Summary
A few months ago registration for BlackHat USA19 kicked off, and for the third year in a row I just missed getting into Offensive Security’s Advanced Web Attacks and Exploitation (AWAE) training. This was frustrating as hell because I only know of it being offered once a year in North America. The story doesn’t end there though. A couple weeks after the disappointment I received an email from OffSec offering early access to OffSec Alumni to the online version of the AWAE training before it is publicly available! Normally I would be shit outta luck because I don’t really have extra cash laying around for stuff like this but I do work for a kick ass employer who took care of the bill! So it was game on.
March 9th I received my training material and lab access. I was not initially impressed as my last OffSec experience was the PWB training in 2013 and the AWAE lab was much smaller. Don’t judge a book by it’s cover I guess cause the handful of machines in the lab gave me one hell of a good time.
Layout is similar to the PWK (formally PWB) training. You get a PDF textbook, a collection of videos, and access to the lab. In the lab there is a control panel where you can revert your machines, you will need it cause ya pooch em hard sometimes. The main difference with the AWAE was the inclusion of a WiKi in the lab and access to the applications, machines, and source code. I was taken back a bit as I was expecting a blackbox approach to the training but it is completely the opposite. This training is completely based around the idea of whitebox testing.
Content
Introduction
Completely necessary but dry. Just like all housekeeping it has to be done and if ignored the student will not get the full experience from the course. Just read it, pay attention, and take a couple notes of where things are.
Tools & Methodologies
After reading this I thought that the AWAE was going to be a waste of money. Isn’t this supposed to be an advanced class? Ugh, either way they go through BURP Suite, some basic Python with sockets, .NET decompilation, and Java decompilation. Aside from the .NET stuff none of this was new to me but you go through it, and you may or may not learn something new.
Atmail Mail Server Appliance: from XSS to RCE
Finally you get to some fun stuff here. They ease you into the training starting with a basic XSS vulnerability. Then you start to see what will be the trend in the rest of the material. Just because you have a vulnerability that you can exploit, don’t stop until you can get RCE. From the XSS vulnerability multiple examples were given on how to leverage this to further progress deeper into the system. The best part here was creating a PoC that would chain multiple actions together to make a single XSS turn into RCE.
ATutor Authentication Bypass and RCE
You can’t have a web attack class without SQLi … this was the first instance, at least it was blind. The material goes on to touch on input sanitation bypass, data exfiltration, authentication bypass, file upload vulnerabilities, path traversal, and of course getting RCE. The best part of this module was following the source and seeing why the application worked the way it did. Oh and hand crafting the zip payload was just plain old fashioned fun!
ATutor LMS Type Juggling Vulnerability
This is where it got a bit tough for me. Type juggling was something that I have never done and after this training it has opened up a whole new realm of tests that I will be running. Not only was the concept of type juggling introduced to me here but also the concept of magic hashes. Very cool material in this module.
ManageEngine Applications Manager SQLi to RCE
I was not looking forward to having to work with Java applications, just because its unfamiliar to me, but here it was. The content was exceptional though to help with understanding Java web applications. From source recovery, tracking down how to call which servlets, great coverage of postgresql including user defined functions and large objects, input sanitation bypass, multiple ways to exploit the same vulnerability, and one hell of a challenging “Extra Mile”.
Bassmaster NodeJS Arbitrary JavaScript Injection
NodeJS … really? I wanted to punch my LCD. More Java and a bastardized version (according to a Java dev I know) at that. Just more unfamiliar territory for me, but that is what learning is about. This module went by pretty quick though as I am pretty familiar with RegEx and python. Then at the end of the material there is a great “Extra Mile” that took me a very long time to finally crack through. More on the extra mile things below.
