This week the following subjects caught my attention:
1. CRTO
This month I worked through the Domain Reconnaissance, Lateral Movement, Credentials & User Impersonation, Password Cracking, Session Passing, and Pivoting sections of the Certified Red Team Operator course. I’ve found that this course is a good blend of the familiar and new: conceptually, much of the content being covered is familiar (or at least, touches on content that I covered in other rigorous training such as the OSCP). There are certainly some aspects that are new to me (for example, there is a fair amount of consideration given to dodging blue teaming efforts and remaining stealthy), but most of the content is related to the use of the attack framework Cobalt Strike. Therefore, I’ve found myself really spending a significant amount of time getting used to using Cobalt Strike’s beacons.
In parallel, I’ve found that I still lack some underlying fundamentals as they relate to Active Directory. So to help supplement some of the work, I stepped through Microsoft’s course on AD. I found that the text-heavy approach to learning AD hasn’t quite filled in all the gaps I was looking for, so I’m still shopping around for something that will provide me a better education.
2. Pwn.college
I found this resource while browsing Reddit and it’s incredible. It is not only incredibly comprehensive but also provisions hundreds of labs to get hands-on experience. The material appears to be hosted by staff from Arizona State University (who also happen to be members of the Order of the Overflow - the organization responsible for hosting the annual DefCon CTF).
I’ve been stepping through some of the lecture content and - admittedly - some of it is above my head. However, I recognize that the material is quality stuff. I’m looking forward to stepping through the site and learning more.
3. Portswigger
I’ve been wanting to get more proficient at finding bugs à la bug bounty programs - not just for the financial incentive, but for demonstrating professional competencies. Many folks have recommended that I examine the training available through Portswigger, and after trying it out I have to heartily agree. The free lab environments cover an array of web-based vulnerabilities.
At the moment, I’ve stepped through the SQL Injection and some of the Authentication modules. I particularly enjoyed the multi-factor authentication workarounds, because I hadn’t considered the methods that were taught:
- If not properly configured, you could simply copy/paste the cookie of a different user.
- If not properly configured, the site may grant you the cookie of an authenticated user after entering a correct username/password (but before the user has provided the MFA check).
- If not properly configured, it may be possible to brute force the MFA check.
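To make the second and third of those failure modes concrete from the defender's side, here is a small session model I added for illustration (it is not code from the post or from Portswigger's labs, and every user, password, and MFA code in it is constructed). A password login only produces a "pending MFA" session; a protected endpoint that checks just for session existence (`my_account_weak`, the misconfiguration) lets that session through, while the hardened check (`my_account`) refuses it until the MFA step has passed. Wrong MFA codes are counted against the same session and the session is invalidated after a fixed number of attempts, which is what closes off the brute-force case.

```python
"""Added example: server-side session state for a two-step login.
Assumptions (all constructed): a single static user, a static MFA code
instead of a TOTP secret, and an in-memory session table."""
import hmac
import secrets

MAX_MFA_ATTEMPTS = 5

# Constructed user store: username -> (password, current MFA code).
# A real service stores a password hash and derives codes from a TOTP secret.
USERS = {"carlos": ("montoya", "1234")}

# Session id -> {"user", "mfa_passed", "mfa_attempts"}
SESSIONS = {}


def login(username, password):
    """Password step. Returns a session id that is NOT yet fully authenticated,
    or None if the credentials are wrong."""
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0], password):
        return None
    # Unpredictable id from the OS CSPRNG: it cannot be guessed, only stolen.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "mfa_passed": False, "mfa_attempts": 0}
    return sid


def verify_mfa(sid, code):
    """Second factor, bound to the session created by login().
    Returns 'ok', 'wrong_code', 'locked' or 'no_session'."""
    session = SESSIONS.get(sid)
    if session is None:
        return "no_session"
    if session["mfa_passed"]:
        return "ok"
    session["mfa_attempts"] += 1
    expected_code = USERS[session["user"]][1]
    if hmac.compare_digest(expected_code, code):
        session["mfa_passed"] = True
        return "ok"
    if session["mfa_attempts"] >= MAX_MFA_ATTEMPTS:
        # Too many wrong codes: throw the half-authenticated session away
        # so the attempt counter cannot be outlived by continuing to guess.
        del SESSIONS[sid]
        return "locked"
    return "wrong_code"


def my_account_weak(sid):
    """The misconfiguration: any session that exists is treated as logged in,
    so a cookie issued after the password step alone is enough."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, None
    return 200, session["user"]


def my_account(sid):
    """Hardened check: the session must have completed the MFA step."""
    session = SESSIONS.get(sid)
    if session is None or not session["mfa_passed"]:
        return 401, None
    return 200, session["user"]


if __name__ == "__main__":
    sid = login("carlos", "montoya")
    print("weak endpoint before MFA:", my_account_weak(sid))   # (200, 'carlos')
    print("hardened endpoint before MFA:", my_account(sid))   # (401, None)
    print("verify:", verify_mfa(sid, "1234"))                  # ok
    print("hardened endpoint after MFA:", my_account(sid))    # (200, 'carlos')
```

The point of keeping `mfa_passed` on the server rather than in the cookie is that the client can never upgrade its own session; the only state the browser holds is an opaque, unguessable id.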
These modules encourage a variety of methodologies, but the solutions they supply are largely geared towards Burp Suite Pro (which makes sense, as that is Portswigger’s flagship product). After some hemming and hawing, I’ve gone ahead and picked up a year’s subscription to the tool. I figured that if I want to get serious with these efforts, I need to be working with the actual tool(s) I’ll be using.
4. Site Migration
Recent updates to my current content management service provider have made certain aspects of managing my site difficult. If you’re a reader, this largely means nothing! However in the (hopefully) not-too-distant future, I’m looking to accomplish the following:
- Acquire a proper domain (aka “mysite.com” vs the current ahessmat.netlify.app).
- Streamline blog management.
- Fix the search bar.
- Modernize the site’s look and feel.