Sunday, June 30, 2019

Hunting for Privilege Escalation with Burp Suite
In this blog post I would like to talk about a technique which can be used to find privilege escalation in web applications.

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. The result is that the application performs actions with more privileges than those intended by the developer or system administrator.

We speak of vertical privilege escalation when a flaw allows a lower-privileged user to access and/or modify data that should only be accessible to higher-privileged users (administrators), and of horizontal privilege escalation when it is possible to access resources granted to a similarly configured account (a different user of the same privilege level).

For this demo I will use the Hackazon vulnerable web app VM from Rapid7.

Burp’s “Compare site maps” tool can be used to test for privilege escalation by comparing site maps generated with different users.

First, create a new user in Hackazon named “User1” and create a new Burp project with the same name. Log in with User1’s credentials, browse around the site, then right-click the target and choose “Spider this host”. When spidering is done, click Logout and close Burp.

Then open Burp again and create a new project named “admin”.
Log in to the web app as admin/hackazon and repeat the previous steps to spider the site. After spidering is finished, right-click the target and choose the “Compare site maps” tool.

For “Site Map 1” leave “Use current site map” selected and click Next; check “Include in-scope items only” and click Next.

For “Site Map 2” choose “Load from Burp project file” and select the file for User1’s project.
Check “Include in-scope items only” and, for the remaining options, click Next to accept the defaults.

When the comparison is done we can see both site maps and visually identify the differences between the two with the help of color coding.
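To show what the comparison is doing under the hood, here is an added Python example (my illustration, not part of the original post and not Burp's code) that diffs two site maps the way the steps above do: it keeps only in-scope hosts, strips session-specific query parameters so the same page crawled in two sessions compares equal, and groups the URLs seen only by admin by their top-level folder. The two site maps and the hackazon.local host name are constructed sample data.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample site maps standing in for the two Burp projects
# (admin and User1); they are not real Hackazon spider output.
ADMIN_SITEMAP = [
    "http://hackazon.local/",
    "http://hackazon.local/account/",
    "http://hackazon.local/account/orders",
    "http://hackazon.local/account/orders/10000007",
    "http://hackazon.local/account/profile?sid=abc123",
    "http://hackazon.local/admin/users",
    "http://cdn.example.net/lib.js",  # out of scope, must be ignored
]
USER1_SITEMAP = [
    "http://hackazon.local/",
    "http://hackazon.local/account",
    "http://hackazon.local/account/orders",
    "http://hackazon.local/account/profile?sid=zzz999",
]

# Query parameters that change per session; left in, every page would look unique.
VOLATILE_PARAMS = {"sid", "PHPSESSID", "_"}


def normalize(url: str) -> str:
    """Drop volatile query parameters, sort the rest and strip a trailing slash."""
    parts = urlsplit(url)
    params = sorted(
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k not in VOLATILE_PARAMS
    )
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(params), ""))


def compare_sitemaps(high_priv, low_priv, scope_host):
    """URLs only the higher-privileged user reached, grouped by top folder (the candidates to re-check)."""
    high = {normalize(u) for u in high_priv if urlsplit(u).netloc == scope_host}
    low = {normalize(u) for u in low_priv if urlsplit(u).netloc == scope_host}
    grouped = {}
    for url in sorted(high - low):
        folder = urlsplit(url).path.split("/")[1] or "/"
        grouped.setdefault(folder, []).append(url)
    return grouped


if __name__ == "__main__":
    for folder, urls in compare_sitemaps(ADMIN_SITEMAP, USER1_SITEMAP, "hackazon.local").items():
        print(f"[{folder}]", *urls, sep="\n  ")
```

Run as-is it reports the order under “account” and the “admin” folder, while the profile page, which differs only by session id, is correctly treated as present in both maps.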
Looking at the “account” folder, we can see order “10000007” in admin’s site map. Let’s try to access it from our User1 account: copy the order’s URL from Burp, log in to the web app as User1 and paste the order URL into the browser.
We also check that User1 has no orders placed.
We can now see admin’s order and confirm that the web app is vulnerable.
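The root cause this finding points at is a missing object-level authorization check on the order page. The following added Python sketch (my illustration, not Hackazon's code) puts a vulnerable lookup next to a hardened one that enforces ownership, lets the admin role see every order, and records denied attempts so repeated probing of other users' order ids can be alerted on. The in-memory orders and the Session class are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    role: str  # "customer" or "admin"


# Constructed sample data; not Hackazon's real storage or schema.
ORDERS = {
    "10000007": {"owner": "admin", "total": 149.99},
    "10000008": {"owner": "user1", "total": 20.00},
}
AUDIT_LOG = []  # denied lookups; a burst of these from one account merits an alert


class AccessDenied(Exception):
    pass


def get_order_vulnerable(session, order_id):
    """Looks the order up by id alone, so any logged-in user can read any order."""
    return ORDERS.get(order_id)


def get_order_hardened(session, order_id):
    """Object-level authorization: customers see only their own orders, admins see all."""
    order = ORDERS.get(order_id)
    allowed = order is not None and (
        session.role == "admin" or order["owner"] == session.user
    )
    if not allowed:
        AUDIT_LOG.append({"user": session.user, "order_id": order_id, "outcome": "denied"})
        # One error for both "no such order" and "not yours", so the response
        # does not reveal which order ids exist.
        raise AccessDenied(f"order {order_id} is not available to {session.user}")
    return order


def can_view(session, order_id):
    """True if the hardened lookup lets this session read the order."""
    try:
        get_order_hardened(session, order_id)
        return True
    except AccessDenied:
        return False
```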

Saturday, May 25, 2019

Penetration Testing Books

I’ve compiled a list of some of my favorite books that I’ve found useful as a penetration tester.
Books listed should be read in no particular order.
The list will be constantly updated.


The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition

The Mobile Application Hacker's Handbook 1st Edition

The Antivirus Hacker's Handbook

Hacking: The Art of Exploitation, 2nd Edition

The Shellcoder's Handbook: Discovering and Exploiting Security Holes 2nd Edition

Gray Hat Hacking: The Ethical Hacker's Handbook, Fifth Edition

The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy 2nd Edition

The Hacker Playbook 3: Practical Guide To Penetration Testing 

Advanced Penetration Testing: Hacking the World's Most Secure Networks 1st Edition

Web Hacking 101: How to Make Money Hacking Ethically 

Social Engineering: The Science of Human Hacking 2nd Edition 

Hacking Exposed 7: Network Security Secrets and Solutions 7th Edition

Penetration Testing: A Hands-On Introduction to Hacking 1st Edition 

Rtfm: Red Team Field Manual 1.0 Edition 

How to Hack Like a GOD: Master the secrets of Hacking through real life scenarios (Hack The Planet) 

How to Hack Like a PORNSTAR: A step by step process for breaking into a BANK (Hacking the planet)

How to Hack Like a LEGEND: A hacker’s tale breaking into a secretive offshore company (Hacking the Planet)

Google Hacking for Penetration Testers 3rd Edition

Professional Penetration Testing: Creating and Learning in a Hacking Lab 2nd Edition

Exploiting Software: How to Break Code 1st Edition

Building Virtual Pentesting Labs for Advanced Penetration Testing - Second Edition 2nd Revised edition Edition

A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security 1st Edition

IoT Penetration Testing Cookbook: Identify vulnerabilities and secure your smart devices

Hands-On Penetration Testing on Windows: Unleash Kali Linux, PowerShell, and Windows debugging tools for security testing and analysis 

Kali Linux CTF Blueprints

Mastering Kali Linux for Advanced Penetration Testing: Secure your network with Kali Linux 2019.1 – the ultimate white hat hackers' toolkit, 3rd Edition

Saturday, April 20, 2019

Zeus - Boot2Root VM

Release Date: 20/4/19

This is my first Boot2Root VM.
Your goal is to get root and read the flags.

Level: Intermediate
Flags: user.txt and root.txt
Format: OVF
Tested: VMware Workstation
Networking: DHCP enabled
IP: Automatically assigned

Download: HERE

Have fun, I hope you enjoy it!

For hints DM me at https://twitter.com/@SirPwnALot