Featured

A Simple Guide to Getting CVE’s

Written by @hyd3sec and boku

So you found a vulnerability and you want to get a CVE? SWEET!

Make sure that the vulnerability doesn’t already exist. That’d be lame if you went through all this work only to find it’s already out there… but still kudos to you for finding it! The only place you REALLY need to check is the MITRE database, but you should also check google, github, etc.

Contact the vendor/product owner and disclose the issue. Now if they have a bug bounty program that you’re involved with then unfortunately their disclosure policies may prevent you from disclosing it at all. Here’s the important part… take screenshots, save emails, do whatever to make sure that you document that you attempted to contact the application owner. This is where the clock starts ticking.

When contacting the vendor, aim for coordinated disclosure. In an ideal situation, you will release the vulnerability details after the vendor has been able to release a patch. With a responsive and cooperative vendor, MITRE has great documentation on how to progress your CVE to disclosure that can be found here: https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf . However, for many reasons, the vendor will ghost you. If this is the case (and it typically is) this is what we do…

Disclosure is a gray area with no defined rules, but most people wait 30, 60, 90, or even up to 120 days after notifying/attempting to notify the vendor before disclosing. While you are waiting, go to the MITRE website and fill out the CVE request form. This process is going to be done on a case-by-case basis (ex. if the company/owner is a CVE Numbering Authority, also known as a CNA).

If you don’t see them in the CNA list, fill out this form: https://cveform.mitre.org/. This has taken us roughly 30 days on average, so we like to submit this once we find the vulnerability. Once you get a CVE ID (they will notify you by email), you’ll notice that it’s in a RESERVED state. This means that your CVE has been accepted by MITRE but has not been published yet.

Now while you’re waiting, it’s generally a good idea to keep trying to contact the application owner/developer at least every 30 days. Once you have waited however long you decide to/whatever the application owner and you agree upon, it’s time to publish! This is the best way that we have found to accomplish this:

Send POC/exploit to PacketStorm Security/CX Security. A good format for the header is what Exploit-DB shows here: https://www.exploit-db.com/submit. Make sure that you include the RESERVED CVE-ID that you got from MITRE when you submit to these two websites.
Once the exploits are published, send the links to MITRE by replying to the email that they sent you with a link to the published POC/Exploit.
MITRE typically has a quick turn-around for this (1 day or so). Sometimes they email you with an update, sometimes they don’t. Best thing to do is to check the original CVE Link they sent and see if it changed from RESERVED and shows the details of the CVE.
CONGRATS! YOU’VE GOT A PUBLISHED CVE!!!
If you so choose, you can now try to send your exploit/POC to exploit-db. They typically won’t respond with an update on whether they decide to publish or not, but if not, try and try again!

EDIT: My friend Valerio had an issue where MITRE wasn’t being responsive. He had this addition:

If Mitre doesn’t respond to your email after months, it’s enough to open a new request not as a “CVE Request” but as “other”, specifying you are waiting for such a long time… after doing this, they replied to him after 24 hours with CVE IDs. Thanks Valerio!

Happy Hunting!

Resources: https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf

Bashed – No Metasploit

Let’s start off with our portscan:

Looks like only port 80 is open. Running gobuster on port 80, we get some interesting directories:

After going down the list, we see /dev’s contents:

What’s phpbash.php ?

It’s an interactive web shell. Well that’s pretty straight forward. Using this payload from the pentestmonkey website:

We get a reverse shell on our listener:

Grabbing the user.txt flag:

So let’s look around and MANUALLY enumerate before we try to use scripts. Manual enumeration is always preferred because you’re being more intentional on what you’re looking at. And to be honest, scripts can always miss stuff.

Running PS -ef we see that there is a cron job running every minute:

So let’s try to read test.py

Womp womp. Okay… well let’s try to do something that we should have done right away in the first place: sudo -l

So this is interesting. We know that scriptmanager is a user on the box. This took me a little bit, but I eventually got it (of course, syntax error):

So now, I can read test.py. Now that I am scriptmanager, I’m willing to bet that test.py is executed by root. I just need to create my own test.py and replace what’s in there.

Once I put this on the box, I tested it first to make sure it worked … of course I had a few issues prior to getting the script right but that’s why we test first!

Ok so the script works. Time to let the cron run and start our listener and wait patiently for root to execute the script:

eLS Penetration Testing Professional PTPv5 Course Review

If you prefer to watch the youtube video of my review with screenshots, head here: https://youtu.be/ZXDeBmOnFB0

So my first recommendation… if you just got your eJPT, don’t take too long of a “break” before you start the PTP. Especially if you found it fairly simple. If you struggled a bit through the eJPT, guess what? You’re gonna do great with the eCPPT exam. You’re already showing that you’re willing to push forward through some pretty tough stuff. This isn’t easy, so if you struggled, that just means you have the aptitude to get through the next step.

If you’re like me, and you just did the PTS course, you’ll step into the PTP courseware and think… what did I just get myself into. The amount of material that is covered here is no joke.

Not only that, each module can be several hundred slides. Some may think this is filler, but quite honestly it is eLS trying to teach you concepts instead of just teaching you to the test. You paid a lot of money so you should expect quality content. And A lot of it.

