My #100DaysOfHacking Challenge Summary

A summary of what I learned during my #100DaysOfHacking challenge

Disclaimer!!!
The information provided in this blog is to be used for educational purposes only. All of the information in this blog is meant to help the reader to develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage. Hacking is a crime and I am not responsible for the way you use the obtained knowledge.

I’m happy to be back with a new post after a long break. To document my daily updates and learning experience, I embarked on the #100DaysOfHacking challenge on March 11, 2023. My goal was to refine my hacking skills, gain more hands-on experience, and have a way to see my progress.

Throughout the challenge, I dedicated my time to exploring four main areas: infrastructure pentesting, webapp security, bug bounty hunting, and binary exploitation. Today, on June 24, 2023, I am happy to say that I have successfully completed the challenge.

In this blog post, I will provide you with a short summary of my key learnings first. After that, you are welcome to see my everyday progress if you are interested. This might help you to gain motivation, join a similar challenge, or simply get inspired on what to learn next.

If you have completed the same or a similar challenge, I would be more than happy to hear about that. Feel free to reach out to me on Twitter (https://twitter.com/hacking4every1), LinkedIn (https://www.linkedin.com/in/timotei-adamec/), or via email (adametim.hacking4everyone@gmail.com). Let’s connect and share our progress and growth.

Key Learnings

Infrastructure Pentesting

I have pwned 8 machines @ HackTheBox and learned about the following along the way:
-Redis exploitation
-CMS exploitation
-PFX + LAPS exploitation
-SCF + stealing NetNTLMv2 hashes
-hashcat password rules
-reversing a .Net executable
-LDAP enumeration
-resource-based constrained delegation

I have finished several modules @ HackTheBox Academy:
-VULNERABILITY ASSESSMENT
-Pivoting, Tunneling, and Port Forwarding
-WINDOWS ATTACKS & DEFENSE
-SHELLS & PAYLOADS

And I have learned about the following along the way:
-vulnerability scoring, Nessus, OpenVAS
-GPP passwords, GPO permissions, GPO Files
-different use cases of port forwarding and tunneling
-different tools (dnscat, rpivot)

I have thoroughly studied the AD pentesting guide @ HackTheBox.

I have read dozens of blog posts, including writeups. I usually read around three blog posts for every new topic I explore.

I have read several python exploits.

WebApp Security

I have finished Practical Web Application Security and Testing @ TCMSecurity.

I have tackled 2 challenges from the OWASP Top 10 track @ HackTheBox.

I have finished several modules @ HackTheBox Academy:
-COMMAND INJECTIONS
-BUG BOUNTY HUNTING PROCESS

I have revised different webapp vulnerabilities and completed or reviewed several labs @ PortSwigger:
-Insecure Deserialization (2)
-Information Disclosure (all labs)
-Access Control + IDOR (all labs)
-Authentication (3 labs)

I have completed OWASP Top 10 – 2021 @ TryHackMe.

I have completed around 16 challenges of AEC Hacking competitions for different years.

I have gone through dozens of posts/videos on how to start with bug bounty hunting and on how to carry out reconnaissance.

I have watched dozens of videos about Broken Access Control/IDOR/Information Disclosure/API/Web Cache Deception vulnerabilities.

I have explored different tools:
-KiteRunner, feroxbuster, hakrawler, gau
-amass, assetfinder, subfinder
-httpx, httprobe
-EyeWitness, gowitness
-puredns, massdns, altdns, Rapid7 FDNS, CommonSpeak

I have developed two scripts to automate my bug bounty hunting workflow:
-a subdomain enumeration script
-WCDScanner for automating Web Cache Deception exploitation

I have spent around 40 hours bug bounty hunting and discovered the following bugs:
-valid: 1 (Broken Access Control)
-informational: 1 (IDOR)
-triaged: 1 (Broken Access Control)

I have learned about the following along the way:
-insecure deserialization
-API security
-HTTP headers
-subdomain brute-forcing/resolving/permutations
-WAFs
-arbitrary file upload vulnerability (HackerOne public reports)
-Web Cache Deception
-403 bypasses
-Web Archive

I have studied several chapters of The Web Application Hacker’s Handbook:
-Core Defense Mechanisms
-Mapping the Application
-Attacking Authentication
-Attacking Access Controls
-Exploiting Information Disclosure

Binary Exploitation

I have started the Finding security vulnerabilities through fuzzing course by @hardik05.

I have completed Intro To Pwntools room @ TryHackMe.

