## Looking to pass the OSCP, CEH, eCPPT, or LPT? Keep reading… @j0emccray

Greetings!

This blog post will be short.

I received the following email (from Strategic Security owned by Joe McCray) in my inbox:

As many know, I’m embarking on the OSCP challenge (full disclosure: my job is paying for the cert), and I was happy to see this email.

\$50 for a self-paced course that will give you a primer before starting the real (in my case OSCP) course seems like a deal too good to be true…

In this case, it’s not. The email is 100% factual. I signed up for the course about an hour ago, and was presented with the coursework.  I also received an email stating a customer service rep will reach out to me to make sure everything is going well. This customer service rep will be an accountability buddy to make sure that all assignments and quizzes are completed.

So, if you want to study the concepts of the OSCP, eCPPT, LPT, or CEH course(s) before actually taking the class, then look no further than this course. At \$50 what do you REALLY have to lose? At the worst you’re out of a week’s worth of lunch, at best you acquire knowledge that will last a lifetime!

If you want more information about the course, check out Joe McCray on twitter at @j0emccray.

NOTE: I will do a review of the course when I have completed it – so stay tuned!

## PicoCTF 2017 – Programmers Assemble #reverseengineering #assembly #infosec

Another day, another hacking challenge.

In today’s challenge we’re going to focus on a reverse engineering exercise.

Clicking on the exercise we see the following:

Assembly… eeekk!

Let’s break it down – line by line.

eax = ???

ebx = 0

ecx = 8

for the line test %eax, %eax we’re testing to see if the zero flag of the %eax register is equal to zero

When eax is zero then we jump to the fin label, and compare ebx to see if it’s 46992.

So what do we need to set eax so ebx will be 46991? What happens if we divide 46992/8? Could this possibly give us the value of eax? Dividing 46991/8 = 5,874 decimal = 0x16F2.

You may be wondering, why would you divide 46992 by 8?

Looking at the assembly we know that when eax is not zero, we add 8 to the ebx register, and decrement eax by one and jump back to the loop label. We know if we set eax to 0x16F2 or 5,874 decimal then when eax equal 0 the program will jump to the fin label and the ebx register will be 0xb6790 or 46991 decimal. Once the comparison happens the program will jump again to the good label which will assign the eax register to 1.

To put this in a computer language it will be:

eax = 5874;

ebx = 0;

ecx = 8;

if(eax ==0) {

if(ebx == 46991) {

eax = 1;

} else {

eax = 0;

}

else {

ebx = ebx + ecx;

}

eax–;

Moral of the story assembly is the bare bones of ALL programming languages. No matter what language you use it can be broken down into assembly.

Entering 0x16F2 into the text box we acquired 75 points!

## My Experience with SANS SEC542 – Web App Penetration Testing and Ethical Hacking Course #infosec #webapp #sans542 #ethicalhacking #gwapt

Another day, another hacking post.

Today’s blog post will discuss my experience with SANS 542 for the GWAPT certification. I completed the course through the OnDemand (online) version.

Let me preface with a few disclaimers:

1. This class was on my bucket list for the last year, so I was VERY ecstatic when I was able to enroll
2. My job paid for this course as it’s \$6k+ which includes: practice test (2x) and certification attempt. This does not include travel arrangements (flight, hotel, and food).

As you can see the class is expensive, but it’s a good course to invest into if you want to become a penetration tester.

The course is broken into 6 parts. Let’s discuss each section.

Section 1: Introduction and Information Gathering

As the title states, this was a primer of web application testings with reviewing the HTTP and HTTPS protocols, discuss web infrastructure, and discuss reconnaissance using the following tools: WHOIS and DNS. Finally, I was introduced to a web application vulnerability such as Heartbleed.

I found the material to progress at a nice pace. I had a general knowledge of web application pentesting by tinkering with a home lab, but this introduction filled in some of the blanks that I had.

Section 2: Configuration, Identity, and Authentication Testing

This section heavily relies on mapping a web application target, and reconnaissance, which is arguably the most important part of testing. Some of the tools that was used were: nmap, cURL, and manual techniques using Burp Suite (such as Burp Intruder). In this section, I was introduced to another web application vulnerability – Shellshock, which surprisingly was vulnerable for 25 years!

