#hack100days : Day 16 : Still banging at the crypto challenge. I've gotten a big push, by the implementation is still escaping me. I've focusing on the decimal values of the ASCII char set. Maybe tomorrow I try with hex values and see if that leads to a breakthrough. #crypto #ctf #getsmart #infosec #cososec
#hack100days : Day 15 : Looks like matactf.com's Thanksgiving CTF is only the five challenges. I'm hit and miss with crypto. I've managed to work out part of the plaintext. Gonna keep noodling on it. #ctf #getsmart #infosec #cososec
#hack100days : Day 14 : Took a crack at metactf.com's Thanksgiving CTF. It's multiple days. Today there are six challenges. I've gotten 5. #ctf #getsmart #infosec #cososec
#hack100days : Day 13 : Today was a little weaksauce. Researched kit to bolt onto a Raspberry Pi 3 to make a wifi hacking rig. #getsmart #infosec #wifihacking #cososec
#hack100days : Day 11 : More JuiceShop. Explored business logic. Managed to break the server a couple of times. Error checking and handling is hard. #getsmart #infosec #WebAppPentesting #cososec
#hack100days : Day 10 : Watched a twitch stream of an attack on a #tryhackme box. Lots of malding, lol. Also poked at JuiceShop some more. #getsmart #infosec #cososec
#hack100days : Day 9 : Analysing main.js from juice shop. Finding endpoints on the server to explore and “endpoints” on the local app to explore. Router is a magic word. Need to do more poking and prodding to ascertain what kind of magic word “selector” is. #getsmart #infosec #webapplicationtesting #cososec
#hack100days: Day 8: Spun up Juice Shop and started in. Used ZAP to spider. Found an auth bypass. Found a dir from robots.txt with some goodies. Recalled a hint from PWST to reap the goodies. Need to look at hacking a Keepass file. I'm sure I've seen that in a CTF or three. Need to attack the business logic in the app. Look at API enumeration. Time to kick off a directory brute-force and go to bed. #infosec #webapplicationtesting #getsmart #cososec
#hack100days: Day 7 : Finished sections 8 and 9 of PWST. Next up, hack Juice Shop. #infosec #getsmart #webapplicationtesting #cososec
#hack100days : Day 6 : Finished section 7 of PWST. #infosec #getsmart #cososec
#hack100days : Day 5 : Took a crack at #hackthebox new release, Forgot. Learned some stuff, so that's good. I'm still slow, but eventually got root. I think some of it was more CTF than real life, but I look forward to seeing the reviews from the old hands. #infosec #getsmart #cososec
#hack100days : Day 4a : Finished off sections 5 and 6 of PWST. #infosec #WebAppPentesting #cososec
#hack100days : Day 3a : Watched BHIS Webcast: Securing AWS: Discover Cloud Vulnerabilities via Pentesting Techniques w/ Beau Bullock. Adding checking out CloudGoat and getting familiar with weirdAAL to the list. #cososec
#hack100days : Day 2a : Attended monthly security meetup. Help a peer tackle a wifi ctf. Don’t know much about wifi, but we muddled through. #cososec
#hack100days: day 1a: Missed yesterday. An internal org sent a link to a Wordle-type site as part of an awareness campaign for their services. At the end of the URL is some jumbled characters. Wonder if it's the word in encoded or encrypted format... Site let's one create a link to a word of their choosing. Trivial to go to the site and work out a key. They used the Vigenere Cipher. I win. (I'm also wkrup.) #cryptography #cososec
#hack100days : Day4 : A good chunk of time in #htb Release Arena. Banged on Flight, a hard Windows box. I've gotten user with some nudges from a Discord group I worked with. Still working on root. Been a while since taking a crack at a Windows box. #infosec #getsmart #cososec
#hack100days : Day3 : More time working on PWST, sections 4-8 through 4-13. Videos were short, so don't too excited. There a 'more practice' video left in section 4, so plan is to spend some time on that tomorrow. #infosec #getsmart #cososec
#hack100days : Day2 : Tuned in to @Alh4zr3d@twitter's twitch (https://www.twitch.tv/alh4zr3d). He streamed pwning the #hackthebox Tricky box. Watched @mttaggart's _Practical Webapp Security and Testing_ (https://academy.tcm-sec.com) (henceforth, PWST), sections 4-6 and 4-7. Need to spend some more time on 4-7 and the javascript trickiness. #htb #infosec #CoSoSec
#hack100days : Day 1: Picked back up "Practical Webapp Security and Testing" by @[email protected]. Knocked out section 4-5, which is about sqli. Played around with ZAP Active Scan, tried out some different files for fuzzing and detecting sqli--fuzzdb, SecLists, and one I compiled from a couple of books. Will continue tinkering with manually enumerating the db before bed. Maybe see about getting mysql/mariadb table enum into my home-grown list. #infosec #CoSoSec
Muddling through.