How I discovered Ippsec and online cybersecurity training platforms
I am blogging about my pentesting voyage because it helps me to learn better. It keeps my information scope in control. When one begins to immerse oneself into a field one tends to jump back and forth into various interesting rabbit holes. And hacking has many of those, all pretty and sweet. At the same time the art of hacking is also being able to see through many many of those holes and find the way in. There are so many details and areas so good repetitive practice and documenting thinking through builds motivation and most important inspiration
Let me introduce my self briefly and the methodology that I will use. I have been tinkering with my linux boxes (Archlinux btw, debians and lately NixOS mostly) for more than a decade. My first linux was Slackware. It seems like ancient history to me honestly. I don’t work in IT, I am a professional classical guitarist and educator, but always, since my youth have I have felt drawn to computers and linux. Lately, I have been learning Haskell and functional programming because it feels mind expanding, but I kinda gave that up being overwhelmed with functors and monads at the same time being a parent and having a regular job in a local music school. Not to say functional programming did not actually help me in so many ways, like when I see some code now the way I think about it has changed, type oriented thinking helps in seeing how things compose together. I say a regular job because I am not too happy with it. Its kind of a straight jacket. This year I have been learning about NixOS declarative linux distribution which is completely configured with nix expressions. There in a single source of truth, the configuration.nix file and you can roll back and forth from generation to generation, basically you can have many versions of the same program on the same system and nothing gets corrupted. I am no programmer and have not written any kind of program except the most basic ones. I often read and copy-paste too much and enjoy exploring various rabbit holes like category theory, taking a bite too big to swallow. I love reading things I don’t know about. I wonder if that is some kind of imposter syndrome reverse shell.
I am familiar with various infosec terminology though, in the sense that I do know what nmap does, what TCP/IP means. I even used to read phrack issues from time to time. I spent much time reading all kinds of posts, deep diving on hackernews and on and so on. After ten years sometimes I feel I don't know much, just a bunch of very wide lateral surface like knowledge. Not much has been put into actual deep practice. Since most of these things I don’t really use or practice variations upon a theme I tend to forget them after a while. I am aware I might sound like a complete mess but I feel I am a hacker at heart. I do care for user experience and imagine a world where interacting with computers is well, more interactive. I used to play armagetronad game very well but after noticing my cortisol levels reaching up and wide I stopped suddenly and never played any games after it. I was good at it. But I thought about a gamified learning experience often and Imagined how the future of work are virtual gamified platforms. This is where Hack the Box blew my mind with it’s gamified hacking platform, a place where one can so to say have the cake and eat it too, where one can learn by doing, where one can play and learn at the same time and be a part a kind and receptive community of hackers.
I recently finished watching the amazing Mr. Robot series on Netflix. Elliot can move through the networks and do all kinds of hacks which inspired me to think more about security and the actions of a user and read bits on security here and there. But there is something else too. A hacker is somehow flexible and creative and has a superior control over his digital senses. He can break in, he can modify all kinds of files, noticing the patterns and knowing how even a tiny change in the code might change the complete state of the system, and all that is visible in the real world too. He can write an exploit, a work of art whose sole purpose is to deliver a payload that will somehow bring the system to its knees. It is sci-fi at its purest.
I discovered HackTheBox platform and Ippsec walkthroughs. Ippsec is the famous HackTheBox player who also made many, almost 250 and counting, video explanations of the boxes he breached. He works now for HTB and continues to work on new boxes and doing all kinds of interesting work. I read about him and how many people even call him a legend. That is inspiring. I was instantly hooked and blown away into million bits as if Rinzler himself threw that disc at me. He seems like a really nice guy and you can sense his love and enthusiasm when he talks. He is humble too which is an amazing quality to experience when listening to an educator. It helps one progress faster and removes many mental afflictions that may appear along the way. Speaking as an educator myself, having someone like that helps immensely since he is not pulling you into his own afflictions but allowing you to grow as an artist, as a person. Actually seeing someone moving like that and talking back and forth about the possible attacks and defenses made all the difference for me too. Somehow the static images of hacking pages turned into a movie, and seeing this movie opened my eyes to the true beauty of hacking.
I actually did buy the famous book Hacking The Art of Exploitation back in 2011 but unfortunately I never read that book, it seemed too hard, too low level for me at that time, which is too bad since it looks like a great book. I needed my Ippsec. But have no regrets! HackTheBox is here to stay and there has never been better time to learn hacking! Isn’t that amazing!? Wait, how amazing is that!?
Seeing Ippsec kindled that flame again and realizing you could hack all kinds of real boxes on a private virtual network with other players seemed so super exciting and again, mind blowing. But it’s not just that. It is amazing to see how someone moves around the network. While before I would read much and like statically configure something on my system, a hacker actually moves around the network and computers like USS Discovery. That is the inspiration I guess I was missing. Yes watching Ippsec is inspiring to say the least. It motivates you to learn about buffer overflows and php filters. You realize the shell commands are like various senses of a user and editing the code files is like search and replace actions, as if teleporting your actions into the distance of the digital grid you automate them, invoke reverse shells that connect to you and oh so many other goodies.
Let's pop the corn!
So first I just watch the Ippsec popcorn video couple times and write a couple of notes here and there, not too many since I first want to listen to the way Ippsec speaks and the flow of it. Stuff like the php script into png file conversion eludes me the first time but by the next time I understand the idea of adding the beginning magic bytes from another legitimate file to the script so that the linux file command recognizes the script as a normal file. Looks hard at first but then it does get much easier.