I REALLY enjoyed this section as I am a hands-on learner, so tinkering and learning new techniques was great. Also, I had a rush whenever I was able to successfully exploit a vulnerability.

Section 3: Injection

In this section I learned about SQL, Blind SQL, Error based SQL injection, command injection, remote file include (RFI), local file include (LFI), session tracking, authentication bypass by using the vulnerable application Mutillidae. Mutillidae is a great application to use when honing your web application skills as I previously stated the application is vulnerable to A LOT of attacks!

Again, I really enjoyed this section, I learned some new skills (LFI, RFI, and command injection), I already knew about SQL injection before taking the course.

Section 4: XXE and XXS

In this section, I learned about the different flavors of Cross-Site Scripting (XSS) – reflected, stored, or DOM, XML External Entity (XXE), XML and JSON, as well as logic attacks to web applications.

Again, enjoyed this section, and I learned A LOT. I knew about Cross-Site Scripting and the different flavors but had NO clue about XXE or XML. It was interesting to see the techniques on how to launch an XSS attack using JSON. As well as how I can use the logic and data returned from an application to deduce certain aspects of the application and craft attacks to exploit said application.

Section 5: CSRF, Logic Flaws and Advanced Tools

In this section, I learned about Cross-Site Request Forgery (CSRF), and tools such as: Metasploit, WPScan, w3af. Also, I learned how to use Python to leverage attacks on web applications as well as how to pivot inside a web application. Also, a cool talking point was on when the tools fail, which is a real scenario.

I enjoyed this section. I am glad that the professor touched on when tools failed. There are some people who heavily rely on tools and get discouraged or miss vulnerabilities when said tools do not work.

Section 6: Capture The Flag

This by far was my favorite part of the course!!! Since my class was online, the capture the flag was online as well. Note, if this class is completed at a SANS location then the capture the flag is an all day event on the 6th day. The team (or person) who has the highest score receives a medal.

Anyway the capture the flag incorporated all of the concepts of the class into a realistic environment.

Things to say about the capture the flag – while it was fun, I made STUPID mistakes. Remember when I said that information mapping was important? I lost 4 points, due to not correctly map the web application. For instance, I completed IGNORED a server that had a TREASURE TROVE of vulnerabilities. <– Yes, I am still kicking myself for that mistake.

The capture the flag was super fun as it started with answering questions and then progressed into hands-on exploits. Also, the questions started to get harder as the game progressed (I am a gamer at heart!) Also there were some funny Aha moments, such as the classic music video. I also fell prey on trying to use to tools, which made answering some of the questions harder than it needed to be. The question could’ve been on a difficulty level of 3 and I made it into a 9 by customizing a fancy exploit that was not needed.

At the end of the 4 months, I finished #11 out of 40 people. Not too shabby. If I didn’t make the mistakes above, I would’ve finished in the top 10.

Final assessment of the course: I LOVED the course!!! Like I kept reiterating I learned a lot of about exploiting web applications, that I will take with me in my journey as a pentester. I liked that each book was built on top of each other. Meaning in book 1 I started off with a primer and learning about web application architecture(s). When I started book 2, I built on top of book 1’s knowledge to then learn about information gathering and reconnaissance, etc. By book 6 (capture the flag) I had a solid foundation on how to actual execute a web application penetration test.

The good thing about this course is that the exploits are not cookie cutter. There were times where I scratched my head and had to do an exploit two to three times to FULLY understand all of the moving parts. Also, another great thing about the course is that the student will receive books for each day (that you can keep) as well as a custom VM that has all of the labs, vulnerable applications, and tools that were used in the course just in case if you want to study or find more vulnerabilities once the class is over. As my instructor, Eric Conrad stated, “One of the differences between a good and great penetration tester is creativity.” I want to be a great pentester, and this class will help me get there.

