Hey there! So it’s been a while since I posted anything worthwhile: you’re not supposed to share information on the challenges in RastaLabs and I also had to complete four modules with the Open University.
Well, long story short: I hate university. I was missing out on time I could spend on developing my hacking skills (this is a lot of time too :/) and quite frankly, you could leave university with a first class degree in Cyber Security and still struggle to land an entry-level pentester role due to a lack of industry experience.
Due to this, I made the decision two weeks ago to actively seek out an entry-level Penetration Tester role. While this would usually be an extremely difficult process and would probably take months to even secure an interview, I’ve been very lucky and managed to land a remote job as a full-time Penetration Tester/Python Programmer. As of now I have reduced university to part-time.
This week is my first week; while I’m still in training on in-house software, I have also been introduced to my new team and today we’re all working on a project together involving the use of APIs.
A little rusty, I did some searching for API-based hacking challenges and came across DVWS (https://github.com/snoopysecurity/dvws-node). It gave the impression of being short but sweet, so I decided to give it a try for a couple of hours.
1. Vertical Privilege Escalation
As you can see, adding the admin key with a value of true results in successful user creation. I got this idea from the data captured in the first image (note to self: note this endpoint in future!).
2. Remote Command Execution
The page of the requested directory was passed directly to the system CLI in this endpoint; an ‘-a’ flag was appended to every command, which caused some commands to fail to execute.
This was easily bypassed by appending the || (or) operator; other separators such as a semicolon would produce an error, because the trailing ‘-a’ flag would then be interpreted as a command.
3. XML External Entity Attack
The first image shows the request sent when accessing dvwsuserservice; you can see that XML is sent with this POST request.
When you see that XML is sent with a request, it’s always worth attempting an XML external entity (XXE) attack, as a vulnerable parser can expose data stored on the system.
That’s all for now but I will be continuing with this at some later date. :) As for RastaLabs: I’m working on the last flag I deem important and I will then post a review of my experience with it; unfortunately my experience was tainted by university work.