After a long hiatus — my last proper post was back in 2022 — I’m restarting this blog.
Life got busy (as it always does), and the blog quietly slipped down the priority list. But I’ve decided it’s time to change that.
I’ve been thinking a lot about the value of maintaining a personal blog. A big inspiration for me recently has been Simon Willison .
This post describes how I got the latest build of Hashcat working on a newly installed Ubuntu 20.04.4 LTS.
My previous password cracking rig was a 2009 Mac Pro with an AMD Radeon RX580 and this proved a fast and reliable platform for several years until I upgraded the MacOS version to 10.15 (Catalina) after which hashcat started throwing runtime errors like:
Kiterunner is a context based webscanner that uses common api paths for content discovery of an application’s api paths.
Example usage:
kr scan https://example.com -w ~/kiterunner/routes.kite
kr scan https://example.com -w ~/kiterunner/routes.kite --ignore-length=1234
Our penetration testing engagements web applications increasingly involve URLs
with /api/ in their path. Of course these can be tested just like any other
URL but it became obvious that there are subtleties to testing APIs that
required a new set of testing methods.
This book promises to provide a thorough grounding in API testing. I purchased this book for our pen test team bookshelf with the hope that it would fill in any knowledge gaps that our team may have.
On 3 May 2022, @Jhaddix tweeted about his Bug Hunter’s Methodology Application Analysis v1.
This led me to his original guide titled "(4.02) to The Bug Hunter’s Methodology" which can be downloaded from Google Docs. A great overview of tools and techniques.
CVE-2022-1388 is a critical vulnerability (CVSS 9.8) in the management interface of F5 Networks’ BIG-IP solution that enables an unauthenticated attacker to gain remote code execution on the system through bypassing F5’s iControl REST authentication. The vulnerability was disclosed publicly on 4 May 2022.
A bash script to test for CVE-2022-1388 was published at https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/. I modified the sample script to accept a target IP or FQDN as a command line argument, as follows: