LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | TryHackme | AMA
Skills:
Security Basics90%Tool Use & Function Calling80%AI Security70%Defensive AI60%AI Alignment Basics50%
Key Takeaways
The video covers web hacking, pentesting, and cybersecurity, with a focus on beginner-friendly tools and techniques, including TryHackme, Portswiger, and Chat GPT, as well as practical steps for self-study and career development in the field of cybersecurity.
Full Transcript
What's up everybody? I thought I would start the stream off with some cat tax. Look how cute she is. She's just chilling in the sun, having a nice nap. I mean, what is life if you're a cat? It's just too good to be true. How you all doing today? All right, let me let me move my camera because I have to hold it and it's kind of heavy. All right, hold it. And there's the other one. There you go. Cat tax number two done. There we go. Double double cat tax in the stream. Life is uh life is good. How you all doing today? Hello everybody. And then and I'm I'm back. So what is um what is what is life without cats? Huh? It looks like we're having a little bit of trouble getting connected. Uh YouTube hasn't popped up, but that's okay. Good to have you all here on Twitter and LinkedIn and Oh yeah, I can see Yeah, looks like uh looks like YouTube is up. So, we're all we're all good. How you all doing? So, we've got a box planned for today. So, we're going to do Chocolate Factory, which is uh just like an easy web box, I think. Uh I scanned it earlier and it looks like it should be fairly straightforward. have no idea what the priv is, but you know, we'll deal with that when we come to it. Hopefully, it's not like a buffer overflow or something uh too tricky, but uh should be all good. And I've got a couple of announcements. So, we have the AD live training. So, that's coming up on the 30th, which I've done it so many times. um just sat in because um Heath teaches uh AD live so well cuz he's just I don't know really really good with active directory and it's something that I think he's quite passionate about as well which really really helps as well and he has a ton of experience. So um you can really feel it when you do the class that it's uh it's a it's a really really good class. So check that out if you want. And I don't think I have any other Oh, yeah. We might be having a small small upcoming uh Can I say it? Is that Are we allowed to say? I don't know. Um Memorial Day is coming up. So, we'll be just doing something for Memorial Day. That's that's all I'm going to say. And then Whoops. We'll leave the rest uh we'll leave the rest there. I'll just knock some tea over. So, let me just quickly wipe that up because my desk is now covered in tea. Wonderful. Good times. H. All right. Um, let's see. Let me just log into my VM and I'm going to start uh start looking at some stuff. So, um I don't think I can see the YouTube chat coming up. Just a heads up. It doesn't look like it's connected. So, I'm just going to pull it up on a on a second screen. Oh, wow. Yeah, I can see the YouTube chat is like quite busy and uh it's not it's not connected to um to us, but you know, is what it is. Um let me see if I can fix this. One second. If I just refresh this and don't know don't know what's going on. All right, that's okay. It's all good. Don't worry about it. Um I can still Okay, so I've got YouTube open on a on a second monitor. So, obviously you're not going to be here, but you're going to be in on my second monitor, so you're all good. How are you all doing today? Um, all right. Let me see whether we have any questions before we jump into today's box. So, let's see. Let me scroll down. And looks like we're good there. And I can see one. So, I'm not going to be able to highlight the YouTube chat, but I can see one from Sedakal. Sedica, is that how you say your name? I'm not sure. Um, how to start hacking? The easy way is to follow a course. Uh, if you go to the cybermentor YouTube channel, there's like a 10 plus hour um ethical hacking course. That's the uh that's the best way to do it. And same for Rios. How should I self-study? So, self-study is a funny one. Um, personally, I like to like block out uh like a certain amount of time per day or whatever your schedule allows. So, when I was studying for sets, I would do 2 hours before I started work. So, I'd go to the office, I'd arrive early, and then I'd book a meeting room from like 7:00 a.m. till 9:00 a.m. and I would study in the office. And then I'd be like, "Okay, these are the things that I'm I'm working on this day." And then it just becomes like a habit. and over like a few months you then have done a ton of studying and you're way better like at whatever it is you're studying than you used to be. So, I think building it into your schedule is probably the most powerful thing or the most thing the biggest thing you can do to be successful because if you if you do like let's say it's Sunday, right, and you're like boom, I'm going to get good at Hack the Box. You spend 12 hours doing Hack the Box, you're probably not going to touch Hack the Box for another two months now. And that that's it. You you just spend all of your motivation on that one day. Whereas, if you build it in as a routine, then it's going to be um going to be much better. So this is the uh the important thing I think. Um let's see what else do we have. I wonder if actually let me uh refresh this if I refresh this. I don't know if that's going to help but um we'll see. It's all good. Um what else do we have? What's up Zen? How you doing? What's up, Freddy? How's it going? And let me scroll down, see whether we have some other questions. Oh, Israel. Alex says, "Can we have subtitles in Spanish?" I don't know. It like if YouTube does Spanish subtitles, then yeah, but we don't do the subtitles ourselves. So, I I have no idea how I can add subtitles in other languages. So, if there's a way to do it, then that would be awesome. But I I don't know how to do it off the like through the tools that we have, there's no uh no uh no way to do it. So, not for live streams at least. Obviously, for videos, they get like transcribed by YouTube and then and then you're all good. Um, good question from Caleb. Do I do bug bounty uh hacking live? No, because if I find an issue on a bug bounty platform and I do it live, then everybody who's watching knows that