
7.19.2021

Portswigger Academy SQL injection login bypass walkthrough

This is the second of the labs for SQL Injection, the first section of the apprentice track in Portswigger Academy.  Like the first lab, it doesn't require Burp Suite, although you can use it.  I chose not to.

The lab website is a sample store.  Click the My Account link at the top of the page.


This takes you to a login page. 


In the Username box, type administrator'-- and in the password box, enter anything (the closing quote ends the username string and the -- comments out the rest of the query, so the password check is never evaluated).  That's it, you're now logged in as administrator, and the banner pops up congratulating you on completing the lab.
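To show why that username works, here is an added example (not part of the lab or this post) that runs both forms of the login query against a constructed in-memory SQLite table: the string-concatenated query is bypassed by administrator'--, the parameterized query is not.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the lab's user table (sample data, not the lab's).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('administrator', 's3cret')")
    conn.execute("INSERT INTO users VALUES ('wiener', 'peter')")
    return conn


def login_vulnerable(conn, username, password):
    # Builds the SQL by concatenation. With username administrator'-- the
    # quote closes the string and -- comments out the AND password = ... part,
    # so the row for administrator matches regardless of the password.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Same check with bound parameters: the input is treated as data, never
    # as SQL, so the quote and -- are just characters in the username.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_vulnerable(db, "administrator'--", "anything"))
    print("parameterized:", login_parameterized(db, "administrator'--", "anything"))
```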

7.12.2021

Copperhead, Job Hunting

I'm trying to decide whether to even bother writing Copperhead.  It's supposed to run nmap -sV scans against hosts, then check exploitdb for known exploits.  The problem is, it takes a ton of text parsing and massaging to get something vague enough to search exploitdb without being too vague.  Oh, and it'd have to require the offline version of exploitdb and its tools, because I can't find a way to search exploitdb's website.

It almost seems like a solution in search of a problem.  So at the moment, it's on the back burner.

I'm also getting discouraged in my job hunt.  I'm not sure if I'm not putting myself out there well enough (too shy and stuttery, bad body language, etc.) or if my lack of experience is my problem.  I do have about 3 years of experience in security... as a sysadmin.  But because I didn't have "security" in my job title, that doesn't seem to count.  Plus that was 6 years ago.  I'm re-teaching myself everything I've forgotten about security over the years plus adding new skills, but... I don't know.  Job hunting is feeling futile at the moment.

6.28.2021

Miscellany

I've been doing little things here and there, but nothing worthy of a full blog post.  I'm trying to get in the habit of writing at least weekly, though.

I'm doing little things here and there on TryHackMe, but I'm running into more and more rooms that are premium-only.  Rooms that you need to complete to finish training paths, or even worse, to complete free rooms.  Looking over Hack The Box, it's similarly restricted for free users, plus it has time limits and no way around the time limits.  At least THM only limits your use of their in-browser attack box for free users, but VPN access is unlimited.  The $10/mo. doesn't sound like much for THM, but it adds up and I really can't justify it right now.

I'm still slowly working my way through "Violent Python", and it's inspired Copperhead and Pocketnuke over on my github.  Pocketnuke is a more refined version of the C runstub I mentioned previously in this blog.

I had been studying again for my CCNA, but that's fallen by the wayside for right now.  Instead, I'm slowly working on studying for the eJPT.  Or at least, doing INE's PTS courses through their free "starter pass".  I'm not sure I want to do pentesting, or jump right into Red Team, but at least in my opinion, you can't defend against the enemy properly unless you know how they think and operate.  So, like when I was in high school and hung out in 2600 IRC to learn how they would attack my server so I could protect it, I'm learning pentesting.

6.14.2021

Book Reviews - "Defensive Security Handbook" and "Practical Cloud Security"

To brush back up on security and learn new things that have become the standard in the past five years or so, I've bought a stack of books I'm working my way through.  The first two I decided to start with are "Defensive Security Handbook" by Brotherston and Berlin and "Practical Cloud Security" by Dotson.

"Defensive Security Handbook" built nicely upon what I already knew from doing security as a sysadmin and what was taught in the Security+ study materials.  It's basically a crash course in how to set up good security policies and procedures if you're a sysadmin or something similar who has been handed a whole environment and been told "oh, by the way, we think this was secure, but you need to make sure and you need to bring the security up to date."  Needless to say, I wish I'd had this book when I was at All-Spec, but it came out long after I'd left there.  If you find yourself in a similar situation, or just want to make sure your security is right, or are trying to make the move from the infrastructure side of IT to the security side, I highly recommend this book.  I finished it in a week or so, and enjoyed it.  The writing is engaging as well as informative.  The book isn't meant to be a comprehensive security book, just a starting point with suggestions on where to go beyond what's covered in the book.  5/5

"Practical Cloud Security", conversely, was a slog.  The problem might be the fact that I have very little hands-on experience with cloud, but I kept finding myself getting bored by this book, and I'm not sure I retained much of the information I read.  It's definitely geared for someone facing a move to a cloud environment, or starting a position with a company that has a cloud environment, who's going "now what?".  I do like that for any specific cloud security features, the name of each feature in each cloud environment was listed.  I'll reserve judgement on the book for now, and just give it a 3/5.

Next up on the menu will be "Violent Python" and "Applied Incident Response".  Happy hacking.

6.07.2021

Changing users with SUID and setuid/setgid

Doing the Linux privilege escalation room on TryHackMe reminded me of a trick I've used in the past.  I haven't used it for nefarious purposes, only to get around a web script being run as the woefully unprivileged apache user, when it needed to run as a more privileged user.  It could easily be used as a good pentesting exploit.  I DO NOT endorse using this for evil.  Only use this for good, people.

It uses what I call a run stub.  It's a C wrapper that launches the script, but only after it changes the UID/GID to the desired higher-privileged user.  The run stub has to have SUID permissions and be owned by root.  So, chmod u+s runstub after compiling runstub.c into runstub.  The permissions listing should say: -rwsr-xr-x root root.

Below is the code: 

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>

#define TARGET_UID 1000  /* placeholder: whatever UID you want to switch to */
#define TARGET_GID 1000  /* placeholder: whatever GID you want to switch to */

char runprog[512];  /* buffer for the command line handed to system() */

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 1;
    }
    /* Drop the group first, then the user: once the UID is no longer root
     * the process can't change its GID any more.  Bail out if either call
     * fails so the script never runs as the wrong user. */
    if (setgid(TARGET_GID) != 0 || setuid(TARGET_UID) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    /* Format the script path plus the argument given on the run stub's
     * command line.  argv[1] reaches the shell unquoted, so validate it
     * before letting it through. */
    snprintf(runprog, sizeof runprog, "/path/to/script %s", argv[1]);
    system(runprog);
    return 0;
}

The two magic parts here are setuid()/setgid(), which *nix uses to switch users and groups in things like sudo and su, and system().  The snprintf() line formats the command into a string that can be passed to system(), which executes commands.

So, use your powers for good, and happy hacking.

5.11.2021

It's been a while

So, yeah, it's been a while since I posted.  I either haven't had anything interesting I've been working on, or things at work have been interesting to me, but not something I think is interesting to others or can be sufficiently sanitized.  I've also been busy with non-computer hobbies like gardening and writing fiction.

Now I'm trying to get (back) into cybersecurity, so I'll have interesting projects I'm doing on the side.  I got my Security+ cert about a month ago.  I bought a small library of books with my latest stimulus check that I'm slowly working my way through.  I've been doing some TryHackMe rooms, so I might do some writeups of those.  And I have a tool I'm starting on, an automated banner-grabber that looks up exploits in exploitdb.