Introduction to Android Pentesting

Android Pentesting refers to the process of testing the security of Android applications and devices in order to identify potential vulnerabilities that could be exploited by attackers. It involves assessing the security posture of Android apps and systems by simulating attacks and attempting to exploit weaknesses in their design, implementation, or configuration.

In this guide we will be downloading tools used to get started with Android Pentesting and solving two HTB Mobile Challenges.

The tools we will use will be:

  • Android Studio
  • Burp Suite
  • Android Debug Bridge (ADB)
  • Frida

The HTB Challenges will be:

  • Pinned – We will perform an SSL Pinning Bypass.
  • Manager – We will hack the application using Burp Suite.

Let’s get started by installing the tools we will use. Java and Python need to be installed on the host machine to use these tools.

First let’s install Android Studio. This will allow us to create emulators for testing rather than using a physical device.

https://developer.android.com/studio

Once Android Studio is downloaded you can install it. Android Studio can be installed on Windows, MacOS, and Linux.

Next we will install Burp Suite.

https://portswigger.net/burp/communitydownload

Finally we will install Android Debug Bridge (ADB).

https://developer.android.com/tools/adb

The first program we will use is Android Studio. This will allow us to create emulators for Android Devices.

When starting Android Studio for the first time we will need to create a project.

I will name the Project Android Pentesting.

Creating a Device for testing.

Click the phone with Android Icon in the Top Right Corner.

Click on “Add a new device…”

Next select Create Virtual Device.

Feel free to experiment with this section. You can set up multiple devices with access to the Play Store and specify the API level. For the purpose of this guide I will be using a Google Pixel 6 device that does not have access to the Play Store. Note that a device with the Google Play Store cannot be rooted; devices without the Play Store icon are rooted devices.

The next step is to select the API Version. I will be using version 28. Feel free to experiment with the various versions of the API.

The last step for this will be naming our device. I chose Pentesting Device. You can name it whatever you prefer.

Now we can click the Play button on the right side and our emulator should display. It might take a few minutes on the first boot.

Now we have a device to do Android testing on. It is absolutely possible to test on a physical device, but the emulator is a cost-effective approach without the fear of bricking a phone.

Next we can get Burp Suite setup. You can use either Community or Pro.

The first step to get Burp to work with the emulator (or a physical device, if that is what you are using) is to configure the Proxy Listener.

Click on the Proxy Menu and then click Proxy Settings.

Next click on the 127.0.0.1:8080 and click the Edit button.

Change the “Bind to address” setting to “All interfaces”.

Back on our phone we want to open the Settings on our Pixel device.

From the Settings we want to open Network & Internet

Next we want to select Wi-Fi.

Now click Android Wi-Fi.

Now click the pencil icon in the top right.

Click Advanced options and then Proxy.

Here we can set up our proxy. We will need to use our host machine’s IP address. Mine is 192.168.0.224. You will need to look up your internal IP address with ipconfig, ifconfig or ip addr.

The port will be 8080. This is Burp’s default port.

Now click Save.

Back in Burp we can see traffic flowing through, but we have an issue with TLS. The next step is to install Burp’s CA certificate on the Android device so that TLS traffic works through our proxy and Burp.

Back in the Proxy Listeners section we can click “Import / export CA certificate”. Click on that and then Export Certificate in DER format.

Save the certificate onto your host machine. I named mine burp.der.

The next step is to use Android Debug Bridge (ADB) to transfer the certificate to our device.

Running the command

adb push burp.der /sdcard/burp.crt

will send the certificate to the sdcard of our device.

We can now install the certificate on our device. Open the Settings on the device and search “Install Cert”. Click Install certificates from SD card.

Next select “Install a certificate”.

The Android Device will give you this warning. Click Install anyway on the bottom left.

You should see the burp.crt certificate.

Click on the burp.crt file and name the certificate burp.

You might be prompted to set a PIN. I kept it super simple with 1111.

You can verify if the certificate was installed by searching Trusted and clicking Trusted credentials.

Click on Trusted credentials.

Now clicking on USER will show the PortSwigger Cert.

At this point I reboot the device. When I re-launch the emulator and make sure the proxy is running on port 8080, I can verify that HTTPS traffic now flows through Burp Suite. This means we can analyze and test HTTPS and HTTP with Burp just like a website.

If you are having issues please retrace your steps and try rebooting the emulator and Burp if needed.

The last tool we will need to complete this guide is Frida.

Frida can be found here.

Frida can be installed with pip (the Python package manager):

pip install frida-tools

Now that we have our lab setup knocked out we can move on to solving some HTB challenges to get our feet wet with Android Pentesting.

We will be tackling Pinned and Manager.

First we will download Pinned and Manager from HTB Challenges. Once downloaded you can extract the files to your workspace. I used my Desktop for quick access.

The archive password to extract the files is hackthebox.

Now we have access to the pinned.apk file.

You can drag and drop the pinned.apk to the emulator device.

You should now see Pinned in your apps.

Opening the app should reveal this login form. We are now ready to test this Android application.

The goal of this lab is to perform an SSL Pinning Bypass.

SSL pinning refers to a security technique used to prevent man-in-the-middle (MitM) attacks when establishing secure connections over HTTPS (SSL/TLS) between a mobile app and a server. This is what prevents us from viewing HTTP requests/responses in Burp.

We will use Frida to bypass the SSL Pinning for this application and allow us to see the HTTP requests and responses in Burp Suite.

The last tool we will need to download is the Frida server. This is what we install on the Android device/emulator so that the Frida client on our host can communicate with it.

You can download it here.

We can set up and start the Frida server with the following commands:

unxz frida-server-[version]-android-x86.xz (decompress the file)

adb push frida-server-16.1.4-android-x86 /data/local/tmp/frida-server (move the Frida server to /data/local/tmp/)

adb shell "chmod 755 /data/local/tmp/frida-server" (change permissions)

adb shell (open a shell on the device)

/data/local/tmp/frida-server & (start the Frida server in the background)

With the Frida server started on our emulator/device we can run a Frida command to identify running processes.

frida-ps -Uai

We should see our Pinned apk running. This means we can interact with this application.

Now we need to use a Frida script to perform our SSL Pinning bypass.

We will leverage this script.

We need to do one last bit of prep work. Reading the script reveals that it needs a certificate in order to execute. Running without the certificate will cause the Frida script to fail and result in this error:

We can use the same certificate we exported from Burp Suite and stored on the emulator in /sdcard. Running:

adb shell "cp /sdcard/burp.crt /data/local/tmp/cert-der.crt"

adb shell "chmod 755 /data/local/tmp/cert-der.crt" (change permissions)

This takes the Burp certificate we placed there earlier and copies it to the path the script expects, /data/local/tmp/cert-der.crt.

Now to execute the Frida SSL Pinning Bypass Script. To use the script we can run:

frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.example.pinned

Our Frida script should fire off and open Pinned on our emulator.

Clicking Login should now send a request through Burp. That means for this application we have bypassed the SSL Pinning and can analyze HTTP requests.

Here in Burp we can see the POST request and the flag.

The last lab is Manager. The purpose of this lab is to analyze HTTP requests and find a flaw in the application’s logic: Broken Access Control.

On Hack The Box we can download Manager.zip and unzip it with hackthebox as the password. Note that this challenge needs a back-end server to communicate with. Make sure to turn on the instance and note the public-facing IP address and port.

With the Manager.apk file we can drag it to our Android Emulator to install it.

We can now see Manager on the emulator.

Opening the application shows inputs for the IP address and port from HTB.

Inserting the IP address and port from HTB and clicking connect will reveal a Login Form.

Trying to login as test:test reveals the message “User Not Found”.

Back in Burp we can see the POST request.

Let’s try and register a user for the application. I will use test:test.

With the test user created we can test these requests to see if we find any issues.

Let’s analyze the request in Repeater.

We are able to successfully update our password. What if we were able to update another user’s?

We can successfully update the admin password due to a broken access control oversight.

Now we can login as admin with the password test and retrieve the flag.


That completes this introductory guide to Android Pentesting. I hope it was able to help you successfully dive into the world of Android pentesting and exploitation. More will be posted in the near future to help expand on this content.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Jarrod


Uncovering and Exploiting a Client-Side Template Injection in Vue.js

Vue.js is a popular open-source JavaScript framework used for building user interfaces and single-page applications. It was created by Evan You and released in 2014. Vue.js is known for its simplicity, flexibility, and ease of integration with other libraries and projects.

Vue.js has gained significant popularity in the web development community due to its simplicity, performance, and extensive documentation. It’s often compared to other front-end frameworks like React.js and Angular.js, offering its own unique features and advantages.

As with any software framework or library, Vue.js may have vulnerabilities that could potentially be exploited by attackers. Some common types of vulnerabilities associated with Vue.js applications include:

  • Cross-Site Scripting (XSS): XSS vulnerabilities can occur if developers do not properly sanitize user input or output. Attackers may inject malicious scripts into the application, which can then be executed in the context of other users’ browsers, potentially compromising sensitive data or performing unauthorized actions.
  • Component Security: Vue.js applications often rely on third-party components and libraries, which may introduce vulnerabilities if they are not regularly updated or if they contain security flaws. Developers should ensure that they use reputable and up-to-date components to minimize the risk of vulnerabilities.
  • Sensitive Data Exposure: Vue.js applications may expose sensitive data if developers do not properly secure data transmission or storage. Attackers may intercept network traffic or exploit vulnerabilities to gain access to sensitive information such as user credentials or personal data.

In this post we will analyze and understand common mistakes and misconfigurations that lead to applications being vulnerable to Cross-Site Scripting (XSS) in Vue.js.

Let’s start with a simple example of a Vue.js application that displays a search form; the search value is reflected both in the URL and on the page.


Let’s take a look at the code and get an understanding of what is going on.

  • This HTML structure sets up a basic web page layout.
  • The Vue.js and Vue Router libraries are imported using script tags from CDN (Content Delivery Network) sources.
  • Bootstrap CSS is included to style the components again from a CDN.
  • The main content is wrapped in a div with the id app, which is the root Vue instance.

The important part of this HTML is on line 25: <p v-html="searchQuery"></p>. We will come back to this. Let’s keep moving.

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Search App</title>
  <script src="https://unpkg.com/vue@2/dist/vue.js"></script>
  <script src="https://unpkg.com/vue-router@3/dist/vue-router.js"></script>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"></script>
</head>

<body>
  <div id="app" class="container">
    <h2>Search Form</h2>
    <div class="form-group">
      <form action="#">
        <label for="search">Search: </label>
        <input id="search" name="search" type="text" v-model="searchQuery" @input="updateUrl" placeholder="Type something...">
      </form>
    </div>
    <strong>Results:</strong>
    <p v-html="searchQuery"></p>
  </div>

The next and final snippet of code we will analyze is the guts of the Vue.js code. Let’s also break this down.

  • A Vue component called SearchResults is defined. It receives a prop called searchQuery and renders a simple template displaying the search query.
  • Vue Router is configured with a single route /search, which renders the SearchResults component. The searchQuery prop is passed to the component based on the query parameter q from the URL. If the URL does not match any route, it redirects to /search.
  • A new Vue instance is created, bound to the #app element.
  • The instance is provided with the Vue Router instance router.
  • The data object initializes the searchQuery property to an empty string.
  • The updateUrl method updates the URL with the current search query whenever the input field changes.
  • In the created lifecycle hook, the code checks if there’s a q query parameter in the URL. If present, it initializes the searchQuery with its value.

<script>
    const SearchResults = {
      props: ['searchQuery'],
      template: `
        <div>
          <h2>Search Results</h2>
          <div>Results for:<p v-html="searchQuery"></p></div>
        </div>
      `
    };

    const router = new VueRouter({
      routes: [
        { path: '/search', component: SearchResults, props: (route) => ({ searchQuery: route.query.q }) },
        { path: '*', redirect: '/search' }
      ]
    });

    new Vue({
      el: '#app',
      router,
      data: {
        searchQuery: ''
      },
      methods: {
        updateUrl() {
          this.$router.replace({ query: { q: this.searchQuery }});
        }
      },
      created() {
        const queryParam = this.$route.query.q;
        if (queryParam !== undefined) {
          this.searchQuery = queryParam;
        }
      }
    });
  </script>
</body>
</html>

After breaking this down, what is the vulnerability and how can we exploit it?

As I stated earlier, we need to review <p v-html="searchQuery"></p> and understand what makes this dangerous. Reviewing the documentation on the v-html directive reveals that it renders the bound value as raw HTML. The search form takes user input and outputs it as HTML.

Let’s abuse this and supply HTML to the search and see how it displays.

As we can see, we have successfully exploited the search function and have HTML rendered on the page. Now we can try JavaScript with the payload <img src=x onerror=alert('xss')>.

Again we are successful at exploiting this flaw in the code.

You might be wondering, “how prevalent is this issue?” Unfortunately, I must admit that it occurs far too frequently, despite the explicit warning message provided in the documentation on vuejs.org regarding its potential dangers.

How can we remediate this vulnerability? The proper method is simply wrapping the data in double mustaches, {{ }}, so Vue interprets the data as plain text and not HTML.

Let’s modify the code to use {{searchQuery}}.

<div id="app" class="container">
  <h2>Search Form</h2>
  <div class="form-group">
    <form action="#">
      <label for="search">Search: </label>
      <input id="search" name="search" type="text" v-model="searchQuery" @input="updateUrl" placeholder="Type something...">
    </form>
  </div>
  <strong>Results:</strong>
  <p>{{searchQuery}}</p>
</div>

<script>
  const SearchResults = {
    props: ['searchQuery'],
    template: `
      <div>
        <h2>Search Results</h2>
        <div>Results for:<p>{{searchQuery}}</p></div>
      </div>
    `
  };

As we can see in the results, no HTML is rendered, only the plain text value.

This method of exploiting a common Vue.js mistake is both simple and impactful. Frequently, it stems from developers copying and pasting code snippets from sources like Stack Overflow or ChatGPT without fully understanding the risks. It underscores the importance of heeding the warnings presented in documentation, as negligence in this regard can lead to significant vulnerabilities.

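As an added example (not code from the original post), here is a small JavaScript check that models the taint path described above, from route.query.q into searchQuery and then into v-html, and reports the {{ }} replacement for each hit. The function names and the two shortened source snippets are my own constructions, and the regex parsing is a heuristic rather than a real Vue template compiler.

```javascript
// Added example for this post (not code from the original article): a small
// static check that flags Vue 2 templates where v-html is bound to a value
// that originates from the URL. It models the exact taint path shown above:
//   route.query.q -> searchQuery (router prop or data) -> v-html="searchQuery"
// The two source snippets below are constructed, shortened copies of the
// vulnerable and fixed pages, and the regex parsing is a heuristic rather
// than a full Vue template compiler.

// Collect the expression bound to every v-html directive in the source.
function findVHtmlBindings(source) {
  const re = /v-html\s*=\s*(["'])(.*?)\1/g;
  const bindings = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    bindings.push(m[2].trim());
  }
  return bindings;
}

// Collect names that receive URL-controlled data through vue-router:
//  - route props functions:  props: (route) => ({ searchQuery: route.query.q })
//  - direct assignment:      this.searchQuery = this.$route.query.q
//  - via a local variable:   const x = this.$route.query.q; this.searchQuery = x;
function findUrlTaintedNames(source) {
  const tainted = new Set();
  const locals = new Set();
  let m;

  const propRe = /\{\s*(\w+)\s*:\s*route\.query\.\w+\s*\}/g;
  while ((m = propRe.exec(source)) !== null) tainted.add(m[1]);

  const directRe = /this\.(\w+)\s*=\s*this\.\$route\.query\.\w+/g;
  while ((m = directRe.exec(source)) !== null) tainted.add(m[1]);

  const localRe = /(?:const|let|var)\s+(\w+)\s*=\s*this\.\$route\.query\.\w+/g;
  while ((m = localRe.exec(source)) !== null) locals.add(m[1]);

  const viaLocalRe = /this\.(\w+)\s*=\s*(\w+)\s*;/g;
  while ((m = viaLocalRe.exec(source)) !== null) {
    if (locals.has(m[2])) tainted.add(m[1]);
  }
  return tainted;
}

// Report each v-html binding whose expression is URL-tainted, together with
// the text-interpolation replacement the post recommends.
function auditVueSource(source) {
  const tainted = findUrlTaintedNames(source);
  return findVHtmlBindings(source)
    .filter((expr) => tainted.has(expr))
    .map((expr) => ({
      binding: `v-html="${expr}"`,
      source: 'URL query parameter via vue-router',
      fix: `{{ ${expr} }}`,
    }));
}

// Constructed, shortened copy of the vulnerable page from the post.
const VULNERABLE_SOURCE = `
<div id="app">
  <input v-model="searchQuery" @input="updateUrl">
  <p v-html="searchQuery"></p>
</div>
<script>
  const SearchResults = {
    props: ['searchQuery'],
    template: \`<div>Results for:<p v-html="searchQuery"></p></div>\`
  };
  const router = new VueRouter({
    routes: [{ path: '/search', component: SearchResults,
               props: (route) => ({ searchQuery: route.query.q }) }]
  });
  new Vue({
    el: '#app', router, data: { searchQuery: '' },
    methods: { updateUrl() { this.$router.replace({ query: { q: this.searchQuery } }); } },
    created() {
      const queryParam = this.$route.query.q;
      if (queryParam !== undefined) { this.searchQuery = queryParam; }
    }
  });
</script>`;

// Same page with both v-html bindings replaced by {{ }} text interpolation.
const FIXED_SOURCE = VULNERABLE_SOURCE
  .replace(/<p v-html="searchQuery"><\/p>/g, '<p>{{ searchQuery }}</p>');

// Two findings for the vulnerable page (root template and component), none for the fix.
console.log('vulnerable:', auditVueSource(VULNERABLE_SOURCE));
console.log('fixed:', auditVueSource(FIXED_SOURCE));
```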
Here is the entire vulnerable code snippet if you would like to tinker with it. It’s all client-side.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Jarrod

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Search App</title>
  <script src="https://unpkg.com/vue@2/dist/vue.js"></script>
  <script src="https://unpkg.com/vue-router@3/dist/vue-router.js"></script>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"></script>
</head>

<body>
  <div id="app" class="container">
    <h2>Search Form</h2>
    <div class="form-group">
      <form action="#">
        <label for="search">Search: </label>
        <input id="search" name="search" type="text" v-model="searchQuery" @input="updateUrl" placeholder="Type something...">
      </form>
    </div>
    <strong>Results:</strong>
    <p v-html="searchQuery"></p>
  </div>

  <script>
    const SearchResults = {
      props: ['searchQuery'],
      template: `
        <div>
          <h2>Search Results</h2>
          <div>Results for:<p v-html="searchQuery"></p></div>
        </div>
      `
    };

    const router = new VueRouter({
      routes: [
        { path: '/search', component: SearchResults, props: (route) => ({ searchQuery: route.query.q }) },
        { path: '*', redirect: '/search' }
      ]
    });

    new Vue({
      el: '#app',
      router,
      data: {
        searchQuery: ''
      },
      methods: {
        updateUrl() {
          this.$router.replace({ query: { q: this.searchQuery }});
        }
      },
      created() {
        const queryParam = this.$route.query.q;
        if (queryParam !== undefined) {
          this.searchQuery = queryParam;
        }
      }
    });
  </script>
</body>
</html>


Finding Vulnerabilities with Burp Suite Intruder and Repeater (Community Edition)

Burp Suite is a set of tools used to perform web application pentesting. In this guide I will show you how to leverage the free (Community) edition to help find vulnerabilities in web applications. We will utilize Burp Suite’s Repeater and Intruder functionality along with word lists from SecLists.

I will use a free TryHackMe room called Team and a room called Brute It to set up the testing targets. I highly encourage looking into the Burp Suite Academy for labs on Burp Suite as well to get more hands-on experience.

I will also be using FoxyProxy to proxy the traffic through. If you are not familiar, Burp Suite needs a proxy set up between the browser and the target application. FoxyProxy makes managing the proxy simple, as it can be enabled and disabled from the browser.

Here is the basic FoxyProxy setup I use, pointing at Burp Suite’s port 8080.

Using TryHackMe’s Team room, we have an environment set up to do testing. With Burp Suite running and the Team room started via TryHackMe we can get testing.

I will be cheating a bit to get to the fuzzing section of Team. In the /etc/hosts file I will add an entry for dev.team.thm. This sets up the section where we perform our first attack.

Navigating to http://dev.team.thm will display a web page. With Burp Suite we can open the Proxy tab, then the HTTP history tab, and use “Add to scope” to ensure only this application’s traffic is captured by Burp Suite.

Clicking the Place Holder Link loads a new page with a page parameter in the URL.

Next we can forward this request to Repeater in order to do some analysis. We can then tinker with the page parameter, change the request to a POST request, alter the User-Agent, etc., to see if the application displays any errors or useful information in the response.

The next step is to use Intruder to fuzz the page parameter to see if it is vulnerable. SecLists offers a variety of fantastic word lists that we can use to Fuzz the parameter. I encourage you to review and look over these word lists and see which ones can help you in a particular moment.

SecLists offers lists for command-injection, SQL Injection, XSS, Local File Inclusion (LFI), passwords, word lists for directory/file brute forcing, extensions, and much more.

Sending the request to Intruder, we can highlight the parameter we want to fuzz. In this case we want to highlight the teamshare.php value. The attack type will be set to Sniper.

Next we will click the Payloads tab. Here we can insert our word list values from SecLists. Because the parameter appears to be loading a file, it would be a good guess to try for Local File Inclusion (LFI). We can copy and paste the values of the file LFI-Jhaddix.txt into the Payload Options section. In SecLists this is stored under Fuzzing/LFI.

Burp Suite Community Edition throttles the speed of the fuzzing, but we will quickly see some results come back from our attack. While Intruder cycles through the word list we can look for responses with a vastly different length to see if anything interesting pops up. It turns out that the parameter is indeed vulnerable to Local File Inclusion.

The combination of Burp Suite Intruder and SecLists word lists for LFI gives us not only a POC for /etc/passwd, but also other Linux files that were read.

This was a good example of what Intruder and a good word list can do. Let’s take a look at one more example using Intruder to perform brute force password attacks on an administrative login.

Using the TryHackMe room Brute It we can get practice using Burp Suite Intruder to perform a brute force attack. If you are interested in working along, fire up Brute It on TryHackMe and navigate to the /admin page. Here we see a basic login page.

With Burp Suite running and FoxyProxy enabled we can capture a POST request by attempting the default credentials admin/admin.

With the parameters set up so that the user is admin and the password is the target, and using the Sniper attack type, we can now load in another word list from SecLists.

This time we will try 500-worst-passwords.txt to see if we can find the admin password. This password list is found under /Passwords. Either load in the word list or copy and paste the passwords into the Payloads section. Submit the attack by clicking the Attack button and let’s see if we get a hit.

Viewing the results, we see one that sticks out with an HTTP status of 302 and a much different response size. This is a pretty good sign we got a hit during our brute force attack.

Using the credentials from Intruder we are able to verify the password for the admin was correct and we have successfully authenticated.

This concludes the basic guide for Repeater and Intruder. If you want more hands-on time with Burp I recommend TryHackMe’s Burp Suite module; here is the starting Basics section. Burp Suite is an incredible suite of tools that can help find vulnerabilities and misconfigurations in a web application.

More hands-on labs can be found on Burp Suite Academy’s site if you want more targeted vulnerabilities to work on, such as SQL Injection or XSS.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Free Resources To Learn Pentesting

TryHackMe
TryHackMe is an online service that offers paid and free rooms. The highlight of TryHackMe is that it offers beginner-friendly and advanced rooms for pentesting, malware analysis, digital forensics, and much more related to cyber security. If you are just getting into cyber security, this is a great starting point. If you enjoy the free content, consider the monthly subscription to have access to the paid rooms. I used this as my first cyber security training to help me become a pentester.

PortSwigger Web Security Academy
PortSwigger Academy is a free online resource for learning beginner and advanced web application exploits. This site offers labs on XSS, SQL Injection, Server-Side Request Forgery and so much more. The course is designed around PortSwigger’s Burp Suite program, but labs can be completed without it. PortSwigger is always adding new content to the site. This is a great resource for learning web application pentesting.

API Security University
APISEC University is a website that offers courses on learning how to hack and pentest APIs. Corey Ball goes into great detail discussing how to hack APIs and talking about the OWASP Top 10 for API Security. This course is free and offers great video material that helps you set up labs and perform the tests; at the end of each section you are given a quiz and a lab to perform to ensure you are learning the material.

The Cyber Mentor YouTube Channel
The Cyber Mentor has a fantastic YouTube channel dedicated to cyber security. I could make a blog post dedicated to just Cyber Mentor content. The content on the YouTube playlist I recommend checking out is the twelve-hour series on Ethical Hacking. It includes information on networking, basic hacking techniques, Python programming, web application hacking, buffer overflows, OSINT, and much more. If you enjoy the free content, you can check out the paid video series on TCM Security Academy and extend your knowledge.

HackTricks
HackTricks is a fantastic website that has great learning material and methodology on pentesting. It is my typical go-to while performing a pentest to get a refresher on a tool. This site has a great number of links to resources and other learning material as well. I highly recommend checking out this resource and giving the material a read.

Active Directory Security
Active Directory Security is a website used to post information about Active Directory Security and pentesting. Learn about Mimikatz, Kerberoasting, AD Recon, and more. If you are interested in Active Directory Security and pentesting, this site is a great resource to learn from.

VulnHub
VulnHub is a resource with vulnerable boxes that are meant to provide hands-on practice. The website offers several vulnerable boxes that run in virtualization software such as VirtualBox or VMware. I recommend the route of setting up your own virtual environments and testing against them. You can also look into hardening and patching the boxes.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

My Top Ten TryHackMe Rooms

I have been a TryHackMe fanboy for a while and just finished up doing a 500 day streak and have completed 275+ rooms. I wanted to write a blog post describing my personal ten favorite rooms.

No flags or hints on how to complete these rooms on this page. I will discuss at a high level what each room is about and what skills or techniques would be needed to solve it. If you like to go into rooms 100% blind, then feel free to skip this blog post.

10. Vulnversity

Vulnversity is a free and beginner friendly TryHackMe Room that is geared towards teaching the basics of Pentesting.

The room includes a video guide by Darkstar that does a fantastic job of explaining the tools used and the thought processes, and holds your hand throughout the room. This is great for someone looking for their first penetration testing room who wants their hand held from start to finish.

This was one of the first rooms I did when I started TryHackMe and it cemented a number of techniques and tools I still use today: port scanning, file and directory fuzzing, using reverse shells, and privilege escalation. Often I get asked what a good starting room is for penetration testing. This is the one I recommend.

Tools/Techniques that you could use are:

  • Nmap
  • GoBuster
  • Burp
  • Netcat
  • Using Linux to abuse SUID to become root

9. Jason

Who doesn’t love a good horror movie? Jason is a room that is fairly easy, but the technique used to complete the room can be a bit complicated for those new to penetration testing.

It is an easy room if you know what deserialization vulnerabilities are and how to exploit them. If this is something you are not familiar with, then here is an OWASP article for you to read if you are interested.

If you want to practice deserialization then this room is for you. It is one of the few rooms where, if you are struggling with deserialization, I recommend using a guide or walkthrough to help get you through and learn about the concept.

Great room with fun challenges, great design, and helps in learning a rather daunting technique. Highly recommend checking this out if you are on the hunt to learn more about exploiting deserialization vulnerabilities.

8. Thompson

Thompson has a special place in my heart. I used to manage Apache Tomcat and this room is all about exploiting Tomcat in a fun and real world scenario.

I love when a box has a real world feel to it and Thompson is a scenario that penetration testers will see in the wild and have an opportunity to exploit. Tomcat is deployed with multiple default configurations and files that attackers will use against the target.

From the starting point of the room you get to have a lot of fun fuzzing for files and directories, password spraying, and using Metasploit to exploit Tomcat Manager to get into the system with a reverse shell.

I have seen this similar room used in competitions and it is definitely a room you want to check out.

Tools/Techniques that you could use are:

  • Nmap
  • GoBuster
  • Hydra
  • Metasploit
  • Abusing crontab for privilege escalation

7. Linux Agency

This box is 100% a video game box. It is a fun and exciting way to learn more about Linux commands.

The premise is: you start off on mission one. You ssh into the box as mission1 and are given a task to solve that allows you to become mission2 user and you essentially climb a ladder solving a challenge and then becoming a new user to solve another challenge.

The challenges change from different Linux techniques such as outputting data from a file, grepping a flag out of a file that has thousands of lines of data in it, changing file permissions, compiling files to get output and using various programming languages to read files.

Linux Agency is fun. However, it is long, so be prepared to spend some time on this room, but when it is done you will level up your Linux knowledge.

6. Wreath

Wreath is a large room aimed at teaching pivoting and Command and Control Frameworks. It is a very large room that can eat up a day.

It is highly recommended to take good notes and take it slow. I swear I didn’t plan this but again Dark has created a video guide to help teach and walk users through this if needed. The video guide is forty-one videos and as stated earlier this can easily eat a whole day.

That being said it is a “free” room. The catch is it is free if the free user has a seven day streak.

This room goes into great detail on what pivoting is and how to do it with socat, chisel, and SSH tunneling / port forwarding. The next major section will be Command and Control. If you are not familiar, Command and Control (C2) frameworks are applications used to manage remote sessions on a compromised host. Cobalt Strike, Covenant, Metasploit, and Empire are examples of C2 frameworks. The last major section is AV Evasion.

I suggest this beast of a room because it teaches excellent fundamentals for internal pentesting and how to pivot and use C2 Frameworks. I cannot even remotely begin to explain how cool and amazing this room is. You will gain so much hands on experience and it is free for users with a seven day streak. I would easily pay money to TryHackMe to have access to this room.

5. Buffer Overflow Prep

Before I started TryHackMe, I had some basic Ethical Hacking Knowledge. I knew how to do a lot of the easy rooms and felt comfortable with using tools such as Nmap, Metasploit, GoBuster, Burp, etc. What I didn’t feel comfortable with was Buffer Overflows.

Buffer Overflow Prep by Tib3rius was a godsend for me. It taught me how to do buffer overflows and gave me so many attempts at doing them that I got the basics down and felt like I conquered a huge undertaking. Buffer Overflows can be a lot to take in and work on, and with Buffer Overflow Prep I was able to overcome the fear and learn to have fun with them.

That is why I recommend Buffer Overflow Prep and why it is one of my favorite TryHackMe rooms. It gave me the tools and knowledge needed to learn how to perform a Buffer Overflow and how to transfer the knowledge to other rooms and exams.

I know someone else out there is afraid to dive into Buffer Overflows and if that someone is you, try this room and watch the video Tib3rius made for this room. Stack Based Buffer Overflow Prep.

4. Linux/Windows Priv Esc

I’m cheating here, but I’m going to combine Linux and Windows Privilege Escalation rooms together for the number four spot.

Created by Tib3rius, these rooms are geared towards teaching some of the most important techniques that are required to go anywhere in this field. A short list of what you will learn is:

Linux:

  • Weak File Permissions
  • Cron
  • SUID
  • NFS
  • Kernel Exploits

Windows:

  • Registry
  • Scheduled Tasks
  • Token Impersonation
  • Service Exploits

This is a short and sweet description, but nothing can really be said other than if you want to be a penetration tester / red teamer then these two rooms are essential.

A small bonus I found helpful was to take the Udemy courses by Tib3rius as I did these rooms. The Udemy videos and TryHackMe rooms do an excellent job complementing each other.

Links to the Udemy courses can be found here.

3. Biohazard

For those that do not know this about me, I love the Resident Evil games and Biohazard does a phenomenal job capturing the feel of playing a RE game while hacking.

It is one of the more “video game” like rooms in both name and execution. You are tasked to collect flags and discover hidden files, folders, pages, keys, images, and anything else scattered on the box to complete this room. It is simply a blast to play.

It can be difficult and at times I would get stuck and get a bit frustrated, but that emulated the feel of the RE games so much that I had to smile. Come prepared to think outside the box and don’t forget about that ever important source code to get by.

Not beginner friendly and it is one of the paid sub rooms, but if you haven’t played this room and love the Resident Evil franchise then I highly recommend this room.

Even if you do not play the Resident Evil games I still recommend this room. It is nothing but a crazy, fun puzzle.

2. Mr. Robot

This room is simply charming and fun to play with. Similar to Vulnversity it comes with a video guide by Darkstar to help hold your hand and provide the thought process and techniques used to help get through the room.

This room is marked as medium difficulty, but I would say it is one of the best rooms to transition someone that has been doing easy rooms and wants to step their game up and try the medium difficulty rooms.

If you are looking for a fun room to step up your game, I cannot recommend Mr. Robot enough. I was smiling and having such a blast hacking this box. It is easily one of the best TryHackMe has to offer.

1. Internal

My absolute favorite TryHackMe room is Internal, created by Joe Helle aka TheMayor. I love rooms that are more geared towards real world challenges and are exactly like what a penetration tester would see in the wild. This room was also designed to help prepare you for the eLearnsecurity eCPPT.

Just like in a real penetration test you are given a scope of work and are encouraged to create a report. Once you have completed reading the briefing and start the machine you need to obtain a user.txt flag and root.txt flag.

This room is rather difficult and not for beginners. It is a fantastic room to see where your skills are at and what needs improvement. Do not use a guide for this room. Internal is a room that if you can complete without help can really demonstrate to yourself that you have a good skill set when it comes to penetration testing.

TheMayor truly knocked it out of the park creating this room and even though I have completed it I will often come back to again and again just like one of my favorite video games. The amount of detail put into this room is excellent and I cannot recommend it enough to put your skills to the test.

In Conclusion: I hope this blog has provided some insight for those looking for suggestions for rooms on TryHackMe. TryHackMe has been a huge part in my growth as a Penetration Tester. The overall number of rooms is huge and it can be a bit much to find the next room to do, and I hope this helps someone!

If it does, feel free to send me a message on Twitter and let me know!

PNPT Experience

Introduction

This blog post was written to help provide information and express my feelings about studying for and taking the Practical Network Penetration Tester (PNPT) exam by TCM Security.

The reason I decided to take this exam was because I felt that I struggled with Active Directory Pentesting and this exam offered a means for me to improve in that area and help me to level up as a pentester. I currently work on external pentests, web application pentests, and external red team pentests. However, I also wanted to acquire the skills needed to work on internal pentesting.

I bought the exam and training material for $400. One major plus for the PNPT is that it felt like the first exam I have taken that I would be confident in saying that the course material is all you really need in order to pass the exam. The study material points to other references for reading or practicing your skills, so I did not feel the need to buy anything else to study.

One more thing I would like to highlight before I get into the study material is that the material and exam take a real-world approach. The biggest hurdle some might have to overcome is to not treat this like a CTF and to instead treat it like a real engagement. As someone that does penetration testing for a living, this exam and study material hit the mark.

Study Material

The Practical Ethical Hacking course is a great resource packed with essential information. The material includes:

  • Basic Networking
  • Introduction to Linux
  • Introduction to Python
  • Information Gathering
  • Vulnerability Scanning
  • Buffer Overflows
  • Active Directory
  • OWASP Top 10
  • Wireless Penetration Testing
  • Report Writing

My attention was purely on the Active Directory portion of the material, which is where I spent the majority of my time. However, I want to stress that I used the Buffer Overflow material here to ready myself for the eCPPT and for the eventual OSCP. TCM Security offers courses I would argue could replace other vendors’ study materials.

Going through this should help give someone the basic knowledge of penetration testing.

The Windows Privilege Escalation course is packed with excellent material and might have been my favorite course to go through. The course will cover:

  • Kernel Exploits
  • Stored Passwords
  • Potato Attacks
  • Registry
  • DLL Hijacking
  • Service Permissions
  • Capstone Challenges to test knowledge of Windows Priv Esc. via Hack the Box and TryHackMe.

The Linux Privilege Escalation course will help provide material on how to escalate privileges on a Linux host. I want to say that I truly appreciate the inclusion of capabilities and Docker. The course includes:

  • Kernel Exploits
  • Enumeration
  • File Permissions
  • Sudo
  • SUID
  • Capabilities
  • Scheduled Task
  • Root Squashing
  • Docker
  • Similar to Windows, you will get Capstone Challenges via Hack the Box and TryHackMe.

The OSINT Fundamentals course provides material on how to gather information about a target. This provides a real-world engagement feel on encountering a target and gathering all the information about that target. The course will teach you how to hunt down:

  • Emails
  • Passwords
  • Usernames
  • Social Media Accounts including
    • Facebook
    • Twitter
    • LinkedIn
    • Instagram
    • Reddit
  • Website OSINT
  • Using tools to gather information
  • Report Writing

The final course is the External Pentesting Playbook. This material is designed to help show what pentesters do when attacking an external network. It goes against the CTF style of just throwing exploits at a machine and seeing what sticks. It has a focus on:

  • Attacking Login Portals
    • Office 365
    • OWA
    • Standard Login Portals
  • Insufficient Encryption
  • Username Enumeration
  • IKE Aggressive Mode
  • Insufficient Traffic Blocking
  • Open Mail Relays
  • Client Debriefs

The Exam

The exam’s structure gives you five days with the exam lab and then two days to write a professional report. After writing the report you will submit it for review and if you meet the objectives you will get an email to schedule a time to do a fifteen-minute debrief over the report. Again capturing that real-world feel of talking to a client and going over the report and findings. You can use whatever tools you want for the exam.

When the exam started I was given all of the information needed to complete the exam including what objectives need to be met and a sample report to help show how the final report should be structured.

TCM Security provided a stable and solid network to attack. This was a breath of fresh air after working on the eCPPT and eWPT this year, with their unstable exam environments that were unusable for hours.

As I moved through the exam environment I took breaks, ate meals, spent time with my family, and rested my mind when I needed to. I would get stuck a few times, but I felt the exam did a good job of rewarding enumeration, taking good notes on the findings, and using that information in the exam. I never felt frustrated, which is a great feeling taking a major exam.

The best advice I can give is:

  • Know and understand the study material and do the labs provided by TCM Academy.
  • Feel confident in Active Directory Attacks.
  • Know how to write a good and professional report.
  • Understand the exploits and how to remediate them.
  • Read through the provided information from TCM Security thoroughly and understand what you can and cannot do.

Final Thoughts

I really enjoyed this exam and the content provided by TCM Security through TCM Academy. I learned a lot going through it and had a lot of fun doing the exam. It’s one of the exams I would do over again just because I felt it was a lot of fun. The report writing is always the boring part, but the exam was great. I truly enjoyed this experience and the fact that it captures the feel of a real life pentesting engagement.

I hope more pentesters and aspiring pentesters look into TCM Security as budget-friendly, quality training material, and I wish you luck on the exam if you choose to take it!

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Good luck!

eCPPT Experience

Beginning of 2022 I had two goals in terms of getting certifications. Get the eWPT and the eCPPT. I can happily say I have earned the eWPT and the eCPPT this year. Mission accomplished.

I’m writing this post because I want to provide helpful feedback for the eCPPT. I will cut away the fluff and get to the important stuff to help answer common questions. I will not be doing a day-by-day breakdown.

The lab is seven days of testing/hacking and seven days of report writing. It took me four days with the exam lab to get everything knocked out and two days of report writing. I had the results back in a couple days after submitting the report.

To prepare for the exam, I did all of the INE Penetration Testing Professional labs under the Penetration Testing: Network Security and Penetration Testing: Linux Exploitation sections.

The System Security for Buffer Overflows has good content. It gets a bad rap in my opinion. It’s useful, but the best way to prep for the Buffer Overflow from INE is the Exploitation with Ruby under the Metasploit & Ruby section. That’s the best way to get hands on practice from INE for BOF.

Web App Security is a section I personally did not do much of, mainly because I did the eWPT. I would recommend taking the time to go through it and do the labs as well to learn about SQL Injection, Cross Site Scripting, and the other good-to-know web exploits.

Now I wrote that section because I believe the material from INE was good. If you don’t have that material because it is expensive, I recommend the following resources.

The last bit of advice I can give is to make sure you are comfortable with pivoting, proxychains, and port forwarding. You will live in proxychains for this exam.

I will also say the exam stability for me was a nightmare and I hope it works well for you. I took a few days off from work and the lab would not start for ten hours on Saturday. I tried to start at 8AM and kept getting errors about starting up the lab. The issue eventually fixed itself around 6PM. Elearn needs to work on more stable exam labs as I have heard similar issues with other people taking this and other exams.

You most likely will not know if you are ready until you start the exam. My rule is to go with the flow and figure out as you go. Don’t stress too much. Take breaks, rest, sleep on problems, and just try stuff. Learn as you go.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Good luck!

eWPT Experience

Beginning of 2022 I had two goals in terms of getting certifications. Get the eWPT and the eCPPT. I can happily say I have earned the eWPT and will be working towards the eCPPT later this year.

This will be a post describing my thoughts on the INE study material, thoughts on the eLearn Security eWPT exam, how I studied for the exam, and what advice I have for those looking to take the eWPT.

For those that don’t know, the eWPT is a certification offered by eLearn Security and study materials are provided by INE to prepare yourself to take and pass the exam. You have seven days with the lab to hack and seven days to write the report. The report you submit is what is graded and determines if you pass. This is not a CTF style exam. First tip I will give is to start your report and work on it while taking notes and doing the lab work.

Initial Thoughts

At the beginning of the year I was really excited to take this exam. I felt INE had great materials to learn from, although they are a bit dated. The study material on Flash is worthless in 2022. You can skip that part and I would not be surprised if it was removed this year.

I felt INE did a good job covering XSS, SQLi, information gathering, session security, file upload attacks, CMS attacks, and noSQL databases in the slides and videos.

I will cover my opinions about the transition of the labs in my study material section.

After a few weeks of working on study materials I felt ready for the exam. I picked the first Friday evening in February and started the exam. Getting it up and ready took a few minutes of tinkering with the VPN and reading the Letter of Engagement. The Letter of Engagement is pretty straightforward, but very simple and not very professional looking. It lacks details. Just make sure you read it and understand it as it states a pretty important factor that needs to be done in order to pass, although it is not enough alone to pass.

The exam was pretty fun to say the least. It is a professional-looking web application and something I would see in the real world. It has vulnerabilities and your job is to find them, report them and provide remediations. Just like on a real engagement.

After a few days into the exam, I felt I had everything needed to create my report. I wish INE would have a section in each course to talk about report writing. I feel report writing is being overlooked and for an exam that requires a report to pass, it would help to include something for those that have never written a penetration testing report.

Study Material

The study material I used to prepare myself was the Web Application Penetration Testing videos, PowerPoint slides, and labs offered by INE. An annoying issue on the INE platform was that while I was working on the labs in the month of January, INE decided to update the Web Application Penetration Testing labs from their custom-built labs to offering DVWA and Mutillidae hosted labs.

While I am a fan of the ability to click a button and have a ready-to-learn environment and hands-on practice, I was enjoying the labs (that worked) that were offered by INE and I’m a bit disappointed with the Web Penetration offerings now.

I am disappointed that the custom built labs for the eWPT have become free and open-source labs anyone could download from the internet and setup on their own machine. I feel like I wasted $500 and I hope the eCPPT will help me feel not so ripped off.

I also used The Web Security Academy from PortSwigger to get more hands-on practice. Honestly, if you only cared about getting the eWPT and wanted to save money, you could easily get the materials you need to pass the exam with the Web Security Academy from PortSwigger. They offer amazing labs and learning material that in a few cases are better than what INE offers. I find it funny that PortSwigger Labs are free, but a much better value than INE labs that cost $500 (when on sale) to access.

Other than these two sources I did not use anything else to prepare myself. The INE Web Application Penetration Testing course shows everything you need to know to pass the eWPT. I feel PortSwigger Academy is a great resource to also prepare yourself, but it’s not required to pass.

Final Review and Advice

My final thoughts about the eWPT exam are: I feel it is a good web penetration testing exam. It is fun and I am proud of my accomplishment in earning my certification. I did learn a few things while taking the exam.

My critiques are: the Letter of Engagement needs more detail. I feel it’s a bit too simple and vague to be passed off as a professional letter of engagement.

The labs from INE are bad. I cannot sugar coat this. I feel ripped off that I paid money for open-source labs. When I first started off with INE, they had great labs that you needed to access via a VPN and they were better than DVWA and Mutillidae. INE, please go back to having quality labs you built to prepare students to pass an exam.

The good parts are the exam is fun. It really is a great feeling when you find an exploit in the exam. A few of them really make you work for them.

My last bits of advice. When I do web penetration tests I use two main tools: Burp Suite and SQLMap. These are my go-tos and I had them open for the entire exam. They can do almost all of the work if you know how to use them correctly.

SQLMap will save you time and headaches. Burp Suite Repeater is also important. Everyone has different tools, but all I needed to pass was a good knowledge of how to use these effectively. (If you prefer ZAP, go for it. Burp is just my go-to proxy tool.)

Good luck!