Journey into eWPTX

eWPTX

On the request of some people I thought of writing a small review for this course and certificate. The course is WAPTx – Web Application Penetration Tesing eXtreme. The certificate is eWPTX – eLearnSecurity Web application Penetration Tester eXtreme. Last year I completed eWPT you check that post from here.
This course is very up to date compared to other web application penetration testing courses. I learned many things that I didn’t know in different web application technologies. There are many languages, technologies in the world of web applications. It’s very hard to master them all. This course however covers many advanced attack methodologies.

The exam is however “hard”, not matter you are a web developer or a networking guy, you need to make sure you understand how each vulnerability is exploited and also how to bypass filters. You cannot just fire up a tool and expect results. Make sure you understand manual exploitation and exploitation is always not straight forward in real world applications.

I actually loved the exam, it was a very small web app but lots of unseen holes. My experience with SQL injections came in handy in the exam 😉

If you are seeking for a next level certification in web application hacking I would recommend this course.

It was a very fast year! 2016 ended nicely as I planned. By October completed eCPPT, by November completed eCRE, by December completed eWPTX 🙂 Nothing is impossible if you try hard 😉

Thank you everyone for your feedback and messages!

cert

[tweet https://twitter.com/eLearnSecurity/status/814775586640068608]

Data Packing

I was doing some random experiments using assembly and C. This is a simple example in packing 2 numbers inside a register in assembly. Let’s assume

$latex al < 2^{5}&bg=232225&fg=bbbbbb&s=4$
$latex bl < 2^{3}&bg=232225&fg=bbbbbb&s=4$

We want to store these 2 values inside the dl register. The dl register is of 8 bits, so 5 + 3 = 8 bits

Packing

1
2
3
4
; al < 2 ^ 5, bl < 2 ^ 3
mov al, bl
shl dl, 3
or  dl, bl  ; xor would also work fine

Unpacking

1
2
3
4
5
mov cl, dl   ; Make a copy of dl
and dl, 111b ; Extract lowest 3 bits (b)
mov bl, dl
shr cl, 3    ; Extract highest 5 bits (a)
mov al, cl

(more…)

PHP Feature or 0day?

Today one of my friends @RakeshMane10 gave me a challenge which I found pretty interesting.

[code language=”php”]
<?php
ini_set(‘error_displays’, 0);
$ip = htmlspecialchars($_GET[‘url’], ENT_QUOTES);
$f = fsockopen($ip, 80, $errno, $errstr, 5);
if($f) {
$result = shell_exec(‘ping -c 1 ‘ . $ip);
echo ‘<div class="alert alert-success">’ . nl2br($result) . ‘</div>’;
} else {
echo ‘<div class="alert alert-danger">’ .$errstr . ‘</div>’;
}
?>
[/code]
(more…)

Passed eCRE!

ecre_certificate_sm
I don’t know how to begin with, I’m not a expert experienced reverse engineer. I actually entered this field recently. Before that I had experience with basic exploit development and solving crackmes. But reverse engineering is not about solving a hard crackme, anyone can code a hard algorithm. However at the beginning some people said that this course is hard for me and not suitable for me. As the course title suggests “Advanced Reverse Engineering of Software” it is surely advanced to a level. I haven’t spent years in this field but I dedicated the last few months in this area and I really learned a lot from this course. If you ask the existing people in this field how to enter this area 9/10 people would recommend the tutorial series of “Lena151”. Actually those tutorials do not give a complete idea and is a bad choice. I’m not the only person who says this.

I have been thinking about why this happens. Thinking back to myself, I started learning reverse engineering by reading the Lena151 tutorials. I thought they were awesome until Daeken told me that was an awful approach to learn reverse engineering.
At first I didn’t understand why they were so bad. After all, Lena’s tutorials had taught me how to crack my first software.

You can check his post from here.

The things I learned in here really helped me to take my C/C++/ASM skills to the next level. Each topic I learned helped me research more and more into the subject.
(more…)

My Journey into eCPPT

This course covers lots of areas in the field of penetration testing. I like the content since it covers good theory as well. They have included new sections such as Ruby and Wi-Fi. The content is very up to date. The exam was more realistic and not CTF based. I’m not going to write a complete review, but I would recommend this course for anyone who wants to enter the field of penetration testing or existing people. Always there’s something to new to learn from any course 😉

ecppt

String Length Function in NASM

In certain situations when I want to print some string to stdout we need the length for the write syscall in linux. So we can’t always depend on the $-string macro, which is valid for a defined string.

We use the REPNE (REPeat while Not Equal) instruction which will loop as long as CX != 0. Along with REPNE we use SCASB (scan byte string). It compares the content of the accumulator (AL, AX, or EAX) against the current value pointed at by ES:[EDI]. In the end we calculate the difference between offsets of the scanned string (EDI) and the original string (EBX) to find the length.

_strlen:



  push ebx

  push ecx



  mov   ebx, edi            

  xor   al, al                               

  mov   ecx, 0xffffffff     

                                                     

  repne scasb               ; REPeat while Not Equal [edi] != al



  sub   edi, ebx            ; length = offset of (edi - ebx)

  mov   eax, edi            



  pop ebx

  pop ecx

  ret

(more…)

Assault Cube Trainer

I recently wanted to explore the world of game hacking, which involves some cool reverse engineering tricks. This is a trainer written in C++.
trainer
Simply uses WriteProcessMemory to write the values into memory of the game.

Download game: https://assault.cubers.net/download.html

Download trainer: https://github.com/OsandaMalith/GameHacking/blob/master/AssaultCube/Hack.7z

Freeze a Computer Using Ruby

When performing illogical ranges in Ruby and converting it to an array it uses 100% memory, disk and CPU which will freeze your computer. I have tested this issue on a Windows 10 64-bit machine. In a 64-bit Ubuntu machine after sometime the process will get killed when the process is out of memory. These types of issues can be caused in most languages, in which it tries to allocate more and more memory. This is a simple example I found in Ruby.

Ruby version:
[code]
ruby 2.3.1p112 (2016-04-26 revision 54768) [x64-mingw32]
[/code]

PoC:
[code language=”ruby”]
(‘malith’..’osanda’).to_a
[/code]

screenshot_3

Fun with SQLite Load_Extension

What is load_extension?

This interface loads an SQLite extension library from the named file.

[code language=”C”]
int sqlite3_load_extension(
sqlite3 *db, /* Load the extension into this database connection */
const char *zFile, /* Name of the shared library containing extension */
const char *zProc, /* Entry point. Derived from zFile if 0 */
char **pzErrMsg /* Put error message here if not 0 */
);
[/code]

More information: https://www.sqlite.org/c3ref/load_extension.html
You can use this function to load a SQLite extension. However by default sqlite3_enable_load_extension() is turned off by default to prevent this in SQL injection attacks. You can read more from here https://www.sqlite.org/c3ref/enable_load_extension.html
The syntax would be
[code language=”sql”]
select load_extension(‘path\dll’, ‘EP’);
[/code]
However this path, const char *zFile can be a SMB share too.
(more…)