ath0  

Day 1: Enumerate targets in a web application CTF. Explore potential sqli points. Look at SSTI for Werkzeug. Look at SSRF candidate. (dafuq is a gunicorn?)

1
ath0  

Day 2: Listened to @jhaddix@twitter talk about his methodology at NahamCon. Lot of good tools and some advice on things to pay attention to during enumeration. Need to re-watch and take notes--play with some tools. (Also was up to wee hours this a.m. working NahamCon ctf)

1
ath0  

Day 3: Reviewed shub's (@infosec_au@twitter) slides (drive.google.com/file/d/14OFU-) from NahamCon 2022 re: Finding 0days in Enterprise Software. I did not know Lotus Domino was still a thing.

1
ath0  

Day 4: Installed k8s on Ubuntu lab box. Downloaded Kubernetes Goat (madhuakula.com/kubernetes-goat) to install later tonight or tomorrow. I wish to grok the networking better.

1
ath0  

Day 5: Virtually attended SANS CloudSecNext Summit. Really good Keynote by Sounil Yu (youtu.be/mEGqC1tuO4E). Also saw a preso on K8 security by Jay Beale.

1+
ath0  

I fell down and broke the chain. Watched Nahamsec's Live Recon Sundays session today with Stök and JHaddix where they interviewed @lilc. That was fun and a good reminder to get back at it. Got run some errands and then back at it tonight.

1+
ath0  

Day1a: New Chain. (Oof.) Today, started a multi-day by cmd+ctrl. Currently at 1570 points. Found a couple of pages susceptible to , which led to and sensitive data disclosure. Solved an encryption challenge and found a "published" DOS bug. Currently banging on an . ;)

1
ath0  

Day2a: Continued . Solved crypto challenge and found hidden end point. Sqlmap continues chewing on user table. Used an idor and a script to enumerate all the users.

1
ath0  

Day3a: Continued . Solved an image forensics channel. Wrote some scripts to reap user account data and to reap all the images. Read part one of a three part blog on bulbs found in a CDN provider network. CDN Provider had their side published, as well.

1+
ath0  

Day4a: Continued . Poked at login page and got an interesting error. Still tinkering with that between meetings. There's an auth bypass here, I can *smell* it. Also had some vigorous discussion on what Domain Isolation" is and isn't.

1
ath0  

Day5a: Continued , but haven't gotten much further. Watched Hack the Box's "Hands on Hacking" live-stream that's setting up Cyber Apocalypse CTF 2022, which starts tomorrow. Keep an eye on HtB's youtube channel, they'll be posting the videos. The ippsec interview was good and Sheeraz gave a good overview of K8s, which I found helpful. (One more meeting and then I can focus on the auth bypass sqli...)

1
ath0  

Day6: The new chain is longer than the old chain! Started Cyber Apocalypse CTF 2022 this morning and worked on it for a couple of hours. Got the 'intro' flag. Worked on two of the challenges, but haven't gotten anywhere--oof. Slight blow to psyche. Good weather today, so worked on container gardening. Now that dinner is done and have whisky on the side table, getting back at it.

1
ath0
Follow

Day7: Continued banging on Cyber Apocalypse CTF '22. Finally "really" on the board with a solved web challenge. Downloaded the code for a bunch of other challenges, so it's time to practice code analysis.

· 1· 0· 0
ath0  

Day8: Continued Cyber Apocalypse CTF. Getting *way* more acquainted w/JavaScript. I've got an XSS, but I'm still working out weaponization. Still no additional points, but the day ain't done yet.

1
ath0  

Day9: Continued Cyber Apocalypse . Moved to a new challenge. Enumerated site, but not finding entry point. Spent good part of day working on groking MSFT Defender for Cloud Apps.

1
ath0  

Day 1b: Dropped the ball yesterday, busy day. Cyber Apocalypse is done. Working on a machine today. New day, new chain.

1
ath0  

Day 2b: Kept at the machine. Working out a good payload. Interesting injection point. Also reworking note taking process. Still slow.

