The first time you find a page with a Local File Inclusion (LFI) vulnerability, it's like magic.  You feed your string in the browser:

http://192.168.150.150/vulnerable.php?page=../../../../../../../../etc/passwd%00

... it spits back the contents of /etc/passwd, you're excited, and you continue enumerating the system. 

Read more: Python: Automating Local File Inclusion (LFI)

I was setting up fail2ban recently, I noticed that my notes were outdated, and I decided to document the setup for current setups.  Despite what the title states, this can be used for anything as long as you know what logs are receiving entries and what attacks look like.  For example, I haven't played with Drupal in a while but I seem to recall the admin page looking something like:  ?q=user/login

With that information, we search the logs for repeated attempts, create a regex and now this works for Drupal as well.

If you haven't already installed iptables, here are the steps for enabling iptables for ports open on ssh, http, and https.

Read more: Fail2Ban for Content Management Systems

VehicleWorkshop is vulnerable to SQL Injection and you can view the tidbit of information on Exploit-DB.  Essentially, our injection point is "vehicleid=" but this isn't a login prompt, I can't use:  bob' or 1=1;-- and while I don't like tools, this is definitely a job for sqlmap.  

Before we get started, let's get this app setup.  You can download the app from Exploit-DB, extract it to a folder, and setup the permissions with chmod 777.  I wanted command execution which is why I gave the folder wrx.  Without it, you won't be able to perform any of the os-shell commands.  You can get into sql-shell and poke around but it's not nearly as fun.  

Read more: sqlmap -- VehicleWorkshop SQL Injection

Kali Linux comes with a number of web path brute force utilities and when using these tools, you will find that one will work better over another when pointing at Server A versus Server B.  That could be any number of reasons including defense mechanisms which is why I’d suggest changing the user agent -- something I wrote about for Nikto.

These tools are pretty simple as long as you have the correct syntax.  That is -- until they don’t work which happens.  In those moments, you start bouncing around between this tool, that tool, and another tool expecting a better outcome.  In pentesting, there are a lot of tools and techniques to learn and the web brute force utilities are simple enough that we don’t spend time figuring out what they do behind the scenes.  That said, if you take a moment and look at it from the server side, you might see why the scan is failing. 

Read more: Understanding Web Path Scanners

I periodically hit up Vulnhub for some machines to beat on.  Bsides Vancouver:  2018 (Workshop) is the most recent addition, it's description states:  "Boot2root challenges aim to create a safe environment where you can perform real-world penetration testing on an (intentionally) vulnerable target."

It was designed for VirtualBox but this was easily imported into Xenserver.  Once I got it running, I started my enumeration.

Read more: Vulnhub BSides Vancouver: 2018 Walkthrough

Penetration testers come from all walks of life but there are two obvious sources which I see most often -- IT and development.  Each come with advantages but eventually we'll need to fill in the gaps with the knowledge of the other.  My background is in IT and my skills in system and network administration run deep.  I'm filling in the software development gaps though.

If you're starting out in penetration testing and you're like me, first you'll need to learn how to read code and get to a point where you understand what you're reading.  It takes time but eventually, you'll see patterns and you'll recognize functions, variables, and other common syntax.  You might not be able to write code from scratch at this point but you be able to understand what's going on.  Once you get to this level, pick a language and rewrite what you see.

Read more: Rewriting Exploits: Webmin Arbitrary File Disclosure