Enumeration, Data Exfiltration, and SSRF Attacks
I am currently taking the Web Application Bootcamp by Vivek Ramachandran from Pentester Academy to refresh my testing skills for the OWASP Top 10 vulnerabilities. What better way to end the “unpredictable” year, right?!
I decided to share the testing methodology I developed while taking the class and solving the challenges.
Today, I will explore the XML External Entity (XXE) vulnerability and how we can leverage it to perform data exfiltration and SSRF attacks.
Before we dive into it, let’s cover the fundamentals.
XML is a markup language designed for storing and transporting data. It is commonly used in configuration files and web services. …
SSH Port Forwarding, Network Pentesting, Pivoting
A year ago, I worked on one of the eLearnSecurity labs while taking the PTP course. During one of the labs, I compromised an external web server where I found internal MySQL and RDP services running on localhost.
The firewall set up on that network blocks any inbound traffic to these services. To interact with them, I needed to tunnel the traffic from the compromised internal machine to mine and bypass the firewall restriction — that technique is called port forwarding or tunneling.
Today, we are going to talk about local and remote port tunneling with the SSH protocol. …
Recently, while working on the Sniper machine on Hack The Box, I came across a technique for exploiting a remote file inclusion in a PHP application via SMB.
Before working on this machine, my understanding was that PHP applications are vulnerable to Remote File Inclusion ONLY when “allow_url_include” and “allow_url_fopen” functions are set to On. However, what I learned is that these restrictions apply only to HTTP and FTP protocols.
The inclusion restriction does not apply to SMB UNC paths. …
Chaining Command Injection vulnerability & Insecure Configuration to obtain AWS account information
There is a common misconception that cloud-hosted services are more secure than traditional ones. While this may be partially true at the infrastructure level, cloud services still have user-controlled components that can introduce vulnerabilities.
This short tutorial will explore how to exploit a vulnerable Lambda function and leak its AWS account information.
Before we jump into it, let’s go over the fundamental terminology.
AWS Lambda is a serverless computing service designed to execute code only when needed or triggered. Once execution is over, the compute instance that ran the code is decommissioned. You can create as many functions as the application needs to handle different tasks. …
Basic Server-Side Request Forgery on Selenium Grid Framework
Recently I was reading through bug bounty write-ups as it is becoming my favorite pastime activity in the quarantine. I came across a Selenium Grid article written by Peter Jaric; he explained the lack of authentication and the hardening of security measures on a Selenium Grid framework.
Searching more online, I found out that Selenium Grid, out of the box, offers no built-in authentication and has functionality for loading scripts that makes the server vulnerable to Server-Side Request Forgery attacks.
I decided to learn more about SSRF attacks and apply them to the Selenium Grid test instances that I built in my lab. As usual, we will go over the key concepts before delving into the exploitation part. …
Remote Code Execution through Insecure Deserialization Vulnerability
Today, I will go over one of the OWASP Top 10 vulnerabilities, Insecure Deserialization, focusing on exploiting basic .NET applications.
Serialization is the process of turning data objects into a stream of bytes that can be stored in files, memory, or databases, or sent over a network, between different components of an application, and in API calls.
Deserialization is the opposite process; it restores the byte stream into the objects it was serialized from.
Insecure deserialization occurs when an application accepts and deserializes manipulated serialized objects, allowing an attacker to control the application's behavior. The impact of this vulnerability ranges from denial of service and authentication bypass to arbitrary code execution. …
Data Exfiltration in OpenEMR 2018 v5.0.1
Application error and warning messages are valuable for understanding an application's infrastructure and its underlying technologies. If you can get an application to return viewable errors during testing, you will understand its behavior better.
This article will focus on exfiltrating data through XPath functions in MySQL error-based SQL injection. I'll be going through the manual enumeration of an application, discovering the SQL injection vulnerability, and then using the Intruder feature in Burp Suite to automate the database dump.
Linux Privilege Escalation Technique
Many common Linux privilege escalation techniques involve abusing SUID programs. In this quick tutorial, we will look at hijacking relative paths to escalate privileges.
Before we get started, let's create a baseline understanding of what SUID is, the difference between absolute paths and relative paths, and how we can use them to our advantage.
SUID (Set User ID) is a special Linux permission bit that allows a user to run a file with the same level of privilege as the file's owner. …
Exploit Analysis of OpenNetAdmin v18.1.1
OpenNetAdmin is a network management application that provides a database of managed inventory of IPs, subnets, and hosts in a network, with a centralized AJAX web interface. The application is open source and written in PHP; you can view the source code on GitHub under “ONA Project.”
The vulnerability found in v18.1.1 allows code execution that leads to full compromise of the hosting machine. …
Basic methodology to approach LFI vulnerability when Pentesting a Web Application
Local File Inclusion is a vulnerability often found in poorly-written web applications. This vulnerability occurs when a web application allows the user to submit input into files or upload files to the server — Offensive Security.
Most modern programming languages have mechanisms to prevent this type of vulnerability. However, older languages and frameworks such as Java, ASP.NET, and our old friend PHP are still prone to this issue if implemented incorrectly.
A successful attack would expose sensitive information about the running web server, such as configuration files, world-readable files, and system files. In some cases, this vulnerability can be escalated to remote code execution by including a remote shell and compromising the entire web server. …