Now watching it for the third time I am carefully stopping after each phrase and googling everything Ippsec is saying. I do know what is nmap and php and png and what it means to get a reverse shell but of course I have no idea how to do all these things. I am like a hacker impostor, I can follow the conversation but I have no actual idea what is happening. I can only fake it, but that’s a beginning too.
ppsec begins connecting to the virtual network with tmux which is a terminal multiplexer. He fires it up with a command
tmux new -s HTB
Now this is a very nifty program and I am only briefly familiar with it from my xmonad days. In a tmux session you can open multiple terminal windows inside tmux, so in a way it is like a tiling window manager but just for the terminal window. Nice and important feature of tmux is that the session is persistent which means that if you do get disconnected from the server the program on the server will keep running. I still don’t know the full implication on this but let’s go on. There is also a new multiplexer called zellij written in Rust which is a modal multiplexer and visually it also seems really nice to try it out. Zellij shows the commands in the bottom pane which is more user friendly than the tmux way. So I install rustup and then zellij.
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
$ cargo install zellij
Ippsec taks about the importance of being organized:
Very first thing to do is find a way to stay organized. I just created a folder called boxes and labeled the hostname of each box. This one is called popcorn
I have been first using emacs with org mode and then switched to notion.so (I am actually using notion right now to write this) which has a really nice mobile app too but now I am also looking at obsidian too which has this temporal mapping and visual network of things you learn. In any case making good notes is very important. It makes all the difference when one is learning. One is repeating what one learns, formulating it in a variety of ways, thus going deeper into what one learns. It is extremely important. The next thing after taking notes is actually writing write-ups, blogging and streaming about what one learns. This helps in connecting with the community, which then helps in building motivation and persistence. Again, really important to take notes. And the level of expertise is not important, even more so, I wish there are more noobs documenting in detail how they go through these things. There is much to learn from that. Again, user experience and how one learns. It will help more people to learn IT.
Ippsec begins the reconnaissance phase with a nmap scan with options:
-sV for version, -sC to run safe scripts against it, it may be redundant to run both of these but I always do it out of habit. I put -oA formats because I don’t know if? I want to use the grepable format, the regular format or the xml. It might as well give me all.
The first thing he does is he goes to the 10.10.10.6 in the browser and gets the standard Apache server page it works!. I have no idea what nmap can actually do. Ok, so nmap is something called a port scanner. A port scanner is usually used in the initial phase of reconnaissance. It enumerates or tells you information about the system or the networks you’re scanning. nmap is like the eyes through which you can see what is happening around you, what things or systems are doing on the network, what doors or ports are open or closed, how many there are, but also which kind of systems are running behind these doors. It seems it is easy to begin with nmap but there is a lot of depth to it too.
I take the note to myself to do the corresponding courses on nmap on HackTheBox and TryHackMe and skim through the freely available nmap book by its original coder Fyodor. Again, nmap seems like a huge time investment in itself but for now maybe let’s continue and learn just the basics.
So my very first step is I turn on my burp proxy and we are going to refresh this, and I am going to change this host to be the domain name of the server (Host: popcorn.htb) and I do this just because of something called virtual host routing. The server is going to look at this header that I sent and if it’s set up as virtual host routing it will read this and potentially service to a different location... Not the case here.
Ippsec is using the professional burp license and as I learn the community one which is free has some limitations. I am wondering if these limitations will get in the way when attacking a single box on hackthebox or these limitations are appearing when attacking web applications with potentially several domains across the network. What are the limitations when using it for just a single web application on the hackthebox network? And I google alternatives such as open source tool ZAP. ZAP seems like a similar program so I would like to try to learn the basics of ZAP too. Update: I found this really nice and on point video from John Hammond where he explains the basics of burp and setting the DVWA application using a docker container. It is a really nice down to earth video and one of the best. The other source would be hackersploit videos on burp on youtube.
So the next step is, I am going to run dirb against it, you can use wwwfuzz dirbuster, there are a lot of programs you can run. I just run dirb.
dirb http:10.10.10.6 -r -o tmp.dirb
-r is going to make it so it doesn’t go into recursive mode and -o saves it as output.
Now what is actually dirb and what does it do? DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the responses. Now, Ippsec turned off the reverse search this time because it would attack each subfolder of every folder and so on and so on. That's recursion. So it would take much time. Apparently this was not needed in this case but I learned what an recursive attack means. This is something familiar from Haskell. The output of dirb shows different pages on the server.
We have a http://popcorn.htb/cgi-bin/ (CODE:403|SIZE:287) It may be useful, we may wanna dirb this to see if there is any
cgiscripts. We have index,index.html,server-status, test is interesting. Let’s open uptest, and we probably have to turn intercept off, and we get thephpinfo page. This tells us a bunch of information about the server, most importantly it shows us where php scripts are cached so if we have a local file inclusion we may be able to chain some of the knowledge gained from this to give us code execution. So we’ll keep that in our pocket in case it’s useful. We also see a/torrentlink so I click this and see what this is. We do have an application, a torrent-hoster. So my first step is I generally always, and I say generally because I didn’t do it here, but I runsearchsploitagainst the app.searchsploitis going to searchexploitdbbut it’s all local so it goes really fast.And we do see one remote upload exploit
I will have to finish the blogpost here for now and continue next time. I would like to blog more often than waiting for something to be finished. This took me couple of weeks and juggling between family obligations and work and hacking is hard. Next time I am going to continue commenting the popcorn and eventually popping it myself. In the mean time I am studying burp, then setting up my virtual lab with metasploitable2 and learning more about linux text processing tools. Being quick on the command line and learning to filter files taking into account permissions, users, wildcards and regex is something I need to work on. I have watched the next two boxes from Ippsec. One is October and that one seems hard for me to understand since I don’t know anything about buffer overflows. The Arctic seemed easier but it was a windows machine and Ippsec used metasploit. So there is much learning to come! I am happy and super excited about this. Until soon.
Top comments (0)