oswe-awae-pre-preperation-plan-and-notes
My OSWE pre-preparation (i.e. before actually buying the course) phase plan and notes!
Notes/Plan for my own personal reference!
𝐎𝐒𝐖𝐄/𝐀𝐖𝐀𝐄 𝐏𝐫𝐞-𝐏𝐫𝐞𝐩𝐚𝐫𝐚𝐭𝐢𝐨𝐧 𝐏𝐥𝐚𝐧 𝐚𝐧𝐝 𝐍𝐨𝐭𝐞𝐬
Started : 16-09-2022
Expected : ?? Donno ?? [bcz of college Assignments/ Exams/ Projects. College Sucks]
Oct to Dec: Got Distracted with bug-bounties + College Assignments/Exams: 2 months
Re-started: 01-12-2022
Goal :
Make yourself familiar enough with all the concepts required to be able to tackle OSWE Course Material and exam
with ease and clear the examination with one single attempt (even if it's gonna be my first certification in the field of cyber sec)

Image Credits
https://alaa.blog/wp-content/uploads/2020/08/awae.png
𝐌𝐲 𝐨𝐰𝐧 𝐝𝐞𝐭𝐚𝐢𝐥𝐞𝐝 𝐧𝐨𝐭𝐞𝐬 𝐚𝐧𝐝 𝐩𝐫𝐚𝐜𝐭𝐢𝐜𝐞 𝐫𝐞𝐩𝐨𝐬𝐢𝐭𝐨𝐫𝐢𝐞𝐬
- Linux Notes
- Bash Scripting Notes
- RegEx Notes
- SQL Notes
- AWAE Notes
  [^ Above Repo is private for obvious reasons. I don't wanna spoon feed anyone. Plus, why I kept it here? => For my own convenience.]
- Powershell Notes
- Python Notes
𝐓𝐚𝐛𝐥𝐞 𝐨𝐟 𝐂𝐨𝐧𝐭𝐞𝐧𝐭
- Pre-requisites
- Tools and Methodologies
- ATutor Authentication Bypass and RCE
- ATutor LMS Type Juggling Vulnerability
- ManageEngine Applications Manager AMUserResourceSyncServlet SQL Injection RCE
- Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
- DotNetNuke Cookie Deserialization RCE
- ERPNext Authentication Bypass and Server Side Template Injection
- openCRX Authentication Bypass and Remote Code Execution
- openITCOCKPIT XSS and OS Command Injection - Blackbox
- Concord Authentication Bypass to RCE
- Server Side Request Forgery
- Guacamole Lite Prototype Pollution
𝐏𝐫𝐞-𝐫𝐞𝐪𝐮𝐢𝐬𝐢𝐭𝐞𝐬
- Comfort reading and writing at least one coding language.
  - This course is not for you if you can't even write a few lines of logic - sorry!
  - Just in case you can, or don't know if you can:
- Familiarity with Linux.
  - Linux Cheatsheet
  - Book: The Linux Command Line
  - Practice:
- Ability to write simple Python / Perl / PHP / Bash scripts.
  - Bash Scripting:
    - Practice:
      - Bash Scripting Practice on Hackerrank
      - https://www.learnshell.org/
    - Book
- Experience with web proxies.
- General understanding of web app attack vectors, theory, and practice.
- Things that ain't mentioned in the pre-requisites but are actually required:
  - SQL
  - RegEx
  - Reverse Shells
  - An IDE + Code Editor:
    - Maybe Visual Studio (IDE)
    - Visual Studio Code or ATOM or Sublime Text
- RegEx
  - Best Resources:
    - Interactive Regex Tutorial
    - Best Youtube Tutorial Video
    - Learn Regex the easy way
    - Best Advice on the Internet
  - Practice:
  - Quick Notes:

Metacharacters (need to be escaped with a backslash to be matched literally):
.[{()\^$|?*+
For example:
. - matches any character
\. - matches a literal dot
- To match a literal backslash, escape \ with \, i.e. \\

Character matchers:
. - Any character except newline
\d - Digit (0-9)
\D - Not a digit (0-9)
\w - Word character (a-z, A-Z, 0-9, _)
\W - Not a word character
\s - Whitespace (space, tab, newline)
\S - Not whitespace (space, tab, newline)

Anchors - match zero-width positions between characters (no character is consumed):
\b - Word boundary
\B - Not a word boundary
^ - Beginning of a string
$ - End of a string

Character classes and groups:
[ ] - Matches any one of the characters in brackets
[^ ] - Matches any one character NOT in brackets
| - Either or
( ) - Group

Quantifiers:
* - 0 or more
+ - 1 or more
? - 0 or one
{3} - Exact number
{3,4} - Range (minimum, maximum); no space inside the braces, or most engines treat it as literal text
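An added example (not part of the original notes) that applies the cheat sheet above to the kind of source review the course is about: escaping the `$`, `[`, `]` and `(` metacharacters, a `\b` boundary, an alternation group, a backreference and `\w+` are combined to list every place a constructed PHP snippet reads user-controlled input from a superglobal, and which of those reads are not wrapped in an integer cast. The PHP sample is constructed here, not taken from any real project.

```python
import re

# Constructed sample PHP source for the demo; line numbers come from enumerate() below.
SAMPLE_PHP = r"""<?php
$id = $_GET['id'];
$name = $_POST["name"];
$q = "SELECT * FROM users WHERE id = " . $_REQUEST['id'];
$safe = intval($_GET['page']);
echo $_COOKIE["session"];
// $_GET['comment'] is only mentioned in this comment
"""

# \$ \[ \]          -> metacharacters escaped so they match literally
# (GET|POST|...)    -> alternation group, captured as group 1
# \b                -> word boundary, so $_GETX[...] does not match
# (['"]) ... \2     -> group 2 captures the quote, \2 requires the same closing quote
# (\w+)             -> 1 or more word characters: the parameter name, group 3
SUPERGLOBAL = re.compile(r"""\$_(GET|POST|REQUEST|COOKIE)\b\[\s*(['"])(\w+)\2\s*\]""")

# A read is considered cast when the text right before it ends in "intval(" or "(int)".
INT_CAST_BEFORE = re.compile(r"(\bintval\(|\(int\))\s*$")
COMMENT_LINE = re.compile(r"^\s*(//|#)")


def find_superglobal_reads(source: str) -> list[tuple[int, str, str]]:
    """Return (line_no, superglobal, parameter) for each read of user input.
    Whole-line comments are skipped so they do not produce false positives."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if COMMENT_LINE.match(line):
            continue
        for m in SUPERGLOBAL.finditer(line):
            hits.append((lineno, m.group(1), m.group(3)))
    return hits


def unwrapped_reads(source: str) -> list[tuple[int, str, str]]:
    """Subset of reads that are not immediately wrapped in an integer cast;
    these are the ones a reviewer follows into the sinks (queries, shell, file paths)."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if COMMENT_LINE.match(line):
            continue
        for m in SUPERGLOBAL.finditer(line):
            if not INT_CAST_BEFORE.search(line[: m.start()]):
                hits.append((lineno, m.group(1), m.group(3)))
    return hits


if __name__ == "__main__":
    for lineno, sg, param in unwrapped_reads(SAMPLE_PHP):
        print(f"line {lineno}: $_{sg}['{param}'] reaches code without an integer cast")
```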
- SQL
  - https://sqlbolt.com/
  - https://www.hackerrank.com/domains/sql
  - https://leetcode.com/problemset/database/
  - Others:
    - codewars
    - stratascratch
    - https://pgexercises.com/questions/basic/
    - https://app.sixweeksql.com/
    - https://mystery.knightlab.com/
    - https://schemaverse.com/
    - https://mode.com/sql-tutorial/
    - https://advancedsqlpuzzles.com/
    - https://www.w3schools.com/sql/exercise.asp
    - https://bipp.io/sql-tutorial
    - https://learnsql.com/
    - https://selectstarsql.com/
    - http://www.sql-ex.ru/
    - https://www.sqlservercentral.com/stairways
𝐓𝐨𝐨𝐥𝐬 𝐚𝐧𝐝 𝐌𝐞𝐭𝐡𝐨𝐝𝐨𝐥𝐨𝐠𝐢𝐞𝐬
- Syllabus:
  - Web Traffic Inspection
  - Interacting with web listeners using Python
  - Source Code Recovery
    - .NET code
    - Java classes
  - Source code analysis methodology
  - Debugging
Tools | Features
---|---
Burp Suite | Web Proxy/Listener
dnSpy | .NET code decompiler
dotPeek | .NET code decompiler
ilSpy | .NET code decompiler
JD-GUI | Java decompiler
Reference:
Best .NET Decompilers: https://www.reddit.com/r/REGames/comments/t6me91/what_best_c_decompiler_that_gives_you_working/
Best Java Classes Decompilers: https://www.reddit.com/r/java/comments/6gyprq/looking_for_a_java_decompiler/
- Videos:
- Reversing .NET Applications with ILSpy: https://youtu.be/3xPL0vHGKLE
- dotPeek - .NET decompiler and assembly browser: https://youtu.be/msJVDzrHS2g
- How to Use dnSpy to Reverse Engineer Unity Games: https://youtu.be/jZnT__DphzE
𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒍𝒆 𝑽𝒆𝒓𝒔𝒊𝒐𝒏𝒔 𝒐𝒇 𝑨𝒑𝒑𝒍𝒊𝒄𝒂𝒕𝒊𝒐𝒏𝒔 𝒅𝒊𝒔𝒄𝒖𝒔𝒔𝒆𝒅 𝒊𝒏 𝒕𝒉𝒆 𝒄𝒐𝒖𝒓𝒔𝒆
Syllabus | Version
---|---
ATutor Authentication Bypass and RCE | ATutor v2.2.1
ATutor LMS Type Juggling Vulnerability | ATutor v2.2.1
ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE | ManageEngine Application Manager before (<) Version 13 (13730 build)
Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability | Bassmaster v1.5.1
DotNetNuke Cookie Deserialization RCE | DNN v9.1.1
ERPNext Authentication Bypass and Server Side Template Injection | Probably ERPNext <= v12
openCRX Authentication Bypass and Remote Code Execution | Probably OpenCRX version <= 4.30 and 5.0-20200717
openITCOCKPIT XSS and OS Command Injection | Probably openITCOCKPIT < 3.7.3
Reference:
ATutor to DotNetNuke: https://github.com/timip/OSWE
ManageEngine Application Manager SQLi & RCE: https://www.manageengine.com/products/applications_manager/issues.html
ERPNext Authentication Bypass and Server Side Template Injection:
A lot of Google Search based on syllabus pdf +
https://erpnext.com/security/references
https://github.com/frappe/frappe/pull/8044
https://www.cvedetails.com/cve/CVE-2019-14965/
https://infosecwriteups.com/frapp%C3%A9-technologies-erpnext-server-side-template-injection-74e1c95ec872
OpenCRX Authentication Bypass and Remote Code Execution:
https://nvd.nist.gov/vuln/detail/CVE-2020-7378
https://www.rapid7.com/blog/post/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/
openITCOCKPIT XSS and OS Command Injection:
https://openitcockpit.io/security/
https://openitcockpit.io/2020/2020/03/23/openitcockpit-3-7-3-released/
𝐀𝐓𝐮𝐭𝐨𝐫 𝐀𝐮𝐭𝐡𝐞𝐧𝐭𝐢𝐜𝐚𝐭𝐢𝐨𝐧 𝐁𝐲𝐩𝐚𝐬𝐬 𝐚𝐧𝐝 𝐑𝐂𝐄
- 𝑷𝒓𝒆-𝒓𝒆𝒒𝒖𝒊𝒔𝒊𝒕𝒆𝒔:
- SQL Injection - Specifically Blind Boolean Based
- File Upload Vulnerabilities
- 𝑰𝒏𝒔𝒕𝒂𝒍𝒍𝒂𝒕𝒊𝒐𝒏:
- Download: https://sourceforge.net/projects/atutor/files/atutor_2_2_1/
- (Worked for me on my local windows machine) XAMPP v3.2.2 : https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/
- It's one of these versions:
- I don't exactly remember which one I installed even if I could see the date modified and compiled date.
- Even installing this on my local machine was a great exercise for me personally.
- 𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒊𝒆𝒔:
- https://www.cvedetails.com/cve/CVE-2016-2555/
- 𝑷𝒓𝒂𝒄𝒕𝒊𝒔𝒆:
- https://www.cvedetails.com/vulnerability-list/vendor_id-7805/Atutor.html
I was thinking about something and an idea popped up in my mind.
Idea:
What if we try finding each and every CVE mentioned in the CVE list about an application on our own? Don't you think it would be a great practice exercise?
1. Install the vulnerable version of the application.
2. Deploy it.
3. Refer to the CVE details and try finding that vulnerability on our own.
Great idea, isn't it?
𝐀𝐓𝐮𝐭𝐨𝐫 𝐋𝐌𝐒 𝐓𝐲𝐩𝐞 𝐉𝐮𝐠𝐠𝐥𝐢𝐧𝐠 𝐕𝐮𝐥𝐧𝐞𝐫𝐚𝐛𝐢𝐥𝐢𝐭𝐲
- 𝑷𝒓𝒆-𝒓𝒆𝒒𝒖𝒊𝒔𝒊𝒕𝒆𝒔:
- PHP Type Juggling
- Magic Hashes
- Python Module:
- Hashlib
- 𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒚:
- https://srcincite.io/advisories/src-2016-0016/
- 𝑹𝒆𝒔𝒐𝒖𝒓𝒄𝒆𝒔:
- 𝑸𝒖𝒊𝒄𝒌 𝑵𝒐𝒕𝒆𝒔:
- Magic Hashes:
Plaintext | MD5 Hash
---|---
240610708 | 0e462097431906509019562988736854
QLTHNDT | 0e405967825401955372549139051580
QNKCDZO | 0e830400451993494058024219903391
PJNPDWY | 0e291529052894702774557631701704
NWWKITQ | 0e763082070976038347657360817689
NOOPCJF | 0e818888003657176127862245791911
MMHUWUV | 0e701732711630150438129209816536
MAUXXQC | 0e478478466848439040434801845361
IHKFRNS | 0e256160682445802696926137988570
GZECLQZ | 0e537612333747236407713628225676
GGHMVOE | 0e362766013028313274586933780773
GEGHBXL | 0e248776895502908863709684713578
EEIZDOI | 0e782601363539291779881938479162
DYAXWCA | 0e424759758842488633464374063001
DQWRASX | 0e742373665639232907775599582643
BRTKUJZ | 00e57640477961333848717747276704
ABJIHVY | 0e755264355178451322893275696586
aaaXXAYW | 0e540853622400160407992788832284
aabg7XSs | 0e087386482136013740957780965295
aabC9RqS | 0e041022518165728065344349536299
0e215962017 | 0e291242476940776845150308577824

Plaintext | SHA1 Hash
---|---
aaroZmOk | 0e66507019969427134894567494305185566735
aaK1STfY | 0e76658526655756207688271159624026011393
aaO8zKZF | 0e89257456677279068558073954252716165668
aa3OFF9m | 0e36977786278517984959260394024281014729

Plaintext | MD4 Hash
---|---
bhhkktQZ | 0e949030067204812898914975918567
0e001233333333333334557778889 | 0e434041524824285414215559233446
0e00000111222333333666788888889 | 0e641853458593358523155449768529
0001235666666688888888888 | 0e832225036643258141969031181899
Reference: https://github.com/JohnHammond/ctf-katana#php
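Why the tables above matter, as an added example (my own code, not from the original notes or from ATutor): every listed digest has the shape `0e` followed only by digits, which PHP's loose `==` reads as the number 0 * 10^N = 0.0, so two such digests compare equal even though their bytes differ. The block uses `hashlib` to regenerate two of the MD5 entries, models PHP's numeric-string comparison in Python, and shows the fix, a byte-wise constant-time comparison (`hash_equals()` in PHP, `hmac.compare_digest` here). The plaintext lists are taken from the tables; the PHP comparison model is an approximation written for this demo.

```python
import hashlib
import hmac
import re

# Sample plaintexts copied from the MD5 and SHA1 magic-hash tables above.
MD5_MAGIC = ["240610708", "QNKCDZO"]
SHA1_MAGIC = ["aaroZmOk", "aaK1STfY"]

# Shape of a PHP "numeric string": optional sign, digits, optional fraction, optional exponent.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def hexdigest(algo: str, plaintext: str) -> str:
    """Hex digest of plaintext with the named hashlib algorithm (md5, sha1, ...)."""
    return hashlib.new(algo, plaintext.encode()).hexdigest()


def is_magic_hash(digest: str) -> bool:
    """True when the digest is zeros, an 'e', then digits only: PHP parses it as 0.0."""
    return re.fullmatch(r"0+e\d+", digest) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's string == string: if both look numeric they compare as numbers,
    otherwise byte by byte. This is the comparison a type-juggling bug relies on."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def safe_hash_compare(stored: str, supplied: str) -> bool:
    """The fix: compare the digests as bytes in constant time (PHP: hash_equals(),
    or at the very least ===), so '0e...' strings are never coerced to numbers."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def find_magic(algo: str, plaintexts: list[str]) -> list[str]:
    """Return the plaintexts whose digest under algo has the magic 0e... shape."""
    return [p for p in plaintexts if is_magic_hash(hexdigest(algo, p))]


if __name__ == "__main__":
    a, b = (hexdigest("md5", p) for p in MD5_MAGIC)
    print(a, b)
    print("PHP loose ==  :", php_loose_equals(a, b))   # True: both coerce to 0.0
    print("hash_equals   :", safe_hash_compare(a, b))  # False: the bytes differ
    print("magic sha1    :", find_magic("sha1", SHA1_MAGIC))
```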
𝐌𝐚𝐧𝐚𝐠𝐞𝐄𝐧𝐠𝐢𝐧𝐞 𝐀𝐩𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧𝐬 𝐌𝐚𝐧𝐚𝐠𝐞𝐫 𝐀𝐌𝐔𝐬𝐞𝐫𝐑𝐞𝐬𝐨𝐮𝐫𝐜𝐞𝐒𝐲𝐧𝐜𝐒𝐞𝐫𝐯𝐥𝐞𝐭 𝐒𝐐𝐋 𝐈𝐧𝐣𝐞𝐜𝐭𝐢𝐨𝐧 𝐑𝐂𝐄
- 𝑷𝒓𝒆-𝒓𝒆𝒒𝒖𝒊𝒔𝒊𝒕𝒆𝒔:
- Servlets (java)
- PostgreSQL
- Reverse Shells
- 𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒊𝒆𝒔:
- https://www.manageengine.com/products/applications_manager/issues.html
- 𝑰𝒏𝒔𝒕𝒂𝒍𝒍𝒂𝒕𝒊𝒐𝒏:
- Download: https://archives.manageengine.com/applications_manager/13720/
- Direct Download: https://archives.manageengine.com/applications_manager/13720/ManageEngine_ApplicationsManager_64bit.exe
- The above version should have worked but ain't working for me on my Windows 10 VM. The latest version ran fine. I don't know why it's not working. I'll try downloading and installing a few other versions and will mention it here later.
- oops! this might be the reason, I should find a workaround:
- Damn! It was more difficult than I thought. It took me 3 days to make it work, finally, sigh!
- For anyone who feels like they'll need my help installing MAM, you can email me or DM me on linkedin. You know where to find me ;) If not, do research ಠ_ಠ.
- 𝑷𝒓𝒂𝒄𝒕𝒊𝒔𝒆:
- https://www.cvedetails.com/vulnerability-list/vendor_id-9841/product_id-41385/Zohocorp-Manageengine-Applications-Manager.html
𝐁𝐚𝐬𝐬𝐦𝐚𝐬𝐭𝐞𝐫 𝐍𝐨𝐝𝐞𝐉𝐒 𝐀𝐫𝐛𝐢𝐭𝐫𝐚𝐫𝐲 𝐉𝐚𝐯𝐚𝐒𝐜𝐫𝐢𝐩𝐭 𝐈𝐧𝐣𝐞𝐜𝐭𝐢𝐨𝐧 𝐕𝐮𝐥𝐧𝐞𝐫𝐚𝐛𝐢𝐥𝐢𝐭𝐲
- 𝑷𝒓𝒆-𝒓𝒆𝒒𝒖𝒊𝒔𝒊𝒕𝒆𝒔:
- NodeJS
- 𝑽𝒖𝒍𝒏𝒆𝒓𝒂𝒃𝒊𝒍𝒊𝒕𝒊𝒆𝒔:
- https://nvd.nist.gov/vuln/detail/CVE-2014-7205
- 𝑰𝒏𝒔𝒕𝒂𝒍𝒍𝒂𝒕𝒊𝒐𝒏:
npm install bassmaster@1.5.1