After ‘graduation’ with the OSCP certification, it’s time to find a new challenge to accomplish.
It seems that the [PentesterLab] Bootcamp will be the perfect fit!
It consists of 15 challenges in total, and some of them seem quite difficult to me. Maybe I’ll feel otherwise once I get started on them hands-on.
Time to learn some new stuff! Will update this page again once I’ve completed some of them as I go along. Heh.
[9th July, 2016]
[Complete Challenge 1-4]
– Linux and Scripting –
- Install Linux: Retrieve a virtualization system (VirtualBox, VM player) and install Linux. Use a traditional distribution like Ubuntu not a security related one.
- Learn the basics of a scripting language: Pick between Ruby (Try Ruby), Python (Online) or Perl and learn its syntax and data types. You will need it to keep going.
I’ve chosen Ubuntu 14.04 LTS for the virtualization system.
I’ve chosen Python, for the choice of a scripting language.
End of 
– HTTP –
- Install Apache inside your vm, change the home page of the hosted site using vim. Access this page in your browser (on the host).
- Change your hosts file to access the Linux system under the following name: vulnerable
- Write an HTTP client to retrieve the home page of your site using an http library (for example net/http in ruby).
- Write an HTTP client to retrieve the home page of your site using a socket.
- Download Burp Suite (free version), visit a website and see what requests are sent and what responses are received.
So not used to running “sudo” beforehand, hah.
Verifying it’s running.
Accessing it via localhost.
Edited some part of the index.html using vim.
Edited the /etc/hosts file.
Able to directly access the Web Server via “vulnerable”.
Source-code of my Python HTTP client, using a http library.
Source-code of my Python HTTP Client, using socket.
Downloaded Burp Suite Free edition.
Downloading the required OpenJDK.
Burp Suite working.
Configuring FireFox proxy to allow Burp Suite interception.
Interception success. Able to examine http requests/responses.
End of 
– PHP and DNS –
- PHP basics:
- Install PHP in your virtual machine (using your previous Apache installation), write a script that echoes back a parameter in the URL. For example, accessing http://vulnerable/hello.php?name=Louis will return “Hello Louis”.
- Install MySQL and create a script that retrieves information from it, e.g. article.php?id=1 returns a book and article.php?id=2 returns a computer.
- Create a page that sends data to itself using a POST request.
- DNS and whois:
- Install the command line tool dig in your vm.
- Find what name servers are used by PentesterLab, find what mail servers are used by PentesterLab and find the IP address of http://www.pentesterlab.com.
- Obtain information about pentesterlab.com using the whois tool.
This was quite challenging for me, spent a few hours.
Google-Fu a lot.
Source-code of my hello.php
Setting up the database for this challenge.
Filling up the bootcamp database. (Ignore the image. Initially I wanted to beautify it.)
Source-code of article.php
I forgot to install php5-mysql and was stuck for quite a while.
Without php5-mysql, PHP is not able to communicate with MySQL.
Working article.php code.
Source-code of post.php
Working post.php code.
The “POST” method does not show the variables and their values in the URL.
Dig was already installed on my version of Ubuntu.
“Digging” Pentesterlab.com Mail Servers. (Highlighted in white)
“Digging” Pentesterlab.com Name Servers. (Highlighted in white)
“Digging” Pentesterlab.com IP Address. (Highlighted in white)
The whois tool can be easily installed on Ubuntu.
It was also possible to use the web-based whois tool.
End of 
– SSL/TLS –
- Setup SSL:
- enable HTTPS on your web server
- make sure you have disabled all the weak ciphers.
- Play with SSL:
- write a SSL client using an HTTP library
- write a SSL client using a socket
- access your SSL server with your previous HTTP script and socat to do the connection socket<->ssl-socket
Generating apache.key and apache.crt (RSA:2048)
Edited the default-ssl.conf file.
(Change the variables which are not commented out accordingly)
Verifying our traffic is encrypted.
(The error is expected, since I am using a self-signed cert)
Source-code of my Python HTTPS client script using a http library.
Source-code of my Python HTTPS client script using socket.
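Both the HTTP item “write an HTTP client using a socket” and the SSL item “write a SSL client using a socket” ask for the same thing with TLS added, so here is one Python client that covers both. It is an added example, not one of the scripts in the screenshots above; the function names `build_request`, `parse_response` and `fetch` are mine, while the host name `vulnerable` and the self-signed `apache.crt` come from the post.

```python
import socket
import ssl


def build_request(host, path="/"):
    """Minimal HTTP/1.1 GET: Host is mandatory in 1.1, and Connection: close
    lets the client simply read until the server closes the socket."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: bootcamp-client/0.1\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw):
    """Split a raw response into (status_code, headers, body); header names are
    lowercased because HTTP header names are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. "HTTP/1.1 400 Bad Request"
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def fetch(host, port=80, path="/", use_tls=False, verify=True, cafile=None):
    """Open a plain TCP socket, optionally wrap it in TLS, send the request and
    return the parsed response. verify=False reproduces the self-signed
    certificate case from the post; pass cafile=apache.crt to verify instead."""
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:
        ctx = ssl.create_default_context(cafile=cafile)
        if not verify:                      # matches the self-signed lab setup
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return parse_response(b"".join(chunks))
```

`fetch("vulnerable")` retrieves the plain page, and `fetch("vulnerable", 443, use_tls=True, cafile="apache.crt")` does the TLS version directly, which is the job socat was doing in front of the plain-text script below.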
As shown below, my Python script requests plain “http”, which should not work when forwarded to an SSL server (error code 400 Bad Request).
I successfully “proxied” the HTTP request to my SSL server on port 443 using socat.
End of