#hack100days I fell down and broke the chain. Watched Nahamsec's Live Recon Sundays session today with Stök and JHaddix where they interviewed @lilc. That was fun and a good reminder to get back at it. Got run some errands and then back at it tonight. #infosec
#hack100days Day1a: New Chain. (Oof.) Today, started a multi-day #ctf by cmd+ctrl. Currently at 1570 points. Found a couple of pages susceptible to #idor, which led to #authbypass and sensitive data disclosure. Solved an encryption challenge and found a "published" DOS bug. Currently banging on an #sqli. #infosec #hashtag ;)
#hack100days Day2a: Continued #ctf. Solved crypto challenge and found hidden end point. Sqlmap continues chewing on user table. Used an idor and a script to enumerate all the users. #infosec #cososec
#hack100days Day3a: Continued #ctf. Solved an image forensics channel. Wrote some scripts to reap user account data and to reap all the images. Read part one of a three part blog on bulbs found in a CDN provider network. CDN Provider had their side published, as well. #infosec #cososec
#hack100days Day4a: Continued #ctf. Poked at login page and got an interesting error. Still tinkering with that between meetings. There's an auth bypass here, I can *smell* it. Also had some vigorous discussion on what Domain Isolation" is and isn't. #infosec #cososec
#hack100days Day5a: Continued #ctf, but haven't gotten much further. Watched Hack the Box's "Hands on Hacking" live-stream that's setting up Cyber Apocalypse CTF 2022, which starts tomorrow. Keep an eye on HtB's youtube channel, they'll be posting the videos. The ippsec interview was good and Sheeraz gave a good overview of K8s, which I found helpful. #infosec #cososec (One more meeting and then I can focus on the auth bypass sqli...)
#hack100days Day6: The new chain is longer than the old chain! Started Cyber Apocalypse CTF 2022 this morning and worked on it for a couple of hours. Got the 'intro' flag. Worked on two of the challenges, but haven't gotten anywhere--oof. Slight blow to psyche. Good weather today, so worked on container gardening. Now that dinner is done and have whisky on the side table, getting back at it. #infosec #cososec
#hack100days Day7: Continued banging on Cyber Apocalypse CTF '22. Finally "really" on the board with a solved web challenge. Downloaded the code for a bunch of other challenges, so it's time to practice code analysis. #infosec #cososec #ctf
#hack100days Day8: Continued Cyber Apocalypse CTF. Getting *way* more acquainted w/JavaScript. I've got an XSS, but I'm still working out weaponization. Still no additional points, but the day ain't done yet. #infosec #ctf #cososec
#hack100days Day9: Continued Cyber Apocalypse #ctf. Moved to a new challenge. Enumerated site, but not finding entry point. Spent good part of day working on groking MSFT Defender for Cloud Apps. #infosec #cososec
#hack100days Day 1b: Dropped the ball yesterday, busy day. Cyber Apocalypse #ctf is done. Working on a #hackthebox machine today. New day, new chain. #infosec #cososec
#hack100days Day 2b: Kept at the #hackthebox machine. Working out a good #ssti payload. Interesting injection point. Also reworking note taking process. Still slow. #infosec #cososec
#hack100days Day 3b: More reading about #ssti, still need to find right payload. Found an article that walks through a process to find a way to the OS module. #infosec #cososec
#hack100days Day4b: Testing #ssti payloads. Trying to figure out if I’m overthinking it. Tokens matter. #infosec #cososec
#hack100days Day5b: Read about hacking today. Finished 3-part series on a Cloudflare bug bounty. (https://blog.assetnote.io/2022/05/06/cloudflare-pages-pt1/) #infosec #cososec
#hack100days Day6b: Hack the Box Academy. I like the UI for Burp, but I like not having to pay to get the goodness that ZAP brings. Also took a minute to break the rust off for using Metasploit. Can't remember the last time I looked at that. #infosec #cososec
#hack100days Day7b: Read the Verizon DBIR. Interesting graphs in there. Nothing really new under the sun. Which isn't a bad thing.
