Notes/Plan for my own personal reference!
OSWE/AWAE Pre-Preparation Plan and Notes
Started : 16-09-2022
Expected : ?? Donno ?? [bcz of college Assignments/ Exams/ Projects. College Sucks]
Oct to Dec: Got Distracted with bug-bounties + College Assignments/Exams: 2 months
Re-started: 01-12-2022
Goal :
Make yourself familiar enough with all the concepts required to be able to tackle OSWE Course Material and exam
with ease and clear the examination with one single attempt (even if it's gonna be my first certification in the field of cyber sec)
My own detailed notes and practice repositories
- Linux Notes
- Bash Scripting Notes
- RegEx Notes
- SQL Notes
- AWAE Notes
[^ Above Repo is private for obvious reasons. I don't wanna spoon feed anyone. Plus, why I kept it here? => For my own convenience.]
- Powershell Notes
- Python Notes
- Pre-requisites
- Tools and Methodologies
- ATutor Authentication Bypass and RCE
- ATutor LMS Type Juggling Vulnerability
- ManageEngine Applications Manager AMUserResourceSyncServlet SQL Injection RCE
- Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
- DotNetNuke Cookie Deserialization RCE
- ERPNext Authentication Bypass and Server Side Template Injection
- openCRX Authentication Bypass and Remote Code Execution
- openITCOCKPIT XSS and OS Command Injection - Blackbox
- Concord Authentication Bypass to RCE
- Server Side Request Forgery
- Guacamole Lite Prototype Pollution
- Comfort reading and writing at least one coding language.
- This course is not for you if you can't even write a few lines of logic - sorry!
- Just in case you can or don't know if you can:
- Familiarity with Linux.
- Linux Cheatsheet
- Book : The Linux Command Line
- Practice:
- Ability to write simple Python / Perl / PHP / Bash scripts.
- Bash Scripting:
- Experience with web proxies.
- General understanding of web app attack vectors, theory, and practice.
- Things that ain't mentioned in pre-requisites but are actually required
- SQL
- RegEx
- Reverse Shells
- An IDE + Code Editor:
- Maybe Visual Studio (IDE)
- Visual Studio Code or ATOM or Sublime Text
- RegEx
Quick Notes:
MetaCharacters (Need to be escaped):
.[{()\^|?*+
For Example:
. - matches any character (unescaped)
\. - matches a literal dot
- You have to escape \ with \ as well, i.e. \\
Matches characters
. - Any Character Except New Line
\d - Digit (0-9)
\D - Not a Digit (0-9)
\w - Word Character (a-z, A-Z, 0-9, _)
\W - Not a Word character
\s - Whitespace (space, tab, newline)
\S - Not Whitespace (space, tab, newline)
Anchors - match positions between characters (zero-width), not the characters themselves
\b - Word Boundary
\B - Not a Word Boundary
^ - Beginning of a String
$ - End of a String
[] - Matches Characters in brackets
[^ ] - Matches Characters NOT in bracket
| - Either Or
( ) - Group
Quantifiers:
* - 0 or More
+ - 1 or More
? - 0 or One
{3} - Exact Number
{3,4} - Range of Numbers (Minimum, Maximum); no space after the comma, or most engines treat the braces literally
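As an added example (not part of the original notes), the cheat-sheet constructs above applied with Python's re module to a constructed HTTP response of the kind one inspects in a web proxy; the response text, cookie names and URLs are made up for the demonstration.

```python
import re
from typing import List, Optional

# Constructed sample HTTP response, as one would see in a web proxy (not from the original notes).
RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: ATutorID=a3f9c2d1e0; Path=/; HttpOnly\r\n"
    "Set-Cookie: flavour=chocolate.chip\r\n"
    "Location: /admin/index.php?token=4f2a\r\n"
    "\r\n"
    "<a href='/users/profile.php?id=42'>me</a> <a href='/users/profile.php?id=7'>you</a>"
)

def status_code(raw: str) -> Optional[int]:
    # \. escapes the '.' metacharacter, \d is a digit, {3} means exactly three of them
    m = re.match(r"^HTTP/\d\.\d (\d{3})\b", raw)
    return int(m.group(1)) if m else None

def cookie_value(raw: str, name: str) -> Optional[str]:
    # ^ anchors at a line start (re.M), re.escape() escapes any metacharacters in the name,
    # ( ) captures, [^;\r\n]* is "zero or more characters that are NOT ';', CR or LF"
    m = re.search(r"^Set-Cookie: " + re.escape(name) + r"=([^;\r\n]*)", raw, re.M)
    return m.group(1) if m else None

def cookie_flags(raw: str, name: str) -> List[str]:
    # | is alternation; \b stops 'Secure' from matching inside a longer word
    m = re.search(r"^Set-Cookie: " + re.escape(name) + r"=.*$", raw, re.M)
    return re.findall(r"\b(HttpOnly|Secure|SameSite)\b", m.group(0)) if m else []

def profile_ids(raw: str) -> List[int]:
    # \. and \? escape metacharacters; \d+ is one or more digits
    return [int(i) for i in re.findall(r"/profile\.php\?id=(\d+)", raw)]

def is_hex_token(value: str) -> bool:
    # character class [0-9a-f] with {4,8}: four to eight lowercase hex digits and nothing else
    return re.fullmatch(r"[0-9a-f]{4,8}", value) is not None

def whole_word_count(raw: str, word: str) -> int:
    # \b...\b matches 'id' as a whole word (id=42, id=7) but not inside 'ATutorID'
    return len(re.findall(r"\b" + re.escape(word) + r"\b", raw))

if __name__ == "__main__":
    print(status_code(RESPONSE), cookie_value(RESPONSE, "ATutorID"), cookie_flags(RESPONSE, "flavour"))
```

The flavour cookie coming back with no HttpOnly or Secure flag is exactly the kind of finding the flags check is meant to surface when run over proxied traffic.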
- SQL
codewars
stratascratch
https://pgexercises.com/questions/basic/
https://app.sixweeksql.com/
https://mystery.knightlab.com/
https://schemaverse.com/
https://mode.com/sql-tutorial/
https://advancedsqlpuzzles.com/
https://www.w3schools.com/sql/exercise.asp
https://bipp.io/sql-tutorial
https://learnsql.com/
https://selectstarsql.com/
http://www.sql-ex.ru/
https://www.sqlservercentral.com/stairways
- Syllabus:
- Web Traffic Inspection
- Interacting with web listeners using python
- Source Code Recovery
==> .NET code
==> Java classes
- Source code analysis methodology
- Debugging
Tools | Features |
---|---|
Burp Suite | Web Proxy/Listener |
dnSpy | .NET Code decompilers |
dotPeek | .NET Code decompilers |
ilSpy | .NET Code decompilers |
JD-GUI | Java decompilers |
Reference:
Best .NET Decompilers: https://www.reddit.com/r/REGames/comments/t6me91/what_best_c_decompiler_that_gives_you_working/
Best Java Classes Decompilers: https://www.reddit.com/r/java/comments/6gyprq/looking_for_a_java_decompiler/
- Videos:
- Reversing .NET Applications with ILSpy: https://youtu.be/3xPL0vHGKLE
- dotPeek - .NET decompiler and assembly browser: https://youtu.be/msJVDzrHS2g
- How to Use dnSpy to Reverse Engineer Unity Games: https://youtu.be/jZnT__DphzE
Vulnerable Versions of Applications Mentioned in the Course
Syllabus | Version |
---|---|
ATutor Authentication Bypass and RCE | ATutor v2.2.1 |
ATutor LMS Type Juggling Vulnerability | ATutor v2.2.1 |
ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE | ManageEngine Application Manager before (<) Version 13 (13730 build) |
Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability | Bassmaster v1.5.1 |
DotNetNuke Cookie Deserialization RCE | DNN v9.1.1 |
ERPNext Authentication Bypass and Server Side Template Injection | Probably ERPNext <= v12 |
openCRX Authentication Bypass and Remote Code Execution | Probably OpenCRX version <= 4.30 and 5.0-20200717 |
openITCOCKPIT XSS and OS Command Injection | Probably openITCOCKPIT < 3.7.3 |
Reference:
ATutor to DotNetNuke: https://github.com/timip/OSWE
ManageEngine Application Manager SQLi & RCE: https://www.manageengine.com/products/applications_manager/issues.html
ERPNext Authentication Bypass and Server Side Template Injection:
A lot of Google Search based on syllabus pdf +
https://erpnext.com/security/references
https://github.com/frappe/frappe/pull/8044
https://www.cvedetails.com/cve/CVE-2019-14965/
https://infosecwriteups.com/frapp%C3%A9-technologies-erpnext-server-side-template-injection-74e1c95ec872
OpenCRX Authentication Bypass and Remote Code Execution:
https://nvd.nist.gov/vuln/detail/CVE-2020-7378
https://www.rapid7.com/blog/post/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/
openITCOCKPIT XSS and OS Command Injection:
https://openitcockpit.io/security/
https://openitcockpit.io/2020/2020/03/23/openitcockpit-3-7-3-released/
ATutor Authentication Bypass and RCE
- Pre-requisites:
- SQL Injection - Specifically Blind Boolean Based
- File Upload Vulnerabilities
- Installation:
- Download: https://sourceforge.net/projects/atutor/files/atutor_2_2_1/
- (Worked for me on my local windows machine) XAMPP v3.2.2 : https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/
- It's one of these versions:
- I don't exactly remember which one I installed even if I could see the date modified and compiled date.
- Even installing this on my local machine was a great exercise for me personally.
- Vulnerabilities:
- Practice:
I was thinking about something and an Idea popped up in my mind.
Idea:
What if we try finding each and every CVE mentioned in the CVE list about an application on our own? Don't you think it would be a great practice exercise?
1. Install the vulnerable version of the application.
2. Deploy it
3. Refer the CVE details and try finding that vulnerability on our own.
Great idea isn't it?
ATutor LMS Type Juggling Vulnerability
- Pre-requisites:
- PHP Type Juggling
- Magic Hashes
- Python Module:
- Hashlib
- Vulnerability:
- Resources:
- Quick Notes:
- Magic Hashes:
Plaintext | MD5 Hash |
---|---|
240610708 | 0e462097431906509019562988736854 |
QLTHNDT | 0e405967825401955372549139051580 |
QNKCDZO | 0e830400451993494058024219903391 |
PJNPDWY | 0e291529052894702774557631701704 |
NWWKITQ | 0e763082070976038347657360817689 |
NOOPCJF | 0e818888003657176127862245791911 |
MMHUWUV | 0e701732711630150438129209816536 |
MAUXXQC | 0e478478466848439040434801845361 |
IHKFRNS | 0e256160682445802696926137988570 |
GZECLQZ | 0e537612333747236407713628225676 |
GGHMVOE | 0e362766013028313274586933780773 |
GEGHBXL | 0e248776895502908863709684713578 |
EEIZDOI | 0e782601363539291779881938479162 |
DYAXWCA | 0e424759758842488633464374063001 |
DQWRASX | 0e742373665639232907775599582643 |
BRTKUJZ | 00e57640477961333848717747276704 |
ABJIHVY | 0e755264355178451322893275696586 |
aaaXXAYW | 0e540853622400160407992788832284 |
aabg7XSs | 0e087386482136013740957780965295 |
aabC9RqS | 0e041022518165728065344349536299 |
0e215962017 | 0e291242476940776845150308577824 |

Plaintext | SHA1 Hash |
---|---|
aaroZmOk | 0e66507019969427134894567494305185566735 |
aaK1STfY | 0e76658526655756207688271159624026011393 |
aaO8zKZF | 0e89257456677279068558073954252716165668 |
aa3OFF9m | 0e36977786278517984959260394024281014729 |

Plaintext | MD4 Hash |
---|---|
bhhkktQZ | 0e949030067204812898914975918567 |
0e001233333333333334557778889 | 0e434041524824285414215559233446 |
0e00000111222333333666788888889 | 0e641853458593358523155449768529 |
0001235666666688888888888 | 0e832225036643258141969031181899 |
Reference: https://github.com/JohnHammond/ctf-katana#php
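An added example, not from the original notes or from ATutor: Python with hashlib (listed above as a pre-requisite) recomputes digests for a few plaintexts from the table, checks that they are magic with the regex ^0+e\d+$, and emulates PHP's loose == next to the strict comparison that fixes it. php_loose_equal, login_vulnerable and login_fixed are names made up for this illustration, not PHP or ATutor code.

```python
import hashlib
import hmac
import re

# A hex digest is "magic" when PHP can read it as a number: zeros, then 'e', then digits => 0 * 10^n == 0
MAGIC = re.compile(r"^0+e\d+$")
# PHP's idea of a numeric string (simplified): optional sign, digits/decimal point, optional exponent
NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")

def is_magic(digest_hex: str) -> bool:
    return MAGIC.match(digest_hex) is not None

def php_loose_equal(a: str, b: str) -> bool:
    """Emulates PHP's == on two strings: two numeric strings are compared as numbers (the bug),
    anything else is compared as plain strings. Assumption: this simplified model is enough here."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b

def php_strict_equal(a: str, b: str) -> bool:
    """What PHP's === or hash_equals() gives you: same bytes, no numeric coercion, constant time."""
    return hmac.compare_digest(a.encode(), b.encode())

def digest(algo: str, plaintext: str) -> str:
    return hashlib.new(algo, plaintext.encode()).hexdigest()

# Plaintexts taken from the table above; their digests are recomputed here rather than copied
KNOWN_MAGIC = [("md5", "240610708"), ("md5", "QNKCDZO"), ("sha1", "aaroZmOk")]

def check_table() -> dict:
    """Return {plaintext: digest} for every entry whose recomputed digest really is magic."""
    return {p: digest(a, p) for a, p in KNOWN_MAGIC if is_magic(digest(a, p))}

def login_vulnerable(stored_hash: str, supplied_password: str) -> bool:
    # if (md5($pass) == $stored): when the stored hash is magic, any magic-hash password compares equal
    return php_loose_equal(digest("md5", supplied_password), stored_hash)

def login_fixed(stored_hash: str, supplied_password: str) -> bool:
    # if (hash_equals($stored, md5($pass))): byte-for-byte comparison, only the real password passes
    return php_strict_equal(digest("md5", supplied_password), stored_hash)

if __name__ == "__main__":
    print(check_table())
    print(login_vulnerable(digest("md5", "240610708"), "QNKCDZO"), login_fixed(digest("md5", "240610708"), "QNKCDZO"))
```

PHP 8 still compares two numeric strings numerically, so the loose form stays broken there; the fix is === or hash_equals(), and the same check works for any stored hash format, not just MD5.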
ManageEngine Applications Manager AMUserResourceSyncServlet SQL Injection RCE
- Pre-requisites:
- Servlets (java)
- PostgreSQL
- Reverse Shells
- Vulnerabilities:
- Installation:
- Download: https://archives.manageengine.com/applications_manager/13720/
- Direct Download: https://archives.manageengine.com/applications_manager/13720/ManageEngine_ApplicationsManager_64bit.exe
- The above version should have worked but ain't working for me on my windows 10 vm. The latest version ran fine. I don't know why it's not working. I'll try downloading and installing few other versions and will mention it here later.
- oops! this might be the reason, I should find a workaround:
- Damn! It was more difficult than I thought. It took me 3 days to make it work, finally, sigh!
- For anyone who feels like they'll need my help installing MAM, you can email me or DM me on linkedin. You know where to find me ;) If not, do research ಠ_ಠ.
- Practice:
Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
- Pre-requisites:
- NodeJS
- Vulnerabilities:
- Installation:
npm install bassmaster@1.5.1