Certified in The Art of Hacking - Day 5

This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning!

Verdicts

Some of the lab tasks were impossible without looking at the cheat sheet. I got stuck on one because the question told me to go to one URl, but I had to guess the one which was vulnerable. Felt like a bit of a "gotcha" moment. Perhaps in a proper lab environment it might have made more sense - but because we're mostly just learning how to use tools, I wasn't really prepared to use my critical thinking skills!

Only a half day, again. Good discussion of XSS and CSRF - but only a surface discussion of what they can do and how to prevent them. That's the problem with these sorts of courses - they can only say "sanitise user input", they can't explain how to do it for every environment.

SQL Injection. Good length of session. The standard Little Bobby Tables joke. And quite focused on Burp Suite and SQLMAP. A small bit on preventing them with parametrised queries.

CIA triad was briefly mentioned - but not really discussed. I would have expected more on that as it is fairly fundamental.

XXE. Malicious XML files. Billion Laughs Attack was (very) briefly covered.

Web shells from insecure file upload. A few tricks on how to fool UGC checkers. But not too much on defending.

The object serialisation stuff seemed a bit obscure. Not sure how relevant that is to the real world - but interesting none the less.

In the end, my overall verdict is that this is a good practical course. But because it covers so much, and spends so long setting up environments, it only gives a brief overview. It's rather geared towards specific tools - and that means lots of syntax memorisation for the exam.

The Exam

I fucking hate exams. There are very few times in life where you have a hard deadline, no one to help, and no ability to consult external sources.

Because of the intrusive spyware used on their proctoring system (more on that tomorrow), I'm going to have to go to a test centre to take the exam.

The exam gives 70 minutes to complete 50 multiple choice questions. 50% needed for a pass mark. That seems achievable. But it really depends on how many Windows questions there are, and how many ask me to precisely remember command line options.

Practice questions

The first time I scored 10/10. I know this stuff ☺

1. John has run dirbuster against a target website looking for possible pages to investigate and receives the following results. What does the 401 response mean?
   • HTTP 401 response means that the page is not available
   • HTTP 401 response means that the server has returned an internal error
   • HTTP 401 response means that the client should use the version in its cache
   • HTTP 401 response means that the resource is available, but requires authentication credentials to be able to be accessed
2. What port does BurpSuite use by default?
   • 80
   • 4444
   • 8888
   • 8080
3. What file is commonly used to inform search engines about the folders/files they are forbidden to index?
   • robots.txt
   • index.html
   • search.csv
   • spider.txt
4. Sally wishes to retrieve all the pdf documents from targetsite.com. Which of the following Google Dorks would satisfy that demand?
   • intitle:index_of *.pdf location:targetsite.com
   • site:targetsite.com filetype:pdf
   • pdf domain:targetsite.com
   • targetsite.com filetype:pdf
5. Connor is experimenting with a XSS vulnerability on a website. He uploads the following script but gets no response. What is the issue here? <script>alert(XSS);</script>
   • The syntax should be <script>alert("XSS");</script>
   • The syntax should be <script alert("XSS); />
   • syntax should be <script>alert="XSS";</script>
   • syntax should be <script>display.alert("XSS");</script>
6. Fiona has identified a vulnerable web app that allows her to perform SQLi. She wants to identify what database is behind the web app. What SQLi command would allow Fiona to get this data?
   • SELECT @@information_schema --
   • @@version --
   • @@database --
   • @@schema--
7. Jonas has identified a vulnerable web app that allows SQLi. He is using SQLMap to explore the system. What command should Jonas use to enumerate the available databases on the server?
   • --database
   • --layout
   • --dbs
   • --db
8. Which of the following file uploads should you prohibit if you wanted to ensure no-one can upload malicious files to your webserver?
   • file.asp:.jpg
   • file.php.jpg
   • php%00.jpg
   • All of them
9. True or False, SSL v3.0 offers better encryption than TLS v1.2
   • True
   • False
10. Complete the sentence... HTTP is classed as a ________ protocol
    • secure
    • stateless
    • web 2.0
    • dynamic

Notes

XSS. Recap. Can be from HTTP headers, cookies, and other weird things - not just GET. Can persist on the server.

Impact - phishing, hijack cookies, use browser exploitation, BitCoin mining.

Bug bounties available.

How not to prevent. Don't use blacklist regex - easy to bypass. XSS can work without script tags, eg onmouseover. UTF-7 encoding, URL encoding.

CSRF - cross site request forgery. Not stealing cookies and credentials. Force the user's browser to connect to a previously authorised site. Session Riding or Confused Deputy. Eg craft a link which forces the user to change their password on a different site. Relies on predictable patterns. Use of random tokens per request - which are then verified. Tokens shouldn't be reusable.

SQL injection. Can take input from the user, no filtering, pass requests directly to the DB. Good way to exfiltrate data - or even destroy it. Use of single quotes, boolean operators, balancing syntax.

Error based SQLi - see the stack trace etc from error messages. UNION operator - concatenate multiple queries - first legit, 2nd malicious. Blind - you can't see the results. Time Based - if my request is OK, sleep for 5 seconds. Out of Band - rare, depends of privileges being enabled when they shouldn't be.

String vs integer.

Select X from Y where Z UNION SELECT @@version--

Metadata table - information_schema

Pentest Monkey cheat sheets.

Concatenate results.

UDF - user defined functions to run code on machine. Local File Access. Create web shell by browsing to maliciously uploaded code.

Use of ASCII values rather than quoted strings. Blind injection - observe the difference in what is returned by a true or false query.

Principle of least privilege. Make sure the website can only read. A separate trusted process to write. root and sa(?) shouldn't be enabled from the web.

SQLMAP tool. Use of, find vulns, get tables, set up proxy to Burp.

Defend using input validation - blocklists not enough. Paramatise the SQL. ORM(?) Object-relational-mapping Frameworks. Principle of Least Privilege. Don't roll your own!

CIA (Confidentiality, Integrity, Availability)

XXE to get /etc/passwd - weakly configured XML parser. Anything which accepts user-created XML could be vulnerable. Very common on SOAP.

Insecure file upload. Get Web Shell. Filenames can have XSS. Distribute malware or warez.

%00 null byte to avoid extension check file.php%00.jpg

Change content type header - send a .php file as image/jpg. Fiddle with magic bytes. malicious.asp;jpg on IIS. Or file.php.jpg

WebDAV and Put might be available.

WebShell provides a web interface to the OS level commands. What context are you running in? Might not be root. Upload and download. Execute SQL. Kali stores them in /usr/share/webshells

C99 Shell - and other tools. Hacking tools are often backdoored. The creator has access to the shell you've created.

EICAR test to see if anti-malware is running. Change MiMe type when uploading. Is JS checking for file types?

Validate headers and MIME. Check file size. Don't rely on client side - always server side. Only upload to web root. Rename files after upload. Upload to temporary, then virus scan. Change the extension. Restrict folder permissions.

Serialise / Deserialise.

Take PHP, serialise it to an object. PHP warms of passing untrusted user input to unserialize. JSON is better than serialised objects. Must use magic method to attack (??) eg __construct() Trying to force the server to gadget chain??

pickle.load in Python. Marshal.load() in Ruby. Allow list for the things you want to serealised. Some firewalls

Use !ENTITY (variables). Inject external XML files. Calls to SMB servers to get NTLM hashes. Then SMBRelay to pass the hash. Using PSexec. Back to Windows ☹. Disable XXE in the parser - or have very strict allow-lists.