How to Get Started in Pentesting #infosec, #pentesting, #appsec, #security @j0emccray, @infosecaddicts, @ppentestlabs, @pentesterlab, @blackroomsec, @securitytube

Happy Hacking!

Today’s blog post will be on how to get started with pentesting… on a budget.

If you’re following or reading my twitter timeline (@devsecopsgrl007), you will know that I am currently taking SANS SEC542 – Web App Penetration Testing. I am doing this class OnDemand (online), and I have access to the training for 4 months, along with two practice tests, and the certification (once I pass, putting it into existence!) While this course is GREAT, it is EXPENSIVE!

I know if you’re a student, this is WAY out of your price range. So, I would like to list alternatives where you will learn the same content, but it might take you a bit longer.

So without further ado here’s my list:

  1. Skillshare has a Ethical Hacking package that is $19 for 8 courses. These courses original value was $1,273 – which is a 99% savings. You can buy the class HERE.
  2. There’s a book that is the holy grail for Web Pentesting called, “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” This book has a lab accompanied with the book that is $7/hour. You can buy the book HERE.
  3. Another book, Penetration Testing Essentials, is another GREAT book. It gives an overview of the different concepts of pentesting. You can buy the book HERE.
  4. Joe McCray has a Pentester Candidate Program that is also a GREAT program. Follow Joe on twitter (j0emccray) or his program – @infosecaddicts
  5. PentesterLab has a program – PentesterLabPro where you can pay $19.99/month, or pay for a year and get two months free. More information can be found HERE. PentesterLab also has a bootcamp which is free. More information can be found HERE.
  6. PentesterAcademy has a monthly subscription for $39.99/month. The good thing about PentesterAcademy is they have A LOT of information. Web App Pentesting, Python, etc. More information can be found HERE.
  7. PracticalPentestLab has a promotion where you can pay a one time fee of $42.99 to get the VIP content which has subjects in pentesting, windows exploit, etc. You can contact them on twitter @ppentestlabs. More information can be found HERE.
  8. Hacking-Lab is a free online platform where you can learn hacking skills. More information can be found HERE.
  9. Cybrary is another free website that has an assortment of courses. More information can be found HERE.
  10. PicoCTF is an online CTF platform that is geared towards high school students, but it’s open to anyone. All you need to do is sign-up. More information can be found HERE.

Another big piece is to practice the skills that you have learned.

To do this you will need vulnerable machines to hack 🙂

One of my favorites is HackTheBox which has an assortment of machines. More information can be found HERE. Note: That you will need to hack the site to get the invite code.

Another website that I love is VulnHub. VulnHub has an assortment of machines. The good thing about VulnHub is that some of the machines have been used in CTFs and other security conferences. More information can be found HERE.

The next website is my favorite, called OverTheWire. OverTheWire is a website that has multiple challenges in different areas, web app pentesting, linux, etc. More information can be found HERE.

There’s another website RootMe which is a free online platform to practice pentesting. More information can be found HERE.

I can’t stress enough that you will need to practice. The old adage holds true in this case, practice makes perfect.

Finally, please follow @blackroomsec on twitter who’s a sweetheart! She has a website that lists even more free or inexpensive opportunities to learn pentesting.

 

Advertisements

The BodgeIT Store Series #4, Find Diagnostic Data – #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #4 in the BodgeIt Store series.

If you want to view post #3 click HERE.

In today’s post we’re going to find diagnostic data.

So exactly what is diagnostic data?

In this case, we’re looking for a webpage inside the store that will reveal debugging data.

What exactly is debugging data?

Debugging data is used by developers who want to make sure their application is working correctly.

The problem is that the developers do not turn off the debugging feature before moving their application to production (live).

Let’s get started.

So how are we going to find the debug data? We’re going to add the following in the URL address bar: ?debug=true

Let’s start with the home page:

debug_true_1

We added the debug command, and it the page rendered the same. No debugging code on this page.

Let’s try the about us page.

Adding the debug command, the page rendered the same. No debugging code on this page.

debug_true_2

 

Let’s try the contact us page.

Adding the debug command, the page rendered the same. No debugging code on this page.

debug_true_3

Let’s try the login page.

Adding the debug command… the page rendered:

debug_true_4_yess

If you view the top of the page, you will see the new line – DEBUG: Clear.

This is an example of debugged code!

We were able to find diagnostic code in the application.

Let’s try the Your Basket page, and see what we get:

debug_true_5_yes

We found another page that has diagnostic data! In this case the debugged line says – DEBUG basketid = 5.

