Our second week was better than the first. I think that both Chaz and I are feeling a lot more like we are part of the team.
This week we didn't spend as much time on our computers, we had a week long in-house training course on WebApp testing where we listened and discussed various techniques, concepts, and other nuanced things that take place during a WebApp PenTest.
After each section, we were given a specific challenge pertaining to that section. Throughout the course we used the same WebApp but were encouraged not to get ahead of ourselves. Instead we learned to focus on one phase at a time.
First we focused on information gathering, pin-pointing what we could from the WebApp: headers, comments, frameworks. As well as exploring all functionality that was available to us: registering, forgot password, login, etc.
Next, we focused on identifying which areas were potentially weak based on various conditions: unenforced or weak password policies, weak systems such as forgotten password retreival, account enumeration through overly verbose error messages, etc.
Afterwards, we focused on crypto, checking the configuration of the WebApp and web server to make sure it was employing all the best standards and not using any weak ciphers, etc.
Next we were asked to explore session management and cookies, to take them apart as best we could and figure out what we could learn from them. We ended up discovering a lot of issues with sessions and cookies, among which we found our user's password was also stored in the cookie as a md5 hash. However the cookie was signed and was therefore not tamperable without the secret key used to sign them.
Now, we had enough information to start poking at things more, we were asked to find a way to make our accounts an admin, or to gain access to an admin account. During this process we did a number of things, We discovered which accounts we could attempt to bruteforce, as well as testing the login and password reset mechanisms for weaknesses that would allow us to bypass them and get into an account without the correct information.
Afterwards, we were asked to find any user controlled data points and see if we could get either command or SQLi. We found a simple command injection in the file upload, as well as an SQLi on an SQLite3 database query which we were asked to do manually. It had been a while so it was nice to get back in the swing of doing that.
We finished this training a couple days early so our boss gave us a crypto challenge which we were asked to write a script to solve. It was quite difficult compared to what crypto challenges I was used to.
We did manage to get a working script but only after getting a lot of hints and roadmaps from our boss.
shrug cryptos not really our thing.
I was also encouraged to get my OSCP by my line manager, so will likely be purchasing lab time in September. I guess ch3rn0byl will finally be proud of me :D
All in all it was another easy-going week. Probably the calm before the storm of client work, lol. We learned a lot, got lots of feedback and got to know our team better.
I think the key take away is that they aren't just throwing us directly into the deep-end, and I think that's what we were afraid of.
Next week we have our first full practice engagement start to finish, and assuming that goes well we start client work the following week!
Subscribe to mallardlabs
Get the latest posts delivered right to your inbox