Ideas for deeper diving

As we have discussed a couple of times, I'm hoping (and I believe you're hoping, too) that your vulnerable machines won't consist solely of a list of simple and pretty boring vulnerabilities chained together (e.g., find a text file with passwords left open on the website; ssh with those creds to find an encrypted zip file whose password is easily cracked to discover yet more creds; ssh again; sudo -l to discover somebody has full passwordless sudo permissions; now you're root!).

To avoid that danger, I'd like you to think of one or more of the vulnerabilities built into your target VM as an opportunity to dig a little deeper and learn about something you want to know more about. Here are a few ideas, pretty much off the top of my head. There's a long list waiting to be added to these few ideas. Follow your curiosity and see what you can learn.

For all of these ideas, you would combine your learning with a demonstration of how the relevant vulnerability comes to exist in the first place (i.e., by implementing it in your target VM), and with a demonstration of an exploit (in your walkthrough).

Exposed .git folders

How do the data structures in this folder store the entire history of a repo? What are the file formats involved? How are commits stored? How are branches stored? etc.
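As a starting point for these questions, here is an added example (not part of the original assignment page) that builds and parses git "loose" objects in Python, assuming the default SHA-1 object format. The author line, tree id and commit messages are constructed sample data, and the function names are this example's own.

```python
import hashlib
import zlib

def encode_loose(obj_type, body):
    """Return (object id, on-disk bytes) for one loose object."""
    store = f"{obj_type} {len(body)}".encode() + b"\x00" + body
    # The id is the SHA-1 of the uncompressed header+body; the file is zlib-deflated.
    return hashlib.sha1(store).hexdigest(), zlib.compress(store)

def decode_loose(raw):
    """Inflate a loose object and split it into (type, body), checking the size."""
    header, _, body = zlib.decompress(raw).partition(b"\x00")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError("header size does not match body length")
    return obj_type, body

def loose_path(oid):
    """First two hex digits name the directory, the remaining 38 the file."""
    return f".git/objects/{oid[:2]}/{oid[2:]}"

def parse_commit(body):
    """Split a commit body into its header fields and message."""
    head, _, message = body.decode().partition("\n\n")
    commit = {"parents": [], "message": message}
    for line in head.split("\n"):
        if line.startswith(" "):  # continuation of a multi-line header (e.g. gpgsig)
            continue
        key, _, value = line.partition(" ")
        if key == "parent":
            commit["parents"].append(value)
        else:
            commit[key] = value
    return commit

# Constructed sample data: a blob, then two commits chained by a parent pointer.
BLOB_ID, BLOB_RAW = encode_loose("blob", b"hello\n")
TREE_ID = "0" * 40  # placeholder tree id, not a real tree object
WHO = "Example Student <student@example.com> 1700000000 +0000"
BASE = f"tree {TREE_ID}\nauthor {WHO}\ncommitter {WHO}\n\n"
FIRST_ID, FIRST_RAW = encode_loose("commit", (BASE + "initial commit\n").encode())
SECOND_BODY = BASE.replace("\nauthor", f"\nparent {FIRST_ID}\nauthor", 1) + "remove password file\n"
SECOND_ID, SECOND_RAW = encode_loose("commit", SECOND_BODY.encode())
# A branch is a text file holding the id of its newest commit.
BRANCH_FILE = {".git/refs/heads/main": SECOND_ID + "\n"}

if __name__ == "__main__":
    print(loose_path(SECOND_ID), parse_commit(decode_loose(SECOND_RAW)[1]))
```

Real repositories also keep objects in packfiles under .git/objects/pack and refs in a packed-refs file, which this sketch does not read.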

Web sessions

How do session keys work in practice? Is login state stored on the client machine or the server, or does it depend on the system? In what ways are session keys vulnerable?

Password cracking

  • How do cryptographic hashes work?
  • What kinds of attacks on older hashes (e.g. MD5) have been published, and exactly how vulnerable are they?
  • What kinds of data structures and algorithms do state-of-the-art password-cracking systems use?

Dangerous file types

Besides just putting user names and passwords in text files, what other kinds of files can be exposed (on a website, say), and what are their file formats? One example is everything in a .git folder (see above), but what about .swp, .pyc, .class, ... files?

WordPress

  • How are plugins structured, and how can they be abused?
  • How is authentication handled, and how can that be attacked?
  • What public exploits exist that can lead to remote code execution?

Famous (or not) vulnerabilities in open source software

  • Set up a vulnerable system
  • Set up an exploit to demonstrate the attack
  • Study and explain the vulnerable source code (in Linux, Apache, OpenSSH, or whatever) and the commits that corrected the vulnerabilities
  • Lots of great choices: Shellshock, Heartbleed, log4shell, that Apache 2.4.50 directory traversal we were talking about, etc., etc.

SQL injection

  • Study the varieties of SQL injection attack categories, and compare the techniques an attacker needs to use to succeed against each vulnerability type.
  • Demo the various types of programming errors that lead to injection vulnerabilities, and prescribe solutions for these errors.
  • Study how sqlmap launches its attacks. (Watching sqlmap using its "verbose" setting is truly a revelation in how sneaky and clever an attack can be.)

Privilege escalation with setuid

  • Why does the setuid system exist in the first place? What legitimate (and important) purposes does it serve?
  • What conditions are required for you to exploit a setuid vulnerability once you have a foothold on a machine?
  • How is setuid implemented within the Linux code? How does that code correspond to what happens when you run a setuid application?
  • What kinds of commands does gtfobins exploit, and do the exploits have any common themes?

Privilege escalation with sudo

  • What does sudo do?
  • How can a user be given sudo privileges?
  • How is sudo implemented in the Linux code?
  • Same questions as with setuid regarding gtfobins

Cron jobs

  • Classify (and demonstrate) various approaches to exploiting existing cron jobs from an unprivileged account.
  • How are cron jobs created from the user/sysadmin point of view? (i.e., how do you set one up?)
  • What tools can you use to monitor cron jobs in action?
  • How are cron jobs implemented in the Linux code?

Misc other stuff I've heard of

More ideas...

What do you think?