#hack100days Day25: Continued tinkering with script and postman to refine enumeration process on crAPI. Still bash über alles! I *think* I'm finding different versions of APIs, so need to work through how to confirm and then, once confirmed, how to exploit. #infosec #cososec
#hack100days Day24: Continued on the exercise from Chapter 9. Couldn't get postman to reproduce the results I was expecting. So, I wrote a bash script to do the enumeration. I get the point. Icing would be to rewrite in python and add some processing. #infosec #cososec
#hack100days Day23: Another chapter down in _Hacking APIs_ and tinkering with postman. Time for a cocktail and then pick it back up after dinner. #infosec #cososec
#hack100days Day22: Found some users. With the secret from "my" jwt, I was able to forge tokens for each user. With the forged tokens, I could reset their passwords. However, logging in yielded a blank page. Trying out kiterunner to find other API endpoints while I watch the Jan 6 hearings. #infosec #cososec
#hack100days Day21: Enumeration and attacks on crAPI. Error message on one of the screens suggested I might be able to brute force 'a thing'. Used ZAP's regex fuzzer for the first time. Didn't get a hit, so I've either mis-inferred what the message meant or it's a lie. After registering a user, attacked jwt with jwtcrack to see if I could get the secret. Success! JWT payload may be an unfortunate decision, so next step is to find other users to see if I can impersonate them. #infosec #cososec
#hack100days Day20: Published my start/stop script to github (https://github.com/stop-a/misc_scripts/blob/8d8c820922f579e6641b118235269af200f9b7f3/runlab2). Bashed at https://github.com/DevSlop/Pixi in my lab. Got a little more acquainted with Postman. #infosec #cososec
#hack100days Day19: Tested the other deliberately vulnerable apps I had issues with on the new version of docker. All good! Wrote a wrapper script to start/stop the apps as needed. (They're supposed to be cows, not pets ya?) Chapters 7 & 8 read of _Hacking APIs_. #infosec #cososec #mmmmsteak
#hack100days Day18: Finally managed to get crAPI working. Needed to move from docker 20.10.14 to 20.10.16, because of course. (I am not enamored of docker.) Finished the first crAPI lab. #infosec #cososec #sysadmin101
#hack100days Day 17: Lab in _Hacking APIs_ wants working version of crAPI. Getting crAPI turned out to be fail. Nuked, paved, and re-started that effort. Same result. Documented steps and results. Opened an issue. Got a quick response for additional info, so we'll see how this goes. In retrospect, I should have anticipated the question. #infosec #cososec #sysadmin101
#hack100days Day16: Continuing reading _Hacking APIs_. Installed OWASP crAPI app on lab machine. Getting some touches with docker. Need to troubleshoot an error w/one of the crAPI containers. Then, time to hack it! #infosec #cososec
#hack100days Day15: Back to _Hacking APIs_. Got Juice Shop installed and tucked behind an nginx reverse proxy, along with DVGA. Now have some #hackthebox systems to put on my list of targets. Next chapter down. #infosec #cososec
#hack100days Day14: SANS ICS Summit CTF. I'm on the board! Nowhere near top 10, but I'm not sussed since I'm learning more about ICS this way. #infosec #cososec #ctf #ics
#hack100days Day13: The chain continues... Another chapter down in _Hacking APIs_. Installing deliberately vulnerable apps for the next lab and will bang on them later this evening. In the meantime, kidlet has prepared dinner.
#infosec #cososec
#hack100days Day12: Worked on _Hacking APIs_, Lab 1. Didn't use Burpsuite, used Zap instead. Compared and contrasted with Postman. Slow going at first as I get acquainted with Postman. #infosec #cososec
#hack100days Day11: Continued working on Hacking APIs. Next up is working on the labs. Created a postman account. #infosec #cososec
#hack100days Day8b: Power went out for a couple of hours today. So, went analogue and read two chapters of Hacking APIs by Corey J. Ball (https://nostarch.com/hacking-apis) #infosec #cososec
#hack100days Day6b: Hack the Box Academy. I like the UI for Burp, but I like not having to pay to get the goodness that ZAP brings. Also took a minute to break the rust off for using Metasploit. Can't remember the last time I looked at that. #infosec #cososec
#hack100days Day5b: Read about hacking today. Finished 3-part series on a Cloudflare bug bounty. (https://blog.assetnote.io/2022/05/06/cloudflare-pages-pt1/) #infosec #cososec
#hack100days Day4b: Testing #ssti payloads. Trying to figure out if I’m overthinking it. Tokens matter. #infosec #cososec
#hack100days Day 3b: More reading about #ssti, still need to find right payload. Found an article that walks through a process to find a way to the OS module. #infosec #cososec
Muddling through.