Notes/Plan for my own personal reference!
Started : 16-09-2022
Expected : ?? Donno ?? [bcz of college Assignments/ Exams/ Projects. College Sucks]
Oct to Dec: Got Distracted with bug-bounties + College Assignments/Exams: 2 months
Re-started: 01-12-2022
Goal :
Make yourself familiar enough with all the concepts required to be able to tackle OSWE Course Material and exam
with ease and clear the examination with one single attempt (even if it's gonna be my first certification in the field of cyber sec)
Image Credits https://alaa.blog/wp-content/uploads/2020/08/awae.png
- Linux Notes
- Bash Scripting Notes
- RegEx Notes
- SQL Notes
- AWAE Notes
[^ Above Repo is private for obvious reasons. I don't wanna spoon feed anyone. Plus, why I kept it here? => For my own convenience.]
- Powershell Notes
- Python Notes
- Pre-requisites
- Tools and Methodologies
- ATutor Authentication Bypass and RCE
- ATutor LMS Type Juggling Vulnerability
- ManageEngine Applications Manager AMUserResourceSyncServlet SQL Injection RCE
- Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
- DotNetNuke Cookie Deserialization RCE
- ERPNext Authentication Bypass and Server Side Template Injection
- openCRX Authentication Bypass and Remote Code Execution
- openITCOCKPIT XSS and OS Command Injection - Blackbox
- Concord Authentication Bypass to RCE
- Server Side Request Forgery
- Guacamole Lite Prototype Pollution
- Comfort reading and writing at least one coding language.
- This course is not for you if you can't even write few lines of logic - sorry!
- Just in case you can or don't know if you can:
- Familiarity with Linux.
- Linux Cheatsheet
- Book : The Linux Command Line
- Practice:
- Ability to write simple Python / Perl / PHP / Bash scripts.
- Bash Scripting:
- Experience with web proxies.
- General understanding of web app attack vectors, theory, and practice.
- Things that ain't mentioned in pre-requisites but are actually required
- SQL
- ReGex
- Reverse Shells
- An IDE + Code Editor:
- Maybe Visual Studio (IDE)
- Visual Studio Code or ATOM or Sublime Text
- ReGex
Quick Notes:
MetaCharacters (Need to be escaped):
.[{()\^|?*+
For Example:
. - select everything
\. - matches literal dot
- You have to escape \ with \ i.e. \\
Matches characters
. - Any Character Except New Line
\d - Digit (0-9)
\D - Not a Digit (0-9)
\w - Word Character (a-z, A-Z, 0-9, _)
\W - Not a Word character
\s - Whitespace (space, tab, newline)
\S - Not Whitespace (space, tab, newline)
Anchors - matches visible positions between characters
\b - Word Boundary
\B - Not a Word Boundary
^ - Beginning of a String
$ - End of a String
[] - Matches Characters in brackets
[^ ] - Matches Characters NOT in bracket
| - Either Or
( ) - Group
Quantifiers:
* - 0 or More
+ - 1 or More
? - 0 or One
{3} - Exact Number
{3, 4} - Range of Numbers (Minimum, Maximum)
- SQL
codewars
stratascratch
https://pgexercises.com/questions/basic/
https://app.sixweeksql.com/
https://mystery.knightlab.com/
https://schemaverse.com/
https://mode.com/sql-tutorial/
https://advancedsqlpuzzles.com/
https://www.w3schools.com/sql/exercise.asp
https://bipp.io/sql-tutorial
https://learnsql.com/
https://selectstarsql.com/
http://www.sql-ex.ru/
https://www.sqlservercentral.com/stairways
- Syllabus:
- Web Traffic Inspection
- Interacting with web listeners using python
- Source Code Recovery
==> .NET code
==> Java classes
- Source code analysis methodology
- Debugging
| Tools | Features |
|---|---|
Burp Suite |
Web Proxy/Listener |
dnSpy |
.NET Code decompilers |
dotPeek |
|
ilSpy |
|
JD-GUI |
Java decompilers |
Reference:
Best .NET Deompilers: https://www.reddit.com/r/REGames/comments/t6me91/what_best_c_decompiler_that_gives_you_working/
Best Java Classes Decompilers: https://www.reddit.com/r/java/comments/6gyprq/looking_for_a_java_decompiler/
- Vidoes:
- Reversing .NET Applications with ILSpy: https://youtu.be/3xPL0vHGKLE
- dotPeek - .NET decompiler and assembly browser: https://youtu.be/msJVDzrHS2g
- How to Use dnSpy to Reverse Engineer Unity Games: https://youtu.be/jZnT__DphzE
| Syllabus | Version |
|---|---|
| ATutor Authentication Bypass and RCE | ATutor v2.2.1 |
| ATutor LMS Type Juggling Vulnerability | ATutor v2.2.1 |
| ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE | ManageEngine Application Manager before (<) Version 13 (13730 build) |
| Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability | Bassmaster v1.5.1 |
| DotNetNuke Cookie Deserialization RCE | DNN v9.1.1 |
| ERPNext Authentication Bypass and Server Side Template Injection | Probably ERPNext <= v12 |
| openCRX Authentication Bypass and Remote Code Execution | Probably OpenCRX version <= 4.30 and 5.0-20200717 |
| openITCOCKPIT XSS and OS Command Injection | Probably openITCOCKPIT < 3.7.3 |
Reference:
ATutor to DotNetNuke: https://github.com/timip/OSWE
ManageEngine Application Manager SQLi & RCE: https://www.manageengine.com/products/applications_manager/issues.html
ERPNext Authentication Bypass and Server Side Template Injection:
A lot of Google Search based on syllabus pdf +
https://erpnext.com/security/references
https://github.com/frappe/frappe/pull/8044
https://www.cvedetails.com/cve/CVE-2019-14965/
https://infosecwriteups.com/frapp%C3%A9-technologies-erpnext-server-side-template-injection-74e1c95ec872
OpenCRX Authentication Bypass and Remote Code Execution:
https://nvd.nist.gov/vuln/detail/CVE-2020-7378
https://www.rapid7.com/blog/post/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/
openITCOCKPIT XSS and OS Command Injection:
https://openitcockpit.io/security/
https://openitcockpit.io/2020/2020/03/23/openitcockpit-3-7-3-released/
- 𝑷𝒓𝒆-𝒓𝒆𝒒𝒖𝒊𝒔𝒊𝒕𝒆𝒔:
- SQL Injection - Specifically Blind Boolean Based
- File Upload Vulnerabilities
- 𝑰𝒏𝒔𝒕𝒂𝒍𝒍𝒂𝒕𝒊𝒐𝒏:
- Download: https://sourceforge.net/projects/atutor/files/atutor_2_2_1/
- (Worked for me on my local windows machine) XAMPP v3.2.2 : https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/
- It's one of these versions:
- I don't exactly remember which one I installed even if I could see the date modified and compiled date.
