
A Simple Guide to Getting CVEs

Written by @hyd3sec and boku

So you found a vulnerability and you want to get a CVE? SWEET!

Make sure that the vulnerability doesn’t already exist. That’d be lame if you went through all this work only to find it’s already out there… but still kudos to you for finding it! The only place you REALLY need to check is the MITRE database, but you should also check Google, GitHub, etc.

Contact the vendor/product owner and disclose the issue. Now, if they have a bug bounty program that you’re involved with, then unfortunately their disclosure policies may prevent you from disclosing it at all. Here’s the important part… take screenshots, save emails, do whatever it takes to document that you attempted to contact the application owner. This is where the clock starts ticking.

When contacting the vendor, aim for coordinated disclosure. In an ideal situation, you will release the vulnerability details after the vendor has been able to release a patch. With a responsive and cooperative vendor, MITRE has great documentation on how to progress your CVE to disclosure that can be found here: https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf. However, for many reasons, the vendor will ghost you. If this is the case (and it typically is), this is what we do…

Disclosure is a gray area with no defined rules, but most people wait 30, 60, 90, or even up to 120 days after notifying/attempting to notify the vendor before disclosing. While you are waiting, go to the MITRE website and fill out the CVE request form. This process is handled on a case-by-case basis (for example, the process differs if the company/owner is itself a CVE Numbering Authority, also known as a CNA).

If you don’t see them in the CNA list, fill out this form: https://cveform.mitre.org/. This has taken us roughly 30 days on average, so we like to submit it as soon as we find the vulnerability. Once you get a CVE ID (they will notify you by email), you’ll notice that it’s in a RESERVED state. This means that your CVE has been accepted by MITRE but has not been published yet.
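The “make sure it doesn’t already exist” step above is easier if you script it against a local dump of CVE records rather than eyeballing search results. The example below is added to this post and is not code from the original guide or from MITRE: it takes a list of records shaped like CVE JSON 5.0 records (the `cveMetadata` / `containers.cna.affected` layout is assumed from memory, so check it against MITRE’s published schema), normalizes vendor and product names so that “Widget Manager” and “widget-manager” compare equal, and returns candidate records for a product, optionally narrowed by an affected version and by keywords in the English description. The three records, their CVE-0000-* IDs and the vendor/product names are constructed placeholders, not real CVEs. It also counts RESERVED entries, because those carry no product data and therefore cannot be ruled out by any search.

```python
"""Offline duplicate check against CVE-JSON-5.0-shaped records (added example).

Records, IDs and product names below are constructed placeholders.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample records; CVE-0000-* IDs are placeholders, not real CVEs.
SAMPLE_RECORDS: List[Dict] = [
    {
        "dataType": "CVE_RECORD",
        "cveMetadata": {"cveId": "CVE-0000-10001", "state": "PUBLISHED"},
        "containers": {"cna": {
            "affected": [{
                "vendor": "ExampleSoft", "product": "Widget Manager",
                "versions": [{"version": "2.3.1", "status": "affected"},
                             {"version": "2.3.2", "status": "unaffected"}],
            }],
            "descriptions": [{"lang": "en",
                              "value": "Stored XSS in Widget Manager 2.3.1 via the name field."}],
        }},
    },
    {
        # RESERVED: accepted by MITRE but no public details yet (empty containers).
        "dataType": "CVE_RECORD",
        "cveMetadata": {"cveId": "CVE-0000-10002", "state": "RESERVED"},
        "containers": {},
    },
    {
        "dataType": "CVE_RECORD",
        "cveMetadata": {"cveId": "CVE-0000-10003", "state": "PUBLISHED"},
        "containers": {"cna": {
            "affected": [{
                "vendor": "examplesoft", "product": "widget-manager",
                "versions": [{"version": "1.0", "status": "affected"}],
            }],
            "descriptions": [{"lang": "en",
                              "value": "SQL injection in widget-manager 1.0 login form."}],
        }},
    },
]


def normalize(name: str) -> str:
    """Lower-case and drop punctuation/whitespace so naming variants compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def english_description(cna: Dict) -> str:
    """Return the first English description in a CNA container, or '' if none."""
    for d in cna.get("descriptions", []):
        if d.get("lang") == "en":
            return d.get("value", "")
    return ""


def find_existing(records: Iterable[Dict], vendor: str, product: str,
                  version: Optional[str] = None,
                  keywords: Optional[List[str]] = None) -> List[Dict]:
    """Return candidate records for vendor/product (all states that carry data).

    version:  if given, only records listing that version as 'affected'.
    keywords: if given, only records whose English description contains
              at least one keyword (case-insensitive). Matches are candidates
              for manual review, not proof of a duplicate.
    """
    matches = []
    for rec in records:
        meta = rec.get("cveMetadata", {})
        cna = rec.get("containers", {}).get("cna", {})
        desc = english_description(cna)
        for aff in cna.get("affected", []):
            if normalize(aff.get("vendor", "")) != normalize(vendor):
                continue
            if normalize(aff.get("product", "")) != normalize(product):
                continue
            affected = [v["version"] for v in aff.get("versions", [])
                        if v.get("status") == "affected"]
            if version is not None and version not in affected:
                continue
            if keywords and not any(k.lower() in desc.lower() for k in keywords):
                continue
            matches.append({"cveId": meta.get("cveId"), "state": meta.get("state"),
                            "affected_versions": affected, "description": desc})
    return matches


def count_reserved(records: Iterable[Dict]) -> int:
    """RESERVED entries have no product data, so a search can never exclude them."""
    return sum(1 for r in records
               if r.get("cveMetadata", {}).get("state") == "RESERVED")


if __name__ == "__main__":
    for m in find_existing(SAMPLE_RECORDS, "ExampleSoft", "widget manager", version="2.3.1"):
        print(m["cveId"], m["state"], m["description"])
    print("RESERVED records that could not be checked:", count_reserved(SAMPLE_RECORDS))
```

In practice you would load the records with `json.load` from a local copy of the published CVE list and run `find_existing` once per vendor/product pair you are about to report; anything it returns needs a human read of the description, since the same product can carry many unrelated CVEs.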

Now, while you’re waiting, it’s generally a good idea to keep trying to contact the application owner/developer at least every 30 days. Once you have waited however long you decided to (or whatever the application owner and you agreed upon), it’s time to publish! This is the best way that we have found to accomplish this:

  1. Send the POC/exploit to PacketStorm Security/CX Security. A good format for the header is what Exploit-DB shows here: https://www.exploit-db.com/submit. Make sure that you include the RESERVED CVE ID that you got from MITRE when you submit to these two websites.
  2. Once the exploits are published, send the links to MITRE by replying to the email that they sent you, including a link to the published POC/exploit.
  3. MITRE typically has a quick turnaround for this (1 day or so). Sometimes they email you with an update, sometimes they don’t. The best thing to do is to check the original CVE link they sent and see if it has changed from RESERVED and now shows the details of the CVE.
  4. CONGRATS! YOU’VE GOT A PUBLISHED CVE!!!
  5. If you so choose, you can now try to send your exploit/POC to Exploit-DB. They typically won’t respond with an update on whether they decided to publish or not, but if not, try and try again!

EDIT: My friend Valerio had an issue where MITRE wasn’t being responsive. He had this addition:

If MITRE doesn’t respond to your email after months, it’s enough to open a new request not as a “CVE Request” but as “other”, specifying that you have been waiting for such a long time… after doing this, they replied to him within 24 hours with CVE IDs. Thanks Valerio!

Happy Hunting!

Resources: https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf

eLearnSecurity eCPPT [Certified Professional Penetration Tester] Exam Review

I’ll be putting up a review of the Penetration Testing Professional course put on by eLS soon, but that’s separate from this one. That post will have some tips on how to get through the material in the most efficient way.

If you prefer to watch the video, check out: https://youtu.be/OqzXajcXKdo

Timeline:

Day 1: Started on Valentine’s Day around 6:30 or so. Got an awesome start… got my first box, rooted it, made solid progress. Went to sleep at about 12:30 pm.

Day 2: Woke up at 6… got literally nowhere. Enumerated, enumerated, enumerated. Got really good at enumerating. Ugh. Found some stuff but really sucked at connecting some dots. Connected dots to stuff that didn’t need connecting. Went to bed at about 2 am. I think I forgot to eat a meal or two this day. This was like an 18 hour work day. I got nowhere.

Day 3: On very little sleep, since I was pretty frustrated and felt like I was falling behind. After lunch, I finally caught my second wind and rooted a few more boxes on the network. Finally, some wins. Yay morale. Got started on a little custom exploit development. Went to bed around 1 a.m.

Day 4: I was scratching my head. Could NOT figure out what I was doing wrong with getting access to the last box on the network before getting to the final objective.

Day 4 evening: I started looking up the retake policy. I was pissed and really getting down on myself.

Day 4 around zero dark whatever… I figured it out. Got access to the last box. Decided to get a couple hours of sleep.

Day 5: Ever get frustrated because you know you’re so close but you just can’t figure it out? Yeah, that was me. And I was mad. Day 5 around 10 (I decided to sleep in a little), I figured it out. Amazing. Creative. Now all that was left was the final objective. At about 1:00 pm, I had rooted the DMZ. Wow. What a good feeling. Finally, I could breathe a little.

Exam Advice:

If this is your next step after the eJPT, be prepared. This is significantly more difficult. The objective of the eJPT is to introduce you to some pen testing concepts. This exam validates that you are able to perform a full-scale penetration test at a professional level.

Keep track of what you’re doing. If it didn’t work the first time, don’t bother trying it again and again in hopes that it will magically work and some unicorn will come by to save the day. I wasted a lot of time doing this.

See if you can get off work.

Do not do a fresh Kali install. If everything has been working for you thus far, leave it as is.

Don’t do 16 hour days on the exam. I did it, and it was awful.

Plan your meals. Eat healthy. Set alarms on your phone if you must to make sure that you eat properly.

Don’t cut out the things you do regularly. I usually try to go for a walk or go to the gym at least every day. I didn’t do that this time and it just hurt me mentally.

Get creative with how you solve some problems. Don’t overcomplicate things. There are many many different ways to get from point A to point B.

Take your time. I didn’t. I wanted to be done. This will only add to your frustration.

Try different payloads.

When you write your report, remember your audience. I’ve never written a pen test report before so it was a new experience for me, but based on the feedback I got, I did alright. Don’t get overly technical. You’re communicating issues potentially to C-level executives. You’re creating value, so your report is better received if they can understand you instead of you talking about what kind of encoding you decided to use.

Think outside the box. Remember, when you’re launching an attack, there are many different configurations. Trust your gut and try different things. You’re trying to be a certified pen tester after all. You’re expected to research new concepts and apply them. So no, all the answers aren’t in the course material, nor should they be.

Keep track of your IP! It’s not a matter of if you get kicked off the VPN, but when; and when you re-establish your VPN connection, your IP may change… Mine changed 5 times.

How I prepped:

I prepped for it like I did for the eJPT. Focused heavily on the labs and videos. Did the labs 5 times apiece and I must have read them over at least 10 times. Used about 40 hours of lab time, which I consider a lot.

I took notes on everything… literally everything. Every slide, every video… everything.

How I recommend you prep:

Take the eJPT.

Do everything I did, maybe only do the labs three times. Don’t overdo it like I did. You’ll get to a point where you’re gonna just stop retaining information.

Know your pivoting! Practice! Practice! Practice! One of the best things this exam does is simulate a real-life pen test. It is not like other exams or Hack The Box, where you just need to root something and then move on to another machine, rinse and repeat. This emulates a full-on red team engagement, so get out of the “get root” mentality.

Make sure you know all the concepts, including custom exploit development. Every little detail matters. There’s a reason that they teach certain things. It’s not frivolous learning.

Learn about basic operating systems stuff. I don’t want to get into too much detail, but this was a learning point for me. I don’t have an IT background, and I had to look up a lot of stuff.

Make a study schedule and stick to it. If you fall behind one day, make it up the next.

A couple links to some useful stuff to help reinforce what I learned:

Buffer overflow – https://www.youtube.com/watch?v=qSnPayW6F7U&t=1s

Another buffer overflow video – https://www.youtube.com/watch?v=1TNecxUBD1w

Resource scripts (to make things a little easier on yourself during exam time) – https://www.youtube.com/watch?v=2HSKbE61z48

Pivoting – https://www.offensive-security.com/metasploit-unleashed/pivoting/

SOCKS proxy – https://www.offensive-security.com/metasploit-unleashed/proxytunnels/

Reporting – https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report

Remember, if you want it badly enough, you can do it. Focus on getting to the objective, but remember: you should treat the exam like a real-life red team engagement.