#hack100days Day8b: Power went out for a couple of hours today. So, went analogue and read two chapters of Hacking APIs by Corey J. Ball (https://nostarch.com/hacking-apis) #infosec #cososec
#hack100days Day9b: Decided "hacking" myself counts today. Started using LYT (https://www.linkingyourthinking.com) note-taking. Moved a bunch of notes from old program to the new. #selfdevelopment #selfimprovement #lyt
#hack100days Day10: New chain, longer than the old chain! Read more of Hacking APIs, by Corey Ball. Looking forward to learning more about GraphQL—want to understand the AuthZ patterns and techniques. Also learned about Broken Object Level Authorization (BOLA). The examples look a lot like IDOR, but I think I grok the diff. You can have an IDOR that’s not a BOLA, but I reckon you could get a BOLA as a result of an IDOR. Still need to think and tinker with this one a bit. #infosec #cosocec
#hack100days Day11: Continued working on Hacking APIs. Next up is working on the labs. Created a postman account. #infosec #cososec
#hack100days Day12: Worked on _Hacking APIs_, Lab 1. Didn't use Burpsuite, used Zap instead. Compared and contrasted with Postman. Slow going at first as I get acquainted with Postman. #infosec #cososec
#hack100days Day13: The chain continues... Another chapter down in _hacking APIs_. Installing deliberately vulnerable apps for the next lab and will bang on them later this evening. In the meantime, kidlet has prepared dinner.
#infosec #cososec
#hack100days Day14: SANS ICS Summit CTF. I'm on the board! No where near top 10, but I'm not sussed since I'm learning more about ICS this way. #infosec #cososec #ctf #ics
#hack100days Day15: Back to _Hacking APIs_. Got Juice Shop installed and tucked behind an nginx reverse proxy, along with DVGA. Now have some #hackthebox systems to put on my list of targets. Next chapter down. #infosec #cososec
#hack100days Day16: Continuing reading _Hacking APIs_. Installed OWASP crAPI app on lab machine. Getting some touches with docker. Need to troubleshoot an error w/one of the crAPI containers. Then, time to hack it! #infosec #cososec
#hack100days Day 17: Lab in _Hacking APIs_ wants working version of crAPI. Getting crAPI turned out to be fail. Nuked, paved, and re-started that effort. Same result. Documented steps and results. Opened an issue. Got a quick response for additional info, so we'll see how this goes. In retrospect, I should have anticipated the question. #infosec #cososec #sysadmin101
#hack1000days Day18: Finally managed to get crAPI working. Needed to move to from docker 20.10.14 to 20.10.16, because of course. (I am not enamored of docker.) Finished the first crAPI lab. #infosec #cososec #sysadmin101
#hack100days Day19: Tested the other deliberately vulnerable apps I had issues with on the new version of docker. All good! Wrote a wrapper script to start/stop the apps as needed. (They're supposed to be cows, not pets ya?) Chapters 7 & 8 read of _Hacking APIs_. #infosec #cososec #mmmmsteak
#hack100days Day20: Published my start/stop script to github (https://github.com/stop-a/misc_scripts/blob/8d8c820922f579e6641b118235269af200f9b7f3/runlab2). Bashed at https://github.com/DevSlop/Pixi in my lab. Got a little more acquainted with Postman. #infosec #cososec
#hack100days Day21: Enumeration and attacks on crAPI. Error message on one of the screens suggested I might be able to brute force 'a thing'. Used ZAP's regex fuzzer for the first time. Didn't get a hit, so I've either mis-inferred what the message meant or it's a lie. After registering a user, attacked jwt with jwtcrack to see if I could get the secret. Success! JWT payload may be an unfortunate decision, so next step is to find other users to see if I can impersonate them. #infosec #cososec
#hack100days Day22: Found some users. With the secret from "my" jwt and was able forge tokens for each user. With the forged tokens, I could reset their passwords. However, logging in yielded a blank page. Trying out kiterunner to find other API endpoints while I watch the Jan 6 hearings. #infosec #cososec
#hack100days Day23: Another chapter down in _Hacking APIs_ and tinkering with postman. Time for a cocktail and then pick it back up after dinner. #infosec #cososec
#hack100days Day24: Continued on the exercise from Chapter 9. Couldn't get postman to reproduce the results I was expecting. So, I wrote a bash script to do the enumeration. I get the point. Icing would be to rewrite in python and add some processing. #infosec #cososec
#hack100days Day25: Continued tinkering with script and postman to refine enumeration process on crAPI. Still bash über alles! I *think* I'm finding different version of APIs, so need to work through how to confirm and then, once confirmed, how to exploit. #infosec #cososec
