OSEP Review 2021 - Offensive Security Experienced Pentester

What’s up, security folks! Today I’ll be putting pen to paper and going over my thoughts on the Evasion Techniques and Breaching Defenses course from Offensive Security, colloquially known as the OSEP. I passed my exam at the end of November, so consider this a review of the updated exam (post-leak)! I’ll go over the contents of the course, how I prepared for the exam and any useful tidbits that helped me along the way. ...

December 2, 2021 · 15 min · Toby Jackson

Insecure Deserialization - Overview, Exploitation and Remediation

Insecure Deserialization is a concept that is often conveyed as one of the harder vulnerabilities to exploit, and I for one struggled to get my head around it initially. This has led to the creation of this post, where I’ll be attempting to break down the concepts behind it and how it can be exploited, whilst also offering some advice for ensuring your code is secure as a developer. I’ll be demonstrating some lab exercises from Burpsuite’s Web Academy whilst trying to break down some of the jargon and provide some metaphors to illustrate the concepts. ...

June 30, 2021 · 11 min · Toby Jackson

Creating a Home Active Directory Lab

Good afternoon folks! I’ve recently been studying for my CRTP, but my lab access expired. Now, I could pay for more time in the labs, but the elegant misconfigurations demonstrated by Nikhil Mittal in the CRTP really fascinated me. How easy was it to end up with one of these settings that I’ve been working on breaking? Was it really that common and easy to end up with? So, I decided to create my own labs. This is just a starting point, and from here, you can add additional services, users and workstations. Active Directory is used by over 95% of businesses, so understanding how to build it, how the parts fit together and also how to attack it should be a tool within every pentester’s repertoire. ...

June 23, 2021 · 15 min · Toby Jackson

Discovering Stored XSS in WordPress Plugin YOP Polls v6.2.7 - CVE-2021-24454

Good afternoon security fanatics. Back again today with a brief walk-through of a stored XSS (Cross-Site Scripting) that I recently discovered in another WordPress poll plugin. YOP Polls, active on over 20,000 sites, allows users to create interactive and aesthetic polls that are fully customizable and perfect for data collection. I started to play about, testing for different injection types and XSS payloads. To my surprise, the results page reflected the answer back to me as a heading when I stuck it in <h1>tags</h1>. I then opened a new browser without a session and voted to view the results page again. The heading was still there! Therefore, I concluded that I’d discovered some form of stored XSS. I checked if I could use <script> tags too, and sure enough, it worked. ...

June 17, 2021 · 2 min · Toby Jackson

WpDevArt WordPress Polls Plugin < 1.5.2 - Blind SQL Injection

What’s up everyone! Today I’ll be quickly discussing my first CVE entry - CVE-2021-24442 - and my thought process when I decided to start looking for it. It’s been my goal for a while, not only for a little confidence boost among the consistent industry imposter syndrome, but primarily to ensure that I helped sites become more secure.

Selecting Software

When considering where I’d look for my first CVE, I had lots of things on my mind. It needed to be easy to spin up locally, have accessible source code for reviewing and have multiple features and parameters that could be tested. I decided to install a WordPress instance locally, just using the official Ubuntu setup guide [https://ubuntu.com/tutorials/install-and-configure-wordpress]. It only took about 5 minutes. ...

June 10, 2021 · 6 min · Toby Jackson