HTB Write-up | Horizontall (user-only)

Write-up for Horizontall, a retired HTB Linux machine.

Inês Martins Jan 3, 2025 • 3 min read
Automatic Threat Modeling with pytm and Github Actions

pytm is an OWASP tool that integrates with a custom GPT to make the threat modeling process quicker and more automated. I've developed a custom Github Action that, on every Pull Request event, generates or updates a Threat Model report, based on changes to the Python files generated using the

Inês Martins Nov 14, 2024 • 1 min read
HTB Write-up | FormulaX (user-only)
ctf

Write-up for FormulaX, a retired HTB Linux machine.

Inês Martins Nov 13, 2024 • 12 min read
HTB Write-up | Blazorized (user-only)
ctf

Write-up for Blazorized, a retired HTB Windows machine.

Inês Martins Nov 13, 2024 • 6 min read
HTB Write-up | iClean (user-only)
ctf

Write-up for iClean, a retired HTB Linux machine.

Inês Martins Aug 4, 2024 • 6 min read
Exploiting SSRF in Kubernetes

While testing an API that was exposed to the Internet, I found an unauthorised SSRF vulnerability that allowed me to trick the server into performing any GET request using http or https protocol. I had access to the response (i.e.: this wasn't a blind SSRF), full control of the

Inês Martins Apr 1, 2024 • 1 min read
HTB Write-up | Vessel (user-only)
ctf

Write-up for Vessel, a retired HTB Linux machine.

Inês Martins Nov 12, 2022 • 9 min read
Exfiltrating data from Android applications via WebView Takeover (Open Redirect)

In this article, I go through the scenarios in which I've been able to exfiltrate data from real Android applications, after detecting a WebView takeover (aka "Open Redirect") vulnerability.

Inês Martins Oct 6, 2022 • 2 min read
DataStore is the new SharedPreferences, old vulns still apply

Neither DataStore nor SharedPreferences should be used to persist sensitive data ... but as we know, Insecure Data Storage is one of the most common vulnerabilities found in mobile applications.

Inês Martins Sep 15, 2022 • 2 min read
HTB Write-up | Paper
wordpress

Write-up for Paper, a retired HTB Linux machine.

Inês Martins Jul 16, 2022 • 4 min read
Creating a very spammable endpoint with Oracle APEX Restful Services
oracle apex

I'm helping an organisation that has a very simple (and very static) corporate website. They were interested in adding a contact form, and wanted the data to be sent to their APEX-managed database. Building an entire back-end service for this purpose seemed like too much work, so I decided to

Inês Martins May 7, 2022 • 3 min read
How to import mySQL data into Oracle APEX (the hard way)

Oracle Application Express (APEX) is a low-code development platform that enables you to build scalable, secure enterprise apps, with world-class features, that can be deployed anywhere. Recently I was asked to import a mySQL database into APEX. Although support for mySQL databases is on the roadmap, it seems like for

Inês Martins Mar 18, 2022 • 2 min read
HTB Write-up | Previse

Retired machine can be found here. Scanning: As always, we start by mapping the previse.htb hostname to the given IP: ~ sudo nano /etc/hosts 10.10.11.104 previse.htb The nmap scan is pretty boring, it seems there's a web server running on port 80 and an SSH server on

Inês Martins Jan 21, 2022 • 7 min read
HTB Write-up | BountyHunter

Retired machine can be found here. Scanning: Like with most HTB machines, a quick scan only disclosed SSH running on port 22 and a web server running on port 80: ~ nmap 10.10.11.100 PORT STATE SERVICE 22/tcp open ssh 80/tcp open http ~ nmap 10.10.11.100

Inês Martins Nov 29, 2021 • 7 min read
HTB Write-up | Explore
android

Retired machine can be found here. esketit Let's start with some basic scanning: ~ nmap -A 10.10.10.247 PORT STATE SERVICE VERSION 2222/tcp open ssh (protocol 2.0) | fingerprint-strings: | NULL: |_ SSH-2.0-SSH Server - Banana Studio | ssh-hostkey: |_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:

Inês Martins Oct 30, 2021 • 3 min read
Exploiting Deep Links in Android - Part 5 (Testing)

Enumeration: Enumeration should always start with the App Manifest, which can be extracted from any .apk with a tool such as apktool, e.g.: ~ apktool d com.twitter.android_2021-10-22.apk I: Using Apktool 2.5.0 on com.twitter.android_2021-10-22.apk I: Loading resource table... I: Decoding AndroidManifest.xml

Inês Martins Oct 30, 2021 • 4 min read
HTB Write-up | Monitors
htb

Retired machine can be found here. Scanning: Let's start the same as always, with a basic nmap scan: ~ nmap -sC -sV -A 10.10.10.238 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-01 11:15 WEST Nmap scan report for 10.10.10.238 Host is up (0.32s

Inês Martins Oct 9, 2021 • 9 min read
Exploiting Deep Links in Android - Part 4 (Mitigation)
deep links

Preventing Deep Link Hijacking: When it comes to preventing Deep Link Hijacking, the message is simple: stop using Scheme URLs and start using (properly verified) App Links or Intent URLs. [If you're lost maybe you should go back to Part 1] As of August 2021 only about 6% of Android devices

Inês Martins Sep 23, 2021 • 3 min read
Exploiting Deep Links in Android - Part 3
android

So .. what else can we do with deep links? Local File Inclusion (LFI): In part 2 we saw how to achieve LFI via the WebView.loadUrl method. In this part we'll explore an alternative that doesn't require the application to contain a WebView. Let's continue using the ABC Bank Android

Inês Martins Sep 4, 2021 • 4 min read
MobSF "IPA Binary Analysis" | Step by Step
ipa

MobSF is an open source static and dynamic analysis tool for Android and iOS, which can be used to quickly detect major issues on your mobile application. When scanning an .ipa, the "IPA Binary Analysis" section can report multiple issues that can be hard to interpret. Hopefully this article will

Inês Martins Aug 21, 2021 • 9 min read
Exploiting Deep Links in Android - Part 2
android

In this part, we're going to start to answer the question: "What can you do if you can trick a user into clicking a malicious deep link?" Let's go back to the ABC Bank example. ABC Bank has both a web and an Android application, and they use deep links

Inês Martins Aug 15, 2021 • 3 min read
Exploiting Deep Links in Android - Part 1
android

Deep links are an often overlooked way to exploit Android applications. In this series I hope to do a deep dive into their history, common vulnerabilities with real-life examples, possible mitigations, and testing techniques for pentesters and researchers. In this first part, we do a quick overview of the supported

Inês Martins Aug 13, 2021 • 6 min read
Running a PHP application on Big Sur using Apache
php

If you have a PHP application and want a quick approach for running it on a Mac with the latest OS version, then this tutorial might be useful. Testing and launching the Apache server: Big Sur already comes with Apache installed. You can check the current version by running: ~ httpd -v

Inês Martins Jul 23, 2021 • 2 min read
USB Keyboard capture parser
tshark

During a recent CTF I had to extract keys from a USB Keyboard capture, and (as usual) decided to create a simple Python 3 script to parse the original keys. As shown on the Gist below, this script takes any .pcap file and optionally the path to the tshark executable,

Inês Martins Jul 18, 2021 • 1 min read
Setting up Bloodhound on macOS
bloodhound

Edit: This article is now outdated, I recommend that you follow the instructions at https://bloodhound.specterops.io/get-started/quickstart/community-edition-quickstart to install the latest version of Bloodhound on macOS. On a recent CTF I needed to set up Bloodhound on macOS and came across some issues. Hope this helps

Inês Martins Jul 11, 2021 • 3 min read