there's a bug on that platform or the on that target. So, doing live bug bounty is like kind of irresponsible, right? It's like it's uh irresponsible disclosure. And whenever you do bug bounty, I know like some people get around it. doing like just recon, but um I mean you're you're breaking like terms of service and uh all sorts of things if you're live streaming like uh a bug on a on a web app for example. So So yeah, I don't I don't want to get sued or banned or blocked from from any of the platforms. So unfortunately live bug bounty is out but um I do do a little bit of bug bounty on the side but um not honestly it's like it's hard to find the time like between working and studying and I'm back to doing OSWE now again like yeah it's it's it's hard to find the time but maybe in the future if I do find some good targets I might try and make um videos of them of what I did but um I certainly can't do it live unfortunately. Definitely. Um, let me keep scrolling down. Yeah, this is this is Koma said it right. Um, discipline is the key. I think discipline, but also like being smart as well, like with your motivation because, um, if you burn yourself out, it doesn't matter how much discipline you've got, you're just going to be burned out. So, I think like you also being smart and also being disciplined. I think it's like it's like a couple of things that you have to have uh in in sync if that makes sense. Um let me keep scrolling down. How hard is it to become a full-time bug hunter? I think it's uh is it hard? I think it depends on your expectations. I would I would really struggle to make as much money doing bug bounty as I do as a like I'm I'm currently like a contractor doing cyber security writing content creation and and I work for TCM. I think I would really struggle and I think apart from maybe the top maybe five to 10 bug bounty hunters in the world. I don't think anybody makes what I make at TCM doing bug bounty if that makes sense. So, uh, but depending on what your expectations are, that doesn't mean it can't work. Um, depending on where you live, what your costs are, what responsibilities you have, it could be a great lifestyle. Um, and it could be the lifestyle that that really suits you. But, uh, if it just boils down to making lots of money, then, um, I think it's quite tough. Possible, but tough. Uh, I think that's the that's the thing, uh, for sure. Uh, whoops. Let me double click that. Let me switch back over to YouTube for a second and see how we're doing. Um, loads of book bouncy questions today, which is good. I'm not complaining, but um, yeah, it's all good. Um, I want to Okay, so I've got this question. I want to get into cyber security and I've been doing self-study, but I feel like I'm not getting anywhere. I've attempted SSCP and I failed the certification. after that I'm lost and not sure where to go. So yeah, this is uh this is a tricky one. So you're probably feeling like uh you've put in a lot of effort and then you've got like nothing to show for it cuz especially when you you fail a certification, it kind of like it sucks. And I know cuz like I failed my uh OCP the first time I did it for example. Um and then I I passed passed it the second time round um in four hours no less. Um, so what I would say is, uh, take like a little bit of time just to reset. Uh, you know, take a week off study and just just don't worry about it and then come back with kind of like a a fresh mindset and a fresh game plan. That's that's the really the real trick. rather than um you know focusing on something that you can't control that's already happened um just think about how you can set yourself up for success going forward because um I think a lot of it is just keeping pace and keeping going forward and and keeping up the momentum and that's probably the hardest thing um but over a period of time you'll achieve like great things if that makes sense. So I think that's the the best thing to do is take a short break. Don't don't like don't take three months off but like take a week off towards the end of the week you know sit down and be like okay what was I doing before why did I fail um what am I going to do going forward set yourself again like an achievable goal and um something that's repeatable and then hopefully that will set you up for success um I think like studying cyber security and being successful is no different than any other industry it's you know obviously like cyber security is generally speaking a technical topic. Not always because you know there are non-technical cyber security roles but um you know it's no different than learning any other skill or or anything else if that makes sense. Just takes time, dedication and um and some smarts around work life balance and and all of that shenanigans. All right, so let me keep scrolling. I'm going to switch back from YouTube back to wherever we are now. Uh on the right hand side, so many screens. What's going on? Um [Music] restrictions to message a private user on a target. I shouldn't be able to interact with the private account, but the private account can also just reject and delete the message. Yeah. So, like I wouldn't put this as like a critical issue. I found similar things before. So, for example, um I could reach like uh subscriber only content. um uh it was a chess website actually um and uh I could reach like their premium features without being subscribed and and I reported to them and they were like we don't care. Um so in the grand scheme of things just being able to message somebody uh is probably not like it's not a high or critical finding but it is like a legit finding in my opinion like the application is doing something that you shouldn't be able to do. you technically have like um you know like a broken access control or you have access to something that you shouldn't have access to um uh like the ability to do something but is the impact very it's kind of quite a small impact and thinking of a scenario where this would actually be quite damaging to a user is probably quite hard to do. So I think like it's a legit finding but I would say it's like a low um uh in terms of like severity if that makes sense. But um but yeah, it's it's an interesting one. Uh chained with some other stuff. It might lead to something interesting. That's what I would always say is if you have a low finding uh maybe sit on it, see