We had some birthday-related festivities in the house most of the weekend, but I did work on the PentesterLab PRO progression this week(end).
There are 60 progression levels in the Essentials Badge grouping. It started off overly simple, went straight to hair-pulling, then got overly simple again for a few more, then I hit the AUTHO_05 level, which is a mass assignment vulnerability issue. Note that AUTHO_04 is as well, and it wasn’t terrible. The AUTHO_05 level is AUTHO_04 “fixed,” so you have to find another way to get to the goal.
I spent several hours banging my head against the wall on this. I shut down my Kali VM, walked away for a bit, ate some dinner, and came back to it. I finally got past it by changing my “true” to a “1” in the key/value pair I was injecting via the proxy. Seriously? Seriously.
AUTHO_06? Yeah, it’s just as bad. Still trying to figure out what magic combination of key(name) and value(name) to use for it. The “hint” says one thing, but nothing I try around that is working, so it’s probably either a big mess, or something really simple I’m missing.
My lack of experience with Burp Suite and mitmproxy may be my biggest problem, but I actually had some decent success with both tools for most of the exercises thus far. I was planning to use OWASP ZAP as part of my progression, but I changed my mind. Burp and ZAP are the two biggest players in the attack proxy space, but mitmproxy is command-line based, and thus has a smaller memory footprint. The only exercise I wasn’t able to use it on yet was one where, when I modified the POST to be sent, I never got the full page response back, and that’s more due to a lack of familiarity with the tool than anything. I’m going to try to learn what other flags and/or settings I might need in order to make those work, and when I’m comfortable with it, I’ll do a write-up here on how to use it in comparison to Burp (which I’m also having to learn as I go).
One of the exercises led me to two other CLI tools to stick in my back pocket. The “hash-identifier” tool helps narrow down what kind of hash a string of characters might be. The “findmyhash” command searches a massive number of online rainbow-table-style sites to check what the plaintext behind the hash was. What was messing me up the most on this was that I guessed it to be a certain kind of hash, but when I passed the suspect key (the name of the user) to that hash, using the echo command to print the word being hashed, piped to the openssl <hash> command, the value I got back didn’t match what I was comparing it to. My problem was using “echo” instead of “printf,” since echo tacks on a carriage return and/or new line, and that messes up the hash. Once I figured this out, I was able to progress to the next exercise quickly.
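Here is the echo-versus-printf trap from the paragraph above, written out as an added shell example (this is not code from the original post or from PentesterLab). It hashes the same candidate word both ways and compares the result against a known digest, which is exactly the check that fails when a stray newline gets hashed along with the word. The candidate “admin” and the target MD5 value are constructed for the example; the functions are hypothetical helper names, not part of any tool mentioned on the page.

```shell
#!/bin/sh
# Added example: why `echo word | openssl dgst` and `printf '%s' word | openssl dgst`
# disagree, and how to compare a candidate plaintext against a target hash.
# Assumes openssl is on PATH (falls back to coreutils md5sum/sha256sum if not).

# Hash stdin with the named digest (md5, sha1, sha256, ...) and print only the hex.
hex_digest() {
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "MD5(stdin)= <hex>" (or "(stdin)= <hex>" on older builds);
        # the hex digest is always the last field.
        openssl dgst -"$1" | awk '{print $NF}'
    else
        # coreutils fallback: md5sum / sha256sum print "<hex>  -"
        "$1sum" | cut -d' ' -f1
    fi
}

# The wrong way: echo appends a newline (0x0a), so you hash "admin\n", not "admin".
# (`echo -n` is not portable: a POSIX sh such as dash may print the "-n" literally.)
hash_with_echo() {
    echo "$2" | hex_digest "$1"
}

# The right way: printf '%s' writes exactly the bytes of its argument, nothing more.
hash_with_printf() {
    printf '%s' "$2" | hex_digest "$1"
}

# Returns 0 when the candidate word hashes to the target hex digest (lowercase).
check_candidate() {
    # $1 = digest name, $2 = candidate plaintext, $3 = target hex digest
    [ "$(hash_with_printf "$1" "$2")" = "$3" ]
}

# Constructed sample: a user name as the suspected plaintext and its MD5 as the
# "unknown" hash pulled from the exercise. Run directly to see both results.
CANDIDATE='admin'
TARGET='21232f297a57a5a743894a0e4a801fc3'   # md5("admin")

echo "echo   -> $(hash_with_echo md5 "$CANDIDATE")"
echo "printf -> $(hash_with_printf md5 "$CANDIDATE")"
echo "target -> $TARGET"
if check_candidate md5 "$CANDIDATE" "$TARGET"; then
    echo "match: \"$CANDIDATE\" is the plaintext"
else
    echo "no match"
fi
```

If your digest ever matches nothing, hash the candidate with `printf '%s'` before blaming the hash type; the same newline problem applies to `echo` in a loop over a word list, so use `printf '%s' "$word"` (or strip the trailing newline) there too.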
All in all, web app testing is one of my weaknesses, and these exercises have been very helpful thus far. I recommend PentesterLab PRO for brushing up on these kinds of attacks, since they cover a wide array of attack types without giving you too much detail, so you are forced to research and learn, much as I suspect the PWK/OSCP will be.
A quick note about all of the commands I’ve mentioned in this post. They are all installed by default in the full Kali VM OVA build. I didn’t have to apt-get install any of them.