Tag Archives: cyber

Evasion Techniques and Breaching Defenses (PEN-300) – OSEP – Initial Thoughts

I just started this course the other day. I’m already neck deep in VBA, C#, and Powershell, which I need more experience in anyway. I had to do some C# for the AWAE/OSWE and I’ve written a couple very small web apps in C#. I’ve done a very minimal amount of Powershell, though I’ve been meaning to change that.

I know a lot of people say the OSCP is lacking in Active Directory attacking, which may be true. I’d counter by saying what the OSCP doesn’t cover, PEN-300 will cover. The courses go hand in hand. My early opinion is that anybody that takes and passes the OSCP should do PEN-300

All in all, I’m pleased so far. I’m only about 1/7th of the way through the PDF, though. I have a lot to go. With all that I have going on IRL, I’m not sure I’ll be able to finish it in the two months I’m allotted – I may have to get an extension.

My plan is to pass the OSEP exam in October and then start the EXP-301 course and pass that exam by the end of the year. This is an aggressive, and probably unrealistic goal, but oh well, haha.

Anyway, I’ll be back with a full report after the exam.

So you wanna bug hunt?

> All the Rage:

Bug hunting seems to be all the rage these days. I can understand that, hacking is fun. So if you can hack (legally) and get paid, why not? Let me just tell you what you’re getting yourself into.

For one, you probably aren’t going to make much money, and even if you do make some money, you’d have probably made more with a part time job, or doing whatever needs to get done at your day job to move up in the organization and make more money.

Here are a few questions to ask yourself before you bug hunt.

Can you afford $20-$40 a month for a VPS? You’ll be doing A LOT of recon and you don’t want to do it from your home IP address. You’ll get IP bans, and it will really make your household angry if they can’t get on Netflix because you spent all night hammering Akamai or whatever the case may be.

Can you afford a $400 Burp Pro subscription? Yeah, you may be able to get away without it, but IMO it isn’t worth the effort – double so if you do/are planning to work in the security industry.

> Programs:

Now, you see all those programs listed for hacking on HackerOne and and BugCrowd? Well they are all public programs that have had thousands of people picking over their programs for YEARS at this point. That’s not to say some bugs aren’t still there, they are, but they are way, way less in numbers. Not to mention, many of them have had paid pentesters hacking on them. A lot of these programs were private before they went public too, so when you see the “launched” time, it actually isn’t true – the program didn’t just launch this month.

And don’t get me started on the unpaid bounty programs. They basically are getting all this work done without having to pay anybody. But hey, you’ll get points for hacking them!!!!! Oh wow, great. Unpaid programs should not exist. It lessens the value of our work.

Let me tell you a story of me and an unpaid program. About a year ago, I got invited to this program, and I immediately realized the scope was very large – which is awesome. Within a few days, I had found a bunch of bugs. All of these bugs were medium or higher, and one was EXTREMELY critical. So naturally, I’m happy, and I’m thinking I’m going to make some good money. Wrong. That’s when I found out that this program was unpaid.

I know, I know – it is my fault for not checking first. At the time, I was under the assumption that you had to be a paid program to be a private program. I don’t know where I got that from. My point remains valid. Basically, there is a good chance I saved this company millions of dollars, and without going into details, it could have been worse that just a monetary loss for them. You know what I got in return? Points. Great. Wow.

This actually happened to me again recently. Yes, I’m stupid. But I digress, haha.

> Coding:

I see a lot of posts asking if you need to know how to code to bug hunt. It sounds like a lot of these people are trying to get away without learning how to code. Let me help you.

YOU NEED TO KNOW HOW TO CODE.

You don’t have to be a pro, but you need to be decently fluent in python and bash, and at the very least, be able to read PHP and Javascript. The more experienced you are the better.

You see those people making a lot of money bug hunting? They are probably good coders. They’ve probably automated all their recon with Python or Bash scripts. They can decompile mobile and web apps. They’re pretty good coders, generally.

> Certs:

Let’s talk about the OSCP. Is it a cool cert? Yes. Does it teach you much about bug hunting? Yes and no. You’ll need to add a lot more techniques and tools to your arsenal to be successful. The offsec AWAE does have some topics that are useful to bug hunting – web apps in particular.

Let’s talk about these techniques and tools.

You’ll need to install a lot of tools you’ve never heard of. And listen, everybody has a massive amount of bug hunting scripted. They are constantly scanning ALL the hosts in EVERY program for low hanging fruit. Again, that doesn’t mean you won’t find anything, but it greatly reduces your chances.

You still wanna bug hunt? Go for it. But don’t get discouraged when you’re in the hole $600 bucks and you’ve found two self XSS vulns after a year. Lol

> TLDR:

Don’t bug hunt, and if you do, avoid unpaid programs. Better yet, spend your time advancing your career or getting a part time job. Also, use my Linode link for your VPS 😉

Offsec Proving Grounds Review

If you don’t already know, the Offsec Proving Grounds are a new laboratory created by Offsec to compliment their training courses. It’s basically a Hack the Box version of Vulnhub, and it explains why Offsec purchased Vulnhub recently.

I’ve been trying it out for a couple of months now, and I think it was a good move for Offsec, but it is lagging vs. the competition.

> Price

First off, for $20 a month, it is significantly more expensive than HTB’s standard VIP option, which is about $10. HTB also has more boxes, challenges, labs, etc. So Offsec is definitely behind, in this regard. With that said, Offsec has started paying people to submit boxes, so I see the number and quality of boxes available increasing soon. I know if I was to make a box, and I’ve toyed around with the idea, I’d probably submit it to Offsec before HTB, at this point.

> Site Design

Offsec’s website design is functional, but it isn’t as flashy as HTB. That may be a positive or negative, depending on your taste. At first I had some troubles getting machines to start properly, but that appears to be ironed out.

> Functionality

It seems you have to have your VPN connection going to start a machine, which is almost as annoying as the machines changing IP addresses each time they are restarted. Also, don’t log out and clear your cookies, that will make stuff go a bit haywire, though that may be cleared up by now. I think you should be able to add this to your .ovpn file to automatically log in

auth-user-pass /home/user/.ssh/login.conf

And then create login.conf in the same directory as the ovpn file. In login.conf, put your username on one line and password on the next line – that’s all. Two lines, first is username and the second is your password.

> Conclusion

I’d say the proving grounds are best for those people working towards an OSCP. They easy boxes on the site are actually easy in comparison to the newer HTB “easy” boxes. Offsec needs to work on updating the website to be a bit more modern, and add more features to increase the value. After all, why would somebody pay nearly double the price of HTB for less value? Also, please make it so I don’t have to enter my obscure VPN credentials every time I log in.