whether you can chain it with some other issue and then you might be able to upgrade the impact. Uh if that makes sense. Um let me see where we are. Off topic. Okay, let's go. What's up, Thomas? Uh, good day. This is a little bit off topic. I'm studying cyber security uh for a year. I got the PJPT. Nice. Good job. But I don't know what other certifications I should focus on. I've applied to hundreds of jobs, but no luck. Could you please give some insight? Yeah. So, what I'd say is think about uh not just certifications. uh when you're applying for a job, maybe think about like who who else is applying and what they might look like and what advantage do you have that you could lean into. So, for example, when I apply for jobs, um I'm bit of a weirdo. Like I I always tell the interviewer like, "Oh, I actually really enjoy doing code review." Even if the job isn't like doing much code review, that's just a kind of like a quirky thing that I can talk about and I can talk about my experience there and things that I've found and I can lean into that and that kind of gives me like an unfair advantage over other people because it's not actually a skill that they're necessarily looking for, but it's something that sets me apart and something that they can be like, "Ah, yeah, I like this kind of like, you know, curious person who likes to read JavaScript in his spare time because because he's weird." Um, so try and find something that gives you um an unfair advantage that makes you stand out. It's not necessarily like unfair, but like it's called unfair advantage, but find something that you have that makes you stand out. And if there are gaps or um think quite critically. So for example, if you get replies and you get interviews and then you get um rejected from the interview stage, then you probably need to work on your interview skills. If you're applying and you're not getting interviews, then you need to think, okay, is my CV um where it needs to be? Is my resume where it needs to be? Uh do I have um everything that's needed to apply for these jobs? Uh and think about like the well-rounded um situation where you might have uh like a certification, you might have like a side topic, um uh you might have uh a side topic like a a side project. um you kind of like up to date with like uh the typical uh interview questions that they might ask you and and you've got all of that kind of covered. So try and think critically. It's hard to give you like an exact area but hopefully that kind of gives you like um a little bit of insight into like you know how to approach it strategically, how to approach job finding strategically. Cyber security is definitely getting a little bit trickier especially at the entry level. I wouldn't say go nuts with the certifications. One or two is fine. Um especially if it's like if you're applying to entry- level roles. Um they're kind of diminishing returns, but you know, maybe adding one more might be useful, but if there are other gaps, then focus on the other gaps first. Like I say, um find out where where you're falling short and then and then uh try and address that first for sure. Hopefully that helps. Um, let me switch back over to YouTube and see how we're doing over here. And okay, I got a question from Sai, which reminds me of an intern I used to have called Sai. He was uh really really smart and uh still working for the company that they interned for when when they were my intern. Uh, which is good. Uh I just started learning web penetration testing with authentication bug but the problem is how to do recon. Yeah this is this is a big one. So for example Portswiger doesn't teach you how to do recon which no slight to Portswiger. Portzsworth is an amazing resource, but um in terms of approaching a target um uh dealing with um production systems being maybe like rate limited and and all and having to mess around with subdomains and and all sorts of other stuff and scopes and things like that. It doesn't really teach you any of that. So, um what I would say is there are some good um uh YouTube videos. So Jason Haddex, if you're interested in bug bounty, Jason Haddex has um a few like Defcon talks and things on YouTube that you can watch and he goes over different like tools and techniques for for doing recon. Um but what I would say is usually when you're looking at a target, there's a few things that you want to look for. You want to discover any subdomains um or other targets within scope so that you understand like what's your apex domain and and what other domains are in scope. Then you want to find all of the endpoints. So like slashadmin sluggin slregister um all of those kind of like directories or endpoints. If it's an old PHP server it's going to be like you know directories. If it's um a more modern web application you're finding roots basically. Um and then you want to be thinking about what functionality exists and what parameters exist uh and what input exists. So you know if we're on like sluggin for example um what parameters are being sent in the body? if you're on a different page like um slash uh blog question mark ID equals 456 and then there's some other parameters what parameters exist and then once you've kind of like got a reasonable idea of of what the web application looks like and what your scope looks like you can start um cherrypicking what you want to test first but work methodically through them and generally speaking I always pick authentication access control to work on first and then and then I go from there depending on what the target has. So that's kind of like a really very quick like strategic way to look at it. Those are the things you've got to do and then of course a lot of tools that will help you do that if that makes sense. So um let me keep checking. Yes. Uh Jason brutally honest about the industry. Yeah, Jason Jason Hadex is a legend. Uh I did some of his training as well. Um, and it was really, really good. So, shout out to to Jason Havoc and the um I did his bug bounty recon training which was fantastic because like I come from like more of an ABSAC background. Um, so like my recon skills were not very good either. It's never been my strong point. So, it's always nice to learn uh from somebody who's really really good at recon. Um, what hacking device would I recommend for beginners? a laptop virtual machine. That's for me that's