Skip to content

My OSWE Pre-preperation (i.e. before acutally buying the course) phase plan and notes!

License

Notifications You must be signed in to change notification settings

shreyaschavhan/oswe-awae-pre-preperation-plan-and-notes

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

38 Commits
ย 
ย 
ย 
ย 

Repository files navigation

visitor badge

Notes/Plan for my own personal reference!

๐Ž๐’๐–๐„/๐€๐–๐€๐„ ๐๐ซ๐ž-๐๐ซ๐ž๐ฉ๐ž๐ซ๐š๐ญ๐ข๐จ๐ง ๐๐ฅ๐š๐ง ๐š๐ง๐ ๐๐จ๐ญ๐ž๐ฌ

Started  : 16-09-2022
Expected : ?? Donno ?? [bcz of college Assignments/ Exams/ Projects. College Sucks]
Oct to Dec: Got Distracted with bug-bounties + College Assignments/Exams: 2 months
Re-started: 01-12-2022
Goal :
Make yourself familiar enough with all the concepts required to be able to tackle OSWE Course Material and exam
with ease and clear the examination with one single attempt (even if it's gonna be my first certification in the field of cyber sec)


Image Credits: https://alaa.blog/wp-content/uploads/2020/08/awae.png

Image Credits https://alaa.blog/wp-content/uploads/2020/08/awae.png



๐Œ๐ฒ ๐จ๐ฐ๐ง ๐๐ž๐ญ๐š๐ข๐ฅ๐ž๐ ๐ง๐จ๐ญ๐ž๐ฌ ๐š๐ง๐ ๐ฉ๐ซ๐š๐œ๐ญ๐ข๐œ๐ž ๐ซ๐ž๐ฉ๐จ๐ฌ๐ข๐ญ๐จ๐ซ๐ข๐ž๐ฌ

๐“๐š๐›๐ฅ๐ž ๐จ๐Ÿ ๐‚๐จ๐ง๐ญ๐ž๐ง๐ญ

- Pre-requisites
- Tools and Methodologies
- ATutor Authentication Bypass and RCE
- ATutor LMS Type Juggling Vulnerability
- ManageEngine Applications Manager AMUserResourceSyncServlet SQL Injection RCE
- Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
- DotNetNuke Cookie Deserialization RCE
- ERPNext Authentication Bypass and Server Side Template Injection
- openCRX Authentication Bypass and Remote Code Execution
- openITCOCKPIT XSS and OS Command Injection - Blackbox
- Concord Authentication Bypass to RCE
- Server Side Request Forgery
- Guacamole Lite Prototype Pollution

๐๐ซ๐ž-๐ซ๐ž๐ช๐ฎ๐ข๐ฌ๐ข๐ญ๐ž๐ฌ


  • Things that ain't mentioned in pre-requisites but are actually required
- SQL
- ReGex
- Reverse Shells
- An IDE + Code Editor:
  - Maybe Visual Studio (IDE)
  - Visual Studio Code or ATOM or Sublime Text

Quick Notes:
MetaCharacters (Need to be escaped):
.[{()\^|?*+


For Example:
. - select everything
\. - matches literal dot

- You have to escape \ with \ i.e. \\
Matches characters
.  - Any Character Except New Line
\d - Digit (0-9)
\D - Not a Digit (0-9)
\w - Word Character (a-z, A-Z, 0-9, _)
\W - Not a Word character
\s - Whitespace (space, tab, newline)
\S - Not Whitespace (space, tab, newline)

Anchors - matches visible positions between characters
\b - Word Boundary
\B - Not a Word Boundary
^  - Beginning of a String
$  - End of a String
[]   - Matches Characters in brackets
[^ ] - Matches Characters NOT in bracket
|    - Either Or
( )  - Group
Quantifiers:
*      - 0 or More
+      - 1 or More
?      - 0 or One
{3}    - Exact Number
{3, 4} - Range of Numbers (Minimum, Maximum)

codewars
stratascratch
https://pgexercises.com/questions/basic/
https://app.sixweeksql.com/
https://mystery.knightlab.com/
https://schemaverse.com/
https://mode.com/sql-tutorial/
https://advancedsqlpuzzles.com/
https://www.w3schools.com/sql/exercise.asp
https://bipp.io/sql-tutorial
https://learnsql.com/
https://selectstarsql.com/
http://www.sql-ex.ru/
https://www.sqlservercentral.com/stairways

๐“๐จ๐จ๐ฅ๐ฌ ๐š๐ง๐ ๐Œ๐ž๐ญ๐ก๐จ๐๐จ๐ฅ๐จ๐ ๐ข๐ž๐ฌ

  • Syllabus:
- Web Traffic Inspection
- Interacting with web listeners using python
- Source Code Recovery
==> .NET code
==> Java classes
- Source code analysis methodology
- Debugging

