Grinch-Networks CTF Writeup Intro

Intro
In this write-up I will talk about the feelings, the learnings and the pain of successfully completing all 12 levels of the HackerOne CTF challenge "hacky holiday", Dec. 12 - 24th 2020. Go to Challenge Site. I will focus on the vulnerabilities and the tools / methods I used to find them, the actual exploit and additional information. At the end of each section I will point to some useful further reading.
I used Kali Linux for some of my tests, but it is not required. Any other Debian-based system should be fine for following the tasks in my write-up. Where scripting was needed or helpful, I used simple shell scripts for the automation.
Basic tool-set
- Web browser (Chrome, Firefox)
- Linux OS (Kali or any other Debian-based operating system)
- Basic knowledge of Web, Databases, Linux, Shell-Scripting
Challenge-Overview
- #1 robots.txt
- #2 s3cr3t-area
- #3 People Rater
- #4 Swag Shop
- #5 Secure Login
- #6 My Diary
- #7 Hate Mail Generator
- #8 Forum
- #9 Evil Quiz
- #10 Signup Manager
- #11 Recon Server
- #12 Attack-Box
Final Words
I have learned a lot within the last 12 days. Before you start fuzzing or brute forcing, READ and LEARN the application code and structure! Try to understand how the application is built. Read the source code and check manually for some common files! (README.md, README.txt, robots.txt).
A lot of other hackers asked me on Discord what tool I used to complete the challenge or, for example, how to run sqlmap. At the beginning of the challenge I wasn't sure what to answer, but now I would say:
What tool??? USE YOUR BRAIN!!
All tools listed or mentioned here are helpful in some way, but they become helpful only once you have found the actual vulnerability or at least have an idea where to start. You as a hacker with your brain are the best tool you can get to find vulnerabilities. All the other tools are just helpers to support you. They will never do your job!