like, you know, I do like AppSec and pen testing and stuff. Um, obviously if you're doing like hardware stuff, it's going to be totally different uh ballpark, but um but yeah, laptop, internet, virtual machine, and you could spend lifetimes with just those three things. You don't need to worry about anything else. Obviously, if you're interested in like hacking Wi-Fi and IoT devices and and uh and all sorts of other stuff, then yeah, you need more hardware uh for that. But um but otherwise, you're all good. Um let me keep scrolling down and see what we've got. Oh, message from Jazz. So, I can't highlight this one cuz it's on YouTube and YouTube's not linked at the moment. love the channel and all the advice and support which is awesome. Thank you very much. Um, past Comptier Trifecta. Yeah, nice. Good job. Looking at blue team as a career. Any thoughts on sets to concentrate on? So, blue teaming is great because I think there's a lot more um opportunities in blue teaming at the moment than there are on the offensive side, which is which is good. Um, which is awesome. Um, I think you've got some choices. Obviously like TCM, we have a blue team s and a lot of people um if you go on social media uh really really enjoyed the course and certification and it's not too expensive. Um but there are a couple of others kicking around. I think Andrew Prince did a blog for top blue top sock sets um if I recall. Uh, so that might be the best one to check out and then you can kind of like see the pros and cons and just decide which one is right for you. Whatever whatever you decide to take, make sure you take one that's practical. I think that's the biggest thing because whenever you get to an interview, even if you took a certification that's not the most popular, having a practical in um exam gives you something to talk about. And if the interviewer isn't familiar with it and they they they talk to you about it, you can be like, "Oh yeah, you know, I had to solve these tickets or I had to do this or I had to do this research or I had to investigate this and this is how I did it." It gives you so much to talk about from a from a technical perspective. And that's what people want to see. That's what interviewers want to see is your like mindset. So um whichever you take, um make sure you do uh something practical. Um there's no point in doing multiple choice exams once you get to like if you're trying to get into a technical role. Um the multiple choice exams kind of like tail off if that makes sense. And then and then we're all good from there. All right. Um let's see. Let me flip back to here. We're almost half past. Okay. So let me take one more question and then we'll start doing this box. Um I can see a few pinned questions over here. So, let's see. Oh, that's interesting. Okay, AI questions. Um, tell us about using AI in our major as cyber security specialists uh and waiting for us in the future. So, I think for me, um, AI is like a great assistant. Um, so for example, if I need a list of something or if I need to check something or maybe if I'm like, um, occasionally if I'm on an endpoint and I'm like, "Oh, I've checked this, this, this, and this. What other checks do you think I should do?" I'll ask chat GPT. And if chat GPT starts to hallucinate and give me attacks that are completely random, I know that I've probably like covered everything that I want. So sometimes chat PT GPT hallucinating is a good thing. um it means that you know you've probably covered everything you need to cover. Um yeah, I think like it improves my workflow and also when I'm building stuff for example or if I'm writing code for scripting um and like building frontends for example uh it speeds up my workflow quite a lot because you know yeah I could spend like a lot of time building a nice CSS front end with Bootstrap and or Tailwind or something like this or you know using a front-end framework. So I do a little bit of work in Vue at the moment or I could spend five minutes getting chat GPT to do that and spend the rest of the day on the back end or parts of the code that matter to me. So like I spend where things that are low priority I send to I use AI tools with and things that are high priority and require my expertise um I I do myself if that makes sense. And so chat GPT becomes like a really good um assistant from that perspective. I think when you're learning it's good to be not over rely too much on uh AI tools. Um but it's definitely good like if you have a if you've written something you need a sanity check or you want some kind of steps to get started it's useful for for things like that. All right, let's spin up this box. And I've lost it. So, hold on. Let me let me find my browser again. And I don't know what's happening today. I did not sleep very well last night, by the way. So, I'm really like today has been a day fueled by coffee. Uh, which for me, like I usually only drink like one or two coffees a day and I've pushed the boat out a little bit. three whole coffees. But for me, that's that's that's a lot. That's it's uh I'll start jittering soon. Um all right, starting the machine. Okay, so we're going to do chocolate factory. And let me switch over to my my VM. And then I really need to update my Ubuntu VM. Uh uh I think that's my password. There we go. And all right, other questions. Okay, so the questions for the box. Uh enter the key we found. What's Charlie's password? Change user to Charlie. Enter the user flag. Enter the root flag. Okay. So, uh, full disclosure, I scanned this box earlier just to see what was on there, but I haven't like made any meaningful progress. So, we'll see. We might get stuck. It's all good. Um, uh, let's make a directory. What's it called? Chocolates. If I can spell factory. Uh, and then let's end mapap dash a. Uh, where's my IP address? There it is. Oh, why is it not letting me paste? That's weird. My VM's not letting me paste into it. Okay, I'm just going to type 172.173 and then output normal scan.initial. So we can see uh scan the box and see what comes back. Now while it's doing that I am going to I'm in this weird view that one of my uh keys on my keyboard is broken now which is really irritating. It's like the command key on the left and I use that to like pop the menu and it's just so irritating that it doesn't work anymore. Um, we've got this web app which is this is what I found