Pentesting Methodologies & CTF Challenges!

John Hammond · Intermediate · 🔐 Cybersecurity · 1y ago

Key Takeaways

The video discusses pentesting methodologies and CTF challenges, featuring Phillip Wylie as a guest, with topics including cybersecurity, pentesting, and Capture the Flag challenges. Specific tools and techniques demonstrated include Tib3rius's AutoRecon for automated reconnaissance and vulnerability scanning, open-source tools, and base64 encoding in the context of web application security.

Full Transcript

John Hammond: Alrighty, hi everyone. Goodness gracious, I think we're live. I think we did it. I know we're just a few moments late, maybe just a little minute or two, but I wanted to, hey, make sure all the things behind the scenes are buttoned up, eyes are dotted, tees are crossed, and we've got our good friend and guest for the show today. Now look, there's no secret, truth be told, that a handful of these that I do want to keep trying to share, live streams that have more of a JHT or Just Hacking Training focus, are, hey, me trying to help spread the word. If anything, really just trying to get the messaging out and about that we're trying to do really cool stuff. We have some incredible people, an all-star lineup of course developers, exercise and activity developers, training, instructing, all that sweet stuff. So please forgive me, please allow me, please give me your grace in letting me showcase some of that fun stuff. And you know, we've done this for a bit now. We've got Mishaal Khan when we were chatting about OSINT, we were hanging out with Ellie Do when we were doing some cryptography, just recently we got together with Slavi who shared some Active Directory magic, and now I'm pretty excited to kind of open the door for not strictly the courses that we would like to be able to showcase, but even just the extra exercises and the activities and the challenges that we can make available for you, again with incredible folks that are doing awesome things in the industry. And we thought, you know, let's get started trying to share some love for those upskill challenges. And Phillip Wylie, I'm extremely grateful, has put some together, and he's been doing some fantastic stuff, so it's no secret we'll be sharing that out. And we'll also be doing our kind of fun, I hope, little live stream extravaganza where we can share a cutesy little coupon or discount code for you as a thank you for coming to hang out, for letting us banter and get together. And with that, we'll have that available
throughout the show, and I'll give that to you right away when the time comes, and we'll make sure that that is something available, I think, through the weekend. That's been the benefit of having a Friday live stream: all of you here hanging out with us get to reap the benefits, if you'd like, right away, and we have a little bit of a trickle for the weekend for anyone that catches the VOD and wants to tune in just after the fact. But with that, I don't know, I think I filled the air for like two minutes. Do you need any more bantering of just me? Do we need any other shenanigans? Look, the road map, the agenda: I will say we'll get Phillip in here, we'll chat and do some AMA for a little bit, and then I think I will try my hand at some of the old, old school vintage Capture the Flag challenges, because I do want to give some love to some CTFs. I haven't been able to do that in a little bit, and we do have some on the horizon. I'm putting another show together in February for another Capture the Flag event that we're hosting. So that's kind of the pizzazz today, and I'll give you some love to be able to tinker, get your hands on it, and interact and engage just as well. But Phillip Wylie, if you're willing, can you give me a thumbs up sort of from the backstage? Are you feeling good? You ready to come into this thing? All right, I see it, I got the cue. And thank you so much everyone. I will be sure to get chat in here and there. I do want to be able to, hey, make sure we're interacting with you and get your questions answered, and we'll have those back and forth. But Phillip, can I bring you in? Excellent. Hey my friend, how are you?

Phillip Wylie: Hey John, good, happy Friday.

John Hammond: Happy Friday. So great to see you, and especially thank you again and again for making some time to chat and hang out and banter. But if you're willing, for folks that might not be familiar with who the heck you are, what you're up to, what's going on in your world, are you willing to just kind of, I don't know, give some
background, give that context, the bio, the obligatory elevator pitch for who you are?

Phillip Wylie: Yeah, so I'm Phillip Wylie. I have my OSCP and SANS web app pentesting certifications. This month made 21 years in cybersecurity, so I got my start back in 2004. Prior to that, and I want to make sure to include this for anyone trying to get into cybersecurity or pentesting, I started out as a system administrator, so those six years being a sysadmin was some of the best things that helped me in becoming a pentester. And so out of my 21-year career I've been on the offensive security side for a little over 12. I'm a former adjunct instructor at Dallas College. I taught there for almost four years, which got me interested in teaching. I still continue to teach workshops at conferences, and fortunately I'm a part of your platform and released the upskill challenge, and I'm looking to add more content there.

John Hammond: Excellent, thank you so much for doing this. And before we go too far, I do have to say, Restream, the browser studio session that we're doing, is not always very friendly to me, so if I just happen to disappear, if I disconnect for a quick second, I promise I will be back. But I hope you don't mind, hey, carrying the show for maybe a couple seconds. It seems to be a running trend when I've gotten together with past guests, I just fade away every now and again, so forgive me, but I appreciate your grace in that.

Phillip Wylie: Sure.

John Hammond: Now, I know your day job right now is, can I ask, what are you up to?

Phillip Wylie: Yeah, so my day job is Horizon3.
We're an autonomous pentesting product company, which, before I joined, I did not realize that pentesting could be automated that much. You know, it's totally automated. You've seen a lot of these great scripts, like Tib3rius's AutoRecon and a lot of these other great automation scripts for pentesting, but they've been able to figure out how to completely automate it, which is really surprising to me. And the automation is really kind of the next evolution of pentesting, because at one time, and this is before I got into pentesting, they didn't even have vulnerability scanners, so it was all completely manual. And you imagine doing a large-scale pentest these days without a vulnerability scanner, some of the tools, Metasploit, some of those tools. So it only makes sense that we're able to scale to something like this. It's a force multiplier, and it's not just a complete replacement. The thing about it is there are consulting companies and pentesters using this product. They're able to get the boring stuff out of the way quickly and spend more time doing the creative stuff. You know, kind of like we hear about AI, what AI does is free us up to do more creative stuff, and that's kind of what NodeZero, the Horizon3 product, does.

John Hammond: Yeah, I'll admit I am on the outside looking in, right, just an external party, and I did have the, like, hang on, wait a second, I had the momentary hesitation of, like, can you fully automate a pentest? I have been, I don't want to say apprehensive, but I'm like, wait a second. But as I've gotten to know a lot more of the Horizon3.ai folks and been able to chat with you and plenty of others, and we even spoke just previously, I do want to dance with that for a moment, but I think you all are crushing it. They're a partner for the channel, there's no secret in that, and I appreciate all their support, but it's wild and crazy cool to see just how much you can automate, and just as you
mentioned, like, get the boring stuff out of the way and get right into the fun, really necessary, critical issues.

Phillip Wylie: So, and if people really want to see how legit the product is, just look at some of the research that our attack team has come out with. I mean, you see some of the competitors, and I'm not going to name names, that say they have OSCPs and OSCEs. We've got OSCPs, but we've got people finding zero days and doing some really great research.

John Hammond: Yeah, I had emailed, I reached out just the other day to chat with you and ask, hey, can you tell me a little bit more about that SimpleHelp and these SimpleHelp vulnerabilities and CVEs. So extremely grateful for Naveen, I think he was the one that put together that write-up and the blog post, and we were chatting about that because we've also seen some of that in-the-wild exploitation. I don't know if we're going to be cranking out a blog post or anything for that, but it's just good to see community collaboration and industry collaboration, so thank you, thank you, thank you. I can't say it enough.

Phillip Wylie: I'm glad that they do that kind of stuff, and it's not something you often see. You know, some people have their secret sauce, they're not wanting anyone else to know about it, hold it close to their chest, and so it's really good to see that they're open to collaboration. And one of the things they also do is we use a lot of open source tools under the hood, but whenever they come up with improvements for those tools, they'll submit it back to the creator, the open source project. So they're not only just taking, they're also, if they find ways to make it better, they share it back.

John Hammond: Awesome, awesome. Can I ask, I know you just mentioned at the start, hey, you were getting started in the industry, in your career, with system administration, and I know some folks might have somewhere in their mind that idea of there has to be, or there is, or there should be a natural path from A to B to C or whatever to do cybersecurity. Is that true, yes or no,
somewhat, sort of, maybe? And maybe it's help desk, maybe it's sysadmin, or not. Can I pick your brain on that, or is that a question you've heard time and time again?

Phillip Wylie: Oh yeah, and I love to talk. It's a good question and something that needs to be rehashed, because some people don't get to hear my response or whatever. But, you know, there's a lot of people with different points of view on this, but yeah, I would love to talk about it.

John Hammond: Cool, if you're willing, I'd love to, because in my mind I know that I jumped into security before doing a proper sysadmin or help desk role, and I feel personally like I've been at a disadvantage because of that. Like, I'm not super duper sharp on setting up an Active Directory environment, or making sure the printers are working in all the ways that they should, or all the other things that you just don't tend to think about when we've been kind of really focused on let's find a CVE, let's get a vuln, and let's pop a shell, blah blah blah. I'll let you fill in the gaps, though, if I may.

Phillip Wylie: Sure, yeah. I think one of the things I tell people, because I've had a lot of people come to me because I share my background just to kind of show people where I came from, and part of that's to encourage people that may be working in IT that, yeah, you can transition, these skills help in this area. And also, one of the things I mentioned earlier is I wrote a book on starting pentesting careers, The Pentester BluePrint, just to put that out there. But one of the things too is, like, I tell people you don't have to spend all that time as a sysadmin, but I would say while you're learning the skills needed to be a pentester, you really need to have sysadmin-level skills. And that doesn't mean you have to work as a sysadmin, desktop support, or help desk. You can gain those skills on your own, so you don't have to have that direct experience, but it is helpful. I mean, one of the things too to keep in mind for anyone listening is that if you're in IT somewhere
or some entry-level cybersecurity job, all that experience builds on each other, and it's helpful when you move into those different careers. And some of the things, even as simple as if you work on a help desk, you could be doing some social engineering on a pentest engagement, and maybe your pretext is coming from a help desk angle, so you're able to share that experience. But yeah, I don't think you necessarily have to have the direct skills as in IT or being a sysadmin. Honestly, if I would have had the opportunity to jump straight into cybersecurity, I would have, but at the time, because I got my start as a sysadmin in '97, there were hardly any companies that had security teams. Because at a couple of my first IT jobs there wasn't a security team, it was the network engineer or network administrators managing the firewalls. And so I would have jumped in if I could have. If I could have jumped straight into pentesting, I would have, because I'm one of these people that are not always patient. I'm an instant gratification kind of person, so I want to do it right away, and sometimes that's really come back to bite me.

John Hammond: Well, it's funny, because now I feel like you've built out a methodology. Is that fair to say? Like, hey, you've got not so much a checklist but a procedure, the order of operations as to how you do what you do. Is that fair to say?

Phillip Wylie: Yes, yeah, yeah.

John Hammond: Well, hey, I wanted to use that as a little bit of a segue to tease and showcase what you've been willing to put together for us, and I'm extremely grateful, over on the Just Hacking Training side. I will screen share if that's okay.

Phillip Wylie: Sure.

John Hammond: But yes, as soon as I find the browser.

Phillip Wylie: Cool. And I really thought this was a good idea, because you see a lot of content out there that's really focused on the technical side, and sometimes the methodology gets overlooked, and methodology is very important.

John Hammond: Yeah, I'm super excited to shine the spotlight on that, because, as I've been saying, hey, the whole
what I've been wanting to embrace with Just Hacking Training is that, look, it's not just me anymore, for stuff that either I showcase on the channel or, hey, we're trying to share education with other Capture the Flag competitions, etc. While they're all incredible for learning, there are so many other fantastic folks who have learned so much and can share everything that they've learned over time. So that's been the love with our all-star lineup of great folks that we've been bringing in and getting together with, and I'm stoked that you were willing to join the party. And thank you, thank you, thank you, even if it is maybe starting small. We have the upskill challenges as one of the many things that we could bring to the table. But can you tell me a little bit about what you've put together for your upskill challenge?

Phillip Wylie: Sure, yeah. So for my upskill challenge, for those of you not familiar with these, these are short, small trainings, 10 to 30 minutes of student time, but really it just shows you the steps, the methodology of the steps in performing a pentest. And what this does is this helps you to be consistent and make sure you cover everything that needs to be done, because otherwise you're just going out there without a plan. And sometimes companies may refer to their testing method, or whatever, they may have a playbook or a runbook that has all the steps in there. Sometimes I've seen some reports, and there are some people that are using report generators that actually have, like, a checklist at the back of it verifying that you've done all the steps, and it's making sure everything gets covered, because it's easy to miss things. And so you want to make sure, and plus, going through the steps as someone starting out, as you learn this, this becomes, you know, second nature. You don't have to sit there and look at the list, because you know what all needs to be done. You know you need to do your reconnaissance, you need to do your
vulnerability scanning, port and service scanning, and then your vulnerability analysis of things that you found. So this really helps you to be consistent and have full coverage on testing whatever target you're testing. And this is applicable across any kind of technology, because it may be some of the newer technologies that weren't out when some of these methodologies were created. And one of my favorites is the PTES, the Penetration Testing Execution Standard. One of the reasons I love it is you've got real-world gurus that wrote this: Dave Kennedy, John Strand, Carlos Perez, Chris Nickerson, you know, people from world-class boutique pentesting firms. And sometimes you see a lot of things from the academic world. While it's not always bad, I think when it comes to the pentesting world you really need real-world hands-on experience, because a lot of times there's a lot of confusion. Sometimes people think a pentest is an adversary emulation, so they think they're trying to go undetected and all this, and that's not really the case most of the time. It may be a request from the customer to see how long you could go before being detected, and this was kind of earlier on in my career, but now you have things like red team engagements and purple team exercises that get you some of the same effects at a better scale.

John Hammond: One thing that I did want to harp on is, hey, this, among all the other upskill challenges, is free, and they are meant to be, hey, that small, bite-sized learning, but also totally accessible, totally something that anyone could dive into without a price tag on it. So I hope anyone tuning in would be willing to go take a look, justhacking.com, and if you were to navigate, drill down to some of those upskill challenges, it'll eventually take you, hey, to the platform and the program where you get to dive into that penetration testing methodology. Can I showcase it? Can I just, hey, maybe pull it up, scroll
through it? I don't think there's too many secrets here.

Phillip Wylie: Please do.

John Hammond: But I love the fact that, you know, it's still trying to get folks involved, engaged. The benefit with these is that it is going to be a good amount of material and content, and then a little bit of a quiz, something that you might have been able to see on the left-hand side for the navigation. You can check your understanding, do the double tap, make sure that is something that you've ingrained and learned and reinforced, and then if anyone is interested in taking on more, then that's what it's all there for. But hey, please do go take a look at the upskill challenge, and especially Phillip Wylie's penetration testing methodology. It's something that I'm very excited about and happy about, especially because, as you mentioned, there's not a whole lot of background, there's not a whole lot of extra understanding on all the other components of that world. It's pretty easy to just get on the keyboard and start hacking away, but there is much more to it. So anything else we can sprinkle in here for you, Phillip? Or what else is cooking up in your mind? Is there more that you are going to be tackling? How are you feeling with time, with commitments, with obligations? I don't know, what's next for you?

Phillip Wylie: Yeah, one of the things I want to do, as far as Just Hacking Training, is I want to do, like, an introduction to network pentesting, you know, the basic kind of network pentesting, because I see you've got some really great folks on there doing the web application stuff and API backgrounds, so I thought, you know, maybe something on network pentesting, because I have a popular workshop that I give, typically at conferences, that I call Pwning Networks, and basically it's an introduction to network pentesting. So that's kind of something I plan next, to create a course on that.

John Hammond: Awesome.

Phillip Wylie: And one of the things I want to get more involved here is I had a free platform that I was using for workshops
that this company was building. This training platform was really buggy and didn't work out, and they finally just closed down business, which really worked out well, because the last in-person workshop that I tried to teach, at BSides San Antonio, the students weren't able to get into the platform at all.

John Hammond: A bummer. Yes, that's really hard. Dang, I'm sorry to hear that.

Phillip Wylie: So I needed a place to go, so this provides me a way that I can create this as an on-demand course and also leverage it during in-person workshops.

John Hammond: Cool, cool, that's great to hear, and I hope there will be some runway. Thank you for doing all the things you do.

Phillip Wylie: Yeah, it's an honor. Community is one of my big passions and one of the reasons I do my podcast and bring on people like yourself, for those that are trying to break into cybersecurity. And it's not purely just for the beginners, but just to introduce them to people in the community, different technologies, different types of security.

John Hammond: And I know, hey, I'd love to shine the spotlight on your podcast for a bit. How long have you been doing that? And I'm grateful, thank you for the guest appearance some time ago, and I know we got to chat about all those things, career, CTF, pentesting, etc. How long have you been putting that together?

Phillip Wylie: So my podcast journey started with The Uncommon Journey. I used to podcast with Alyssa Miller and Chloé Messdaghi on ITSPmagazine's platform.

John Hammond: Nice.

Phillip Wylie: We did that for almost a year, but you know how those two ladies are super busy.

John Hammond: Oh yeah.

Phillip Wylie: Trying to schedule their schedule and my schedule and guests got pretty difficult, so down to the end we did it for close to a year, and then ITSPmagazine asked if we wanted to do our own, and I started The Hacker Factory podcast and ran that up until my last episode, which was June of 2022, and then, actually June of 2023. But I also started, I went independent on some advice from some friends at the end of April of 2023, and actually our
good friend Don Donzal was one of my first guests. And this time around I'm doing video, not just purely audio, and also, when I came up with the idea for the first podcast it was really more focused on offensive security, but there's so many other areas of security that need to be examined and discussed. So I just kind of named it The Phillip Wylie Show, so that way it's not stuck doing any particular thing. I've had people on from marketing, I've had someone on, one of the personal trainers I know at the gym where I'm at, did a talk on meditation, because, you know, things like mindfulness and meditation are good for burnout and mental health. So it's kind of open. Not always that kind of stuff, I sprinkle some of that in, but it's been a lot of fun. I enjoy doing the video part of it instead of just the audio, and it's been a great experience. So I'm over a hundred episodes.

John Hammond: Wow, congrats.

Phillip Wylie: And it's going strong. The thing that's tough is, whenever I switched, thank you, when I switched over I had no way of communicating with my former listeners, so it's rebuilding the audience all over again. So I'm really trying to get the word out. It's starting to take on some traction and build back up again, so it's been a lot of fun.

John Hammond: Well, hey, more power to you. I love it, and I absolutely want to help, I don't know, not to say promote, but at least share and put you up on the pedestal of, like, hey, look at all these awesome things great people are doing. And can I dance with this for just a moment, because you said there is so much in cybersecurity, or just kind of like what we're loving to chase. Like, even as the YouTuber, or creating YouTube videos and content, I am totally acknowledging that, look, stuff started with either programming for me, and then moved to Capture the Flag, and then some pentest, offensive security work, but then there's the blue team, and there's malware analysis, and there's tracking threat actors and cyber
crime, and looking in the dark web, and, hang on, what about the game hacking direction, or even the scam bait direction? It's like, wow, there are still so many things to explore, and I have not even, like, cracked the can open for mental health, which is absolutely a thousand percent priority. So I'm right there with you. I think, wow, when I had the channel of John Hammond, there's a blessing of, yeah, John can do whatever he might like. Well, there's many different pockets of cybersecurity, so going for The Phillip Wylie Show, making it general, I don't think there's anything wrong with that.

Phillip Wylie: Yeah, one of the things, back to the different things in security, that's one of the things I like to see more of, and I really love to see people sharing other realms of cybersecurity, because so many new folks come in and all they know about is the ethical hacking piece or pentesting. They really don't know about the blue team side, and there's a lot of interesting things out there, and I think it's really worth your while to explore all of those. Because one of the stories I like to share was one of my former co-workers. He started out on help desk at the company. He went through some digital forensics courses through SANS. First I thought the company really puts out some money on training, because he'd been through several digital forensics courses through SANS, and come to find out his parents and his family really support him on his education, so this is kind of how he got funded to go through that SANS training. But he went through all these courses and finally decided, I think I want to take a pentesting course just to understand the hacker side of things, so maybe I'd be better at digital forensics. He took the course, fell in love with pentesting, and now he's been doing that for about eight years now or so. And if he hadn't ventured outside of that one thing he was checking out, he would have been doing who knows. He might have been happy with it, but he may not have been. So he explored and found his true
passion.

John Hammond: No, I love it. It's certainly good to explore, try new things, see what else is out there, and there's so, so much out there.

Phillip Wylie: Yes, there is.

John Hammond: Yeah, well, did you get a chance to mention your book as we've been chatting? I'm sorry, I don't know if I missed it, but I know that you mentioned, look, you wanted to give some love to the blue team here, and there, is it the Blue Team Handbook, am I misremembering? And you've had so many now.

Phillip Wylie: The Pentester BluePrint.

John Hammond: Pentester BluePrint. Blue is in the name, so it got me thinking.

Phillip Wylie: Yeah, yeah. It kind of pays homage and throwback to my very first career that led me into IT. I used to be a CAD drafter, and so I used to do a lot of blueprints. So when we printed out prints, we'd make blueprints of it, so it was kind of a throwback to my first professional career. And so the book came out of, before I even started teaching at Dallas College, I had a lot of people wanting to go through the OSCP that asked me advice on how to prepare for it, as well as anyone trying to get into pentesting. So I would share advice with people and learning resources, and then once I got into teaching, I took what I was learning there, because The Pentester BluePrint was my first-day-of-class lecture each semester. So the first time I gave it was January of 2018, and the other instructors in the cybersecurity program there would ask me to come in and give the presentation to their students. So by November 2018 I turned it into a conference talk and gave it at our local BSides Dallas Fort Worth for the first time, and then gave it many times after that. And then I got asked by Wiley publishing if I wanted to write a book, because I was in the Tribe of Hackers Red Team book, and they asked me about book ideas. And I thought, as many times as I give this talk, so many people have heard it for the first time. I mean, I've even had people that have been on CFP review boards, and people said, well, one of the items in the checkbox is, has this talk been given before, and I kind of
told them, I said, if it's not local, then you should let the person give the talk, because there's talks that have been given a lot of times and a lot of people haven't heard it yet. So thinking along that line, I thought if I wrote a book on the subject, then it would get in the hands of more people, because not everyone is part of the cybersecurity community or knows about it. Not everyone's following the right people on YouTube or going to conferences, so it could be hard to get a hold of that information. And so I thought writing a book would be a good way to do it, and it has, it's been a good way to reach people, give them information on how to get started as a pentester. And, you know, just to kind of clarify, the book is not a book on pentesting. It's not teaching you to be a pentester. It's sharing the prerequisite knowledge, some of the helpful certifications, discusses, like, home labs and different resources like that. So that's really more what the book is about, because there were a lot of resources out there to learn pentesting, but no one really had anything on what do you need to know first.

John Hammond: Well, I think, if I'm looking back, I feel like I remember, hey, you and the co-author had reached out for a quote, and I am extremely flattered and honored. I think I made it in. I just got a little line on, like, page 87 or whatever, I don't know, but thank you, thank you, thank you. It's the sweetest thing in the world, because I love to, you know, have a physical book that you've done all the work for, but, oh sweet, I'm there.

Phillip Wylie: Yeah, that was one of the nice things about being in the Tribe of Hackers. I mean, you were able to contribute some, not a lot, but be part of a big overall project like that one. Speaking of projects, what I really need to do is go back through and dig through the book and find all the people that were contributing to it, and somehow or another, as long as they're, you know, bring attention to it, because I think there's a lot of people that don't realize all the people
that contributed through quotes and their experiences.

John Hammond: That would be very cool. Yeah, I think there's certainly quite a cohort of more incredible folks even through just that one resource, so great to hear it. Well, if you're all right with it, I think it would be kind of fun for me to do a tiny, teeny-weeny little showcase and demo for some of the CTF stuff over on JHT, or Just Hacking Training, and I'm happy to drive that. I know you're a busy fella, but, so with that I should ask, do you have to run, or if you've got enough time, are you willing to hang out, banter, and I can maybe show you some?

Phillip Wylie: Sure, definitely, I'd like to see it.

John Hammond: Yeah, cool. Well, with that, I will do the shill sellout thing and start spewing and spamming some coupon codes, but I did want to make sure we squeezed it in, because I think that would be worthwhile for the folks that are here for the live stream. Thank you, thank you, thank you for those of you coming to hang out with us. We are doing a little live stream fun extravaganza. If anyone wanted to get started with some of the Capture the Flags in the past, then you've got that accessible on Just Hacking Training. And the reason that we put that together is because I have hosted, and we have hosted, other CTFs historically, way back when folks were tracking VirSecCon, that's like the 2020 time frame, five years ago, and then we had H@cktivityCon, and then we had BSides Boston CTF and GrimmCon, and then we've done stuff with Snyk, and then we've done ThreatCon, or other different events and conferences. And we've built, I think, genuinely a thousand challenges now, not just me, but other, hey, incredible developers and folks that have made some cool stuff. And we have been wanting for the longest time, this keeps me up at night, it's like, right now, after the game is over, after a weekend, 48 hours, the CTF, the challenges, they're dead. For one thing, they're burned, right? Writeups and solutions are now shared on the internet, and that's okay, so we'll have
to come up with some new fun stuff for the future but there has never been an always on platform for folks to be able to even just play with some of the challenges that we've made unless the game were to last or the infrastructure were up for another week and then we tear it down after but that's always just a matter of time it's not always on demand so one of the lovely things we've been able to do with jht is help preserve that in some of the capture the flag or CTF archives so we're slowly rolling these out but you might have seen oh there is actually the way for you to play some of the old like ncon 2024 challenges so if folks were really part of the community and involved in that event I'm so grateful for your participation but if you'd like to play with them a little bit more after the fact now you can uh let me add the disclaimer this comes with a price tag I hope a very tiny price tag I hope a minimal I hope an accessible price tag but that is so that you get a virtual environment a lab and an activity to be able to play in a playground to work with and we still kind of can keep the challenges and the source and the actual creation of them safe and secured in a way that's not just handing you all of the things still gamified to a certain extent now $20 I acknowledge but we did want to help share if you wanted more than just ncon or more than just sneak CF hey I'm trying to Hype it up uh you can get both of those two for one with uh the little deal that I think there's a link I don't know I can uh we might be able to share it in chat there's a sweet short link yeah thank you Don um he's helping share and promote thank you thank you thank you over in the chat short link there jh. 
live jht CF bundle and that will get you both the sneak fetch the flag and the ncon 2024 now background context on this sneak sneak fetch the flag we first put on that game with them way back in 2023 and I wanted to help bring it to life a little bit more and I'm so grateful for their support and letting me do that again this year and with that eventually I'll shut up I promise I really really will but coming February February 27th if folks wanted to play for a new real active game uh sneak do cf. games is the URL and the link to be able to register and sign up and play for our upcoming game so I'm very excited about that one I hope you do play we have a lot of really cool challenges up in the ringer but this is a short game no doubt about it I know folks I might be more comfortable with maybe the ncon or whether 48 hours or stuff that we've done for Huntress ran whole month for goodness sake but this is a 12h hour Sprint should be a lot of fun though but that February 27th I hope you can play and of course we'll try to get some of the challenges put in the archives on jht and then you'll be able to keep interacting with it even after the fact okay I'll shut up but I hope you can uh play with that CTF two for one bundle and get your hands on ncon 2024 and the old sneak fetch the flag challenges if you'd like with that said let's go play with it if I were to have jumped in and joined the sneak 2023 fetch the flag archives for just hacking training uh remember the upcoming one for 2025 is in February but if you wanted to look into the past go through the Vault here we do have this available and the structure and style here is that you have all of the challenges that would have been in different categories now within their own little lesson so to speak because the platform is built more for courses more for oh that Hands-On training and it's weird to see well we're not in ctfd anymore um with that said we can still ask those questions and get the prompts for what's 
the flag and I'm acknowledging a th% writeups already exist there are solutions out and about we still wanted to make this a place for you to play with them if you'd like the option is there and this can expand for all of those categories all of these and the warm-ups are labeled as easy with their estimated difficulty but if you were expand out other categories and these are veryy by different game or by CTF you can still play with them so if any of you wanted to go back for some of the lore or if you really liked oh I remember that worker B challenge or remember that Queen be challenge or remember that super cool wsgi flas cookie little exploit Shenanigans we were doing then you can go experiment and play the way that that happens is with all the credit to spin up a virtual environment it's super duper easy you kind of click the button and then it will spin up the challenge virtual machine that will host and serve all of this and the Cali Linux machine for you to have a Homebase HQ and the ability to actually work with these and play uh please please please give me some feedback uh would you like a different structure or style for this because I think oh the green yellow or orange or red little icon is good and fine but I'm sure would be really cool to get more of a lesson and an explanation and or a guided writeup or even links to other community writeups for folks that have solved this challenge in the past please please please do give me that feedback the only way that we can get better uh is if you voice that input that constructive criticism so nothing wrong with that now we do have some systems put together let me see if I can get into Cali once it starts to connect that should open up another tab for us and I'm good to allow it to use my clipboard it'll take I think just a second to get it cruising but there's nothing wrong with that we can uh get back to the challenges and see what else we could do the one that I wanted to Showcase in this case and I'm 
cognizant that there are a lot of web challenges but we'll do maybe a small one maybe a simple one maybe still something for us to dip our toes in the water cognizant we've got about 25 minutes left for a little live stream hangout but you've got all the challenges that were put together by either myself or by husky hacks folks might be very familiar with Matt Kylie uh he's a co-worker a teammate a great friend um and soups and some others that have been able to contribute previously I think it'd be fun to dive into Kevin's challenge kevster big shout out to him you wouldn't steal a flag. text and a slash flag. text The Prompt here is after the tragic unexpected and terrible breach of our computer systems from highly sophisticated adversary series we've removed all login functionality so there's not a lot for you to do or to play with on the website we Remain the most secure security system in the world and it will give you the connection info for you to open in your browser in the virtual environment some may or may not contain uh challenges for you to download and work with uh but you won't even have to download them because they'll again already be set up in that Cali Linux VM so you'll be able to drill down and maybe open up the directory extract the challenge files that are necessary for one of those tasks so you wouldn't steal a flag is on the challenge VM listing on Port 8300 and with that I think I can hop back over to our Cali Linux virtual machine and you see everything that is there on the desktop uh L things that are accessible for the other challenges can I full screen this AOK will it behave for me it might be I'll try my best to make sure the tech size is much larger and bigger here but let's open up a for the one thing and let's open up Firefox as a web browser to go explore uh I will again add the disclaimer because you know that I have to add my asterisks and I have to do that self-loathing just that's just because who I am uh browser based labs 
are good they are not my favorite I will be the first to say that I will fall on my sword I would love if we can get into a VPN or another oh VPN certificate or a quick and easier way to be able to um bring things to life I closed out of Firefox just as I opened it that was cool just because I was trying to clear the old tabs that were spoiling so we'll bring that back to life as soon as it comes back at me but remember if we were to move into our desktop we do have all of the other folders for challenges that might have uh static files for you to work with or download or review but benefit of working in Cali benefit of having the lab environment all set up anyway let's get to our challenge VM Port 8300 and this will bring us to that you wouldn't steal a flag. text challenge web page here is apparently called SSS reincorporated the security secure systems a little bit Goofy and I know there are a lot of web challenges but that's been kind of the fun especially for I don't Phil can I ask you actually is it fair to say when you're doing penetration testing when you're doing pen testing do you often times still find a foothold or at least a good lead in web apps yes yeah it's probably one of the number one footh holes that I would have I don't know how many times I went in and found like uh tom cat or uh red Hat's application server and just getting in a foothold through that because I've been in environments where you tried you know responder you couldn't get any credits that way and you couldn't get a foothold and then found like something like aache Tom cat was able to uh upload you know a malicious War file and gain access so yeah that's that's one of the biggest reasons I think anyone if you're going to be in pen testing you need to learn some web app at least in case you find some opportunities that you can uh get a foothold and I think that's why I'm a little biased I I like web challenges I think they're fun and they're cool and they're neat and uh I know 
there's so much love for OB binary exploitation and leite hardcore buffer overflows return to Lipsy stack smashing memory corruption but if I'm not going too far out in the cliff here Phil I don't think you tend to see that that much do you no not really yeah one of things I think I have to say about ctf2 is I've seen so much bashing of ctfs and and through part of it through like certifications where people would say this certification is to CTF like but the thing about ctfs is world world vulnerabilities sometimes could be easier than some things in CTF because you know CTF sometimes try to take you down a rabbit hole you think it's something else but it's not and you go this way there's multiple you know vulnerabilities there and it's really teaching you you really need to do your eon and and thoroughly assess that Target and not just go for the first thing you see because there's sometimes it's misleading but what that does is that kind of develops you for more difficult targets when you're pentesting so I think ctfs are great we've got one of probably one of our best pentesters and hackers in our Dallas community that used to do a lot of ctfs and he got a lot of experience uh you know doing ctfs as well as building some ctfs as well excellent well up against a web task a web challenge or a web app in the pentesting space here what are some of the first like either lwh hanging fruit we might be able to look at I know there's the Dumbo cheesy robots. 
text I know there's maybe a DOT wellknown and a site info maybe a sitemap.xml here and there well as John said he might lose video to the s to the session so he should be back shortly so yeah I just kind of was discussing with John that ctss really get overlooked in how much they help you know being able to find these systems and you it went a lot longer than you expected before it happened well I tried to give everyone the warning that that would totally crash out so I'm glad that we uh were're able to keep cruising for a smidge where did we leave off when did I die Phillip yeah you were looking through some of the you go like robots. text and some common areas that may you might find in there so cool thank you uh I see chat laughing and having a good time with me so thanks look yeah I will uh probably speedrun us to what would be the solution here but of course please keep in mind that is where you will want to go through your own checklist your methodology that's why you build build it out that's why you make some of that process this is a static web page right it's boring there's no particular input there's no login there's no tricks there but if we are scrolling through the HTML honestly just the source that it is made up of you can see the usual boiler plate but it is all static uh maybe there's some CSS there's some cascading style sheets maybe there's some jscript JavaScript JavaScript sorry I I almost conflated that in you know local uh active X objects but there is one audity if you were to take a closer look and try to see hey how is all this coming together whether it's those JavaScript files that are loaded there's a strange comment down below just after the JavaScript files to load these other endpoints securely quote unquote securely maybe this is cutesy maybe this is Dumbo but you notice the encoded scheme here for YX nzz XR ZL whatever but a couple equal signs at the end there Phil maybe this I don't know are you familiar with this one yeah what 
encoding is probably 64 bit encoding yeah base 64 yeah everyone's seen it everyone knows it's cutesy but there's nothing wrong sometimes it's here and there and it looks like this website uses a base 64 encoded endpoint to uh tell it itself where it could find other resources now these are boilerplate natural just regular libraries for JavaScript and others um but they all start with the same sort of structure you saw that yxn Z and that seems to be common throughout all of them and now we're kind of wondering okay what do we do with this well we could probably curl this down uh there's no sense in us working through all of this from the browser why not get back to our command line and let me see how well I can curl just that URL still gives me the exact same output that we saw earlier but that's the curl command we could work with and if we actually were to grab that Bas 64 or any of the others what does that even decode to so let me try to Echo that and pipe it to base 64 I think I got a spare single quote at the end there base 64 Tac d end up decoding and that tells us oh pretty similar to the other end points or URLs that we've seen assets vendor pure counter pure counter. JS but they all have that prefix of assets and then vendor and then some other file that they're trying to load so strange if our goal is to steal potentially a flag. text they included that little o cutesy slf flag. text in the challenge name maybe a little nudge and guidance to tell us well could we just try to go reach from the root of the website that slf flag. 
text let me see if I can do that nope that gives me an error 404 but that doesn't quite look like the regular like 404 page you might expect with like flask or any python app and if you wanted to look with WAP alyer or examine the headers in the network tab to see what is that really built off of maybe if we were to try to do that from the assets directory since it does still tell us that's something that strangely has that Bas 64 effect we could look for literally anything there but that gives us a different 404 that I was kind of alluding to that error message you might get with python or one or the other so strange odd if we're doing that base 64 thing could we try to access flag. text as if it were the base 64 representation um let's try that let me Echo flag. text on its own just a base 64 encoding if for whatever reason this were to be a really long line if you were trying to enter a whole lot you can specify Tac W for the width to say oh how long should this be where we wrap lines if you set that to zero it will not wrap U enter new lines under command line so you can just get everything in multiple places or at least one quick and easy copy paste let's try it with simply that and just see will the base 64 still interpret that smartly no uh no dice weird well we were probably trying to think maybe is this not so much the root of the website like the web route but is it even for the file system should we try some of that directory traversal like trying to climb up different locations or endpoints we could go to so folks might be familiar with that do do slash do do syntax over and over and over again they oftentimes use and there's nothing wrong we can spam this as much as we want and now we've got a much longer string let's try to copy and paste that one and see if that would work as an endpoint let me go back to this no error 404 again bummer bummer any thoughts uh anything that you saw or stuck out or something that just kind of looks strange from the past 
gimmicks that we're seeing from this website the base 64 all in the assets directories Phil I don't know if you got any ideas I want to I want to look at chat see if anyone else does too yeah I really can't think of anything well I wonder if we're seeing that assets structure each and every time for all of the URLs when we saw them here oh I opened up Firefox again but I want to get back to the old one could we try the very same directory traversal if it is an assets I wonder if that will help us climb let's try it out I'll get back to my terminal here and we were using the simple and easy thing to encode and decode base 64 but now if we started in assets and maybe we even went as far as vendor and then another thing that we would have seen previously like pure counter doesn't matter if we have all that structure to start with then we climb out with our dot dot do DOD directory traversal well we're gonna have to get through the first three because we're going to get probably all those middle slugs for p counter vendor and assets and then what's to stop us from going even further up the file system if we need to let's try to see if flag. text will work there well let's be sure to base 64 encode it now this is what I was mentioning oh you might need to wrap it on new lines if you didn't want to uh have it in multiple be sure to include that Tac w0 can be pretty handy uh and just another trick by the way if you you might have saw me has I decoded this just a moment ago I always am of the habit of echoing the base 64 command or the uh Bas 64 data out first and then piping it into B 64 tacd some folks might have seen or you might be familiar with base 64 Tac D can come first if you use a little cutesy magic like redirecting less t

Original Description

Livestream with Phillip Wylie, January 24 at 12pm

This video teaches viewers about pentesting methodologies and CTF challenges, with a focus on web application security. Viewers will see tools and techniques including AutoRecon (by Tib3rius), Base64 encoding and decoding, and directory traversal used to enumerate a target and identify vulnerabilities in a web application.

Key Takeaways
  1. Build a pentest methodology
  2. Perform a pentest with a plan
  3. Use AutoRecon (Tib3rius) for automated recon and vulnerability scanning
  4. Decode Base64-encoded asset paths found in page source to learn how the application resolves resources
  5. Try directory traversal (../) inside that decoded path to reach files outside the intended directory
💡 When an application accepts a Base64-encoded file path, the encoding is not a security control: an attacker can Base64-encode a traversal sequence such as assets/vendor/purecounter/../../../flag.txt and submit it the same way the site's own asset references are submitted. Encode the payload with `printf '%s' "$path" | base64 -w0` rather than `echo`: `echo` appends a newline that gets encoded into the path, and `base64` wraps long output at 76 characters unless -w0 is given.
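The loader behaviour described above (a site that resolves Base64-encoded asset paths, and the question of whether a Base64-encoded ../ sequence climbs out of the asset tree), as an added example that is not the challenge's own code and not part of the original page. It builds a constructed sandbox with an assets/vendor/purecounter/ tree under a fake web root and a flag.txt one level above it (standing in for /flag.txt); the directory names and the decode-then-open logic are assumptions about how such an endpoint might be written. It contrasts the vulnerable resolver with one that normalises the path and pins it to the assets directory, and shows why `echo` without `-n` produces a payload that misses.

```python
# Added example (not the challenge's source, not from the original page):
# a minimal Base64-encoded asset resolver, the traversal it invites, and a
# hardened version. Directory names and the decode-then-open logic are
# assumptions about how such an endpoint might be written.
import base64
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sandbox (created fresh in a temp dir when the module loads):
#   ROOT/www/assets/vendor/purecounter/purecounter.js   the served asset
#   ROOT/flag.txt                                        stands in for /flag.txt
# ROOT plays the role of "/", so WEB_ROOT is one level below the flag.
ROOT = Path(tempfile.mkdtemp()).resolve()
WEB_ROOT = ROOT / "www"
ASSETS = WEB_ROOT / "assets"
(ASSETS / "vendor" / "purecounter").mkdir(parents=True)
(ASSETS / "vendor" / "purecounter" / "purecounter.js").write_text("// purecounter stub\n")
(ROOT / "flag.txt").write_text("flag{constructed-example}")


def encode_path(path: str) -> str:
    """Same bytes as `printf '%s' "$path" | base64 -w0`: no trailing newline,
    no 76-column line wrapping, so the result is safe to paste into a URL."""
    return base64.b64encode(path.encode()).decode()


def encode_path_with_echo_newline(path: str) -> str:
    """What `echo "$path" | base64` produces: echo appends '\\n', which is
    encoded too, so the server decodes 'flag.txt\\n' and opens the wrong name."""
    return base64.b64encode((path + "\n").encode()).decode()


def _decode(b64: str) -> Optional[str]:
    """Strict Base64 decode; returns None on bad alphabet, padding or UTF-8."""
    try:
        return base64.b64decode(b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def vulnerable_load(b64: str) -> Optional[bytes]:
    """Decode the path and open it relative to the web root with no
    normalisation: '..' components are passed straight to the OS."""
    rel = _decode(b64)
    if rel is None:
        return None
    try:
        return (WEB_ROOT / rel).read_bytes()
    except OSError:          # missing file, directory, permission denied
        return None


def hardened_load(b64: str) -> Optional[bytes]:
    """Same decode, but resolve the path (collapsing '..' and symlinks) and
    refuse anything that does not land inside the assets directory."""
    rel = _decode(b64)
    if rel is None:
        return None
    target = (WEB_ROOT / rel).resolve()
    if not target.is_relative_to(ASSETS):   # Python 3.9+
        return None
    try:
        return target.read_bytes()
    except OSError:
        return None


# Payloads mirroring the steps tried in the stream, as constructed inputs.
LEGIT = "assets/vendor/purecounter/purecounter.js"
THREE_UP = "assets/vendor/purecounter/../../../flag.txt"      # lands in WEB_ROOT
FOUR_UP = "assets/vendor/purecounter/../../../../flag.txt"    # climbs past it

if __name__ == "__main__":
    print("assets/ encodes to", encode_path("assets/"))       # YXNzZXRzLw==
    for label, payload in [("legit", LEGIT), ("3x ..", THREE_UP), ("4x ..", FOUR_UP)]:
        print(f"{label:6} vulnerable={vulnerable_load(encode_path(payload))!r}"
              f" hardened={hardened_load(encode_path(payload))!r}")
    print("echo newline:", vulnerable_load(encode_path_with_echo_newline(FOUR_UP)))
```

The three-dots-up payload only reaches the web root, where nothing named flag.txt lives in this sandbox, so it returns nothing just as the stream's first traversal attempt did; one more `..` reaches the flag through the vulnerable resolver but is rejected by the hardened one. The check that matters on the defensive side is the resolve-then-prefix test, not the decoding step, and on the offensive side the check that matters is that the encoded bytes contain exactly the path and nothing else.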
