LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | AMA

The Cyber Mentor · Intermediate ·🔐 Cybersecurity ·10mo ago

Key Takeaways

The video covers various topics in cybersecurity, including pentesting, web hacking, and appsec, with a focus on hands-on techniques and tools such as Hack the Box, AWS, and Burp Suite. The speaker also discusses career development and industry trends in cybersecurity.

Full Transcript

Good. Um, yeah, appreciating and roasting road at the same time. Good hardware, terrible software. Uh, story of the life of many, many companies. Um, how you all doing? What's up, Zen? What's up, Hamza? I can see you guys on the uh the the first comments, although looks like Brick got the first one in today. Um before we jump into the the Q&A and do some um do some labs, um just a heads up, we've got a live discount code for um attacking AD live. So this is one of our live courses. So, if you're interested in how to um attack Active Directory uh and do break different services, find misconfigurations, get domain admin, um you can check out uh there's a code, I mean, it's coming down on the screen, but I'm also going to pin um Brit's comment for a second. Uh ad September 10. So, this code will only work for like 12 hours, I think. Uh so it's going to switch off uh tomorrow morning for me. Um or like depends on your time zone, but like 12 hours from now it'll disappear. So um if you're interested in live ad training uh then uh there's the there's the code there and I'll just like you'll see the banner um going around. If you have questions about the training um just ask away. You know that's that's what the live streams are here for. So, all good. Um, let's see. What else have we got going on? Um, let me scroll down, catch up with the chat. I got distracted by uh my VM not working and the the mic not working. Um, but now we're we're back to normal. So, my cat has just decided to wake up. Poppy, where are you? She's She's gone somewhere, but she was scratching the back of my chair, which means she thinks she's going to get fed, but she's not getting fed for hours yet. So, good luck, Poppy. Um, let's see. Let me come down and see whether we have any questions. I'm just skipping past all of the my mic is muted stuff. All right. Um, I can see one question here from Say. So, um, what's up? 14 and nearly finished the PH. Good job. Uh, I wish I was doing this kind of stuff at 14. I was kind of like doing some PHP development and some other stuff um around that age, but um but yeah, um you want to go into red teaming. So I would say for red teaming um what you want to do is start to kind of build some skills around so you've got like a pentesting foundation start to understand how things like um Windows Defender detect stuff and like what are the common bypasses start to think about how you can attack like multiple machines at once. So looking at taking on some of the worked labs uh which could be like hollow or wreath or or one of the like the prolabs on hack the box or something like that and start building up skills where you can get persistence and you can um mine targets for for information. So I think all of these things are kind of like really key red teaming skills and then you know getting up to date with like the miter attack framework and stuff like that. Um, I'd say you don't have to go crazy on sets. Sets are good, uh, but they have diminishing returns. So, get one or two and then just work on yourself, build your knowledge, um, do some cool side projects, uh, and do things like that. No need to go nuts, uh, with them. So, I think that's my my best advice, um, that I can give for that. Let's see what else have we got. Um so the ad live uh completely the course in this live I don't think I fully understand this question maybe you're going to have to give me some more context um but I think for if you're talking about the ad live yeah it's um uh a number of days and then all of the labs are hosted so you just join um you've got an instructor the main instructor is Heath um and he takes you through um attacking uh active directory so so That's Yeah, it's a fully live class, so that's it. Um, what are my thoughts on iPhone 17? I I have no idea. It's probably the same as the 16, but with maybe an extra camera because that's how iPhone works, right? Or maybe they take something away. Does it now maybe it no longer has a charging plug, so you have to like you have to pay for some wireless like plug. I I don't know. I have this one. So, my phone is an iPhone. And um if I clear my notifications, you go, I got my cat's Elfie on there. Uh but this is a 15 13. No, my 13 broke. So I think I have a 15. I can't remember. I I don't know what the differences are between them. They're like slightly different size. And that that's it. That That's all I know. I don't know anything else. Um I'm not a big fan of the Apple ecosystem. I do think the iPhone is an excellent uh product. I think it's very over like it's very expensive for what it is, but I think that's an excellent product. Not so keen on the rest of Apple's ecosystem, but I could be biased. Back in the day, if you ever remember Apple Music and and and iTunes and stuff like that, like God, what a horrible experience that was. Uh, and I've never really recovered from from from iTunes. And so, there you go. That's why I don't really like the Apple ecosystem. Um, how many years have I been in cyber security? I think this was my 11th year, 10th year, maybe 10 or 11, something like that. So, about a decade across various different roles though, not all of it. Um, pentesting, I've done a little bit of blue teaming, done quite a bit of apps, um, all sorts of things. So, but yeah, 10 years. Thanks for making me feel old. Uh, victory vision. Um, let's see. I'm gonna answer like two or three more questions and then we'll we'll start today's box. Um, uh, oh, here's an interesting one. So, do I think that VDPs are less secure than normal bug bounty programs or they just don't want to pay? Feels like there are some crazy secure VDPs. Um, I think that whether something is a VDP or whether it's paying out is not the only factor to consider whether a target is well hardened or not. And I would say that um if you're looking for your first bug and you see a new VDP come up, I think you're more likely to find like you'll have a little bit less competition and you're more likely to find like your first bug. But I wouldn't necessarily think that um uh just because it's a VDP that it's weaker. I think that's like Yeah, that's kind of but I think it's a it could be a good indication. So maybe more often than not you're you're more likely to find a bug because you've got a little bit less competition, but um but it's not always the case. Um, so it's like maybe like like two out of three times it's the case and then one in three times it's not the case. But yeah, it's interesting one to think about. I haven't looked at many VDP um uh targets recently. I only looked at one like a few months ago and it was pretty it was pretty well hardened. So kind of like you're saying, but in the past I've looked at a bunch of EDPs and I've been like I found bugs in them. So yeah, maybe maybe times are changing. Um, all right. Let's see. Oh, okay. Last question before we jump into a lab. Um, how do you get into cyber security and ethical hacking on a low-end laptop? Easy. Just run like Abuntu. Abuntu requires no resources at all and and you're all good. Um I would say that you know AWS has like a free tier so you can run stuff on there. Like I run my um um uh I run a Linux box on uh AWS free tier just so that I can easily like mask my IP address for certain attacks when I'm looking at bug bounty trying not to get clapped by Cloudflare and so I can just you know use a throwaway IP from from AWS um and just use like a um Auntu server and route my traffic and stay on the command line. Um, it is harder if you're trying to like spin up like big labs like AD networks and stuff like that, but there are alternatives like there's hosted services. You can go on to try hackme and um there's a and spin up like a Windows lab on there. It doesn't have to be running on your local machine. Um, or you can make use of like Hack the Box uh and things like that. Um, but honestly like especially for web app pentesting, you barely need anything. You need like a web browser and a proxy and those are the only two tools you need and maybe like a fuzzer like FFUF or Gob Buster or something like that. For network pentesting, I get that you need some more tools, but I don't think there's a single tool that is like requires a lot. The the only difficulty is if you're running your own labs to to attack them. So, um but so much stuff is hosted these days and there's so much access to cloud environments. Um, and even if you sign up to like Digital Ocean, I mean, find a content creator that's sponsored by Digital Ocean and if you sign up using their code, you probably get like a free $100 um, as a as a as a voucher and then you can run your ID lab on that $100 for like for ages. Uh, as long as you keep it up and pull it down, you know, smartly, if that makes sense. So, so I think that's a pretty good way to um, uh, to do it. All right, let's jump into today's box. And we're just going to do like a chill box today. Uh, it's been a busy day. We've got lots to do. Um, so today's box is going to be a relaxing one, I think. Let me see. jump into my VPN and then that looks like we're good. So, I need to actually start the machine. Hold on. How do I do this again? It's been so long. There we go. All right. The machine is starting while it starts. Um, let's have a look. Is I presume you mean AI rather than I intelligence artificial useful for pentesting? I think it's useful for almost everything. AI is a great assistant for many many things and so I think it's also useful for pentesting. I think it's good for troubleshooting. uh if you see an error message that you don't understand or if you want to understand what technology might have like popped a generic error message and you're like, "Oh, what does this error message come from?" It's great for that. It's good for troubleshooting. It's good for creating payload variations. Uh there's like a lot you can do with AI to speed up your workflow. Uh for sure, I think um do some of the ports for collabs, the business logic ones, maybe next week. Um, we don't quite have tons of time today, but I'll I'll add this. I'll try and remember maybe uh remind me and then and then I'll I'll uh I'll try and clock some of those. All right, looks like this box is up. So, let's see. Okay, so that's up. And then let's do m map uh dash a output normal scan initial and see what end map comes back with. And whilst we're doing that, let's see. I think this is a web box. So, let's just bring up our proxy and see what we can come up with. You all right there, Popeye? The cat is like, "Poppy, she's chilling. She uh I don't know why she's so hungry today. I think it's it's getting colder, so I might need to give her like a little bit of extra food to to stay warm. Her coat's definitely gotten thicker over the last month, for sure. And Alfie spends all her time sleeping in the in the bed under the duvet. So, uh, so that's a thing. Uh, let's open up the browser and let's see what we can have. Oh, is it Prince next week? Yeah, actually I think Prince is streaming next week uh with a big announcement as well. So you got some stuff to you got some fun stuff to look forward to. Um for sure. All right, so we get this Apache to Abuntu default page. That's not super useful, but at least we know there's a web server there. And looks like in terms of this only port 80 and 22, we didn't scan all ports, but this I think means that we can do ffuf uh dashu like this. And then word list user share word list uh where are my word lists? Word lists cyclists. Um, uh, let's see. Let's go to we're doing discovery and then web content and then let's go with Ah, come on. Give me give me it back. It's not giving me my shell back. Ah, and it just closed what I was writing. Maybe I can copy and paste. Here we go. Web content big.txt. Let me um drop this banner for now so you guys can see what I'm doing. Otherwise, uh it's going to get cut off. And oh, also my name is in the way. So, let me There we go. You guys can see what I'm doing now. So, we're all good. Very professional. Uh, so FFUF-U http targetfuzz word list user share sacklist discovery web content big. So, let's go with this. And since it's Apache, we could probably append like PHP, but for now, I think let's just see um what we find. And um yeah, see whether there's anything good here. Um, all right. While that's running, let me see what other questions we've got uh happening on in the chat. Oh, what is the most effective tool? Um, I can give you like the typical, you know, sassy answer, which is like your brain. I think like, you know, nothing replaces what's up here, right? Um, for me, I just think proxies are good. Like I do a lot of manual testing. I'm not into nuclei or like scanning at scale and stuff like this or automation. That doesn't mean it doesn't work. Some people are very successful um using a lot of automation, using a lot of tools like uh scanning tools and things like that. It's not for me. I don't find it very interesting. Um so I would say there's a lot of good tools but honestly a good proxy um get comfortable with Kaido or Buite and uh and then you're all good. All right. So we've got this slashcontent directory. So let's have a look in here. Okay. Ah, yeah, it's this one. I remember this box. Okay. So, we've got sweet rice. So, this is a CMS, but then we've got powered by basiccms.org as well. So, since we have slashcontent, let's also just run Whoops. run this again um against slashcontent here. So, so we're good to go. Um, let's see. This is an external link. Let's have a quick look at the page source. And we've got /content/js sweet ricejs. Probably not that exciting in here. What else have we got? Any other links to anything? Nothing too exciting. So, this is pretty like pretty basic page. Is there like a /lo login.php? admin.php. I assume we're on index.php. Yeah, that's the page we're on already. Let's see what. Okay, so we've got slash as slashattachment slash images inc andjs. So let's look at slash as. Okay, so we've got a login page. That's useful. That's a good place to be. And then attachments. Can't find this. So, we probably Yeah, there looks like there's nothing in this directory. Images. We probably can't find much in here, but just in case. Oh, there's like a capture.php. Oh, 53853. Very secure. And oh, sitemap. Sitemaps can be really useful. Um, let's download this insecure file and open with text editor. Let's have a look. Okay, this one is not that useful, but sometimes you can find like some cool stuff with with site maps. Like there'll be like hidden content or like um uh protected content and it'll still be in the site map. And some people use like a slash and then like a UYU ID to try and protect something which is like you know maybe they'll like share and then only people with the link can access it and it's a unique link and then unless the link is leaked you wouldn't be able to find the content but then sometimes the site map leaks it. So this is something that's worth looking at um whenever you kind of find it. Um so we've got that we've got images. Let's just have a quick look in this last one. Otherwise, we'll have a look for Okay, we have stuff in here in includes. So, there's cache. No, Burp Suite doesn't like this page. Cache DB. Let's have a look at this. Going to have to come into the terminal. Uh, let's come into downloads. Um, microcache db. Oh, okay. Looks like there's something in there. These look like MD5 hashes, which could be useful, but it looks like DB array and then there's a hash. So that could just be like the hash of like whatever it is. Uh I don't really know how DB caches work. So that might be an interesting thing to look into. Um, HT access we write on. That's not very exciting. MySQL backup. There's a file here. Uh, let's try and micro again. Ah, keep the file. There we go. How big is this file? Not too big. Is there any useful data in here? Let me actually cats and then let's grab So that looks like a hash and then maybe the this is the admin or the manager hash and you can see that this is serialized data. So this is like string six and then this is six characters and then we got string 32 and this is like MD5 because MD5 is usually um looks like this and it's 32 characters. Um, so you can see this is like serialized data. Um, and then we've got so the description is string 11. So yeah, let's let's just see whether we can use this and um, uh, login. So let me come into Firefox quickly. Let's just see whether we can crack this hash. While we're doing that, let's answer some more questions. Uh any new ones coming in? Let's take a look. Oh, JavaScript deopiscation. Yeah, I cover this in like the um uh expert web hacking course that I published. So, there's like a couple of different approaches. So the first one is like the easy approach just try a bunch of deopfiscators and see whether that works. Um but I would say like a few steps. So one um debugging in real time is really really helpful because what you can do is um usually in Chrome um because Chrome has better dev tools for debugging JavaScripts in my opinion um you can set like break points um so try and deopiscate it get it into somewhat of some kind of format that's slightly easier to read and the variable names are all still going to be random and stuff but get it into a good state and then set break points and then like monitor variables as you step through and try and um uh understand the code. So that's like the quickest rundown of like an approach that I can give you. Um I would also say like basic um obiscation. Uh AI is pretty good at understanding if you if it's just like substitutions for like variable names and some like data and a bit of exor or something like this. uh AI is pretty good at uh understanding that and giving you uh some feedback. But what I'd say is do it in small chunks at a time and be like ah here's a function. Try and figure out what that function does and then start to piece it together if that makes sense. I think that's the uh the best way to do it. All right. Oh, capital P uh password two. That's the password. Wonderful. So hopefully this is the password. Let's try admin. Let's try manager. And we're in. Easy peasy lemon squeezy. Um, that's pretty nice. I think just from looking around, we found this uh MySQL backup. And then oh, we've also got the version 1.5.1. So we could maybe look for exploits uh within the target. But let's keep looking around and see whether we can do it manually first. And um that gives us access which is quite cool. So let me close this and then oops come back to here. Ah lazy admins website system information. So let's see what have we got here. Uh, we've got language URL rewrite web status running or close. So, we could switch it on. Maybe that's why um when we come to is it slashcontent? Yeah, we got this site is building now. Please wait. So, maybe if we switch it to running, but I don't want to try that just yet because we might break something. um posts, comments, attachments. I wonder if it's like WordPress where I can set like a theme and then inject some PHP into the theme permal links. Whoa, suit didn't like that plug-in list. Yeah, looks like we might be able to upload a malicious plugin. So, this is definitely something that we want to take a look at. Ads, you can edit ads as code and put it into a template or you can edit the template here. So, that could be a way in. I think maybe we can just in Oh, yeah. Ads is ads code. We can probably just inject straight into here. site map, theme, updates, data, etc. Oh, SQL execute. We might be able to get uh code execution through my uh through SQL as well. I think it's kind of unlikely, but you know, who knows? uh depends on the permissions and if it's um because MySQL um we can use like the system exec function maybe if it's an old version of my SQL but I think let's try this since it just says we can do code. So, let's do like system and we'll just do who am I like this and we'll call it rce done. Um, what does this do? How does this work? Oh, is there only JavaScript that we can use? That wouldn't be so good if it's uh if it's only JS. How do we actually use this though? Let's go to posts. Create RC, please. RCE, please. RCE, please. Um, and then let's just do test. And then can I add an ad? That's the question. So, let's just do test. Test test test. publish attachment. Maybe we can add a file here. There's so much to uh to look at actually. So, um how do I preview this? So, that's modify. Uh maybe we need to turn the site on. Okay, here we go. Okay. Um. Oh, permal link. Oh, no. That's just the Oh, look. Every time we click like the the counter comes up. That's like you can just pretend that your site's really really popular just by clicking the link lots and lots of times. Nice. Um, okay. So, that's something. And let's go back to here and see whether we can add this to a page. So, what do I do with this or maybe it's in the comments? I'm sure I've seen something with this before. I have done this box at some point in the past, so I think this is the way, but I can't really remember. So, I'm just going to stumble around until I find it. user comments off. Oops, we don't want categories. Okay. Well, what should we do? Should we have a look for CVS? I think that would be the easy way. Or we could just carry on testing. What was that? Something just like floated across the screen. Um Can we edit the theme? Okay, let's see whether we can do this. Um, [Music] so theme list. Oh, we could probably maybe find a malicious theme and update that. All right, let's let's I've had enough fun. Um, let's Ah, I don't have search on here. That's fine. We can just come to Firefox. Oh, actually before we search for CVS, I wonder if so when we were here Oh, I thought this was as uh ads, not as uh I wonder if it's actually in the ink here. Is it added? No. Oh, yeah. Here we go. Ah, I did my thing wrong. Okay, I think we can get RC here. So, if we edit this and actually write some proper PHP with the proper opening tag, some versions of PHP will actually execute uh like this. Um, but let's do the super global um dollar sign_get. And let's just do cmd and then save this. And then let's see if uh cmd. Yeah. Okay, we have our C. There we go. So, that was um that was pretty straightforward. Um, we just kind of had to look around like just to find it. Um, let's see. LS/home. Whoops. It guy uh user.txt. Let's see whether we can cap the flag. Yeah, we can get the flag doing this. So, that's pretty nice. Um, all right. Let's see. Um, just checking back in with the chat, so we're all good. Um, oh, can I reduce the size of the chat on screen? I can't unfortunately because I had to change my setup because my old setup broke. And hello kitten. Um, unfortunately I'm only set up for this like size. So if I just remove the chat, it just like just does this. So sorry about that everyone. I will get it fixed soon. Uh, for sure. It's just I've been like super busy with other stuff. So we're stuck to this uh this size for the time being. Um, yeah, the cat wants feeding, but it's not her feeding time. So, sorry, pups. You're just going to have to carry on being annoying for a little bit, and I'll feed you a bit later. All right. So, how do we go from this to a reverse shell? I mean, we've got the flag here, but um let's try and get an actual shell. Um if we go for let's go for the uh pentest monkey reverse shell PHP and this one's usually pretty good. Let's just grab the raw. Copy this. And then where's my terminal gone? And then micro shell dot Whoops. shell.php. In fact, we don't even need to create it. We can just come into here, paste this in, and we can get rid of all of the warning. You're going to go to jail. Let's get rid of that. Now, we're no longer going to jail. And let's come back to here and not save this. And grab our IP. Whoops. Uh. Ah. I really can't type today. My brain is like all over the place. That's our IP address. Uh, netcat- NLVP. Let's do 4444 just for fun. And then we need this and this. And let's do RC2. And save this. And then hopefully when we browse to it, um, it's actually going to hang. So yes, this is a good sign. So what's happened is it's executing our script and hopefully we've got the reverse shell connection and it's waiting for this connection uh to finish before it sends the response. But in this case, we don't want it to finish. We just want to enjoy our shell. So let's do uh which Python 3? Yeah, we've got Python 3. So, Python 3- C import pty pty dot uh spawn bin bash upgrade our shell and then we can cd to home cd it guy. Okay, there's the flag. All right, so we're good. Um and then we can have a look at our priv. So before we dive into Privk, let me see whether um we have any uh any other questions coming through. Oh, sound off in X. Well, if the sound's off in X, I mean, just just go to YouTube. It's probably a better viewing experience. Um I don't know. I don't really use Twitter all that often, so uh sorry I'm not really set up for it. Um Oh, interesting. So, lots of bug bounty questions today, which is cool. Do you think bug bounty uh as a full-time source of income will be less feasible in the future? No, I don't think so. I just think that bug bounty, as with anything, will change over time. Uh so the approach will change um technology will change uh the things you look for will change and the way you look for things will change and I think if you just try and stay still that will be uh that means you get left behind but I think if you try and you don't have to be like week to week keeping up with every new thing but I think like especially if you're in a field like cyber security or like um especially for web where web apps move quite quickly. The technology of web apps move quite quickly. I think like network pentesting doesn't change as quickly as web app pentesting does. But um you do kind of like need to keep up right you need to understand uh what's happening what the new um latest and greatest things are especially like front-end development like is break neck speed like new versions of react coming out different frameworks happening um some of the back end is still the same but like you got a variety in technology you got like GraphQL and stuff and then you've got loads of different systems that are all interconnected and some of them are microservices and like there's there's a lot to um to keep up with. But yeah, I think bug bounty will just change. Um and hopefully it'll become part of like the normal process. To me, in like a perfect world, safe harbor would apply to everything. Like by law, if you put something on the internet, then somebody should be able to responsibly disclose stuff to you and then they should be should be paid for it. Uh that's kind of like my opinion of how things should be, but we'll probably never reach that point. But bug bounty platforms exist to to do that. So So ephemeral bugs, uh you know, the bugs that appear between your yearly pen test, somebody's going to find them and let's hope it's a bug bounty hunter and not somebody else. Uh so all goods. Um let's see. Let's see if we can do the priv. So, what's the magic like I'm going to throw this one out to the chat. What's the the magic command that if we get it um gives us anything we want, especially when you're talking about priv. So, I'll I'll give you all a minute or so to think about how to get anything you want. And the answer is not risk accepted, which is the old uh cyber security joke on how to get anything you want. While we're waiting, um yeah, so just a heads up, we are running uh live ad uh courses. Um there are still some seats left. Um a bunch have gone already. Um but there's a discount code um which will be alive for like the next 11 hours. 11 hours and 12 minutes. So, if you want to check out the ad live, um you can you can take a look. Uh what is the question? Yeah, how to get anything you want. Yeah, I'd like John John Doe got it first. I think this is kind of like part of the answer. Sue is definitely it. Sudo is also definitely it, but then uh Wyatt, you're you're definitely on this. I'm pretty sure Pseudo Dashell is going to be Yeah, look at that. Easy peasy lemon squeezy. Um, pseudo check out my cats. Yeah, that's that's it. I feel like I should just start a YouTube channel with my cats and then I can retire and then they can just do all the work. Just live stream cats all day. I have seen that actually on Twitch. There's a turtles and chill. So, it's like a music channel, but then it's got like some video of like some turtles and stuff, and they're just relaxing all the time. So, that's a pretty nice one. Um, all right. So, we've got pseudo all no password user bim pearl/homeit guy backup.pl. So, let's check out this file first. So, looks like we can read uh read this file, but we can't edit it. And user bin pearl systemshets copy.sh. Okay, so what are we going to have to do here? Can we copy? Can we just overwrite Etsy copy.sh? Yeah, look at that. So, copy.sh which is being accessed by backup.pl. We can't change this because the permissions on backup.pl is read write by root, read by the root group, and then read and execute by everybody else. So, we can execute it, but we can't um we can't write to it. but it's actually doing systemsh and then etsy copy.sh and in here we have read write by roots and then we've got read by the group roots but then we've got read write executes by everybody else. So we can actually um uh put a shell in here. So what's the best way to do this? Let's try and echo something like um chmod plus s to bin bash and currently actually let's let's see if we can't etsycopy.shf first. Oh, this just does like that looks like a reverse shell. Anyway, back to 5554. So, maybe we can just change this to um uh our IP address and then we can just use the same reverse shell. Hold on. What's my IP address again? I'm in the wrong terminal. Here we go. IPA netcat dash NLVP 4444. In fact, let's keep it simple. Let's use the same ports as what it was trying to use. 5554 like this. And then we grab this. I was just going to overwrite it and be like, let's add the um sewer bit to bin bash, but um uh ah what do I want to do here? Let's do micro test. Let's do it in here. Grab this. Drop this in here. grab this whole thing and then echo uh there's no quotes in it to Etsy copy.sh like this and then pseudo-l. If this doesn't work, I'll just go back to the sewer bit rather than trying to pop a reverse shell. And then we just upgrade our shell. Um, we've got this running and we can just copy this pseudo come to here and we are roots. Nice. And then if we cd /roots we can cat uh root.txt. And there we go. We solve the machine. Oh, the magic word is not please. The magic word is always pseudo. Um, so I can't. Somebody was asking earlier. They were saying they had some questions for you, uh, Andrew, but I said you'd be streaming next week. So, um, maybe they can save them till then. But, uh, but all good. Um, all right. And I think that is today's box out of the way. Hey, look at this cat. She's just like trying to steal the show, aren't you, Pops? Let me switch back to um here. And then you're just going to see tails going across the Whoops. going across the uh the screen. But all good. All right. So, um let me answer a couple more questions before we finish up today. Um that's a pretty nice box to be honest. Um, I'm glad we found the path without looking at like known CVS and stuff. So, if you find a random web app and uh let's say it's like on GitHub and it's got a couple of contributors uh but it isn't like really widely used and you want to practice your um uh CVE finding skills, then you're probably going to find something good. um especially if it's like you know if it's being maintained but not being maintained by lots of people or if it's not like being used in thousands and thousands of places. This is a way that you can start building up your methodology, getting some confidence and also seeing like some results because if you just try and attack something that's, you know, been very well tested and is very widely used, you might find something for sure. And that's kind of like the ultimate goal, of course, but uh it's nice to see like progress and see what works and what doesn't work. And that's kind of how you build your confidence uh over time rather than just diving into the uh the deep end. Um I do see po people posting on LinkedIn they're like ah yeah you know CVS is just a number blah blah blah not all CVS are the same. Just don't worry about other people's opinions. Do what's right for you and build your skills and then you know eventually you'll find something that is wildly impactful. Um, and maybe you're already halfway there. Maybe you're most of the way there. Maybe you're just starting out. Doesn't matter. I like do what um is important to you. All right, let's answer two more questions. Um, oh, what do I use as a base system? So, my like day-to-day is just a Windows box. And to be honest, uh, it kind of runs everything I need. And for web app pen testing, you don't need anything special, uh, really. Um, but I do a lot of my dev work on Iuntu. Um, just because it plays nicer with Docker, um, and some of the other tools that I use. So, so yeah, that's kind of my my general uh, approach. Um, I have thought about going Linux full-time. Um, but maybe that's something for the future. So, so we'll see. Um, all right, last question. Let's see. Oh, interesting one. Malware analysis versus penetration testing. Which is the best for job prospects? Um, I don't know. That's a difficult question. I think I mean they're both great jobs. Um, uh, they're also both jobs that, you know, are going to change, uh, given new tools, given the rise of AI. Um, your approach and methodology is going to change for sure. Um I think that like if you had to pick one, pick one that excites you more more than the other. I think I think pentesting is um there is still like a lot of people are saying ah pentesting is kind of like shrinking or disappearing. I think people are trying to automate pentesting more and more but then after a while realizing that you can't actually replace pentesters and then going back to it. Uh I've seen this. I've seen lots of startups doing pentest as a service, AIdriven pentesting. Um, I've seen live demos and it's not the same as a pentest. Simple as that. That's the long and short of it. Um, is it a useful supplements between like your yearly pentest? Yeah, could be great. Could be really, really useful. But, um, there's still uh there's still an industry for pentesting for sure. A malware analysis. I don't know a ton about malware analysis. So I would say maybe malware analysis more niche um I think so maybe there are slightly less jobs specifically for malware analysis uh than pentesting. Uh I could be wrong. I don't really know. Um but Andrew will be able to give you a better answer on the malware analysis side uh next time. But yeah, I think just choose what you enjoy and um you know, just try and keep up with with what's happening and you'll be all good. Um all right, I think that's it for today. So, thanks for tuning in everybody. Don't forget um ad live training. So, if you are interested, uh there is a discount code here going across the bottom of the screen. Uh it's only active for like another half day, so if you want to use it, use it sooner rather than later. Um attacking AD is great. Uh and Heath is an awesome teacher, so it's definitely worth checking out. Uh but with that I will catch you all next

Original Description

https://www.tcm.rocks/adlive-y - Spots remain available for our upcoming Hacking & Defending Active Directory Live! Learn straight from Heath about AD security and hacks - a perfect opportunity for offensive practitioners, defenders, and everyone in between. Alex Olsen answers your security questions and demos methods of hacking web applications. He also discusses how to start a career in cybersecurity and the importance of training.
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from The Cyber Mentor · The Cyber Mentor · 0 of 60

← Previous Next →
1 Buffer Overflows Made Easy - Part 1: Introduction
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
2 Buffer Overflows Made Easy - Part 2: Spiking
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
3 Buffer Overflows Made Easy - Part 3: Fuzzing
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
4 Buffer Overflows Made Easy - Part 4: Finding the Offset
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
5 Buffer Overflows Made Easy - Part 5: Overwriting the EIP
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
6 Buffer Overflows Made Easy - Part 6: Finding Bad Characters
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
7 Buffer Overflows Made Easy - Part 7: Finding the Right Module
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
8 Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
9 HackTheBox - Sunday Walkthrough (Re-Up)
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
10 Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
11 Networking for Ethical Hackers - Network Subnetting (Re-Up)
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
12 Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
13 Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
14 HackTheBox - Fighter Walkthrough (Re-Up)
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
15 Beginner Linux for Ethical Hackers - Navigating the File System
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
16 Beginner Linux for Ethical Hackers - Users and Privileges
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
17 Beginner Linux for Ethical Hackers - Common Network Commands
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
18 Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
19 Beginner Linux for Ethical Hackers - Controlling Kali Services
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
20 Beginner Linux for Ethical Hackers - Scripting with Bash
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
21 Beginner Linux for Ethical Hackers - Installing and Updating Tools
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
22 Cracking Linux Password Hashes with Hashcat
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
23 Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
24 Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
25 Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
26 Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
27 New Zero to Hero Pentest Course, New Website, and 2K Subs?!
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
28 Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
29 Zero to Hero Pentesting: Episode 2 - Python 101
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
30 Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
31 Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
32 Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
33 Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
34 Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
35 Installing Windows Server 2016 on VMWare in 5 Minutes
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
36 Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
37 A Day in the Life of an Ethical Hacker / Penetration Tester
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
38 Active Directory Exploitation - LLMNR/NBT-NS Poisoning
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
39 Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
40 Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
41 Writing a Pentest Report
Writing a Pentest Report
The Cyber Mentor
42 Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
43 The Complete Linux for Ethical Hackers Course for 2019
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
44 Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
45 Popping a Shell with SMB Relay and Empire
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
46 Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
47 Pentesting for n00bs: Episode 2 - Lame
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
48 Pentesting for n00bs: Episode 3 - Blue
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
49 Web App Testing: Episode 1 - Enumeration
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
50 Pentesting for n00bs: Episode 4 - Devel
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
51 Pentesting for n00bs: Episode 5 - Jerry
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
52 Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
53 Pentesting for n00bs: Episode 6 - Nibbles
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
54 Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
55 How NOT to Approach a Cybersecurity Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
56 Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
57 Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
58 Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
59 Pentesting for n00bs: Episode 9 - Grandpa
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
60 Top 5 Internal Pentesting Methods
Top 5 Internal Pentesting Methods
The Cyber Mentor

This video covers hands-on techniques and tools for pentesting, web hacking, and appsec, with a focus on career development and industry trends in cybersecurity. The speaker discusses various topics, including Active Directory, Windows Defender, and bug bounty programs.

Key Takeaways
  1. Build skills around pentesting foundation
  2. Understand Windows Defender bypasses
  3. Attack multiple machines at once
  4. Use hosted services like Hackme and Hack the Box for labs
  5. Map dash a output normal scan initial
  6. Bring up a proxy
  7. Open up a browser
  8. Run FFUF with a wordlist against the target
  9. Scan all ports for open ports
💡 Pentesting is not shrinking, and there is still an industry for it, with a focus on hands-on techniques and tools, as well as career development and industry trends.

Related Reads

📰
XSS— TryHackMe
Learn about Cross-Site Scripting (XSS) and its significance in cybersecurity through a TryHackMe challenge
Medium · Cybersecurity
📰
Social Discovery Group’s Announcement: A Communication That Raises Questions About Transparency and…
Social Discovery Group's announcement raises questions about transparency and cybersecurity, highlighting the importance of critical analysis in the industry
Medium · Cybersecurity
📰
Adobe Producer Spoofing: A PDF Metadata Forgery Case Study
Learn how to detect PDF metadata forgery by analyzing the Adobe Producer string and structural forensics to catch contradictions
Dev.to · Iurii Rogulia
📰
Today's the Deadline: Three Separate CISA Patch Orders Just Collided on the Same Weekend
Apply urgent CISA patches before the deadline to ensure infrastructure security
Dev.to · Fabio Baensch
Up next
Best VPN for Mac 2026 — Top 3 Tested and Which ONE Wins
Tutorial Stack
Watch →