#hack100days Day26: Continued reviewing results of running script for 3 scenarios--got a couple of more I could try, but I want to tweak the output. Read chapter 10 of _Hacking APIs_, in the past I've failed to consider the the real signal in an HTTP 405. Do better! #infosec #cososec
#hack100days Day27: Tried out the exercise at the end of chapter 10. Read chapter 11 of _Hacking APIs_. #infosec #cososec
#hack100days Day28: Time to read chapters 12 and 13 of _Hacking APIs_. Busy day. #infosec #cososec
#hack100days Day30: Finished _Hacking APIs_ last night. Will review and finish labs tomorrow. Spent a couple of hours looking at a VDP/Bug Bounty program with a really big scope. Started nailing down and documenting some of the detailed scope—DNS domains, net blocks, websites, etc. #infosec #cososec #bugbounty
#hack100days Day32: More enumeration of VDP scope. A host/subdomain I initially picked off looks to be an orphaned DNS name. Will keep an eye out for calls to it from other assets. Maybe the glb/waf is looking for something "magical". Found a doc spelling out a policy that may help. #infosec #cososec #enumallthethings
#hack100days Day33: More enum. Found a new tld to chew on. Started poking at an apparent code repository, but it's pretty thin. Need to do some reading on the product. Another host is H U G E, relatively speaking, and is running Wordpress. Managed to get my IP baninated spidering the site. Getting acquainted with axiom now. #infosec #cososec #enumallthethings
#hack100days Day34 (1/3rd of the way!): A scan is still going, but it's NAT is likely sinkholed. Will wait until scan is done to confirm. Spider results from ZAP are still getting chewed on. So, in the meantime, read ahead on _Bug Bounty Bootcamp_. #infosec #cososec
#hack100days Day35: Scan is done and the results are thin. I did feed it too much, but the results suggest I may have misused the tool. Shrinking the target and trying another tool. Some of the URLs in the spider results have queries, so checking for sqli test candidates. ZAP continues trying to choke down the analysis of the spidering. #infosec #cososec #enumallthethings
#hack100days Day36: Tried out feroxbuster. Seems like it's hung, so I'll give it some more time. Took another look at the code repository's search function to see if I could find more 'stuff'. No joy there. Need to read some more. Might be time to look at another host in the VDP. #infosec #cososec #enumallthethings
#hack100days Day37-ish: Feroxbuster was hung. Killed it off, pulled state file and output log back for additional analysis. Gave to face discussions with a netsec vendor about netflow analysis, which dovetailed with risky.biz podcast I listened today. They talked w/Gigamon on the same topic. #infosec #cososec
#hack100days Day38: Vacation! Which is going to cramp my activities. Reading chapter 6 of _Bug Bounty Bootcamp_. #infosec #cososec
#hack100days Day39: Vacation! Reading chapter 7 of _Bug Bounty Bootcamp_. #infosec #cosocec
#hack100days Day40: Still vacationing. Read Chapter 8 of _Bug Bounty Bootcamp_. (Also watched _Dr. Strange and the Multiverse of Madness_.) #infosec #cososec #movienight
#hack100days Day41: Read chapter 9 of _Bug Bounty Bootcamp_. #infosec #cososec
#hack100days Day42: Read chapter 10 of _Bug Bounty Bootcamp_. #infosec #cososec
#hack100days Day43: Read chapters 11 & 12 of _Bug Bounty Bootcamp_. Tomorrow is travel day. #infosec #cososec
#hack100days Day44: Chapter 13 of _Bug Bounty Bootcamp_ done. #infosec #cososec
#hack100days Day45: Baseball Hall of Fame visited today and Chapter 14 of _Bug Bounty Bootcamp_ done. Going to need to do some more labs and walkthroughs of deserialization. Feels a bit like a dark art. #infosec #cososec #vacation
#hack100days Day46: “Home again, home again, jiggity jig.” Rock and Roll Hall of Fame and chapter 15 of _Bug Bounty Bootcamp_ done. Enjoying a jigger of Canadian whiskey to unwind.
#hack100days Day47: Read chapter 16 of _Bug Bounty Bootcamp_. #infosec #cososec
#hack100days Day48: Mixed it up today. Started watching https://www.youtube.com/watch?v=Llw2PAlXUoE, which led to a twitter/@Alh4zr3d livestream on https://www.twitch.tv/alh4zr3d, which then led me to twitter/@mttaggart and led me to https://www.youtube.com/taggarttech which has an API hacking video I want to watch next. #infosec #cososec
#hack100days Day49: Read chapters 17 and 18 of _Bug Bounty Bootcamp_. #infosec #cososec
#hack100days Day31: Diving back into _Bug Bounty Bootcamp_ by Vickie Li (@vickieli7/twitter). Skimmed/refreshed chapters 1-4. Slowed down on chapter 5 and started blindly applying examples to the VDP I picked last night. Finding hosts and subdomains. #infosec #cososec #bugbounty #enumallthethings