maxpowell - Network

Yo, it seems Scylla made its comeback!https://hyperiongray.net/hg

Yo, it seems Scylla made its comeback!

https://hyperiongray.net/hg

So after two weeks fighting against the Juice Shop project I come back to pentest a bit the new website our company is creating and ya boi...

So after two weeks fighting against the Juice Shop project I come back to pentest a bit the new website our company is creating and ya boi found a XSS. <3

Auditd needs a set of rules to be defined in order to generate alerts. The default configuration is garbage, you cannot install it, enable...

Auditd needs a set of rules to be defined in order to generate alerts. The default configuration is garbage, you cannot install it, enable it and leave it running. You must apply a configuration that works for you.

In order to deal with this we can apply a quick set of rules developped by our friend Florian. :)

https://github.com/Neo23x0/auditd

So first of all, what the hell is auditd?tl;dr - It's just another logging software that gives you a lot of info about what is happening...

So first of all, what the hell is auditd?

tl;dr - It's just another logging software that gives you a lot of info about what is happening in your host.

Someone wants to add a new user to the machine? This is going to be logged.

The www-data user has executed the 'whoami' command? This is going to be logged.

Okay, now it's time to play with auditd and to ask myself why the hell I've waited so long to install it.For the record, I...

Okay, now it's time to play with auditd and to ask myself why the hell I've waited so long to install it.

For the record, I successfully installed sysmon on every Windows endpoint, however, our linux servers are quite critical, so I was busy deploying a dedicated syslog config. <3

Fun fact, after almost a month and right before taking the app to prod, I notice that there are no password requirements for user creation....

Fun fact, after almost a month and right before taking the app to prod, I notice that there are no password requirements for user creation. As a result, you can create any user with a one character password.

God dammit, I didn't check that. :/

I've tried everything I know, but it seems we only managed to get those three vulns.I would say that our hardening guide was good enough...

I've tried everything I know, but it seems we only managed to get those three vulns.

I would say that our hardening guide was good enough and I should be happy about it, but as a hackerino I want to break more things. :/

Anyways, it was fun!

Dang it, it is possible to create users in the store with 1 character passwords.It seems someone forgot to mention password minimum...

Dang it, it is possible to create users in the store with 1 character passwords.

It seems someone forgot to mention password minimum requirements hehe (totally not me 👀​)

Wel well well, this website is supposed to be an online store, so let's mess with the products, the cart, the payment process, etc.First...

Wel well well, this website is supposed to be an online store, so let's mess with the products, the cart, the payment process, etc.

First thing I tend to try in this situations is send garbage like "I would like to buy -1 books of this ID". Suddenly WordPress shows me a HTTP 500 critical error hahahaha.

Is this a vuln? I don't know, I wouldn't say so. Basically it's a bad practice because they are not checking parameters and boundaries of their products.

I will probably just include this as additional information along with many visual bugs I've seen.

Anyways, I just love breaking things <3

Another day, another slay.I prefer using ZAP instead of Burp because open source goes brrRrRrRr, so after a quick manual review it seems...

Another day, another slay.

I prefer using ZAP instead of Burp because open source goes brrRrRrRr, so after a quick manual review it seems that a Javascript library they are using is outdated and is vulnerable to XSS.

We have a WAF that blocks this kind of requests, but there are no XSS protection headers configured on the web server, so this is another vuln for me. Medium leveln vuln in my opinion if we put everything together.

OH, it seems that the forgot password form only shows the "We have sent you an email" message if the account exists. Well, now I...

OH, it seems that the forgot password form only shows the "We have sent you an email" message if the account exists.

Well, now I would include this as a low level vuln and comment about the /author endpoint.

We got our first one bois!

In my opinion, I would not even include this in the report because that's the way WordPress work.Maybe I would just add it as a note,...

In my opinion, I would not even include this in the report because that's the way WordPress work.

Maybe I would just add it as a note, but not as a vuln.

Of course you could try with something like the company name or so, but that doesn't tell you anything

I know the username of one of the team members, so if I send a GET request to example.com/author/<username>, I get a 200 OK.So, this...

I know the username of one of the team members, so if I send a GET request to example.com/author/<username>, I get a 200 OK.

So, this could be seen as a information disclosure vuln, but:

1. I would need to bruteforce every possible combination to get the username and that would cause A LOT of noise and probably result in a block by the firewall.

2. You still don't have any password, so you can't do much.

Tip: try to look for any request for the /author/ endpoint in your logs ;)

Ok, in this case where we got absolutely nothing to deal with, it is common to start looking for the login page. It is usually at...

Ok, in this case where we got absolutely nothing to deal with, it is common to start looking for the login page. It is usually at /wp-login.php

By default wordpress leaks usernames in the login error messages, but in this case we changed that to just display a generic text.

Let's look for something else

And here we go! :DI'm not an expert in WordPress, but the first thing I like to do is run WPScan in order to give me some quick insights...

And here we go! :D

I'm not an expert in WordPress, but the first thing I like to do is run WPScan in order to give me some quick insights about any misconfiguration, outdated plugins and so on. Remember to get an API key on their website to get the vulnerabilities.

In this case the application is not in production, so I can run any aggressive method I want.

As I expected, everything is fine and I can't get any info because I added authentication and disabled all unwanted methods.

I will be the one carryong out the internal pentest and I will compare all the results with an external pentest from a third party.I know...

I will be the one carryong out the internal pentest and I will compare all the results with an external pentest from a third party.

I know they will find more things than me, but we will find out. ​

Sheesh, I've been out for a while. I will try to stay more active in here.First thing I will do is...pentest a wordpress...

Sheesh, I've been out for a while. I will try to stay more active in here.

First thing I will do is...pentest a wordpress installation!

After developping our wordpress hardening guide, I will pentest an internal wordpress of the company. Wish me luck!

WHAT! So, after a month I check my question and someone replied with the same problem I have.This person was so brave to debug the problem...

WHAT! So, after a month I check my question and someone replied with the same problem I have.

This person was so brave to debug the problem and discovered that Microsoft takes the certificate with the highest thumbprint (#Lmao) as the authentication certificate.

I will try to test this on my servers, but if this is true, I will just hate Microsoft more than ever.

I'm writing a detailed Wordpress hardening guide for my company and it's the first time I'm working with WP.I've been...

I'm writing a detailed Wordpress hardening guide for my company and it's the first time I'm working with WP.

I've been following the official WP security guide but even with it there are a lot of other options that must be implemented in order to achieve a good security level

I just found out that our one of our Dell systems does not allow the use of the character 'ñ' in a password because it is detected...

I just found out that our one of our Dell systems does not allow the use of the character 'ñ' in a password because it is detected as a non-printable character.

Bruh...