Penetration testing course: Social engineering, HTB and WebGoat – h3

This is a homework assignment for Tero Karvinen’s penetration testing course.

a) Guest lecturer Riku Juurikko’s wisdom on social engineering

OSINT – your information is all over the place

Open Source Intelligence is information gathering that is based on public sources, and it is very difficult or close to impossible to detect.

The cyber kill chain starts with reconnaissance, getting to know your target. In the context of OSINT, gathering information about a target’s assets, resources and associates from public sources is very easy with the help of Internet search engines and public services.

Intelligence is connecting data from different sources

Whether the target is an individual or an organization, getting a holistic picture based on Internet searches alone is easy. Finding a suitable attack vector often means finding a suitable individual, who then gets more personalized treatment.

It’s all about trust

Social engineering starts with a pretext. You have to know enough about your target so you can create a believable background story to get closer. These days we increasingly see handcrafted phishing emails, or phishing campaigns targeted at a specific audience. If your target accepts a fake social media contact you have created, you are one step closer. However, fake profiles are so common on social media platforms that the vendors have means to detect them. A valid-looking profile can of course be bought, but who do you trust enough to buy it from?

Persuasion techniques

Even with only a little initial trust, persuasion techniques adopted mainly from the marketing industry can be used. The main point here is to disrupt the normal human decision-making process. Make your victim feel special, or give something for free: “Special price for intelligent people! First fix for free!” Or you can have a “Limited Edition available today only!”, “Experts recommend this!”, or even better: “Your friend recommends this!”

Once someone has made a small decision to accept, it can be surprisingly hard to say no to the next small offer, and soon you are getting a monthly bill. Especially if you like the person who asks for it, for example if you have something in common: interests, looks and whatnot.

Imagine the following overly generalized situation: an attractive person gives you a sample product, a limited edition, and gives you a short time limit to buy another. Later the same day another of your new friends on a new social media platform recommends the product, and throws in some links with scientific proof behind it.

At every stage there is a possibility to say no, but when the product is tailored just for your current needs, can you? If it sounds too good to be true, it probably isn’t. In the digital world, however, social engineering methods are much more subtle and they might be hard to detect. Just making the victim click a link or visit a site can be enough.

The cyber attack

The main driver in using social engineering is to gain access to a system, in the form of credentials. From there on, let the more technical people hunt for the information that is valuable. You can of course just try to plant a ransomware bomb bought from the darknet and wait for the money, or the police, to come in.

Limits of penetration testing relating to remote working

A penetration tester, especially in the physical world, needs permission to do his or her job. The scope of the test is often limited to an organization, and once a BYOD policy is implemented, a remote worker’s personal machines are out of scope. But this is not true for criminals, as they don’t ask for permission. Which brings us back to the beginning: it’s also a game of covering tracks versus detection.

Final thoughts

The cat and mouse game goes on, and we are connecting things to the Grand Network at an accelerating rate. As information flows keep growing, detecting malicious activity is more of a challenge than it was ten years ago. Machine learning backed data mining is an everyday activity today.

They say that data is the new oil. Recognizing and protecting valuable data is something everyone should take at least a moment to consider.

b)+c) Recon HTB web servers, learn new tools from 0xdf examples

I’m working on HTB’s OpenAdmin, and not far from user access. Just a quick enumeration with a script of ports 80 and 443 that were scanned earlier with nmap.

$ sudo nmap -A -oA HTBlan_A
$ grep -E "report for 10.10.10.|80/tcp|443/tcp" HTBlan_A.nmap


Hacking The Boxes continues on THIS PASSWORD PROTECTED PAGE

d) WebGoat 7.1, more exercises

I saw Arttu’s reports as they were reviewed in class. Quality work! But I don’t want to spoil the fun for myself. Never read a film’s synopsis or a book’s back cover. Did someone spoil The Matrix for you? From Dusk till Dawn? Don’t spoil.

This time I’ll post a few walkthroughs instead of green tick boxes. Hack The Box asks you not to submit solutions online, but WebGoat doesn’t.


Here is where I was left last time. I have mitmproxy running to watch traffic.


I have to edit Jerry’s address as Tom. I’ll first edit Tom’s address (Street) as Tom to see what happens:


What I have to do here is to save a malicious piece of code into my street field. When Jerry looks at it, the code gets executed.

I’m going to insert a picture from the Internet in there. I’ll just put HTML code into the field and see what happens:


This seems to work, however the objective is to put something on the ‘EditProfile’ page. Preferably so that Jerry doesn’t notice.


This actually reveals something: notice how the "/> is outside the input field? Let’s look at the page source in the browser to see what actually happened:


And here is the relevant line of what went to the server:


Let’s take a look at how Jerry’s EditProfile button returns the data to the browser. I tested inserting this as Tom’s street:

2211 HyperThread Rd.<script>console.log("WAZZUP JERRY?")</script>

Just viewing the information, nothing seems to be wrong, except for the odd console message 😉 But loading EditProfile seems to be different:


Here’s the catch: Jerry sees something weird in Tom’s address and wants to edit it. Tom will put the following as his address:

2211 HyperThread Rd."><script>console.log("WAZZUP JERRY?")</script>

This works, but I don’t get the green tick yet. Can we avoid detection on both of them somehow? Editing and updating multiple times does something interesting though: characters disappear, but what stays and what does not? Let’s examine this methodically:

  • Log in as Tom
  • Change street address to ">HELLO
  • Viewing the address, it reads ">HELLO
  • Going to edit once more shows HELLO"/> outside the field


Conclusion: after one edit/view/edit cycle, we get "> cleared from the value field and HELLO"/> appended after the input field. To put in a script that runs when editing is entered:

  • Log in as Tom – ViewProfile-EditProfile
  • Change street address to "><code>SOMECODE
  • Whoops, most of the stuff disappeared 8)

But wait, I can just put an onload event inside the input field!

  • Change street to: " onload=TEST

When clicking ‘EditProfile’, this becomes:


Putting <hello> into the form shows in the Edit view as it is, but renders into <hello></hello> in ViewProfile. Feels like I don’t know enough about the backend.

Ok. Enough guesswork for now. Some reading to do! The current number of solved WebGoats is 21, so I’m hanging in there. I spent a lot of time with HTB, and some other courses demand attention too.
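To make the ViewProfile/EditProfile difference concrete, here is an added illustration (my own code, not from the post or from WebGoat): ViewProfile is modelled as dropping the street value into a text node, EditProfile as dropping it into a quoted value attribute, and the result is parsed the way a browser would tokenize it. The hardened variant escapes the value for the attribute context with html.escape(quote=True), which is the mitigation: the "> stays inside the field instead of closing the tag. The two street values are the ones the post tries.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: the two street values tried as Tom in the post.
STREET_TAG = '2211 HyperThread Rd.<script>console.log("WAZZUP JERRY?")</script>'
STREET_BREAKOUT = '2211 HyperThread Rd."><script>console.log("WAZZUP JERRY?")</script>'


def render_view_unsafe(street: str) -> str:
    """ViewProfile-style page: the stored value lands in a text node unescaped."""
    return f"<td>{street}</td>"


def render_edit_unsafe(street: str) -> str:
    """EditProfile-style page: the stored value lands in a quoted attribute unescaped."""
    return f'<input type="text" name="street" value="{street}"/>'


def render_edit_safe(street: str) -> str:
    """Same form, but entity-encoded for an attribute context (quote=True encodes the double quote)."""
    return f'<input type="text" name="street" value="{html.escape(street, quote=True)}"/>'


class TagCollector(HTMLParser):
    """Records every start tag the browser would see, plus the value the street input actually carries."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.street_value: str | None = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        a = dict(attrs)
        if tag == "input" and a.get("name") == "street":
            self.street_value = a.get("value")

    def handle_startendtag(self, tag, attrs):
        # <input .../> is self-closing; treat it like a start tag.
        self.handle_starttag(tag, attrs)


def parse(markup: str) -> TagCollector:
    """Tokenize rendered markup and return what tags it produced."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p
```

With the vulnerable edit page the parser reports an input whose value is truncated at the quote and a separate script tag, which is exactly the "> disappearing from the field that the post observes; with the escaped page the whole string survives as the field's value and no script tag exists.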

e)+f) CinCan malware analysis environment installation

I had a brief look at this already earlier, just remembering the size of it. This is a huge piece of work, and it certainly is interesting to have it covered on the course.

I have a fresh Xubuntu 18.04 VM that I installed prior to the course. Beefed it up to 8GB RAM. The dynamically sized HD is big enough. I’ll update the VM and install CinCan according to the instructions:

  • VBox GuestAdditions 6.1.6
  • apt update and upgrades

About to start the build script, forgot one trailing -e there…


I’ll leave the optionals out for now. Docker images are downloading.


Downloading takes a while… I’ll have this ready by Tuesday so I can take a better look after the guest lecture.

Published by:

Tuomo Kuure (tqre)

A professional double bassist and a ICT infrastructure student with good Linux skills. Coding skills include Python, shell scripting and Java. C and asm bubbling under. Main interests are Linux-related: cloud, configuration management, security and kernel programming.