- Even installing this on my local machine was a great exercise for me personally.
- 𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒊𝒆𝒔:
- 𝑷𝒓𝒂𝒄𝒕𝒊𝒔𝒆:
I was thinking about something and an Idea popped up in my mind.
Idea:
What if we try finding each and every CVE mentioned in the CVE list about an application on our own? Don't you think it would be a great practice exercise?
1. Install the vulnerable version of the application.
2. Deploy it
3. Refer the CVE details and try finding that vulnerability on our own.
Great idea isn't it?
- 𝑷𝒓𝒆-𝒓𝒆𝒒𝒖𝒊𝒔𝒊𝒕𝒆𝒔:
- PHP Type Juggling
- Magic Hashes
- Python Module:
- Hashlib
- 𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒚:
- 𝑹𝒆𝒔𝒐𝒖𝒓𝒄𝒆𝒔:
- 𝑸𝒖𝒊𝒄𝒌 𝑵𝒐𝒕𝒆𝒔:
- Magic Hashes:
Plaintext MD5 Hash 240610708 0e462097431906509019562988736854 QLTHNDT 0e405967825401955372549139051580 QNKCDZO 0e830400451993494058024219903391 PJNPDWY 0e291529052894702774557631701704 NWWKITQ 0e763082070976038347657360817689 NOOPCJF 0e818888003657176127862245791911 MMHUWUV 0e701732711630150438129209816536 MAUXXQC 0e478478466848439040434801845361 IHKFRNS 0e256160682445802696926137988570 GZECLQZ 0e537612333747236407713628225676 GGHMVOE 0e362766013028313274586933780773 GEGHBXL 0e248776895502908863709684713578 EEIZDOI 0e782601363539291779881938479162 DYAXWCA 0e424759758842488633464374063001 DQWRASX 0e742373665639232907775599582643 BRTKUJZ 00e57640477961333848717747276704 ABJIHVY 0e755264355178451322893275696586 aaaXXAYW 0e540853622400160407992788832284 aabg7XSs 0e087386482136013740957780965295 aabC9RqS 0e041022518165728065344349536299 0e215962017 0e291242476940776845150308577824
Plaintext SHA1 Hash aaroZmOk 0e66507019969427134894567494305185566735 aaK1STfY 0e76658526655756207688271159624026011393 aaO8zKZF 0e89257456677279068558073954252716165668 aa3OFF9m 0e36977786278517984959260394024281014729
Plaintext MD4 Hash bhhkktQZ 0e949030067204812898914975918567 0e001233333333333334557778889 0e434041524824285414215559233446 0e00000111222333333666788888889 0e641853458593358523155449768529 0001235666666688888888888 0e832225036643258141969031181899
Reference: https://github.com/JohnHammond/ctf-katana#php
- 𝑷𝒓𝒆-𝒓𝒆𝒒𝒖𝒊𝒔𝒊𝒕𝒆𝒔:
- Servlets (java)
- PostgreSQL
- Reverse Shells
- 𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒊𝒆𝒔:
- 𝑰𝒏𝒔𝒕𝒂𝒍𝒍𝒂𝒕𝒊𝒐𝒏:
- Download: https://archives.manageengine.com/applications_manager/13720/
- Direct Download: https://archives.manageengine.com/applications_manager/13720/ManageEngine_ApplicationsManager_64bit.exe
- The above version should have worked but ain't working for me on my windows 10 vm. The latest version ran fine. I don't know why it's not working. I'll try downloading and installing few other versions and will mention it here later.
- oops! this might be the reason, I should find a workaround:
- Damn! It was more difficult than I thought. It took me 3 days to make it work, finally, sigh!
- For anyone who feels like they'll need my help installing MAM, you can email me or DM me on linkedin. You know where to find me ;) If not, do research ಠ_ಠ.
- 𝑷𝒓𝒂𝒄𝒕𝒊𝒔𝒆:
- 𝑷𝒓𝒆-𝒓𝒆𝒒𝒖𝒊𝒔𝒊𝒕𝒆𝒔:
- NodeJS
- 𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒊𝒆𝒔:
- 𝑰𝒏𝒔𝒕𝒂𝒍𝒍𝒂𝒕𝒊𝒐𝒏:
npm install bassmaster@1.5.1