One last thing… the GWAPT certification. I will not go into detail about test questions (as that is unethical), BUT I will say the test is open book. Make sure to fully utilize the practice test(s) by pretending it’s the REAL test. These practice tests will give you a baseline of how well you know the material. You then can go back and review said concepts and take the second test again to see if there’s improvement. I have taken 4 SANS courses (including this one), with 3 certs, and I can tell you that your index is the MOST important thing for when you take the real test. Your index will literally make or break you, so it’s important to spend a considerable amount of time to make sure your index matches your learning style. The test has a time limit of 3 hours, and you will need to answer 75 questions with a passing score of 71% and above. If you score 90% and above you will be placed in an elite group called the Advisory Board. You can learn more here.

If there are anymore questions, please do not hesitate to reach out to me on twitter at @DevSecOpsGrl007.

Until next time!

## How to Get Started in Pentesting #infosec, #pentesting, #appsec, #security @j0emccray, @infosecaddicts, @ppentestlabs, @pentesterlab, @blackroomsec, @securitytube

Happy Hacking!

Today’s blog post will be on how to get started with pentesting… on a budget.

If you’re following or reading my twitter timeline (@devsecopsgrl007), you will know that I am currently taking SANS SEC542 – Web App Penetration Testing. I am doing this class OnDemand (online), and I have access to the training for 4 months, along with two practice tests, and the certification (once I pass, putting it into existence!) While this course is GREAT, it is EXPENSIVE!

I know if you’re a student, this is WAY out of your price range. So, I would like to list alternatives where you will learn the same content, but it might take you a bit longer.

So without further ado here’s my list:

1. Skillshare has a Ethical Hacking package that is \$19 for 8 courses. These courses original value was \$1,273 – which is a 99% savings. You can buy the class HERE.
2. There’s a book that is the holy grail for Web Pentesting called, “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” This book has a lab accompanied with the book that is \$7/hour. You can buy the book HERE.
3. Another book, Penetration Testing Essentials, is another GREAT book. It gives an overview of the different concepts of pentesting. You can buy the book HERE.
4. Joe McCray has a Pentester Candidate Program that is also a GREAT program. Follow Joe on twitter (j0emccray) or his program – @infosecaddicts
5. PentesterLab has a program – PentesterLabPro where you can pay \$19.99/month, or pay for a year and get two months free. More information can be found HERE. PentesterLab also has a bootcamp which is free. More information can be found HERE.
6. PentesterAcademy has a monthly subscription for \$39.99/month. The good thing about PentesterAcademy is they have A LOT of information. Web App Pentesting, Python, etc. More information can be found HERE.
7. PracticalPentestLab has a promotion where you can pay a one time fee of \$42.99 to get the VIP content which has subjects in pentesting, windows exploit, etc. You can contact them on twitter @ppentestlabs. More information can be found HERE.
8. Hacking-Lab is a free online platform where you can learn hacking skills. More information can be found HERE.
9. Cybrary is another free website that has an assortment of courses. More information can be found HERE.
10. PicoCTF is an online CTF platform that is geared towards high school students, but it’s open to anyone. All you need to do is sign-up. More information can be found HERE.

Another big piece is to practice the skills that you have learned.

To do this you will need vulnerable machines to hack đŸ™‚

One of my favorites is HackTheBox which has an assortment of machines. More information can be found HERE. Note: That you will need to hack the site to get the invite code.

Another website that I love is VulnHub. VulnHub has an assortment of machines. The good thing about VulnHub is that some of the machines have been used in CTFs and other security conferences. More information can be found HERE.

The next website is my favorite, called OverTheWire. OverTheWire is a website that has multiple challenges in different areas, web app pentesting, linux, etc. More information can be found HERE.

There’s another website RootMe which is a free online platform to practice pentesting. More information can be found HERE.

I can’t stress enough that you will need to practice. The old adage holds true in this case, practice makes perfect.

Finally, please follow @blackroomsec on twitter who’s a sweetheart! She has a website that lists even more free or inexpensive opportunities to learn pentesting.

## The BodgeIT Store Series #7, Change your Passwords via a GET Request â€“ #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #7 in the BodgeIt Store series.

To view the blog post #6 click HERE.

Today’s topic is we’re going to change our password via a GET request.

Let’s get started.

Logging into the application as user1@thebodgeitstore.com’ OR ‘1’=’1

We get the following:

Clicking on the user1@thebodgeitstore.com link we see:

Let’s view the page source of the webpage:

We see that the update password is looking for a POST, but we need to send it as a GET. How are we going to solve this?