Tools Features
Burp Suite Web Proxy/Listener
dnSpy .NET Code decompilers
dotPeek
ilSpy
JD-GUI Java decompilers

Reference:

Best .NET Deompilers: https://www.reddit.com/r/REGames/comments/t6me91/what_best_c_decompiler_that_gives_you_working/
Best Java Classes Decompilers: https://www.reddit.com/r/java/comments/6gyprq/looking_for_a_java_decompiler/


๐‘ฝ๐’–๐’๐’๐’†๐’“๐’‚๐’ƒ๐’๐’† ๐‘ฝ๐’†๐’“๐’”๐’Š๐’๐’๐’” ๐’๐’‡ ๐‘จ๐’‘๐’‘๐’๐’Š๐’„๐’‚๐’•๐’Š๐’๐’๐’” ๐’…๐’Š๐’”๐’„๐’–๐’”๐’”๐’†๐’… ๐’Š๐’ ๐’•๐’‰๐’† ๐’„๐’๐’–๐’“๐’”๐’†

Syllabus Version
ATutor Authentication Bypass and RCE ATutor v2.2.1
ATutor LMS Type Juggling Vulnerability ATutor v2.2.1
ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE ManageEngine Application Manager before (<) Version 13 (13730 build)
Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability Bassmaster v1.5.1
DotNetNuke Cookie Deserialization RCE DNN v9.1.1
ERPNext Authentication Bypass and Server Side Template Injection Probably ERPNext <= v12
openCRX Authentication Bypass and Remote Code Execution Probably OpenCRX version <= 4.30 and 5.0-20200717
openITCOCKPIT XSS and OS Command Injection Probably openITCOCKPIT < 3.7.3

Reference:

ATutor to DotNetNuke: https://github.com/timip/OSWE

ManageEngine Application Manager SQLi & RCE: https://www.manageengine.com/products/applications_manager/issues.html

ERPNext Authentication Bypass and Server Side Template Injection:

A lot of Google Search based on syllabus pdf +
https://erpnext.com/security/references
https://github.com/frappe/frappe/pull/8044
https://www.cvedetails.com/cve/CVE-2019-14965/
https://infosecwriteups.com/frapp%C3%A9-technologies-erpnext-server-side-template-injection-74e1c95ec872

OpenCRX Authentication Bypass and Remote Code Execution:
https://nvd.nist.gov/vuln/detail/CVE-2020-7378
https://www.rapid7.com/blog/post/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/

openITCOCKPIT XSS and OS Command Injection:
https://openitcockpit.io/security/
https://openitcockpit.io/2020/2020/03/23/openitcockpit-3-7-3-released/

๐€๐“๐ฎ๐ญ๐จ๐ซ ๐€๐ฎ๐ญ๐ก๐ž๐ง๐ญ๐ข๐œ๐š๐ญ๐ข๐จ๐ง ๐๐ฒ๐ฉ๐š๐ฌ๐ฌ ๐š๐ง๐ ๐‘๐‚๐„

  • ๐‘ท๐’“๐’†-๐’“๐’†๐’’๐’–๐’Š๐’”๐’Š๐’•๐’†๐’”:
  • SQL Injection - Specifically Blind Boolean Based
  • File Upload Vulnerabilities
  • ๐‘ฐ๐’๐’”๐’•๐’‚๐’๐’๐’‚๐’•๐’Š๐’๐’:

image

  • It's one of these versions:

image

  • I don't exactly remember which one I installed even if I could see the date modified and compiled date.
  • Even installing this on my local machine was a great exercise for me personally.
  • ๐‘ฝ๐’–๐’๐’๐’†๐’“๐’‚๐’ƒ๐’Š๐’๐’Š๐’•๐’Š๐’†๐’”:
  • ๐‘ท๐’“๐’‚๐’„๐’•๐’Š๐’”๐’†:
I was thinking about something and an Idea popped up in my mind.
Idea:
What if we try finding each and every CVE mentioned in the CVE list about an application on our own? Don't you think it would be a great practice exercise?
1. Install the vulnerable version of the application.
2. Deploy it
3. Refer the CVE details and try finding that vulnerability on our own.
Great idea isn't it?

๐€๐“๐ฎ๐ญ๐จ๐ซ ๐‹๐Œ๐’ ๐“๐ฒ๐ฉ๐ž ๐‰๐ฎ๐ ๐ ๐ฅ๐ข๐ง๐  ๐•๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ฒ

  • ๐‘ท๐’“๐’†-๐’“๐’†๐’’๐’–๐’Š๐’”๐’Š๐’•๐’†๐’”:
  • PHP Type Juggling
  • Magic Hashes
  • Python Module:
    • Hashlib
  • ๐‘ฝ๐’–๐’๐’๐’†๐’“๐’‚๐’ƒ๐’Š๐’๐’Š๐’•๐’š:
  • ๐‘น๐’†๐’”๐’๐’–๐’“๐’„๐’†๐’”:
  • ๐‘ธ๐’–๐’Š๐’„๐’Œ ๐‘ต๐’๐’•๐’†๐’”:
  • Magic Hashes:
Plaintext MD5 Hash
240610708 0e462097431906509019562988736854
QLTHNDT 0e405967825401955372549139051580
QNKCDZO 0e830400451993494058024219903391
PJNPDWY 0e291529052894702774557631701704
NWWKITQ 0e763082070976038347657360817689
NOOPCJF 0e818888003657176127862245791911
MMHUWUV 0e701732711630150438129209816536
MAUXXQC 0e478478466848439040434801845361
IHKFRNS 0e256160682445802696926137988570
GZECLQZ 0e537612333747236407713628225676
GGHMVOE 0e362766013028313274586933780773
GEGHBXL 0e248776895502908863709684713578
EEIZDOI 0e782601363539291779881938479162
DYAXWCA 0e424759758842488633464374063001
DQWRASX 0e742373665639232907775599582643
BRTKUJZ 00e57640477961333848717747276704
ABJIHVY 0e755264355178451322893275696586
aaaXXAYW 0e540853622400160407992788832284
aabg7XSs 0e087386482136013740957780965295
aabC9RqS 0e041022518165728065344349536299
0e215962017 0e291242476940776845150308577824

Plaintext SHA1 Hash
aaroZmOk 0e66507019969427134894567494305185566735
aaK1STfY 0e76658526655756207688271159624026011393
aaO8zKZF 0e89257456677279068558073954252716165668
aa3OFF9m 0e36977786278517984959260394024281014729

Plaintext MD4 Hash
bhhkktQZ 0e949030067204812898914975918567
0e001233333333333334557778889 0e434041524824285414215559233446
0e00000111222333333666788888889 0e641853458593358523155449768529
0001235666666688888888888 0e832225036643258141969031181899

Reference: https://github.com/JohnHammond/ctf-katana#php

๐Œ๐š๐ง๐š๐ ๐ž๐„๐ง๐ ๐ข๐ง๐ž ๐€๐ฉ๐ฉ๐ฅ๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐Œ๐š๐ง๐š๐ ๐ž๐ซ ๐€๐Œ๐”๐ฌ๐ž๐ซ๐‘๐ž๐ฌ๐จ๐ฎ๐ซ๐œ๐ž๐’๐ฒ๐ง๐œ๐’๐ž๐ซ๐ฏ๐ฅ๐ž๐ญ ๐’๐๐‹ ๐ˆ๐ง๐ฃ๐ž๐œ๐ญ๐ข๐จ๐ง ๐‘๐‚๐„

  • ๐‘ท๐’“๐’†-๐’“๐’†๐’’๐’–๐’Š๐’”๐’Š๐’•๐’†๐’”:
  • Servlets (java)
  • PostgreSQL
  • Reverse Shells
  • ๐‘ฝ๐’–๐’๐’๐’†๐’“๐’‚๐’ƒ๐’Š๐’๐’Š๐’•๐’Š๐’†๐’”:

image

  • ๐‘ฐ๐’๐’”๐’•๐’‚๐’๐’๐’‚๐’•๐’Š๐’๐’:

image

  • The above version should have worked but ain't working for me on my windows 10 vm. The latest version ran fine. I don't know why it's not working. I'll try downloading and installing few other versions and will mention it here later.
  • oops! this might be the reason, I should find a workaround:

image

  • Damn! It was more difficult than I thought. It took me 3 days to make it work, finally, sigh!

  • For anyone who feels like they'll need my help installing MAM, you can email me or DM me on linkedin. You know where to find me ;) If not, do research เฒ _เฒ .
  • ๐‘ท๐’“๐’‚๐’„๐’•๐’Š๐’”๐’†:

๐๐š๐ฌ๐ฌ๐ฆ๐š๐ฌ๐ญ๐ž๐ซ ๐๐จ๐๐ž๐‰๐’ ๐€๐ซ๐›๐ข๐ญ๐ซ๐š๐ซ๐ฒ ๐‰๐š๐ฏ๐š๐’๐œ๐ซ๐ข๐ฉ๐ญ ๐ˆ๐ง๐ฃ๐ž๐œ๐ญ๐ข๐จ๐ง ๐•๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ฒ

  • ๐‘ท๐’“๐’†-๐’“๐’†๐’’๐’–๐’Š๐’”๐’Š๐’•๐’†๐’”:
  • NodeJS
  • ๐‘ฝ๐’–๐’๐’๐’†๐’“๐’‚๐’ƒ๐’Š๐’๐’Š๐’•๐’Š๐’†๐’”:

image

  • ๐‘ฐ๐’๐’”๐’•๐’‚๐’๐’๐’‚๐’•๐’Š๐’๐’:
npm install [email protected]

About

My OSWE Pre-preperation (i.e. before acutally buying the course) phase plan and notes!

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published