So here is just a very short one. Always when I have to set up a new pentest machine, I have to look it up again, so here is a small list of browser addons that are usefull for webapp pentesting (using Firefox):
One of the good things about Defcon is that there is a No Starch Press store at the vendors area.
So I bought it for the flight, but it took a bit longer until I was through the book.
The book has 20 chapters, starting with Bug Bounty Basics. The next 17 chapters go through different classes of vulnerabitlites like XSS, SQLi, memory corruption, CSRF and so on.
After an explanation of the vulnerabilty itself, real reports are also included with further hints. At the end of each chapter the reader can find useful takeaways.
The last two chapters are not about bugs, one is about finding bugs in general, including some descriptions for tactics and tools. The last chapter is about writing a good report, communication to the companies and how to deal with the different programmes, which seems very useful to me.
Real-World Bug Hunting is helping to maximaize payouts and finding more bugs. It shows up lots of attack vectors and creative way for exploing them.
Real-World Bug Hunting: A Field Guide to Web Hacking Author: Peter Yaworski Content: A very practical guide to bug hunting and bug bounties Career: Penetration Tester, Bug Bounty Level: Beginner, Intermediate Buy at Amazon U.S. Buy at Amazon Germany
End of August I travelled from Germany to far away Kathmandu in Nepal for visiting threatcon and the browser security workshop by Mario Heiderich and the beautiful country. Here is a short review.
Browser Security Workshop
With the conference I booked the 2 days workshop Offensive HTML, SVG, CSS & Other Browser-Evil. The covered topics:
History of browser security and the browser market
Unicode, character sets
Breaking Filters (WAF)
IE/Edge compatibility modes
The presentation includes 255 slides, so in 2 days it was not possible to cover everything, also there was no time for the hands-on parts. XSS is not the big topic anymore, but I was happy I can fresh up my knowlege and also learned some new stuff.
The conference was one day with a single track, so contrary to Blackhat & Defcon everything was clearly arranged. On the speaker list were Mario Heiderich, Jim Manico, Georgia Weidman, Vignesh, Yogesh Ojha, Aniruddha Dolas and Prashant Tilekar, you may see some familiar names here.
Between the presentations there was lot of time for networking and discussions, with the business pass I also joint the evening event which came with great drinks & food.
For me the best at conferences, of course, is the networking part. It was a great pleasure to meet and connect with new people and friends.
When you are new to IT security I highly recommend to visit smaller and local conferences if possible, it is much easier to connect and to visit.
Thanks to the organizers of threatcon for a great event.
After the conference I took four days for traveling and sightseeing, this is just a very small impression (I made >1000 shots). I travel a lot, and this was one of the most impressive experiences I’ve had.
Black Hat is a pretty commercial conference, tickets for two days cost more than 2000$, if you want to attend the briefings. There are also trainings, costs vary and are much higher. The content qualitiy is usually very high, the attendees vary from consultants, CISOs, developers, and all kind of IT security professionals. There is a big crowd with about 17000 attendees in 2017.
The briefings are picked by a review board in a call for papers process. Researchers present their top work, often campaigned weeks before the conference. In the business halls all kind of vendors are present and giving away loads of swag for attendees and also throwing parties.
Black Hat USA 2019 Keynote: Every Security Team is a Software Team Now by Dino Dai Zovi
I am mainly at the Black Hat for the Arsenal. It is a great opportunity for developers to present their work at booths that are also located at the business hall. For the last three years I could thankfully present AVET (AntiVirus Evasion Tool), which is giving presenters a briefings pass. The tools are also picked by a review board.
Defcon is the “real” hacker event in Vegas and is completly different as Black Hat (although both have the same founder). Black Hat and Defcon overlap one day, Defcon is four days. Costs for 2019 were 300$, qualitiy of the talks is also high and more fun might be included (like talks about phreaking). More offensive security stuff seems to be included here.
This year the event was spread over four hotels including four presentation tracks, several villages (areas with talks and hands-on for several topics), parties, CTFs, movies and so on. It was said that about 30000 people attended defcon in 2019, so everything was pretty crowded and also a bit confusing. Walking between the different spots can take between 10-20 minutes.
Defcon is meant to be a hacker con, which is true. Also, there is a strong drinking culture present, fist time speakers must drink a shot (and attendees demand it loudly).
If you have the chance to attend Black Hat/Defcon you should give it a try. It is great to connect and develop your skills and I have met some great people and made new friends. For people who want to advance their career it is definetly great, but if it is your first conference you might consider to go to a smaller event. The atmosphere in Las Vegas is somewhat special, whith the hotels, the casinos and the tourists around.
This week I did read the great book The Hacker Playbook 3 by Peter Kim. The focus of the book lies on Red Teaming, it makes sense to read also the first two books if you do not have prior knowledge to penetration testing.
Difference between pentesting and red teaming
MITRE ATT&CK framework
optional lab setup & exercises
about web attacks like node.js, nosql injections, deserializiation attacks and more
hacking the (windows) network for example with responder, password spraying
privilege escalation with misconfigured services, exploit suggester and more
mimikatz magic of course
attacks on macs with empire
bloodhound and sharphound
lateral movement using different techniques
social engineering campaings & physical attacks
recompile meterpreter dlls for avoiding detection
write your own droppers
I highly recommend this book, especially if you are into Red Teaming it is a good resource. Maybe a report about owing the Cyber Space Kittens lab would have been nice, since reporting in Red Teaming is a non trivial task.
After the getting started article, here is a walkthrough for hackthebox netmon, to get an impression how to pwn machines. This was a nice one and I guess one of the the easier.
Nmap 7.70 scan initiated Thu May 23 21:38:11 2019 as: nmap -A -oA netmon 10.10.10.152
Nmap scan report for 10.10.10.152
Host is up (0.043s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM inetpub
| 07-16-16 09:18AM PerfLogs
| 02-25-19 10:56PM Program Files
| 02-03-19 12:28AM Program Files (x86)
| 02-03-19 08:08AM Users
|02-25-19 11:49PM Windows
| SYST: Windows_NT
80/tcp open http Indy httpd 188.8.131.5246 (Paessler PRTG bandwidth monitor)
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-trane-info: Problem with XML parsing of /evox/about
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 54.00 ms 10.10.12.1
2 54.08 ms 10.10.10.152
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Thu May 23 21:38:40 2019 -- 1 IP address (1 host up) scanned in 29.10 seconds
Connect via FTP
The user hash is easily found:
Now we have a look at the running web server. A PRTG instance is running here. After some searching the web it was clear that this might be a vulnerable version of PRTG (https://www.codewatch.org/blog/?p=453). No login with std creds (prtgadmin/prtgadmin) possible…
But we have the FTP server, which gives us some infomation:Some interesting stuff in the windows dir:
Here the credentials are encrypted. Some research show that in older versions that might be a problem (TODO, link). So I spent some time in finding valid credentials.
Also in c:\windows:
c:\ProgrammData is hidden but can be seen if you access it directly:
Get netmon prtgadmin credentials:
Something interesting in PRTG Configuration.old.bak:
After some trying I found out that the new password was: PrTg@admin2019, so this is something you have sometimes in real life, finding some credentials but still need to try around a bit. Then I followed mostly this description of the vulnerability: https://www.codewatch.org/blog/?p=453
Add a notification:
Leave defaults and choose “Execute Program” with the following settings:
Success, we can now get the hash from the test,txt file:
Pwnd! What I liked on this machine was that you needed to combine vulnerabilities. First find the credentials, then alter them to the working credentials. After that you had RCE.