Browse Category

General

Fastest Fix on Open Bug Bounty Platform

This is a write-up on the Fastest Fix on Open Bug Bounty (OBB) Platform. The security team was extremely prompt in responding and fixing the bug.

I don’t usually write articles related to the bugs that I have reported to organisations through responsible disclosure, however, I have gotten explicit permission from Kevag Telekom GmbH to write a blog post about this report.

Fastest Fix Achievement Badge

To achieve “Fastest Fix” on Open Bug Bounty, it is compulsory to complete all the following within 24 hours:

  1. Reporting a bug through the Open Bug Bounty platform (link)
  2. Contacting the affected organisation (via Twitter, Email, Contact form, etc.)
  3. Providing a Proof of Concept (POC) to demonstrate the vulnerability
  4. Getting the organisation to fix the vulnerability and deploy it to the production environment
  5. Conducting a regression test to verify that the vulnerability has been fixed
  6. Triggering Open Bug Bounty platform to verify the fix and update its tracking status

After successfully completing the above steps within 24 hours, the following simple badge has been earned:

Fastest Fix on Open Bug Bounty
In the name of gamification, OBB provides Security Researchers with Awards and Achievements. They are simple badges that could be earned through fulfilling certain criteria.

Keep Reading

A review of my past one-year in Information Security

A Review of my past one-year in Information Security

A review of my past one-year in Information Security
A review of my past one-year in Information Security

Last week, I had my one-year anniversary in the Information Security industry, doing work related to the offensive aspect of security. Surprisingly, it has already been a year since I left my previous role from a local bank and pursued my interest in Information Security. Time really flies…

The purpose of this blog is to document my learning journey, but I have neglected it for a few months due to hectic workload from various sources, however, the good news is that I have decided to consciously remind myself to update it more often moving forward! Well, make it a “new year resolution”!

Now, back to the review…

Keep Reading

My OSCP / PWK Course Review

It have been a tough 3 months of virtual lab and hands-on training – so much learning, and I mean, intensive learning; combo with many sleepless nights and so much sweat and tears (maybe not the tears part but you get the point), I have finally passed my OSCP!

I am now officially an Offensive Security Certified Professional!  Yes, I tried harder #tryharder 🙂

passoscp

It have been a very tough 3 months of journey, which explains why I have not been blogging anything at all since then. I am happy to be back and blogging once again!

Okay, here comes my review about the course, specifically for any fellow aspiring ethical hacker like me, or simply anyone who have passion in the topic of computer security and wants to learn the technical side of the skill set.

A little bit about myself (for reference to the content below): I graduated from the National University of Singapore (NUS), School of Computing, Bachelor of E-Commerce, in 2014. Since then, I have been working as an IT Infrastructure Project Delivery Manager at a bank. In my role, I basically coordinates the completion of various deliverable for either the upgrading of existing systems or setting up of new systems. Up to this point, my job were not security related. To pursue my interest in information security, I left my job. I took up training courses and obtained my EC-Council Certified Ethical Hacker (CEHv9) certification during September 2016. Ever since then, I have been doing a lot of self learning on IT security stuff, especially from trying out hands on self-training by hacking the Virtual Machines downloadable from Vulnhub, you can read some of my write-ups over here.

oscp-certs

Before you sign up for the OSCP course, it is essential to plan your time well! I made a mistake so I’d like you to learn from it. First, you have to know that to obtain the OSCP certification, you will need to register yourself for the Penetration Testing with Kali (PWK) course. The course consists of a virtual lab environment of which the credentials will be sent to you (along with training manual and videos) after you have successfully registered for the course. The mistake which I have made is to directly plan for a nice weekend (and a week with lesser work) to sign up for the course, thinking that I could get started immediately.

Listen/read: You will not start the course immediately. Courses will only start at certain days of each week, and each week can only have a limited number of students to start their PWK course, depending on the sign up rates, which will not be disclosed by Offensive Security. For my case, the earliest I could get started back then was 2 weeks after I have signed up for the course. Noticed the mistake here? I totally expected myself to be able to get started right after I signed up!

i_will_try_harder

With the above mistake and poor time management at the start, I spent several days on the PDF lab manual exercises and the training videos. As reference, I started working on the lab machines 2 weeks after my PWK course commenced. Many people would recommend that you jump straight into the lab and not waste any time. I would like to disagree partially. While I believe that you could learn faster jumping into the lab straight, but there are some skill sets which you have to pick up before just jumping in straight.