earlier. So, this is where we were at and I was like, this is probably the way. So, um, let's come into here and let's think about what we want to do here. If we had some notes, right? And if this was a pen test, probably what I'd be thinking is, okay, we have this main page, we've got a login form. Login form is obviously something that needs to be tested, but we also need to think, are there subdomains? Are there other pages? other other directories uh what else exists on this site. So here we can try a couple of things. We can try default credentials especially if it's like a CRM or or like a login portal for a particular tool. Um we could try basic credentials. So we could try like a bit of fuzzing like admin password one password two password three. Uh or we can try SQL injection uh as well. So we can just do something like let's just try adminad admin invalid credentials that did go to uh if we press F12 quickly and we come to network. So we land on validate.php. Ah how do I save preserve log? There we go. Why has this changed? No. What's going on? Is it because it's Whoops. Don't know why I just did that. Uh, usually it gives you a list of There we go. That's it. It's just like not displaying properly. Okay. So, we can see there's a few. We come over to validate.php and we get 200. And then back here to index.html. There's some content.js that we might want to look at. DOMJS and things like this. So, we could just briefly come in here. See where there's anything interesting. No, this is not like and stuff like that. Let's take a quick look at the page source. It's just CSS and a login form and it just posts to validate.php. Okay. So, let's just try admin or 1= 1. Still invalid credentials. Let's just try admin like this. Still invalid. And then we could think of names, right? So, uh, Willie Wonka, for example, or Charlie like this and try and just guess credentials, but doesn't look like we're getting anywhere. So, while we do this, I'm going to probably throw this into SQL map, but that's going to take a few minutes. So, while it's doing that, let's just uh ffufu http col the full the full URL on the clipboard. Uh, and let's fuzz this. And let's use user share. Uh, where's my word lists? Word lists. Uh, and [Music] then let's see. Let's come into sack lists and then discovery and then No, that's not where I want to be. Where's the dare buster one? Is it in here? This is not where I want it to be. Cy list. Let's see what's in here. Username payloads. We shells. Maybe it's in fuzzing. I thought it was in discovery. You know what? Let's do instead of doing this, let's um find dashame uh directories like this in word lists. Why doesn't that work? I've forgotten how to do this. Whatever. Um, let's just try Let me come into word lists. I thought I'd sorted out all of my word list. Let's just do. How big is this one? 4,000. Okay, this one will do. Let's do this one for now. So, FFUF-U. We can at least start with this one. fuzz and then our word list wants to be word lists and then common web directories. And then I'm probably going to add some extensions. So we saw the HTML extension um used for index. Um and I'm going to also add PHP I think because it looks like a PHP web app. And we could obviously check in the headers um in the response, but that should do. We'll see what happens there. All right, while that's running, end mapap has finally finished. So, let's take a quick look at this and then if we have some more questions, I'll try and uh tick them off as we go. FTP is open. So, that's something we should definitely look at. Um, so it looks like uh here as well um anonymous login is allowed and there's a file called gum room.jpeg in there. So, this is probably going to be since this is a CTF, uh, it's going to be a Stego challenge, maybe. And we've got SSH, which is pretty normal. Um, then we've got 80, which we're looking at. Got 100. Not sure what this is doing here, but it looks like um it connects. You connect to it and then it gives this and then small hint from Mr. Wonker. Look somewhere else. It's not here. Hope you won't uh drown Augustus. It's a cool name. Augustus. Don't think I know anybody with that name. Uh 106. Welcome to the chocolate room. Look somewhere else. 109. Same thing. 10. Same thing. 101. Same thing. And [Music] then looks like it's just the same on each. I'm not sure what these [Music] are. We've got a load of fingerprints. And that's it. That is probably the weirdest scan I've had in a little while. So, um yeah, that's it. Not much to see here either. So, let me answer one or two questions and then we'll we'll come back to uh to this box. Uh let me come back to the chat. Where are we? Yeah, this is a CTF challenge. This one's called Chocolate Factory on uh Try HackMe. It should be fairly straightforward. So yeah, we'll see. He's looking a little different. That's it. New glasses. That's changes everything. New glasses, new accent. AI accent. That's where it's at. [Music] Um keep scrolling down. Okay. Looks like Oh, can we link the room? Yeah. Uh let me let me drop it in the chat. There we go. That's the uh that's the link. I think it's been shared uh above as well. Uh can you get the recording? So yeah, we record all of these sessions. They're all on YouTube. Uh so if you go to the Cybermentor YouTube channel on the live tab, then uh then it's there and then you're all good. So uh and it's a try hackme machine, just a heads up. Let me just check in with uh YouTube. So, sorry if I can't if I'm missing your questions today, YouTube chat. To be fair, YouTube usually gets the primary treatment. So, um now today you get to feel what it's like to be on a platform with less viewers, at least for our channel anyway. So, uh but it's all good. Yeah, it's looking all good. All right, let's carry on. Um interesting that this home.php the size is different. I actually thought when I initially looked at this, this is the same page, but it looks like it's different. So, let's have a quick look at that. Uh, okay. This is Yeah, this is the way in. Okay, look, we have we have easy peasy command injection without even any filters. Press control U. It's going to be a little easier to see, but um yeah. Okay. Unless this is a trick somehow like so sometimes on CTFs what'll what they'll do is um they'll have like a command execution box and then it'll just like respond to keywords like key