Inês Martins

HTB Write-up | Horizontall (user-only)

Write-up for Horizontall, a retired HTB Linux machine.

Automatic Threat Modeling with pytm and Github Actions

pytm is a OWASP tool that integrates with a custom GPT to make the threat modeling process quicker and more automated. I've developed a custom Github Action that, on every Pull Request event, generates or updates a Threat Model report, based on changes to the Python files generated using the

ctf

HTB Write-up | FormulaX (user-only)

Write-up for FormulaX, a retired HTB Linux machine.

ctf

HTB Write-up | Blazorized (user-only)

Write-up for Blazorized, a retired HTB Windows machine.

ctf

HTB Write-up | iClean (user-only)

Write-up for iClean, a retired HTB Linux machine.

Exploiting SSRF in Kubernetes

While testing an API that was exposed to the Internet, I found an unauthorised SSRF vulnerability that allowed me to trick the server into performing any GET request using http or https protocol. I had access to the response (i.e.: this wasn't a blind SSRF), full control of the

ctf

HTB Write-up | Vessel (user-only)

Write-up for Vessel, a retired HTB Linux machine.

Exfiltrating data from Android applications via WebView Takeover (Open Redirect)

In this article, I go through the scenarios in which I've been able to exfiltrate data from real Android applications, after detecting a WebView takeover (aka "Open Redirect") vulnerability.

DataStore is the new SharedPreferences, old vulns still apply

Neither DataStore nor SharedPreferences should be used to persist sensitive data ... but as we know, Insecure Data Storage is one of the most common vulnerabilities found in mobile applications.

wordpress

HTB Write-up | Paper

Write-up for Paper, a retired HTB Linux machine.

oracle apex

Creating a very spammable endpoint with Oracle APEX Restful Services

I'm helping an organisation that has a very simple (and very static) corporate website. They were interested in adding a contact form, and wanted the data to be sent to their APEX-managed database. Building an entire back-end service for this purpose seemed like too much work, so I decided to

How to import mySQL data into Oracle APEX (the hard way)

Oracle Application Express (APEX) is a low-code development platform that enables you to build scalable, secure enterprise apps, with world-class features, that can be deployed anywhere.Recently I was asked to import a mySQL database into APEX. Although support for mySQL databases is on the roadmap, it seems like for

HTB Write-up | Previse

Retired machine can be found here. ScanningAs always, we start by mapping the previse.htb hostname to the given IP: ~ sudo nano /etc/hosts 10.10.11.104 previse.htbThe nmap scan is pretty boring, it seems there's a web server running on port 80 and an SSH server on

HTB Write-up | BountyHunter

Retired machine can be found here. ScanningLike with most HTB machines, a quick scan only disclosed SSH running on port 22 and a web server running on port 80: ~ nmap 10.10.11.100 PORT STATE SERVICE 22/tcp open ssh 80/tcp open http ~ nmap 10.10.11.100

android

HTB Write-up | Explore

Retired machine can be found here. esketitLet's start with some basic scanning: ~ nmap -A 10.10.10.247 PORT STATE SERVICE VERSION 2222/tcp open ssh (protocol 2.0) | fingerprint-strings: | NULL: |_ SSH-2.0-SSH Server - Banana Studio | ssh-hostkey: |_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:

Exploiting Deep Links in Android - Part 5 (Testing)

EnumerationEnumeration should always start with the App Manifest, which can be extracted from any .apk with a tool such as apktool, e.g.: ~ apktool d com.twitter.android_2021-10-22.apk I: Using Apktool 2.5.0 on com.twitter.android_2021-10-22.apk I: Loading resource table... I: Decoding AndroidManifest.xml

htb

HTB Write-up | Monitors

Retired machine can be found here.ScanningLet's start the same as always, with a basic nmap scan: ~ nmap -sC -sV -A 10.10.10.238 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-01 11:15 WEST Nmap scan report for 10.10.10.238 Host is up (0.32s

deep links

Exploiting Deep Links in Android - Part 4 (Mitigation)

Preventing Deep Link HijackingWhen it comes to preventing Deep Link Hijacking, the message is simple: stop using Scheme URLs and start using (properly verified) App Links or Intent URLs. [If you're lost maybe you should go back to Part 1] As of August 2021 only about 6% of Android devices

android

Exploiting Deep Links in Android - Part 3

So .. what else can we do with deep links? Local File Inclusion (LFI)In part 2 we saw how to achieve LFI via the WebView.loadUrl method. In this part we'll explore an alternative that doesn't require the application to contain a WebView. Let's continue using the ABC Bank Android

ipa

MobSF "IPA Binary Analysis" | Step by Step

MobSF is an open source static and dynamic analysis tool for Android and iOS, which can be used to quickly detect major issues on your mobile application. When scanning an .ipa, the "IPA Binary Analysis" section can report multiple issues that can be hard to interpret. Hopefully this article will

android

Exploiting Deep Links in Android - Part 2

In this part, we're going to start to answer the question: "What can you do if you can trick a user into clicking a malicious deep link?" Let's go back to the ABC Bank example. ABC Bank has both a web and an Android application, and they use deep links

android

Exploiting Deep Links in Android - Part 1

Deep links are an often overlooked way to exploit Android applications. In this series I hope to do a deep dive into their history, common vulnerabilities with real-life examples, possible mitigations, and testing techniques for pentesters and researchers. In this first part, we do a quick overview of the supported

php

Running a PHP application on Big Sur using Apache

If you have a PHP application and want a quick approach for running it on a mac with the latest OS version, then this tutorial might be useful. Testing and launching the Apache serverBig Sur already comes with Apache installed. You can check the current version by running: ~ httpd -v

tshark

USB Keyboard capture parser

During a recent CTF I had to extract keys from a USB Keyboard capture, and (as usual) decided to create a simple Python 3 script to parse the original keys. As shown on the Gist below, this script takes any .pcap file and optionally the path to the tshark executable,

bloodhound

Setting up Bloodhound on macOS

Edit: This article is now outdated, I recommend that you follow the instructions at https://bloodhound.specterops.io/get-started/quickstart/community-edition-quickstart to install the latest version of Bloodhound on macOS. On a recent CTF I needed to set up Bloodhound on macOS and came across some issues. Hope this helps