Stories from Cybersecurity: Andrey and the Practical Approach
When it comes to learning, there’s theory and then there’s doing by actual examples, or what is called, the practical approach. Sure, anyone can say ‘swing or pound the hammer into a nail’, but actually doing it is a different matter. Instructions often don’t say that you might pound one of your fingers by mistake or that the nail might bend in an ugly fashion.
This is our follow-up feature on Andrey, an ethical hacker from Serbia, which tells us the merits of real-world practice when it comes to cybersecurity. How getting down and dirty in the field is a good learning experience as well as meeting and learning from other people.
What can you tell us about the things you’ve learned in the field?
When it comes to the things I've learned since, it's hard to really tell.
Anyone could agree with me that in this field the reflection of learning is really big, the knowledge grows more and more every day, and keeping a track of progress is hard, you just get better with time.
So, while learning, you’ve been keeping track of stuff that’s been happening. Have you been learning from that as well?
I can say that I have moved my focus around new things, especially the ones I didn't get to play around while practicing on platform's like HTB. So, this time, my focus resolved around the real world rather than practice environment's, not because they are bad or anything, it’s just because eventually everyone needs to try to implement the learned skills outside of something that is intentionally vulnerable.
That is absolutely true! Tell us some of the field work you’re involved in.
As I was trying to get involved in the real-world vulnerability research, a friend reached out to me offering me to do some penetration appointments via UpWork platform with him. That was a perfect opportunity for me to do something I hoped to do one day, so of course, I accepted.
After doing a few appointments I started getting a hold of most of the web application vulnerabilities, earning a few bucks, and before all gaining a lot of experience and confidence boost from it. From the general experience, I would like to say the last appointment was the most interesting.
I had multiple stored XSS's and could steal user/administrator cookies, but since I was allowed to do a full internal test, I wanted to do more than that. I took a look at the administrator endpoint and saw that Laravel Debug mode was enabled, so I went full in and tried to get an RCE (remote code execution) with CVE-2021-3129.
At first i noticed i could get a partial LFI (local file inclusion), but after taking a look at https://blog.csdn.net/csdn_Pade/article/details/112974809. I noticed I could escalate it to RCE with phar deserialization. Taking a look at multiple blogs was essential since you get to determine which one included more helpful info!
So, after having a shell, I looked into the sudoers entries and noticed how they are only blocking a user account to run command `sudo /bin/su` as root (with sudo) which would "block" getting a shell as root. It was a funny way to protect yourself, and I easily got a root shell by doing `sudo bash -i`.
I took a similar approach for their AWS server instances (because i found leaked AWS keys), which led to a root shell on both of their internal system's and AWS server's.
You’re good. The things you described seems difficult for someone still learning.
It wasn't hard at all, but still made me confident enough to get myself to look into bug bounty programs. I mainly started working on automating everything and doing it the best way possible, so i can get prepared for people that are doing the same (probably better but it's always worth trying).
After quite some time building automation tools (with another friend of mine who joined me), I decided to give them a test run. I picked Redbull's program and a few VDP's on hackerone (vulnerability disclosure program) and gave it a test run.
Thankfully, it resulted into a few XSS's and accessing internal admin pipelines (Redbull) which of course, did require a bit of a manual hand to play around it. Redbull decided to award me 7 Redbull trays (168 cans) which is a fun thing to get (but not to drink too much haha).
Meanwhile, I've met and joined some friends on some source code auditing, which is a really fun thing to do! I would love to share all of their names, but they usually prefer to not go out publicly too much.
Congratulations. We hear that you have another interesting story; your first 0-day I believe?
We audited eCommerce products and 2 of them currently being in the process of being assigned a CVE. One of them being Maian Cart:
Maian Cart Announcement
And the other one being a little more used, so i prefer giving out its name as soon as a CVE is assigned.
The Maian Cart issue was also my first 0 day originally (yay) and it was found way back in November 2020 by me and another friend from our new group - purpl3 (not his actual nickname but it's what he chose for the CVE reference) but we procrastinated to report it since we had more things to work on, and i mainly had school.
I also created a blog at https://dreyand.github.io, it currently doesn't/shouldn't have anything on it (depending on when you are reading this) but the technical details of the both CVE's and exploits will be deeply explained there once i am allow to do so!
Also, another thing to mention, I need to thank MyHackerTech for giving me an opportunity from the start, which gave me more than needed motivation to keep improving. Thank you!
You’re very welcome. We are glad to have inspired your continuous improvement. Keep up the good work!
Leave a comment