I have finished Intro to Binary Exploitation track (10 challenges) @ HackTheBox and learned the following along the way:
-exploitation of stripped binaries
-Python with pwntools
-x64 ROP
-integer overflow attacks
-alphanumeric shellcodes
-Ghidra
-seccomp
-bit shifting
-glibc/binary base leaks
-stack alignment
-stack pivoting
-ASLR + ret2plt + http://libc.rip
-reversing
-format string vulnerabilities with pwntools
-shellcoding

I have studied several chapters of Hacking – The Art of Exploitation:
-Exploitation
-Shellcode
-Countermeasures
-Cryptology

I have read dozens of blog posts, including various writeups.

I have studied dozens of Python binary exploitation scripts.

I have started to go through the RPISEC/MBE course and have finished the following lectures so far:
-Introduction to Reverse Engineering + related labs
-Extended Reverse Engineering + related labs
-Intro to Memory Corruption + related labs
-Shellcoding / Code Injection + related labs
-Format String Vulnerabilities + first lab

I have created around 20 Python binary exploitation scripts for different challenges.

Other

Revising your gained knowledge at regular intervals is crucial for remembering as much information as possible.

I have revised a lot of my already obtained knowledge:
-bash scripting, Python requests, and PowerShell commands
-AD stuff, including basics, Kerberos authentication, golden tickets, silver tickets, un/constrained delegation, DSRM persistence, overpass-the-hash, skeleton keys, DCSync, ExtraSIDs attack, and AD CS basics
-pivoting & tunneling (sshuttle, chisel, DNS/ICMP tunneling, double pivoting, socat, SOCKS)
-pentesting standards and methodologies
-XSS
-path directory traversal attacks
-SSRF basics & bypasses, blind SSRF, along with open redirect vulnerability
-command injection
-JWT authentication + simple exploitation techniques
-SQLi (MySQL, in-band, blind, reading from/writing to a file)
-WEP basics and attacks such as ARP replay/fragmentation/KoreK chopchop
-binary exploitation topics (mona ROP, format string vulnerabilities, shellcoding, DTOR, PLT & GOT, ret2plt, stack pivoting, SEH, NX/DEP, unicode buffer overflows, ROP gadgets, memory registers, shellcoding optimization, PIE)
-tools (WPScan, GDB, patator, Nessus)
-Error-Level Analysis & Luminance Gradient analysis
-LLMNR/NBT-NS poisoning, ICMP redirect attack, and SMB relay
-understanding of SMB, X system, SNMP, SSL and shell stabilization

I have created a Python exploit template for my personal tools.

I have „hacked“ my LinkedIn profile.

I have learned about photo forensics.

I have worked on my #100DaysOfHacking summary.

I have learned more than 400 new English words.

Everyday Progress

Day #001 (March 11, 2023)

-revised some of my already obtained IT knowledge (especially Bash scripting)
-„hacked“ my LinkedIn profile
-applied for a Jr Pentester position

Day #002

-started Binary Exploitation track @hackthebox_eu (completed the first box – Jeeves)
-completed parts 0x330 (ENV variables for buffer overflows) and 0x340 (Overflows in other segments) of the Hacking – The Art of Exploitation

Day #003

-revised some of my already obtained IT knowledge
-completed Reg and Batcomputer boxes of Binary Exploitation track @hackthebox_eu (learned how to locate main function of a stripped binary + practised Python with pwntools)

Day #004

-revised some of my already obtained IT knowledge
-completed 1 machine @hackthebox_eu (Redis exploitation)
-completed part 0x350 (Format Strings + .dtor & GOT overwrite) of Hacking – The Art of Exploitation

Day #005

-over the last month and a half, I revised around 1500 pages of my cybersecurity knowledge to prepare for job interviews
-upgraded my Kali
-started Admirer box @hackthebox_eu (MariaDB installation + setup)

Day #006

-revised some of my already obtained IT knowledge
-started 0x400 Networking part (OSI, Sockets, Network Byte Order, Internet Address Conversion, and Simple Server Example) of the Hacking – The Art of Exploitation

Day #007

-revised some of my already obtained IT knowledge
-completed Admirer box & started Blunder box @hackthebox_eu (CMS + arbitrary file upload)

Day #008

-revised some of my already obtained IT knowledge
-completed Blunder box + completed HTB-Console box (x64 ROP exploit) of Binary Exploitation track @hackthebox_eu
-went through a few Python exploits @ExploitDB

Day #009

-revised some of my already obtained IT knowledge
-watched @ippsec’s video on Admirer box @hackthebox_eu

Day #010

-revised some of my already obtained IT knowledge
-completed Timelapse box (PFX + LAPS exploitation) @hackthebox_eu

Days #011 – #012

-revised some of my already obtained IT knowledge (especially XSS + a bit of AD)
-completed Bastion box (played with VHD + extracted SAM & SYSTEM + read mRemoteNG connection file) @hackthebox_eu

