Huntress CTF

• Did one of the most useless challenges to date

HTB Academy

• Started Advanced Deserialization Attacks module
• Dotnet deserialization vulns

Burpsuite exam

• Got all the solutions, waiting for the final result, should pass unless something weird happens

Huntress CTF

• Some bullshit challanges time around

Huntress CTF!

• Some log analysis, nothing interesting
• Did some dynamic analysis on a powershell script via procmon

Huntress CTF !

- Some phishing, nothing really exciting here

Huntress CTF!

• jse file decrypting!
• can be done with https://github.com/sstraw/scrdec
• UPDATE: Even better! Use CyberChef!!!

Burpsuite Academy

-Random labs here and there

Burpsuite Academy

• Some mystery boxes, tried SQL injection via burp

Burpsuite Academy

Practice exam

• Did another practice exam
• Did not pass on time again (had some breaks, was very close on first try even with breaks)
• Second try managed to solve it in very little time

XSS practice

- Did some labs to practice XSS filter evasion

Burpsuite academy

• Did pracice exam and some mystery boxes

• Failed on time, managed to solve it on second try

• Need to focus more on filter evasion

BurpSuite Academy

Access Control

• Nothing really new here, good refresher
• Some headers to try bypass restricted routes:

X-Original-URL
X-Rewrite-URL

Eg

GET / HTTP/2
Host: 0a3600fd0451e51281233422003600f9.web-security-academy.net
X-Original-Url: /admin

Cache flaws

• Same here, HTB EasterBunny taught me well on the cache things!
• One random trick: language cookies can be also cached, rarely, but sometimes

Burpsuite Academy

Request smuggling

• Tried to understand how this vuln actually works

  1) Cl.TE

• Frontend server sends content according to the Content-Length header. Backend uses Transfer-Encoding to detect request length

• This can be detected by sending two requests in one connection, Content-length header can be length of the transfer-encoding part and the second request

Example:

POST / HTTP/1.1

Host: 0aff002304fcf3238029800a00c400e7.web-security-academy.net

Content-Length: 49

Transfer-Encoding: chunked

e

q=smuggling&x=

0

GET /404 HTTP/1.1

Foo: x

Here, content length is equal to everything after the first headers. Transfer-Encoding size is put as e (12 in decimal) which includes the "q=smuggling&x=" part. Since frontend uses CL it sends both of these requests in the same time and backend processes these as separate requests. This means that backend sends us a response and starts waiting for end of our smuggled request "GET /404". After we or someone else sends a request they receive error 404 since there is no /404 path.

2) TE.CL

• This works in reverse. Frontend uses Transfer-Encoding header and Backend uses Content-Length. We send a request with small Content-Length header value and include our smuggled request in the Transfer-Encoding part of the request

Example:

POST / HTTP/1.1

Host: 0ae600f6039234d480b2d0de00e0009e.web-security-academy.net

Content-Type: application/x-www-form-urlencoded

Content-Length: 4

Transfer-Encoding: chunked

9e

GET /404 HTTP/1.1

Host: 0ae600f6039234d480b2d0de00e0009e.web-security-academy.net

Content-Type: application/x-www-form-urlencoded

Content-Length: 144

x=

0

There, content-length is 4 and it includes data just before the next "GET". Transfer-Encoding length (9e) includes the second request. Since frontend uses TE it sends the request as one. Frontend processes these as two requests, and the next request will be the GET /404

Browsed through BurpSuite Academy

Logic bugs

Nothing major, just a reminder to try to always go with unintended application flow and try to go with unexpected or intentionally missing parameters. Also, skip events when possible (don't follow redirects etc..)

Eg. with numbers use negative or very big numbers, On strings use long strings.

Some basic deserilization

Nothing new, nice reminder of mostly php deserilization vulnerabilities

Nice caviat: when comparing number zero to string loosely on PHP it returns always true. Eg

if(0 == "test") {echo "???";}