Tag Archives: OSCP

PyMedusa OS Command Injection

PyMedusa is a well-known video library manager that many of us self-hosted types may use to organize our libraries. I decided to give it a spin one day and found a classic OS command injection as seen here. I reported it ASAP, though I was a little confused as to how to fix it at that time, but the team fixed it quite quickly. A great response time!

Sometimes people may say, “Hey, the OSCP is worthless and you won’t find anything like that IRL.” To that I’d reply, “You’d be surprised.” Also, this is a good example of OSWE-level security issues. This is a Python app that you can simply clone, install the requirements, and debug easily in VSCode.

This was given CVE-2023-28627.
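The bug class named above, OS command injection in a Python app, shown as an added illustration that is not PyMedusa’s code: the vulnerable pattern beside two hardened forms. `echo` stands in for whatever binary the app actually invokes, so the demonstration is harmless to run.

```python
import shlex
import subprocess

# Constructed stand-in for an app helper that shells out with a user-controlled value.


def run_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is interpolated into a shell command string."""
    cmd = f"echo {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(name: str) -> str:
    """Hardened: argv list and no shell, so shell metacharacters are plain data."""
    return subprocess.run(["echo", name], capture_output=True, text=True).stdout


def run_quoted(name: str) -> str:
    """If a shell is unavoidable, shlex.quote() makes the value a single literal word."""
    cmd = f"echo {shlex.quote(name)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def output_lines(out: str) -> list:
    """Split captured stdout into lines so the three variants can be compared."""
    return out.strip().splitlines()


if __name__ == "__main__":
    # Constructed input: a library title followed by a shell separator.
    title = "movie; echo injected"
    print("unsafe :", output_lines(run_unsafe(title)))   # second command runs
    print("safe   :", output_lines(run_safe(title)))     # one literal argument
    print("quoted :", output_lines(run_quoted(title)))   # one literal argument
```

The detection side is the same split: any call site that builds a shell string from request data is the finding, and the fix is the argv-list form.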

Offensive Security PEN-300 Evasion Techniques and Breaching Defenses – Course and Exam Review

You know, OffSec describes the OSEP as: “Evasion Techniques and Breaching Defenses (PEN-300) is an advanced penetration testing course”. I don’t know how advanced it is, if I can pass, lol. I generally have no idea what I’m doing.

Anyway, I really liked the course. There is a lot of material to keep you busy. Unless you’re already familiar with a large chunk of the topics, you’re probably best served by purchasing the 90-day version of the course. The challenge labs are fun. Make sure you do them before the exam.

The exam was challenging, but fair. You should be able to figure out what you need to do next somewhat quickly, but executing it may be a different story, if you’re anything like me. Just ask yourself, “What did I just accomplish, and what does that allow me to do now?” If you’ve completed the challenge labs, you will be well-prepared for the exam. Some people say to make sure you do all the questions and extra miles in the lab manual, but I only did, I don’t know, 30% of them?

I don’t know what’s next for me. I have a voucher to do the OSED, but I’m a little burned out at this point. I’ll probably put that off until the summer – because who doesn’t like sitting inside and writing exploits when the weather is nice?

Evasion Techniques and Breaching Defenses (PEN-300) – OSEP – Initial Thoughts

I just started this course the other day. I’m already neck deep in VBA, C#, and PowerShell, which I need more experience in anyway. I had to do some C# for the AWAE/OSWE and I’ve written a couple of very small web apps in C#. I’ve done a very minimal amount of PowerShell, though I’ve been meaning to change that.

I know a lot of people say the OSCP is lacking in Active Directory attacking, which may be true. I’d counter by saying what the OSCP doesn’t cover, PEN-300 will cover. The courses go hand in hand. My early opinion is that anybody who takes and passes the OSCP should do PEN-300.

All in all, I’m pleased so far. I’m only about 1/7th of the way through the PDF, though. I have a lot to go. With all that I have going on IRL, I’m not sure I’ll be able to finish it in the two months I’m allotted – I may have to get an extension.

My plan is to pass the OSEP exam in October and then start the EXP-301 course and pass that exam by the end of the year. This is an aggressive, and probably unrealistic goal, but oh well, haha.

Anyway, I’ll be back with a full report after the exam.

Advanced Web Attacks and Exploits – AWAE – Exam Review

> AWAE Course Overview

For people unfamiliar with this course and exam, here is a link to the Offensive Security website. I’ve also written about it before, so you can check my post history. Basically the course is a giant PDF and a bunch of videos that go over web application attacks. You then get access to a lab consisting of 13 machines that are running a wide variety of vulnerable web apps. In regard to languages/DBs/tech, this course covers VSCode, Visual Studio, JD-GUI, JavaScript, PHP, Node, Python, Java, C#, MySQL, and Postgres – so it’s pretty thorough.

The exam is a 48-hour-long exam where they give you access to two machines running vulnerable web apps. You have to bypass auth on them to get administrator access and then escalate your attack to full-blown remote code execution. You’ll get two debugging machines that are running the same apps as the exam machines. You get full access to the app source code – this is a white-box course after all. You have to review the code base, and then use these debugging machines to develop a ‘one-shot’ exploit script that bypasses auth and triggers RCE. I used Python, as do most people, I think.

Oh yeah, and they watch you on camera the whole time.

After the exam time is up, assuming you have enough points to pass, you have another 24 hours to write an exam report documenting what you found and how you exploited it.

> How did it go?

First things first: I had to take this one twice. My power went out twice, briefly, and my father had to go to the hospital (he’s fine) during my first attempt. Even though he lives hours away, and there wasn’t much I could do, I was a little distracted. And it wasn’t like I was in front of the computer for the full 48 hours. I took a break about every 1.5 hours or so and slept 5-6 hours both nights.

Nevertheless, I still managed RCE on one of the boxes, and if I had another hour or so, I would have had an auth bypass on the second box – which would likely have let me pass. I look back and I just kind of laugh at how I failed it. I missed something simple that would have given me enough points to pass. I even knew what I needed – I just overlooked it.

I actually noticed the vulns on both boxes within an hour of looking at them. I then went down some rabbit holes for a bit and got sidetracked – especially on the box that I considered the harder one.

The second time around I crushed the exam in about 8 hours – RCE on both boxes. I had my report turned in at the 20 hour mark or so – and I was lollygagging.

If you don’t know me, my background is this: I’m not a professional developer. I don’t work in IT. I have never worked in IT. I just like computers. If I can pass this exam, so can you.

> Advice and Review

My advice for people that are preparing to take this exam is to just take their time and read the code. You need to know how to get the VSCode debugging going. It is a lifesaver. It is probably hard to pass if you don’t get it working. If you follow the code flow in a debugger, things should pop out at you. With that said, they do throw in a couple curve balls, which I bet throws some people for a loop. Now these curve balls aren’t hard to hit, per se, but someone that hasn’t been in the infosec/CTF/bug bounty world may miss these things.

Another question that I’ve been asked is, “Do you need an OSCP to do this course?” I’ve changed my mind on this several times, and while I think an OSCP will give you a leg up, you don’t really need to have one – especially if you’re already involved in the hacking/bug bounty/CTF world. If you’re coming at it straight from being a developer, it may not hurt to expose yourself to this stuff beforehand.

All in all, I’d say the exam was fair and maybe a little on the easy side. I say that as someone that failed it once, too, haha. But not only that, the exam is also a lot of fun. I love the Offensive Security exams. Some people will probably hate me for saying that, but they are a lot of fun.

Offensive Security AWAE/OSWE

I was recently enrolled in the Offensive Security Advanced Web Attacks and Exploits course. This is the newer version of the course, and it leads to the Offensive Security Web Expert certification. Well, you’ll get the cert after you pass a 48-hour hands-on exam and write a report of your findings. Fun.

First off, I have bug bounty hunting/web app testing experience, so some of the material in the course is not new to me. With that said, the material is presented well, and I enjoyed being able to see somebody else’s methodology of going from initial exploit to full-blown remote code execution. And I definitely still learned a lot along the way.

I’m a mostly self-taught hacker, as are a lot of people in the field. Unfortunately, I find that when I learn on my own, I miss some things along the way. Usually it’s just little time-saving tricks or different ways of doing things, but sometimes I miss things that may cost me money in the bug hunting world. So, I like to supplement the self-learning with some courses occasionally.

If you’re reading this, you probably know how the labs are set up. You get access to 12 boxes running vulnerable software. You exploit them from initial exploit to RCE. The course manual and videos walk you through it, and then they give you “extra miles” to complete, if you’re inclined. The course manual and videos are well put together and explain all the exploits thoroughly.

Should you purchase this course? That depends. I think if you’re already established in the field and making some money bug hunting, you can probably pass it over. If you’re looking to make a transition into web-app pentesting from dev work, it would be a good choice for you. If you’re looking to challenge yourself, go for it. If you’re looking to bolster the resume, go for it.

What do you need to know to complete the course? Well, my skills in C# and Java are a little lacking, so those parts were the most challenging for me, but they were also the parts where I learned the most. I’ve seen some people recommend having an OSCP cert before starting the AWAE, but I don’t think that’s necessary. They are different beasts, and while there is some overlap, it isn’t much. I’d say having a thorough understanding of Python (the requests package and sessions) and Linux is much more helpful than having an OSCP. The course touches PHP, Node, regular JavaScript, Python, C#, and Java (am I forgetting anything?), so if you are lacking experience in any of those, I’d recommend familiarizing yourself with them before you start the course.

Offsec Proving Grounds Review

If you don’t already know, the Offsec Proving Grounds are a new laboratory created by Offsec to complement their training courses. It’s basically a Hack The Box version of VulnHub, and it explains why Offsec purchased VulnHub recently.

I’ve been trying it out for a couple of months now, and I think it was a good move for Offsec, but it is lagging vs. the competition.

> Price

First off, for $20 a month, it is significantly more expensive than HTB’s standard VIP option, which is about $10. HTB also has more boxes, challenges, labs, etc. So Offsec is definitely behind, in this regard. With that said, Offsec has started paying people to submit boxes, so I see the number and quality of boxes available increasing soon. I know if I was to make a box, and I’ve toyed around with the idea, I’d probably submit it to Offsec before HTB, at this point.

> Site Design

Offsec’s website design is functional, but it isn’t as flashy as HTB. That may be a positive or negative, depending on your taste. At first I had some troubles getting machines to start properly, but that appears to be ironed out.

> Functionality

It seems you have to have your VPN connection going to start a machine, which is almost as annoying as the machines changing IP addresses each time they are restarted. Also, don’t log out and clear your cookies; that will make stuff go a bit haywire, though that may be cleared up by now. I think you should be able to add this to your .ovpn file to automatically log in:

auth-user-pass /home/user/.ssh/login.conf

And then create login.conf in the same directory as the .ovpn file. In login.conf, put your username on one line and your password on the next line – that’s all. Two lines: the first is your username and the second is your password.
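Since that file holds a plaintext VPN credential, the one thing worth checking beyond the two-line format is its permissions. Added helper, not from the post or from OpenVPN: it writes the credential file owner-read/write only and verifies both the format and the mode (the directive path is the one from the post; the usernames and passwords in `demo()` are constructed).

```python
import os
import stat
import tempfile

# Directive line from the post; OpenVPN reads username and password from the named file.
OVPN_DIRECTIVE = "auth-user-pass /home/user/.ssh/login.conf"


def write_login_conf(path: str, username: str, password: str) -> None:
    """Write the two-line credential file OpenVPN expects, readable by the owner only."""
    for value in (username, password):
        if not value or "\n" in value or "\r" in value:
            raise ValueError("username and password must each be one non-empty line")
    # Create with mode 0600 from the start so there is no window with a wider mode.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{username}\n{password}\n")
    # os.open's mode only applies on creation; tighten a pre-existing file as well.
    os.chmod(path, 0o600)


def check_login_conf(path: str) -> bool:
    """True only if the file is exactly two non-empty lines and not group/world accessible."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False
    with open(path) as fh:
        lines = fh.read().splitlines()
    return len(lines) == 2 and all(lines)


def demo() -> tuple:
    """Write a constructed credential file, check it, then loosen the mode and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "login.conf")
        write_login_conf(path, "example_user", "example_pass")  # constructed values
        tight = check_login_conf(path)
        os.chmod(path, 0o644)  # what a careless copy or editor save might leave behind
        loose = check_login_conf(path)
    return tight, loose


if __name__ == "__main__":
    print(OVPN_DIRECTIVE)
    print("strict mode ok:", demo())  # (True, False)
```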

> Conclusion

I’d say the Proving Grounds are best for those people working towards an OSCP. The easy boxes on the site are actually easy in comparison to the newer HTB “easy” boxes. Offsec needs to work on updating the website to be a bit more modern, and add more features to increase the value. After all, why would somebody pay nearly double the price of HTB for less value? Also, please make it so I don’t have to enter my obscure VPN credentials every time I log in.

OSCP Exam Review


I took the OSCP (Offensive Security Certified Professional) some time ago, but recently enough. If you’re reading this, you probably know of the exam, but for those that don’t, here is a short explanation.

Basically, it’s a cybersecurity exam where you’re given access to a computer network containing five machines (computers). In the first 24 hours of the exam, your goal is to break into (or root, as we say) as many of these machines as possible. The second 24 hours is reserved for writing a report detailing the results of your penetration test. It’s supposed to mimic, in some fashion, a “real life” penetration test.

The test has a reputation of being really hard. It’s commonplace for people to not sleep much in the 48 hours they’re allotted to hack and write. And, after all, it isn’t an exam where you can just read a book, or memorize multiple choice questions – you actually have to know how to hack. Offensive Security, the company that runs the program, actually watches you the whole time via webcam.

With that said, I feel that the difficulty of the exam is overstated. That isn’t because I’m some sort of IT professional that has been doing this for 10 years professionally. I don’t work in IT, software engineering, or anything even tangentially related to computers. Nor do I have a degree in IT or Computer Science. I think people have issues with the exam for one main reason.

I think many people come into it way unprepared. And this may seem obvious, since if they were prepared, they would have passed, but please stick with me. They signed up for the OSCP, rooted a dozen boxes in the lab that you’re given access to, did a bit of the exercises in the manual, and called it a day, thinking they knew what they were doing because they’ve been working in IT for a decade. Well, let me tell you, they can always throw some software or web app at you that you’ve never even seen before, which is what happens to me weekly on HTB. However, the methods of attack will all be the same. In fact, I’d say the exam boxes were EASIER than easy boxes on HTB – especially the newer easy boxes.

In my opinion, you need to root >90% of the lab machines, and then be active on HTB for a few months to be fully prepared for this exam. You need to make box enumeration and privilege escalation second nature. You need to have notes, too. They can be very helpful. You need to be able to rip out a custom buffer overflow exploit in Python in less than an hour. You need to LEARN HOW TO GOOGLE. If you do this you’ll be golden.

I went in expecting Cyber World War 3, and was laughing and confused after about 5 hours when I had enough points to pass.

And then, once you pass, you can start in on something harder – the Advanced Web Attacks and Exploitation course, also created by Offensive Security, to get the Offensive Security Web Expert certification. That one is a 48-hour online exam followed by 24 hours to write a report, and supposedly much harder.

Good luck!