About this ebook
Introducing Pentesting for Beginners - Short Stories, an engaging collection of short stories that takes you on a journey into the mind of hackers and the unique way they think. Each story is a fast-paced adventure that follows a hacker with a distinct name and personality as they navigate the world of hacking and push the boundaries of conventional thinking. Written in a story format, this book is a fun and informative guide that encourages readers to think outside the box and embrace a hacker's mentality. It's easy to read and understand, but don't be fooled - it's packed with all the information you need to know about hacking. It's been carefully crafted to avoid the typical technical manual territory and wasted space, giving you a comprehensive and enjoyable experience. Perfect for anyone interested in cybersecurity, technology, and creative problem-solving. Get ready to be inspired and entertained as you learn about the art of hacking.
Book preview
Pentesting for Beginners - Short Stories - Robot
Websites you should know
Websites everyone must know about - Go through each one to see what they offer and do. This is not just some list - make sure to understand what each is and does.
https://haveibeenpwned.com/
https://leak-lookup.com/search
https://securitytrails.com/app/account
https://viewdns.info/
https://archive.org/web/
https://webkay.robinlinus.com/
https://gtfobins.github.io/
https://tryhackme.com/p/tryhackmecourse
https://github.com/
https://stackoverflow.com/
https://shop.hak5.org/
https://www.kali.org/
https://semgrep.dev/
https://iknowwhatyoudownload.com/en/peer/
https://www.smartlook.com/
https://wigle.net/
https://www.zimperium.com/zanti-mobile-penetration-testing
https://kon-boot.com/
https://subdomainfinder.c99.nl/
https://wpscan.com/wordpress-security-scanner
https://qifi.org/
https://temp-mail.org/en/
https://www.fakenamegenerator.com/
https://gchq.github.io/CyberChef/
https://covertinstruments.com/
https://dnsdumpster.com/
https://www.revshells.com/
https://crackstation.net/
https://hashes.com/en/decrypt/hash
https://github.com/EdOverflow/can-i-take-over-xyz
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
https://dirtycow.ninja/
https://hackforums.net/
https://book.hacktricks.xyz/welcome/readme
The most important thing to remember in hacking is that it’s all the developers’ fault…
All jokes aside, the main types of exploit you’ll see don’t revolve around getting root on machines all the time. That’s mainly for post-exploitation, although it can be the most fun part.
Jobs and bug bounties will usually stop at the initial foothold stage, and from my experience here is a quick look at the most common things you will come across:
IDOR (Insecure Direct Object Reference):
In short, take a server whose URL looks like https://mywebsite.com/?user=1
This example uses an insecure reference directly to the user page: if we change it to ?user=2, we could see all of the private account details of user=2.
This also commonly happens in cookies.
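The ?user=1 case above is fixed on the server by checking ownership, and by signing the identifier when it travels in a cookie. This is an added example, not code from the book; the account data, the SECRET key and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data; a real application would query its database.
ACCOUNTS = {1: {"email": "alice@example.test"}, 2: {"email": "bob@example.test"}}
SECRET = b"server-side-key-placeholder"  # assumption: known only to the server


def view_account_vulnerable(requested_id):
    """IDOR: trusts the ?user= value and never asks who is logged in."""
    return ACCOUNTS.get(requested_id)


def view_account_checked(session_user_id, requested_id):
    """Return the record only when the logged-in user owns it."""
    if session_user_id != requested_id:
        raise PermissionError("requested account does not belong to this session")
    return ACCOUNTS.get(requested_id)


def make_cookie(user_id):
    """Issue 'id.signature' so a client-side edit of the id is detectable."""
    tag = hmac.new(SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def user_from_cookie(cookie):
    """Return the user id, or None if the cookie was altered."""
    user_id, _, tag = cookie.partition(".")
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the received and recomputed signatures.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return int(user_id)
```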
XSS (Cross-Site Scripting):
XSS is a type of security vulnerability that allows an attacker to inject malicious scripts into a website viewed by other users. This can be achieved by sending specially crafted requests to the website, or by storing malicious scripts in vulnerable fields such as search fields or comment sections. The injected scripts can then be executed by other users who view the affected pages, allowing the attacker to steal sensitive information such as user credentials or manipulate the display of the website.
Knowing the difference between stored and reflected XSS is a big deal. Stored XSS refers to a scenario where the malicious script is permanently stored on the target website, and is executed every time a user visits the affected page. This is typically achieved by storing the malicious payload in a database, such as in a comment section or search field.
Reflected XSS, on the other hand, occurs when the malicious script is injected into a website through a user's request, but is immediately reflected back to the user's browser without being stored. In this case, the malicious script is only executed when the specific user visits the affected page, for example after clicking a link sent directly by the hacker, and is not permanently stored on the target website. Both types of XSS can have serious consequences, so it is important to understand the differences and take steps to prevent them.
XSS is mainly used to steal cookies from logged-in users, which can then be manually put into the hacker's browser to log in as if they were you. A lot of websites will expire cookies when you click the logout button, which will also log out the hacker. Knowing this can be a crucial step if you are unsure whether a hacker has your cookies.
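The defences that match the points above are output encoding for stored text, a session cookie that scripts cannot read, and server-side session deletion at logout. This is an added example, not code from the book; the comment data, session store and function names are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed stored comments: one plain, one carrying markup.
COMMENTS = ["nice post", "<script>alert(1)</script>"]
SESSIONS = {}  # server-side store: session id -> user name


def render_raw(comments):
    """Vulnerable: stored text is placed into the page as markup."""
    return "".join(f"<li>{c}</li>" for c in comments)


def render_escaped(comments):
    """Hardened: HTML-encode stored text so the browser shows it as text."""
    return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)


def session_cookie_header(session_id):
    """Build a session cookie that page scripts cannot read (HttpOnly)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def current_user(session_id):
    """Look the session up on the server; the cookie alone proves nothing."""
    return SESSIONS.get(session_id)


def logout(session_id):
    """Delete the session on the server so a copied cookie stops working."""
    SESSIONS.pop(session_id, None)
```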
SQL Injection:
SQL injection attacks can be used to steal sensitive data, modify or delete existing data, or gain unauthorized access to the underlying system. For example, an attacker may use SQL injection to bypass login authentication by submitting a specially crafted username and password, such as ' OR 1=1-- which would always evaluate to true. An attacker can also use SQL injection to extract sensitive information, such as credit card numbers or personally identifiable information, from a database by crafting SQL statements that dynamically select and display this information. Additionally, an attacker may use SQL injection to execute arbitrary code on the target system or to launch a denial-of-service attack by overloading the database with excessive requests. These examples illustrate the potential consequences of SQL injection and why it is important to take steps to prevent it.
Error-based blind is what I find most frequent. It essentially means the website responds differently depending on whether a character (a-z, for example) exists or doesn’t exist at a certain position in a column: for a value like abc?, we try d in the position where the ? is. We can essentially enumerate the database very slowly by trying every combination possible, one letter at a time.
LFI (Local File Inclusion):
LFI is a type of vulnerability that allows an attacker to include and execute local files on a target system, potentially leading to information disclosure or code execution. It occurs when user-supplied data, such as a URL parameter, is used to specify the location of a file that will be included by the target system, such as ?view.php=image.jpg. An attacker can use LFI to gain unauthorized access to sensitive information stored on the target system, such as configuration files or source code, by including files that contain this information. In some cases, LFI can lead to RCE (Remote Code Execution) or log poisoning. RCE is a technique that calls on programs built into the operating system hosting the website to run commands such as cat, ls and cd, as if you were interacting with it normally.
Log poisoning would use RCE in a similar way. You would put code in your user-agent, cookie or referrer, for example, when accessing a page (a normal page or a page that doesn’t exist) so that access.log or error.log stores a record of you trying to access those pages.
Then, upon using Local File Inclusion to view those log files, you can get your code to execute, as it is stored on the website in the log file.
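Both LFI and the log-poisoning follow-up depend on a user-supplied name reaching a file outside the intended directory. This is an added example, not code from the book, of confining that name to one directory and a fixed set of file types; the images/ directory, the ALLOWED_SUFFIXES set and the sample requests are constructed.

```python
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".jpg", ".png"}  # assumption: this endpoint only serves images


def resolve_include(base_dir, user_value):
    """Map a user-supplied name to a real file under base_dir, or raise ValueError."""
    base = Path(base_dir).resolve()
    # resolve() collapses ../ and follows symlinks, so the check sees the real target.
    candidate = (base / user_value).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"outside {base.name}/: {user_value!r}") from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"file type not served: {user_value!r}")
    if not candidate.is_file():
        raise ValueError(f"no such file: {user_value!r}")
    return candidate


def demo():
    """Run constructed requests against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        images = Path(root, "images")
        images.mkdir()
        (images / "image.jpg").write_bytes(b"\xff\xd8 constructed")
        # The log sits outside images/, so no request value can reach it.
        Path(root, "access.log").write_text("constructed log line\n")
        for value in ["image.jpg", "../access.log", "/etc/passwd"]:
            try:
                results[value] = resolve_include(images, value).name
            except ValueError:
                results[value] = "rejected"
    return results
```

The returned path should be read and sent as bytes, never passed to an include or eval mechanism, so text that ends up in a log file is not executed.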
An example of