DotNetNuke Cookie Deserialization RCE
Just as soon as I get through all the Java stuff I was uneasy with they through .NET at you. This took me a few read through’s as I was not familiar with deserialization vulnerabilities, other than hearing about them. Not to mention I don’t know as much as I should on how a .NET web application works. This is where the value of the course really started coming out for me. You spend a good portion of your time in Visual Studio with C# and understanding serialization, thank gawd as I really needed it. Once you get a handle on serialization the concept of changing the type is introduced with vulnerable code. Then in true OffSec style you build the payload by hand with really detailed explanations. Then the extra mile …
The Extra Mile
Every concept introduced in the training is followed up with exercises that you complete. Not much different than any other training. They aren’t hard, the answers are pretty much given to you, and are there to re-enforce the concepts presented. Then there are what are called “Extra Mile” challenges. These varied from very “Mickey Mouse” to taking over a week to accomplish. I will highlight the few that stick out in my mind.
Type juggling
This is the first instance in the training where the student is asked to find a vulnerability. Simple hints of where to look are given but that is it. As type juggling was new to me this challenge was interesting but far from a hard challenge. What it did do for me was really drive home the concept of type juggling and improved my ability to follow through code looking for potential vulnerabilities.
ManageEngine JSP
This challenge was definitely just that for me, a huge challenge. I followed many red herrings trying to exploit the system using a JSP payload but time after time it just wouldn’t work. I ended up finding some other students chatting about this and getting a hint from the conversation. It then took me a couple days to finally pull the exploit together. This was a great challenge making the student think of alternative ways of doing things and chaining multiple “steps” together to obtain full RCE.
NodeJS Jailbreak
How could I forget this one. It took me over a week to finally crack this bad boy. Why, most people will ask. Well let’s just say that even if you have a working exploit and it is coded perfectly the delivery of the payload makes all the difference. I’m still kicking myself in the ass for this one. Either way in the end it was really great and I came away with a pretty good understanding of “Context” in NodeJS and how to reach up through the process stack to get what you want. I am sure that doesn’t make sense to anyone who hasn’t done this challenge.
.NET Deserialization
I was running out of lab time. I asked my family to give me the weekend to work on this challenge and the final remaining one. I was able to get through it in just over 10 hours of straight pounding away. Basically OffSec “introduced” a secondary .NET deserialization vulnerability into DNN. Yeah that’s basically what you were told, go find it, and exploit it. Hands down the hardest part for me was finding the vulnerability but detail-oriented people will find the same “clues” that were there to help you. I’ll tell ya I was jumping around when I finally popped this shell. What a great challenge!
Java Deserialization
I have this one in here as it was the final challenge in the training and it had an interesting twist. Although deserialization vulnerabilities were covered it was all done in .NET. This challenge has you go back to ManageEngine and find the Java Deserialization vulnerability and exploit it. This was crazy fun and now that the pressure was off of me to complete the training in time I spent hours making a fully automated PoC in python that was multithreaded and handled everything for the attacker. This was just plain fun and a great way to end the training.
Where Offensive Security got it Right
- The material is very in-depth, and I love how it walks you through the code step by step so you understand why web applications work the way they do.
- Even though it made me uneasy the training wouldn’t have been the same without touching every different backend technology from PHP, JAVA, NodeJS, .NET, and various different database technologies.
- The “Extra Mile” challenges make this true OffSec training and they make you “Try Harder”. Once a student accomplishes these challenges they have a feeling of accomplishment and have went out and studied the technology/vulnerability on their own.
Where Offensive Security got it Wrong
- I was in the Beta version of this training, so I am sure that the grammar in some of the extra mile challenges will be corrected. There was confusion on what exactly some of the challenges were asking of the student.
- At certain points of the training the student is forced to work on a windows machine in the lab through RDP. These were slow most times I was on them and I can’t count the number of times I ran out of memory while debugging DNN.
Final Verdict
Offensive Security training has always been hands down HARD the absolute best security training I have ever received. You don’t just read and do exercises. You are forced to understand the concepts to complete the extra mile. If any student says that the AWAE training is not worth while they are either 1. Way smarter than I am (it doesn’t take much) or 2. They did not attempt the extra mile.