Let’s try search page, and see what we get:

debug_true_6

No diagnostic data here.

Let’s see what the scoreboard says:

bodgeit_scoring_5

We have successfully completed the find diagnostic data challenge (it’s green)!

The BodgeIT Store Series #3, Get the Store to Owe You Money – #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s post is #3 in a series of solving the BodgeIt Store.

If you want to check post #2, click HERE.

In today’s challenge we will make the store owe us money.

Before continuing on, you will need an interception proxy.

Two of the most popular interception proxies are ZAP and Burp.

I am going to use the free version of Burp (Community Edition) which can be downloaded HERE.

After downloading and installing Burp we need to set our proxy to have Burp intercept the traffic.

Note: I am using Chrome, but the steps are VERY similar between browsers (IE, Chrome, and Firefox)

When opening Burp, and clicking on the Proxy –> Options tab we see that the Proxy Listener is listening on 127.0.0.1, port 8080.

burp_settings

Going to your browser, go to Options.

In Chrome, click the three dots, and select Settings

You should see the following screen:

chrome_settings

In the search settings type in “proxy” which will show the following:

chrome_proxy_settings

Clicking on the last option – Open proxy setting we see:

internet_properties_1

Clicking on the Connections tab, we see:

internet_properties_2

Clicking the LAN settings button, make the settings look like the following screenshot and press “OK”.

internet_LAN_properties

To summarize: We’re setting the proxy in Chrome (or IE, Firefox, depending on the browser) to send traffic through our Burp proxy which is listening on 127.0.0.1:8080.

Going back to Burp, make sure that the intercept is on –  see screenshot:burp_intercept

Refreshing the BodgeIt page, we see:

burp_bodgeit

Yay! our traffic is being trapped properly through Burp.

Click Forward until the Raw tab is blank, and turn the intercept off.  Click the intercept is on box once and it will turn off the interception.

OK… now let’s earn some $$$!!!

Navigating to the home page, click on any of the items on the left side. I am going to click on Doodah’s (first item), and I see the following:

Doodah_1

I am going to click on the most expensive item which in this case is Doo dah day, and I see:

Doodah_2

OK, let’s turn on the interception back on. Click the intercept is off button once to turn the interception back on.

After the interception is on, click on the basket button. I see:

burp_price

Changing the quantity to -10 (which is a negative value, and should not be permitted as you can’t purchase a NEGATIVE item) we see:

burp_updated_price

Going back to BodgeIt…

We have successfully made the store owe us money!!!

burp_updated_price_final

Going back to the scoreboard…

bodgeit_scoring_4

we see this challenge is now complete (green)!

OverTheWire: Natas Level 8 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s challenge we’re going to solve level 8 from the Natas wargame.

Let’s begin.

Going to the following link, and entering the username “natas8” and password “DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe” we get the following:

Natas8_WarGame_1

Natas8_WarGame_2

OK, we see a page that is asking for an input secret. Clicking the view sourcecode link we see:

Natas8_WarGame_4

Looking at the screen, there’s PHP code with an encoded secret variable that seems to be in hexadecimal. There’s also a function titled “encodeSecret” that does the following steps:

  1. Change the binary to hex (bin2hex)
  2. Reversing the string (strrev)
  3. Base64 encoding (base64_encode)

From there the code is checking to see if our input secret equals the encoded secret. If it does then we get the code for level 9, otherwise we need to try again.

So, how are we going to solve this?

Going to Google and looking for a PHP interpreter, we’re presented with the following link.

From there, We’re going to do the reverse the steps of above. Our new steps are:

  1. Convert the hex to binary (hex2bin)
  2. Reverse the string (strrev)
  3. Base64 decode (imap_base64)

Below is the screenshot that depicts the above steps.

Natas8_WarGame_5

Doing the steps, we are presented with the decoded secret which is “oubWYf2kBq”

Going back to the level 8 page, and entering our decoded secret we get the following:

Natas8_WarGame_6

We found the flag!

OverTheWire: Natas Level 7 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post we will solve level 7 from the Natas wargame challenge.

Let’s begin.

Going to the following link, and entering username “natas7” and password “7z3hEENjQtflzgnT29q7wAvMNfZdh0i9” we see the following:

Natas7_WarGame_1

Natas7_WarGame_2

Hmm… we see a Home and About links. Let’s click the links and see what happens.

