SSH Port Forwarding, Network Pentesting, Pivoting

A year ago, I worked on one of the eLearning Security labs while taking the PTP course. During one of the labs, I compromised an external web server where I found MySQL and RDP’s internal services running on the localhost.

The firewall set up on that network blocks any inbound traffic to these services. To interact with them, I needed to tunnel the traffic from the internal compromised machine to mine and bypass the firewall restriction — that technique is called Port forwarding or tunneling.

Today, we are going to talk about local and remote port tunneling with the SSH protocol. …

Recently working on the Sniper machine on hack the box, I came across a technique of exploiting a remote file inclusion on a PHP application with SMB.

Before working on this machine, my understanding was that PHP applications are vulnerable to Remote File Inclusion ONLY when “allow_url_include” and “allow_url_fopen” functions are set to On. However, what I learned is that these restrictions apply only to HTTP and FTP protocols.

• Allow_url_include function allows the inclusion of a remote file using a URL rather than a local file path.
• allow_url_fopen allows data retrieval from a remote server or website.

The inclusion restriction does not apply to SMB UNC paths. …

Chaining Command Injection vulnerability & Insecure Configuration to obtain AWS account information

There is a common misconception that cloud-hosted services are more secure than traditional ones. Well, as it might be partially correct on the infrastructure level, they still have user-controlled elements that can contribute to their vulnerability.

This short tutorial will explore how to exploit a vulnerable Lambda function and leak its AWS account information.

Before we jump into it, let’s go over the fundamental terminology.

💭$_Key_Concepts:

• AWS Lambda Function
• Command Injection (OWASP A1 Injections)
• Exploitation Demo
• Resources

🔥$_AWS_Lambda_Function

Lambda function is an AWS serverless computing service designed to execute code only when needed or triggered. Once the execution is over, the computing instance that runs the code decommissions itself. You can create as many functions as the application needs for handling different tasks. …

Basic Server-Side Request Forgery on Selenium Grid Framework

Recently I was reading through bug bounty write-ups as it is becoming my favorite pastime activity in the quarantine. I came across a Selenium Grid article written by Peter Jaric; he explained the lack of authentication and the hardening of security measures on a Selenium Grid framework.

Searching more online, I found out that Selenium Grid, out of the box, offers no built-in authentication and has the functionality of loading scripts that make the server vulnerable to Server-Side Request Forgery attack.

I decided to learn more about the SSRF attacks and apply it to the Selenium Grid testing instances that I built in my lab. As usual, before we get started, we will go over the key concepts before delving into the exploitation part. …

Remote Code Execution through Insecure Deserialization Vulnerability

Today, I will go over one of the OWASP’s top 10 vulnerabilities, Insecure Deserialization focusing on exploiting basic .NET applications.

📝$_Serialization_vs_Deserialization

Serialization is the process of turning data objects into a stream of bytes that can be stored in files, memories, and databases or sent over a network, between different components of an application, and in API calls.

Deserialization is the opposite process; it restores the stream bytes into their original state of objects before they were serialized.

Insecure deserialization is passing manipulated serialized objects that can be interpreted by the application leading to its control. The impact of this vulnerability ranges from denial-of-service attacks, bypass authentications to arbitrary code execution. …

Data Exfiltration in OpenEMR 2018 v5.0.1

Applications errors and warning messages are significant for understanding the application’s infrastructure and its underlying technologies. If you can get an application to communicate back to you during testing with viewable errors, you will understand the application’s behavior better.

This article will focus on exfiltrating data through XPATH functions in MySQL error-based injections. I’ll be going through the manual enumeration of an application, discovering the SQL vulnerability, and then using the Intruder feature in Burp Suite to automate the database dumping.

📔 $_Key_Concepts_To_Cover:

• In-Band Error Based SQL Injection.
• XPath functions in MySQL.
• Identifying the SQL vulnerability with manual testing. …

Linux Privilege Escalation Technique

There are many common techniques in Linux privilege escalation that are related to abusing SUID programs. In this quick tutorial, we will talk about the method of hijacking relative paths to escalate privileges.

Before we get started, let’s create a baseline understanding of what SUID is, the difference between Absolute paths and Relative paths, and how we can use them to our advantage.

$_Set_User_ID:

SUID, known as (Set User ID), is a special Linux type permission that allows a user to run a file with the same level of permission as the file owner. …

Exploit Analysis of OpenNetAdmin v18.1.1

$_ What_is_OpenNetAdmin?

OpenNetAdmin is a Network Management application that provides a database of managed inventory of IPs, subnets, and hosts in a network with a centralized AJAX web interface. The application is an Opensource written in PHP; you can view the source code on GitHub “ONA Project.”

$_Features_of_OpenNetAdmin

• Full command-line interface for scripting and batch maintenance. Local or remote capabilities.
• Plugin system to extend the functionality
• Manage DNS and DHCP server configs, archive host configs
• Full CLI interface for batch and scripting

$_Vulnerability_Impact

The vulnerability found in v18.1.1 allows for a code execution that leads to a full compromise of the hosting machine. …