words from command injection like who am I else let's try host name at least we're not inside a uh container probably because this is called chocolate factory rather than just like a random ID which is what containers usually get uh for their names. Um, okay. [Music] So, we've got netcat. No, that didn't work. No, that didn't work either. Um, we're definitely running PHP because this app has PHP. You can see it's like home.php. So I'm probably going to use that to get a reverse shell. So let's go to payloads all the things reverse shells. And let's come to here. We could try bash as well. So if we don't get a PHP shell working, then the bash reverse shell might be the way to go. So let's just try this top one. Uh let's put it in here. Let's come back to here. And my IP is here dash LVP. I wonder how many times I've written this command out over the last 10. Like how long have I been doing CTFs and stuff for probably 8 n years or something? Maybe 10 years. Probably a lot of times. Uh so let's come into here and then paste this in here. And we're just going to change the uh the port on there. And the fact that it hung is actually really really good. Um this means we probably got a call back because it's very connected. And then it's waiting to send a response back to the um web app. But looks like we got a shell. Easy peasy lemon squeezy. I wonder if that was the uh intended route. It was a bit of a strange one considering we saw so many um things open on on the on the scan. Maybe it's just like supposed to be rabbit holes and stuff and this is like the intended way. Yeah, I suppose actually why would home.php with um uh with command execution on it exist if that wasn't the way? I think this is it. Um, cool. Nice. We're all good. So, who are we? Dub data. Yeah, that makes sense. And, uh, key rev key. What is that? That looks suspicious. Oh, we might have to do some buffer overflow. Okay, we've got like a 64-bit shared uh object. So let let me come back to this in a second. Let's just see whether we can um so we've got a user Charlie. Let's just see if we can get the user flag first. Mission denied. What is that? This looks like a public key cuz it has pub. Oh, there's a private key there. Okay. So, let's grab this. We might be able to just become I Okay, so my prediction is we can probably SSH in as Charlie and then we have to do um uh check this binary to do our prives uh SSH char. Oh, no. Let me micro um it's just micro key save quit chmod 600 key charlie ssh at uh what's the IP of the box again? So 10 10 172 dot uh 173 and we need dash I key like this. Oops. Oh, I've done this the wrong way around. I told you I haven't had much sleep today. How did I make that mistake? That was so dumb. Um, wow. That's wild. That's probably the weirdest thing I've typed on stream in a long time. All right. Um, let's see. We are Charlie, which is good. And CD into home. In fact, maybe we can just No, it's quite funny. We've So, we're we're called Charlie and then when we try to CD into our home directory, they've obviously set it up wrong and misspelled the name Charlie in the home directory. So, we can't use the tild to get into the home directory, which is kind of a fun quirk, but you know, it's what is not a big deal. And there's our flag. Nice. All right. Hopefully, I can copy and paste out of Oops. User flag. There we go. Oh, no. It's not letting me paste. Let's see. Come on. Ah, wonder if I right click, copy. I don't know what's wrong with my VM today. Okay, never mind. Um, just for fun, I set up like this. Oh no, she's moved. Oh, the cat's gone. I was going to change my camera to cat cam, but she's now lying on the floor chilling, so too late. The cat's gone. Um, she'll be back later, I'm sure. Okay, so what do we want to do now? [Music] Um, we probably want to investigate that binary. Let's do pseudo-l for good measure. Oh, we can do okay. Uh, I think we can just prove like this then. So, sudo user bin by and then just drop into a shell like this. Oh, easy peasy. Okay, so for those who haven't seen this before, so what we just did was uh we did pseudo-l which uh lists what pseudo privileges the user Charlie has. And then um we can basically run um user bin vi as root. And part of vi is that you can actually drop into a shell. So like I just let me demo it again. Oh wa wa. Here we go. So here whenever you see this on a CTF, this is probably like 99.99% of the time. Uh this is the way um this is what your priv is. And then what we can do is we can pseudo user bin vi probably what we could also do is actually we might also be able to impact files. So for example Etsy pass WD we could edit them with VI since we have pseudo privileges and we could either add a new user or upgrade a user so that it has root privileges. overwrite the roots um password for example so that we can then just uh sue to root. There are so many ways to to prove from from here but the easiest way I think is you just come into here and then hit escape um exclamation mark oh escape colon exclamation mark uh and then bin bash. So you see in the bottom corner you can put in and this basically says hey drop into a shell and usually like if you want to save or quit like you can like write or quit and things like that but uh in this case vi has like a a bin bash um capability. Same with like sometimes like end mapap as well you can like execute commands from from end mapap and and and things like this. So there are there are loads of ways to do this. Um, so hopefully Whoops. If we cd /root and then Oh, there's a root.py. What is that? Oh, it's just displaying a message. Let's python. So, we can Python root.py. Ah, we have to get the key. Okay. And this is like ah yeah, we did. Okay, we didn't do that. We still need to go and get the key. Okay. All right, that's it. This is This is what we need to do now. Um, where was that? It's in here. Yeah, this one. Okay, let's try strings. So, this is like a binary file and Whoops. I'm going to try and read the strings inside. See whether we can just steal that. Looks like it could be it. So, we steal this from inside the file and then cd /roots python roots.py paste in the key. No, it didn't work. [Music] Um, this actually looks like Why is this got dashes here? What's going on here? Um, I wonder if this is like No, it's uppercase as well, so that makes sense. Um, what is going on here? This is so random. Let's