If you don’t care to understand everything and just want to pass the test, you might be in the wrong career field here. You should be naturally curious about how things work if you want to do this kind of stuff.

The first module makes the whole course seem pretty intimidating. System security is one of the hardest concepts to really master, and frontloading this will definitely make you think what did I just sign up for? The module is rough. I remember reading a bunch of slides and thinking “what did I just read?” Rest assured, the video actually does a really good job of explaining it. If you don’t understand everything about the construct of a stack or what an EIP or EBP or ESP is by reading the slides, I promise, you’ll get it after you look at the video a few times and understand what’s happening. A note to eLearnSecurity: maybe consider moving system security towards the end. That way people can ease a little more into the whole course.

A great supplement to this is TCM’s buffer overflows made easy. It will teach you a different way to approach the material. eLS does a good job of including as much content as is required to pass their certifications, but you should always try to explore other ways to solve the same problems. I said it in my exam review, but there are definitely multiple ways to achieve targets in the exam.

Be prepared to have issues with versions of certain scripts, applications, Metasploit modules, and tools. It will get frustrating at times, but you will need to work your way through it. Things change all the time in the cyber field. When stuff gets updated, it won’t work like it used to. It is expected of you to be able to troubleshoot any compatibility issues and to get the tools to work right on your own. Check the forums for help on this. But please, save us all some bandwidth and don’t use the eLS forums to complain that you weren’t spoon fed a Kali distro with pre-installed application versions that work 100%. Figuring it out yourself is a part of the learning process.

Honestly, if you’re not willing to try to fix the issue or find a workaround yourself, you might be better suited for a more standard-operating-procedure type of role like a strictly blue-team role, which is TOTALLY fine!

The forums and support are fantastic. Instructors are on there regularly to help out as best as they can. They’re very responsive and helpful.

The labs are extensive. Very extensive. Very comprehensive too. There’s a ton of cool stuff that eLS teaches you, from DLL injection to NTLM relays and a bunch of stuff in between. Their content is fantastic.

You don’t have to use hackthebox or other platforms to supplement the learning and content in order to fully understand… there’s plenty of labs there for you to be well prepared for the exam.

I will say this. In all of the labs, they advise you to try your hardest before you look at the solutions. Don’t second guess yourself if you can’t proceed without looking at the solutions. I promise you, it’s OK! I looked at ALL of the solutions for the labs. The labs have content in there that the course material didn’t cover in many cases. I’m saying this again: IT’S OK TO LOOK AT THE SOLUTIONS.

The goal is before you’re ready for the exam to be able to go through the labs and understand the steps that the solution takes, but most importantly understand WHY. Take notes on the labs if you need to separate from the course notes… I know I did.

eLS teaches you how to solve problems both with and without Metasploit. Here’s the thing, and I know I’m contradicting myself from an earlier post on my blog which I will shortly address on there, but I’ve spoken to several senior pen testers. They all use Metasploit. These are quotes from pen testers I’ve spoken with who have been doing this for years. In order to be an efficient and effective pen tester, you have to know how to use metasploit. Otherwise, you aren’t doing the client much justice because you won’t be able to actually test as much given whatever the engagement time period is. I know of one Pen Tester who actually enrolled in PTP to teach him how to use Metasploit effectively because he fell behind compared to his peers, and he already had a comparable professional level certification. If there’s a tool out there that helps you do your job, you’re not being smarter by not using it. That’s just the logic in me. This course does a great job of showing you how to use modules and plugins within Metasploit and how to integrate other tools into it.

My only gripe with the labs is that I do wish the buffer overflow lab had a little more direction to it. In order for me to feel confident enough with this, I tried replicating what the video showed and used the example that TCM put on in his youtube videos under Buffer Overflows Made Easy.

I also wish there were labs for WIFI.

I would buy the Elite package for PTP just because of the Ruby and Powershell modules. If you’re serious about pen testing, it will only help to have these tools under your belt.

I used about 40 hours of lab time, and I went through each lab at least 5 times, which I think was way more than I should have.

It also comes with 3 or 4 retakes if you need them. Even if you buy the FULL package, it comes with a free retake. This just goes to show you that eLS is all about getting its students certified without dropping their standards, instead of a lot of organizations that are clearly just in the game to make money. They also try to update their curriculum a lot sooner than many of their competitors.

The PTP teaches you to think like a pen tester in a red team engagement. You learn all the different tools and at the end you have to apply everything to a real life scenario.

So to sum it up, I would say I wish the system security module was just a little more clear and that the WiFi modules had labs. Get the elite package, and if you’re new to pen testing like I was, get the PTS as well. You’ll be happy you did. I’d advise to wait until they have a sale going on… they usually have one every couple weeks/months. If you do 2 courses or more at once, I think you get a volume discount. The courses may seem expensive, but the amount of quality and up to date content is unreal. And don’t forget, the packages usually include one or more retakes… stuff other vendors love to charge you extra for.

If you have any questions about anything with the course, or are struggling with getting stuff to work, please reach out to me… comment here, get on my LinkedIn, post on my blog… whatever. I burned through the PTP in 1.5 months, once again without an IT background. Make a calendar and set goals for every day.

I hope you all found this helpful and really consider getting the PTP. I found a lot of value in it, and eLS is regularly trying to make their courses better for the end user.