Category: ctf

Intermediate Hacking

TL;DR – Pwn all the Flags

Introduction

While there is a wealth of resources for beginners, taking the next step is deceptively simple and consequently under-documented. That is because the way to progress your penetration testing skills really comes down to practice.

At this stage, you should have an awareness of vulnerabilities and attack patterns. You are proficient with a wide selection of tools that you have been exposed to, and have had some success using them. You understand that just as defenses are layered, so too must attacks be. At this stage, you may have difficulty finding vulnerabilities and shared exploits for your targets. You have probably heard about ‘fuzzing’ and recognize that it is how many vulnerabilities are identified. You probably have some strengths with either network/system attacks or web application attacks. So what next?

Practice.

There is too much to learn, and that is a wonderful thing. Just being proficient as an entry-level penetration tester requires a working familiarity with the entire SDLC as well as IT operations. So why are there so many young penetration testers in the field? Dedication and, largely, specialization. In order to develop your skills, you need to keep practicing, either by specializing in one or a couple of aspects, or by developing your understanding of attack (and defense) methodologies.

While this sounds trite, the difficulty is often in staying motivated. Like most everything in life, it is not what you are good at, it is what you enjoy. Persistence builds competence.
That said, there are aspects of hacking that will not appeal to you. Sadly, in this game you have to be a jack of all trades to be a master of one. Keep the end game in mind when you hit one of these. Chances are you will find something fun in it because, well, it is still hacking.

Vulnerable Virtual Machines

There are a lot of vulnerable virtual machines (VMs) out there for practice. VulnHub (https://www.vulnhub.com/) and PentesterLab (https://pentesterlab.com/) both offer free VMs for you to download and practice against.

The problem with vulnerable VMs is that once you pwn them, their usefulness (and fun) greatly diminishes. However, a few are valuable to keep on hand for practicing tools and techniques. Metasploitable2 is great because it has the common vulnerable web applications on it (Mutillidae and DVWA). Additionally, building a virtualized network to practice perimeter exploitation and firewall/WAF/IDS/IPS bypasses benefits from having some easy boxes to pivot from. Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide, by Lee Allen, does a good job of covering how to set up a virtualized network, including using a pfSense box as a firewall.

Testing Methodologies and Write-ups

Common advice suggests that your practice should include writing a full penetration report. While this is a great idea, it is a lot of effort. However, if you perform a thorough test and write a complete report, you now have a work sample that shows you understand how to document findings and address your audiences (management and technical staff).

Being familiar with the OWASP Testing Guide is important to web application penetration testing. Seriously, it is the best testing guide I have seen, as it explains the how (referencing tools and providing examples and references) and the why. Even if you are not interested in web application testing, give it a once-over. The guide is well organized and contains valuable detail:

OWASP Testing Guide, Version 4 
Testing Guide Spreadsheet

For network penetration testing, the Penetration Testing Execution Standard (PTES) contains a lot of good information but does not include a testing guide. PTES at this point is largely a taxonomy and dictionary of terms, though with good detail. Due to the breadth of network penetration testing, distilling everything into a set of tests as OWASP has done is a monumental effort. Setting that tangent aside, PTES does present a valuable resource for beginners since it defines attack phases and concepts (http://www.pentest-standard.org/index.php/Main_Page) as well as describing tools and procedures (http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines).

Due to the sensitive nature of pentest reports, there are not many real world write-ups out there. However, there are a lot of capture the flag write-ups. While specific, these can help develop your understanding of exploitation and combining attacks.

Two take-aways from this recommendation:

  1. Evidence collection and reporting are very important. They make it easier for you to repeat processes and communicate findings.
  2. Reading standards and reports provides a good source of information and broadens knowledge of methods and tools.

Capture the Flag

A couple of the sites I like require a brief write-up to submit the challenge, or get points. I think this adds a lot of value because it forces you to consider why the exploit worked and how to mitigate it.

Hacking-Lab is one such practice site. While the actual CTF events it hosts are largely Euro-centric, that does not detract from the service they provide; they have a dedicated VM, they host CTF events, and you get points. Points have been a motivator for me (seriously, you want to stay ranked a hobo?). I think Hacking-Lab is a good starting point—they have a wide range of challenges, and enough pentesting challenges (OWASP Top 10 and such) to keep you busy for quite a while.

OverTheWire is another great resource. They have a few sets of games, with a suggested order. They help get you familiar with Linux hacking, privilege escalation and just generally figuring things out on your own. I was really struggling with privilege escalation, and doing Bandit I think gets you into the proper mindset: What do I have access to? What runs with more permissions than I have? How do I exploit that? They also help with buffer overflows and such (still my greatest weakness). There are also a lot of public write-ups, which can be quite helpful as a beginner.
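To make those three questions concrete, here is a small local enumeration playbook as an added example; it is not code from the original post or from OverTheWire. It assumes a Linux target with GNU find, and takes a directory argument so it can be pointed at a scratch directory while you test it rather than at /.

```bash
#!/bin/bash
# Local privilege-escalation enumeration in the Bandit mindset (added example, not from the
# original post): what can I read or write, what runs with more privilege than I have, and
# where do those two sets overlap? Each check is a function so it can be reused in a playbook.
# The directory argument is an assumption for testing; on a real target you would pass /.

# find_suid DIR: regular files under DIR that execute as their owner (setuid) or group (setgid).
# These are the classic "runs with more permissions than I have" candidates; check each one
# for known abuse (GTFOBins-style) before assuming it is safe.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# find_world_writable DIR: files anyone can modify. A writable script, config or cron job that
# a privileged process later executes is a direct path to escalation.
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 ! -path '/proc/*' ! -path '/sys/*' 2>/dev/null
}

# find_writable_by_me DIR: files writable by the current user but owned by someone else
# (group or ACL grants), which are easy to miss with a plain ls.
find_writable_by_me() {
    find "$1" -xdev -type f -writable ! -user "$(id -un)" 2>/dev/null
}

# sudo_rights: commands this user may run via sudo; -n never prompts, so it is safe in scripts.
sudo_rights() { sudo -n -l 2>/dev/null; }

# file_caps DIR: binaries carrying file capabilities (cap_setuid, cap_dac_read_search, ...),
# which escalate like setuid but never show up in a -perm -4000 search.
file_caps() { command -v getcap >/dev/null 2>&1 && getcap -r "$1" 2>/dev/null; }

# enumerate DIR: run every check with a header, suitable for saving straight into your log.
enumerate() {
    local dir=${1:-/}
    echo "== setuid/setgid under $dir =="; find_suid "$dir"
    echo "== world-writable under $dir =="; find_world_writable "$dir"
    echo "== writable by $(id -un) but owned by others =="; find_writable_by_me "$dir"
    echo "== file capabilities under $dir =="; file_caps "$dir"
    echo "== sudo -n -l =="; sudo_rights
}
```

Run `enumerate / | tee privesc-$(hostname).txt` on the box; the point of the functions is that the output lands in your notes in the same shape every time, so the second box is faster than the first.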

Hacker.org is much more about puzzles, crypto and coding challenges than hacking/pentesting. However, it is a great resource with many good challenges. If you do the coding ones, you will start to develop a script library that will help with solving CTFs in general.

RingZer0Team is really a fantastic resource. It has a lot of challenges, categorized and spanning forensics through SQLi. While the site is slow, and many of the challenges are very hard (even sometimes after figuring them out and/or using hints), the content and support team and user base are top notch. Optionally you can submit write-ups for solved challenges. This gets you ‘gold’ that you can then use to buy hints for challenges. They also have a Slack channel that is active enough with some resources that can help out. Highly recommend this site. And the Forensics challenges in particular will hone your research skills.

Finally, the starting point: We Chall. We Chall allows you to link all of your challenge sites into this centralized beast. They also host a set of good challenges. Check out some of the other sites as well—there are a lot more than what I have included.

Documentation

My personal recommendation is that no matter how much or little you do—keep a log. Having done something once does not ensure that you will remember it exactly and/or be able to readily repeat it. And it can be annoying trying to find something again; should be easier the second time around, right? Sometimes Google penalizes you for knowing a specific term–it is a search engine, not a bookmark engine–so don’t try to do its job.

Building out a set of scripts improves those skills and saves you time later. This is also part of your playbook–how you enumerate and test. While challenges are typically one-offs, there are only so many types of puzzles, and solving them falls under practice. The first time you are able to use a ‘find -exec’ without looking up the ‘{} \;’ bit is nice.

Scripts should be sufficiently commented–it will make grepping them easier. If you base your script on something else, include the URL/script name–may be helpful on your next revision. Be reasonable here–most of your ‘scripts’ will essentially be ‘functions.’

I distill this log into a notebook that reminds me of techniques, scripts, exploits and such. The daunting breadth of knowledge greatly benefits from organization.

Conclusion

In summary, practice. Find what motivates you to practice; be that bug bounties or CTF sites or writing tools. Part of that practice should include formalizing your efforts–save your scripts, take notes and practice writing. The resulting playbook is your personal guide to intermediate hacking.

Bashing Wargames

As much as I like Python, I have a weird obsession with coming up with bash solutions for wargames. I do not want to see each attempt, just the right answer. This has led to some good uses of constructors and grep inversions, improving my ability to Bash.

Today I discovered the true power of Bash brace expansion. The expression ‘{0..9}’ will output the numbers zero through nine, and ‘{a..z}’ will give you all the lowercase letters. To get letters and numbers into one expansion, nest them:

{{a..z},{0..9}}

Armed with this knowledge, let’s generate all four-character alphanumeric combinations:


#!/bin/bash
# Brute Force Four Character Alphanumeric Password
# Solution for Yrivnguna 6: Runs program (~/yrivnguna6) to determine result
# Constructor to generate four character alphanumeric combinations
# (36^4 = 1,679,616 candidates; bash expands the whole list before the loop starts):
for i in {{a..z},{0..9}}{{a..z},{0..9}}{{a..z},{0..9}}{{a..z},{0..9}}
do
  # grep inversion: succeed on the first candidate whose output does not say "Wrong"
  if ~/yrivnguna6 "$i" | grep -q -v "Wrong"; then
    echo "Answer: $i"
    break
  fi
done
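The same trick generalizes: the pattern above hard-codes four copies of the nested term, but the length can be a parameter if the pattern is built as text and handed to eval, since brace expansion runs before variable expansion. The following is an added example, not from the original post; the target program is whatever the caller passes in, and the test target used below is a stand-in function rather than the wargame binary.

```bash
#!/bin/bash
# Generalised brace-expansion candidate generator (added example; not from the original post).
# The check against the target is factored out so it works with any program that prints
# "Wrong" on failure. The target command is an assumption supplied by the caller.

# alnum_term: the brace term for one character position over [a-z0-9]
alnum_term() { printf '%s' '{{a..z},{0..9}}'; }

# count_combos N: 36^N, the number of candidates gen_combos N will print
count_combos() { echo $((36 ** $1)); }

# gen_combos N: print every N-character string over [a-z0-9], one per line.
# Brace expansion happens before variable expansion, so the pattern is assembled as text and
# handed to eval; bash then expands it into the argument list of the printf builtin.
gen_combos() {
    local n=$1 pattern="" i
    for ((i = 0; i < n; i++)); do
        pattern+=$(alnum_term)
    done
    eval "printf '%s\n' $pattern"
}

# brute_force CMD N: run CMD with each N-character candidate and print the first one whose
# output has a line that does not say "Wrong" (the grep inversion from the post).
# Returns 1 if no candidate matches. The loop reads from a process substitution rather than a
# pipe so that "return" leaves the function, not a subshell.
brute_force() {
    local cmd=$1 n=$2 candidate
    while IFS= read -r candidate; do
        if "$cmd" "$candidate" | grep -q -v "Wrong"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < <(gen_combos "$n")
    return 1
}
```

Two caveats worth knowing before you reach for this on a bigger keyspace: bash materializes the entire expansion in memory before printf runs (count_combos tells you how large that list is), and every candidate costs a fork for the target and one for grep, so past five or six characters a compiled loop or a proper tool is the better choice.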

2015 SANS Holiday Hack Challenge

It is exciting to see the SANS Holiday Hack Challenge write-ups being shared. So I thought that I would share the write-up that I submitted. While I did not manage to compromise the final server, I did manage a lot of learning and the fun that goes with progress. SANS and CounterHack did an incredible job creating the game, story and environments, as they do every year.

© 2019 /dev/thought
