Disclaimer!!!
The information provided in this blog is to be used for educational purposes only. All of the information in this blog is meant to help the reader to develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage. Hacking is a crime and I am not responsible for the way you use the obtained knowledge.
I’m happy to be back with a new post after a long break. To document my daily updates and learning experience, I embarked on the #100DaysOfHacking challenge on March 11, 2023. My goal was to refine my hacking skills, gain more hands-on experience, and have a way to see my progress.
Throughout the challenge, I dedicated my time to exploring four main areas: infrastructure pentesting, webapp security, bug bounty hunting, and binary exploitation. Today, on June 24, 2023, I am happy to say that I have successfully completed the challenge.
In this blog post, I will provide you with a short summary of my key learnings first. After that, you are welcome to see my everyday progress if you are interested. This might help you to gain motivation, join a similar challenge, or simply get inspired on what to learn next.
If you have completed the same or a similar challenge, I would be more than happy to hear about that. Feel free to reach out to me on Twitter (https://twitter.com/hacking4every1), LinkedIn (https://www.linkedin.com/in/timotei-adamec/), or via email (adametim.hacking4everyone@gmail.com). Let’s connect and share our progress and growth.
Key Learnings
Infrastructure Pentesting
I have pwned 8 machines @ HackTheBox and learned about the following along the way:
-Redis exploitation
-CMS exploitation
-PFX + LAPS exploitation
-SCF + stealing NetNTLMv2 hashes
-hashcat password rules
-reversing a .Net executable
-LDAP enumeration
-resource-based constrained delegation
I have finished several modules @ HackTheBox Academy:
-VULNERABILITY ASSESSMENT
-Pivoting, Tunneling, and Port Forwarding
-WINDOWS ATTACKS & DEFENSE
-SHELLS & PAYLOADS
And I have learned about the following along the way:
-vulnerability scoring, Nessus, OpenVAS
-GPP passwords, GPO permissions, GPO Files
-different use cases of port forwarding and tunneling
-different tools (dnscat, rpivot)
I have thoroughly studied the AD pentesting guide @ HackTheBox.
I have read dozens of blog posts, including writeups. I usually read around three blog posts for every new topic I explore.
I have read several Python exploits.
WebApp Security
I have finished Practical Web Application Security and Testing @ TCMSecurity.
I have tackled 2 challenges from OWASP Top 10 track @ HackTheBox.
I have finished several modules @ HackTheBox Academy:
-COMMAND INJECTIONS
-BUG BOUNTY HUNTING PROCESS
I have revised different webapp vulnerabilities and completed or reviewed several labs @ PortSwigger:
-Insecure Deserialization (2)
-Information Disclosure (all labs)
-Access Control + IDOR (all labs)
-Authentication (3 labs)
I have completed OWASP Top 10 – 2021 @ TryHackMe.
I have completed around 16 challenges of AEC Hacking competitions for different years.
I have gone through dozens of posts/videos on how to start with bug bounty hunting and on how to carry out reconnaissance.
I have watched dozens of videos about Broken Access Control/IDOR/Information Disclosure/API/Web Cache Deception vulnerabilities.
I have explored different tools:
-KiteRunner, feroxbuster, hakrawler, gau
-amass, assetfinder, subfinder
-httpx, httprobe
-EyeWitness, gowitness
-puredns, massdns, altdns, Rapid7 FDNS, CommonSpeak
I have developed two scripts to automate my bug bounty hunting workflow:
-a subdomain enumeration script
-WCDScanner for automating Web Cache Deception exploitation
I have spent around 40 hours bug bounty hunting and discovered the following bugs:
-valid: 1 (Broken Access Control)
-informational: 1 (IDOR)
-triaged: 1 (Broken Access Control)
I have learned about the following along the way:
-insecure deserialization
-API security
-HTTP headers
-subdomain brute-forcing/resolving/permutations
-WAFs
-arbitrary file upload vulnerability (HackerOne public reports)
-Web Cache Deception
-403 bypasses
-Web Archive
I have studied several chapters of The Web Application Hacker’s Handbook:
-Core Defense Mechanisms
-Mapping the Application
-Attacking Authentication
-Attacking Access Controls
-Exploiting Information Disclosure
Binary Exploitation
I have started the Finding security vulnerabilities through fuzzing course by @hardik05.
I have completed Intro To Pwntools room @ TryHackMe.
I have finished Intro to Binary Exploitation track (10 challenges) @ HackTheBox and learned the following along the way:
-exploitation of stripped binaries
-Python with pwntools
-x64 ROP
-integer overflow attacks
-alphanumeric shellcodes
-Ghidra
-seccomp
-bit shifting
-glibc/binary base leaks
-stack alignment
-stack pivoting
-ASLR + ret2plt + http://libc.rip
-reversing
-format string vulnerabilities with pwntools
-shellcoding
I have studied several chapters of Hacking – The Art of Exploitation:
-Exploitation
-Shellcode
-Countermeasures
-Cryptology
I have read dozens of blog posts, including various writeups.
I have studied dozens of Python binary exploitation scripts.
I have started to go through the RPISEC/MBE course and have finished the following lectures so far:
-Introduction to Reverse Engineering + related labs
-Extended Reverse Engineering + related labs
-Intro to Memory Corruption + related labs
-Shellcoding / Code Injection + related labs
-Format String Vulnerabilities + first lab
I have created around 20 Python binary exploitation scripts for different challenges.
Other
Revising your gained knowledge at regular intervals is crucial for remembering as much information as possible.
I have revised a lot of my already obtained knowledge:
-bash scripting, Python requests, and PowerShell commands
-AD stuff, including basics, Kerberos authentication, golden tickets, silver tickets, un/constrained delegation, DSRM persistence, overpass-the-hash, skeleton keys, DCSync, ExtraSIDs attack, and AD CS basics
-pivoting & tunneling (sshuttle, chisel, DNS/ICMP tunneling, double pivoting, socat, SOCKS)
-pentesting standards and methodologies
-XSS
-path directory traversal attacks
-SSRF basics & bypasses, blind SSRF, along with open redirect vulnerability
-command injection
-JWT authentication + simple exploitation techniques
-SQLi (MySQL, in-band, blind, reading from/writing to a file)
-WEP basics and attacks such as ARP replay/fragmentation/korek chopchop
-binary exploitation topics (mona ROP, format string vulnerabilities, shellcoding, DTOR, PLT & GOT, ret2plt, stack pivoting, SEH, NX/DEP, unicode buffer overflows, ROP gadgets, memory registers, shellcoding optimization, PIE)
-tools (WPScan, GDB, patator, Nessus)
-Error-Level Analysis & Luminance Gradient analysis
-LLMNR/NBT-NS poisoning, ICMP redirect attack, and SMB relay
-understanding of SMB, X system, SNMP, SSL and shell stabilization
I have created a Python exploit template for my personal tools.
I have „hacked“ my LinkedIn profile.
I have learned about photo forensics.
I have worked on my #100DaysOfHacking summary.
I have learned more than 400 new English words.
Everyday Progress
Day #001 (March 11, 2023)
-revised some of my already obtained IT knowledge (especially Bash scripting)
-„hacked“ my LinkedIn profile
-applied for a Jr Pentester position
Day #002
-started Binary Exploitation track @hackthebox_eu (completed the first box – Jeeves)
-completed parts 0x330 (ENV variables for buffer overflows) and 0x340 (Overflows in other segments) of the Hacking – The Art of Exploitation
Day #003
-revised some of my already obtained IT knowledge
-completed Reg and Batcomputer boxes of Binary Exploitation track @hackthebox_eu (learned how to locate main function of a stripped binary + practised Python with pwntools)
Day #004
-revised some of my already obtained IT knowledge
-completed 1 machine @hackthebox_eu (Redis exploitation)
-completed part 0x350 (Format Strings + .dtor & GOT overwrite) of Hacking – The Art of Exploitation
Day #005
-over the last month and a half, I revised around 1500 pages of my cybersecurity knowledge to prepare for job interviews
-upgraded my Kali
-started Admirer box @hackthebox_eu (MariaDB installation + setup)
Day #006
-revised some of my already obtained IT knowledge
-started 0x400 Networking part (OSI, Sockets, Network Byte Order, Internet Address Conversion, and Simple Server Example) of the Hacking – The Art of Exploitation
Day #007
-revised some of my already obtained IT knowledge
-completed Admirer box & started Blunder box @hackthebox_eu (CMS + arbitrary file upload)
Day #008
-revised some of my already obtained IT knowledge
-completed Blunder box + completed HTB-Console box (x64 ROP exploit) of Binary Exploitation track @hackthebox_eu
-went through a few Python exploits @ExploitDB
Day #009
-revised some of my already obtained IT knowledge
-watched @ippsec’s video on Admirer box @hackthebox_eu
Day #010
-revised some of my already obtained IT knowledge
-completed Timelapse box (PFX + LAPS exploitation) @hackthebox_eu
Days #011 – #012
-revised some of my already obtained IT knowledge (especially XSS + a bit of AD)
-completed Bastion box (played with VHD + extracted SAM & SYSTEM + read mRemoteNG connection file) @hackthebox_eu
Days #013 – #014
-revised some of my already obtained IT knowledge (AD golden tickets + bash scripting)
-completed Driver box (learned about SCF (Shell Command Files) + stealing NetNTLMv2 hashes) @hackthebox_eu
Day #015
-started to learn about insecure deserialization (identifying + how PHP/Java/Python serialization format looks)
-read Hands-on Introduction to Insecure Deserialization (research paper)
-started to work on the baby website rick challenge @hackthebox_eu
Day #016
-learned more about Insecure Deserialization (mostly Java) @snyksec (https://learn.snyk.io/lessons/insecure-deserialization/java/)
-completed the baby website rick challenge (Python pickle Insecure Deserialization) @hackthebox_eu
Day #017
-revised some of my already obtained IT knowledge (constrained & unconstrained delegation)
-started to learn about API security (OWASP API Security Top 10 2019)
-started the baby breaking grad challenge @hackthebox_eu
Day #018
-completed OWASP API Security Top 10 2019 paper
-completed the baby breaking grad challenge @hackthebox_eu (with the help of an excellent blog post – https://braincoke.fr/write-up/hack-the-box/baby-breaking-grad/)
-completed OWASP Top 10 track @hackthebox_eu
Day #019
-learned more about API hacking (https://danaepp.com/beginners-guide-to-api-hacking)
-learned about KiteRunner tool
-learned more about AD pentesting (https://hackthebox.com/blog/active-directory-penetration-testing-cheatsheet-and-guide) @hackthebox_eu
-completed 2 labs (Insecure Deserialization) @PortSwigger
Day #020
-revised some of my already obtained IT knowledge (unicode buffer overflow + SSRF + file upload vuln)
-completed OWASP Top 10 – 2021 & Intro To Pwntools rooms @RealTryHackMe
Day #021
-revised some of my already obtained IT knowledge (DSRM persistence + Overpass-the-hash)
-started to work on the Optimistic challenge from Binary Exploitation track @hackthebox_eu
-learned about Integer Overflow attacks
Day #022
-completed the Optimistic challenge (alphanumeric shellcode + more pwntools sorcery + splitting a shellcode) from Binary Exploitation track @hackthebox_eu (with the help of https://7rocky.github.io/en/ctf/htb-challenges/pwn/optimistic/ writeup)
-learned more about Integer Overflow attacks
-revised some of my already obtained IT knowledge (XSS + LFI)
-completed 5 tasks of AEC Hacking Competition 2023
Days #023 – #024
-revised some of my already obtained IT knowledge (mona ROP + constrained delegation + insecure deserialization)
-completed 2 more tasks of Hacking Competition 2013 @ SECURITY 2013
-learned about HTTP headers (security + exploitation)
Day #025
-revised some of my already obtained IT knowledge (pivoting with sshuttle + webapp authentication methods)
-learned about ghex (patching binaries) and setting breakpoints with pwntools
Day #026
-learned more about API security (https://labs.detectify.com/2021/08/10/how-to-hack-apis-in-2021/ + https://wallarm.com/what/how-to-hack-api-in-60-minutes-with-open-source)
-completed 0x420 (Sockets) and 0x430 (Peeling Back the Lower Layers) parts of Hacking – The Art of Exploitation
Day #027
-skipped the rest of the NETWORKING chapter and went through 0x500 chapter (SHELLCODE) of Hacking – The Art of Exploitation (removing NULL bytes, setreuid, port-binding & connect-back shellcode)
Day #028
-revised some of my already obtained IT knowledge
-started 0x600 chapter (Countermeasures)
-went through VULNERABILITY ASSESSMENT module (vuln scoring/Nessus/OpenVAS) + started Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy
Day #029
-revised some of my already obtained IT knowledge (pentesting standards + command injection)
-started Practical Web Application Security and Testing @TCMSecurity (30% done)
-completed 4 tasks (SECURITY 2015 – Hacking Competition)
-completed 0x630 + 0x640 parts (Hacking – The Art of Exploitation)
Day #030
-revised some of my already obtained IT knowledge (AD un/constrained delegation)
-completed 0x650 (creating stealthy shellcodes) part (Hacking – The Art of Exploitation)
-started the Blacksmith challenge @hackthebox_eu (created an ASM shellcode)
Day #031
-completed the Blacksmith (seccomp, pwn in Python2 vs Python3, selfcrafted an ASM shellcode) challenge @hackthebox_eu
-went through 0x660 and 0x670 (Camouflage + Socket Reuse) parts of the Hacking – The Art of Exploitation
Day #032
-revised some of my already obtained IT knowledge (SCF, stealthy shellcodes)
-continued with Pivoting, Tunneling, and Port Forwarding module @ HTB Academy (Dynamic Port Forwarding with SSH and SOCKS Tunneling + Remote/Reverse Port Forwarding with SSH)
Day #033
-revised some of my already obtained IT knowledge (SOCKS, ARP replay attack, patator)
-continued with Practical Web Application Security and Testing (OWASP Top 10) @TCMSecurity (65% done)
-completed 2 tasks of SECURITY 2016 – Hacking Competition
Day #034
-continued with Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy:
–>Meterpreter Tunneling & Port Forwarding
–>Socat Redirection with a Reverse Shell
–>Socat Redirection with a Bind Shell
–>SSH for Windows: plink.exe
-revised some of my already obtained IT knowledge (PS jobs, korek chopchop attack, basic blind SQLi)
-completed Delivery box @hackthebox_eu (hashcat password rules + sucrack)
Day #035
-revised some of my already obtained IT knowledge (fragmentation attack, WPScan, AD silver tickets)
-continued with Practical Web Application Security and Testing @tcmsecurity (90% done)
Day #036
-continued with Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy:
–>SSH Pivoting with Sshuttle
–>Web Server Pivoting with Rpivot
–>Port Forwarding with Windows Netsh
–>DNS Tunneling with Dnscat2
-revised some of my already obtained IT knowledge (information_schema + reading from/writing to a file using SQLi, AD skeleton key)
-started to work on the Support machine @hackthebox_eu (reversing .Net exe)
Day #037
-revised some of my already obtained IT knowledge (format string vuln: https://7rocky.github.io/en/ctf/htb-challenges/pwn/format/ )
-completed the Leet Test challenge @hackthebox_eu (format string vuln)
-learned about bit shifting
Day #038
-revised some of my already obtained IT knowledge (format string exploitation with pwn)
-started to work on the PwnShop challenge @hackthebox_eu
Day #039
-revised some of my already obtained IT knowledge (Python requests)
-continued with Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy
–>SOCKS5 Tunneling with Chisel
–>ICMP Tunneling with SOCKS
Day #040
-revised some of my already obtained IT knowledge (bit shifting, rpivot, information gathering – metadata + foca)
-learned more about chisel (https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html) + about shrinking Go programs (https://youtube.com/watch?v=Yp4oxoQIBAM&t=1469s&ab_channel=IppSec)
Day #041
-revised some of my already obtained IT knowledge (dnscat2 + ptunnel-ng)
Day #042
-revised some of my already obtained IT knowledge (information gathering – DNS)
-continued with Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy:
–>RDP and SOCKS Tunneling with SocksOverRDP
Day #043
-completed the Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy:
–>Skills Assessment (single pivoting, port forwarding…)
–>Detection & Prevention (People, Processes, and Technology + MITRE breakdown)
-revised some of my already obtained IT knowledge (stealthy shellcodes)
Day #044
-revised some of my already obtained IT knowledge (leaking libc base address, nmap switches)
-continued with the PwnShop challenge @hackthebox_eu (leaked the binary + glibc base address)
-went through more pivoting stuff (https://youtube.com/watch?v=B3GxYyGFYmQ&ab_channel=HackTheBox)
Day #045
-revised some of my already obtained IT knowledge (https://vickieli.dev/binary%20exploitation/format-string-vulnerabilities/, nmap – different service scan types)
-completed the PwnShop challenge @hackthebox_eu (ROP + stack alignment + https://libc.rip to get correct function offsets)
-went through half the @_CryptoCat’s PwnShop video (https://youtube.com/watch?v=RNqJjO3uf98&ab_channel=CryptoCat)
-started the Finding security vulnerabilities through fuzzing course by @hardik05 (17% done)
-learned about stack pivoting (https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting)
Day #046
-revised some of my already obtained IT knowledge (stack pivoting, nmap switches for bypassing FW/IDS)
-went through pwntools section @ https://ir0nstone.gitbook.io
-continued with the Support machine @hackthebox_eu (LDAP enum)
Day #047
-revised some of my already obtained IT knowledge (more nmap switches for bypassing FW/IDS + DTOR + Python exploit template)
-spent like 2 hrs trying to solve one command injection challenge (to no avail 😠)
-completed the COMMAND INJECTIONS module @hackthebox_eu academy (Intro + Detection + Exploitation + Filter Evasion + Prevention + Skills Assessment)
-completed 3 tasks (hidden page + photo forensics) of SECURITY 2019 – Hacking Competition
Day #048
-revised some of my already obtained IT knowledge (SMB enum, X system, few PS commands)
-learned more about photo forensics (https://hackerfactor.com/blog/index.php?/categories/17/FotoForensics)
-completed the Support machine @hackthebox_eu (AD enum, resource-based constrained delegation)
-started the WINDOWS ATTACKS & DEFENSE module @hackthebox_eu academy (Intro + Kerberoasting + AS-REProasting)
Day #049
-revised some of my already obtained IT knowledge (integer overflow, pwntools, SNMP – theory + enum, Linux – fail2ban + lsof)
-completed 2 tasks (git history + GPP password) of SECURITY 2019 – Hacking Competition
-decided I’ll start with bug bounty hunting (instead of just completing challenges)
-went through the BUG BOUNTY HUNTING PROCESS module @hackthebox_eu academy
-went through posts and videos about how to get started with #bugbounty
Day #050
-revised some of my already obtained IT knowledge (SCF, PS – input + output, constrained delegation)
-went through more posts and videos about how to get started with #BugBounty
-continued with the WINDOWS ATTACKS & DEFENSE module @hackthebox_eu academy (GPP Passwords + GPO Permissions/GPO Files + Credentials in Shares)
Day #051
-revised some of my already obtained IT knowledge (PLT + GOT, sslstrip)
-completed the Shooting Star challenge @hackthebox_eu (ASLR + ret2plt + ROP + http://libc.rip)
-learned more about pwntools (ELF + ROP)
-completed the @_CryptoCat’s PwnShop and Shooting Star videos (https://youtube.com/watch?v=Bvd9xnBoWaA&ab_channel=CryptoCat)
Day #052
-revised some of my already obtained IT knowledge (ELF + ROP with pwntools, ret2plt)
-went through posts about bug bounty hunting reconnaissance (eg. https://cyberick.com/post/recon-automation-tips-bug-bounty)
-continued with the Hacking – The Art of Exploitation:
–>went through 0x680 (Payload Smuggling) + 0x690 (Buffer Restrictions) + 0x6a0 (Hardening Countermeasures: NX + ASLR) parts
–>started 0x700 (CRYPTOLOGY) part: 0x710 (Information Theory) + 0x720 (Algorithmic Run time)
Day #053
-revised some of my already obtained IT knowledge (ICMP redirect attack)
-learned about webapp recon tools for #bugbounty hunting (amass, assetfinder, httpx, httprobe, EyeWitness, gowitness)
-installed recon tools + added API keys
-started reading the recon guide @ https://offensity.com/en/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/
-continued with the WINDOWS ATTACKS & DEFENSE module @hackthebox_eu academy (Credentials in Object Properties + DCSync + Golden Ticket)
Day #054
-revised some of my already obtained IT knowledge (amass, basic wordlist generation, SSL process)
-continued with the WINDOWS ATTACKS & DEFENSE module @hackthebox_eu academy (Kerberos Constrained Delegation + Print Spooler & NTLM Relaying)
-started reading the Core Defense Mechanisms chapter of The Web Application Hacker’s Handbook (WAHH)
Day #055
-revised some of my already obtained IT knowledge (gowitness, httprobe, bit shifting, ret2plt, PS remoting, NTLM)
-learned more about subdomain enum (subdomain permutations/brute-forcing/resolving)
-installed and tested several subdomain enum tools
-worked on my subdomain enum script
-learned more about webapp recon tools for #bugbounty hunting (subfinder, puredns, massdns, altdns)
-continued with reading the recon guide @ https://offensity.com/en/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/
Resources for subdomain enum:
https://trickest.com/blog/full-subdomain-discovery-using-workflow/
https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/
https://is.muni.cz/th/de05t/master_thesis_final.pdf
https://0xpatrik.com/subdomain-enumeration-2019/
Day #056
-revised some of my already obtained IT knowledge (CMD injection methodology, rpivot)
-learned more about subdomain enumeration (Rapid7 FDNS, CommonSpeak)
-continued with the WINDOWS ATTACKS & DEFENSE module @hackthebox_eu academy (Coercing Attacks & Unconstrained Delegation + Object ACLs + PKI – ESC1)
-learned about more webapp recon tools for #bugbounty hunting (regulator)
RESOURCES:
https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
https://youtube.com/watch?v=GxkuBFUfnL8&ab_channel=DEFCONConference
Day #057
-revised some of my already obtained IT knowledge (double pivoting, DNS/ICMP tunneling, SMB relay, file capabilities in Linux)
-learned more about subdomain enumeration (https://sidxparab.gitbook.io/subdomain-enumeration-guide/active-enumeration/dns-bruteforcing)
-created my own subdomain wordlists (combination of best-dns-wordlist + httparchive + a few others)
-completed the Windows Attacks & Defense module (Skills Assessment – ESC8)
Day #058
-revised some of my already obtained IT knowledge (bypassing stack canary, PIE, PTES)
-completed the Nightmare challenge @hackthebox_eu academy (reversing, format string vuln, GOT overwrite, pwninit + patching the binary with a different library)
-completed the Intro to Binary Exploitation track @hackthebox_eu (partying smiley)
-watched @_CryptoCat's Nightmare video
Day #059
-revised some of my already obtained IT knowledge (SMB relay, CMD injection, unconstrained delegation)
-completed the Practical Web Application Security and Testing course by @TCMSecurity
-went through 0x730 (Symmetric Encryption) + 0x740 (Asymmetric Encryption) + 0x750 (Hybrid Ciphers) + 0x760 (Password Cracking) + 0x770 (Wireless 802.11b Encryption) + 0x780 (WEP Attacks) chapters of the Hacking – The Art of Exploitation
-finished the Hacking – The Art of Exploitation (Now deciding what to read next. Maybe Offensive Shellcode from Scratch? Or MD MZ?)
Day #060
-revised some of my already obtained IT knowledge (shell stabilization)
-learned more about BB hunting (https://cyberick.com/bugbounty)
-learned about more webapp recon tools for #bugbounty hunting (feroxbuster)
Day #061
-revised some of my already obtained IT knowledge (LLMNR/NBT-NS poisoning, ret2plt)
-had a job interview
-completed the Core Defense Mechanisms chapter of The Web Application Hacker’s Handbook 2
Day #062
-revised some of my already obtained IT knowledge (Nessus with Metasploit)
-continued with the Mapping the Application chapter of WAHH 2
Day #063
-finished the Mapping the Application chapter of WAHH 2
-revised Information Disclosure path and related labs @PortSwigger (https://portswigger.net/web-security/information-disclosure)
-learned about more webapp recon tools for #bugbounty hunting (hakrawler)
Day #064
-revised some of my already obtained IT knowledge (double pivoting)
-finished the Exploiting Information Disclosure chapter of WAHH 2
-revised Access Control path, IDOR and related labs @PortSwigger (https://portswigger.net/web-security/access-control)
Days #065 – #068
-spent a couple of days in a hospital (due to a surgery)
-revised some of my already obtained IT knowledge (JWT auth + simple exploitation)
-watched 2 @InsiderPhD's videos (Information Disclosure + Access Control and IDORs)
Days #069 – #070
-revised some of my already obtained IT knowledge (rpivot, ret2puts, amass)
-reviewed Authentication path @PortSwigger
-completed the Attacking Access Controls chapter of WAHH 2
-selected a VDP to participate in and performed subdomain enumeration + screenshotting webapps + directory brute-forcing
-submitted my first bug
Day #071
-learned about Ligolo-NG (https://youtube.com/watch?v=DM1B8S80EvQ&ab_channel=GonskiCyber)
-received an invitation to my first private program
-learned more about photo forensics (https://youtube.com/watch?v=CnaoWJlOhLU&ab_channel=AllHackingCons + https://hackerfactor.com/papers/bh-usa-07-krawetz-wp.pdf)
-spent some more time on the VDP searching for an interesting webapp with more functionality (to no avail) + performed more subdomain enumeration and screenshotting
-started reading the Attacking Authentication chapter of WAHH 2
Day #072
-revised some of my already obtained IT knowledge (stack pivoting)
-learned more about pwntools (https://github.com/Gallopsled/pwntools-tutorial – assembly + bytes + context + debugging + ELF)
-continued with RPISEC’s MBE course (crackme reverse engineering challenges)
Day #073
-revised some of my already obtained IT knowledge (double pivoting, WEP)
-continued with RPISEC’s MBE course (reverse engineering labs) + went through writeups (https://devel0pment.de/?p=4 + https://medium.com/@lpozogilo/modern-binary-exploitation-writeup-31343442596f)
Reversing is not fun (yet) 🙂
Day #074
-revised some of my already obtained IT knowledge (PS loops, AD CS basics)
-continued with the Attacking Authentication chapter of WAHH 2
-subdomain enum on a private #BugBounty program
Day #075
-revised some of my already obtained IT knowledge (.DTOR, Error-Level analysis + Luminance Gradient analysis)
-finished the Attacking Authentication chapter of WAHH 2
-spent some time on a private BB program (reported an IDOR vuln)
-learned more about IDOR vulns (https://bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
-started the SHELLS & PAYLOADS module @hackthebox_eu's academy (Intro + Shell Basics)
Day #076
-revised some of my already obtained IT knowledge (SEH, PS modules)
-learned more about IDOR bugs (https://bugbountyhunter.com/disclosed/ [IDOR] + https://rez0.blog/hacking/cybersecurity/2022/08/18/unpredictable-idors.html)
Day #077
-revised some of my already obtained IT knowledge (PTES)
-spent around 5 hours #BugBounty hunting and couldn’t find any valid bug 🤦♂️
-went through https://blog.cyberxplore.com/we-hacked-github-for-a-month-heres-what-we-found/
Day #078
-revised some of my already obtained IT knowledge (Python exploit template, SCF, constrained delegation, socat encrypted shells, blind command injection)
-learned more about WAFs (https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2)
Day #079
-revised some of my already obtained IT knowledge (PLT and GOT, ret2plt, path directory traversal)
-learned more about stageless meterpreter payloads (https://rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/)