Days #013 – #014

-revised some of my already obtained IT knowledge (AD golden tickets + bash scripting)
-completed Driver box (learned about SCF (Shell Command Files) + stealing NetNTLMv2 hashes) @hackthebox_eu

Day #015

-started to learn about insecure deserialization (identifying + how PHP/Java/Python serialization format looks)
-read Hands-on Introduction to Insecure Deserialization (research paper)
-started to work on the baby website rick challenge @hackthebox_eu

Day #016

-learned more about Insecure Deserialization (mostly Java) @snyksec (https://learn.snyk.io/lessons/insecure-deserialization/java/)
-completed the baby website rick challenge (Python pickle Insecure Deserialization) @hackthebox_eu

Day #017

-revised some of my already obtained IT knowledge (constrained & unconstrained delegation)
-started to learn about API security (OWASP API Security Top 10 2019)
-started the baby breaking grad challenge @hackthebox_eu

Day #018

-completed OWASP API Security Top 10 2019 paper
-completed the baby breaking grad challenge @hackthebox_eu (with the help of an excellent blog post – https://braincoke.fr/write-up/hack-the-box/baby-breaking-grad/)
-completed OWASP Top 10 track @hackthebox_eu

Day #019

-learned more about API hacking (https://danaepp.com/beginners-guide-to-api-hacking)
-learned about KiteRunner tool
-learned more about AD pentesting (https://hackthebox.com/blog/active-directory-penetration-testing-cheatsheet-and-guide) @hackthebox_eu
-completed 2 labs (Insecure Deserialization) @PortSwigger

Day #020

-revised some of my already obtained IT knowledge (unicode buffer overflow + SSRF + file upload vuln)
-completed OWASP Top 10 – 2021 & Intro To Pwntools rooms @RealTryHackMe

Day #021

-revised some of my already obtained IT knowledge (DSRM persistence + overpass-the-hash)
-started to work on the Optimistic challenge from Binary Exploitation track @hackthebox_eu
-learned about Integer Overflow attacks

Day #022

-completed the Optimistic challenge (alphanumeric shellcode + more pwntools sorcery + splitting a shellcode) from Binary Exploitation track @hackthebox_eu (with the help of https://7rocky.github.io/en/ctf/htb-challenges/pwn/optimistic/ writeup)
-learned more about Integer Overflow attacks
-revised some of my already obtained IT knowledge (XSS + LFI)
-completed 5 tasks of AEC Hacking Competition 2023

Days #023 – #024

-revised some of my already obtained IT knowledge (mona ROP + constrained delegation + insecure deserialization)
-completed 2 more tasks of Hacking Competition 2013 @ SECURITY 2013
-learned about HTTP headers (security + exploitation)

Day #025

-revised some of my already obtained IT knowledge (pivoting with sshuttle + webapp authentication methods)
-learned about ghex (patching binaries) and setting breakpoints with pwntools

Day #026

-learned more about API security (https://labs.detectify.com/2021/08/10/how-to-hack-apis-in-2021/ + https://wallarm.com/what/how-to-hack-api-in-60-minutes-with-open-source)
-completed 0x420 (Sockets) and 0x430 (Peeling Back the Lower Layers) parts of Hacking – The Art of Exploitation

Day #027

-skipped the rest of the NETWORKING chapter and went through 0x500 chapter (SHELLCODE) of Hacking – The Art of Exploitation (removing NULL bytes, setreuid, port-binding & connect-back shellcode)

Day #028

-revised some of my already obtained IT knowledge
-started 0x600 chapter (Countermeasures)
-went through VULNERABILITY ASSESSMENT module (vuln scoring/Nessus/OpenVAS) + started Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy

Day #029

-revised some of my already obtained IT knowledge (pentesting standards + command injection)
-started Practical Web Application Security and Testing @TCMSecurity (30% done)
-completed 4 tasks (SECURITY 2015 – Hacking Competition)
-completed 0x630 + 0x640 parts (Hacking – The Art of Exploitation)

Day #030

-revised some of my already obtained IT knowledge (AD un/constrained delegation)
-completed 0x650 (creating stealthy shellcodes) part (Hacking – The Art of Exploitation)
-started the Blacksmith challenge @hackthebox_eu (created an ASM shellcode)

Day #031

-completed the Blacksmith (seccomp, pwn in Python2 vs Python3, selfcrafted an ASM shellcode) challenge @hackthebox_eu
-went through 0x660 and 0x670 (Camouflage + Socket Reuse) parts of the Hacking – The Art of Exploitation

Day #032

-revised some of my already obtained IT knowledge (SCF, stealthy shellcodes)
-continued with Pivoting, Tunneling, and Port Forwarding module @ HTB Academy (Dynamic Port Forwarding with SSH and SOCKS Tunneling + Remote/Reverse Port Forwarding with SSH)

