Ubiquiti Networks Covers Up Vulnerability and HackerOne Inadequate for Intervention

I’ve been away for a while.  Between my day job and long nights doing research in my personal time, I haven’t done much bug bounty work lately.  Most of what I have done is falling behind NDAs.  Though, a certain security vendor will be fixing a large number of my bugs very soon, and looks to be giving me credit.  But all that is an aside from what is bringing me back to writing.

Roughly two months ago I found a vulnerability in a subdomain belonging to Ubiquiti Networks.  This was the laughable kind of vuln.  Think, default credential bad.  But more in line with the OSCP *cough cough*.  In a nutshell, this subdomain allowed me to log in as the admin user.  The disclosed finding on HackerOne can be found here. See below for a screenshot of logging in as admin.

Interesting find, right?  I can log in as an admin user to a subdomain.  I thought it was interesting at least.  So I submitted the finding.  What follows is a conversation that may or may not be related (I cannot disclose with certainty, to protect my account – so make up your own mind):

Where I’m from, weak credentials equal unauthorized access.  Regardless of what you access, you are unauthorized.  But appeals to logic and decent human nature failed me.  Perhaps some persistence?  Below, the conversation (with unconfirmed relevancy) continues, but rather one-sided:

Note that at the time I write this, Ubiquiti Networks also decided this subdomain didn’t need to be present.  That’s right, they removed it in light of this finding.  Go ahead, go to nutty.ubnt.com

What are you waiting for?  Give it a shot!  It doesn’t resolve you say?  Strange timing….almost…suspicious?

OK, full disclosure.  They didn’t decide to disclose on their own.  I appealed to HackerOne to intervene (for a second time).  And hence the link to the public disclosure at the beginning of this post.  But what do they do when they finally disclose?  They explain it as:

The researcher found a weak password in the site nutty.ubnt.com, but the system does not differentiate between authenticated and non-authenticated users. The researcher was not able to provide a PoC that could expose any vulnerability, so the report was closed “Informative”.

So they finally admit it was a weak password, but still will not explain how the system does not differentiate authenticated users.  Yet I showed them accounts that DO NOT authenticate.  Which breaks this argument in two.  If the site did not differentiate, then I would have gotten the same responses and functionality regardless of account used (or even anonymous as possibly claimed above, assuming it’s a relevant dialogue, which I cannot attest one way or another….).  I did not see this to be the case.

Any guesses where this leaves me?  Discredited.  Without a bounty.  And worst of all, in my opinion, unprotected by HackerOne.  Where is the mediation?  The checks and balances preventing programs from lying about the validity of findings?  I had another finding with UBNT that was RCE (using a recently released 0day no less), yet when I showed evidence, they acknowledged at first, then quickly recanted saying they were already patched.  I could not reproduce afterward.  This points to them correcting the issue in an attempt to bury the vuln.

I strongly encourage other bug hunters to share similar situations, as I’m sure I’m not alone.  By all means, comment here, or on Twitter (#hackerone).  This has happened over a half dozen times (across multiple programs), and yet HackerOne has no protection in place for either the hackers or their very own platform.  Cheating us cheats them.  Yet they do not have any means, nor any apparent interest in, safeguarding ALL parties involved.

In an industry where legality is of the utmost importance, how much confidence should we hold in HackerOne if they won’t even safeguard their own bottom line?  Why would they ever step out to protect us in our efforts financially, or worse, legally?

Please comment or tweet (#hackerone).

100 Bugs in 30 Days

Being a part-time bug/bounty hunter, I was doing a little reading and was inspired by Shubham Shah, who posted about his efforts to get 120 bounties in 120 days.  I came across this article quite some time ago, and it has weighed heavily ever since.  Ultimately I decided to follow suit with a slightly more realistic goal of 100 bugs in a YEAR.  After all, I bug hunt on the weekends and evenings.  I can’t go full time, so a year seemed much more realistic.

Oh, but I can hear you saying, “WTF Korr, this post says 100 bugs in 30 days!  You canz no counterz! lolz”.  First off, stop talking like that, it’s extremely annoying.  Second, that’s no typo.  So here is what happened.  I started my 100 bugs in a year journey on November 20th.  It was a strong start with 3 bugs in the first day.  Then something magical happened.  My voice started cracking, and hair started grow…oop, wrong kind of magical.  The important thing that happened was twofold.  First, a HUGE program opened on the 20th (yes, same day).  I started shaking and dove right into the massive scope.  If you are involved with this particular program, then you know both just how massive the scope really is, and why I am hesitant to identify it.  Though I think there may be a hint somewhere in this post…  But getting in on the ground floor for the new program wasn’t the only alignment in the stars.  A little over a week later, on the 30th, I received an invite to a private program.  I can’t disclose which yet, but the number of invited hackers seems to be relatively small, leaving competition rather sparse.

Getting in day one on both of these was massive.  However, I was still at a disadvantage because of the need to work nights/weekends.  But, diligence has paid off.  My eyes hurt, I am sleep deprived, and my brain feels like a shaken bowl of hot pudding.  But I got a large number of bugs in a short period of time.  As I write this, I have not been green lit to disclose details about my bugs.  Nor will I until given permission.  I am not allowed to give much information, but metrics are not listed as off limits, especially if I combine programs so as to further obfuscate the origins.  Which means I can at least combine all my bug findings across all the programs, and give a little bit of useful data about my experience.  I will not say which programs resulted in what findings, but will give a little insight into how many bugs per day, frequency of certain vulnerability types, etc.  Ideally, the disclosures will come very soon.

The first and easiest metric.  100 bugs in 30 days.  Or 3.3333 bugs per day.  Some days I had 0 bugs, others I saw a spike of 10 or more.

Considering this is a race for bugs, I am not ashamed to say I had a rather large quantity of Lows.  So be it.  A risk is a risk.  If they are worth points and/or money, I’m reporting them.  So clearly, this is not a case of 100 RCE vulnerabilities, though there were a few of those 😉  So judge me not, lest ye can do better, and if ye can, mentor my simple ass.

So without further ado, here is a list of bugs by vuln type, in order of frequency (it’s important to note that some of the reports were for ‘multiple instances’, but I am only counting the reports):

  • XSS – 41
  • Error Message/Info Disclosure – 19
  • HTML Injection – 11
  • SQL Injection – 6
  • Authentication Flaws/Bypass – 5
  • Unchecked Redirect – 5
  • CSRF – 4
  • Weak/Default Credentials – 2
  • User Enumeration – 2
  • Misc – 5

NOTE: Misc includes Subdomain Hijack, Insecure Direct Object Reference, External Service Interaction, AV Signature Bypass, and a known RCE vuln

Now for the big question I was dying to know. What is the market value of these bugs?  Given other projects of similar scope (Google and Facebook), here is the estimate (based on publicly disclosed monetary awards and bounty program pages):

Google – $285,000 (rough estimate)

Facebook – Tougher to estimate, but placing the amount smaller than Google at about $160,000

So these are rather unrealistic in the sense that these programs are currently demolished and this number of bugs is rather unlikely at the moment.  But what about HackerOne’s own estimates?  They estimate values as listed below:

  • Low
    • Median – 100
    • Competitive – 250
    • Top – 500
  • Medium
    • Median – 150
    • Competitive – 600
    • Top – 1500
  • High
    • Median – 500
    • Competitive – 2500
    • Top – 4000
  • Critical
    • Median – 1400
    • Competitive – 9000
    • Top – 15000

Using these values, the HackerOne Median worth is roughly $22,000.  Using a rough 6x value to derive the Top value (because I’m tired of writing this post), I would be looking at $132,000 for Top values.  Or a 4x multiple for Competitive, coming to $88,000.

Sad panda

No matter how I look at the numbers, that’s a solid 5 figures worth of bugs….that I won’t be getting paid for….

Yes, that’s right, no money.  Well, almost none.  I anticipate a couple grand from the private program.  But all the other programs were for points and/or swag.  And even then, the points system was completely screwed up (I will discuss this soon…).  So I will be walking away with a boost in rankings only.

To top it off, I will be posting a rant about the shortfalls of a poorly implemented bug bounty platform.  Get ready, I’m about to bite the hand that feeds me.  But for now, I’m just going to revel in what I accomplished in a month.  I’m happy.  That’s good for now.

Also important to note, I’m still working on the massive…OMFG sized scope program.  I only get points (biting my lip as to why that’s an extra bad rub – more on this later), but those help get invites right?  That’s what I’m told….but I now have my doubts.  Serious doubts.

Multiple Vulnerabilities – Trend Micro Control Manager 6.0

The following are publicly disclosed vulnerabilities I discovered in Trend Micro Control Manager 6.0.

Full details of the vulnerabilities have not been agreed upon for disclosure, so this is more for record keeping than anything else.  Please do not inquire for details as there is no agreement in place for me to divulge any.  As much as I would love to discuss and help, I prefer staying out of jail much more 🙂

  • ZDI-CAN-3634 – Closed without public disclosure (unknown reasoning as it was/is a valid finding)

SQL Injection with RCE:

XXE:

XPATH Injection:

Top 3 Ways To Fail As A Technical Recruiter

Quick disclaimer.  I am not actively looking for a new job.  I have a solid salaried gig that pays well and allows for a very accommodating work/life balance.  But that doesn’t mean I don’t still ‘collect’ contact information with solid recruiters in case the shit hits the fan.  So when I get contacted about jobs, 99% of the time I am already going to say ‘not interested’.  But politely, and I will take some time to build a bit of rapport in case I need to talk to the person again in the future.  But…this describes the idealistic scenario that rarely occurs.  The reality of what I experience with unsolicited recruiters is far from amicable.  In fact, I have begun to have an anxiety response before ever speaking to most of them.

I started asking myself, why am I so upset about people trying to find me work?  Well, after a very brief examination of my experiences, a few major gripes covered almost all of my experiences with technical recruiters.  Those who are the exception to what I list below are not only going to hear back from me if/when I am back on the market, but will easily get referrals for my friends/colleagues. If that is what you are looking for when recruiting for technical positions, then you had better pay attention and take this to heart.  After asking around, I am not alone in this, and my responses are often (unbelievably) more tasteful than some of the anecdotes I have heard from friends.

 

NUMBER 1: Don’t speak clearly or effectively

A typical week for me would not be complete without roughly a half dozen unsolicited phone calls about positions. This sounds like a large amount of unrealized opportunities, right?  Well, you got the unrealized part right, but not for the reasons most would think.  The reality is that nearly all phone calls I receive about new positions are completely unintelligible.

Note that this doesn’t mean I have to listen to the message two or three times to discern what is being said.  I mean literally unintelligible.  If it weren’t for the different numbers, and clearly different voices and dialects, I would think I was getting trolled or pranked.  Because I cannot understand what the majority of these callers are saying, I have just begun to ignore calls from recruiters, and if I can’t understand the first few words in the voicemail message when played back, it gets deleted outright.  A typical voicemail, and again I get about a half dozen of these a week, sounds like this:

“HHHHaslo, ez eez yeshmal galbreek <unintelligible words mixed with crumpling paper sound> position <whispered and unintelligible>”

As I was trying to write that out I just gave up trying to translate.  And that right there is the problem.  I am literally trying to translate it and the message is still not discernible.

So let me repeat that I receive at least a half dozen of these a week.  At this point, I see a number I don’t recognize and my blood pressure goes through the roof.  Stop, just STOP.

  • Don’t farm out recruiters
  • Don’t take a phone gig in a language in which you are not fluent
  • Do email.  It’s easy, and audio technical difficulties and accents are much less of a problem

NUMBER 2: Don’t understand the sector for which you are recruiting

This is disturbingly common.  It would appear that people get into recruiting thinking it will be easy money and most jobs are interchangeable.  Maybe that happens in other sectors, but I seriously doubt it.  And with technology I can speak with utter certainty that this isn’t the case.  Because I believe examples and metaphors are the best way to convey a concept, let’s look at a recent conversation I had.

Before I stopped accepting calls from unrecognised numbers and while I was still actively looking for work, I answered one such call and the conversation went like this:

Me:  Hello?

Caller: Good Morning Mr. <blank>, how are you this morning?

Me:  Um, I’m good…..

Caller:  That’s nice to hear! I’m calling about an amazing opportunity we have with a client, and I was wondering if you are currently looking for a new position?

Me:  Actually I am at the moment.

Caller:  Excellent!  It’s a three month contract for <company>, doing quality assurance!  I see that this kind of work is on your resume and thought you would be an amazing fit!

Me: …oh….ah….well, that was about 10 years ago, and would be a massive step back in my career.  It’s not remotely what I do now.

Caller: <a few seconds of silence>…I haven’t even gotten to the best part.  It pays $15 an hour!  That’s good money!

Me: <unable to stifle the laughter> That’s so below what my going rate I can’t…I…wow, no.

Caller: Really?!

Me:  …ah…ya.  So like I said, I did that work over 10 years ago.  I work in information security now.  I can’t even remotely entertain that kind of a step back.

Caller:  How much of a step back is that really?  I mean it’s the same kind of work.

Me:  …so I’m actually going to hang up the phone now.  I would highly advise you to research the industry a little more before cold calling people.

<I hung up>

For those not in the know, pen testing is in the range of 75k to 150k depending on experience and credentials (read: certifications).  At $15/hour this guy was pitching me a $30k/year job and treating it like it was the holy grail.  This is all after he failed to recognize that he was pitching a job from 10 years back in my career, and failed to recognize that what I do now is not remotely the same as what he was pitching.

If this were an isolated incident it would be a humorous anecdote at best.  But….it’s not an isolated incident.  I have had conversations like this, mostly over email now, over a dozen times.  That’s a trend folks.  A clear cut sign of laziness.  Don’t just think that he’s screwed up by pitching me a job incorrectly, but think about how this represents him as a recruiter.  He was lazy and uninformed.  Do I want that person looking for work for me?  Do I want that person representing me?  Hell no.  Don’t be this guy.

  • Don’t be lazy about reading and comprehending resumes.  A couple hours of reading about an industry can ratchet up your success rate by filtering appropriately
  • Don’t be delusional/arrogant about who you are or what you know or what you have to offer
  • Do take the time to find a solid fit, or at least approach it differently (“I see you haven’t done this in a while, but thought why not try?”, will go much further for longevity of interaction, and actually something I encountered from a recruiter with whom I still speak to this day, primarily because of using that approach)

 

NUMBER 3: Don’t recognize time zones

Assuming I come across a recruiter and there is a need to interact long term, this next one has been a major problem in the past.  Not so long ago I found myself looking for work with a bit of an intense drive.  I felt I needed a new position immediately and was willing to overlook several issues just to have more opportunities.  Along came one such opportunity that actually sounded great and not like I would have to settle for a lesser position just to get a paycheck.

The initial outreach was over LinkedIn and email.  After a couple of messages I was handed off to a ‘lead recruiter’ to facilitate interaction with their client.  The next morning, at 5am local time, my phone began to ring.  Turns out, the recruiter is on the east coast, and I’m on the west coast.  And more importantly, they did not see me as a person but as a name on a list that would potentially convert into a commission.  Nothing else.  This sounds jaded and/or cynical, but the reality is that this wasn’t an isolated incident.

After I enlightened him about what it meant to be 3 hours earlier, he apologized, then went on to forget about the time zones no less than 3 more times over the stretch of two weeks.  The fourth incident saw no apology or recognition.  It became clear he just didn’t care, and expected everyone (me) to be at his beck and call.  I was highly motivated for a new job, and yet I told him to stop calling me.  It wasn’t worth the stress of the interaction, and more so, I realized that if he was this inattentive with me, then representing me to the client was going just as dismally.

No thanks.  Don’t need that, don’t need you if this is your mentality. Let me reiterate, I was highly motivated to find work, and was willing to risk losing the opportunity because this person was so awful.

  • Don’t expect your clients (on either side) to cater to you; you are the one offering a service, we are the customers, cater to us
  • Don’t treat your clients like expendable fodder for your bank account
  • Do think of us as what we are, people.  With lives of our own
  • Do be personable and compassionate (pretend to be a friend if you have to)

Bug Bounty Program Primer – Finding Vulnerabilities for Fun and Profit

After some requests and questions asked, I decided to answer the emails in the form of a post about bug bounty programs.

For those that do not know me personally, let me get the ‘street cred’ out of the way.  I have been bug hunting (bounty hunting) for a couple years now, and came in 10th during the “Hack the Pentagon” bug bounty program.  I have amassed a large number of unknown bugs (0days).  Some have been disclosed, others have not.  I have discovered many different types of web application vulnerabilities in the wild (SQLi, LFD, XXE, XSS, Arbitrary File Upload, Command Injection, etc.).  And on and on and on.  Hopefully that’s enough for me to dispense with some lessons learned and help some of you get a start in securing the Internet 🙂  I’ve structured this like an FAQ of questions I had and have been getting asked, so let’s get this started….

 

What is a bug bounty program?

In essence, this is a way for companies to open the doors to security researchers (white or black hat) to find security problems without fear of legal repercussions.  Note that this doesn’t mean you won’t go to jail.  Generally there is a scope to the bug bounty program, and if you go outside that scope, you cross the legal protection and could easily get in trouble with the law.  For example, if the scope says you can attack ‘www.foo.com’ and you find a flaw in ‘bar.foo.com’…you are attacking something they did not say you could.  Expect legal fees, and potentially a really large ‘friend’ when you get locked up.

Bug bounty programs are appealing because they don’t just offer a way to ethically disclose security flaws, but they often also offer incentive.  These incentives range from a ‘Hall of Fame’ listing those who have discovered legitimate problems, to swag (T-shirts, stickers, etc.), to a hand shake with the Almighty (yes I’m deifying cash).

 

Will I get arrested for participating in bug bounty programs?

Short answer, maybe.  That depends on your ability to read and follow directions.  If you stay in scope, you are covered.  If you don’t…..

 

Where can I find a list of bug bounty programs?

There are more lists than these, but here are the ones that I have bookmarked.  Though to be honest, at this point I just refresh hackerone and bugcrowd.

  • https://hackerone.com/directory
  • https://bugcrowd.com/programs
  • http://www.vulnerability-lab.com/list-of-bug-bounty-programs.php
  • http://www.w4rri0r.com/bug-bounty-programs/where-are-you-bug-hunters.html

 

How competitive are bug bounty programs?

This depends.  If you get in at the ground level, it’s more of a race than anything.  In Hack the Pentagon I had the majority of my findings closed as duplicates.  I simply got beat to the punch.  But I had several findings that were accepted too.  Generally speaking, the longer the program has been running, the harder it will be to find stuff.  Logically that makes sense, as there are hundreds of eyes looking for low hanging fruit, and the ripest fruit (big bounties).  Look at HackerOne and Bugcrowd, pick some programs and check how many bugs have been found, fixed, and how many hackers have been thanked.  The larger the number, generally the harder it will be to find something profitable.  Not impossible, but harder.

Take Google and Facebook as a prime example.  They were inundated with findings when their programs opened.  Now, it’s a headline when someone finds something of merit.  It took them over a year before there was a noticeable slowing in headlines about bugs.  And now it’s almost a pride thing to get a bounty in either program.  There are still bugs to be found….but they are not anywhere near as prevalent, or easy to find.

So the short answer is, if you get in quick, it’s pretty easy to find stuff.  The longer you wait, the more bugs will be consumed by pros.  Plan accordingly.

 

What is the general process for finding a bug or vulnerability?

This is in no way an easy question to answer.  I have derived my own strategy with the base I learned from a web application security course I took.  I have since modified (mutated) it to fit my own personal style.  Unfortunately the depth of the question does not lend itself well to this post, and I will have to revisit this in length, at another time in another post.  For now I’ll give a brief overview of the strategy I use.

  • OSINT – identify all the information I can about the target to flesh out the scope as much as possible (i.e. subdomains, user accounts, etc.)
  • Examine each URL, in the scope, and categorize functionality (file uploads, probable DB queries, user input that is reflected, etc.)
  • Categorize possible attack locations
  • Use a generic test at each attack location
  • If there is a possible attack vector, dig deep, otherwise move on
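The scope rule from the “What is a bug bounty program?” answer above (www.foo.com is in, bar.foo.com is out) and the first steps of this process list (flesh out the scope, then categorize each in-scope URL by functionality) can be turned into a small triage helper. The following Python is an added example written for this post, not the author’s own tooling; the scope rules, the hosts and the page bodies are constructed, and the convention that a `*.x` wildcard covers hosts strictly below `x` (never `x` itself) is an assumption you should check against the program’s actual wording. It only classifies pages you have already observed; nothing here sends a request.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed scope for a hypothetical program (not a real one): one exact
# host plus one wildcard.  Assumption: "*.api.foo.com" covers hosts strictly
# below api.foo.com, not api.foo.com itself; programs differ on this.
SCOPE = ("www.foo.com", "*.api.foo.com")


def in_scope(url, scope=SCOPE):
    """Return True only if the URL's host matches an in-scope rule."""
    host = (urlparse(url).hostname or "").lower()
    for rule in scope:
        rule = rule.lower()
        if rule.startswith("*."):
            suffix = rule[1:]  # "*.api.foo.com" -> ".api.foo.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == rule:
            return True
    return False


def categorize(url, body):
    """Tag a URL with the functionality classes from the process list,
    judged from its query string and the response body already captured."""
    tags = set()
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    # File upload: a multipart form or a file input in the page.
    if (re.search(r'enctype=["\']multipart/form-data', body, re.I)
            or re.search(r'<input[^>]+type=["\']file', body, re.I)):
        tags.add("file-upload")
    # Login form: an authentication surface worth tracking on its own.
    if re.search(r'<form[^>]+action=["\'][^"\']*(login|signin)', body, re.I):
        tags.add("authentication")
    for name, values in params.items():
        # Numeric id-style parameters usually feed a database lookup.
        if (re.fullmatch(r'(id|uid|page|.*_id)', name, re.I)
                and values and all(v.isdigit() for v in values)):
            tags.add("probable-db-query")
        # A parameter value echoed verbatim in the response is reflected input.
        if any(v and v in body for v in values):
            tags.add("reflected-input")
    return sorted(tags)


def triage(observations, scope=SCOPE):
    """Map each (url, body) pair to (in_scope, tags).  Out-of-scope URLs get
    no tags, so nothing is recorded for a host the program never authorized."""
    result = {}
    for url, body in observations:
        ok = in_scope(url, scope)
        result[url] = (ok, categorize(url, body) if ok else [])
    return result


# Constructed sample observations (hand-written, not captured traffic).
SAMPLE = [
    ("https://www.foo.com/search?q=hello", "<html>Results for hello</html>"),
    ("https://v1.api.foo.com/users?id=42", '{"id": 42, "name": "alice"}'),
    ("https://bar.foo.com/upload",
     '<form enctype="multipart/form-data"><input type="file" name="f"></form>'),
    ("https://api.foo.com/login", '<form action="/login" method="post"></form>'),
]

if __name__ == "__main__":
    for url, (ok, tags) in triage(SAMPLE).items():
        print(f"{'IN ' if ok else 'OUT'} {url} {tags}")
```

Running it on the constructed sample marks the search page as reflected input, the numeric `id` lookup as a probable DB query with reflected input, and drops both `bar.foo.com` and the bare `api.foo.com` as out of scope, which is exactly the line the primer says you must not cross.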

 

How long should I spend on a particular bug bounty program?

Here’s another ‘it depends’ answer.  I find that some programs are VERY ripe.  And warrant more time.  Others, are like rubbing my face on asphalt to get dolled up for prom.  This is where experience really comes into play.  Generally I spend a day or two getting a feel for the target.

Let’s look at some real world examples.  I spent a week looking at the United Airlines bug bounty program.  This was a headline-making program and I saw it as a challenge to hit the boards.  My goal (I was still relatively new to bounty hunting) was just a single bug.  I found that first bug on day one.  This led to the logical conclusion that the scope would be pretty ripe.  Unfortunately by the end of the week I was only getting duplicates and decided it wasn’t worth the time spent.  I was glad to be on the boards and called it a day.  They are still making payouts, so I think I missed out.  Big lesson learned.

On the flipside, Pornhub recently launched their program with HackerOne.  As it turns out, they had already been running a private program (BOOOOOO….I’d tell them to go F themselves for that, but…uh….I’m pretty sure that’s what that site is all about), which clipped most of the low hanging fruit.  After a day, I realized they had gotten all the easy stuff and I was looking for obscure stuff.  This was an easy one to walk away from.  Recently there was a headline about how Pornhub paid out a bounty…..for a couple of guys who used zero days in PHP to attack them.  Read that again: they attacked the language, not the site.  The bug(s) used would have gone for MUCH more than what Pornhub paid out, but that’s neither here nor there.  The point is, a zero day was required to get a decent payday.  I walked away perfectly.  Lesson learned.

 

How long does it take to find a bug or vulnerability?

And again, it depends.  I’ve had bugs pop up within minutes.  I’ve gone weeks on a program and found nothing.  It really depends.  Part luck, part skill, part experience.  And when I’m working on a COTS product, I’ve had a few apps that panned out to nothing (only a few).  Some apps I spend a couple days on, some months.  In the case of the latter, I recently concluded a 6 week gruelling campaign against a major vendor, on one of their products.  Found RCE, over a dozen SQLi….and no one gives a shit.  Totally wasted time.

On the other hand, in another product I discovered a stacked SQLi in the very first parameter I tested.  That landed me several grand.  It’s almost like playing the lottery.  If you want in this game, you really have to want to be in this game.  There are many pits of nothing.  Be ready for them.

 

What if I find a bug in a product that does not have a bug bounty program?

First off, if you are hacking sites without permission, stop.  Stop now.  You will go to jail.  Any bounty/bug I have found has either been within an authorized bug bounty program, or with a COTS (commercial off the shelf) product within the confines of my own personal lab.  If you attack something, you better be damn sure you have the permission to attack it.

That being said, there are 3rd party organizations that will buy bugs in products with no bug bounty program.  They are legal.  Here is a quick list of the top 3 and how they legally disclose/use your vulnerabilities/exploits:

Zero Day Initiative – a direct quote: “TippingPoint provides a “virtual patch” functionality that protects vulnerable systems from compromise when host-by-host patches have not been applied or do not yet exist from the vendor. Our security research team develops new Digital Vaccine® protection filters that address the latest vulnerabilities and are constantly distributed to our customers. By writing vulnerability filters for security issues that come in through the Zero Day Initiative, TippingPoint maintains a competitive edge while protecting customers and encouraging security researchers to bring findings into the public domain.”

Beyond Security – Sells the vulnerability/exploit to pen test companies for use in their engagements, while simultaneously working with a vendor to correct the vulnerability.

Zerodium – Sends vulnerability information to a feed that their clients subscribe to, allowing for protection before a fix is implemented.

 

What tools should I use for finding bugs or vulnerabilities?

Here is another big post in the making.  I’ll be as brief as I can here, while plotting on another post to go in depth.

Burp Suite is the go-to here.  Period.  I have a pro license (though the scanner is largely unused).  If you are serious about bug hunting, get the free version and decide if the pro version makes sense later.  In 90% of cases, the free version will be plenty.

I do occasionally use SQLMap.  Though only when I can’t figure out the PoC (Proof of Concept) on my own.  It’s great for automating possible injection strings, but noisy as all hell (definitely recommend not using during red team engagements).

DirBuster is sometimes used for finding folders, pages, and docs that are not intended to be referenced, though that is rarely something I check during bug hunting.

Finding subdomains is a necessity (typically with *.foo.com scopes).  For this I generally use sites like https://pentest-tools.com/information-gathering/find-subdomains-of-domain

An OSCP Review – The OSCP Epic Part 4 – Grand Finale

As of March 12th 2016 I am OSCP certified.  Writing that first sentence was VERY bittersweet.  I stopped doing the lab after the 4th month.  In all I was putting in roughly 25 hours a week in the lab.  The last two-week stint I purchased was a huge boon and pushed me well into the 30+ machines owned category.

You would think that prepared me for the exam.  But it didn’t, and it won’t prepare you either.  It took me more than one attempt to pass.  And the experience I had taking the exam was frustrating, aggravating, and disgusting.  I realize how negative that sounds, and it’s intentional.

Take the hardest machines in the lab, with all their bullshit CTF style games, and give yourself 24 hours to crack them.  Let me revisit that first part.  The exam machines are CTF style.  This means no real world, realistic flaws.  No.  You are given machines that are deliberately configured such that you have to solve puzzles.

The vulnerabilities WILL BE MODIFIED.  If you see a local file inclusion, expect to have to use it indirectly, or to find a ‘clue file’.  Then use that second part to find a third part.  And the third to find a fourth and maybe, just maybe gain shell access, only to solve a WHOLE NEW SET OF PUZZLES to escalate.

And this is why passing the exam is bitter.  Yes I’m one of the few who now holds the piece of paper.  But what does it mean?  The lab helped get my hands dirty and practice with some real flaws and research.  But was vastly unrealistic.  The exam, was despicable and bizarrely inaccurate for a real world demonstration of skill.

I’ve been doing pen testing and red teaming daily, for 5 years now.  And the exam and lab DO NOT PREPARE YOU FOR THE REAL WORLD.  Let me repeat, THEY DO NOT PREPARE YOU.  Am I saying the real world is crazy hard?  Fuck no!!!!  Popping a targeted user base with phishing, moving laterally until you can get domain admin credentials, shadow copy, etc…..FAR EASIER.

Using known vulnerabilities in a real exercise….you don’t have to find clue files, decipher cryptic files to find hidden directories, etc.  My experience with real engagements is far more closely related to a con game than anything, combined with technical knowledge.

How would/could you test that?  No idea.  But I can tell you one thing, the OSCP will not show you what to expect when you are confronted with a real organization.  Not every box is readily exploitable.  Often you have to rely on skills and tricks that are outside the realm of exploits.  Read: conning users into giving you the credentials you want (drive by downloads, social engineering, pop ups, etc).

I’m going to end my rant and summarize.  Yes I’m now certified.  I can’t say I would ever endorse this cert for real world training.  It will get you jobs that pay a lot of money, but you will have to learn real TTPs crazy fast or lose that very same high paying job for not knowing what to do, when, or how.

It is my solid opinion that the OSCP will set you up for failure in the real world.  If you know little to nothing about pen testing, then the course will help facilitate your education.  But not by teaching you, by giving you a sandbox where you effectively TEACH YOURSELF.

I feel like I just got the CISSP part 2 🙁

An OSCP Review – The OSCP Epic Part 3

I just purchased my third month, and I have mixed feelings about doing so.  I have spent almost 6 weeks (minus 2 out of the 8 for selling my house and moving), averaging almost 20 hours per week.  At this point I have 25 machines fully rooted/system’d, including the ‘gimme’ msf box.  My goal was 24 before taking the exam, but that goal has changed as I discovered my personal weak areas.  Those being privilege escalation and modification of binary exploits.

I can say with certainty that web based application hacking experience has carried me far, and fast.  I dropped MANY machines by utilizing web based attack vectors, but have been informed that most machines have multiple avenues of compromise.

Currently, I have all but one network unlocked (dev…wtf?!).  This is a major bone of contention for me.  I have access to the machine that touches the dev network, but haven’t gotten priv esc to unlock the network key.  Why is that frustrating?  Because I have shell, and can…well in the real world I WOULD be able to…access the dev subnet.  But because I haven’t unlocked the subnet, I can’t reset machines, and am having port scans come up dead.

So the try harder adage applies right?  Well, yes, but I have uncovered no less than half a dozen machines that unlock the IT network, and only one that unlocked the admin network, and one that will likely unlock dev.  I find this to be disproportionate, and ridiculous, especially when I find a fucking IT subnet key, on an admin network machine (you have to unlock IT before admin).

So I’m a bit frustrated, and a bit disillusioned.  Having done Red Team exercises and pen testing (professionally) for a few years now, I find some of the lab to be realistic, and other parts nothing more than game play.  There is literally a box where it’s nothing more than a CTF style challenge.  No spoilers, but that one aggravated me on a whole new level, and not because I couldn’t pop it, but because it had no real value other than playing a ‘game’.  It’s not realistic in the slightest.

This leaves me with another month to do the following:

  • Pop a few more boxes (ideally the dev net…sigh)
  • Practice priv esc until I gain a little more comfort
  • Practice exploit modification (essential for the exam)
  • Write my lab report
  • Prep my test report

That’s a tall order for one month, but I’m tired of the ‘game’ aspect of the lab, and really fatigued.  I need to rest, and want the exam done with.  So I will be scheduling it for a few weeks after this month is over.  So I should be taking it sometime before Christmas.  I can’t wait….lol

An OSCP Review – The OSCP Epic Part 2

Haven’t updated in a while, and that’s because I just got my ass kicked (time wise) from moving.  But here is a breakdown of the experience thus far.

Week 1:

I had only evenings (1-2 hours) and Sunday (all day) to devote to the materials, but part of the certification includes doing the exercises in the material.  I felt much of it was busy work and review, but that may be because I have done this kind of thing in live environments professionally.  For most people I would bet the material is pretty overwhelming.  The details are missing in a few places, so without experience it can leave the uninitiated with a lot of homework to do.  BUT, the material was highly relevant.  Using PowerShell as a callback mechanism was discussed.  This was very nice to see, and VERY relevant to modern techniques.

Having said it was almost all review for me, it still took me an entire week to get through.  That being a little over 20 hours of time total.  If this stuff is new, plan to multiply that time out at least to a magnitude of 2 or 3.

Week 2:

This is where it got fun.  Finally.  I had finished the exercises in the materials, and was finally hitting the lab.  Doing the exercises did build a little bit of a base, since they have you do a few things that will get you started.  There were a handful of boxes that fell to a VERY well known exploit.  And in roughly ’67’ seconds I had some proof.txt files.  Then I came to a screeching halt.

I enumerated and enumerated and enumerated.  Researched flaw after flaw and found that the labs are constructed with a lot, and I mean a LOT, of red herrings.  So don’t expect a scan and pop scenario.  Those exist, but not by and large.

About the 5th day in, I reverted to what I knew best (web applications) and started smashing.  I popped one more really quickly, then found three more to crush.  Unfortunately moving day arrived and I lost internet connectivity until two days ago.  So I just lost an entire week of lab time.  Extension here I come.  I don’t have 10 boxes yet, but should in the very near future.

A big gripe I had, and maybe I just missed something, is that I unlocked a subnet, but have no idea what the range is.  OK, I know, cheating right?  Except that I have a client side attack into a network, and no idea if it is one I have unlocked.  See the problem?  I could pivot through, but if I haven’t unlocked the subnet, I can’t progress into that area.  There is a mismatch on that goal.  And I may be stymied until I unlock other subnets, even though in the real world I’d be moving along no problem.

And that’s the update.  I’m on week three, and finally able to get back to the lab (though I’m working, so nights and weekends are my limitations).

EDIT: The subnet I unlocked was not visible until I logged in and out of the dashboard.  It did, in fact, coincide with the attack method I discovered, so I should be able to pivot into the second network very soon.

An OSCP Review – The OSCP Epic Part 1

After several years of yammering on about how I’m dying to take the course (read “blast the labs”), I have finally taken the plunge and put my money where my mouth is.  I recently landed a few bounties that left me with some capital to spend, and I’m in between contracts.  Fuck it.  Let’s do it.  So today I signed up.  I’m currently waiting on an email to get started and find my heart pounding with anticipation.

I have known a handful of OSCP holders, and they assure me I should do really well.  Further, I’ve read MANY reviews about the course/labs/exam, and have a strategy in place to expedite the process.

  • Step 1) Course materials.  I will bang through the course materials as quickly as possible.  Although the syllabus looks to be almost all review, there are exercises involved that help with extra points come exam time.  Seeing as I want to pass no matter what, I’m going for every point I can get my hands on.
  • Step 2) Lab time.  I am literally salivating here.  I can’t wait.  My goal is over half the machines in a month (including pivots).  To accomplish this I have devised a strategy to hit the ground running (and in the background as I smash through step 1).  I’m hoping this lands me a couple low hanging fruit and gives me a toe hold into the external network.  Then, loot and pillage.  Loot and pillage.  Loot and pillage.  Rinse repeat.  I’m going to document (make my report) as I go, to further speed up the process of the final report come exam day.
  • Step 3) The exam.  I’m going to buy a single month, and tack on a second month if need be.  It’s only a $50 savings if I buy the second month up front, but a $200 savings if I don’t, and don’t need it.  I will be compiling my scripts, exploits, and preparing my report beforehand, in hopes that it buys me some extra time.

Some anticipated hurdles and obstacles will likely get in the way.  I have a possible job offer, and starting a new day job could cause me to lose momentum.  Hence the possible second month.  Also, I sold my house and will be moving in a month’s time.  If I can time things well, I will be able to pack and move, and utilize the process as a mental break from the lab, before I review and hit the exam.  But that may not go according to plan, and the second month may be needed.

So there you have it. Time to smash it.  I welcome any words of encouragement, but NO SPOILERS.  I want this, but on my own blood, sweat and tears.  Questions/comments also warmly welcomed!

EDIT: And of course, there was an unforeseen problem.  No one had mentioned to me (or I selectively forgot) that there is a waiting period for the course to begin.  So here I feel all teased up and ready to go, but nope, get ready for the ache to set in, I have to wait until the 29th of this month to get started.  FML.  Two weeks before I can begin?  That’s a gripe right there 🙁

Welcome from the new owner!

This is how I work…seriously


If you are here for finance advice, you are in the wrong place.  Sorry, but this site is under new management.  The internet marketing experiment is over, and now is the time to pursue my true passion(s).  Join me as I follow the white rabbit and build up my presence and career in the tight knit world of cyber security.

Now to get to know me.  I’ve been a hobbyist for a very long time, but only recently delved into the depths of true knowledge.   I now bug/bounty hunt in my personal time (primarily web application vulns), and am teaching myself binary exploitation.  I have a few of the industry certs, one big one that doesn’t need mentioning, and a few lesser known ones like the eCPPT and eWPT.  The OSCP is in my cross-hairs and I am thoroughly excited to take it down!  I plan to document the latter as I go (adhering to NDAs of course), so join me, learn with and from me, and above all, never stop questioning!