-continued with the SHELLS & PAYLOADS module @ htbacademy (Payloads)
Day #080
-revised some of my already obtained IT knowledge (username enumeration, puredns + altdns)
-continued with RPISEC’s MBE course (Intro to Memory Corruption lecture + related labs)
Day #081
-revised some of my already obtained IT knowledge (amass, ffuf, 2FA + password reset bypass)
-reviewed a few Authentication labs @PortSwigger
-went through all blog posts @ https://cyberick.com/bugbounty
-finished reading https://offensity.com/en/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/
-started hunting on a new VDP (I want to dedicate around 100 hrs there and see how it goes)
-primary goal: to learn and have fun 🙂
Day #082
-revised some of my already obtained IT knowledge (SQL)
-learned about more webapp recon tools for #BugBounty hunting (gau)
-read a few articles about #BugBounty (https://infosecwriteups.com/bug-bounty-a-comprehensive-guide-2023-85bc30429a35 + https://blog.developer.adobe.com/attention-security-researchers-level-up-your-skills-and-join-our-private-bug-bounty-program-2da9d5979d8b)
-spent around 5 hrs BB hunting on a VDP
Day #083
-revised some of my already obtained IT knowledge (NX, blind SQLi)
-spent around 3.5 hrs #BugBounty hunting on a VDP (main sub/domains so couldn’t find anything)
-went through https://codelivly.com/overcoming-struggles-and-becoming-a-successful-bug-bounty-hunter/
-learned more about Information Disclosure (https://medium.com/@nynan/what-i-learnt-from-reading-126-information-disclosure-writeups-d896c5d5a2a4)
-learned more about File Upload vuln (hackerone reports)
-learned about (WCD) Web Cache Deception vuln (resources below)
WCD resources:
https://blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf
https://beaglesecurity.com/blog/article/web-cache-deception.html
https://book.hacktricks.xyz/pentesting-web/cache-deception
https://securitycafe.ro/2022/07/01/web-cache-deception-attacks/
https://hackerone.com/reports/593712
https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9
Day #084
-revised some of my already obtained IT knowledge (GDB basics, double pivoting, PowerShell Empire, blind SQLi with conditional errors)
-spent around 5 hrs #BugBounty hunting on a VDP (even though I didn’t find anything I learned a lot = I’m happy)
-learned more about File Upload vuln (hackerone reports – https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPUPLOAD.md)
-learned more about 403 bypasses (resources below)
–>https://sapt.medium.com/bypassing-403-protection-to-get-pagespeed-admin-access-822fab64c0b3
–>https://notion.so/Broken-Access-Control-IDOR-37b610b3339748ec9df3d1283ff0475f
–>https://infosecwriteups.com/how-403-forbidden-bypass-got-me-nokia-hall-of-fame-hof-8acbd2c1c2c8
–>https://medium.com/@uttamgupta_/14-bypass-403-forbidden-82df3cfe5386
–>https://www.vidocsecurity.com/blog/401-and-403-bypass-how-to-do-it-right/
Day #085
-revised some of my already obtained IT knowledge (WEP keys, SQLi on an UPDATE statement)
-spent 1 hour #BugBounty hunting
-submitted one report @HackerOne
-learned more about IDOR vuln (https://techkranti.com/idor-through-mongodb-object-ids-prediction/?utm_campaign=BugBountyHunting%20Snapshots&utm_medium=email&utm_source=Revue%20newsletter + https://medium.com/@nynan/what-i-learnt-from-reading-220-idor-bug-reports-6efbea44db7)
Day #086
-revised some of my already obtained IT knowledge (pwntools basics, PIE, MySQL, time-based SQLi)
-continued with RPISEC’s MBE course (Shellcoding lecture)
-analyzed and repaired my web-scraping python script
Day #087
-revised some of my already obtained IT knowledge (UNICODE buffer overflow)
-continued with RPISEC’s MBE course (completed shellcoding lab C and started shellcoding lab B)
Day #088
-revised some of my already obtained IT knowledge (ret2puts, domain privesc via extraSIDs attack, powershell empire, Out-of-band SQLi)
-spent around 3 hours #BugBounty hunting
Day #089
-revised some of my already obtained IT knowledge (DNS + ICMP tunneling, WCD, PS empire)
-went through https://medium.com/@cuncis/become-a-successful-bug-hunter-in-2023-d5dceba77543 + https://medium.com/@cuncis/how-the-internet-archive-wayback-machine-can-help-pentesters-find-hidden-vulnerabilities-2604fe31ba0c
-applied for a volunteer penetration tester position
-learned more about Web Archive (https://mr23r0.medium.com/uncovering-the-secrets-the-potential-of-web-archive-in-bug-bounty-programs-322151fa4e63 + https://blog.intigriti.com/2021/09/24/hacker-tools-waybackurls/)
Day #090
-revised some of my already obtained IT knowledge (ROP gadgets, logic vulns, bash scripting)
-learned more about Arbitrary File Upload vuln (https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPUPLOAD.md)
-learned more about WCD (https://sajjadium.github.io/files/usenixsec2020wcd_paper.pdf)
-spent around 3 hrs #BugBounty hunting
-even though I planned to spend 100 hrs on a VDP, I decided to leave the VDP as it’s no longer fun for me
-performed subdomain enum on a private VDP (+ planning to perform tests with different wordlists)
Day #091
-revised some of my already obtained IT knowledge (buffer overflow basics)
-learned more about Arbitrary File Upload vuln (https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPUPLOAD.md)
-performed subdomain brute-forcing tests with different wordlists
Day #092
-revised some of my already obtained IT knowledge (ROP with mona, information disclosure vuln)
-spent the whole day developing a new tool – WCDScanner (automating Web Cache Deception exploitation)
-went through an OSEE writeup (https://gerr.re/posts/osee-review/)
Day #093
-revised some of my already obtained IT knowledge (shellcoding, reference/dereference in C, Windows credentials)
-learned more about shellcoding (https://medium.com/@0x4553/linux-x86-read-file-analyzing-aa10c91a5a1d + )
-continued with RPISEC’s MBE course (completed shellcoding B lab + started working on the A lab)
-continued with the SHELLS & PAYLOADS module @hackthebox_eu’s academy (Infiltrating Windows + Linux)
Day #094
-revised some of my already obtained IT knowledge (pwntools, memory registers, shellcoding optimization)
-continued with RPISEC’s MBE course (finished the Shellcoding lecture by completing the last lab (A difficulty))
Day #095
-revised some of my already obtained IT knowledge (insecure deserialization, SSRF basics)
-continued with the SHELLS & PAYLOADS module @hackthebox_eu’s academy (Web Shells + Detection & Prevention)
-went through https://medium.com/@atomiczsec/one-bug-at-a-time-last-15-days-of-30daysofbugbounty-e6f59cb8b621
-learned more about IDORs with Autorize (https://youtube.com/watch?v=2WzqH6N-Gbc&ab_channel=InsiderPhD + https://youtube.com/watch?v=Mpw1Lo3GAK0&ab_channel=HackingSimplified)
Day #096
-revised some of my already obtained IT knowledge (format string vuln basics, C pointer reference/dereference, SSRF bypasses + open redirection, ssh-agent + SSH session hijacking)
-applied for cybersecurity positions at two different companies
-worked on my #100DaysOfHacking summary
Day #097
-revised some of my already obtained IT knowledge (amass)
-worked on my #100DaysOfHacking summary
-finished the SHELLS & PAYLOADS module @hackthebox_eu’s academy (The Live Engagement)
Day #098
-revised some of my already obtained IT knowledge (gowitness, httprobe, routing protocols)
-spent around 4.5 hours #BugBounty hunting (mainly the boring stuff such as checking 403 websites, using web archive, etc.) – checked around 120 websites this way
-learned more about subdomain takeover vuln
-worked on my #100DaysOfHacking summary
Day #099
-revised some of my already obtained IT knowledge (ICMP revshell, xinetd, blind SSRF)
-spent around 1 hour #BugBounty hunting (mainly the boring stuff such as checking 403 websites, using web archive, etc.) – checked around 60 websites this way
-worked on my #100DaysOfHacking summary
Day #100 (June 24, 2023)
-revised some of my already obtained IT knowledge (SSL process, 3snake, format string vulnerabilities, XXE)
-worked on my #100DaysOfHacking summary
-continued with RPISEC’s MBE course (started the Format String Vulnerabilities lecture + resolved the first lab)
Conclusion
The #100DaysOfHacking challenge has been an amazing experience that I think everyone interested in hacking and cybersecurity should try. It helps you to learn a lot and stay motivated every day. Plus, you can see how much you improve over time, which feels really rewarding. So, I recommend giving it a shot and discovering your potential!
What’s next? Another #100DaysOfHacking challenge of course! See you after 100 days 😉