_2021-10-22.apk I: Using Apktool 2.5.0 on com.twitter.android_2021-10-22.apk I: Loading resource table... I: Decoding AndroidManifest.xml

htb

HTB Write-up | Monitors

Retired machine can be found here.ScanningLet's start the same as always, with a basic nmap scan: ~ nmap -sC -sV -A 10.10.10.238 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-01 11:15 WEST Nmap scan report for 10.10.10.238 Host is up (0.32s

webdisk

Automatic Web Disk deployment with Github Actions

A Web Disk (aka: WebDav) is a protocol that provides a simple interface to manage files stored on a server - it's basically an alternative to FTP that is provided by some hosting services. Some time ago I was given the task to deploy a website using a WebDisk and

deep links

Exploiting Deep Links in Android - Part 4 (Mitigation)

Preventing Deep Link HijackingWhen it comes to preventing Deep Link Hijacking, the message is simple: stop using Scheme URLs and start using (properly verified) App Links or Intent URLs. [If you're lost maybe you should go back to Part 1] As of August 2021 only about 6% of Android devices

android

Exploiting Deep Links in Android - Part 3

So .. what else can we do with deep links? Local File Inclusion (LFI)In part 2 we saw how to achieve LFI via the WebView.loadUrl method. In this part we'll explore an alternative that doesn't require the application to contain a WebView. Let's continue using the ABC Bank Android

ipa

MobSF "IPA Binary Analysis" | Step by Step

MobSF is an open source static and dynamic analysis tool for Android and iOS, which can be used to quickly detect major issues on your mobile application. When scanning an .ipa, the "IPA Binary Analysis" section can report multiple issues that can be hard to interpret. Hopefully this article will

android

Exploiting Deep Links in Android - Part 2

In this part, we're going to start to answer the question: "What can you do if you can trick a user into clicking a malicious deep link?" Let's go back to the ABC Bank example. ABC Bank has both a web and an Android application, and they use deep links

android

Exploiting Deep Links in Android - Part 1

Deep links are an often overlooked way to exploit Android applications. In this series I hope to do a deep dive into their history, common vulnerabilities with real-life examples, possible mitigations, and testing techniques for pentesters and researchers. In this first part, we do a quick overview of the supported

php

Running a PHP application on Big Sur using Apache

If you have a PHP application and want a quick approach for running it on a mac with the latest OS version, then this tutorial might be useful. Testing and launching the Apache serverBig Sur already comes with Apache installed. You can check the current version by running: ~ httpd -v

tshark

USB Keyboard capture parser

During a recent CTF I had to extract keys from a USB Keyboard capture, and (as usual) decided to create a simple Python 3 script to parse the original keys. As shown on the Gist below, this script takes any .pcap file and optionally the path to the tshark executable,

bloodhound

Setting up Bloodhound on macOS

On a recent CTF I needed to set up Bloodhound on macOS and came across some issues. Hope this helps someone in need. :) Installing a compatible Python versionBecause of the way in which Python 3.8 handles multiprocessing in macOS you need to downgrade to Python 3.7.3 to

ghost

Update: Simplest way to host your Ghost blog on GitHub Pages

Last year I created a post about how to get a Ghost blog up and running on Github Pages without much effort. This worked well, but after being forced to update ghost-cli to version 1.17.3 I ran into a few issues and had to rethink the entire process.

oposec

ØxOPOSɆC - HTTP2

URL: https://20.56.49.147/ | Keep calm and get the flag :)When you enter the IP directly on the browser you see only an image sourced from Github and a hidden clue: "Lost? It's evolution, baby...": The image shows the evolution of the HTTP protocol, so it makes sense

macOS

Fixing keyboard type on Big Sur

It seems like Big Sur is randomly defaulting the keyboard type to ANSI and, for some weird reason, Apple has removed the ability to change this directly on the keyboard settings. What to do?Apparently, the only thing to do is to force the OS to re-configure the keyboard: Go

crypto

ØxOPOSɆC - Don Joe [Crypto]

Don Joe insists his site is as secure as can be! Can you prove that the best web dev of all time is wrong?" URL: https://don-joes-blog.herokuapp.com/ There are two flagsDon Joe's Blog has a very simple interface and lists only 4 blog posts: Clicking on the articles

htb

HTB Write-up | Time

Retired machine can be found here.ScanningIt seems like this machine is running OpenSSH on port 22 and an Apache web server on port 80: ~ nmap -sC -sV time.htb PORT STATE SERVICE VERSION PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux;