Hi, meet me again. In this article I would like to write about my experience accompanying one of my community members in taking a challenge to hack an OS with defined vulnerabilities. I give a small reward to those who are able to get full access and present the attack vector to the audience.
During the hack challenge, I found some interesting lessons learned that are worth sharing in this article. Here are the points:
- Kali Linux + Google = Masterpiece
Those who regularly do pentests might say yes to my statement above. Kali Linux and Google are more than enough for you to get clear information and penetrate the box. But, as you know, Google will answer almost everything you put into the query, so a good query will make the penetration testing process faster; the art of questioning comes into play …
- No sophisticated tools
In some movies we see sophisticated tools being used to do the hack, but actually most successful penetration tests, or at least CTFs, use non-sophisticated tools to successfully exploit the vulnerability, such as nmap, gobuster, Burp Suite, sqlmap and perhaps wpscan as needed. No rocket science required.
- Pay Attention
Scanning and enumeration: the main thing a penetration tester should have in this phase is good attention to the scan output. Sometimes a lack of attention to the output will make the penetration test go around and around. The information given by the scan output is sometimes too complex, but when you know where to look it might be easier to get the right things. I might say that practice makes perfect .. 🙂
- Do not make assumptions
What you should keep in mind is that THERE IS NO APPLICATION MADE WITHOUT ANY SINGLE BUG, because I believe what Einstein says: that only two things are unlimited in this life, the Universe and Human Stupidity. So be patient in finding the bug. There must be at least one bug in every application made in the world, but it is a matter of luck whether it is discoverable or not, exploitable or not, from the attack surface. Try changing your attack surface from time to time; you might find the jackpot soon.
- Try Everything
Sometimes penetration testers do not have enough motivation to find the bug and do a real exploit. A penetration tester should have 10000% eagerness, self-confidence and craziness to find the bug and successfully exploit it. When you are down .. go and get coffee.
- Try Harder
Yes … Yes … No more description for this … TRY HARDER Guys …
The 5 points above are some lessons learned from that event. It is good to keep the above points in mind to really tackle the challenge.