Day #033

-revised some of my already obtained IT knowledge (SOCKS, ARP replay attack, patator)
-continued with Practical Web Application Security and Testing (OWASP Top 10) @TCMSecurity (65% done)
-completed 2 tasks of SECURITY 2016 – Hacking Competition

Day #034

-continued with Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy:
–>Meterpreter Tunneling & Port Forwarding
–>Socat Redirection with a Reverse Shell
–>Socat Redirection with a Bind Shell
–>SSH for Windows: plink.exe
-revised some of my already obtained IT knowledge (PS jobs, korek chopchop attack, basic blind SQLi)
-completed Delivery box @hackthebox_eu (hashcat password rules + sucrack)

Day #035

-revised some of my already obtained IT knowledge (fragmentation attack, WPScan, AD silver tickets)
-continued with Practical Web Application Security and Testing @tcmsecurity (90% done)

Day #036

-continued with Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy:
–>SSH Pivoting with Sshuttle
–>Web Server Pivoting with Rpivot
–>Port Forwarding with Windows Netsh
–>DNS Tunneling with Dnscat2
-revised some of my already obtained IT knowledge (information_schema + reading from/writing to a file using SQLi, AD skeleton key)
-started to work on the Support machine @hackthebox_eu (reversing .Net exe)

Day #037

-revised some of my already obtained IT knowledge (format string vuln: https://7rocky.github.io/en/ctf/htb-challenges/pwn/format/ )
-completed the Leet Test challenge @hackthebox_eu (format string vuln)
-learned about bit shifting

Day #038

-revised some of my already obtained IT knowledge (format string exploitation with pwn)
-started to work on the PwnShop challenge @hackthebox_eu

Day #039

-revised some of my already obtained IT knowledge (Python requests)
-continued with Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy
–>SOCKS5 Tunneling with Chisel
–>ICMP Tunneling with SOCKS

Day #040

-revised some of my already obtained IT knowledge (bit shifting, rpivot, information gathering – metadata + foca)
-learned more about chisel (https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html) + about shrinking Go programs (https://youtube.com/watch?v=Yp4oxoQIBAM&t=1469s&ab_channel=IppSec)

Day #041

-revised some of my already obtained IT knowledge (dnscat2 + ptunnel-ng)

Day #042

-revised some of my already obtained IT knowledge (information gathering – DNS)
-continued with Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy:
–>RDP and SOCKS Tunneling with SocksOverRDP

Day #043

-completed the Pivoting, Tunneling, and Port Forwarding module @hackthebox_eu academy:
–>Skills Assessment (single pivoting, port forwarding…)
–>Detection & Prevention (People, Processes, and Technology + MITRE breakdown)
-revised some of my already obtained IT knowledge (stealthy shellcodes)

Day #044

-revised some of my already obtained IT knowledge (leaking libc base address, nmap switches)
-continued with the PwnShop challenge @hackthebox_eu (leaked the binary + glibc base address)
-went through more pivoting stuff (https://youtube.com/watch?v=B3GxYyGFYmQ&ab_channel=HackTheBox)

Day #045

-revised some of my already obtained IT knowledge (https://vickieli.dev/binary%20exploitation/format-string-vulnerabilities/, nmap – different service scan types)
-completed the PwnShop challenge @hackthebox_eu (ROP + stack alignment + https://libc.rip to get correct function offsets)
-went through half of @_CryptoCat’s PwnShop video (https://youtube.com/watch?v=RNqJjO3uf98&ab_channel=CryptoCat)
-started the Finding security vulnerabilities through fuzzing course by @hardik05 (17% done)
-learned about stack pivoting (https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting)

Day #046

-revised some of my already obtained IT knowledge (stack pivoting, nmap switches for bypassing FW/IDS)
-went through pwntools section @ https://ir0nstone.gitbook.io
-continued with the Support machine @hackthebox_eu (LDAP enum)

Day #047

-revised some of my already obtained IT knowledge (more nmap switches for bypassing FW/IDS + DTOR + python exploit template)
-spent like 2 hrs trying to solve one command injection challenge (to no avail 😠)
-completed the COMMAND INJECTIONS module @hackthebox_eu academy (Intro + Detection + Exploitation + Filter Evasion + Prevention + Skills Assessment)
-completed 3 tasks (hidden page + photo forensics) of SECURITY 2019 – Hacking Competition

Day #048

-revised some of my already obtained IT knowledge (SMB enum, X system, a few PS commands)
-learned more about photo forensics (https://hackerfactor.com/blog/index.php?/categories/17/FotoForensics)
-completed the Support machine @hackthebox_eu (AD enum, resource-based constrained delegation)
-started the WINDOWS ATTACKS & DEFENSE module @hackthebox_eu academy (Intro + Kerberoasting + AS-REProasting)