Personally, I find that you should go through the lab manual on the chapter regarding various methods for file transfer. You should not miss the chapter for buffer overflow too, that is very important, as it teaches you how to craft your own simple fuzzer, shell code and modify the exploit. The fundamental enumeration techniques are very important too, specifically the chapter on using tools like nmap. Essentially, my point is — don’t just jump into the lab unless you know what you are doing. Learn the basics, and then jump in to try out the tools. When things are not right, jump out again. That is the whole point of the lab — for you to practice what you learnt and not just study the theory.

Regarding the learning curve, I must say that it really takes time to get your very first shell and it gets really addictive. Personally, it took me quite awhile to get my first shell even though it is just simply running the Metasploit tool. Don’t know about Metasploit? Fret not, it will be covered in the lab manual. Or you can complete the Metasploit Unleashed Free Ethical Hacking Course, like I did. It was good learning as well and most importantly, it is an Own Time Own Target (OTOT) kind of free online course. Be patient, shell will come, you just need to try harder, don’t give up.

c4rvvpvvcaacekv

Thanks to the advise and encouragement from my mentor (Paul, that’s you), I took up the challenge of hacking Pain as my 10th machine. For those who don’t know what that means — Pain is one of the “boss” machine in the OSCP lab environment, along with his buddies: Sufferance, Humble and Gh0st. Hacking Pain as my 10th machine was no easy task. But like I said, I tried harder, it took my 8 days to root it. No joke, 8 days. Along the way, I learnt a lot of stuff I never imagined myself learning and also never expected myself to be able to understand. Of course, no spoilers, but really, just keep Googling and you will find it, trust me, and trust my mentor. Also thanks to these 8 days of being stuck on a machine, I kind of got used to the suffering (you know the feeling when you have no shells for a long time) and started to really pick up my pace moving forward.

jwevp

While I am not going to spoon feed anyone with any post-enumeration scripts, I must say that you can always write your own scripts, or make use of available resources, there are several very good scripts around, for you to find out. One advise though, don’t just use it blindly. My peers Jin Kun and Ryan Teoh advised me the same when I was using the downloaded scripts happily initially too. There are cases where information are not presented to you directly, or when the operation system are not identical with the scripts target. In those cases, what are you going to do? Are you going to modify your script, do it manually, or give up? We never give up, so we have to understand what the script is doing. If you don’t understand it, don’t use it. Learn. It’s the same as Metasploit exploits — you run it, get shell, yay. Next, you should first, try to understand why that happened and try to get the same result without using Metasploit. The good thing is that in each of the Metasploit modules, you can run the command ‘info’ to read its description and you can read the source code of the modules directly in the “/usr/share/metasploit-framework/modules” directory. Like many people would have also shared with you, for privilege escalation, the only reference notes which you may need are probably just these list for Windows and Linux respectively. Learn and understand them and you are good to go.

pwk-lab-net-intro1

At the end of my lab time, I managed to make my way all the way into the Administrative department (as shown in the image above) and hacked some of the machines in there. During my 3 months of lab time, I managed to root 42 out of [spoiler, not going to tell you] machines. It was not that bad, it is possible, you have to believe in yourself.

Finally, it’s the exams. For those who are not familiar with the exam format, the hands-on exam duration is 23 hours and 45 minutes. There will be several machines for you to attack and get the “flags”. After your time is up, you will be cut off from the exam’s Virtual Private Network (VPN) and you will have to submit a professionally prepared lab report within the next 24 hours. This document should contain the testing process and step-by-step guides on how to replicate the vulnerability and get shell of the highest system privileges.

keep-calm-and-try-harder

I was lucky because there were several components that were very similar to some of the machines which I have rooted previously in the lab. While I cannot specifically share what exactly are the components, I believe I can share that, if you keep working on getting more machines rooted and understand the vulnerabilities that you have exploited to root those machines, trust me — you will recognize it when you see it during the exams. Of course, the exam machines will not be so straight forward, but they will most likely be made up of several vulnerabilities (which you have already seen back then in the lab) being put together, where after exploiting one vulnerability, it leads to the discovery or/and exploitation of the next vulnerability. Again, time management is super important during the exams, you should not get stuck for too long and keep getting stuck in that particular spiral. Move on to the next machine and start enumerating for any attack vectors. Come back again later. Don’t give up. The only reason why the machine is there is because it is hackable, that is the only fact that you should remember during your exams!