come back to our dub HTML strings this this file here and take a proper look. And while we do that, I can answer some some more questions. Oh, let me see. How are we doing? Is a golden ticket going to be the final flag? Uh, that would be cool, but it's not a Windows box, so maybe no golden ticket exploit today. Let's see what we've got here. This is like beast. This is like what? Byte stream or something in [Music] um in Python. What is B in Python? Let me have a look. Python 3 [Music] B string. Oh, string is binary as opposed to unic code. [Music] Uh, Python 3 B string to echo. Let's see. So maybe we can do something like uh which Python 3. So Python 3 and then we can do like um my string equals like this. And then I'm just looking at Stack Overflow. And then maybe we have my string dot decode UTF8. No, it's just giving me the same thing. Looks the same to me. Don't know. Maybe we need to decode this [Music] somehow. It's not can't be B 64 because it's got these dashes in it which are not legal B 64 characters. I did try before as well and it didn't work. And also um yeah, I mean it looks like it is with the padding, but let me see what else I can find on uh bite strings and see whether it's got some like cheeky hidden [Music] thing. And then let's go here. And this is just converting it. And then I wonder actually if we need it in the quotes. Oh, there we go. I was wondering what was going on, right? Because there's no way to like This isn't an encoding scheme, right? Is it? So, it's basically just a string. There we go. We just needed to include the quotes and then we're all good. Um, nice. You're now the owner of the chocolate factory. And we get the flag down here, which is nice. I need to copy and paste these because um I can't uh micro notes. For some reason, I can't get um copy and paste out of my uh out of my VM at the moment. So, that was a nice little challenge at the end. It's always nice to kind of get something a little bit extra, especially from like an easy box. So, it's like makes you think a little bit, keeps you sharp. Um, let me grab this as well. I think that's everything I need for the questions which I'm going to fill in later. Uh, cuz I need the points for try hackme. Oh, it does say what's Charlie's password. Oh, we didn't find Charlie's password. That's an interesting one that we also need to find. Let's have a quick look around. Um, see what we can find in here. Um, crap. There it is. CN7824. I thought it might be in the web app or I thought it would be in a database somewhere. So, this is Charlie's password. Charlie's password is this. Um, I wonder if we can sue Charlie. Oh, yeah. Of course, we can exit. Let's exit here. exit here and then quit out of uh uh this and then exit from here. Ah no, I need the I wanted the [Music] um uh dubdubdub session the web shell. Where is it? There we go. Let's let's respawn the web shell quickly. Uh if I go back, execute, and then in here. So, Pyth, we're just going to have to upgrade our shell quickly. pty.spawn bin bash like this. Um, what did I do wrong? Python 3- C import pty pty.spawn Did I typo something there? Oh, yeah. I typed import. That's why. And then sue Charlie. Yeah. Okay. So, we can't like uh upgrade to him unfortunately. But, you know, we've got his password technically, I suppose. Um, I wonder if actually if we come back to here it's just this, isn't it? Ah, got it. And this takes us to the homepage. Okay, so that's how we were supposed to discover this. But then how are we supposed to discover? Maybe there's like an LFI or like a way to read the PHP file from the web app. Uh, that would be Whoops. Where am I? Let's come back into this shell quickly. Uh uh don't know. Yeah, not sure. Not sure how you're supposed to discover this then. If you're supposed to like go through the index and then log in and then discover home.php. It's an interesting route, but um yeah. It was a fun challenge. All right. Um, let's go through a few more questions. We've got a little bit of extra time, so all good. And so, let's see if we have any questions queued up that I haven't done yet. [Music] So, let me keep scrolling down. Oh, good question here. Do I think it's okay for a pentester to just focus on web apps or red teaming or should they learn a bit of everything? I think generally speaking it's fine if you just want to specialize. Um I think there are I mean there are dividends to be paid like if you try and broaden your horizon a bit and try and learn a little bit about different areas and things like that. But honestly it's like um you know opportunity cost, right? So you could spend loads of time learning about something else which might be a little bit helpful at some point or you can just keep specializing and getting really really good at web app. So I don't think there's a right or a wrong way to do it. I think both are or can be correct like just specializing and not worrying about anything else can be a good way to go. And um having having a broad knowledge in lots of domains is or can also be a good way to go. I think generally speaking like the thing to not neglect is like like report writing is really important. Networking is quite important. Being able to communicate effectively is quite important. Um having good like general being able to manage your own projects and time management and things like that. Those are all really, really important skills that I think that everybody basically needs. I mean, there's probably a few individuals who can get away without having them, but I think that's also something that a lot of people uh neglect. Um, yeah, I think I typoed something here, but I name. So, the reason I wrote Iame was um, uh, the I is for, uh, ignore caps and lowerase. So it would it would match both cases. So if like we had a directory with a capital D, it should still match. But I think I don't know what I did. I think maybe I did it in the wrong order. Maybe I'm supposed to do like find slash dashame like this and then something. I think this is the right I think I was being crazy and putting this at the end like this. But we can just test this really quickly. Um, so let's find dot dashame. Yeah, that's it. I was being I was being stupid. So I I basically was putting this like you've got to put the path in here like user home. Um uh uh what's Oh no, I'm not on my screen. Hold on. Here we go. Here we go. I always forget