Let’s do a right click on one of the text boxes and select “inspect element”.

From there we see:

Double clicking on the form method we’re going to change the method from POST to GET.

Going back to the password page, we can select the password to anything. I am going to use “hello”, and press “Submit”

We we’re able to change our password, through a GET request.

Let’s see if our solution was accepted.

Our solution was accepted (as the challenge is now green)!

## The BodgeIT Store Series #6, Access Someone Else’s Basket â€“ #bodgeit #infosec #pentest #appsec #webapp

Happy Hacking!

Today’s post is #6 in the BodgeIt Store series.

To view post #5 in the BodgeIt Store series click HERE.

The topic for today is to access someone else’s basket.

First, let’s go to the admin page, and notice the different basket ids:

We see that for each user – there’s a corresponding basket id.

Let’s go to the Your Basket page. Going there we see the following:

Let’s open Burp and see if our traffic will reveal anything to us.

After opening Burp, and clicking on the “Update Basket” button we see:

Hmm.. we see there’s a cookie value of b_id. Could this possibly be basket id?

Let’s try changing the value from 8 to 0 (which is the admin basket).

OK… we see that the basket has been updated and we received a system error. This let’s me know that admin basket didn’t work too good.

Let’s go back and try another basket id of 1 which is the user1 account.

OK, changing the basket from 8 to 1 (user1 account) we see that our basket has been updated to show the user1 basket.

Let’s go back to the scoring page and see if we have successfully solved the challenge.

We solved the challenge successfully!

## The BodgeIT Store Series #5, Login as a Different User?! â€“ #bodgeit #infosec #sqli #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #5 in the BodgeIt Store series.

To view blog post #4, click HERE.

The challenges we’re going to solve are the following:

1. Log into the application as test@bodgeitstore.com
2. Log into the application as user1@bodgeitstore.com

Let’s begin.

Going to the application let’s go to the login page – screenshot:

Reviewing the objectives we have the username (email), but we don’t have the password… Meaning we can’t log into the application… well let’s see.

We already know the application is buggy (our favorite!) so it will not be hard to deduce that the application is not sanitizing our input. Meaning we can append certain characters in the username box and bypass entering a password to log into the application.

What possibly are these characters?

We know that for a valid login there has to be an back-end database that is used to test the username and password. We have the username, but what if we trick the database with a true statement and allow us to log into the application without entering a password.

The topic that I am talking about is SQL Injection. Doing a Google search you will see there are plenty websites dedicated to this topic.

Let’s imagine that the back-end database is the following:

Note: valid_login will return a boolean (TRUE/FALSE)

The username is the email that we have plus the appended characters –> test@bodgeitstore.com’ OR ‘1’=’1

Password is going to be blank.

So the above line will be:

SELECT valid_login FROM customers WHERE username=’test@bodgeitstore.com’ OR ‘1’=’1 AND password=<blank>;

The password is going to be blank.

Let’s break down the above statement

We’re closing the test@bodgeitstore.com expression, and then we’re going to include a new expression using the OR statement. The next expression is 1=1 which will ALWAYS evaluate to true (1 does equal 1).

Try it in the application and see what happens.

First, let’s configure our browser to listen through our Burp proxy.

Going to the login page, let’s add the username of test@bodgeitstore.com’ OR ‘1’=’1′, with no password, and press the Login button.

See screenshots:

We’ve successfully logged in without a valid password!

Let’s see if we can do this with the second username: user1@bodgeitstore.com

We were able to log into the application as user1, without supplying a valid password!

Going back to the login page, let’s enter the username as admin@thebodgeitstore.com without supplying a password.

We were able to log into the application as an admin without supplying a valid password.

Hmm… we see with the admin login we have a new link – Comments. We’ll come back to this in another post.

Going back to the scoreboard we see:

All of the login challenges are now complete (green)!

## The BodgeIT Store Series #4, Find Diagnostic Data â€“ #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #4 in the BodgeIt Store series.

If you want to view post #3 click HERE.

In today’s post we’re going to find diagnostic data.

So exactly what is diagnostic data?

In this case, we’re looking for a webpage inside the store that will reveal debugging data.

What exactly is debugging data?

Debugging data is used by developers who want to make sure their application is working correctly.

The problem is that the developers do not turn off the debugging feature before moving their application to production (live).

Let’s get started.

So how are we going to find the debug data? We’re going to add the following in the URL address bar: ?debug=true

We added the debug command, and it the page rendered the same. No debugging code on this page.

Let’s try the about us page.

Adding the debug command, the page rendered the same. No debugging code on this page.

Adding the debug command, the page rendered the same. No debugging code on this page.

Let’s try the login page.

Adding the debug command… the page rendered:

If you view the top of the page, you will see the new line – DEBUG: Clear.

This is an example of debugged code!

We were able to find diagnostic code in the application.

Let’s try the Your Basket page, and see what we get:

We found another page that has diagnostic data! In this case the debugged line says – DEBUG basketid = 5.

Let’s try search page, and see what we get:

No diagnostic data here.

Let’s see what the scoreboard says:

We have successfully completed the find diagnostic data challenge (it’s green)!

## The BodgeIT Store Series #3, Get the Store to Owe You Money – #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s post is #3 in a series of solving the BodgeIt Store.

If you want to check post #2, click HERE.

In today’s challenge we will make the store owe us money.

Before continuing on, you will need an interception proxy.

Two of the most popular interception proxies are ZAP and Burp.

I am going to use the free version of Burp (Community Edition) which can be downloaded HERE.

After downloading and installing Burp we need to set our proxy to have Burp intercept the traffic.

Note: I am using Chrome, but the steps are VERY similar between browsers (IE, Chrome, and Firefox)

When opening Burp, and clicking on the Proxy –> Options tab we see that the Proxy Listener is listening on 127.0.0.1, port 8080.

Going to your browser, go to Options.

In Chrome, click the three dots, and select Settings

You should see the following screen:

In the search settings type in “proxy” which will show the following:

Clicking on the last option – Open proxy setting we see:

Clicking on the Connections tab, we see:

Clicking the LAN settings button, make the settings look like the following screenshot and press “OK”.

To summarize: We’re setting the proxy in Chrome (or IE, Firefox, depending on the browser) to send traffic through our Burp proxy which is listening on 127.0.0.1:8080.

Going back to Burp, make sure that the intercept is on –  see screenshot:

Refreshing the BodgeIt page, we see:

Yay! our traffic is being trapped properly through Burp.

Click Forward until the Raw tab is blank, and turn the intercept off.  Click the intercept is on box once and it will turn off the interception.

OK… now let’s earn some \$\$\$!!!

Navigating to the home page, click on any of the items on the left side. I am going to click on Doodah’s (first item), and I see the following:

I am going to click on the most expensive item which in this case is Doo dah day, and I see:

OK, let’s turn on the interception back on. Click the intercept is off button once to turn the interception back on.

After the interception is on, click on the basket button. I see:

Changing the quantity to -10 (which is a negative value, and should not be permitted as you can’t purchase a NEGATIVE item) we see:

Going back to BodgeIt…

We have successfully made the store owe us money!!!

Going back to the scoreboard…

we see this challenge is now complete (green)!

## The BodgeIT Store Series #2, Find Hidden Content as a Non-Admin User – #bodgeit #infosec #pentest #appsec #webapp

Happy Hacking!

Today’s post is #2 in a series of solving the BodgeIt Store vulnerability.

If you want to read the initial post, click HERE.

As the title says, we’re going to solve the vulnerability of finding hidden content as a non-admin user.

Let’s begin.

Going back to the Scoring Page (About Us –> Scoring Page Link) we see the following. Pay attention to our username, right now we’re logged in as a guest user.

Going to the home page we see the following:

What would happen if we view the HTML source of the page? Let’s try it.

Right clicking the page, and select View Page Source we see:

Hmm… we see a commented code on line 41 (green line) that shows a link to an admin page. What will happen if we navigated to this page?

Navigating to this page we see the following:

We found a hidden page! This page lists the different user, and their role. Along with their BasketId, ProductId, and Quantity.

Let’s bookmark this page because I am sure we will need this page later for the other vulnerabilities.

Going back to the scoring page we see:

The hidden content as a non admin user is now complete (green)!