Day #049

-revised some of my already obtained IT knowledge (integer overflow, pwntools, SNMP – theory + enum, Linux – fail2ban + lsof)
-completed 2 tasks (git history + GPP password) of SECURITY 2019 – Hacking Competition
-decided I’ll start with bug bounty hunting (instead of just completing challenges)
-went through the BUG BOUNTY HUNTING PROCESS module @hackthebox_eu academy
-went through posts and videos about how to get started with #bugbounty

Day #050

-revised some of my already obtained IT knowledge (SCF, PS – input + output, constrained delegation)
-went through more posts and videos about how to get started with #BugBounty
-continued with the WINDOWS ATTACKS & DEFENSE module @hackthebox_eu academy (GPP Passwords + GPO Permissions/GPO Files + Credentials in Shares)

Day #051

-revised some of my already obtained IT knowledge (PLT + GOT, sslstrip)
-completed the Shooting Star challenge @hackthebox_eu (ASLR + ret2plt + ROP + http://libc.rip)
-learned more about pwntools (ELF + ROP)
-completed @_CryptoCat’s PwnShop and Shooting Star videos (https://youtube.com/watch?v=Bvd9xnBoWaA&ab_channel=CryptoCat)

Day #052

-revised some of my already obtained IT knowledge (ELF + ROP with pwntools, ret2plt)
-went through posts about bug bounty hunting reconnaissance (eg. https://cyberick.com/post/recon-automation-tips-bug-bounty)
-continued with the Hacking – The Art of Exploitation:
–>went through 0x680 (Payload Smuggling) + 0x690 (Buffer Restrictions) + 0x6a0 (Hardening Countermeasures: NX + ASLR) parts
–>started 0x700 (CRYPTOLOGY) part: 0x710 (Information Theory) + 0x720 (Algorithmic Run time)

Day #053

-revised some of my already obtained IT knowledge (ICMP redirect attack)
-learned about webapp recon tools for #bugbounty hunting (amass, assetfinder, httpx, httprobe, EyeWitness, gowitness)
-installed recon tools + added API keys
-started reading the recon guide @ https://offensity.com/en/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/
-continued with the WINDOWS ATTACKS & DEFENSE module @hackthebox_eu academy (Credentials in Object Properties + DCSync + Golden Ticket)

Day #054

-revised some of my already obtained IT knowledge (amass, basic wordlist generation, SSL process)
-continued with the WINDOWS ATTACKS & DEFENSE module @hackthebox_eu academy (Kerberos Constrained Delegation + Print Spooler & NTLM Relaying)
-started reading the Core Defense Mechanisms chapter of The Web Application Hacker’s Handbook (WAHH)

Day #055

-revised some of my already obtained IT knowledge (gowitness, httprobe, bit shifting, ret2plt, PS remoting, NTLM)
-learned more about subdomain enum (subdomain permutations/brute-forcing/resolving)
-installed and tested several subdomain enum tools
-worked on my subdomain enum script
-learned more about webapp recon tools for #bugbounty hunting (subfinder, puredns, massdns, altdns)
-continued with reading the recon guide @ https://offensity.com/en/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/
Resources for subdomain enum:
https://trickest.com/blog/full-subdomain-discovery-using-workflow/
https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/
https://is.muni.cz/th/de05t/master_thesis_final.pdf
https://0xpatrik.com/subdomain-enumeration-2019/

Day #056

-revised some of my already obtained IT knowledge (CMD injection methodology, rpivot)
-learned more about subdomain enumeration (Rapid7 FDNS, CommonSpeak)
-continued with the WINDOWS ATTACKS & DEFENSE module @hackthebox_eu academy (Coercing Attacks & Unconstrained Delegation + Object ACLs + PKI – ESC1)
-learned about more webapp recon tools for #bugbounty hunting (regulator)
RESOURCES:
https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
https://youtube.com/watch?v=GxkuBFUfnL8&ab_channel=DEFCONConference

Day #057

-revised some of my already obtained IT knowledge (double pivoting, DNS/ICMP tunneling, SMB relay, file capabilities in Linux)
-learned more about subdomain enumeration (https://sidxparab.gitbook.io/subdomain-enumeration-guide/active-enumeration/dns-bruteforcing)
-created my own subdomain wordlists (combination of best-dns-wordlist + httparchive + a few others)
-completed the Windows Attacks & Defense module (Skills Assessment – ESC8)

Day #058

-revised some of my already obtained IT knowledge (bypassing stack canary, PIE, PTES)
-completed the Nightmare challenge @hackthebox_eu academy (reversing, format string vuln, GOT overwrite, pwninit + patching the binary with a different library)
-completed the Intro to Binary Exploitation track @hackthebox_eu (partying smiley)
-watched @_CryptoCat’s Nightmare video

Day #059

-revised some of my already obtained IT knowledge (SMB relay, CMD injection, unconstrained delegation)
-completed the Practical Web Application Security and Testing course by @TCMSecurity
-went through 0x730 (Symmetric Encryption) + 0x740 (Asymmetric Encryption) + 0x750 (Hybrid Ciphers) + 0x760 (Password Cracking) + 0x770 (Wireless 802.11b Encryption) + 0x780 (WEP Attacks) chapters of the Hacking – The Art of Exploitation
-finished the Hacking – The Art of Exploitation (Now deciding what to read next. Maybe Offensive Shellcode from Scratch? Or MD MZ?)

Day #060

-revised some of my already obtained IT knowledge (shell stabilization)
-learned more about BB hunting (https://cyberick.com/bugbounty)
-learned about more webapp recon tools for #bugbounty hunting (feroxbuster)

Day #061

-revised some of my already obtained IT knowledge (LLMNR/NBT-NS poisoning, ret2plt)
-had a job interview
-completed the Core Defense Mechanisms chapter of The Web Application Hacker’s Handbook 2

Day #062

-revised some of my already obtained IT knowledge (Nessus with Metasploit)
-continued with the Mapping the Application chapter of WAHH 2

Day #063

-finished the Mapping the Application chapter of WAHH 2
-revised Information Disclosure path and related labs @PortSwigger (https://portswigger.net/web-security/information-disclosure)
-learned about more webapp recon tools for #bugbounty hunting (hakrawler)

Day #064

-revised some of my already obtained IT knowledge (double pivoting)
-finished the Exploiting Information Disclosure chapter of WAHH 2
-revised Access Control path, IDOR and related labs @PortSwigger (https://portswigger.net/web-security/access-control)

Days #065 – #068

-spent a couple of days in a hospital (due to a surgery)
-revised some of my already obtained IT knowledge (JWT auth + simple exploitation)
-watched 2 @InsiderPhD’s videos (Information Disclosure + Access Control and IDORs)

Days #069 – #070

-revised some of my already obtained IT knowledge (rpivot, ret2puts, amass)
-reviewed Authentication path @PortSwigger
-completed the Attacking Access Controls chapter of WAHH 2
-selected a VDP to participate in and performed subdomain enumeration + screenshotting webapps + directory brute-forcing
-submitted my first bug

Day #071

-learned about Ligolo-NG (https://youtube.com/watch?v=DM1B8S80EvQ&ab_channel=GonskiCyber)
-received an invitation to my first private program
-learned more about photo forensics (https://youtube.com/watch?v=CnaoWJlOhLU&ab_channel=AllHackingCons + https://hackerfactor.com/papers/bh-usa-07-krawetz-wp.pdf)
-spent some more time on the VDP searching for an interesting webapp with more functionality (to no avail) + performed more subdomain enumeration and screenshotting
-started reading the Attacking Authentication chapter of WAHH 2

Day #072

-revised some of my already obtained IT knowledge (stack pivoting)
-learned more about pwntools (https://github.com/Gallopsled/pwntools-tutorial – assembly + bytes + context + debugging + ELF)
-continued with RPISEC’s MBE course (crackme reverse engineering challenges)

Day #073

-revised some of my already obtained IT knowledge (double pivoting, WEP)
-continued with RPISEC’s MBE course (reverse engineering labs) + went through writeups (https://devel0pment.de/?p=4 + https://medium.com/@lpozogilo/modern-binary-exploitation-writeup-31343442596f)

Reversing is not fun (yet) 🙂

Day #074

-revised some of my already obtained IT knowledge (PS loops, AD CS basics)
-continued with the Attacking Authentication chapter of WAHH 2
-subdomain enum on a private #BugBounty program

Day #075

-revised some of my already obtained IT knowledge (.DTOR, Error-Level analysis + Luminance Gradient analysis)
-finished the Attacking Authentication chapter of WAHH 2
-spent some time on a private BB program (reported an IDOR vuln)
-learned more about IDOR vulns (https://bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
-started the SHELLS & PAYLOADS module @hackthebox_eu’s academy (Intro + Shell Basics)

Day #076

-revised some of my already obtained IT knowledge (SEH, PS modules)
-learned more about IDOR bugs (https://bugbountyhunter.com/disclosed/ [IDOR] + https://rez0.blog/hacking/cybersecurity/2022/08/18/unpredictable-idors.html)

Day #077

-revised some of my already obtained IT knowledge (PTES)
-spent around 5 hours #BugBounty hunting and couldn’t find any valid bug 🤦‍♂️
-went through https://blog.cyberxplore.com/we-hacked-github-for-a-month-heres-what-we-found/

Day #078

-revised some of my already obtained IT knowledge (python exploit template, SCF, constrained delegation, socat encrypted shells, blind command injection)
-learned more about WAFs (https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2)

Day #079

-revised some of my already obtained IT knowledge (PLT and GOT, ret2plt, path directory traversal)
-learned more about stageless meterpreter payloads (https://rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/)
-continued with the SHELLS & PAYLOADS module @ htbacademy (Payloads)

Day #080

-revised some of my already obtained IT knowledge (username enumeration, puredns + altdns)
-continued with RPISEC’s MBE course (Intro to Memory Corruption lecture + related labs)

Day #081

-revised some of my already obtained IT knowledge (amass, ffuf, 2FA + password reset bypass)
-reviewed a few Authentication labs @PortSwigger
-went through all blog posts @ https://cyberick.com/bugbounty
-finished reading https://offensity.com/en/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/
-started hunting on a new VDP (I want to dedicate around 100 hrs there and see how it goes)
-primary goal: to learn and have fun 🙂

Day #082

-revised some of my already obtained IT knowledge (SQL)
-learned about more webapp recon tools for #BugBounty hunting (gau)
-read a few articles about #BugBounty (https://infosecwriteups.com/bug-bounty-a-comprehensive-guide-2023-85bc30429a35 + https://blog.developer.adobe.com/attention-security-researchers-level-up-your-skills-and-join-our-private-bug-bounty-program-2da9d5979d8b)
-spent around 5 hrs BB hunting on a VDP

Day #083

-revised some of my already obtained IT knowledge (NX, blind SQLi)
-spent around 3.5 hrs #BugBounty hunting on a VDP (main sub/domains so couldn’t find anything)
-went through https://codelivly.com/overcoming-struggles-and-becoming-a-successful-bug-bounty-hunter/
-learned more about Information Disclosure (https://medium.com/@nynan/what-i-learnt-from-reading-126-information-disclosure-writeups-d896c5d5a2a4)
-learned more about File Upload vuln (hackerone reports)
-learned about (WCD) Web Cache Deception vuln (resources below)
WCD resources:
https://blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf
https://beaglesecurity.com/blog/article/web-cache-deception.html
https://book.hacktricks.xyz/pentesting-web/cache-deception
https://securitycafe.ro/2022/07/01/web-cache-deception-attacks/
https://hackerone.com/reports/593712
https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9

Day #084

-revised some of my already obtained IT knowledge (GDB basics, double pivoting, powershell empire, blind SQLi with conditional errors)
-spent around 5 hrs #BugBounty hunting on a VDP (even though I didn’t find anything I learned a lot = I’m happy)
-learned more about File Upload vuln (hackerone reports – https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPUPLOAD.md)
-learned more about 403 bypasses (resources below)
https://sapt.medium.com/bypassing-403-protection-to-get-pagespeed-admin-access-822fab64c0b3
https://notion.so/Broken-Access-Control-IDOR-37b610b3339748ec9df3d1283ff0475f
https://infosecwriteups.com/how-403-forbidden-bypass-got-me-nokia-hall-of-fame-hof-8acbd2c1c2c8
https://medium.com/@uttamgupta_/14-bypass-403-forbidden-82df3cfe5386
https://www.vidocsecurity.com/blog/401-and-403-bypass-how-to-do-it-right/

Day #085

-revised some of my already obtained IT knowledge (WEP keys, SQLi on an UPDATE statement)
-spent 1 hour #BugBounty hunting
-submitted one report @HackerOne
-learned more about IDOR vuln (https://techkranti.com/idor-through-mongodb-object-ids-prediction/?utm_campaign=BugBountyHunting%20Snapshots&utm_medium=email&utm_source=Revue%20newsletter + https://medium.com/@nynan/what-i-learnt-from-reading-220-idor-bug-reports-6efbea44db7)

Day #086

-revised some of my already obtained IT knowledge (pwntools basics, PIE, MySQL, time-based SQLi)
-continued with RPISEC’s MBE course (Shellcoding lecture)
-analyzed and repaired my web-scraping python script

Day #087

-revised some of my already obtained IT knowledge (UNICODE buffer overflow)
-continued with RPISEC’s MBE course (completed shellcoding lab C and started shellcoding lab B)

Day #088

-revised some of my already obtained IT knowledge (ret2puts, domain privesc via extraSIDs attack, powershell empire, Out-of-band SQLi)
-spent around 3 hours #BugBounty hunting

Day #089

-revised some of my already obtained IT knowledge (DNS + ICMP tunneling, WCD, PS empire)
-went through https://medium.com/@cuncis/become-a-successful-bug-hunter-in-2023-d5dceba77543 + https://medium.com/@cuncis/how-the-internet-archive-wayback-machine-can-help-pentesters-find-hidden-vulnerabilities-2604fe31ba0c
-applied for a volunteer penetration tester position
-learned more about Web Archive (https://mr23r0.medium.com/uncovering-the-secrets-the-potential-of-web-archive-in-bug-bounty-programs-322151fa4e63 + https://blog.intigriti.com/2021/09/24/hacker-tools-waybackurls/)

Day #090

-revised some of my already obtained IT knowledge (ROP gadgets, logic vulns, bash scripting)
-learned more about Arbitrary File Upload vuln (https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPUPLOAD.md)
-learned more about WCD (https://sajjadium.github.io/files/usenixsec2020wcd_paper.pdf)
-spent around 3 hrs #BugBounty hunting
-even though I planned to spend 100 hrs on a VDP, I decided to leave the VDP as it’s no longer fun for me
-performed subdomain enum on a private VDP (+ planning to perform tests with different wordlists)

Day #091

-revised some of my already obtained IT knowledge (buffer overflow basics)
-learned more about Arbitrary File Upload vuln (https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPUPLOAD.md)
-performed subdomain brute-forcing tests with different wordlists

Day #092

-revised some of my already obtained IT knowledge (ROP with mona, information disclosure vuln)
-spent the whole day developing a new tool – WCDScanner (automating Web Cache Deception exploitation)
-went through an OSEE writeup (https://gerr.re/posts/osee-review/)

Day #093

-revised some of my already obtained IT knowledge (shellcoding, reference/dereference in C, Windows credentials)
-learned more about shellcoding (https://medium.com/@0x4553/linux-x86-read-file-analyzing-aa10c91a5a1d)
-continued with RPISEC’s MBE course (completed shellcoding B lab + started working on the A lab)
-continued with the SHELLS & PAYLOADS module @hackthebox_eu’s academy (Infiltrating Windows + Linux)

Day #094

-revised some of my already obtained IT knowledge (pwntools, memory registers, shellcoding optimization)
-continued with RPISEC’s MBE course (finished the Shellcoding lecture by completing the last lab (A difficulty))

Day #095

-revised some of my already obtained IT knowledge (insecure deserialization, SSRF basics)
-continued with the SHELLS & PAYLOADS module @hackthebox_eu’s academy (Web Shells + Detection & Prevention)
-went through https://medium.com/@atomiczsec/one-bug-at-a-time-last-15-days-of-30daysofbugbounty-e6f59cb8b621
-learned more about IDORs with Autorize (https://youtube.com/watch?v=2WzqH6N-Gbc&ab_channel=InsiderPhD + https://youtube.com/watch?v=Mpw1Lo3GAK0&ab_channel=HackingSimplified)

Day #096

-revised some of my already obtained IT knowledge (format string vuln basics, C pointer reference/dereference, SSRF bypasses + open redirection, ssh-agent + SSH session hijacking)
-applied for cybersecurity positions at two different companies
-worked on my #100DaysOfHacking summary

Day #097

-revised some of my already obtained IT knowledge (amass)
-worked on my #100DaysOfHacking summary
-finished the SHELLS & PAYLOADS module @hackthebox_eu’s academy (The Live Engagement)

Day #098

-revised some of my already obtained IT knowledge (gowitness, httprobe, routing protocols)
-spent around 4.5 hours #BugBounty hunting (mainly the boring stuff such as checking 403 websites, using web archive, etc.) – checked around 120 websites this way
-learned more about subdomain takeover vuln
-worked on my #100DaysOfHacking summary

Day #099

-revised some of my already obtained IT knowledge (ICMP revshell, xinetd, blind SSRF)
-spent around 1 hour #BugBounty hunting (mainly the boring stuff such as checking 403 websites, using web archive, etc.) – checked around 60 websites this way
-worked on my #100DaysOfHacking summary

Day #100 (June 24, 2023)

-revised some of my already obtained IT knowledge (SSL process, 3snake, format string vulnerabilities, XXE)
-worked on my #100DaysOfHacking summary
-continued with RPISEC’s MBE course (started the Format String Vulnerabilities lecture + solved the first lab)

Conclusion

The #100DaysOfHacking challenge has been an amazing experience that I think everyone interested in hacking and cybersecurity should try. It helps you to learn a lot and stay motivated every day. Plus, you can see how much you improve over time, which feels really rewarding. So, I recommend giving it a shot and discovering your potential!

What’s next? Another #100DaysOfHacking challenge of course! See you after 100 days 😉