to do this. Um yeah. So what I did before was find let me let me just clear this. So I did find I name and then like the current directory for example but this is wrong. So you're supposed to put the directory here which was me being dumb cuz I'm tired. Um and the reason I putame is yeah is basically um if this had a capital D or if the uh case didn't match it would still get the same results. So you can see that like yeah you get the same results. That's why I use the that tag. But um but yeah all all good good question just me being done with the uh with the order of the syntax. Um let's go for three more questions and then we'll we'll wrap up for today. Um let's see. Let me switch over to YouTube for a [Music] minute and see where we are. What's up everybody on YouTube? How are you all doing? I don't see many questions on over on YouTube. I'm having to scroll pretty far. Um, so I might be missing them. Yes. Motivation to finish the web hacking course on TCM Academy. That's it. This is this is the way. Oh, Discipline Spark has an exam tomorrow. Good luck. Good luck. Good luck. Hope it goes well. Drink water. Get plenty of sleep. Don't fall into rabbit holes. you're answering questions. Generally, your first instinct is most of the time your best bet. All right, I don't see any questions over here. Oh, uh, there's one. Started my studies with practical bug bounty. Nice. My question is, what made TCM join up with Integrity? Um, I can't remember. So I think integrity reached out to us and I was I mean I was already kind of in contact with Jonah and so we kind of know each other anyway. Um I can't remember whether it was Iny who reached out to us or or Jonah I can't remember it was so long ago but um you know the guys at Integrity are great so shout out to them. um they have such a great team and all really really nice people and it's like whenever I go to a conference it's always nice to catch up with them. Um but I can't remember the exact like circumstance as as it came around. I think there's there's a gap between like people I think the barrier to entry to bug bounty is quite high because it's quite hard and um obviously if you want to get like private bug bounty programs you have to get a little bit of experience you have to find some bugs and then we were thinking okay so how can we um narrow that gap and give people a little bit more uh hands-on experience um so that they don't just um you know sign up to a bug bounty program not find anything and and then never do it again. Um, and it kind of gave them a way to build a little bit of troubleshooting skills, covering core vulnerabilities and things like that. And that that was our idea of closing the gap basically. And it's supposed to be, you know, beginner friendly. Um, and that's it. So So yeah, that's how it came about. Um, sevenab says, "What should I do after finishing the try hackme paths?" Um, honestly, if you've done a bunch of like paths or courses, then move on to like challenges. I think that's the best thing you can do is start to work on things where uh you're not being guided through. So, you're putting your methodology to the test and then you can also sharpen it, add things to it and things like that. So, you can step it up a little bit and um and work on challenges. I think that's the the best thing to do. Um, let me take one more question. Oh, can I suggest some CTFs for beginners which should be done to get some fundamentals? Yeah, I'd say if you're a beginner, the paths are quite good. Um, Pico is CTF is is also really good. It covers like a wide range of topics and skills. So, I think that's probably your your best bet. Pico CTF is really um uh really really good um yeah, I think that's the best place to start or one of the best places. Like the over the wire challenges are also quite good. um they're not they're more like um like Linux kung fu kind of skills rather than like cyber security skills like pen testing skills. But it all it it really helps uh for sure. All right, that's it for today. Let me let me do the cat tax once again very quickly. If I if I turn this around here and go There we go. There's Po. Poppy. Yeah, there we go. paying that cat tax like a good content creator. Oh, she's she's up now. She's like she thinks she's going to get fed. Oh, actually, I can use my second angle. Here we go. Here we go. Oh, yeah. Fancy fancy camera turn. You all right, puppy? You okay? She's She's so confused. Look over here. Over here. There we go. Anyway, yeah. All right, and that's it for today's live stream. So, thanks everybody for joining. Um, if you have some like topics or particular boxes or or something that you want us to cover, then if you go on to YouTube and leave it in a comment there. Um, I do check the YouTube comments. So, that's the best way or um the Discord if you have the Wednesday there's the Wednesday live vibes channel. If you have like a request or something um we'll see what we can do. No promises, but if it's if it's a cool box or an interesting challenge for one of us, then um then we'll definitely uh take a look. But otherwise, have a great rest of the day, everybody, and we'll catch you next time. Thanks, everyone.
Original Description
https://www.tcm.rocks/pbb-y - Take on one of Alex's Web App courses with Practical Bug Bounty! This intro-level course can get you started down the path to the PWPA and the PWPP - and a rewarding Web App pentesting career.
Hack along with Alex in this recorded TCM Security livestream! Use the challenge here: https://tryhackme.com/room/chocolatefactory
Hacking starts at the 26:12 mark!
#tryhackme #cybersecurity #hacking #infosec #webapp #thecybermentor
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from The Cyber Mentor · The Cyber Mentor · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
Writing a Pentest Report
The Cyber Mentor
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
Top 5 Internal Pentesting Methods
The Cyber Mentor
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
SQL Injection Is Not Dead: Why an Old Vulnerability Still Breaks Modern Applications
Medium · Cybersecurity
TryHackMe: Support Walkthrough
Medium · Cybersecurity
Phase One: Getting Situational Awareness Right
Medium · Cybersecurity
How to Detect Unauthorized Devices on Your Network with Python (A Practical Scapy Tutorial)
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI