Business Logic Vulnerability | ADM Group


Summary

This machine is about business logic issues, a vulnerable framework and exposed credentials. To begin with, during registration I was able to change the role id via Burp Suite to make myself the admin and successfully log in to the admin page. Moving forward, the sub-domain found on the admin page leaks error details of a vulnerable PHP Laravel framework, and its application key (APP_KEY) was exposed. Exploiting that got me a low-privilege reverse shell. Through this shell, a user credential was found which I used to log in and gain access. …
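The role-id trick above is a mass-assignment flaw: the registration handler binds whatever fields arrive in the request, including one the form never sent. The following is an added example (not code from the post or from the target machine) showing that handler beside a hardened version that decides the role server-side. The field names, the role table (1 = admin, 2 = user) and the request body are assumptions for illustration.

```python
"""Registration handler that binds a client-supplied role id (vulnerable)
beside one that assigns the role server-side (hardened).

Added example, not code from the original post or the target machine. The
field names, the role table and the request body are assumptions."""
from dataclasses import dataclass
from urllib.parse import parse_qsl

ROLE_ADMIN = 1   # assumed role table: 1 = admin, 2 = user
ROLE_USER = 2


@dataclass
class User:
    username: str
    role_id: int


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded request body."""
    return dict(parse_qsl(body, keep_blank_values=True))


def register_vulnerable(body: str) -> User:
    """Vulnerable: role_id is read straight from the request, so an attacker
    who adds role_id=1 to the intercepted registration request becomes admin."""
    form = parse_form(body)
    return User(username=form["username"],
                role_id=int(form.get("role_id", ROLE_USER)))


def register_hardened(body: str) -> User:
    """Hardened: only allow-listed fields are taken from the request and the
    role is set by the server; any role_id the client sends is dropped."""
    form = parse_form(body)
    allowed = {"username", "password"}
    clean = {k: v for k, v in form.items() if k in allowed}
    return User(username=clean["username"], role_id=ROLE_USER)


def is_admin(user: User) -> bool:
    return user.role_id == ROLE_ADMIN


# Constructed request body, as it might look after editing in Burp Repeater:
TAMPERED_BODY = "username=mallory&password=Passw0rd&role_id=1"

if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(TAMPERED_BODY))
    print("hardened:  ", register_hardened(TAMPERED_BODY))
```

The fix is an allow-list of bindable fields, not a deny-list of known-dangerous ones: a deny-list silently fails the next time a privileged column is added to the user table.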


AZ-900 - Basics of Azure Cloud Computing

Here I have collated my Azure Fundamentals revision notes. This article is for anyone who wants to launch their career or business in the cloud ;-)


How I Planned My Azure Fundamentals Preparation

  • Book your exam first. If you are completely new to cloud computing, leave at least three months of preparation time before the exam date.
  • Revise daily for at least an hour.
  • In between, test your understanding of the syllabus with free and paid online multiple-choice questions.

Free Learning Resources


Server-Side Template Injection | Splunk UF RCE

Summary

This machine runs a web application on port 80 that is vulnerable to Server-Side Template Injection (SSTI). SSTI lets an attacker execute template code on the internal web server, which here leads to remote code execution (RCE).

The web application on this machine uses the Twig (PHP) template engine to embed dynamic content in web pages and emails. Registered users can post comments. Because the comment text is handed to the template engine without any sanitization, the application is highly vulnerable to SSTI.

For privilege escalation, during enumeration it was found that the…
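The root cause is not a missing filter but where the comment ends up: concatenated into the template source, so the engine parses the user's `{{ }}` tags as code, instead of being passed in as a variable, where it stays data. The following added example (not the application's own code) uses a tiny Twig-style renderer, written in Python for the demonstration, to show both patterns and the classic arithmetic probe used to detect SSTI. The renderer, the handler names and the probe value are assumptions.

```python
"""Why unsanitised comments become Server-Side Template Injection.

Added example, not the application's own code. A tiny Twig-style renderer
(only {{ expr }} tags, arithmetic and variable lookup) stands in for the real
engine; the two comment handlers show the vulnerable and the safe pattern."""
import re

TAG = re.compile(r"\{\{(.*?)\}\}")


def render(template_src: str, ctx: dict) -> str:
    """Replace each {{ expr }} with the evaluated expression. Builtins are
    removed so this toy evaluates arithmetic and ctx variables only; a real
    engine exposes far more (filters, objects, functions), which is exactly
    what SSTI payloads abuse to reach RCE."""
    def evaluate(match):
        expr = match.group(1).strip()
        return str(eval(expr, {"__builtins__": {}}, dict(ctx)))  # toy engine
    return TAG.sub(evaluate, template_src)


def show_comment_vulnerable(comment: str) -> str:
    """Vulnerable: the comment is concatenated into the template source, so
    the engine parses the user's {{ }} tags as code."""
    return render("Comment: " + comment, {})


def show_comment_safe(comment: str) -> str:
    """Safe: the template is fixed and the comment is passed as a variable;
    the substituted value is data and is never re-parsed."""
    return render("Comment: {{ comment }}", {"comment": comment})


def detect_ssti(render_page) -> bool:
    """Classic probe: post an arithmetic tag and check whether the server
    evaluated it. render_page stands in for 'submit the comment, fetch the
    page'; an unusual product avoids false positives from existing numbers."""
    probe = "{{ 1337 * 1337 }}"
    return str(1337 * 1337) in render_page(probe)


if __name__ == "__main__":
    print(show_comment_vulnerable("{{ 7 * 7 }}"))   # engine ran the tag
    print(show_comment_safe("{{ 7 * 7 }}"))         # tag echoed as text
```

In Twig terms the vulnerable pattern is `createTemplate($userInput)` or string-building the template source; the safe pattern is a static template rendered with `['comment' => $userInput]`. Sanitising the input is a second line of defence, not a substitute for keeping it out of the template source.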


Issues: open svn port > misconfigured svn system > unrestricted file upload > misconfigured settings


Summary

In this machine, I learnt to retrieve sensitive information from a Subversion (SVN) server exposed on port 3690, both from the command line and with its client application.

For the reverse shell, I had to spend some time understanding how the application works and how it could potentially be exploited. After some trial and error, I managed to get a reverse shell as the user.

The story doesn't end here. I couldn't retrieve the user.txt file via the shell I got. I had to escalate horizontally to another user to get the user.txt file. After digging through the information in the user…


Ghidra is free and open-source software for reverse engineering executable programs (binaries), including mobile apps. Ghidra can be installed on multiple OS platforms, including Windows, Linux and macOS.


Installing Ghidra

Here I’ve installed Ghidra on Linux.

  • Download Ghidra.
  • While Ghidra is downloading, open a Linux terminal and install the Java runtime it depends on: sudo apt install openjdk-11-jdk (check the release notes of the Ghidra version you downloaded for the JDK version it requires).
  • Unzip the downloaded Ghidra package, open the ghidra folder and run ./ghidraRun. This opens the Ghidra GUI.

Once Ghidra is up and running you’re all set to go!

Why Perform Reverse Engineering for Security Purposes?

  • To perform malware analysis
  • To remove copy-protection / serial-number protection schemes
  • To…


In simple terms, Symmetric Key Cryptography uses a single, shared key to perform both the encryption and the decryption process.

https://www.101computing.net/symmetric-vs-asymmetric-encryption/

Steps to Perform Symmetric Encryption

To encrypt a plaintext using Symmetric Encryption Algorithm, the simple steps include:

  1. Choose a symmetric encryption algorithm and key size. The larger the key, the harder it is to brute-force.
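To make the steps concrete, the following added example (not from the original post) walks the whole symmetric workflow with the standard library only: pick a key size, generate the shared key, encrypt with a fresh nonce, authenticate the ciphertext, decrypt with the same key, and reject anything tampered with. The cipher is a PRF-based stream construction (HMAC-SHA256 in counter mode with encrypt-then-MAC), chosen so it runs offline without extra packages; it illustrates the steps but is not a substitute for AES-GCM or ChaCha20-Poly1305 from a vetted library in real systems. The subkey labels, nonce length and layout are assumptions.

```python
"""The symmetric encryption workflow end to end: pick a key size, generate
the shared key, encrypt with a fresh nonce, authenticate, decrypt with the
same key, and reject tampering.

Added example, not from the original post. It uses only the standard library:
a keystream derived from HMAC-SHA256 in counter mode, with encrypt-then-MAC.
That is fine for showing the steps, but for real systems use AES-GCM or
ChaCha20-Poly1305 from a vetted library rather than this construction."""
import hashlib
import hmac
import secrets

KEY_BYTES = 32     # 256-bit shared key: step 1, the chosen key size
NONCE_BYTES = 16
TAG_BYTES = 32     # HMAC-SHA256 output length


def generate_key() -> bytes:
    """Step 2: the single shared key, from a CSPRNG, never from a password."""
    return secrets.token_bytes(KEY_BYTES)


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys so the two roles never share one.
    The labels b"enc" / b"mac" are an assumption of this example."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Step 3: returns nonce || ciphertext || tag. The nonce must never repeat
    under the same key, which is why it is random per message."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_BYTES)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Step 4: verify the tag first (constant-time compare), then undo the
    keystream with the same shared key. Wrong key or a flipped bit fails here."""
    if len(blob) < NONCE_BYTES + TAG_BYTES:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce = blob[:NONCE_BYTES]
    ciphertext = blob[NONCE_BYTES:-TAG_BYTES]
    tag = blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def roundtrip_ok(message: bytes) -> bool:
    """Encrypt and decrypt with one freshly generated shared key."""
    key = generate_key()
    return decrypt(key, encrypt(key, message)) == message


if __name__ == "__main__":
    k = generate_key()
    print(decrypt(k, encrypt(k, b"attack at dawn")))
```

Two things the step list does not say but the code enforces: the same key must be kept secret by both parties (anyone holding it can decrypt and forge), and encryption alone does not give integrity, so the tag check comes before any decryption.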


DIVA Android App

Damn Insecure and Vulnerable App (DIVA) is a deliberately vulnerable app designed to teach the vulnerabilities found in Android apps. This article walks you through discovering some of those vulnerabilities and will be continuously updated as I complete more Android-related challenges.

https://pentesttools.net

Step 1. Download the DIVA APK file from here.

Step 2. If you want to set up the Android lab using Android Studio, see my previous article here.

Step 3. Once you have the DIVA app running on your emulator, run jadx-gui from your macOS or Linux terminal if you want to review the decompiled Java source code…


Securing the Modern Threat landscape

In my Red-Teaming Engagement article, I described its methodology and the difference between Red Teaming and Penetration Testing. In this article, I'll focus only on the cloud side of a Red Teaming engagement.

Photo by İsmail Enes Ayhan on Unsplash

Shared Responsibilities for Overall Cloud Security

The chart below shows a high-level view of the shared responsibilities between the cloud provider and the customer for overall cloud security, as it can get tricky to understand what you can or cannot do during a pentest or red-teaming exercise.


Learning to find the Treasure Trove of Information

In my previous article I mentioned a few OSINT tools that can be used for passive reconnaissance. In this article I'll attempt some HTB OSINT challenges. OSINT is also one of the key skills during the Reconnaissance phase of a Red Team assessment.

Photo by Roman Kraft on Unsplash

Scenario 1 - Understand SPF, DKIM and DMARC

Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?
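The question is really about what the domain's SPF, DKIM and DMARC records allow. The following added example (not from the write-up, and not the real records of secure-startup.com, which the page does not show) takes the three records as strings and reports the weaknesses that let spoofed mail through: a permissive `all` qualifier, a missing or `p=none` DMARC policy, and a DKIM selector in testing mode or with a revoked key. The sample records are constructed for RFC 2606 example domains; a real check would first fetch the TXT records with `dig` or `dns.resolver`.

```python
"""Reading SPF, DKIM and DMARC records for the weaknesses that let spoofed
mail through, which is the question the scenario asks.

Added example, not from the original write-up. The records below are
constructed for RFC 2606 example domains; they are not secure-startup.com's
records. A real check would fetch the TXT records with dig or dns.resolver;
here they are passed in as strings."""
from typing import List, Optional, Tuple

Finding = Tuple[str, str]   # (code, explanation)


def spf_all_qualifier(spf: Optional[str]) -> Optional[str]:
    """Return the qualifier of the terminal 'all' mechanism ('+', '-', '~', '?'),
    or None when the record has no 'all' mechanism."""
    if not spf:
        return None
    for term in spf.split()[1:]:            # skip the v=spf1 version tag
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"   # bare 'all' is '+all'
    return None


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k=v' tag lists (DMARC and DKIM records share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(spf: Optional[str], dmarc: Optional[str],
           dkim: Optional[str] = None) -> List[Finding]:
    """Return the findings that explain why spoofing this domain would work."""
    findings: List[Finding] = []
    qual = spf_all_qualifier(spf)
    if spf is None:
        findings.append(("spf-missing", "no SPF record: any host can send as the domain"))
    elif qual is None:
        findings.append(("spf-no-all", "no 'all' mechanism: unlisted senders get a neutral result, nothing is rejected"))
    elif qual == "+":
        findings.append(("spf-pass-all", "SPF ends in +all: every sender passes"))
    elif qual == "?":
        findings.append(("spf-neutral", "?all is neutral: receivers treat it like no SPF"))
    elif qual == "~":
        findings.append(("spf-softfail", "~all only soft-fails; without DMARC enforcement the mail is still delivered"))

    if dmarc is None:
        findings.append(("dmarc-missing", "no DMARC: SPF/DKIM failures have no policy attached"))
    else:
        tags = parse_tags(dmarc)
        if tags.get("p", "none").lower() == "none":
            findings.append(("dmarc-none", "p=none only monitors; spoofed mail is still delivered"))
        if tags.get("pct", "100") != "100":
            findings.append(("dmarc-partial", "pct<100 applies the policy to only part of the mail"))

    if dkim is not None:
        tags = parse_tags(dkim)
        if not tags.get("p"):
            findings.append(("dkim-revoked", "empty p= means the selector's key is revoked"))
        if "y" in tags.get("t", "").split(":"):
            findings.append(("dkim-testing", "t=y testing flag: receivers should not enforce this selector"))
    return findings


# Constructed records (not real DNS data):
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; pct=100"

if __name__ == "__main__":
    for code, why in assess(WEAK_SPF, WEAK_DMARC):
        print(f"{code}: {why}")
```

The combination to look for in this kind of challenge is a permissive SPF together with `p=none`: SPF decides whether the sending host is authorised, but only DMARC tells receivers to quarantine or reject when that check (and DKIM) fails, so `p=none` turns every SPF failure into a delivered message and a report.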

1st Flag


Passive Information Gathering Technique

Note: Although the passive tools mentioned in this article are legal to use, using them may still go against an organisation's policy. Therefore always ensure you have their consent before attempting any reconnaissance.

https://divadilemma.wordpress.com/2012/08/23/diva-detective/

Open Source Intelligence (OSINT) is information about an individual or an organisation collected from sources that are publicly available, such as the public domain and the Internet.

OSINT is used during the early Reconnaissance phase of the Cyber Kill Chain.

K O M A L

Cyber Security Enthusiast || Aspiring Red-Teamer