1
ath0  

Day 3b: More reading about , still need to find right payload. Found an article that walks through a process to find a way to the OS module.

1
ath0  

Day4b: Testing payloads. Trying to figure out if I’m overthinking it. Tokens matter.

1
ath0  

Day5b: Read about hacking today. Finished 3-part series on a Cloudflare bug bounty. (blog.assetnote.io/2022/05/06/c)

1
ath0  

Day6b: Hack the Box Academy. I like the UI for Burp, but I like not having to pay to get the goodness that ZAP brings. Also took a minute to break the rust off for using Metasploit. Can't remember the last time I looked at that.

1
ath0  

Day7b: Read the Verizon DBIR. Interesting graphs in there. Nothing really new under the sun. Which isn't a bad thing.

1
ath0  

Day8b: Power went out for a couple of hours today. So, went analogue and read two chapters of Hacking APIs by Corey J. Ball (nostarch.com/hacking-apis)

1
ath0  

Day9b: Decided "hacking" myself counts today. Started using LYT (linkingyourthinking.com) note-taking. Moved a bunch of notes from old program to the new.

1
ath0  

Day10: New chain, longer than the old chain! Read more of Hacking APIs, by Corey Ball. Looking forward to learning more about GraphQL—want to understand the AuthZ patterns and techniques. Also learned about Broken Object Level Authorization (BOLA). The examples look a lot like IDOR, but I think I grok the diff. You can have an IDOR that’s not a BOLA, but I reckon you could get a BOLA as a result of an IDOR. Still need to think and tinker with this one a bit.

1
ath0  

Day11: Continued working on Hacking APIs. Next up is working on the labs. Created a postman account.

1+
ath0  

Day12: Worked on _Hacking APIs_, Lab 1. Didn't use Burpsuite, used Zap instead. Compared and contrasted with Postman. Slow going at first as I get acquainted with Postman.

1
ath0  

Day13: The chain continues... Another chapter down in _hacking APIs_. Installing deliberately vulnerable apps for the next lab and will bang on them later this evening. In the meantime, kidlet has prepared dinner.

1
ath0  

Day14: SANS ICS Summit CTF. I'm on the board! No where near top 10, but I'm not sussed since I'm learning more about ICS this way.

1
ath0  

Day15: Back to _Hacking APIs_. Got Juice Shop installed and tucked behind an nginx reverse proxy, along with DVGA. Now have some systems to put on my list of targets. Next chapter down.

1+
ath0  

Day16: Continuing reading _Hacking APIs_. Installed OWASP crAPI app on lab machine. Getting some touches with docker. Need to troubleshoot an error w/one of the crAPI containers. Then, time to hack it!

1+
ath0  

Day 17: Lab in _Hacking APIs_ wants working version of crAPI. Getting crAPI turned out to be fail. Nuked, paved, and re-started that effort. Same result. Documented steps and results. Opened an issue. Got a quick response for additional info, so we'll see how this goes. In retrospect, I should have anticipated the question.

1
Show more
KETCHUP  

@scottlink here are some tools
github.com/arainho/awesome-api

I just saw your post I will keep close

1
ath0  

@ketchup9080 Thanks! I’ll check the site out.

1
KETCHUP  

@scottlink hack the box has modules in the academy program, there is API module

1
KETCHUP  

@scottlink academy.hackthebox.com/module/

1
ath0  

@ketchup9080 Thx for pointer. Unlocked and in the queue!

0
Hunt€r 🌻  

@scottlink I need to work on my API testing. Very bad currently lol.

0
willc  

@scottlink Is _Hacking APIs_ a good book?

1
Show more
Sign in to participate in the conversation

CounterSocial is the first Social Network Platform to take a zero-tolerance stance to hostile nations, bot accounts and trolls who are weaponizing OUR social media platforms and freedoms to engage in influence operations against us. And we're here to counter it.

Resources

Developers

What is CounterSocial?

Created by potrace 1.15, written by Peter Selinger 2001-2017

counter.social

More…