Posts

OSCP - Personal Notes

Hey guys, in this post I am just going to copy-paste the notes I collected during my OSCP journey from different sources. Feel free to collaborate. 💀

[*] SSH - 22
Tunneling: ssh -L 8443:127.0.0.1:8443 user@x.x.x.x
Credential spraying: ncrack -U users.txt -P pass.txt ssh://x.x.x.x

[*] DNS - 53
Perform a DNS zone transfer check:
dig axfr x.x.x.x
dig axfr vhost.com @x.x.x.x

[*] TCPDUMP
tcpdump -i eth0 icmp

[*] SMB
1. SMB protocol enumeration: nmap -p445 --script smb-protocols x.x.x.x
2. Check for SMB vulnerabilities: nmap --script smb-vuln* x.x.x.x
3. Get a list of shares available on a host: smbclient -L x.x.x.x
4. Connect to the share: smbclient //x.x.x.x/Share_Name
5. SMBMap for checking access on file shares: smbmap -H x.x.x.x -u Username -p Password or smbmap -u '' -p '' -d 'htb.local' -H x.x.x.x
6. Download all files in shares: smbget -R smb://x.x.x.x/Share -U Username
7. Use crackmapexec for spraying: crackmapexec smb 10.10.10.175 -u Users.txt -p Pass.txt --co...

OSCP - Tips for Beginners!

On 9th August 2020, I received a confirmation mail from Offensive Security that I had successfully cleared my exam and I am now an OSCP! After posting this on LinkedIn, I got tons of messages from people asking me for tips and what my thoughts on the OSCP exam are. So, in this post I'll be sharing my notes as well as a few important takeaways which I feel will help every beginner just like me! 😄

Tip #1: Always read more writeups! I know, it's a common suggestion that every other OSCP will give, but believe me, it works!

Tip #2: Follow the legendary Ippsec. On his YouTube channel you will get to learn a lot of techniques. Only watching his videos won't help, so make proper notes. Link: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA

Tip #3: Practice, practice and practice! OSCP labs + HTB + Vulnhub would be enough. (I also bought an HTB VIP subscription just to practice more on retired boxes.)

Tip #4: Before my ex...

OSCP Giveaway Challenge - Writeup

On 4th August, I received a message from my mentor Tanoy that Offensive Security was doing a giveaway for an OSCP voucher. But in order to participate in the giveaway, participants had to pwn a box on vulnhub.com and submit the root flag on the Discord server. So I thought, let's give it a try, and to be honest it was a pretty easy box 😊. You can download the machine from the link below: https://www.vulnhub.com/entry/infosec-prep-oscp,508 Download the VM and get the IP. In my case it was 10.0.2.10

Steps:
1. Start with an nmap scan. After the scan we noticed that ports 22 and 80 are open.
2. The nmap scan reveals a /secret.txt file present on the web server. After visiting the file we got some base64-encoded data.
3. Decode it and you will get an OpenSSH private key.
4. Save the decoded data in a text file. Use the following command to connect on port 22.
5. Host a local server using Python and transfer LinEnum.sh to the target machine. After running LinEnum.sh, we noticed the SUID bit set on bash.
6. After exploiting SUID, ...

Photographer:1 Walkthrough - Vulnhub

This machine was developed to prepare for OSCP. It is a boot2root challenge. Let's begin! Target IP: 10.0.2.11

1. Results of the nmap scan.
2. We noticed that an HTTP service is running on ports 80 and 8000. Also Samba smbd on 445.
3. Let's visit port 80.
4. After performing directory fuzzing we didn't find anything sensitive. It's time to explore the next port, which is port 8000. At the bottom of the page it discloses the CMS name, which is Koken. Koken CMS is vulnerable to authenticated RCE, but in order to exploit it we will require admin credentials.
5. Wfuzz gave us the /admin/ directory through which we can log in. Still, creds required :(
6. Now we can connect to the SMB share on port 445. After connecting on port 445 we noticed two files.
7. The mailsent.txt file reveals user Daisa's email address and indicates a secret, "babygirl", which can be used as a password to log into the Koken application.
8. Success! Now we can log into the Koken admin panel. After browsing to Con...

#Bugbountytips

Before you start reading this post, let me tell you that all the tips are collected from Twitter (a few are mine 😓), where awesome community folks share their knowledge and experience. I tried to mention every single Twitter handle from which I took the tips; in case your name is missing, please reach out to me. 😉

Authentication
# Access control vulnerabilities with blocked access can be bypassed by adding the X-Original-URL header.
POST /admin/deleteUser HTTP/1.1 -> 403
POST / HTTP/1.1
X-Original-URL: /admin/deleteUser -> 200 OK
Bypass success!
# Accessing the admin panel
https://target.com/admin/ - 302
https://target.com/admin..;/ - 200

IDOR
# Suppose you find the endpoint GET /api_v1/messages?user_id=Your_user_id
Try:
GET /api_v1/messages?user_id=Another_user_id
GET /api_v1/messages?user_id=Your_user_id&user_id=another_user_id
GET /api_v1/messages?user_id=another_user_id&user_id=Your_user_id

CORS
# CORS Protection RegEx Bypass
If the target only a...

API Testing Checklist

Checkpoints:
1. Older API versions tend to be more vulnerable and lack security mechanisms. Leverage the predictable nature of REST APIs to find old versions. Saw a call to 'api/v3/login'? Check if 'api/v1/login' exists as well. It might be more vulnerable.
2. Never assume there's only one way to authenticate to an API! Modern apps have many API endpoints for AuthN: `/api/mobile/login` | `/api/v3/login` | `/api/magic_link`; etc. Find and test all of them for AuthN problems.
3. Remember how SQL injections used to be extremely common 5-10 years ago, and you could break into almost every company? BOLA (IDOR) is the new epidemic of API security.
4. Testing a Ruby on Rails app and noticed an HTTP parameter containing a URL? Developers sometimes use the "Kernel#open" function to access URLs == Game Over. Just send a pipe as the first character and then a shell command (command injection by design). Reference link: https://apidock.com/ruby/Kernel/open
5. Found SSR...

About Me.

I am a security enthusiast in the areas of web applications, network engineering and mobile applications; programming is also part of my interests (Python lover :p). I also work as an independent web-application security engineer with broad experience in all aspects of security management and implementation. I am looking forward to hardening my skills in various security standards. As part of my core interest, I always prefer spending my leisure time performing individual security audits, vulnerability assessments or source code analysis. I am also a bug bounty hunter. I have participated in all major bug bounty programs organised by internet giants like Google, Microsoft, Apple, Bugcrowd, etc. I have 4+ years of expertise in both black-box and white-box penetration testing.