All set to take you through the journey of one of the best hacking time which I had with two of the most prestigious hackers. Before I start, everyone must know these 2 wonders of the cyber world. Akash Mahajan(aka @makash) and Riyaz Walikar (aka @riyazwalikar ), as title of the course suggests they are “Xtreme Web Hackers”. I will be referring them as “Masters” further as they are. They are the one who knows how to break the web applications in most efficient manner because they know how to build one. Once you know the fundamentals of building the things you can easily find the ways of breaking them. And that’s their secret in my view. Sorry but I have to stop here otherwise I need to write another blog then to describe these 2 legends of cyber world.
Coming back to the course, it was not just normal 2days workshop with bunch of slides to go through and forget about. It will all start with building up of war room to embark the journey towards Xtreme web hacking. As I said war room, it was not just machine but man as well and that’s too supermen 😉 with their strategy to break in.
Training Moto: As they say “War games are best way to learn hacking” and “A story can put whole brain to work”. This reflects in their 2 days of workshop.
1) Target web app Machine
2) Intermediate target for lateral movement
3) Offender’s League setup
4) And of course most important offensive strategy
Day I : It all started with setting up a lab infrastructure which was most important part of the journey including installing virtual machines, configuring virtual network, testing connectivity and be ready with your observation book for making a note of each and every observation during this journey.
Whole 2 day’s journey go by their words or we can say strategy of our Masters to put our brains on wheels by narrating, executing and involving everyone into the story woven by them.
It all starts with the target given to you for penetration which is of course a web application. It’s our turn now to wear a devil’s hat and start breaking into application but remember we had 2 Masters along directing our force where exactly we should go. We started with performing a DNS recon on our target domain to get the idea of different web application it is running. Proceeding with finding SQL injection vulnerability on our target for hunting sensitive data from database, but this was done manually and not using any automated tool particularly to make you understand the basics of hacking along with the understanding of application behavior. Next step was to get the admin access of the web application and try to execute the arbitrary code on the server to achieve our goal. Moving forward we started with another target which we found during the time of initial recon of the DNS. Through next course of actions we learned abusing PHP wrapper, using LFI, attack serialization, using hash function, bit padding, and executing final exploit. We reached our final target for Day 1 where we learnt more on XSS, SOP, CORS Headers, setting up XSS payload, hosting your payload, uploading the payload, tricking admin user into executing the payload, cookie stealing, binary stuffing and finally uploading & executing your payload using LFI. So much of offensive security stuff loaded on our mind at the end of day one. In our Master’s language, we were drunk with hacking at the end of Day I.
We started with our focus on moving laterally within the network to find out other hidden servers which were serving internally. We used the previously collected information to hunt internal target with the plan of tunneling the traffic to internal network using pivoting. We tried 2 methods for pivoting, pwfd script and Socat. Then we created our PHP shell using meterpreter and hosted the same on python http server followed by uploading the shell on our target using LFI. Our shell reached the target now it was our turn to ready our metasploit and run the shell on target. Bingo! We have the active meterpreter connection now. Using this connection we started moving further into the network by tunneling the traffic using pivoting. In last we learnt Server Side Request Forgery (SSRF)/ Cross site port attack (XSPA) and also learnt how Riyaz earned Bug bounty using this 😉
We declared the overflow of knowledge but our Master were wearing devil’s hat and they decided to take our exam in the form of CTF where we need to apply the knowledge of 2 days. This CTF helped us in understanding the web application security and methodological sequence to apply while performing any application security.
Key Learning’s: As I always say, what all matters is strategy rather than tools. You might be knowing hundreds of tools but if you don’t know when and where to apply them, then everything fails.
To conclude, we learnt:
How to identify vulnerable application
How to identify exact vulnerability
How to Use the identified vulnerabilities to exploit and gain system access
How to Escalate the privileges and moving laterally to other systems