Updates – OSCP prep (PentesterLab PRO) pt. 4

This was a rough week.  First, I was on call, which is always stressful.  Second, everyone else in the house had a head cold of some sort.  We suspect it was weather related.  I ended up working from home, bouncing back and forth between putting out fires/handling normal requests for work, and checking on the kids and wife/fixing meals/handling household chores to keep us from falling too far behind.  Third, Saturday was the 10 year anniversary of the murder of my little brother.  I’ve been in a dark place this month, and that event was the primary driver for it.

As a progress report, I can say that I managed to get past a few more of the Essentials Badge exercises.  I also completed all of the newest unlocked exercises for the Unix badge.  This brings me to 18/60 Essentials Badge total, and 32/35 Unix Badge total exercises.  I got stuck on another Essentials Badge exercise, caved a little early, sent a support request, then figured it out on my own about five minutes after sending the request in.

The issue was that I wasn’t URL encoding the plus sign as “%2b” since the browser was encoding most everything else for me.  I didn’t realize it also needed encoding.  I’m almost positive I read that it needed to be, but my brain again translated that as “if it needs it, the browser will take care of it” and I didn’t check my work.  As soon as I figured it out, I tested with manual encoding, and got the flag for completion.
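To show concretely why the plus sign bites, here is an added example (my own, not PentesterLab’s code) that builds the same query string two ways and decodes it the way a web framework would. The value `abc+def` is a constructed sample; the point is that in a query string or form body a bare `+` is read as a space, so only `%2B` survives the round trip.

```python
from urllib.parse import parse_qs, quote, urlencode

# Constructed sample: a parameter value that happens to contain a '+'.
TOKEN = "abc+def"


def naive_query(name, value):
    """Build the query by plain concatenation: the '+' is sent as-is."""
    return f"{name}={value}"


def encoded_query(name, value):
    """Build the query with proper percent-encoding: '+' becomes '%2B'."""
    return urlencode({name: value})


def server_side_value(query, name):
    """What the application receives after the framework decodes the query.

    parse_qs turns '+' into a space before percent-decoding, which is why
    the naive form silently loses the plus sign.
    """
    return parse_qs(query).get(name, [None])[0]


def round_trips(name, value):
    """True if the value survives encode -> decode unchanged."""
    return server_side_value(encoded_query(name, value), name) == value


if __name__ == "__main__":
    print(naive_query("v", TOKEN), "->", repr(server_side_value(naive_query("v", TOKEN), "v")))
    print(encoded_query("v", TOKEN), "->", repr(server_side_value(encoded_query("v", TOKEN), "v")))
    print("quote('+') =", quote("+"))
```

The same rule applies to any character with special meaning in the encoding (`&`, `=`, `%`, `#`): when you hand-edit a request in a proxy, the browser is no longer doing the encoding for you, so the raw bytes you type are exactly what the server decodes.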

I’m not stuck on the next exercise, but it’s a little more involved, and I’m already exhausted from my hell week adventures.  I’ll tackle them more later this coming week.

As a depression management tactic, my wife took me to see Avengers: Infinity War, on Sunday.  It was a real tear jerker, but I was expecting it, and it really did me more good than harm, so it was a good call.  Any kind of date with my wife helps, but I’m really impressed with the Marvel Cinematic Universe movie franchise, thus far, so I was glad for the distraction.

This coming week, I’m supposed to be learning a little Python with some other coworkers.  I have a distaste for the language, due to the structure of the code (it always looks like it wants to just drift off the page, then wakes up and slams back to the left to do it all over again.)  I’ve been forcing myself to try to learn it a little along, however, and this class will give me some structured direction to my learning.  My current tactics have mostly included converting the python2.x code from Violent Python into python3.6 compatible code.  In this way, I learn a little of both 2 and 3, and it forces me to think about the code, not just blindly type what’s in the book and pray that it works.

That’s all I have for this week.  Hopefully, next week will be a better update in general.

Updates – OSCP prep (PentesterLab PRO) pt. 3

When last we left our student, he was stuck on an exercise at PentesterLab PRO.  The exercise was the last AUTHO in the list.  Two weekends straight were rough, and he finally broke down and started speaking of himself in the third person.  Or contacted support to determine whether the exercise itself was broken, or something else was wrong with his understanding.

He… ahem… *I* got a response, and I kicked myself repeatedly after I received it.  I did nothing wrong, other than spell the word wrong.  There’s a distinct difference in how the word for the parameter is spelled in American English vs. European English.  In America, we spell it with a “z” before the “ation.”  The exercise uses the European spelling, and while my brain read it fine, when I went to type the parameter into either mitmproxy or Burp Suite, I Americanized it, every… single… time.

My boss has a habit of copy/pasting most everything.  His keyboard skills for highlighting the bits he wants to select, copying, then moving to the line he wants to modify, and pasting in things like Google Mail, and Docs are beyond me.  I have to move my hand to the mouse, and that bothers me.  I also type somewhere between 70 and 90 WPM on a good day, so I often just type instead.

I should listen to my boss more often.  I should learn some of his keyboard tricks.  I probably won’t, but I should.

I was so frustrated with myself over this that I didn’t touch the labs again until Sunday.  I did one exercise to force myself to progress, and I’ll probably work on it more during the week, this week, but for now I only progressed by five exercises.  The last AUTHO and the first four CODEXEC (code execution) exercises were all I managed, this week.

I did let myself get distracted by some of my non-tech hobbies, though.  I put a couple of plants in the ground, purchased my copy of “The Great American Farm Tour” (GAFT) from Abundant Permaculture, and watched some videos from the purchase.

My focus this year is still UnixSecLab, and getting my OSCP is a huge part of that.  I’m still not completely abandoning Jack of all Hobbies, though, and I’m getting ideas for next year so I can ramp up operations for it.  Until then, all posts will be here, and the other will just lie dormant.

Next week, I should have much more progress to report.  Thanks for sticking with me through my journey.

Updates – OSCP prep (PentesterLab PRO) pt. 2

Last week, I got kind of stuck on one of the Essentials Badge exercises, and I’m trying really hard to just do these in the order presented.  I wasn’t able to work on this any during the week.  Friday, I had a serious sinus flare up that kept me home from work, but later that evening and during the weekend, I started on a different badge as a “feel good, lots of progress” kind of thing.  I did all 27 of the available Unix Badge exercises.  There are 35 total, but only 27 are unlocked, at this time.

My goal for the rest of the week is to work on the Essentials Badge some more, one exercise or two at a time (per day.)

The rest of the weekend was kind of procrastination, because I focused on getting some progress in my favorite online game: Guild Wars 2.  I did this, because sometimes you just need a break, and have some fun.  I’ll keep working on getting my griffon mount, but I’m not allowed to touch the game each day until I’ve either completed an exercise in PentesterLab, or I’ve worked a full two hours without progress.  If I can’t get the exercise in two hours, I don’t need to be stressing myself out over it.

The goal at this point is to get through the Essentials Badge over the next couple of weeks, then take a look at the White Badge.

So far, these exercises have been pretty straightforward, until they aren’t.  I’m not sure if the last AUTHO_06 exercise I got stuck on is due to a failure to understand the requirement on my part, or due to a bug in the system.  I believe I understand what is wanted, but nothing I tried last week was working, so I can’t really say.  I’m considering going back through the entire AUTHO_# set using the same username every time, in case the later ones play on earlier ones, and I may have gotten my stuff out of sync, somehow.

Updates – OSCP prep (PentesterLab PRO)

We had some birthday related festivities in the house most of the weekend, but I did work on the PentesterLab PRO progression this week(end.)

There are 60 progression levels in the Essentials Badge grouping.  It started off overly simple, went straight to hair pulling, then got overly simple again for a few more, then I hit the AUTHO_05 level, which is a mass assignment vulnerability issue.  Note that AUTHO_04 is, as well, and it wasn’t terrible.  The AUTHO_05 level is AUTHO_04 “fixed” so you have to find another way to get to the goal.

I spent several hours banging my head against the wall on this.  I shut down my Kali VM, walked away for a bit, ate some dinner, and came back to it.  I finally got past it by changing my “true” to a “1” in the key/value pair I was injecting via the proxy.  Seriously?  Seriously.

AUTHO_06?  Yeah, it’s just as bad.  Still trying to figure out what magic combination of key(name) and value(name) to use for it.  The “hint” says one thing, but nothing I try around that is working, so it’s probably either a big mess, or something really simple I’m missing.
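Since the two AUTHO levels above are about mass assignment, here is an added example (mine, not the PentesterLab exercise code, whose internals I don’t know) of the bug class beside its fix. The `User` model, the field names and the “only the literal string `1` counts as true” rule are all constructed assumptions; that last one is there simply to mirror the `true` vs `1` behaviour described above.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    admin: bool = False  # never user-editable


# Allowlist of fields a user may change about their own profile (constructed).
EDITABLE_FIELDS = {"email"}


def parse_flag(raw):
    """Hypothetical boolean parsing: only the literal '1' is true.

    This is why a submitted 'true' does nothing while '1' flips the flag.
    """
    return raw == "1"


def update_user_vulnerable(user, form):
    """Mass assignment: every submitted key that matches an attribute is
    written to the model, including ones the user should never control."""
    for key, value in form.items():
        if hasattr(user, key):
            if isinstance(getattr(user, key), bool):
                value = parse_flag(value)
            setattr(user, key, value)
    return user


def update_user_hardened(user, form):
    """Allowlist: copy only permitted fields; return the rejected keys so the
    caller can log them, since unexpected keys are a useful detection signal."""
    rejected = sorted(k for k in form if k not in EDITABLE_FIELDS)
    for key in EDITABLE_FIELDS:
        if key in form:
            setattr(user, key, form[key])
    return user, rejected


def demo(updater, form):
    """Run one updater against a fresh constructed user; return admin flag."""
    user = User(username="alice", email="alice@example.test")
    result = updater(user, form)
    user = result[0] if isinstance(result, tuple) else result
    return user.admin


if __name__ == "__main__":
    # Constructed form submissions as a proxy would send them.
    for form in ({"email": "a@example.test", "admin": "true"},
                 {"email": "a@example.test", "admin": "1"}):
        print(form, "vulnerable admin =", demo(update_user_vulnerable, form),
              "| hardened admin =", demo(update_user_hardened, form))
```

The fix is the allowlist, not stricter boolean parsing: the vulnerable handler fails only because of how it happens to coerce values, which is exactly the kind of accident a guessing attacker eventually gets past. Logging the `rejected` list also gives you a cheap alert for anyone probing extra parameter names.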

My lack of experience with Burp Suite and mitmproxy may be my biggest problem, but I actually had some decent success with both tools for most of the exercises, thus far.  I was planning to use OWASP ZAP as part of my progression, but I changed my mind.  Burp and ZAP are the two biggest players in the attack proxy space, but mitmproxy is command line based, and thus has a smaller memory footprint.  The only exercise I wasn’t able to use it on, yet, was one where when I modified the POST to be sent, I never got the full page response back, and that’s more due to a lack of familiarity with the tool than anything.  I’m going to try to learn what other flags and/or settings I might need in order to make those work, and when I’m comfortable with it, I’ll do a write-up here on how to use it in comparison to Burp (which I’m also having to learn as I go.)

One of the exercises led me to two other CLI tools to stick in my back pocket.  The “hash-identifier” tool helps narrow down what kind of hash a string of characters might be.  The “findmyhash” command helped search a massive number of online rainbow table style sites to check what the keyword to the hash was.  What was messing me up the most on this was I guessed it to be a certain kind of hash, but when I passed the suspect key (the name of the user) to that hash using the echo command to print the word being hashed, piped to the openssl <hash> command, the value I got back didn’t match what I was comparing it to.  My problem was using “echo” instead of “printf” since echo tacks on a trailing newline (and/or carriage return), and that changes the hash.  Once I figured this out, I was able to progress to the next exercise quickly.
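Here is an added example (mine, not the output of hash-identifier or findmyhash) that reproduces the echo-vs-printf trap in Python and adds the length-based narrowing that hash-identifier does, restricted to the algorithms hashlib has built in. The `LENGTH_TO_ALGOS` table is a constructed simplification (a 32-character hex digest can also be MD4 or NTLM, for instance), and the username `admin` is a sample value.

```python
import hashlib

# Hex-digest length -> unkeyed algorithms hashlib knows that produce it.
# Constructed, and deliberately incomplete: it only covers what hashlib ships.
LENGTH_TO_ALGOS = {
    32: ["md5"],
    40: ["sha1"],
    56: ["sha224"],
    64: ["sha256"],
    96: ["sha384"],
    128: ["sha512"],
}


def guess_algorithms(hexdigest):
    """Narrow the candidate algorithms by digest length alone."""
    return LENGTH_TO_ALGOS.get(len(hexdigest.strip()), [])


def digest(algo, text, trailing_newline=False):
    """Hash `text`; with trailing_newline=True it is hashed the way
    `echo word | openssl <hash>` would see it (echo appends '\\n')."""
    data = text.encode() + (b"\n" if trailing_newline else b"")
    return hashlib.new(algo, data).hexdigest()


def match_candidate(hexdigest, candidate):
    """Try each plausible algorithm with and without a trailing newline.

    Returns (algorithm, had_newline) on the first match, else None, so a
    mismatch caused only by the newline is reported instead of hidden.
    """
    target = hexdigest.strip().lower()
    for algo in guess_algorithms(target):
        for newline in (False, True):
            if digest(algo, candidate, newline) == target:
                return algo, newline
    return None


if __name__ == "__main__":
    # Constructed input: the MD5 of the bare string "admin".
    sample = "21232f297a57a5a743894a0e4a801fc3"
    print("candidates:", guess_algorithms(sample))
    print("printf-style:", digest("md5", "admin"))
    print("echo-style:  ", digest("md5", "admin", trailing_newline=True))
    print("match:", match_candidate(sample, "admin"))
```

On the shell side the equivalent is `printf '%s' admin | openssl md5` rather than `echo admin | openssl md5`; `echo -n` drops the newline in bash, but it is not portable across shells, which is why `printf` is the safer habit.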

All in all, web app testing is one of my weaknesses, and these exercises have been very helpful, thus far.  I recommend PentesterLab PRO for brushing up on these kinds of attacks, since they cover a wide array of attack types without giving you too much detail so you are forced to research and learn, much as I suspect the PWK/OSCP will be.

A quick note about all of the commands I’ve mentioned in this post.  They are all installed by default in the full Kali VM OVA build.  I didn’t have to apt-get install any of them.

Updates – OSCP Prep and New Book

Last Monday, I posted about my plan for preparing for and eventually taking and passing the OSCP (Offensive-Security Certified Professional.)

My prep work for the week has included:

  • Finishing my Cornell Style notes on the eLearnSecurity Reports and Methodology information.
  • Signing up for PentesterLab PRO.
  • Passing the “Introduction” badge on PentesterLab PRO.
  • Installing 4 of the 5 lab machines as described in Tony Robinson’s “Building Virtual Machine Labs” book.
    • The only lab machine left is the Metasploitable machine, which I intend to work on this week.
  • Installing a Kali VM on my main gaming laptop for doing further PentesterLab PRO exercises.

Sunday (April 1) Michael W. Lucas announced his “#mwlSecretbook” title.  He’s been working on this book for months, but kept the title secret, until now.  This is the 13th book in the “Mastery” series, and as a Print Sponsor (and Print Patreon Patron,) I got a copy of the PDF bright and early in my email.  I took the morning to read the book.

The title?  “Ed Mastery.”  That’s right… this book is all about using the “ed” line editor for Unix systems.  I think this was an excellent book to release, for multiple reasons.

  1. There are already excellent books on the “sed” and “awk” commands that give brief explanations, one-liners, and so on, available on the market.
  2. The “ed” editor is one of the least utilized editors, yet it is almost guaranteed to exist on any Unix system you may find yourself on.  The “ed” command is part of the POSIX definitions, after all.  Some newer Linux distributions are beginning to leave this out, but I blame the stupidity that is “systemd” for swaying this kind of thinking.
  3. The simplicity of the command is staggering, and after you’ve used it for a few days, it seems second nature.  It’s worth at least practicing this command to have it in your back pocket.
  4. It works, even when your TERM settings get jacked up.  It works when you’re in a single user session that only mounted “/” because of corrupted filesystem issues, and you need to modify configuration files but don’t have access to “vi” since that usually lives in “/usr” (and isn’t statically compiled.)  It just works.  Period.

At a previous place of employment, we had to fix some boot issues every now and then.  Doing this required booting into single user mode (root) where the filesystem only mounted “/” at first.  Sometimes, we could mount “/usr” manually, then use vi to modify our files.  The problem was that “vi” wasn’t statically compiled, and thus lived in “/usr” instead of “/bin” where the statically compiled programs were stashed.  I always wondered what would happen if “/usr” crapped itself, and thought it would be best to learn “ed” as an alternative.

I first learned ed by forcing myself to use it instead of any other text editor for a whole week.  The first couple of days were a little painful, but after that, it became pretty comfortable.

I haven’t been forced to use it, but I’ve always been happy to have it in my back pocket.  I have used it (and vi) to demonstrate poorly configured SUDO policy in the past.

After spending my morning reading the PDF version of this book, I’ve decided I need to brush up on it.  It’s been a few years since I forced myself to learn it, and this book does include some tricks I never figured out on my own back then.  If you’re in the Unix space: User, SysAdmin, or Pentester; get this book.

Plans for this coming week:

  • Finish building the Tony Robinson style lab.
  • Continue working on the Essentials Badge on PentesterLab PRO.
  • Continue improving my workflow and documentation methodology.
  • Begin using “ed” regularly, again.