To sum up, it was a very fruitful and enriching 3 months of lab time taking the PWK course. Definitely, if time allows, I would love to take up other courses from Offensive Security. A shout out: I am very thankful to my friends at Vantage Point Security, whom never fails to ask me about my progress on the lab machines and listen to my rants and gave me motivational speeches. Special thanks to Paul Craig, Jin Kun and Ryan Teoh, whom constantly gave me constructive advise and encouragement that keeps me going, not forgetting the many ping pong sessions whenever I am having mind blockage. Also thanks my family for supporting me! Lastly, my girlfriend is so awesome, for being so understanding and considerate towards me during my busy 3 months of journey towards getting my OSCP certification.

Good luck to anyone who wish to take up the challenge of becoming an Offensive Security Certified Professional (OSCP)!

OverTheWire: Bandit Level 25 to Level 26

Level goal: Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Indeed, logging in is easy, simply run the usual command which allow you to login using SSH key instead of login credentials

ssh -i bandit26.sshkey [email protected]

bandit25_1

However, after you logged into bandit26, you will be logged out immediately, “Connection to localhost closed.”

As hinted by the question, let’s take a look at the bash used by bandit26,

[email protected]:~$ cat /etc/passwd | grep bandit26
 bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

Instead of /bin/bash, bandit26 is using /usr/bin/showtext, which is apparently not a shell. Let’s look at the content of the file

[email protected]:~$ cat /usr/bin/showtext
 #!/bin/sh
 more ~/text.txt
 exit 0

The way to obtain the password for this level is extremely creative, I salute the team who designed this portion of the challenge, it’s really good.

As we know, we will be logged out immediately after we gain access to the server using the SSH key. The way to get the level 27 password is to gain access to the file before your shell gets terminated.

Think about it, how can that be possibly done? The hint is that you are able to “log in” to the system, just that when it spawns a shell, it terminates the shell immediately – the exact code is “exit 0” as we have see in the showtext “shell”.

Here’s the solution:

First, minimize your terminal so that when you are logged into bandit26 via ssh command, the large “bandit26” ASCII art banner will force a “more” message to prompt you to continue the output. You may refer to the screenshot as an illustraton of how I have minimized my terminal,

bandit25_2

ssh -i bandit26.sshkey -t [email protected] cat text.txt

bandit25_3

Now that you have forces the terminal to prompt you to continue the display via “more” or “–More–(50%)” in this case, press “v” to enter “vim”, a built-in text editor on Unix machines. You will see the output as per below,

bandit25_4

Now, press “:e /etc/bandit_pass/bandit26” to edit the password file of bandit26.

bandit25_5

There you go, you have the password to proceed to level 27!!

Let’s review what we have done. We have forces the terminal to display a “more” output, where we can open a VIM text editor and open the password file of bandit26 using the file opening command within the VIM text editor. We are able to open this password file containing the bandit26 password because we have logged into the bandit26 account and this is right before the “exit 0” portion of the code boot us out from the machine.

The password to gain access to the next level is 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z. However, level 27 is not up yet, therefore level 26 is the final bandit challenge as of now.

OverTheWire: Bandit Level 24 to Level 25

Level goal: A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

bandit24_2

The following is my script to perform this brute-forcing techqnies,

#!/bin/bash

pass24=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

pin=0

while [ $pin -lt 10000 ]; do

echo “Attempting PIN: $pin”

attempt=”$(echo $pass24 $pin | nc localhost 30002)”

if ! [[ $attempt == *”Wrong!”* ]]; then

echo -ne “$attempt”

break

fi

((pin++))

done

The script will iterate through each possible PIN to perform brute forcing in identifying the secret pincode of bandit25.

bandit24_1

The password to gain access to the next level is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG.