So, I haven't been playing HTB for quite some time, and I finally had some motivation (or mood) to try out some boxes. So here is my writeup for the HTB seasonal machine: PermX.
SQL Injection (SQLi)
is a common web security vulnerability that occurs when an attacker manipulates the SQL query an application sends to its underlying database. By altering the intended query, attackers can read, modify, or delete data without proper authorization. This form of attack most commonly occurs in the WHERE clause of SELECT queries, and it can lead to severe consequences such as unauthorized data access or, in some cases, complete compromise of the server (e.g., gaining administrative privileges).
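As an added example (not code from the original post), the snippet below shows the WHERE-clause case described above against an in-memory SQLite table with constructed sample rows: the vulnerable login builds the query by string formatting, so a classic `' OR '1'='1` payload returns every row and a `'-- ` payload comments out the password check, while the parameterised version binds the same input as data and returns nothing. The table and users are assumptions made up for the demo.

```python
"""Added example: string-built SQL vs. a parameterised query.

Constructed sample data in an in-memory SQLite database; this is not code
from the original post.
"""
import sqlite3

# Constructed sample users (assumption: a plain-text password column, which
# is itself a bad practice, kept here only to keep the demo small).
USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the WHERE clause by string formatting: user input becomes SQL."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with placeholders: input is bound as data, never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo() -> dict:
    """Run a legitimate login and two injection payloads through both versions."""
    conn = make_db()
    tautology = "' OR '1'='1"   # AND binds tighter than OR, so every row matches
    comment = "alice'-- "       # SQLite treats '--' as a line comment: password check dropped
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "tautology_vulnerable": login_vulnerable(conn, "anything", tautology),
        "tautology_safe": login_safe(conn, "anything", tautology),
        "comment_vulnerable": login_vulnerable(conn, comment, "wrong-password"),
        "comment_safe": login_safe(conn, comment, "wrong-password"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

The tautology payload turns the clause into `username = 'anything' AND password = '' OR '1'='1'`, which is true for all rows; the comment payload truncates the statement after `username = 'alice'`. With placeholders, the driver sends the literal strings to the engine as values, so both payloads simply fail to match a user.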
Path Traversal in Ivanti: CVE-2024-8963
Following the earlier Ivanti Cloud Services Appliance (CSA)
flaw, CVE-2024-8190, another vulnerability affecting the same product, CVE-2024-8963, is now being actively exploited. The newly identified flaw has been assigned a CVSS score of 9.4 out of 10.
Wargames2023 CTF MISC Challenge: Splice
This year, Wargames is filled with very interesting challenges. This miscellaneous challenge, Splice, is more lighthearted compared to the other brain-cell-consuming challenges: the task is to recover two QR codes whose middle sections have been removed from the QR image.
ASCIS2023 Jeopardy Finals: Secbiz-Library Web Challenge
The ASCIS CTF is an annual Vietnamese CTF in which many teams from ASEAN countries participate. This year, the CTF consisted of three rounds: a Warmup Round, in which teams had to solve at least one challenge to proceed; the Semi-Finals; and two different Finals, in which the top 20 overall teams played an Attack and Defense CTF while the remaining teams continued with the Jeopardy CTF.
PetronasCTF2023 Web Challenge: Henny Peony Got Hit on the Head; with an egg!
Petronas CTF 2023 is a local CTF organized by Petroliam Nasional Berhad Malaysia. The CTF was held on 9th and 10th October 2023 at the Kuala Lumpur Convention Centre over two days, with an elimination round and a top-25 final round. The challenges were quite interesting and the majority were of great quality. In this web challenge, a featureless website was provided.
SKR CTF Web Challenge: Kuki-Bank
SKR CTF is a good platform to practice CTF challenges and test out cybersecurity knowledge. The challenge covered here is a medium-level web challenge called Kuki Bank.
On 26th and 27th August 2023, I attended my first HITBSecConf
in Phuket, Thailand. HITBSecConf, or the Hack In The Box Security Conference,
is an annual security event at which security researchers and professionals from around the world come together to share their latest findings from research or experience. The conference was first founded in Malaysia but has since grown into a larger, international event, with its flagship edition commonly held in Amsterdam.
CTF, or capture the flag, is a hacking competition in which participants race against time to solve as many challenges and earn as many points as possible. There are mainly two types of CTF: Jeopardy-style,
which is the traditional challenge-solving format, and Attack-and-Defence style,
in which competitors hack into each other's systems while patching their own vulnerable services.