Natas7_WarGame_3

Natas7_WarGame_4

After clicking the links we see there’s not much that’s showing on the screen.

Let’s view the source and see if there are any hints there.

Doing a right click, view page source we see:

Natas7_WarGame_5

Hmm… we see a comment that says, “password for webuser natas8 is in /etc/natas_webpass/natas8”

How can we use this information?

Looking at the above screenshots of Home and About – we notice that at the end of the URL it’s referencing a page. For instance for the home page it’s “page=Home” and for About it’s “page=About”. Let’s try to change the page name to the hint that was provided to us.

Changing the URL to: http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8, we see…

Natas7_WarGame_6

the flag!

OverTheWire: Natas Level 6 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post we’re going t solve level 6 in the Natas wargame.

Let’s begin.

Going to the following link and entering the username of “natas6” and password of “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq” we see the following:

Natas6_WarGame_2

Natas6_WarGame_3

Doing a right click, view source we see:

Natas6_WarGame_4

Hmm… there’s not much in here, except there’s a view sourcecode. Let’s see what this source code will yield us…

Natas6_WarGame_5

Looking at the middle of the page, we see that there’s php code (code between <?…?>), we notice that there’s an include/secret.inc. Let’s see if we can access this file and see what’s inside the file.

Changing the URL to “natas6.natas.labs.overthewire.org/includes/secret.inc” we see:

Natas6_WarGame_6

… a blank page. Let’s do a right click, view page source to see if there are nuggets hidden beneath the surface.

Doing a right click, view page source we see the following:

Natas6_WarGame_7

Hmm… looks like we find the secret.

Let’s enter this into the input box and see if this unlocks the level.

Entering the secret above into the input box we get:

Natas6_WarGame_8

Natas6_WarGame_9

We found the flag!

OverTheWire: Natas Level 5 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post, we’re going to solve level 5 from the Natas wargame challenge.

Let’s begin.

Going to the following link and entering username of “natas5” and password of “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq” we see the following:

Natas5_WarGame_1

After pressing “OK” we see:

Natas5_WarGame_5

Hmm… we see that we’re not logged in and access is disallowed.

Using Tamper Data, let’s see if the request headers show us a way to bypass the login feature.

Opening the Tamper Data application and refreshing the website we see:

Natas5_WarGame_2

Hmm… we see inside the Cookie that there is a loggedin that is currently set to zero. What if we change it to 1?

Changing the loggedin feature to 1 and pressing Enter we see:

Natas5_WarGame_4

Natas5_WarGame_3

We received the flag!

OverTheWire: Natas Level 4 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

Today’s blog post we’re going to solve level 4 from the Natas wargame.

Let’s begin.

Going to the following link we see:

Natas4_WarGame_1

After entering the username of “natas4” and password of “Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ” we get the following:

Natas4_WarGame_2

Hmm… we’re not allowed access because we’re coming from an invalid URL. Let’s see if we can change that.

In a previous blog, I explained how to user Tamper Data. Tamper Data allows you to modify HTTP requests and responses to see if the web page will behave differently.

We’re going to use Tamper Data for this challenge.

 

Starting Tamper Data, and going to the level 4 we see:

Natas4_WarGame_4

We see that the referrer shows natas4, what happens when we change it to natas5?

 

Changing the referrer to natas5, and clicking OK we see:

Natas4_WarGame_5

Natas4_WarGame_6

We found the flag!

OverTheWire: Natas Level 3 – #appsec #webapp #websecurity #wargames

Another day, anther challenge…

In today’s challenge we will solve level 3 from the Natas wargame. Let’s begin.

Going to the following link, and entering the username of “natas3” and password we retrieved from the second challenge we see:

Natas3_WarGame_1

Password from level 2:

Natas2_WarGame_6

Pressing Enter we see:

Natas3_WarGame_2

Doing a right click, view source we see:

Natas3_WarGame_3

Hmm… we have a hint. “No more information leaks!! Not even Google will find it this time…”

Knowing a thing or two about how Google indexes websites, I know that some websites use a robots.txt file. Let’s see if this website is using that.

Entering “robots.txt” at the end of the URL we see:

Natas3_WarGame_4

OK – the first parameter user-agent specifies that any agent is allowed. We’re disallowing the /s3cr3t/ folder. Let’s go to this folder and see what’s there…

Entering the /s3cret/ folder we see:

Natas3_WarGame_5

Hmm… there’s a users.txt file. Let’s see what’s there.

Natas3_WarGame_6

We found the password for level 4!