Business Logic Vulnerability | ADM Group
Summary
This machine is about the business logic issues, vulnerable framework and exposed credentials. To begin with, — During registration, I was able to change the role id via burpsuite to make myself the admin and successfully login to admin page. Moving forward, the sub-domain found on the admin page leaks error details of a vulnerable PHP Laravel Framework and its APP Key Hash was exposed. Exploiting that got me the low reverse shell. Through this shell, a user credential was found which I used it to login and gain access. …
AZ-900 - Basics of Azure Cloud Computing
Here I have collated my Azure Fundamentals revision notes. This article is for anyone who wants to take off their career or business in THE CLOUD ;-)
How I planned my Azure Fundamentals Preparation?
- Book your exam first! If you’re a complete newbie in cloud computing, then leave at least 3 months prep time prior to your exam date.
- Daily revision for at least 1 hour.
- In-between I test my understanding of this syllabus via free and paid online multiple-choice questions.
Free Learning Resources
- Microsoft Azure Fundamentals — Free online course which covers 6 domain areas. Also Includes quiz.
- itexams.com — contains part free practice questions
- testpreptraining.com — contains part…
Server-Side Template Injection | Splunk UF RCE
Summary
This machine is running a web application on port 80 that is vulnerable to Server-Side Template Injection (SSTI). This attack can be used to directly attack the internal web server, resulting in RCE attack.
The web application running on this machine is using Twig(PHP) template to embed dynamic content in web pages and emails. Using this web application, user can post comment after getting themself registered to this system. Since there is no sanitization check when the user inputs the data, it therefore makes it highly vulnerable to SSTI attack.
For privilege Escalation, during enumeration it was found that the…
Issues: open svn port > misconfigured svn system > unrestricted file upload > misconfigured settings
Summary
In this machine, I learnt to retrieve sensitive information from the SubVersion Control System open port 3690 via both command line and its client application.
For the reverse shell, I had to spend some time understanding how the application system works and how this could potentially be exploited. After some trials and errors, I managed to get the reverse shell of the user.
The story doesn’t end here. I couldn’t retrieve the user.txt file via the shell I got. I had to horizontal escalate to another user to get the user.txt file. After digging through the information in the user…
Ghidra is a free and open-source Software for Reverse Engineering of executable program(Binary) including Mobile Apps. Ghidra supports installation on multiple OS platforms inc. Windows, Linux and MacOS.
Installing Ghidra
Here I’ve installed Ghidra on Linux.
- Download ghidra.
- While ghidra is being downloaded, open linux terminal and install the required dependencies before we can run Ghidra:
sudo apt install openjdk-11-jdk - Unzip the downloaded Ghidra package > open the ghidra folder and run
./ghidraRunThis will open up the Ghidra-GUI.
Once Ghidra is up and running you’re all set to go!
Why Perform Reverse Engineering for Security Purpose?
- To perform Malware Analysis
- To Remove copy protection schemes/ serial number protection
- To…
In simple terms, Symmetric Key Cryptography is a single, shared key and is used to perform both encryption and decryption process.
Steps to Perform Symmetric Encryption
To encrypt a plaintext using Symmetric Encryption Algorithm, the simple steps include:
- Choose a Symmetric Encryption Algorithm and Key Size. The larger the key, the harder it is to decrypt it.
DIVA Android App
Damn Insecure Vulnerable App DIVA is a vulnerable App designed to teach about the vulnerabilities found in Android App. This article walks you through discovering some of those vulnerabilities and will be continously updated as I complete more android related challenges.
Step 1. Extract the DIVA APK file from here.
Step 2. If you want to setup the android lab using Android Studio Software then visit my previous article here.
Step 3. Once you have the Diva app running on your emulator, Run jadx-gui in your Mac or linux terminal if you want to review the source code in java…
Securing the Modern Threat landscape
In my Red-Teaming Engagement article, I’ve mentioned about its methodology and difference between Red Team and Penetration Testing. In this article, I’ll be focusing only on the Cloud side of Red Teaming Engagement.
Shared Responsibilities for Overall Cloud Security
The below chart shows a high-level view of Shared Responsibilities between Cloud Provider and Customer for the overall cloud security. As sometimes it gets trickier to understand what you can or cannot perform during a pentest or red teaming exercise.
Learning to find the Treasure Trove of Information
In my previous article I mentioned few OSINT tools that can be used for passive reconnaissance. In this article I’ll be attempting some HTB OSINT challenges. OSINT is also one of the key skills essential during the Reconnaissance phase of the Red Team assessment.
Scenario 1 - Understand SPF, DKIM and DMARC
Customers of secure-startup.com have been recieving some very convincing phishing emails, can you figure out why?
1st Flag
Passive Information Gathering Technique
Note: Although some passive tools mentioned in this article are completely legal to use, it could still go against some organisation’s policy. Therefore always ensure you have their consent before attempting any reconnaissance.
Open Source Intelligence (OSINT) is a collection of data of an individual or an organisation that are publicly available in the public domain and Internet.
OSINT is used during the early Reconnaissance Phase in Cyber Kill Chain.
K O M A L
Cyber Security Enthusiast || Aspiring Red-Teamer
